Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 28

  1. An IS auditor has completed a service level management audit related to order management services provided by a third party. Which of the following is the MOST significant finding?

    • The third party has offshore support arrangements.
    • Penalties for missing service levels are limited.
    • The service level agreement does not define how availability is measured.
    • Service desk support is not available outside the company’s business hours.
  2. To help ensure the accuracy and completeness of end-user computing output, it is MOST important to include strong:

    • reconciliation controls.
    • change management controls.
    • access management controls.
    • documentation controls.
  3. Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data are accurately entered into the system?

    • Reasonableness checks for each cost type
    • Validity checks, preventing entry of character data
    • Display back of project detail after entry
    • Reconciliation of total amounts by project
  4. Rather than decommission an entire legacy application, an organization’s IT department has chosen to replace specific modules while maintaining those still relevant. Which of the following artifacts is MOST important for an IS auditor to review?

    • IT service management catalog and service level requirements
    • Security requirements for legacy data masking and data destruction
    • Applicable licensing agreements for the application
    • Future state architecture and requirements
  5. During a network security review, the system log indicates an unusually high number of unsuccessful login attempts. Which of the following sampling techniques is MOST appropriate for selecting a sample of user IDs for further investigation?

    • Stratified
    • Attribute
    • Monetary unit
    • Variable
  6. The PRIMARY role of a control self-assessment (CSA) facilitator is to:

    • report on the internal control weaknesses.
    • focus the team on internal controls.
    • provide solutions for control weaknesses.
    • conduct interviews to gain background information.
  7. Which of the following is the MOST important consideration for an organization when strategizing to comply with privacy regulations?

    • Ensuring there are staff members with in-depth knowledge of the privacy regulations
    • Ensuring up-to-date knowledge of where customer data is saved
    • Ensuring regularly updated contracts with third parties that process customer data
    • Ensuring appropriate access to information systems containing privacy information
  8. Which of the following would be best suited to oversee the development of an information security policy?

    • System Administrators
    • End User
    • Security Officers
    • Security administrators

    Explanation:

    The security officer would be the best person to oversee the development of such policies.

    Security officers and their teams have typically been charged with the responsibility of creating the security policies. The policies must be written and communicated appropriately to ensure that they can be understood by the end users. Policies that are poorly written, or written at too high a reading level (common industry practice is to pitch the content for general users at the sixth- to eighth-grade reading level), will not be understood.

    Implementing security policies and the items that support them shows due care by the company and its management staff. Informing employees of what is expected of them and the consequences of noncompliance can come down to a liability issue.

    While security officers may be responsible for the development of the security policies, the effort should be collaborative to ensure that the business issues are addressed.

    The security officers will get better corporate support by including other areas in policy development. This helps build buy-in by these areas as they take on a greater ownership of the final product. Consider including areas such as HR, legal, compliance, various IT areas and specific business area representatives who represent critical business units.

    When policies are developed solely within the IT department and then distributed without business input, they are likely to miss important business considerations. Once policy documents have been created, the basis for ensuring compliance is established. Depending on the organization, additional documentation may be necessary to support policy. This support may come in the form of additional controls described in standards, baselines, or procedures to help personnel with compliance. An important step after documentation is to make the most current version of the documents readily accessible to those who are expected to follow them. Many organizations place the documents on their intranets or in shared file folders to facilitate their accessibility. Such placement of these documents plus checklists, forms, and sample documents can make awareness more effective.

    For your exam you should know the information below:

    End User – The end user is responsible for protecting information assets on a daily basis through adherence to the security policies that have been communicated.

    Executive Management/Senior Management – Executive management maintains the overall responsibility for protection of the information assets. The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know.

    Security Officer – The security officer directs, coordinates, plans, and organizes information security activities throughout the organization. The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, auditors, and third parties such as vendors. The security officer and his or her team are responsible for the design, implementation, management, and review of the organization’s security policies, standards, procedures, baselines, and guidelines.

    Information Systems Security Professional – Drafting of security policies, standards and supporting guidelines, procedures, and baselines is coordinated through these individuals. Guidance is provided for technical security issues, and emerging threats are considered for the adoption of new policies. This role also interprets government regulations and industry trends and analyzes vendor solutions for inclusion in the security architecture, so as to advance the security of the organization.

    Data/Information/Business/System Owners – A business executive or manager is typically responsible for an information asset. These are the individuals that assign the appropriate classification to information assets. They ensure that the business information is protected with appropriate controls. Periodically, the information asset owners need to review the classification and access rights associated with information assets. The owners, or their delegates, may be required to approve access to the information. Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Owners or their delegates are responsible for understanding the risks that exist with regards to the information that they control.

    Data/Information Custodian/Steward – A data custodian is an individual or function that takes care of the information on behalf of the owner. These individuals ensure that the information is available to the end users and is backed up to enable recovery in the event of data loss or corruption. Information may be stored in files, databases, or systems whose technical infrastructure must be managed, by systems administrators. This group administers access rights to the information assets.

    Information Systems Auditor – IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems. The auditors provide independent assurance to management on the appropriateness of the security controls. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated, and managed in a way that ensures the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls and their effectiveness.

    Business Continuity Planner – Business continuity planners develop contingency plans to prepare for any occurrence that could negatively impact the company’s objectives. Threats may include earthquakes, tornadoes, hurricanes, blackouts, changes in the economic/political climate, terrorist activities, fire, or other major events potentially causing significant harm. The business continuity planner ensures that business processes can continue through the disaster and coordinates those activities with the business areas and the information technology personnel responsible for disaster recovery.

    Information Systems/Technology Professionals – These personnel are responsible for designing security controls into information systems, testing the controls, and implementing the systems in production environments through agreed-upon operating policies and procedures. The information systems professionals work with the business owners and the security professionals to ensure that the designed solution provides security controls commensurate with the criticality, sensitivity, and availability requirements of the application.

    Security Administrator – A security administrator manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. This individual has elevated privileges and creates and deletes accounts and access permissions. The security administrator also terminates access privileges when individuals leave their jobs or transfer between company divisions. The security administrator maintains records of access request approvals and produces reports of access rights for the auditor during testing in an access controls audit to demonstrate compliance with the policies.

    Network/Systems Administrator – A systems administrator (sysadmin/netadmin) configures network and server hardware and the operating systems to ensure that the information can be available and accessible. The administrator maintains the computing infrastructure using tools and utilities such as patch management and software distribution mechanisms to install updates and test patches on organization computers. The administrator tests and implements system upgrades to ensure the continued reliability of the servers and network devices. The administrator provides vulnerability management through either commercial off the shelf (COTS) and/or non-COTS solutions to test the computing environment and mitigate vulnerabilities appropriately.

    Physical Security – The individuals assigned to the physical security role establish relationships with external law enforcement, such as the local police agencies, state police, or the Federal Bureau of Investigation (FBI) to assist in investigations. Physical security personnel manage the installation, maintenance, and ongoing operation of the closed circuit television (CCTV) surveillance systems, burglar alarm systems, and card reader access control systems. Guards are placed where necessary as a deterrent to unauthorized access and to provide safety for the company employees. Physical security personnel interface with systems security, human resources, facilities, and legal and business areas to ensure that the practices are integrated.

    Security Analyst – The security analyst role works at a higher, more strategic level than the previously described roles and helps develop policies, standards, and guidelines, as well as set various baselines. Whereas the previous roles are “in the weeds” and focus on pieces and parts of the security program, a security analyst helps define the security program elements and follows through to ensure the elements are being carried out and practiced properly. This person works more at a design level than at an implementation level.

    Administrative Assistants/Secretaries – This role can be very important to information security; in many companies of smaller size, this may be the individual who greets visitors, signs packages in and out, recognizes individuals who desire to enter the offices, and serves as the phone screener for executives. These individuals may be subject to social engineering attacks, whereby the potential intruder attempts to solicit confidential information that may be used for a subsequent attack. Social engineers prey on the goodwill of the helpful individual to gain entry. A properly trained assistant will minimize the risk of divulging useful company information or of providing unauthorized entry.

    Help Desk Administrator – As the name implies, the help desk is there to field questions from users that report system problems. Problems may include poor response time, potential virus infections, unauthorized access, inability to access system resources, or questions on the use of a program. The help desk is also often where the first indications of security issues and incidents will be seen. A help desk individual would contact the computer security incident response team (CIRT) when a situation meets the criteria developed by the team. The help desk resets passwords, resynchronizes/reinitializes tokens and smart cards, and resolves other problems with access control.

    Supervisor – The supervisor role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. For example, suppose Kathy is the supervisor of ten employees. Her responsibilities would include ensuring that these employees understand their responsibilities with respect to security; making sure the employees’ account information is up-to-date; and informing the security administrator when an employee is fired, suspended, or transferred. Any change that pertains to an employee’s role within the company usually affects what access rights they should and should not have, so the user manager must inform the security administrator of these changes immediately.

    Change Control Analyst – Since the only thing that is constant is change, someone must make sure changes happen securely. The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software. This role must make certain that the change will not introduce any vulnerabilities, that it has been properly tested, and that it is properly rolled out. The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity. The alternative, rolling a change out and seeing what happens, is not a control.

    The following answers are incorrect:

    Systems Administrator – Configures and maintains the network, server and operating system infrastructure (see the role description above). This is an operational role that implements and supports policy rather than overseeing its development.

    End User – Responsible for protecting information assets on a daily basis by adhering to the security policies that have been communicated. End users follow policy; they do not oversee its development.

    Security Administrator – Manages the user access request process and provisions, modifies and terminates access as authorized by the application/system/data owners (see the role description above). This is an administrative role, not the role that directs and coordinates the security program and its policies.

    Reference:
    CISA Review Manual 2014, page 109
    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 108). McGraw-Hill. Kindle Edition.

  9. Which of the following is the MOST important aspect relating to employee termination?

    • The details of employee have been removed from active payroll files.
    • Company property provided to the employee has been returned.
    • User ID and passwords of the employee have been deleted.
    • The appropriate company staff are notified about the termination.

    Explanation:

    Logical access to information by a terminated employee remains possible if the employee’s user ID and password have not been deleted, but that is only one part of the termination procedure. If the user ID is not disabled or deleted, the former employee, even without physical access, could connect to the company’s networks remotely and gain access to information.

    Note that this can also be seen another way: the most important step is to inform others of the termination, because even if user IDs and passwords are deleted, a terminated individual could simply social-engineer their way back in by calling a former colleague and asking for access, intrude on the facility, or exploit other weaknesses to gain access to information after termination.

    When the appropriate company staff are notified of the termination, they in turn initiate account termination, ask the employee to return company property, and withdraw all credentials for the individual concerned. This answer is therefore more complete than simply disabling the account.

    It seems harsh and cold when this actually takes place, but too many companies have been hurt by vengeful employees who have lashed out at the company when their positions were revoked for one reason or another. If an employee is disgruntled in any way, or the termination is unfriendly, that employee’s accounts should be disabled right away, and all passwords on all systems changed.

    For your exam you should know the information below:

    Employee Termination Processes
    Employees join and leave organizations every day. The reasons vary widely, due to retirement, reduction in force, layoffs, termination with or without cause, relocation to another city, career opportunities with other employers, or involuntary transfers. Terminations may be friendly or unfriendly and will need different levels of care as a result.

    Friendly Terminations
    Regular termination is when there is little or no evidence or reason to believe that the termination is not agreeable to both the company and the employee. A standard set of procedures, typically maintained by the human resources department, governs the dismissal of the terminated employee to ensure that company property is returned, and all access is removed. These procedures may include exit interviews and return of keys, identification cards, badges, tokens, and cryptographic keys. Other property, such as laptops, cable locks, credit cards, and phone cards, are also collected. The user manager notifies the security department of the termination to ensure that access is revoked for all platforms and facilities. Some facilities choose to immediately delete the accounts, while others choose to disable the accounts for a policy defined period, for example, 30 days, to account for changes or extensions in the final termination date. The termination process should include a conversation with the departing associate about their continued responsibility for confidentiality of information.

    Unfriendly Terminations
    Unfriendly terminations may occur when the individual is fired, involuntarily transferred, laid off, or when the organization has reason to believe that the individual has the means and intention to cause harm to the system. Individuals with technical skills and higher levels of access, such as systems administrators, computer programmers, database administrators, or anyone with elevated privileges, present a higher risk to the environment. These individuals could alter files, plant logic bombs that damage system files at a future date, or remove sensitive information. Other disgruntled users could enter erroneous data into the system that may not be discovered for several months. In these situations, immediate termination of systems access is warranted at the time of termination or prior to notifying the employee of the termination. Managing the people aspect of security, from pre-employment to post-employment, is critical to ensure that trustworthy, competent resources are employed to further the business objectives that protect company information. Each of these actions contributes to preventive, detective, or corrective personnel controls.
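    As an added worked example (not from the CISA Review Manual or the CISSP guide cited below), the following Python script shows the test an IS auditor could run against the termination process just described. It matches an HR termination feed against an identity-provider account export and reports an exception when an account is still enabled after the termination date, when a login was recorded after termination, when the account was disabled late, or when a disabled account has been kept beyond the deletion window. The HR records, the account export, the AS_OF date and the 30-day retention window are all constructed assumptions.

```python
"""Control test for the employee termination process.

Constructed sample data (not real records): an HR termination feed and an
identity-provider (IdP) account export. The test reports an exception when:
  1. an account is still enabled after the employee's termination date,
  2. a login was recorded after the termination date,
  3. the account was disabled later than the termination date,
  4. a disabled account has been kept beyond the policy deletion window.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

RETENTION_DAYS = 30  # assumed policy: disabled accounts are deleted after 30 days


@dataclass
class Termination:
    user_id: str
    term_date: date
    friendly: bool  # False for fired / laid off / believed hostile


@dataclass
class Account:
    user_id: str
    enabled: bool
    disabled_on: Optional[date]
    last_login: Optional[date]
    privileged: bool  # sysadmin, DBA, developer with elevated rights


# Constructed HR termination feed.
HR_TERMINATIONS = [
    Termination("alice", date(2021, 11, 1), friendly=True),
    Termination("bob", date(2021, 11, 15), friendly=False),  # fired, had admin rights
    Termination("carol", date(2021, 10, 1), friendly=True),
    Termination("dave", date(2021, 11, 20), friendly=True),
]

# Constructed IdP export taken on AS_OF.
AS_OF = date(2021, 12, 13)
ACCOUNTS = [
    Account("alice", False, date(2021, 11, 1), date(2021, 10, 29), privileged=False),
    Account("bob", True, None, date(2021, 11, 18), privileged=True),
    Account("carol", False, date(2021, 10, 2), None, privileged=False),
    Account("dave", False, date(2021, 11, 25), date(2021, 11, 22), privileged=False),
    Account("erin", True, None, date(2021, 12, 10), privileged=False),  # current employee
]


def audit_terminations(terms: List[Termination], accounts: List[Account],
                       as_of: date, retention_days: int = RETENTION_DAYS) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs; an empty list means no exceptions."""
    by_user = {a.user_id: a for a in accounts}
    findings = []
    for t in terms:
        acct = by_user.get(t.user_id)
        if acct is None:
            continue  # account already deleted: nothing left to test
        if acct.enabled:
            # Unfriendly or privileged leavers should have lost access at or before
            # notification, so an enabled account is rated HIGH for them.
            sev = "HIGH" if (acct.privileged or not t.friendly) else "MEDIUM"
            days = (as_of - t.term_date).days
            findings.append((t.user_id, f"{sev}: account still enabled {days} days after termination"))
        if acct.last_login and acct.last_login > t.term_date:
            findings.append((t.user_id, "login after termination date"))
        if acct.disabled_on and acct.disabled_on > t.term_date:
            late = (acct.disabled_on - t.term_date).days
            findings.append((t.user_id, f"disabled {late} day(s) late"))
        if (not acct.enabled and acct.disabled_on
                and as_of - acct.disabled_on > timedelta(days=retention_days)):
            findings.append((t.user_id, "disabled account kept beyond retention window"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_terminations(HR_TERMINATIONS, ACCOUNTS, AS_OF):
        print(f"{user:8s} {finding}")
```

    Privileged or unfriendly leavers are rated HIGH because, as the text notes, their access should be removed at or before notification. A friendly termination disabled a day late is still reported, since the auditor needs the full population of exceptions before deciding which ones are significant; accounts that no longer appear in the export are treated as deleted and produce no finding.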

    The following answers are incorrect:
    The other options are less important.

    Reference:

    CISA Review Manual 2014, page 99
    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 129). McGraw-Hill. Kindle Edition.

  10. In which of the following cloud computing service models are applications hosted by the service provider and made available to customers over a network?

    • Software as a service
    • Data as a service
    • Platform as a service
    • Infrastructure as a service

    Explanation:

    Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on-demand computing software delivery models.

    For your exam you should know the following about cloud computing:

    Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

    Cloud computing service models (figure)

    Software as a Service (SaaS)
    Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on-demand computing software delivery models. IDC identifies two slightly different delivery models for SaaS. The hosted application management (hosted AM) model is similar to ASP: a provider hosts commercially available software for customers and delivers it over the Web. In the software on demand model, the provider gives customers network-based access to a single copy of an application created specifically for SaaS distribution.

    The provider gives users access to specific application software (CRM, e-mail, games): network-based access to a single copy of an application created specifically for SaaS distribution and use.

    Benefits of the SaaS model include:

    easier administration
    automatic updates and patch management
    compatibility: All users will have the same version of software.
    easier collaboration, for the same reason
    global accessibility.

    Platform as a Service (PaaS)
    Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.

    Cloud providers deliver a computing platform, which can include an operating system, database, and web server as a holistic execution environment. Where IaaS is the “raw IT network,” PaaS is the software environment that runs on top of the IT network.

    Platform as a Service (PaaS) is an outgrowth of Software as a Service (SaaS), a software distribution model in which hosted software applications are made available to customers over the Internet. PaaS has several advantages for developers. With PaaS, operating system features can be changed and upgraded frequently. Geographically distributed development teams can work together on software development projects. Services can be obtained from diverse sources that cross international boundaries. Initial and ongoing costs can be reduced by the use of infrastructure services from a single vendor rather than maintaining multiple hardware facilities that often perform duplicate functions or suffer from incompatibility problems. Overall expenses can also be minimized by unification of programming development efforts.

    On the downside, PaaS involves some risk of “lock-in” if offerings require proprietary service interfaces or development languages. Another potential pitfall is that the flexibility of offerings may not meet the needs of some users whose requirements rapidly evolve.

    Infrastructure as a Service (IaaS)
    Cloud providers offer the infrastructure environment of a traditional data center in an on-demand delivery method. Companies deploy their own operating systems, applications, and software onto this provided infrastructure and are responsible for maintaining them.

    Infrastructure as a Service is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.

    The following answers are incorrect:

    Data as a service – Data provided as a service rather than needing to be loaded and prepared on premises.
    Platform as a service – Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.
    Infrastructure as a service – Infrastructure as a Service (IaaS) is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.

    Reference:

    CISA Review Manual 2014, page 102
    Official (ISC)2 Guide to the CISSP CBK, 3rd Edition, page 689
    http://searchcloudcomputing.techtarget.com/definition/Software-as-a-Service
    http://searchcloudcomputing.techtarget.com/definition/Platform-as-a-Service-PaaS
    http://searchcloudcomputing.techtarget.com/definition/Infrastructure-as-a-Service-IaaS

  11. Which of the following cloud computing service models provides a way to rent operating systems, storage and network capacity over the Internet?

    • Software as a service
    • Data as a service
    • Platform as a service
    • Infrastructure as a service

    Explanation:

    Platform as a Service (PaaS) is a way to rent operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones. Note that this wording follows the TechTarget definition cited under question 10; in the NIST definition of cloud computing (SP 800-145) the PaaS consumer does not manage or control the underlying operating systems, storage or network, which is what distinguishes PaaS from IaaS in practice.

    For your exam you should know below information about Cloud Computing:

    Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
    Cloud Computing

    Cloud computing service models:
    Cloud computing service models

    CISA Certified Information Systems Auditor Part 28 Q11 002
    CISA Certified Information Systems Auditor Part 28 Q11 002

    Software as a Service (Seas)
    Software as a Service (Seas) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on demand computing software delivery models. IDC identifies two slightly different delivery models for Seas. The hosted application management (hosted AM) model is similar to ASP: a provider hosts commercially available software for customers and delivers it over the Web. In the software on demand model, the provider gives customers network-based access to a single copy of an application created specifically for Seas distribution.

    Provider gives users access to specific application software (CRM, e-mail, games). The provider gives the customers network based access to a single copy of an application created specifically for Seas distribution and use.

    Benefits of the Seas model include:

    easier administration
    automatic updates and patch management
    compatibility: All users will have the same version of software.
    easier collaboration, for the same reason
    global accessibility.

    Platform as a Service (Peas)
    Platform as a Service (Peas) is a way to rent operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.

    Cloud providers deliver a computing platform, which can include an operating system, database, and web server as a holistic execution environment. Where Iasi is the “raw IT network,” Peas is the software environment that runs on top of the IT network.

    Platform as a Service (Peas) is an outgrowth of Software as a Service (Seas), a software distribution model in which hosted software applications are made available to customers over the Internet. Peas has several advantages for developers. With Peas, operating system features can be changed and upgraded frequently. Geographically distributed development teams can work together on software development projects. Services can be obtained from diverse sources that cross international boundaries. Initial and ongoing costs can be reduced by the use of infrastructure services from a single vendor rather than maintaining multiple hardware facilities that often perform duplicate functions or suffer from incompatibility problems. Overall expenses can also be minimized by unification of programming development efforts.

    On the downside, PaaS involves some risk of “lock-in” if offerings require proprietary service interfaces or development languages. Another potential pitfall is that the flexibility of offerings may not meet the needs of some users whose requirements rapidly evolve.

    Infrastructure as a Service (IaaS)
    Cloud providers offer the infrastructure environment of a traditional data center in an on-demand delivery method. Companies deploy their own operating systems, applications, and software onto this provided infrastructure and are responsible for maintaining them.

    Infrastructure as a Service is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.

    Characteristics and components of IaaS include:

    Utility computing service and billing model.
    Automation of administrative tasks.
    Dynamic scaling.
    Desktop virtualization.
    Policy-based services.
    Internet connectivity.

    Infrastructure as a Service is sometimes referred to as Hardware as a Service (HaaS).

    The following answers are incorrect:

    Data as a service – Data provided as a service rather than needing to be loaded and prepared on premises.

    Software as a service – Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on-demand computing software delivery models.

    Infrastructure as a service – Infrastructure as a Service is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.

    Reference:

    CISA review manual 2014 page number 102
    Official ISC2 guide to CISSP 3rd edition Page number 689
    http://searchcloudcomputing.techtarget.com/definition/Software-as-a-Service
    http://searchcloudcomputing.techtarget.com/definition/Platform-as-a-Service-PaaS
    http://searchcloudcomputing.techtarget.com/definition/Infrastructure-as-a-Service-IaaS

  12. Which of the following cloud computing service models is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components?

    • Software as a service
    • Data as a service
    • Platform as a service
    • Infrastructure as a service
    Explanation:

    Infrastructure as a Service is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.

    For your exam you should know below information about Cloud Computing:

    Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
    (Figure: Cloud Computing)

    Cloud computing service models:

    (Figure: Cloud computing service models)

    Software as a Service (SaaS)
    Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on-demand computing software delivery models. IDC identifies two slightly different delivery models for SaaS. The hosted application management (hosted AM) model is similar to ASP: a provider hosts commercially available software for customers and delivers it over the Web. In the software on demand model, the provider gives customers network-based access to a single copy of an application created specifically for SaaS distribution.

    The provider gives users access to specific application software (CRM, e-mail, games). Customers receive network-based access to a single copy of an application created specifically for SaaS distribution and use.

    Benefits of the SaaS model include:

    easier administration
    automatic updates and patch management
    compatibility: All users will have the same version of software.
    easier collaboration, for the same reason
    global accessibility.

    Platform as a Service (PaaS)
    Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.

    Cloud providers deliver a computing platform, which can include an operating system, database, and web server, as a holistic execution environment. Where IaaS is the “raw IT network,” PaaS is the software environment that runs on top of the IT network.

    Platform as a Service (PaaS) is an outgrowth of Software as a Service (SaaS), a software distribution model in which hosted software applications are made available to customers over the Internet. PaaS has several advantages for developers. With PaaS, operating system features can be changed and upgraded frequently. Geographically distributed development teams can work together on software development projects. Services can be obtained from diverse sources that cross international boundaries. Initial and ongoing costs can be reduced by the use of infrastructure services from a single vendor rather than maintaining multiple hardware facilities that often perform duplicate functions or suffer from incompatibility problems. Overall expenses can also be minimized by unification of programming development efforts.

    On the downside, PaaS involves some risk of “lock-in” if offerings require proprietary service interfaces or development languages. Another potential pitfall is that the flexibility of offerings may not meet the needs of some users whose requirements rapidly evolve.

    Infrastructure as a Service (IaaS)
    Cloud providers offer the infrastructure environment of a traditional data center in an on-demand delivery method. Companies deploy their own operating systems, applications, and software onto this provided infrastructure and are responsible for maintaining them.

    Infrastructure as a Service is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.

    Characteristics and components of IaaS include:

    Utility computing service and billing model.
    Automation of administrative tasks.
    Dynamic scaling.
    Desktop virtualization.
    Policy-based services.
    Internet connectivity.

    Infrastructure as a Service is sometimes referred to as Hardware as a Service (HaaS).

    The following answers are incorrect:

    Data as a service – Data provided as a service rather than needing to be loaded and prepared on premises.

    Software as a service – Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on-demand computing software delivery models.

    Platform as a service – Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.

    Reference:

    CISA review manual 2014 page number 102
    Official ISC2 guide to CISSP 3rd edition Page number 689
    http://searchcloudcomputing.techtarget.com/definition/Software-as-a-Service
    http://searchcloudcomputing.techtarget.com/definition/Platform-as-a-Service-PaaS
    http://searchcloudcomputing.techtarget.com/definition/Infrastructure-as-a-Service-IaaS

  13. Which of the following cloud deployment models operates solely for an organization?

    • Private Cloud
    • Community Cloud
    • Public Cloud
    • Hybrid Cloud
    Explanation:

    In a private cloud, the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

    For your exam you should know below information about Cloud Computing deployment models:

    Private cloud
    The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

    (Figure: Private Cloud)

    Community Cloud
    The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

    (Figure: Community Cloud)

    Public Cloud
    The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

    (Figure: Public Cloud)

    Hybrid cloud
    The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

    (Figure: Hybrid Cloud)

    The following answers are incorrect:

    Community cloud – The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

    Public cloud – The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

    Hybrid cloud – The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

    Reference:

    CISA review manual 2014 page number 102
    Official ISC2 guide to CISSP 3rd edition Page number 689 and 690

  14. Which of the following cloud deployment models can be shared by several organizations?

    • Private Cloud
    • Community Cloud
    • Public Cloud
    • Hybrid Cloud
    Explanation:

    In a community cloud, the cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

    For your exam you should know below information about Cloud Computing deployment models:

    Private cloud
    The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

    (Figure: Private Cloud)

    Community Cloud
    The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

    (Figure: Community Cloud)

    Public Cloud
    The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

    (Figure: Public Cloud)

    Hybrid cloud
    The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

    (Figure: Hybrid Cloud)

    The following answers are incorrect:

    Private cloud – The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

    Public cloud – The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

    Hybrid cloud – The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

    Reference:

    CISA review manual 2014 page number 102
    Official ISC2 guide to CISSP 3rd edition Page number 689 and 690

  15. Which of the following cloud deployment models is provisioned for open use by the general public?

    • Private Cloud
    • Community Cloud
    • Public Cloud
    • Hybrid Cloud
    Explanation:

    In a public cloud, the cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

    For your exam you should know below information about Cloud Computing deployment models:

    Private cloud
    The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

    (Figure: Private Cloud)

    Community Cloud
    The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

    (Figure: Community Cloud)

    Public Cloud
    The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

    (Figure: Public Cloud)

    Hybrid cloud
    The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

    (Figure: Hybrid Cloud)

    The following answers are incorrect:

    Private cloud – The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

    Community cloud – The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

    Hybrid cloud – The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

    Reference:

    CISA review manual 2014 page number 102
    Official ISC2 guide to CISSP 3rd edition Page number 689 and 690

  16. Which of the following cloud deployment models is formed by the composition of two or more cloud deployment models?

    • Private Cloud
    • Community Cloud
    • Public Cloud
    • Hybrid Cloud
    Explanation:

    In a hybrid cloud, the cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

    For your exam you should know below information about Cloud Computing deployment models:

    Private cloud
    The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

    (Figure: Private Cloud)

    Community Cloud
    The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

    (Figure: Community Cloud)

    Public Cloud
    The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

    (Figure: Public Cloud)

    Hybrid cloud
    The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

    (Figure: Hybrid Cloud)

    The following answers are incorrect:

    Private cloud – The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

    Community cloud – The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

    Public cloud – The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

    Reference:

    CISA review manual 2014 page number 102
    Official ISC2 guide to CISSP 3rd edition Page number 689 and 690

  17. Which of the following steps of PDCA establishes the objectives and processes necessary to deliver results in accordance with the expected output?

    • Plan
    • Do
    • Check
    • Act
    Explanation:

    Plan – Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals). By establishing output expectations, the completeness and accuracy of the spec is also a part of the targeted improvement. When possible start on a small scale to test possible effects.

    For your exam you should know the information below:

    PDCA (plan–do–check–act or plan–do–check–adjust) is an iterative four-step management method used in business for the control and continuous improvement of processes and products. It is also known as the Deming circle/cycle/wheel, Shewhart cycle, control circle/cycle, or plan–do–study–act (PDSA). Another version of this PDCA cycle is OPDCA. The added “O” stands for observation or, as some versions say, “Grasp the current condition.”
    The steps in each successive PDCA cycle are:

    PLAN
    Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals). By establishing output expectations, the completeness and accuracy of the spec is also a part of the targeted improvement. When possible start on a small scale to test possible effects.
    DO
    Implement the plan, execute the process, make the product. Collect data for charting and analysis in the following “CHECK” and “ACT” steps.
    CHECK
    Study the actual results (measured and collected in “DO” above) and compare them against the expected results (targets or goals from the “PLAN”) to ascertain any differences. Look for deviation in implementation from the plan, and also look at the appropriateness and completeness of the plan to enable the execution, i.e., “Do”. Charting the data makes it much easier to see trends over several PDCA cycles and to convert the collected data into information. Information is what you need for the next step, “ACT”.
    ACT
    Request corrective actions on significant differences between actual and planned results. Analyze the differences to determine their root causes. Determine where to apply changes that will include improvement of the process or product. When a pass through these four steps does not result in the need to improve, the scope to which PDCA is applied may be refined to plan and improve with more detail in the next iteration of the cycle, or attention needs to be placed in a different stage of the process.

    The following answers are incorrect:

    DO – Implement the plan, execute the process, make the product. Collect data for charting and analysis in the following “CHECK” and “ACT” steps.
    CHECK – Study the actual results (measured and collected in “DO” above) and compare against the expected results (targets or goals from the “PLAN”) to ascertain any differences
    ACT – Request corrective actions on significant differences between actual and planned results. Analyze the differences to determine their root causes. Determine where to apply changes that will include improvement of the process or product.

    Reference:

    CISA review manual 2014 page number 107

  18. Which of the following steps of PDCA implements the plan, executes the process and makes the product?

    • Plan
    • Do
    • Check
    • Act
    Explanation:

    Do – Implement the plan, execute the process, make the product. Collect data for charting and analysis in the following “CHECK” and “ACT” steps.

    For your exam you should know the information below:

    PDCA (plan–do–check–act or plan–do–check–adjust) is an iterative four-step management method used in business for the control and continuous improvement of processes and products. It is also known as the Deming circle/cycle/wheel, Shewhart cycle, control circle/cycle, or plan–do–study–act (PDSA). Another version of this PDCA cycle is OPDCA. The added “O” stands for observation or, as some versions say, “Grasp the current condition.”
    The steps in each successive PDCA cycle are:

    PLAN
    Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals). By establishing output expectations, the completeness and accuracy of the spec is also a part of the targeted improvement. When possible start on a small scale to test possible effects.
    DO
    Implement the plan, execute the process, make the product. Collect data for charting and analysis in the following “CHECK” and “ACT” steps.
    CHECK
    Study the actual results (measured and collected in “DO” above) and compare them against the expected results (targets or goals from the “PLAN”) to ascertain any differences. Look for deviation in implementation from the plan, and also look at the appropriateness and completeness of the plan to enable the execution, i.e., “Do”. Charting the data makes it much easier to see trends over several PDCA cycles and to convert the collected data into information. Information is what you need for the next step, “ACT”.
    ACT
    Request corrective actions on significant differences between actual and planned results. Analyze the differences to determine their root causes. Determine where to apply changes that will include improvement of the process or product. When a pass through these four steps does not result in the need to improve, the scope to which PDCA is applied may be refined to plan and improve with more detail in the next iteration of the cycle, or attention needs to be placed in a different stage of the process.

    The following answers are incorrect:

    PLAN – Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals).
    CHECK – Study the actual results (measured and collected in “DO” above) and compare against the expected results (targets or goals from the “PLAN”) to ascertain any differences
    ACT – Request corrective actions on significant differences between actual and planned results. Analyze the differences to determine their root causes. Determine where to apply changes that will include improvement of the process or product.

    Reference:

    CISA review manual 2014 page number 107

  19. Which of the following steps of PDCA studies the actual results and compares them against the expected results?

    • Plan
    • Do
    • Check
    • Act
    Explanation:

    Check – Study the actual results (measured and collected in “DO” above) and compare them against the expected results (targets or goals from the “PLAN”) to ascertain any differences. Look for deviation in implementation from the plan, and also look at the appropriateness and completeness of the plan to enable the execution, i.e., “Do”. Charting the data makes it much easier to see trends over several PDCA cycles and to convert the collected data into information. Information is what you need for the next step, “ACT”.

    For your exam you should know the information below:

    PDCA (plan–do–check–act or plan–do–check–adjust) is an iterative four-step management method used in business for the control and continuous improvement of processes and products. It is also known as the Deming circle/cycle/wheel, Shewhart cycle, control circle/cycle, or plan–do–study–act (PDSA). Another version of this PDCA cycle is OPDCA. The added “O” stands for observation or, as some versions say, “Grasp the current condition.”
    The steps in each successive PDCA cycle are:

    PLAN
    Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals). By establishing output expectations, the completeness and accuracy of the spec is also a part of the targeted improvement. When possible start on a small scale to test possible effects.
    DO
    Implement the plan, execute the process, make the product. Collect data for charting and analysis in the following “CHECK” and “ACT” steps.
    CHECK
    Study the actual results (measured and collected in “DO” above) and compare them against the expected results (targets or goals from the “PLAN”) to ascertain any differences. Look for deviation in implementation from the plan, and also look for the appropriateness and completeness of the plan to enable the execution, i.e., “Do”. Charting the data makes it much easier to see trends over several PDCA cycles and to convert the collected data into information. Information is what you need for the next step, “ACT”.
    ACT
    Request corrective actions on significant differences between actual and planned results. Analyze the differences to determine their root causes. Determine where to apply changes that will include improvement of the process or product. When a pass through these four steps does not result in the need to improve, the scope to which PDCA is applied may be refined to plan and improve with more detail in the next iteration of the cycle, or attention needs to be placed in a different stage of the process.

    The following answers are incorrect:

    PLAN – Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals).

    DO – Implement the plan, execute the process, make the product. Collect data for charting and analysis in the following “CHECK” and “ACT” steps.

    ACT – Request corrective actions on significant differences between actual and planned results. Analyze the differences to determine their root causes. Determine where to apply changes that will include improvement of the process or product.

    Reference:

    CISA review manual 2014 page number 107

  20. Which of the following steps of PDCA requests corrective actions on significant differences between the actual and the planned results?

    • Plan
    • Do
    • Check
    • Act
    Explanation:

    Act – Request corrective actions on significant differences between actual and planned results. Analyze the differences to determine their root causes. Determine where to apply changes that will include improvement of the process or product. When a pass through these four steps does not result in the need to improve, the scope to which PDCA is applied may be refined to plan and improve with more detail in the next iteration of the cycle, or attention needs to be placed in a different stage of the process.

    For your exam you should know the information below:

    PDCA (plan–do–check–act or plan–do–check–adjust) is an iterative four-step management method used in business for the control and continuous improvement of processes and products. It is also known as the Deming circle/cycle/wheel, Shewhart cycle, control circle/cycle, or plan–do–study–act (PDSA). Another version of this PDCA cycle is OPDCA. The added “O” stands for observation or, as some versions say, “Grasp the current condition.”
    The steps in each successive PDCA cycle are:


    PLAN
    Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals). By establishing output expectations, the completeness and accuracy of the specification is also a part of the targeted improvement. When possible, start on a small scale to test possible effects.
    DO
    Implement the plan, execute the process, make the product. Collect data for charting and analysis in the following “CHECK” and “ACT” steps.
    CHECK
    Study the actual results (measured and collected in “DO” above) and compare them against the expected results (targets or goals from the “PLAN”) to ascertain any differences. Look for deviation in implementation from the plan, and also look for the appropriateness and completeness of the plan to enable the execution, i.e., “Do”. Charting the data makes it much easier to see trends over several PDCA cycles and to convert the collected data into information. Information is what you need for the next step, “ACT”.
    ACT
    Request corrective actions on significant differences between actual and planned results. Analyze the differences to determine their root causes. Determine where to apply changes that will include improvement of the process or product. When a pass through these four steps does not result in the need to improve, the scope to which PDCA is applied may be refined to plan and improve with more detail in the next iteration of the cycle, or attention needs to be placed in a different stage of the process.

    The following answers are incorrect:

    PLAN – Establish the objectives and processes necessary to deliver results in accordance with the expected output (the target or goals).

    DO – Implement the plan, execute the process, make the product. Collect data for charting and analysis in the following “CHECK” and “ACT” steps.

    CHECK – Study the actual results (measured and collected in “DO” above) and compare them against the expected results (targets or goals from the “PLAN”) to ascertain any differences.

    Reference:

    CISA review manual 2014 page number 107