Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 50

  1. Which of the following ACID property ensures that transaction will bring the database from one valid state to another?

    • Atomicity
    • Consistency
    • Isolation
    • Durability

    Explanation:

    Consistency – The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any programming errors do not violate any defined rules.

    For CISA exam you should know below information about ACID properties in DBMS:

    Atomicity – Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged. An atomic system must guarantee atomicity in each and every situation, including power failures, errors, and crashes. To the outside world, a committed transaction appears (by its effects on the database) to be indivisible (“atomic”), and an aborted transaction does not happen.

    Consistency – The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any programming errors do not violate any defined rules.

    Isolation – The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other. Providing isolation is the main goal of concurrency control. Depending on concurrency control method, the effects of an incomplete transaction might not even be visible to another transaction.[citation needed]

    Durability – Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. In a relational database, for instance, once a group of SQL statements execute, the results need to be stored permanently (even if the database crashes immediately thereafter). To defend against power loss, transactions (or their effects) must be recorded in a non-volatile memory.

    The following were incorrect answers:

    Atomicity – Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.

    Isolation – The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other.

    Durability – Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors.

    Reference:

    CISA review manual 2014 Page number 218

  2. Which of the following ACID property in DBMS requires that each transaction is “all or nothing”?

    • Atomicity
    • Consistency
    • Isolation
    • Durability
    Explanation:

    Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.

    For CISA exam you should know below information about ACID properties in DBMS:

    Atomicity – Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged. An atomic system must guarantee atomicity in each and every situation, including power failures, errors, and crashes. To the outside world, a committed transaction appears (by its effects on the database) to be indivisible (“atomic”), and an aborted transaction does not happen.

    Consistency – The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any programming errors do not violate any defined rules.

    Isolation – The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other. Providing isolation is the main goal of concurrency control. Depending on concurrency control method, the effects of an incomplete transaction might not even be visible to another transaction. [citation needed]

    Durability – Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. In a relational database, for instance, once a group of SQL statements execute, the results need to be stored permanently (even if the database crashes immediately thereafter). To defend against power loss, transactions (or their effects) must be recorded in a non-volatile memory.

    The following were incorrect answers:

    Consistency – The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any programming errors do not violate any defined rules.

    Isolation – The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other.

    Durability – Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors.

    Reference:

    CISA review manual 2014 Page number 218

  3. Which of the following ACID property in DBMS means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors?

    • Atomicity
    • Consistency
    • Isolation
    • Durability
    Explanation:

    Durability – Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors.

    For CISA exam you should know below information about ACID properties in DBMS:

    Atomicity – Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged. An atomic system must guarantee atomicity in each and every situation, including power failures, errors, and crashes. To the outside world, a committed transaction appears (by its effects on the database) to be indivisible (“atomic”), and an aborted transaction does not happen.

    Consistency – The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any programming errors do not violate any defined rules.

    Isolation – The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other. Providing isolation is the main goal of concurrency control. Depending on concurrency control method, the effects of an incomplete transaction might not even be visible to another transaction. [citation needed]

    Durability – Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. In a relational database, for instance, once a group of SQL statements execute, the results need to be stored permanently (even if the database crashes immediately thereafter). To defend against power loss, transactions (or their effects) must be recorded in a non-volatile memory.

    The following were incorrect answers:

    Consistency – The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any programming errors do not violate any defined rules.

    Isolation – The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other.

    Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.

    Reference:

    CISA review manual 2014 Page number 218

  4. Which of the following ACID property in DBMS ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other?

    • Atomicity
    • Consistency
    • Isolation
    • Durability
    Explanation:

    Isolation – The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other.

    For CISA exam you should know below information about ACID properties in DBMS:

    Atomicity – Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged. An atomic system must guarantee atomicity in each and every situation, including power failures, errors, and crashes. To the outside world, a committed transaction appears (by its effects on the database) to be indivisible (“atomic”), and an aborted transaction does not happen.

    Consistency – The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any programming errors do not violate any defined rules.

    Isolation – The isolation property ensures that the concurrent execution of transactions results in a system state that would be obtained if transactions were executed serially, i.e. one after the other. Providing isolation is the main goal of concurrency control. Depending on concurrency control method, the effects of an incomplete transaction might not even be visible to another transaction. [citation needed]

    Durability – Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. In a relational database, for instance, once a group of SQL statements execute, the results need to be stored permanently (even if the database crashes immediately thereafter). To defend against power loss, transactions (or their effects) must be recorded in a non-volatile memory.

    The following were incorrect answers:

    Consistency – The consistency property ensures that any transaction will bring the database from one valid state to another. Any data written to the database must be valid according to all defined rules, including but not limited to constraints, cascades, triggers, and any combination thereof. This does not guarantee correctness of the transaction in all ways the application programmer might have wanted (that is the responsibility of application-level code) but merely that any programming errors do not violate any defined rules.

    Durability – Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors.

    Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.

    Reference:

    CISA review manual 2014 Page number 218

  5. Which of the following software development methods is based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams?

    • Agile Development
    • Software prototyping
    • Rapid application development
    • Component based development
    Explanation:

    For your exam you should know below information about agile development:

    Agile software development is a group of software development methods based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams. It promotes adaptive planning, evolutionary development and delivery, a time-boxed iterative approach, and encourages rapid and flexible response to change. It is a conceptual framework that promotes foreseen tight iterations throughout the development cycle.

    Agile Development

    CISA Certified Information Systems Auditor Part 50 Q05 037
    CISA Certified Information Systems Auditor Part 50 Q05 037

    The Agile Manifesto introduced the term in 2001. Since then, the Agile Movement, with all its values, principles, methods, practices, tools, champions and practitioners, philosophies and cultures, has significantly changed the landscape of the modern software engineering and commercial software development in the Internet era.

    Agile principles

    The Agile Manifesto is based on twelve principles:

    Customer satisfaction by rapid delivery of useful software
    Welcome changing requirements, even late in development
    Working software is delivered frequently (weeks rather than months)
    Close, daily cooperation between business people and developers
    Projects are built around motivated individuals, who should be trusted
    Face-to-face conversation is the best form of communication (co-location)
    Working software is the principal measure of progress
    Sustainable development, able to maintain a constant pace
    Continuous attention to technical excellence and good design
    Simplicity—the art of maximizing the amount of work not done—is essential
    Self-organizing teams
    Regular adaptation to changing circumstances

    What is Scrum?
    Scrum is the most popular way of introducing Agility due to its simplicity and flexibility. Because of this popularity, many organizations claim to be “doing Scrum” but aren’t doing anything close to Scrum’s actual definition. Scrum emphasizes empirical feedback, team self-management, and striving to build properly tested product increments within short iterations. Doing Scrum as it’s actually defined usually comes into conflict with existing habits at established non-Agile organizations.

    The following were incorrect answers:

    Software prototyping- Software prototyping, refers to the activity of creating prototypes of software applications, i.e., incomplete versions of the software program being developed. It is an activity that can occur in software development and is comparable to prototyping as known from other fields, such as mechanical engineering or manufacturing.

    Rapid application development (RAD) is a software development methodology that uses minimal planning in favor of rapid prototyping. The “planning” of software developed using RAD is interleaved with writing the software itself. The lack of extensive per-planning generally allows software to be written much faster, and makes it easier to change requirements.

    Component Based Development – It is a reuse-based approach to defining, implementing and composing loosely coupled independent components into systems. This practice aims to bring about an equally wide-ranging degree of benefits in both the short-term and the long-term for the software itself and for organizations that sponsor such software.

    Reference:

    CISA review manual 2014 Page number 194

  6. Which of the following software development methodology is a reuse-based approach to defining, implementing and composing loosely coupled independent components into systems?

    • Agile Developments
    • Software prototyping
    • Rapid application development
    • Component based development
    Explanation:

    Component-based software engineering (CBSE) (also known as component-based development (CBD)) is a branch of software engineering that emphasizes the separation of concerns in respect of the wide-ranging functionality available throughout a given software system. It is a reuse-based approach to defining, implementing and composing loosely coupled independent components into systems. This practice aims to bring about an equally wide-ranging degree of benefits in both the short-term and the long-term for the software itself and for organizations that sponsor such software.

    Software engineers[who?] regard components as part of the starting platform for service-orientation. Components play this role, for example, in web services, and more recently, in service-oriented architectures (SOA), whereby a component is converted by the web service into a service and subsequently inherits further characteristics beyond that of an ordinary component.

    Components can produce or consume events and can be used for event-driven architectures (EDA).

    Definition and characteristics of components

    An individual software component is a software package, a web service, a web resource, or a module that encapsulates a set of related functions (or data).

    All system processes are placed into separate components so that all of the data and functions inside each component are semantically related (just as with the contents of classes). Because of this principle, it is often said that components are modular and cohesive.

    With regard to system-wide co-ordination, components communicate with each other via interfaces. When a component offers services to the rest of the system, it adopts a provided interface that specifies the services that other components can utilize, and how they can do so. This interface can be seen as a signature of the component – the client does not need to know about the inner workings of the component (implementation) in order to make use of it. This principle results in components referred to as encapsulated. The UML illustrations within this article represent provided interfaces by a lollipop-symbol attached to the outer edge of the component.

    However, when a component needs to use another component in order to function, it adopts a used interface that specifies the services that it needs. In the UML illustrations in this article, used interfaces are represented by an open socket symbol attached to the outer edge of the component.
    A simple example of several software components – pictured within a hypothetical holiday-reservation system represented in UML 2.0.

    Another important attribute of components is that they are substitutable, so that a component can replace another (at design time or run-time), if the successor component meets the requirements of the initial component (expressed via the interfaces). Consequently, components can be replaced with either an updated version or an alternative without breaking the system in which the component operates.

    As a general rule of thumb for engineers substituting components, component B can immediately replace component A, if component B provides at least what component A provided and uses no more than what component A used.

    Software components often take the form of objects (not classes) or collections of objects (from object-oriented programming), in some binary or textual form, adhering to some interface description language (IDL) so that the component may exist autonomously from other components in a computer.

    When a component is to be accessed or shared across execution contexts or network links, techniques such as serialization or marshalling are often employed to deliver the component to its destination.

    Reusability is an important characteristic of a high-quality software component. Programmers should design and implement software components in such a way that many different programs can reuse them. Furthermore, component-based usability testing should be considered when software components directly interact with users.

    It takes significant effort and awareness to write a software component that is effectively reusable. The component needs to be:

    fully documented
    thoroughly tested
    robust – with comprehensive input-validity checking
    able to pass back appropriate error messages or return codes
    designed with an awareness that it will be put to unforeseen uses

    The following were incorrect answers:

    Agile Development – Agile software development is a group of software development methods based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams.

    Software prototyping- Software prototyping, refers to the activity of creating prototypes of software applications, i.e., incomplete versions of the software program being developed. It is an activity that can occur in software development and is comparable to prototyping as known from other fields, such as mechanical engineering or manufacturing.

    Rapid application development (RAD) is a software development methodology that uses minimal planning in favor of rapid prototyping. The “planning” of software developed using RAD is interleaved with writing the software itself. The lack of extensive per-planning generally allows software to be written much faster, and makes it easier to change requirements.

    Reference:

    CISA review manual 2014 Page number 194

  7. Which of the following software development methodology uses minimal planning and in favor of rapid prototyping?

    • Agile Developments
    • Software prototyping
    • Rapid application development
    • Component based development
    Explanation:

    Rapid application development (RAD) is a software development methodology that uses minimal planning in favor of rapid prototyping. The “planning” of software developed using RAD is interleaved with writing the software itself. The lack of extensive per-planning generally allows software to be written much faster, and makes it easier to change requirements.
    Rapid Application Development

    CISA Certified Information Systems Auditor Part 50 Q07 038
    CISA Certified Information Systems Auditor Part 50 Q07 038

    Four phases of RAD
    Requirements Planning phase – combines elements of the system planning and systems analysis phases of the Systems Development Life Cycle (SDLC). Users, managers, and IT staff members discuss and agree on business needs, project scope, constraints, and system requirements. It ends when the team agrees on the key issues and obtains management authorization to continue.

    User design phase – during this phase, users interact with systems analysts and develop models and prototypes that represent all system processes, inputs, and outputs. The RAD groups or subgroups typically use a combination of Joint Application Development (JAD) techniques and CASE tools to translate user needs into working models. User Design is a continuous interactive process that allows users to understand, modify, and eventually approve a working model of the system that meets their needs.

    Construction phase – focuses on program and application development task similar to the SDLC. In RAD, however, users continue to participate and can still suggest changes or improvements as actual screens or reports are developed. Its tasks are programming and application development, coding, unit-integration and system testing.

    Cutover phase – resembles the final tasks in the SDLC implementation phase, including data conversion, testing, changeover to the new system, and user training. Compared with traditional methods, the entire process is compressed. As a result, the new system is built, delivered, and placed in operation much sooner.

    The following were incorrect answers:

    Agile Development – Agile software development is a group of software development methods based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams.

    Software prototyping- Software prototyping, refers to the activity of creating prototypes of software applications, i.e., incomplete versions of the software program being developed. It is an activity that can occur in software development and is comparable to prototyping as known from other fields, such as mechanical engineering or manufacturing.

    Component Based Development – It is a reuse-based approach to defining, implementing and composing loosely coupled independent components into systems. This practice aims to bring about an equally wide-ranging degree of benefits in both the short-term and the long-term for the software itself and for organizations that sponsor such software.

    Reference:

    CISA review manual 2014 Page number 195

  8. Which of the following is an estimation technique where the results can be measure by the functional size of an information system based on the number and complexity of input, output, interface and queries?

    • Functional Point analysis
    • Gantt Chart
    • Time box management
    • Critical path methodology
    Explanation:

    For CISA exam you should know below information about Functional Point Analysis:

    Function Point Analysis (FPA) is an ISO recognized method to measure the functional size of an information system. The functional size reflects the amount of functionality that is relevant to and recognized by the user in the business. It is independent of the technology used to implement the system.

    The unit of measurement is “function points”. So, FPA expresses the functional size of an information system in a number of function points (for example: the size of a system is 314 fop’s).
    The functional size may be used:

    To budget application development or enhancement costs
    To budget the annual maintenance costs of the application portfolio
    To determine project productivity after completion of the project
    To determine the Software Size for cost estimating

    All software applications will have numerous elementary processes or independent processes to move data. Transactions (or elementary processes) that bring data from outside the application domain (or application boundary) to inside that application boundary are referred to as external inputs. Transactions (or elementary processes) that take data from a resting position (normally on a file) to outside the application domain (or application boundary) are referred as either an external outputs or external inquiries. Data at rest that is maintained by the application in question is classified as internal logical files. Data at rest that is maintained by another application in question is classified as external interface files.
    Types of Function Point Counts:

    Development Project Function Point Count
    Function Points can be counted at all phases of a development project from requirements up to and including implementation. This type of count is associated with new development work. Scope creep can be tracked and monitored by understanding the functional size at all phase of a project. Frequently, this type of count is called a baseline function point count.

    Enhancement Project Function Point Count

    It is common to enhance software after it has been placed into production. This type of function point count tries to size enhancement projects. All production applications evolve over time. By tracking enhancement size and associated costs a historical database for your organization can be built. Additionally, it is important to understand how a Development project has changed over time.

    Application Function Point Count
    Application counts are done on existing production applications. This “baseline count” can be used with overall application metrics like total maintenance hours. This metric can be used to track maintenance hours per function point. This is an example of a normalized metric. It is not enough to examine only maintenance, but one must examine the ratio of maintenance hours to size of the application to get a true picture.
    Productivity:

    The definition of productivity is the output-input ratio within a time period with due consideration for quality.
    Productivity = outputs/inputs (within a time period, quality considered)

    The formula indicates that productivity can be improved by (1) by increasing outputs with the same inputs, (2) by decreasing inputs but maintaining the same outputs, or (3) by increasing outputs and decreasing inputs change the ratio favorably.

    Software Productivity = Function Points / Inputs

    Effectiveness vs. Efficiency:
    Productivity implies effectiveness and efficiency in individual and organizational performance. Effectiveness is the achievement of objectives. Efficiency is the achievement of the ends with least amount of resources.

    Software productivity is defined as hours/function points or function points/hours. This is the average cost to develop software or the unit cost of software. One thing to keep in mind is the unit cost of software is not fixed with size. What industry data shows is the unit cost of software goes up with size.

    Average cost is the total cost of producing a particular quantity of output divided by that quantity. In this case to Total Cost/Function Points. Marginal cost is the change in total cost attributable to a one-unit change in output.

    There are a variety of reasons why marginal costs for software increase as size increases. The following is a list of some of the reasons

    As size becomes larger complexity increases.
    As size becomes larger a greater number of tasks need to be completed.
    As size becomes larger there is a greater number of staff members and they become more difficult to manage.

    Function Points are the output of the software development process. Function points are the unit of software. It is very important to understand that Function Points remain constant regardless who develops the software or what language the software is developed in. Unit costs need to be examined very closely. To calculate average unit cost all items (units) are combined and divided by the total cost. On the other hand, to accurately estimate the cost of an application each component cost needs to be estimated.

    Determine type of function point count
    Determine the application boundary
    Identify and rate transactional function types to determine their contribution to the unadjusted function point count.
    Identify and rate data function types to determine their contribution to the unadjusted function point count.
    Determine the value adjustment factor (VAF)
    Calculate the adjusted function point count.

    To complete a function point count knowledge of function point rules and application documentation is needed. Access to an application expert can improve the quality of the count. Once the application boundary has been established, FPA can be broken into three major parts

    FPA for transactional function types
    FPA for data function types
    FPA for GSCs

    Rating of transactions is dependent on both information contained in the transactions and the number of files referenced, it is recommended that transactions are counted first. At the same time a tally should be kept of all FTR’s (file types referenced) that the transactions reference. Every FTR must have at least one or more transactions. Each transaction must be an elementary process. An elementary process is the smallest unit of activity that is meaningful to the end user in the business. It must be self-contained and leave the business in consistent state

    The following were incorrect answers:

    Critical Path Methodology – The critical path method (CPM) is an algorithm for scheduling a set of project activities

    Gantt Chart – A Gantt chart is a type of bar chart, developed by Henry Gantt in the 1910s, that illustrates a project schedule. Gantt charts illustrate the start and finish dates of the terminal elements and summary elements of a project. Terminal elements and summary elements comprise the work breakdown structure of the project. Modern Gantt charts also show the dependency (i.e. precedence network) relationships between activities. Gantt charts can be used to show current schedule status using percent-complete shadings and a vertical “TODAY” line as shown here.

    Time box Management – In time management, a time boxing allocates a fixed time period, called a time box, to each planned activity. Several project management approaches use time boxing. It is also used for individual use to address personal tasks in a smaller time frame. It often involves having deliverables and deadlines, which will improve the productivity of the user.

    Reference:

    CISA review manual 2014 Page number 154

  9. Which of the following is a project management technique for defining and deploying software deliverables within a relatively short and fixed period of time, and with predetermined specific resources?

    • Functional Point analysis
    • Gantt Chart
    • Critical path methodology
    • Time box management
    Explanation:

    Time box management is a project management technique for defining and deploying software deliverables within a relatively short and fixed period of time, and with predetermined specific resources. There is a need to balance software quality and meet the delivery requirements within the time box or timeframe. The project manager has some degree of flexibility and uses discretion is scoping the requirement. Timebox management can be used to accomplish prototyping or RAPID application development type in which key feature are to be delivered in a short period of time.

    The following were incorrect answers:

    Critical path Method -The critical path method (CPM) is an algorithm for scheduling a set of project activities
    Gantt Chart -A Gantt chart is a type of bar chart, developed by Henry Gantt in the 1910s, that illustrates a project schedule. Gantt charts illustrate the start and finish dates of the terminal elements and summary elements of a project. Terminal elements and summary elements comprise the work breakdown structure of the project. Modern Gantt charts also show the dependency (i.e. precedence network) relationships between activities. Gantt charts can be used to show current schedule status using percent-complete shadings and a vertical “TODAY” line as shown here.

    Functional Point Analysis -Function Point Analysis (FPA) is an ISO recognized method to measure the functional size of an information system. The functional size reflects the amount of functionality that is relevant to and recognized by the user in the business. It is independent of the technology used to implement the system.

    Reference:

    CISA review manual 2014 Page number 154

  10. Who is mainly responsible for protecting information assets they have been entrusted with on a daily basis by defining who can access the data, it’s sensitivity level, type of access, and adhering to corporate information security policies?

    • Data Owner
    • Security Officer
    • Senior Management
    • End User
    Explanation:

    The Data Owner is the person who has been entrusted with a data set that belong to the company. As such they are responsible to classify the data according to it’s value and sensitivity. The Data Owner decides who will get access to the data, what type of access would be granted. The Data Owner will tell the Data Custodian or System Administrator what access to configure within the systems.

    A business executive or manager is typically responsible for an information asset. These are the individuals that assign the appropriate classification to information assets. They ensure that the business information is protected with appropriate controls. Periodically, the information asset owners need to review the classification and access rights associated with information assets. The owners, or their delegates, may be required to approve access to the information. Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Owners or their delegates are responsible for understanding the risks that exist with regards to the information that they control.

    The following answers are incorrect:

    Executive Management/Senior Management – Executive management maintains the overall responsibility for protection of the information assets. The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know.

    Security Officer – The security officer directs, coordinates, plans, and organizes information security activities throughout the organization. The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, auditors, and third parties such as vendors. The security officer and his or her team are responsible for the design, implementation, management, and review of the organization’s security policies, standards, procedures, baselines, and guidelines.

    End User – The end user does not decide on classification of the data

    Reference:

    CISA review manual 2014 page number 108
    Official ISC2 guide to CISSP CBK 3rd Edition Page number 342

  11. Which of the following testing method examines the functionality of an application without peering into its internal structure or knowing the details of it’s internals?

    • Black-box testing
    • Parallel Test
    • Regression Testing
    • Pilot Testing
    Explanation:

    Black-box testing is a method of software testing that examines the functionality of an application (e.g. what the software does) without peering into its internal structures or workings (see white-box testing). This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well.

    For your exam you should know the information below:

    Alpha and Beta Testing – An alpha version is early version is an early version of the application system submitted to the internal user for testing. The alpha version may not contain all the features planned for the final version. Typically, software goes to two stages testing before it consider finished. The first stage is called alpha testing is often performed only by the user within the organization developing the software. The second stage is called beta testing, a form of user acceptance testing, generally involves a limited number of external users. Beta testing is the last stage of testing, and normally involves real world exposure, sending the beta version of the product to independent beta test sites or offering it free to interested user.

    Pilot Testing -A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests – usually over interim platform and with only basic functionalities.

    White box testing – Assess the effectiveness of a software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program’s specific logic path. However, testing all possible logical path in large information system is not feasible and would be cost prohibitive, and therefore is used on selective basis only.

    Black Box Testing – An integrity based form of testing associated with testing components of an information system’s “functional” operating effectiveness without regards to any specific internal program structure. Applicable to integration and user acceptance testing.

    Function/validation testing – It is similar to system testing but it is often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements.

    Regression Testing -The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data.

    Parallel Testing – This is the process of feeding test data into two systems – the modified system and an alternative system and comparing the result.

    Sociability Testing -The purpose of these tests is to confirm that new or modified system can operate in its target environment without adversely impacting existing system. This should cover not only platform that will perform primary application processing and interface with other system but, in a client server and web development, changes to the desktop environment. Multiple application may run on the user’s desktop, potentially simultaneously, so it is important to test the impact of installing new dynamic link libraries (DLLs), making operating system registry or configuration file modification, and possibly extra memory utilization.

    The following answers are incorrect:

    Parallel Testing – This is the process of feeding test data into two systems – the modified system and an alternative system and comparing the result.

    Regression Testing -The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data.

    Pilot Testing -A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests – usually over interim platform and with only basic functionalities

    Reference:
    CISA review manual 2014 Page number 167
    Official ISC2 guide to CISSP CBK 3rd Edition Page number 176

  12. Which of the following testing method examines internal structure or working of an application?

    • White-box testing
    • Parallel Test
    • Regression Testing
    • Pilot Testing
    Explanation:

    White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT).

    White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a system–level test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements.
    For your exam you should know the information below:

    Alpha and Beta Testing – An alpha version is early version is an early version of the application system submitted to the internal user for testing. The alpha version may not contain all the features planned for the final version. Typically, software goes to two stages testing before it consider finished. The first stage is called alpha testing is often performed only by the user within the organization developing the software. The second stage is called beta testing, a form of user acceptance testing, generally involves a limited number of external users. Beta testing is the last stage of testing, and normally involves real world exposure, sending the beta version of the product to independent beta test sites or offering it free to interested user.

    Pilot Testing -A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests – usually over interim platform and with only basic functionalities.

    White box testing – Assess the effectiveness of a software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program’s specific logic path. However, testing all possible logical path in large information system is not feasible and would be cost prohibitive, and therefore is used on selective basis only.

    Black Box Testing – An integrity based form of testing associated with testing components of an information system’s “functional” operating effectiveness without regards to any specific internal program structure. Applicable to integration and user acceptance testing.

    Function/validation testing – It is similar to system testing but it is often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements.

    Regression Testing -The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data.

    Parallel Testing – This is the process of feeding test data into two systems – the modified system and an alternative system and comparing the result.

    Sociability Testing -The purpose of these tests is to confirm that new or modified system can operate in its target environment without adversely impacting existing system. This should cover not only platform that will perform primary application processing and interface with other system but, in a client server and web development, changes to the desktop environment. Multiple application may run on the user’s desktop, potentially simultaneously, so it is important to test the impact of installing new dynamic link libraries (DLLs), making operating system registry or configuration file modification, and possibly extra memory utilization.

    The following answers are incorrect:

    Parallel Testing – This is the process of feeding test data into two systems – the modified system and an alternative system and comparing the result.

    Regression Testing -The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data.

    Pilot Testing -A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests – usually over interim platform and with only basic functionalities

    Reference:
    CISA review manual 2014 Page number 167
    Official ISC2 guide to CISSP CBK 3rd Edition Page number 176

  13. Identify the correct sequence of Business Process Reengineering (BPR) benchmarking process from the given choices below?

    • PLAN, RESEARCH, OBSERVE, ANALYZE, ADOPT and IMPROVE
    • OBSERVE, PLAN, RESEACH, ANALYZE, ADOPT and IMPROVE
    • PLAN, OBSERVE, RESEARCH, ANALYZE, ADOPT and IMPROVE
    • PLAN, RESEARCH, ANALYZE, OBSERVE, ADOPT and IMPROVE
    Explanation:

    The correct sequence of BRP benchmarking is PLAN, RESEARCH, OBSERVE, ANALYZE, ADOPT and IMPROVE.

    For your exam you should know the information below:

    Overview of Business Process Reengineering
    One of the principles in business that remains constant is the need to improve your processes and procedures. Most trade magazines today contain discussions of the detailed planning necessary for implementing change in an organization. The concept of change must be accepted as a fundamental principle. Terms such as business evolution and continuous improvement ricochet around the room in business meetings. It’s a fact that organizations which fail to change are destined to perish.

    As a CISA, you must be prepared to investigate whether process changes within the organization are accounted for with proper documentation. All internal control frameworks require that management be held responsible for safeguarding all the assets belonging to their organization. Management is also responsible for increasing revenue.

    BPR Application Steps
    ISACA cites six basic steps in their general approach to BPR. These six steps are simply an extension of Stewart’s Plan-Do-Check-Act model for managing projects:
    Envision -Visualize a need (envision). Develop an estimate of the ROI created by the proposed change. Elaborate on the benefit with a preliminary project plan to gain sponsorship from the organization. The plan should define the areas to be reviewed and clarify the desired result at the end of the project (aka end state objective). The deliverables of the envision phase include the following:
    Project champion working with the steering committee to gain top management approval
    Brief description of project scope, goals, and objectives description of the specific deliverables from this project with a preliminary charter to evidence management’s approval, the project may proceed into the initiation phase.

    Initiate -This phase involves setting BPR goals with the sponsor. Focus on planning the collection of detailed evidence necessary to build the subsequent BPR plan for redesigning the process. Deliverables in the initiation phase include the following:
    Identifying internal and external requirements (project specifications)
    Business case explaining why this project makes sense (justification) and the estimated return on investment compared to the total cost (net ROI)
    Formal project plan with budget, schedule, staffing plan, procurement plan, deliverables, and project risk analysis
    Level of authority the BPR project manager will hold and the composition of any support committee or task force that will be required
    From the profit and loss (P&L) statement, identify the item line number that money will be debited from to pay for this project and identify the specific P&L line number that the financial return will later appear under (to provide strict monitoring of the ROI performance)
    Formal project charter signed by the sponsors It’s important to realize that some BPR projects will proceed to their planned conclusion and others may be halted because of insufficient evidence. After a plan is formally approved, the
    BPR project may proceed to the diagnostic phase.

    Diagnose Document existing processes. Now it’s time to see what is working and identify the source of each requirement. Each process step is reviewed to calculate the value it creates. The goal of the diagnostic phase is to gain a better understanding of existing processes. The data collected in the diagnostic phase forms the basis of all planning decisions:
    Detailed documentation of the existing process
    Performance measurement of individual steps in the process
    Evidence of specific process steps that add customer value
    Identification of process steps that don’t add value
    Definition of attributes that create value and quality
    Put in the extra effort to do a good job of collecting and analyzing the evidence. All future assumptions will be based on evidence from the diagnostic phase.

    Redesign- Using the evidence from the diagnostic phase, it’s time to develop the new process.
    This will take several planning iterations to ensure that the strategic objectives are met. The formal redesign plans will be reviewed by sponsors and stakeholders. A final plan will be presented to the steering committee for approval. Here’s an example of deliverables from the redesign phase.
    Comparison of the envisioned objective to actual specifications
    Analysis of alternatives (AoA)
    Prototyping and testing of the redesigned process
    Formal documentation of the final design
    The project will need formal approval to proceed into the reconstruction phase. Otherwise, the redesign is halted pending further scrutiny while comparing the proposed design with available evidence. Insufficient evidence warrants halting the project.

    Reconstruct With formal approval received, it’s time to begin the implementation phase.
    The current processes are deconstructed and reassembled according to the plan. Reconstruction may be in the form of a parallel process, modular changes, or complete transition. Each method presents a unique risk and reward opportunity. Deliverables from this phase include the following:
    Conversion plan with dependencies in time sequence
    Change control management
    Execution of conversion plan with progress monitoring
    Training of users and support personnel
    Pilot implementation to ensure a smooth migration Formal approval by the sponsor.
    The reconstructed process must be formally approved by management to witness their consent for fitness of use. IT governance dictates that executive management shall be held responsible for any failures and receive recognition for exceptional results. System performance will be evaluated again after entering production use.

    Evaluate (post evaluation) The reconstructed process is monitored to ensure that it works and is producing the strategic value as forecast in the original justification.
    Comparison of original forecast to actual performance Identification of lessons learned
    Total quality management plan to maintain the new process
    A method of continuous improvement is implemented to track the original goals against actual process performance. Annual reevaluation is needed to adapt new requirements or new opportunities.

    Benchmarking as a BPR Tool
    Benchmarking is the process of comparing performance data (aka metrics). It can be used to evaluate business processes that are under consideration for reengineering. Performance data may be obtained by using a self-assessment or by auditing for compliance against a standard (reference standard). Evidence captured during the diagnostic phase is considered the key to identifying areas for performance improvement and documenting obstacles. ISACA offers the following general guidelines for performing benchmarks:

    Plan Identify the critical processes and create measurement techniques to grade the processes.
    Research Use information about the process and collect regular data (samples) to build a baseline for comparison. Consider input from your customers and use analogous data from other industries.
    Observe Gather internal data and external data from a benchmark partner to aid the comparison results. Benchmark data can also be compared against published standards.
    Analyze Look for root cause-effect relationships and other dependencies in the process. Use predefined tools and procedures to collate the data collected from all available sources.
    Adapt Translate the findings into hypotheses of how these findings will help or hurt strategic business goals. Design a pilot test to prove or disprove the hypotheses.
    Improve Implement a prototype of the new processes. Study the impact and note any unexpected results. Revise the process by using controlled change management. Measure the process results again. Use reestablished procedures such as total quality management for continuous improvement.

    The following answers are incorrect:

    The other options specified does not represent the correct sequence of BRP benchmarking steps.

    Reference:

    CISA review manual 2014 page number 219 to 211
    CISA certified information system auditor study guide Second Edition Page Number 154 to 158

  14. Identify the correct sequence of Business Process Reengineering (BPR) application steps from the given choices below?

    • Envision, Initiate, Diagnose, Redesign, Reconstruct and Evaluate
    • Initiate, Envision, Diagnose, Redesign, Reconstruct and Evaluate
    • Envision, Diagnose, Initiate, Redesign, Reconstruct and Evaluate
    • Evaluate, Envision, Initiate, Diagnose, Redesign, Reconstruct
    Explanation:

    The correct sequence of BRP application step is Envision, Initiate, Diagnose, Redesign, Reconstruct and Evaluate.

    For your exam you should know the information below:

    Overview of Business Process Reengineering
    One of the principles in business that remains constant is the need to improve your processes and procedures. Most trade magazines today contain discussions of the detailed planning necessary for implementing change in an organization. The concept of change must be accepted as a fundamental principle. Terms such as business evolution and continuous improvement ricochet around the room in business meetings. It’s a fact that organizations which fail to change are destined to perish.

    As a CISA, you must be prepared to investigate whether process changes within the organization are accounted for with proper documentation. All internal control frameworks require that management be held responsible for safeguarding all the assets belonging to their organization. Management is also responsible for increasing revenue.

    BPR Application Steps
    ISACA cites six basic steps in their general approach to BPR. These six steps are simply an extension of Stewart’s Plan-Do-Check-Act model for managing projects:
    Envision -Visualize a need (envision). Develop an estimate of the ROI created by the proposed change. Elaborate on the benefit with a preliminary project plan to gain sponsorship from the organization. The plan should define the areas to be reviewed and clarify the desired result at the end of the project (aka end state objective). The deliverables of the envision phase include the following:
    Project champion working with the steering committee to gain top management approval
    Brief description of project scope, goals, and objectives description of the specific deliverables from this project with a preliminary charter to evidence management’s approval, the project may proceed into the initiation phase.

    Initiate -This phase involves setting BPR goals with the sponsor. Focus on planning the collection of detailed evidence necessary to build the subsequent BPR plan for redesigning the process. Deliverables in the initiation phase include the following:

    Identifying internal and external requirements (project specifications)
    Business case explaining why this project makes sense (justification) and the estimated return on investment compared to the total cost (net ROI)
    Formal project plan with budget, schedule, staffing plan, procurement plan, deliverables, and project risk analysis
    Level of authority the BPR project manager will hold and the composition of any support committee or task force that will be required
    From the profit and loss (P&L) statement, identify the item line number that money will be debited from to pay for this project and identify the specific P&L line number that the financial return will later appear under (to provide strict monitoring of the ROI performance)
    Formal project charter signed by the sponsors

    It’s important to realize that some BPR projects will proceed to their planned conclusion and others may be halted because of insufficient evidence. After a plan is formally approved, the
    BPR project may proceed to the diagnostic phase.

    Diagnose Document existing processes. Now it’s time to see what is working and identify the source of each requirement. Each process step is reviewed to calculate the value it creates. The goal of the diagnostic phase is to gain a better understanding of existing processes. The data collected in the diagnostic phase forms the basis of all planning decisions:

    Detailed documentation of the existing process
    Performance measurement of individual steps in the process
    Evidence of specific process steps that add customer value
    Identification of process steps that don’t add value
    Definition of attributes that create value and quality

    Put in the extra effort to do a good job of collecting and analyzing the evidence. All future assumptions will be based on evidence from the diagnostic phase.

    Redesign- Using the evidence from the diagnostic phase, it’s time to develop the new process.
    This will take several planning iterations to ensure that the strategic objectives are met. The formal redesign plans will be reviewed by sponsors and stakeholders. A final plan will be presented to the steering committee for approval. Here’s an example of deliverables from the redesign phase.

    Comparison of the envisioned objective to actual specifications
    Analysis of alternatives (AoA)
    Prototyping and testing of the redesigned process
    Formal documentation of the final design

    The project will need formal approval to proceed into the reconstruction phase. Otherwise, the redesign is halted pending further scrutiny while comparing the proposed design with available evidence. Insufficient evidence warrants halting the project.

    Reconstruct With formal approval received, it’s time to begin the implementation phase.
    The current processes are deconstructed and reassembled according to the plan. Reconstruction may be in the form of a parallel process, modular changes, or complete transition. Each method presents a unique risk and reward opportunity. Deliverables from this phase include the following:

    Conversion plan with dependencies in time sequence
    Change control management
    Execution of conversion plan with progress monitoring
    Training of users and support personnel
    Pilot implementation to ensure a smooth migration
    Formal approval by the sponsor.

    The reconstructed process must be formally approved by management to witness their consent for fitness of use. IT governance dictates that executive management shall be held responsible for any failures and receive recognition for exceptional results. System performance will be evaluated again after entering production use.

    Evaluate (post evaluation) The reconstructed process is monitored to ensure that it works and is producing the strategic value as forecast in the original justification.
    Comparison of original forecast to actual performance Identification of lessons learned
    Total quality management plan to maintain the new process
    A method of continuous improvement is implemented to track the original goals against actual process performance. Annual reevaluation is needed to adapt new requirements or new opportunities.

    Benchmarking as a BPR Tool
    Benchmarking is the process of comparing performance data (aka metrics). It can be used to evaluate business processes that are under consideration for reengineering. Performance data may be obtained by using a self-assessment or by auditing for compliance against a standard (reference standard). Evidence captured during the diagnostic phase is considered the key to identifying areas for performance improvement and documenting obstacles. ISACA offers the following general guidelines for performing benchmarks:

    Plan Identify the critical processes and create measurement techniques to grade the processes.
    Research Use information about the process and collect regular data (samples) to build a baseline for comparison. Consider input from your customers and use analogous data from other industries.
    Observe Gather internal data and external data from a benchmark partner to aid the comparison results. Benchmark data can also be compared against published standards.
    Analyze Look for root cause-effect relationships and other dependencies in the process. Use predefined tools and procedures to collate the data collected from all available sources.
    Adapt Translate the findings into hypotheses of how these findings will help or hurt strategic business goals. Design a pilot test to prove or disprove the hypotheses.
    Improve Implement a prototype of the new processes. Study the impact and note any unexpected results. Revise the process by using controlled change management. Measure the process results again. Use reestablished procedures such as total quality management for continuous improvement.

    The following answers are incorrect:

    The other options specified does not represent the correct sequence of BRP application steps.

    Reference:

    CISA review manual 2014 page number 219 to 211
    CISA certified information system auditor study guide Second Edition Page Number 154 to 158

  15. Following request for proposal (RFP) responses, a project seeking to acquire a new application system has identified a short list of vendors. At this point, the IS auditor should:

    • encourage contact with current users of the vendor’s products
    • perform a detailed cost-benefit exercise on the proposed application
    • require that contract terms include a right-to-audit clause
    • recommend performing system integration tests
  16. Following a recent acquisition, an information security manager has been requested the outstanding risk reported early in the acquisition process. Which of the following would be the manager’s BEST course of action?

    • Perform a vulnerability assessment of the acquired company’s infrastructure.
    • Re-evaluate the risk treatment plan for the outstanding risk.
    • Re-assess the outstanding risk of the acquired company.
    • Add the outstanding risk to the acquiring organization’s risk registry
  17. During the due diligence phase of an acquisition, the MOST important course of action for an information security manager would be to:

    • review the state of security awareness
    • perform a gap analysis
    • perform a risk assessment
    • review information security policies
  18. When an organization and its IT-hosting service provider are establishing a contract with each other, it is MOST important that the contract includes:

    • each party’s security responsibilities
    • details of expected security metrics
    • penalties for noncompliance with security policy
    • recovery time objectives (RTOs)
  19. An organization is in the process of acquiring a competitor. The information security manager has been asked to report on the security posture of the target acquisition. Which of the following should be the security manager’s FIRST course of action?

    • Implement a security dashboard
    • Quantity the potential risk
    • Perform a gap analysis
    • Perform a vulnerability assessment
  20. A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement:

    • a formal request for proposal (RFP) process
    • an information asset acquisition policy
    • asset life cycle management
    • business case development procedures