Professional Documents
Culture Documents
E-13 IT (Summer 2015)
E-13 IT (Summer 2015)
E-13 IT (Summer 2015)
(a)
(i)
(ii)
(b)
Unit testing is a testing technique that is used to test program logic within a particular
program or module.
Whole-of-program testing focuses on the program, in total, to establish whether it meets the
requirements. Following types of test may be performed under this testing:
Function test
Performance test
Acceptance test
Installation test
Ans.2
(a)
When RU will go for the online payment solution, it will need to develop and install
customised application on its website, connect it to the payment solution providers website,
and implement mandatory controls to ensure secure processing of payment.
Such features and controls may require additional storage space, uploading/downloading
limits and support for development tools etc. Hence, RU would need to review its existing
webhosting contract and to make necessary amendments accordingly.
(b)
The customized application would enable the students to create their accounts (get them
registered) at the RUs website. The application would identify and distinguish each student
through a unique field (ID) e.g., their enrollment number. They would be authenticated
through their passwords, after which the payment requests of the students would be
forwarded automatically to the payment service provider. The application will also keep track
of the students payments using their unique ID.
Page1 of7
Ans.3
(c)
Following controls should be implemented in order to ensure smooth and secure availability
of the online fee payment system:
(i) Installing secure socket layer over students login and payment processing pages.
(ii) Storing students passwords in irreversible encryption.
(iii) Storing students personal information in encrypted format.
(iv) Backup and contingency plan for ensuring availability of the online payment feature.
(d)
RU would need to consider the following factors while selecting a bank for opening internet
merchant account:
(i)
Cost
RU should consider which bank is offering most competitive rates for providing the
required service. This may include account set up cost, annual maintenance cost and
cost per transaction.
(ii)
(iii)
Technical support
RU may consider the extent and level of technical support provided by the bank. This
may include availability of support on 247 basis, strength and qualification of
technical support team and problem reporting and resolution mechanism etc.
(iv)
Security
RU may need to consider the controls that have been implemented by the bank for
ensuring the security of students credit card details. This may include enquiring about
the controls implemented for ensuring security of students data, to which security
standards the payment system is compliant and fraud protection controls etc.
(v)
Availability
RU would need to consider the measures taken by the bank to ensure availability of the
payment system. This may include reviewing the backup and contingency planning.
(vi)
Market reputation
RU may need to survey market and/or take feedback from the banks existing
customers on all of the above stated factors to assess the reliability of the bank.
(a)
If employees access their companys network through their personal mobile devices then the
company may be exposed to following primary security and control issues:
(i)
Protection of sensitive data and intellectual property.
(ii) Malware protection.
(b)
Network access
(i)
Protect the network with a properly configured firewall.
(ii) Determine which devices are allowed on the network.
(iii) Keep list of authorized users updated.
(iv) Data flowing between personal mobile devices and the organizations server should be
encrypted.
Page2 of7
Device management
(i)
Keep updated inventory of authorized devices.
(ii) Create mandatory and acceptable endpoint security components (e.g., updated and
functional antivirus software, updated security patch, level of browser security settings)
to be present on these devices.
(iii) Confidential or sensitive data stored on personal mobile devices should be encrypted in
accordance with the organizations IS policies.
(iv) Take appropriate steps to ensure the availability / recovery of data in case of loss of
device.
Application security management
(i)
Determine which operating systems and versions are allowed on the network.
(ii) Determine which applications are mandatory (or prohibited) for each device.
(iii) Access to application may be on a need-to know basis.
Ans.4
(a)
(b)
Ans.5
(iv)
Complaint Number
Error date
Error code / description
Source of error
Escalation date and time
Initials of the individual responsible for maintaining the log
Initials of the individual responsible for closing the log entry
Department / center responsible for error resolution
Status code of problem resolution (i.e. problem open, problem close, pending etc.)
Error resolution description
Put in place properly documented policies and procedures to guard against unauthorized use
or copying of software.
(vi) Keep an updated list of all types of software in use or in inventory.
(vii) Regularly scanning user PCs, either from the LAN or directly, to ensure that unauthorized
copies of software have not been loaded on the PC.
Yours sincerely,
Sd
IS Auditor
Ans.6
(a)
Key differences between cold, warm and hot sites are as follows
Cold Site
Warm Site
Hot Site
It does not have computer It is partially configured, It is a fully operational offsite data
equipment
in
place, usually with network processing facility equipped with
however, it is ready to connections and disk both hardware and system software.
receive such equipment.
drives but without the
main computer or with a
less powerful CPU.
(b)
Configurations
Required configuration of hardware had not been specified and vendors hardware and
software configurations might have been found to be inadequate to meet company
needs.
(ii)
Disaster
The definition of disaster may not be broad enough to meet the anticipated needs.
Hence, the vendor might have taken time in agreeing to treat the incidence as disaster
and handing over the facility to SIC.
(iii)
Speed of availability
The time within which the site would be made available may not have been specified or
longer than required time may have been specified.
(iv)
Preference
In case of shared hot site the agreement may not be cleared as to arrangements if more
than one client requires the use of the hot site.
(v)
Communications
The agreement may be silent over minimum acceptable communication facilities and
hence the communication facilities provided by the vendor might be inadequate.
(vi)
Five key stages in developing an information strategy plan, along with main steps/activities in each
stage are described below.
Stage 1: Initiate Information Strategy Planning Project
(i)
Gain Senior Management approval and sponsorship
(ii) Form a committee to supervise strategic planning process
(iii) Prepare TOR of the committee
Stage 2: Identify your business position
(i)
Assess current business position (including size, structure and maturity of an organization)
(ii) Identify future business direction (Where it wants to be? / What it wants to do or achieve?)
(iii) Decide what role IT should play in the business
Ans.8
(a)
(b)
(i)
Function
Defining data
Data Administrator
(i)
Strategic data planning
(ii)
Determine user needs
(iii) Specify conceptual and
external schema
definitions
Database Administrator
(i) Specify internal schema
definitions / specifying
the physical data
definition
(ii) Changing the physical
Data definition to
improve performance
Page5 of7
(v)
Developing organizational
standards
Maintaining
database
integrity
(vi) Monitoring
operations
Ans.9
(i)
(ii)
(iii)
(iv)
(v)
(vi)
Page6 of7
Consent
The collection of personal information should be obtained by lawful and fair means and with
the knowledge and consent of the data subject (individual).
(ii)
Purpose specification
The purpose for collecting personal information should be disclosed at the time of collection.
Further uses should be limited to those purposes.
(iii)
Use limitation
Personal information should not be disclosed for secondary purposes without the consent of
the data subject or by authority of law.
(iv)
Data quality
Only the relevant data for the extent necessary for the specific purpose should be collected.
The collected data should be accurate, complete and kept up-to-date.
(v)
Security safeguards
Personal information should be protected by reasonable security safeguards against such risks
as loss/ destruction, modification, unauthorized access/ disclosure etc.
(vi)
Openness
There should be a general policy of openness about developments, practices and policies with
respect to personal data. Means should be readily available to establish the existence and
nature of personal data, the main purposes of their use, and the identity and usual residence
of the data controller.
Page7 of7