
Dear friends, I am sharing with you mnemonic words for CHAPTER 3 of ISCA.

A Word file of the same is also uploaded in the files section of the site.


Reasons for the Gap between the Need to protect systems and the Protection applied : HIDE & U C ME  (Prof. Jignesh Chheda)

  1. External dangers from Hackers    
  2. Inter connectivity of systems  
  3. Devolution of management & control  
  4. Elimination of Time, Distance, Space constraints   
  5. Widespread Use of technology   
  6. Unevenness of technological Changes   
  7. Growing potential for Misuse
  8. External factors such as legal & regulatory requirements

IS Security:

  1. Protection of valuable assets from threat, sabotage etc.     
  2. IS security can be > Physical  e.g. Locks, Insurance  > Logical / Technical e.g. Passwords, Firewalls
  3. To be Holistic - applies to all information to be protected.

IS Security Objectives :  To Protect -

  1. Interest of those relying on Information
  2. Information system that delivers information

Attributes of IS Security Objectives : CIA = u (DMW)  (Prof. Jignesh Chheda)

  1. Confidentiality : To Prevent  - unauthorized Disclosure      
  2. Integrity : To Prevent  - unauthorized Modification      
  3. Availability : To Prevent  - unauthorized Withholding  

What Information is Sensitive : SBF

  1. Strategic Plans :  > Crucial for the success of the company  > Gives competitive advantage to competitors if it reaches their hands
  2. Business Operations :  > Processes & procedures that are proprietary in nature  e.g. Price List, Formulae etc.  > Damaging if passed into the hands of competitors
  3. Finance :  > Financial Information such as Salary & wages  > Range known within the Industry, but precise information gives competitive advantage to others

Information Security policy :  

  1. Statement of Intent by the management on how to protect information and assets      
  2. Does not specify Technology but gives rules to -  i) Protect information from unauthorized DMW  ii) Eliminate Legal liabilities  iii) Prevent waste of resources
  3. It must be in written form  

Tools to Implement Security policy :  

  1. Standards : > Specify Technology to be implemented
  2. Guidelines : > Helps smooth implementation of policy
  3. Procedures : > Gives detailed steps to be followed to achieve goals > Assist in implementation of policy                                

Issues to address by Security policy : DIG Beats Right hand of Dawood

  1. Definition of Information security      
  2. Importance of Information security to the organization      
  3. Goals and Objectives Information security  
  4. Brief explanation of security policies, principles, standards
  5. Definition of all relevant security Responsibilities
  6. Reference to supporting Documentation     

Auditor’s responsibilities in Security policy: Auditor should ensure that policy -

  1. Available to all employees      
  2. Employees are aware of its existence      
  3. Has an owner responsible for its maintenance
  4. Is updated for any changes


Components of Security Policy : PSI  IPS  AT IB In Legal Monitoring Dept.

  1. Purpose & Scope of the document    
  2. Security Organization Structure    
  3. IT operations management    
  4. IT Communications    
  5. Physical & Environmental security     
  6. System development & maintenance     
  7. Access Control     
  8. The security Infrastructure     
  9. Incident Handling
  10. Business Continuity Planning
  11. Inventory & Classification of  assets
  12. Legal Compliance
  13. Monitoring & auditing requirement
  14. Document maintenance & compliance   

IS Controls :

Need for IS Controls -

  • Tremendous amount of data and information due to technology
  • Timely flow of accurate information requires built-in controls

IS Control procedures : SAS  O Q Pite Bahu and Pati

  1. Strategy and direction    
  2. Access to IT Resources, Data & Program  
  3. System development methods and change control  
  4. Operation procedures
  5. Quality Assurance procedures   
  6. Physical Access control   
  7. BCP & DRP   
  8. Protective and Detective mechanism     

Impact of Technology on Internal Controls : MARS is At Peak Into Darkness (Prof. Jignesh Chheda)

  1. Management Supervision
  2. Access to Assets and Records      
  3. Record keeping  
  4. Segregation of duties  
  5. Authorization procedures   
  6. Personnel   
  7. Independent Check
  8. Delegation of authority

5 Inter-related components of Internal Control : ReMA  Is a nice girl  (Prof. Jignesh Chheda)

  1. Risk Assessment      
  2. Control Environment      
  3. Monitoring      
  4. Control Activities      
  5. Information & Communications    

IS Control Techniques :

Objectives of Controls :

  1. Controls are defined as Policies, Procedures, Practices and Organization structures designed
  2. To provide reasonable assurance that business objectives will be met and undesirable events will be prevented
  3. To reduce or eliminate the cause of Exposure

Critical Control Considerations : LAB  CT  scan

  1. Lack of management understanding of IS Risk and Controls      
  2. Absence or weak IS Control      
  3. Lack of awareness of IS Risks among Business users  
  4. Complexity in implementing controls  
  5. Lack of implementation of controls in highly Technology driven environment     

Purposes met by Controls objectives : OB

  1. Outline policies laid down by management      
  2. Benchmark to evaluate whether controls objectives are met    


Preventive Controls :

Characteristics : VP Control

  1. Understanding  Vulnerabilities of assets      
  2. Understanding  Probable threat to assets      
  3. Provision of Controls against probable threat    

Example :  > Segregation of duties  > Anti-Virus  > Passwords

Detective Controls :

Characteristics : RP Singh  

  1. Report unlawful activities to appropriate person       
  2. Prevent such acts from occurring       
  3. Surprise checks by Supervisor     

Example :  > Hash totals  > Intrusion Detection system  > Bank Reconciliations

Corrective Controls :

Characteristics : MIC Man  

  1. Minimize impact of threat to assets        
  2. Identify the cause of problem        
  3. Correcting error arising from problem  
  4. Modify the processing system to minimize further occurrence of problem      

Example :  > Contingency Plan  > Back up procedure  > Rerun procedure

Organizational Controls Techniques : RP Job Search

  1. Definition of Responsibilities & Objectives of each function    
  2. Policies and Procedures      
  3. Job description    
  4. Segregation of duties  

Management Controls :  MIS - File

  1. By the Management to ensure system functions correctly    
  2. IT activities are adequately controlled       
  3. Scope of controls includes framing high level IT policies, standards and establishing Internal Controls     
  4. Controls Flows from Top to Down in organization   

Financial Controls : ABCD2 Sequel -2  (Prof. Jignesh Chheda)

  1. Authorization      
  2. Budget    
  3. Cancellation of Documents    
  4. Documentation  
  5. Dual Control  
  6. Safe keeping  
  7. Sequentially numbered documents     

Boundary Control techniques : Cryptography In Pin Password

  1. Cryptography    
  2. Identification Cards      
  3. Personal Identification No. (PIN)  
  4. Password

Update Controls : Sanjay Elected MP

  1. Sequence Check Transaction and Master files      
  2. Ensure all record files are processed      
  3. Maintain Suspense account
  4. Process multiple transactions for single record in correct order    

Report Controls : Priyanka Sonia Rahul  (PSR)

  1. Print Run-to-Run Control      
  2. Standing Data      
  3. Recovery Controls    

Information Classification :

Information classification should be based on the level of sensitivity, i.e. the extent to which the information needs to be protected.

5 Grades of Information Classification: Tu Hai Pehla Intezar aur Pyaar 

  1. Top Secret    
  2. Highly Confidential      
  3. Proprietary  
  4. Internal Use only  
  5. Public documents    

Data Integrity :

Classified data should be secured through various data integrity controls. Data Integrity is a reflection of the accuracy, correctness and validity of data.

Objectives of Data Integrity

  1. To prevent, detect, correct errors in transactions through stages of processing    
  2. To protect data from accidental / malicious alteration   

Critical procedures in assessing Data Integrity

  1. Virus detection and elimination through installation of software    
  2. Validation controls to provide assurance that information not altered

Six categories of Data Integrity controls : Shine In Old  POT

  1. Source data control
  2. Input validation routines
  3. Online data entry control
  4. Processing and Storage of data control
  5. Output control
  6. Transmission of data control    

Data Integrity Policies :  Vijay Sales takes Daily Backup of Data (Prof. Jignesh Chheda)

  1. Virus Signature updating  
  2. Software testing
  3. Division of Environment
  4. Offsite Backup storage
  5. Backup storage -quarter end / year end
  6. Disaster recovery

Logical Access Control :

Logical Access Paths : TODO (Prof. Jignesh Chheda)

  1. Telecommunication Network  
  2. Online Terminals 
  3. Dial up Ports
  4. Operator Console

Issues and Exposures to Logical Access : 

A] Technical Exposure - Sachin Ramesh Tendulkar Batting Technique During World cup

  1. Salami Technique  
  2. Rounding Down  
  3. Trap Doors  
  4. Bombs - Time & Logic Bombs
  5. Trojan Horse 
  6. Data Diddling  
  7. Worms

B] Computer Crime Exposure - F -DISCS  (Prof. Jignesh Chheda)

  1. Financial Loss    
  2. Disclosure of Confidential & Sensitive Information  
  3. Industrial Espionage / Blackmail 
  4. Sabotage   
  5. Credibility Loss   
  6. Spoofing  

C] Asynchronous Attacks -  Pen  Drive Wirus Scan

  1. Piggybacking    
  2. Data Leakage   
  3. Wire Tapping  
  4. Shut Down / Denial of Service   

User Access Control :

User Access Management : UP Under Review  

  1. User Registration      
  2. Privilege Management      
  3. User Password Management    
  4. Review of user access rights  

User Responsibilities : UP   

  1. Unattended user equipment     
  2. Password Use      

Operating system Access Control : TU Padh Direct Tax Laws   

  1. Automated Terminal Identification       
  2. User Identification and authentication  
  3. Password Management system       
  4. Duress alarm to safeguard users  
  5. Terminal Time Out     
  6. Limitation of connection time   

Physical Access Control : Amitabh Bachchan Payment DUE   

Issues and Exposures to Physical Access :   

  1. Abuse of data   
  2. Blackmail   
  3. Public disclosure of sensitive information  
  4. Damage, Vandalism   
  5. Unauthenticated entry
  6. Embezzlement

Possible Perpetrators of Physical Access exposures :  GOINDEAF (Prof. Jignesh Chheda)

  1. Gambling addiction   
  2. On Strike     
  3. Information to competitors, thieves, hackers
  4. Notified on Termination     
  5. Dissatisfied
  6. Threatened by Disciplinary action 
  7. Emotional problems 
  8. Accidental Ignorant 
  9. Former employee  

Access Control Mechanism - 3 steps : India - Afghanistan Agreement

  1. Identification       
  2. Authentication
  3. Authorization - 2 approach - a) Ticket Oriented   b) List Oriented

Cyber Frauds : Frauds committed by the use of technology

Major reasons for increase of frauds :   IOS

  1. Internal Control failure    
  2. Organization's failure to update to the new set of risks
  3. Smart fraudsters who target weaknesses in the system before the organization realizes

Types of cyber frauds based on functionality : PC

  1. Pure cyber frauds    
  2. Cyber enabled frauds     

Major cyber attacks :  WE Started New SPV   

  1. Website compromise      
  2. Eavesdropping
  3. Scavenging
  4. Network scanning      
  5. Spam     
  6. Phishing   
  7. Virus / malicious codes     

Impact of cyber frauds on Enterprise : FD Loss Legal Stand

  1. Financial Loss      
  2. Disclosure of Sensitive Information       
  3. Loss of Credibility       
  4. Legal Repercussion
  5. Sabotage     

Techniques to Commit cyber frauds:   

  1. Hacking       
  2. Cracking
  3. Data Diddling
  4. Data Leakage 
  5. Denial of Service attack
  6. Logic / Time Bomb   
  7. Masquerading    
  8. Round Down    
  9. Scavenging    


Published by

Parag Sambhaji Shinde
(Management Trainee)