Exam (elaborations)

CISA Domain 3 Info Sys Acquisition, Development & Implementation 53 Questions with Verified Answers,100% CORRECT

Pages: 10
Grade: A+
Uploaded on: 15-03-2024
Written in: 2023/2024

Benchmarking a Process - CORRECT ANSWER
Term used to describe the activity of continuous process improvement. The purpose of benchmarking is to compare key measurements in a business process.
Plan, Research (yourself), Observe (others), Adopt, Improve

Characteristic of the Maturity Levels (CMMI) - CORRECT ANSWER
IRDMO - I Remember Do Make Oatmeal
1. Initial - This level has no process, no procedures, and no consistency.
2. Repeatable - At this level of maturity, there is some consistency in the ways that individuals perform tasks from one time to the next, as well as some management planning and direction to ensure that tasks and projects are performed consistently.
3. Defined - The organization has developed a site-wide, documented software development process that is used for all development projects.
4. Managed - At this level, the documented software development process includes key measurement points used to measure effectiveness, efficiency, and defects. These measurements are performed and reported to management as a part of the life cycle.
5. Optimizing - At this highest level of maturity, the organization has instituted metrics-driven process improvement techniques to bring about continuous improvement in its SDLC.

COCOMO - The Constructive Cost Model - CORRECT ANSWER
Method for estimating software development projects; it was developed in the aerospace industry in the 1970s and represented an advancement in the ability to estimate the effort required to develop software.

COCOMO - Complexity rating - CORRECT ANSWER
OSE - This rating for the project, expressed as:
• "organic" (a smaller project with experienced software engineers and less-than-rigid requirements)
• "semi-detached" (a larger project with a mix of rigid and semirigid requirements)
• "embedded" (a large project with highly specific and restrictive requirements)

Project Objectives - CORRECT ANSWER
SMART
OBS - object breakdown structure. Helps ensure deliverables are not overlooked
WBS - work breakdown structure. Terms of manageable and controllable units of work. Does not include basic elements of the build

Project Roles & Responsibilities - CORRECT ANSWER
Senior mgt - demonstrates commitment
User mgt - assumes ownership of the project
Project steering - overall direction, approvals etc
Project sponsor - funding for project

Gantt - CORRECT ANSWER
Helps to schedule the activities
When activity should begin and end
Which can be done concurrently or sequential
Progress of project
Track milestones
Used to monitor the progress of a project

PERT - CORRECT ANSWER
Best used for dependencies and shows relationships between planned activities
Critical path, quantitative measure, and three estimates of activity duration (Optimistic, most likely, pessimistic)

FPA - Functional point analysis - CORRECT ANSWER
Estimation technique for larger software projects. The number of application functions and their complexity.
FPA is not hindered by specific technologies or measuring techniques (such as lines of code)

SDLC Phases - CORRECT ANSWER
"gate process" approach
FRSDDCTIP = Friends Recall Silly Dirty Dipping Cans Till IP
• Feasibility
• Requirements
• Software selection
• Design
• Development
• Configuration
• Testing
• Post-implementation

SDLC 1 - Feasibility study - CORRECT ANSWER
Benefits of implementing system
Cost savings
Estimate payback
Business case
Impact assessment

SDLC 2 - Requirements definition - CORRECT ANSWER
define problem solving
define functional and quality requirements
Users need to be actively involved

SDLC 3 - Selection - CORRECT ANSWER
RFP with operational, support and tech requirements
Select vendor with supplier's financial viability & provision for escrow

SDLC 4 - Design - CORRECT ANSWER
Baseline of system
design of programs & DBs
change control process to prevent scope creep
security considerations

SDLC 5 - Development - CORRECT ANSWER
Programming & formalizing supporting operational processes
All unit & system testing
several iterations of user acceptance testing

SDLC 6 - Configuration - CORRECT ANSWER
Configure the system
Build interfaces

SDLC 7 - Testing - CORRECT ANSWER
UAT sign off
Certification & accreditation process

SDLC 8 - Post-implementation - CORRECT ANSWER
Measurements and formal process to assess the adequacy of the system and ROI

Input controls - CORRECT ANSWER
ensure every trans is entered, processed and recorded accurately & completely

Data Validation Edits & Controls (Input Control) - CORRECT ANSWER
Sequence check -
Limit -
Range -
Validation - predetermined criteria
Reasonableness - ie average # of orders
Table lookups - entries looked up in another table
Existence check - predetermined criteria
Key verification - verify based on repeated key input
Check digit - numeric value entered to ensure the data has not been altered
Completeness check - field should always contain data, even if just zeros
Duplicate check -
Logical relationship - conditional if true then

Processing Controls - CORRECT ANSWER
Completeness and accuracy of data
1 - Manual recalculations - sample trans manually checked
2 - Editing - edit check is a program to check input
3 - Run to run tools - verify data values through the stages of app processing
Programmed - messages based on wrong data
Reasonableness - predetermined criteria
Limit checks -
Reconciliation -
Exception reports -

Data File Controls (Processing Control) - CORRECT ANSWER
Before & After image - trace the transactions
Maintenance error reporting & handling - error reports are reconciled and corrected timely
Source documentation retention -
Internal & external labeling -
Version usage -
Data file security -
One for one - individual docs agree with group of docs
Prerecorded input -
Transaction logs - all input is recorded in detail (time, who etc), helps in recovery and investigation
File updating & maintenance authorization -
Parity checking - similar to check bits, used to verify data has not been altered

Output Controls - CORRECT ANSWER
Controlling Special Forms, Report Distribution and Receipt, Reconciliation, Retention

Testing types - CORRECT ANSWER
USIU: unit - system - integration - UAT
Unit - ensures internal operation or program performs according to specification
System - series of tests to ensure system works properly
1) recovery - ability to recover
2) load - evaluate performance
3) volume - incremental volume to determine maximum
4) stress - determine max # of concurrent users/services
5) performance - comparing system performance to other equivalent systems using benchmarks
Integration - test passing information from one system to another
Final acceptance - two major qualities, QA and UAT, they should not be combined

Other types of testing - CORRECT ANSWER
Alpha & beta - alpha (users within sw org) & beta (form of UAT, real world expose)
Pilot - POCs, basic functionality
white box - program logic
black box - testing components (UAT & interface testing)
function/validation - test functionality against requirements
regression - changes did not introduce new errors, use the same test data
parallel - feeding data into two systems and comparing results
sociability - new system can operate in its target environment without impacting existing systems, nothing to do with user experience

sociability testing - CORRECT ANSWER
indicate how the application works with other components within the environment and is not indicative of the user experience.

parallel testing - CORRECT ANSWER
is the process that is completed to make sure that payroll is being accurately calculated by a new system. During parallel testing, the old or "legacy" system is run parallel to new payroll software and the results are compared. Parallel testing is performed when the comparison of two applications

Integrated testing - CORRECT ANSWER
individual software modules are combined and tested as a group. It occurs after unit testing and before validation testing.

function/validation testing - CORRECT ANSWER
is a quality assurance process. Functions are tested by feeding them input and examining the output, and internal program structure is rarely considered. Functional testing usually describes what the system does.

Agile characteristics - CORRECT ANSWER
only plans for the next iteration of development
does not emphasize on baseline
build on actual functionality vs formally defining
limits to defect testing but performs frequently
no emphasis on defined repeatable process but instead on frequent inspections

Rapid application development (RAD) - CORRECT ANSWER
Prototyping is the core strategy
Think Prototype when hearing RAD
RAD is a response to the slower and more structured application development methodologies (such as waterfall)
RAD is characterized by the following activities and features:
• Small development teams consisting of highly experienced developers and analysts
• The development of prototypes
• Development tools that integrate data design, data flow, user interface, and prototyping
• A central repository for software components with an emphasis on code reusability
• Design and prototype analysis sessions with end users
• Tight time frames

Prototyping - CORRECT ANSWER
Methods -
1 - Build the model to create the design. May be pressure to implement an early prototype, not ready for prod
2 - Gradually build the actual system that will operate using 4GL. Good for small & medium efforts. For larger efforts strategy needed, may cause poor quality etc.

CASE Tools - CORRECT ANSWER
Think of continuous auditing
UML
use of automated tools to aid in the sw development process
Upper CASE - documenting business process and app requirements
Middle CASE - developing the detailed designs (reports, process flows etc)
Lower CASE - entire application
Considerations -
1 - CASE tools help the app design but do not ensure they are correct or aligned with business requirements
2 - complement the app dev methodology
3 - data moved needs to be monitored and controlled
4 - standard DB controls

BPR - CORRECT ANSWER
Business Engineering process - automating system process for few manual
Consider key controls may be engineered out of the process
Applying BPR methods & techniques to a process creates an immediate environment for change and provides consistency of results

DSS (Decision Support System) Risks - CORRECT ANSWER
Unwilling users, multiple implementors, inability to specify purpose of usage patterns in advance, inability to predict & cushion impact, lack of support, lack of experience, tech & cost effectiveness issues

Continuous Auditing (CAAT) Snapshots - CORRECT ANSWER
Records flow of transactions
Advantages - verifies program logic
Disadvantage - extensive knowledge of IT needed

Continuous Auditing (CAAT) Mapping - CORRECT ANSWER
identified logic that has not been tested
Advantages - efficient, identifies potential exposures
Disadvantage - cost

Continuous Auditing (CAAT) Tracing & tagging - CORRECT ANSWER
shows the trail of execution and tags
Advantages - provides exact picture of sequence of events & is effective with live & simulation
Disadvantage - computer time, knowledge

Continuous Auditing (CAAT) Test data/deck - CORRECT ANSWER
simulates trans through real transactions
Advantages - source code review is not necessary, used ad hoc, minimal knowledge needed
Disadvantage - difficult to ensure proper checks, does not test master file and master file records

Continuous Auditing (CAAT) Base-case system - CORRECT ANSWER
uses test data sets developed as part of testing of program & verifies correct system operations before acceptance
Advantages - comprehensive testing and compliance testing
Disadvantage - extensive effort to maintain, cooperation needed

Continuous Auditing (CAAT) Parallel operation - CORRECT ANSWER
ability to compare results from two systems at the same time, used to verify prod before replacing
Advantages - verifies new system before replacing old
Disadvantage - added processing costs

Continuous Auditing (CAAT) Integrated testing facility - CORRECT ANSWER
creates a fictitious file in the database with test transactions processed simultaneously with live data
Advantages - periodic testing does not require separate test procedures
Disadvantage - need for careful planning, need to isolate test data from prod

Continuous Auditing (CAAT) Parallel simulation - CORRECT ANSWER
processes prod data using programs that simulate prod
Advantages - eliminates need to prepare test data
Disadvantage - programs must be developed

Continuous Auditing (CAAT) Transaction selection programs - CORRECT ANSWER
use audit sw to screen and select trans input to the regular prod cycle
Advantages - independent of prod system, controlled by the auditor, requires no modifications to prod
Disadvantage - costs of development and maintenance

Continuous Auditing (CAAT) Embedded audit data collection - CORRECT ANSWER
embedded code
1) SCARF - manual selection
2) SARF - random
Advantages - provides sampling and prod statistics
Disadvantage - high cost, auditor independence issues

Continuous Auditing (CAAT) Extended records - CORRECT ANSWER
gathers all data that have been affected by a particular program
Advantages - records are put into one convenient file
Disadvantage - adds to data storage costs & sys dev costs

Relational integrity tests - CORRECT ANSWER
database organization

Referential integrity tests - CORRECT ANSWER
A feature provided by relational database management systems (RDBMSs) that prevents deleting or adding due to parent child relationship (primary & foreign key)

ACID Principle - CORRECT ANSWER
Managing parallel user access
Atomic - a transaction is either complete or not at all
Consistency - all integrity conditions in the db are maintained with each transaction
Isolation - each trans is isolated from other
Durability - if the trans is complete, the resulting change in the db will survive if there is a hw or sw failure

AI Concepts - CORRECT ANSWER
Decision trees - using questionnaires
Rules - declarative knowledge
Semantic nets - conceptual objects and relationships between nodes
IS Auditor must understand purpose & functionality, review policies, review decision logic, review procedures for updates & maintenance

EDI Traditional - CORRECT ANSWER
Communications handler using point to point connection
Interface includes translator & app interface.
App system - process data

EDI Web-based - CORRECT ANSWER
Internet for connectivity

EDI Risks & Controls - CORRECT ANSWER
Risks -
• Transaction authorization is the largest risk
• unauthorized access to transaction
• deletion or manipulation of data prior to or after control
• Loss or duplication of entries
• Loss of confidentiality
Controls -
• Standards - formats etc
• Reasonableness checks
• Authorization
• Encryption
• Electronic signatures
