
MODEL PAPER

ICMA Pakistan

INFORMATION SYSTEMS AND I.T. AUDIT (ML-303)
SEMESTER-3

Time Allowed: 02 Hours 40 Minutes
Maximum Marks: 80
Roll No.:

Instructions:
(i) Attempt all questions.
(ii) Answers must be neat, relevant and brief.
(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and the use of clear diagrams/charts, where appropriate.
(iv) Read the instructions printed inside the top cover of the answer script CAREFULLY before attempting the paper.
(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.
(vi) Question No. 1 (Multiple Choice Questions), printed separately, is an integral part of this question paper.
(vii) The Question Paper must be returned to the invigilator before leaving the examination hall.

Marks for each question are shown in parentheses.

Q.1 The first question (MCQs Part) comprises 20 MCQs of one (1) mark each, to be attempted in 20 minutes.

Q.2 Read the following CASE carefully and answer the questions given below:

CASE
Megaton Corporation is a large industrial concern with a complex network infrastructure: multiple local area and wide area networks connect Megaton headquarters with its national and international offices. There is an Intranet site that is accessed only by employees to share work-related information. An Internet EDI site is also available, accessed by customers and suppliers to place orders and check the status of their orders. Both sites have open areas as well as sections containing private information that require an ID and password to access. User IDs and passwords are assigned by the central security administrator. The wide area networks are based on a variety of WAN technologies, including frame relay, ATM, ISDN and T1/T3. These networks carry unencrypted, non-sensitive information to the international offices of Megaton, but this does not include any customer-identifiable information. Traffic over the network involves a mixture of protocols, as a number of legacy systems are still in use. All sensitive network traffic traversing the Internet is encrypted prior to being sent. A number of devices also use Bluetooth to transmit data between PDAs and laptop computers. A new firewall has been installed, and patch management is now controlled by a centralized mechanism that pushes patches out to all servers. The firewall policy does not allow any external access to the internal systems. Various database-driven Internet applications are in use, and many have been upgraded to take advantage of newer technologies. Additionally, an intrusion detection system has been added, and the reports produced by this system are monitored on a daily basis. Megaton headquarters also maintains a data centre of 15,000 square feet (1,395 square meters). Access to the data centre is controlled by a card reader, with cameras monitoring the entrance.

Recently, Megaton has actively started supporting the use of notebook computers by its staff so they can use them when travelling and when working from home. In this regard, Megaton wants staff to be able to access the company databases and provide online information to customers. A large organization-wide ERP software implementation project is also under consideration. Megaton has decided to buy a commercial off-the-shelf ERP package and then customize it to fit its needs. Though Megaton is not in a hurry to implement the project, sizeable customizations of the ERP are anticipated. The last IS audit was performed more than five years ago. The current business continuity and disaster recovery plans have not been updated in more than eight years. During this time Megaton has grown by over 300 percent. At the headquarters alone, there are approximately 750 employees. The IS auditor has been asked to evaluate the current environment and make recommendations for improvement.


Questions:
a. What possible risks can be involved with the use of the EDI system at Megaton? (08)
b. What would be the most serious concerns regarding the wide area networks at Megaton? (06)
c. Many issues are involved when a company stores and exchanges confidential customer information over a network. What would be some of the significant issues to address if the information exchanged between Megaton headquarters and its international offices included personally identifiable customer information? (05)
d. What role can the top management of Megaton play for better IT governance? (05)
e. Suggest some controls to strengthen the security of the Data Centre at Megaton. (03)
f. Based on the information given in the case, what would you recommend to Megaton for preparing their disaster recovery plan? (03)

Q.3 (a) Capacity management is the planning and monitoring of computing and network resources to ensure that the available resources are used efficiently and effectively. The capacity plan should be developed based on input from both user and IS management to ensure that business goals are achieved in the most efficient and effective way. Discuss some types of information required for successful capacity planning. (08)
(b) A database is a collection of information that is organized so that it can easily be accessed, managed and updated. List the properties of the three major types of database structure: hierarchical, network and relational. (06)

Q.4 (a) To develop an information system, an organization can either outsource the system development or rely on its own people. What are some of the risks involved when system development is done by the end-users of an information system? (06)
(b) E-commerce is a positive development for both businesses and individuals, as it has made transactions more convenient and efficient. E-commerce involves no physical interaction between buyers and sellers, and such virtual transactions have many associated risks. Explain some of these risks and their mitigation strategies. (06)

Q.5 (a) The acquisition of the right hardware and software resources for an organization is a complex issue that requires careful planning. What are some of the issues involved in acquiring hardware and software for an information system, and what are the steps involved in the selection of a computer system? (06)
(b) An important objective of the IS auditor is to ensure that the organization provides adequate segregation of duties within the information system management structure. What are some of the duties and responsibilities of the IS auditor in achieving this objective? (06)

Q.6 (a) While performing the IS audit of an organization, the IS auditor needs to carefully examine the various IS controls implemented by the organization. What are some techniques the IS auditor can use to evaluate the application controls implemented in an information system? (06)
(b) An organization can hold a variety of sensitive information, such as financial results and business plans for the year ahead. As more and more of this information is stored and processed electronically and transmitted across company networks or the Internet, the risk of unauthorized access increases. What are some basic types of information protection that an organization can use to minimize this risk? (06)

THE END

ISITA/Model-Paper