8/12/2019 Additional Questionnaires

1/26

Answers to attendees' questions for the Global CISA Webinars held on 3 June 2008 and 5 June 2008

Author: Jay Ranade

CISA, CISM, CBCP, CISSP

New York City

[email protected]

www.riebeeck.com

Copyright Jay Ranade [email protected], June 10, 2008

Note: Only the questions related to the CISA exam or the profession of IT audit are being answered. I have paraphrased some of the questions from attendees to enhance understanding. Repeated questions are being answered once only. Please pay special attention to the last question on the last page of this document on the subject of biometrics (retina scan vs. palm scan).

Question 1:

Jay should state that some acronyms will not be expanded in the exam (as per page 522 of the CISA review manual).

Jay:

Everybody please note that some of the commonly used acronyms will not be expanded in the CISA exam.

Question 2:

How many questions will there be from each chapter?

Jay:

Here is the breakdown:

IT Audit Process, 20 questions
IT Governance, 30 questions
System and Infrastructure Lifecycle Management, 32 questions
IT Service Delivery and Support, 28 questions
Protection of Information Assets, 62 questions
Business Continuity and Disaster Recovery, 28 questions

Question 3:

What is the difference between quality management, quality assurance and quality control in terms of responsibilities?

Jay:

Quality management is management's responsibility.

Quality assurance is related to audit.

Quality control is related to implementation and monitoring of controls related to implementation of quality processes.


Question 4:

What is the order of firewall types and implementations in terms of security and ease of implementation?

Jay:

Major firewall types are:

Packet filtering firewalls, OSI layer 3
Application level firewalls, OSI layer 7
Stateful inspection firewalls, OSI layer 4

In terms of security, stateful inspection firewalls are considered to be the best.

In ease of use, the best are the appliances, a hardware/firmware-based firewall which is easy to use and has very high throughput, but is NOT scalable.

Question 5:

Can we get an explanation of the scaled scoring system, i.e. how can we relate it to the percentage of questions answered correctly?

Jay:

You need a score of 450 on a scale of 200 to 800 to pass the exam. It roughly translates into 75 percent (means answering approximately 150 questions out of 200 correctly).

The scaled scoring system compensates for an exam in one year being easier or more difficult than in other years and thus adds/subtracts scores based on level of difficulty.

Question 6:

Does the presence of one - authenticity or non-repudiation - always imply the presence of the other too?

Jay:

No.

Authenticity is for the benefit of the recipient, to ensure that the sender is who he/she says he/she is.

Non-repudiation means that the sender cannot later deny that the information was sent by him/her.

They may sound the same but are not the same.


Question 7:

What is DOPESS?

Jay:

It's an acronym and memory aid to help you remember incompatibilities regarding segregation of duties (SOD) functions so you can remember during the exam.

D stands for data custodian
O stands for operations
P stands for programmer (application programmer)
E stands for end user
S stands for security administrator
S stands for system administrator

An individual should not perform more than one job function from the above for proper SOD. In small shops it is not possible, so there must be compensating controls in case this principle is violated.

Question 8:

What do BIA and RTO stand for?

Jay:

BIA is business impact analysis of the business processes.

RTO is recovery time objective for a particular business process.

Question 9:

In IT Audit there is a difference between Firecall IDs and Vendor-supplied IDs. The one you are referring to is called Vendor Supplied Default User IDs, e.g. the Administrator userID on the Windows platform.

Jay:

It is correct. In the presentation what I was trying to say was that passwords for vendor-supplied IDs must not be left to default passwords because anybody and everybody knows what they are.


Question 10:

What is the difference between Active and Passive Attack?

Jay:

A passive attack usually precedes an active attack. A passive attack is a precursor to an active attack.

Examples of passive attacks are:

Network analysis
Eavesdropping
Traffic analysis

Examples of active attacks are:

Brute-force attack
Masquerading
Packet replay
Phishing
Message modification
Unauthorized access through the Internet or web-based services
Denial of service
Dial-in penetration attacks
E-mail bombing and spamming
E-mail spoofing

Question 11:

What were the 6 things of a BSC again?

Jay:

The six things I mentioned were not related to BSC, but to IT governance. They are:

IT Governance Framework
Alignment of IT with Business
Value delivery of IT
IT Risk Management
IT Performance Measurement
IT Resource Utilization

BSC (balanced scorecard) is about measurement of IT performance, one of the 6 things above.


Question 12:

Are digital signatures the same as using private keys?

Jay:

Digital signatures are created by creating a hash (or message digest) of the message and then encrypting that hash with the sender's private key.

So, the private key is used to create digital signatures, but is not a digital signature by itself.

    Question 13:

    Are the CISA Exam questions derived from the ISACA CD?

    Jay:

    No

    You wish

Question 14:

What if there is a non real-time offsite backup? E.g. daily backup at end of day to an off-site facility. Thank you.

Jay:

I do not know the context in which this question was asked. However, I must say that the frequency of the backup (real time, every hour, data mirroring etc.) will depend upon the Recovery Point Objective (RPO) of the business process that the backup data is supporting.

Question 15:

The book says that they do *not* ask case studies. It says it in each chapter.

Jay:

Now you confused me. I am one of the contributors of exam questions and ISACA has been asking us to send questions related to case studies. And we have.

Question 16:

We don't need a break.


Jay:

This suggestion has touched my heart. This suggestion has been given by almost every attendee. Either it means that you found the presentation too interesting to take a break or you found the cost of dial-in too expensive to take a break.

Question 17:

While using digital signatures, is the message itself encrypted for confidentiality?

Jay:

The message is NOT encrypted for confidentiality in digital signatures. Digital signatures are for integrity, authenticity, and non-repudiation but NOT for confidentiality.

Question 18:

DOPESS: what is the difference between "O" operations and "E" end user - why should they be segregated?

Jay:

Operations is related to computer operations NOT business operations. End user is the user of the computer systems for business purposes.

Question 19:

Hi, I want to ask, what is the difference between system testing and integration testing? Which one should be performed first?

Jay:

System testing ensures that the program interacts correctly as intended with OTHER system components. System testing may include security testing, recovery testing, stress testing, performance testing etc.

Integration testing (aka interface testing) is a test to evaluate the interface between two or more components that PASS information amongst each other.

Integration testing is performed first.

    Question 20:

    Would you please elaborate on star and ring topologies as well?


Jay:

In star topology, workstations on a LAN go through a central hub or switch and thus the whole configuration looks like a star. In Token Ring LANs, mostly the physical topology implementation is that of a star. Most of the new implementations are based on star topology.

In ring topology, workstations on a LAN hang around a ring configuration and do not go through a hub or a switch.

Question 21:

What other formulas other than the symmetric key formula you provided would we have to know for the exam?

Jay:

I cannot think of any other than the one I gave you all.

    Question 22:

    From which domain/chapter are the most questions taken for the CISA exam?

    Jay:

    From domain 5 (Information Asset Protection). It will have 62 questions out of 200.

    Question 23:

    What is the pass mark?

    Jay:

    75 percent (approximately 150 correct questions out of 200).

Question 24:

If you have to take your data to the hot site, isn't it actually a warm site?

Jay:

If the hot site is owned/managed by a third party (which it usually is), you HAVE to take data over there to populate the databases after a disaster. That does not make it a warm site.

A warm site is owned by the organization (not by a third party) and it has data and data storage devices but usually no computers/processors (since they are expensive). Servers/processors are acquired after the disaster based on (hopefully) an SLA with the vendor.


Question 25:

Is the BOD accountable for the security policy rather than responsible?

Jay:

Yes, both. Accountable people will assign someone and hold them responsible for creation of such a policy.

    Question 26:

    Please explain the concept around public key infrastructure that will be covered in the

    appropriate section. Also please explain to me public key cryptography.

    Jay:

    This is a topic which takes about 45 minutes to explain or 2-3 hours to type. I am sorry

    but I have to pass this question.

    Question 27:

    What does KPI stand for?

    Jay:

    Key Performance Indicator. KPIs must be defined before Balanced Score Card is

    implemented for performance measurement.

Question 28:

Please repeat the four authentication types, SLOWLY! Thanks.

Jay:

What you know (e.g. password)
What you have (e.g. token device or smart card)
What you are (e.g. biometrics)
How you act (e.g. signature dynamics or typing dynamics) Note: sometimes this is considered part of biometrics as well.

    Question 29:

    Please repeat "sensitive data" slowly.

    Jay:

    Sensitive data usually is the one that requires both confidentiality and integrity.


    Question 30:

    Can I confirm what was just said that a stateful firewall is stronger than an application

    layer firewall?

    Jay:

    Yes.

Question 31:

Is encryption a valid control to prevent virus attacks? If so, what type of control is it?

Jay:

Encryption is NOT a valid control for virus attacks. However, if a virus gets attached to encrypted data, you will not be able to decrypt the data. So, you will know something is wrong. Or if the decryption also decrypts the virus which was not encrypted to begin with (means the virus is now ineffective), you can call it a control.

Question 32:

What is the difference between WEP and WPA?

Jay:

WEP is the older and weaker control for wireless transmission. WPA (and WPA2) is the newer and stronger control for wireless networks.

Question 33:

Can you differentiate between symmetric and asymmetric encryption?

Jay:

In symmetric encryption, the key to encrypt and decrypt is the SAME.

In asymmetric encryption, there is a key pair. If one key is used for encryption, only the other key can be used for decryption.

Question 34:

What are the 7 levels of the OSI and what are their functionalities?

Jay:

I can give you the 7 layers of OSI, but not their functionalities. That's a topic for a one hour presentation for the CISSP exam usually. In CISA, questions do not go into details of layers.


Here are the layers:

Application
Presentation
Session
Transport
Network
Data Link
Physical

Question 35:

Comment: Questions are often written in American English, not UK English.

Jay:

That is correct. However, there can be some acronyms used in Europe but not in the USA. For example, ICT is a commonly used acronym in Europe, but rarely used (or even understood) in the USA.

This is a global exam, not American, so be prepared to know how exam question writers from other parts of the world think and write.

    Question 36: What did Jay say was the same as electronic vaulting?

    Jay:

    Electronic vaulting is backing up of data remotely over telecommunications links.

    It is also called Televaulting.

Question 37:

What is the difference between board of directors and senior business management?

Jay:

Since this is a global exam with exam takers from the private sector, public sector, governments, and government monopolies, not every organization has a Board of Directors. Therefore, sometimes we use the term senior management.

    Question 38:

    After DRP is implemented, which test is done first?

    Jay:

    Table top test is performed first to take out the kinks in the plan.


Question 39:

Which is to be considered FIRST for a reciprocal agreement?

Jay:

As much as a reciprocal agreement is not a recommended BC or DR plan, the first thing to consider would be that both parties are not from the same type of business. Otherwise, if ever there is a need, data confidentiality or privacy should not be an issue when sharing the system.

Question 40:

What is a man in the middle attack?

Jay:

An attack where a malicious person is routing the genuine conversation between two parties through his/her computer and possibly recording the conversation as well. There may or may not be alteration or spoofing of the messages by the perpetrator on a real time basis.

Question 41:

Can you ask Jay or provide in your question round-up whether there are any reputable sources of practice questions (not including the ISACA books/online study/questions db) to supplement studies?

Jay:

There are none.

Sources other than ISACA may mislead you in their answers as they have not been subjected to the rigors of ISACA reviews.

Question 42:

With relation to data transmitted over a wireless LAN, how are keys changed dynamically, exactly? How often? Is this often system functionality or changed manually?

Jay:

The question related to how they are changed is not asked in CISA, but in CISSP only.

The answer to how often is related to the work effort required by the malicious entity to break the key and depends largely on key length. The longer the key length, the longer the time period required between changes of keys.

It is done in an automated manner, not manually.


Question 43:

Recommendation: Since there are only 3 points on each slide, there is probably no reason to provide a summary of each slide... (in my opinion). I understand it is actually being done as the response to many of the participants.

Jay:

Thanks for the suggestion. We have many attendees from countries where English is not the first language. So, I use the technique:

I tell them what I am going to tell them.
Then I tell them.
Then I tell them what I just told them.

Question 44:

What was the best kind of backup, again? (which he said combines incremental and differential?)

Jay:

Synthetic backup.

Question 45:

What is split processing for RTO?

Jay:

Information is processed at 2 or more than 2 sites. This is to reduce recovery time objectives to zero or near zero. It is used by military, emergency and life support systems in hospitals, air traffic controllers (I hope), airline reservation systems etc.

Question 46:

Should risk assessment be subjective or objective?

Jay:

It should preferably be objective, also called quantitative. However, it is difficult to implement it in IT risk assessment, so it is usually subjective or qualitative in IT.

Question 47:

Can Mr. Ranade possibly send us all an email with the 1000+ axioms? He probably has it written down already somewhere. It would be extremely helpful.


Jay:

I give my axioms to my students free wherever and whenever I teach my classes on CISA, CISM, CBCP, CISSP, and CIA (USA and abroad). Since I am getting lots of requests for axioms, I am seriously thinking about finding ways to give them out to non-students as well. I may publish them soon. But don't expect it anytime soon.

Question 48:

I have been studying using the question manual database for 2008 from ISACA; is it up-to-date information for the exam? This CD database was purchased from ISACA in January, 2008.

Jay:

If it says version 8, it is up to date.

Question 49:

Is the security policy signed by the CIO if the IS policy is signed by the CEO at corporate level?

Jay:

IS Security policy is a corporate policy and is signed by the CEO.

IT Security policy is for IT only and is signed by the CIO. The latter is usually based on ISO 27002 (previously known as ISO 17799).

Question 50:

Is a screened subnet firewall stronger than a stateful inspection firewall?

Jay:

Stateful inspection is a firewall TYPE.

Screened subnet is a firewall IMPLEMENTATION. Screened subnet (aka DMZ) is the strongest firewall implementation.

Question 51:

Are the foreign key and the primary key in different tables within a database to maintain referential integrity?

Jay:

Yes. It is derived from the Clark-Wilson Integrity Model.


Question 52:

Thus, the secondary key has nothing to do with referential integrity?

Jay:

Yes, it is true in a pure relational model. They are for performance purposes in case selects and joins are done on fields that are secondary key fields.
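The primary key/foreign key relationship from Questions 51 and 52, as an added example that is not part of Jay's answers or the original document. The script below uses Python's standard sqlite3 module; the table names, columns and rows are constructed for illustration. It runs the same inserts twice, once with foreign-key enforcement on and once off, because SQLite only checks the FOREIGN KEY clause when PRAGMA foreign_keys is ON (the weak default is OFF), and it adds a secondary-key index that exists purely for lookup performance, as the answer to Question 52 says.

```python
import sqlite3


def build_schema(conn, enforce_fk=True):
    """Create a parent (department) and child (employee) table.

    The FOREIGN KEY clause is the referential-integrity control: a child row
    may only reference a dept_id that exists in department.  SQLite evaluates
    that clause only when PRAGMA foreign_keys is ON (the weak default is OFF).
    """
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(
        """
        CREATE TABLE department (
            dept_id   INTEGER PRIMARY KEY,
            dept_name TEXT NOT NULL
        );
        CREATE TABLE employee (
            emp_id   INTEGER PRIMARY KEY,
            emp_name TEXT NOT NULL,
            dept_id  INTEGER NOT NULL,
            FOREIGN KEY (dept_id) REFERENCES department (dept_id)
        );
        -- Secondary key: an index that speeds up SELECTs and JOINs on emp_name.
        -- It plays no part in referential integrity.
        CREATE INDEX idx_employee_name ON employee (emp_name);
        """
    )


def insert_employee(conn, emp_id, emp_name, dept_id):
    """Return True if the row is accepted, False if the FK constraint rejects it."""
    try:
        with conn:
            conn.execute(
                "INSERT INTO employee (emp_id, emp_name, dept_id) VALUES (?, ?, ?)",
                (emp_id, emp_name, dept_id),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def delete_department(conn, dept_id):
    """Return True if the parent row is deleted, False if child rows still reference it."""
    try:
        with conn:
            conn.execute("DELETE FROM department WHERE dept_id = ?", (dept_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def run_scenario(enforce_fk):
    """Run the same constructed inserts with FK enforcement on or off and report what happened."""
    conn = sqlite3.connect(":memory:")
    build_schema(conn, enforce_fk)
    with conn:
        conn.execute("INSERT INTO department VALUES (10, 'Internal Audit')")  # constructed parent row
    outcome = {
        "valid_insert": insert_employee(conn, 1, "Alice", 10),
        "orphan_insert": insert_employee(conn, 2, "Bob", 99),      # department 99 does not exist
        "delete_referenced_parent": delete_department(conn, 10),   # Alice still points at 10
        "employee_rows": conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0],
    }
    conn.close()
    return outcome


if __name__ == "__main__":
    print("enforced:  ", run_scenario(enforce_fk=True))
    print("unenforced:", run_scenario(enforce_fk=False))
```

With enforcement on, the orphan employee row and the delete of a department that still has employees are both refused with an IntegrityError; with enforcement off, both go through silently and the child table is left pointing at a department that no longer exists. An auditor checking that "the database enforces referential integrity" should therefore confirm the constraint is actually switched on for the connection, not just declared in the schema.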

Question 53:

I understand that a sender encrypts the message hash using his private key; it ensures authenticity of the message (hash calculation), integrity and non-repudiation (verification of the sender's identity) via the use of a digital signature. In order to achieve confidentiality, must the receiver encrypt the (message or message hash?) using his public key and decrypt it using his private key?

Jay:

Very intelligent question.

Encrypting the hash by the sender using the recipient's public key will not provide confidentiality since the hash is a digest of the message only.

Encrypting the message itself by the sender using the recipient's public key will ensure confidentiality but it will be very sloooooooooooooooow, since asymmetric encryption is about 1000 to 5000 times slower than symmetric encryption.

The best way to do this is to use a session key to encrypt the message, encrypt the session key with the recipient's public key and then send the encrypted message as well as the encrypted session key to the sender. This is a form of digital envelope.

    Question 54:

    Can you please repeat the CMM Level 3 example question from the presentation?

    Jay:

    Implementing SDLC brings CMM level to 3.

Question 55:

In our country one can take the exam in one's own language. Do you know why practice stuff (questions/answers) in one's own language cannot be obtained while the exam is done like that?

Jay:

Let me try to answer this while being politically correct. This is not an official ISACA answer though.

Some countries have a small base of candidates who appear in CISA or CISM. I guess it is not cost effective to get the material translated in their language (e.g. Dutch or Hebrew).


I am sure if one proposes to volunteer this effort of translation to ISACA, they will be thrilled. One of my students in New York City plans to do this for Mandarin speaking members.

Question 56:

Where do we get the other axioms?

Jay:

There is no plan to sell or distribute axioms for CISA (1008), CISM (800), CISSP (3000), CBCP (500), or CIA (2500) except to get them FREE if I am teaching a class for an ISACA chapter or any sponsoring organization. You can ask your chapter to sponsor an onsite class in your city for the fall by writing me at: [email protected]

Or attend the New York Chapter class when it is announced.

Question 57:

Will you have a refresher course for the CISSP? Will you have the refresher course for CISM?

Jay:

I do not know if you meant a 3 hour refresher like this one? Riebeeck might arrange it for fall for CISA, CISM, CISSP, and CGEIT. They have to look at how long they can do these classes for free as a public service.

If your chapter would like to sponsor, I can do these classes on site for your chapter as well. Stay tuned for further announcements from Riebeeck.

Question 58:

Is it true that the questions asked in CISA are based on 2-3 years old technology?

Jay:

Hmmm, I can get into trouble answering this. Understanding the cycle of creating new manuals, new question sets, and extensive reviews, it is not possible to include the most recent material in the exam. Having said that, I was surprised to see ISACA discussing Quantum Cryptography 3 months after it appeared in the New Scientist.

    Question 59:

    DOPESS ? What do you mean ? Not found on CISA manuals 2007 and 2008

    Jay:

    Because this is a memory aid created by yours sincerely, not ISACA.


    Question 60:

    Just a remark for a previous slide, you should say in this order: Unit test, Integration test,

    System test, UAT. Integration test comes BEFORE system test.

    Jay:

    Please note that the order suggested by question writer is correct in case there is a

    question on this.

Question 61:

Please repeat the 5 levels of CMM. Thank you.

Jay:

Nothing, 0
Initial, 1
Repeatable, 2
Defined, 3
Managed, 4
Optimized, 5

Question 62:

You are referring to application controls that need to be included during implementation of ERP, correct?

Jay:

The question is not clear as to its context.

The auditor's concern is that in implementing ERP after BPR, you lose previous controls. Usually, the concern is about loss of preventive controls that existed before but not any more after ERP is implemented.

Question 63:

BC & DR - Jay mentioned the 5 components of IT DR and stated Personnel and Data as 1st and 2nd most important respectively. Why are personnel considered more important when ultimately they can be replaced whereas, as Jay said, when data is lost it is gone for good?

Jay:

What I meant was that after a disastrous incident, saving human life is the most important thing. Nothing replaces the importance of human life.

For the sake of this exam, saving human life supersedes saving data.


Question 64:

How do I detect a digital signature on a mail so as to know if it is spam? Thank you.

Jay:

A digital signature does not prevent spam, but you know the identity of the spammer from the digital signature, and can report to the Certification Authority, and they can cancel the certificate and put the offender on the certificate revocation list (CRL).

Question 65:

What is the first point of call when auditing disaster recovery on a project that the auditor was part of the planning?

Jay:

The question is not clear, but in general if an auditor worked on an IT project, and probably implemented controls, he/she cannot audit it for at least one year since that will result in loss of objectivity. You cannot audit controls that you implemented.

    Question 66:

    How does a residual risk jeopardize human life thank you.

    Jay:

    Residual risk does not jeopardize human life. But when a human life is involved, no

    residual risk is an acceptable risk.

    Question 67:

    What is the level of accepting a residual risk.

    Jay:

    It is a decision made by the senior management based on their perceived value of the

    business process.

Question 68:

What is the rate of time you would recommend for answering one question?

    Jay:

    In the exam, you should be answering 50 questions in an hour (200 questions in 4 hours).

    On average, try doing one question in a minute or less.


Question 69:

Please explain about controls in ERP. You mentioned that they are eliminated. Thanks.

Jay:

In BPR, resulting in ERP implementation, many controls are eliminated as part of the process in order to fine tune and streamline the new processes.

    Question 70:

    What is the difference between S-HTTP and HTTPS?

    Jay:

    In general, HTTPS ( for SSL) is session oriented while S-HTTP is transaction oriented.

Question 71:

I didn't get the email address...jayranda..... Thanks everyone.

Jay:

It is [email protected]

Question 72:

How does crushing work when, by definition, activities on the critical path have zero slack time?

Jay:

It is crashing. Activities can be completed faster by putting more resources into their execution. Slack time is still zero, but activity completion time can be shortened.

    Question 74:

    Is blackbox test a form of unit test or system test?

    Jay:

    Both.

Question 75:

Can more description be given to CER, EER, FAR, FRR? Thanks. This one will be answered by Jay.


Jay:

CER and EER are the same. It is the value when FAR = FRR.

FAR is the percentage where an impostor gets accepted as a genuine person.

FRR is the percentage where a genuine person is rejected by the system.
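FAR, FRR and their crossover, as an added worked example that is not part of Jay's answer. The match scores below are constructed for a hypothetical scanner (1.0 is a perfect match) and the threshold sweep is mine; a real evaluation would use thousands of genuine and impostor attempts. Moving the acceptance threshold trades one error rate for the other, and the CER/EER is read off where the two curves cross, which is why a single lower CER figure indicates a more accurate system.

```python
def error_rates(genuine_scores, impostor_scores, threshold):
    """Accept a sample when its match score is >= threshold.
    FAR = share of impostor attempts accepted (false accepts).
    FRR = share of genuine attempts rejected (false rejects)."""
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr


def crossover_error_rate(genuine_scores, impostor_scores):
    """Sweep every observed score as a candidate threshold and return
    (threshold, cer) at the point where FAR and FRR are closest to equal.
    CER (= EER) is the single figure used to compare biometric systems: lower is better."""
    best_gap, best = None, None
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        far, frr = error_rates(genuine_scores, impostor_scores, t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best = gap, (t, (far + frr) / 2)
    return best


# Constructed match scores from a hypothetical scanner (1.0 = perfect match); not real data.
GENUINE = [0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.50, 0.40]
IMPOSTOR = [0.10, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.60, 0.70]


def operating_points(genuine_scores=GENUINE, impostor_scores=IMPOSTOR):
    """Show how moving the threshold trades FAR against FRR at three settings."""
    return {t: error_rates(genuine_scores, impostor_scores, t) for t in (0.30, 0.55, 0.80)}


if __name__ == "__main__":
    for t, (far, frr) in operating_points().items():
        print(f"threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER/EER = {cer:.2f} at threshold {t:.2f}")
```

At a low threshold (0.30) the constructed scanner accepts 70% of impostors and rejects no genuine users; at a high one (0.80) it rejects 70% of genuine users and admits no impostor; at 0.55 both rates are 20%, so that is the CER for this data set. An auditor asking a vendor for "the CER" should also ask at which threshold the deployed system is actually operating, because a door configured for convenience may sit far from the crossover.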

    Question 76:

    Is black box and user testing the same? thank you.

    Jay:

    Not necessarily, but usually it is UAT.

Question 77:

Is QA testing performed in all stages of testing, or only at the end of all stages?

Jay:

Quality assurance testing (QAT) is done at the end. It focuses on technical aspects.

User acceptance testing (UAT) is also at the end. It focuses on functional aspects. They should not be combined.

Both put together is called Final Acceptance Testing.

Quality assurance (QA) (including quality control) is an ongoing activity and is a process.

    Question 78:

    Are all Digital Signatures done on Hashes?

    Jay:

    Yes.

Question 79:

I think cross training does not mitigate the risk of a single individual knowing it all; I think that we as auditors should detect if there is an individual knowing it all when a company has cross training... Or am I wrong about that?

Jay:

Cross training is to mitigate business continuity risks in case the know-it-all individual is not available. It is usually determined in CSA by the management. Auditors will use a risk-based approach if finding such persons is in their audit plan.


Question 80:

Jay taught that the most important thing to do after an employee is terminated is to remove the user's logical access. Is that more important than disabling the user's PHYSICAL access as well? (i.e. badge access to the building and server room, etc...)

Jay:

Probable damage caused by logical access far outweighs that caused by physical access.

Question 81:

Could you describe the difference between signature-based IDS and statistical IDS? Also, where does neural-based IDS factor in?

Jay:

Signature-based IDS detects intrusions of known signatures.

Statistical-based IDS detects intrusions where a signature does not exist yet (zero day attack). It looks for anomalies.

Neural-based IDS is presumed to be very advanced in detecting intrusions because it is designed after neural networks.
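Signature-based versus statistical (anomaly) detection, as an added example that is not part of the original document. The script runs both engines over constructed web-server log lines; the log format, signatures, client addresses and the z-score threshold are all assumptions made for illustration, and the neural-network variant is not implemented. The signature engine can only match what is already catalogued; the statistical engine learns the normal per-client request volume from a clean baseline window and flags any client far above it, so each catches something the other misses.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Signature engine: patterns for attacks that are already catalogued (assumed rule set).
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_injection": re.compile(r"(?i)(?:'|%27)\s*or\s+1\s*=\s*1"),
    "xss_probe": re.compile(r"(?i)<script"),
}

# Constructed log format: <client ip> "<method> <path> <proto>" <status>
LOG_LINE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)')


def parse(lines):
    """Keep only lines that match the assumed format, as dicts with ip/method/path."""
    return [m.groupdict() for m in map(LOG_LINE.match, lines) if m]


def signature_alerts(records):
    """Flag any request whose path matches a known-bad signature."""
    return [(r["ip"], name) for r in records
            for name, pattern in SIGNATURES.items() if pattern.search(r["path"])]


def statistical_alerts(baseline_records, records, z_threshold=3.0):
    """Learn the normal per-client request volume from a clean baseline window,
    then flag clients in the current window whose volume sits more than
    z_threshold standard deviations above that norm.  No signature is needed,
    which is how a pattern nobody has catalogued yet can still be caught."""
    baseline = list(Counter(r["ip"] for r in baseline_records).values())
    mu, sigma = mean(baseline), pstdev(baseline)
    alerts = []
    for ip, count in Counter(r["ip"] for r in records).items():
        if sigma == 0:
            z = float("inf") if count > mu else 0.0
        else:
            z = (count - mu) / sigma
        if z > z_threshold:
            alerts.append((ip, round(z, 1)))
    return alerts


# Constructed sample traffic (not real logs): five ordinary clients in the baseline window.
BASELINE_LOG = [f'10.0.0.{c} "GET /home HTTP/1.1" 200'
                for c, n in ((1, 4), (2, 5), (3, 6), (4, 5), (5, 5)) for _ in range(n)]
# Current window: the same five clients, one request carrying a known signature,
# and one client with no signature match but forty times the usual volume.
CURRENT_LOG = (
    [f'10.0.0.{c} "GET /home HTTP/1.1" 200' for c in range(1, 6) for _ in range(5)]
    + ['10.0.0.6 "GET /static/../../etc/passwd HTTP/1.1" 404']
    + [f'10.0.0.7 "GET /export?id={i} HTTP/1.1" 200' for i in range(40)]
)


def run_ids(baseline_lines=BASELINE_LOG, current_lines=CURRENT_LOG):
    """Run both engines over the current window and return their alerts side by side."""
    baseline, current = parse(baseline_lines), parse(current_lines)
    return {"signature": signature_alerts(current),
            "statistical": statistical_alerts(baseline, current)}


if __name__ == "__main__":
    for engine, alerts in run_ids().items():
        print(f"{engine:12s} {alerts}")
```

On the sample traffic, 10.0.0.6 trips the path-traversal signature with a single request that the statistical engine considers a normal volume, while 10.0.0.7 issues forty requests that match no signature and is caught only by the statistical engine. Real deployments also have to handle the case where the baseline itself already contains the attacker, which is why the baseline window should be reviewed before it is trusted as "normal".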

Question 82:

I understand we can't have our cell phones on the desk during the exam, but we can have it in our pocket turned off as long as we do not take it out of our pockets for the duration of the exam?

Jay:

I guess you should ask the proctor for that.

Question 83:

Was the conclusion that guards outside of a datacenter provide better protection than badge or biometric access?

Jay:

A guard is NOT a replacement for other preventive controls, but is a compensating control.

Question 84:

If you have a wireless LAN key that you change every 90 days, is that a static key (vs a key that is dynamically generated with a token in real time)?


Jay:

Yes, it is a static key.

Question 85:

What is the benefit of ITF?

Jay:

ITF is a testing methodology where test data is used in the production system. Test data is made-up data in this case. This data must be isolated from real production data during processing.


Here are a few questions where candidates have challenged ISACA's answers. Let me try to risk my career by commenting on them.

Question 86:

During the audit of an acquired software package, the IS auditor learned that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST:

A. test the software for compatibility with existing hardware.

B. perform a gap analysis.

C. review the licensing policy.

D. ensure that the procedure had been approved.

The correct answer is: D. ensure that the procedure had been approved.

You answered incorrectly. You chose: C. review the licensing policy.

Explanation: In the case of a deviation from the predefined procedures, the IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities. The other choices are not the first actions the IS auditor should take. They are steps that may or may not be taken after determining that the procedure used to acquire the software had been approved.

I disagree. The software is purchased already, so it makes no difference whether the procedure is valid or not. The proper thing to do would be to see if it is licensed correctly.

Jay's comment:

I agree with ISACA's answer. It is not unusual to use the Internet to get such information, since the Internet gives you opinions from vendors, users, technical experts etc. An RFP gives the vendors' viewpoint. What matters is whether the management-approved procedure was followed or not.


Question 87:

The GREATEST benefit in implementing an expert system is the:

A. capturing of the knowledge and experience of individuals in an organization.

B. sharing of knowledge in a central repository.

C. enhancement of personnel productivity and performance.

D. reduction of employee turnover in key departments.

The correct answer is: A. capturing of the knowledge and experience of individuals in an organization.

You answered incorrectly. You chose: B. sharing of knowledge in a central repository.

Explanation: The basis for an expert system is the capture and recording of the knowledge and experience of individuals in an organization. Coding and entering the knowledge in a central repository, shareable within the enterprise, is a means of facilitating the expert system. Enhancing personnel productivity and performance is a benefit; however, it is not as important as capturing the knowledge and experience. Employee turnover is not necessarily affected by an expert system.

I disagree. The benefit is in sharing, not in capturing (it does not say coding).

Jay's response:

I agree with ISACA's answer. The purpose of expert systems is to capture the knowledge. It is a business decision whether it should be shared in a central repository or not.

Question 88:

I wanted to confirm: as I am sitting the exam on 14 June this year, is it ok to use the CISA practice question database V7 or is there a more up to date version I should use?

Jay:

You have 2 choices:

1. Get V8 of the Practice Question database (CD or print format manual)
2. Keep on using V7 but also buy the supplementary 100 CISA review questions 2008 (from ISACA)


Question 89:

Following is a question from one of my students in New York City. I thought you could all benefit from this.

Jay, I was reading over the axioms for domain 6 and it seemed to me that axioms #7 and #85 contradict each other. I must be missing something here.

#7 - Incremental backups have the fastest backup time; differential backups have the fastest recovery time.

#85 - Creating full backups from incremental backups is called synthetic backups. Synthetic backups make full backups less frequent and restoration after failure/incident faster.

Number 85 seems to be suggesting that incremental backups have the fastest recovery / restoration time although axiom #7 states the opposite. Or am I reading too much into #85 and in fact, although incremental backups do have a fast recovery time, axiom #7 is still true: differential backup recovery time is faster than incremental backup recovery time?

Jay:

Differential backups have a faster recovery time (meaning they are good for applications with a low RTO); however, nothing beats the recovery speed of synthetic backups, which are created by merging the last full backup and the last incremental backups offline.
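The three strategies in this exchange, as an added example that is not part of the original document: four days of constructed file changes after a full backup are captured as incremental sets, differential sets and a synthetic full, and each strategy is compared on how much every daily run captures and how many sets a restore has to read.

```python
# Added example (not from the webinar): four days of constructed file changes
# after a full backup; compare what each daily backup captures (backup time)
# and how many sets a restore must read (recovery time) per strategy.

# file -> version. Day 0 is the full backup; later entries list only the
# files that changed that day.
FULL_BACKUP = {"a": 0, "b": 0, "c": 0, "d": 0}
DAILY_CHANGES = [{"a": 1}, {"b": 1}, {"a": 2, "c": 1}, {"d": 1}]  # days 1-4

def incremental_sets(changes):
    """Each set holds only what changed since the previous backup of any kind."""
    return [dict(day) for day in changes]

def differential_sets(changes):
    """Each set holds everything changed since the last full backup: sets grow
    day by day, but any single one completes a restore."""
    sets, since_full = [], {}
    for day in changes:
        since_full.update(day)
        sets.append(dict(since_full))
    return sets

def synthetic_full(full, incrementals):
    """Merge the last full with the incrementals offline into a new full set."""
    merged = dict(full)
    for inc in incrementals:
        merged.update(inc)
    return merged

def restore(base, sets_to_apply):
    """Apply sets in order on top of a full; return (state, sets read)."""
    state = dict(base)
    for s in sets_to_apply:
        state.update(s)
    return state, 1 + len(sets_to_apply)

def compare(full=FULL_BACKUP, changes=DAILY_CHANGES):
    """Per strategy: files captured by each backup run, and sets read on restore."""
    incs, diffs = incremental_sets(changes), differential_sets(changes)
    synth = synthetic_full(full, incs)
    inc_state, inc_sets = restore(full, incs)          # full + every incremental
    diff_state, diff_sets = restore(full, diffs[-1:])  # full + last differential
    syn_state, syn_sets = restore(synth, [])           # the synthetic full alone
    if not inc_state == diff_state == syn_state:
        raise ValueError("strategies disagree on restored state")
    return {"incremental": ([len(s) for s in incs], inc_sets),
            "differential": ([len(s) for s in diffs], diff_sets),
            "synthetic_full": ([len(synth)], syn_sets)}
```

With this data the incremental runs capture 1, 1, 2 and 1 files but a restore reads five sets, the differential runs grow to 1, 2, 3 and 4 files while a restore reads two sets, and the synthetic full restores from a single set.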


Question 90:

The following biometric question has confused more people than anything else. Let me try to clarify this.

Which of the following biometrics has the highest reliability and lowest false acceptance rate?

A. Palm Scan

B. Face Recognition

C. Retina Scan

D. Hand Geometry

The database recognized (C) Retina scan as the correct answer.

Retina scan uses optical technology to map the capillary pattern of an eye's retina. This is highly reliable and has the lowest false acceptance rate (FAR) among the current biometric methods. Use of palm scanning entails placing a hand on the scanner where a palm's physical characteristics are captured. Hand geometry, one of the oldest techniques, measures the physical characteristics of the user's hands and fingers from a 3-dimensional perspective. The palm and hand geometry techniques lack uniqueness in geometry data. In face biometrics, a reader analyzes the images captured for general facial characteristics. Though considered a natural and friendly biometric, the main disadvantage of face recognition is the lack of uniqueness, which means that people looking alike can fool the device.

Jay's Response:

ISACA's answer is correct.

ISACA's question is: which biometric has the highest reliability and the lowest FAR? It is retina scan.

If the question were which biometric has the lowest EER (also called CER), then the answer is palm (the correct order is palm, hand, iris, retina, fingerprint, and voice). The value of EER is where FAR=FRR.
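How FAR, FRR and the EER/CER crossover relate, as an added example that is not part of the original document: the genuine and impostor matcher scores below are constructed, not measurements of any real biometric, and the threshold sweep shows why the lowest-FAR device and the lowest-EER device need not be the same one.

```python
# Added example (not from the webinar): sweep decision thresholds over
# constructed matcher scores, compute FAR and FRR at each, and locate the
# EER/CER crossover where FAR = FRR.

# Constructed similarity scores (0..100, higher = closer to the enrolled template).
GENUINE = [88, 92, 75, 81, 95, 67, 84, 90, 78, 86]    # legitimate users
IMPOSTOR = [20, 35, 52, 41, 28, 60, 33, 47, 55, 70]   # other people

def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR: fraction of impostors accepted (score >= threshold).
    FRR: fraction of genuine users rejected (score < threshold)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Return (threshold, eer): the threshold where |FAR - FRR| is smallest.
    With discrete scores the curves may not cross exactly, so EER is reported
    as the mean of FAR and FRR at that point."""
    best = None
    for t in range(101):
        far, frr = far_frr(t, genuine, impostor)
        if best is None or abs(far - frr) < best[0]:
            best = (abs(far - frr), t, (far + frr) / 2)
    return best[1], best[2]

def threshold_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold that keeps FAR <= max_far, and the FRR paid for it.
    This is the trade-off behind the exam question: a very low FAR is bought
    with more rejected legitimate users, which is why EER is the comparison
    metric when neither error type is privileged."""
    for t in range(101):
        far, frr = far_frr(t, genuine, impostor)
        if far <= max_far:
            return t, frr
    return None
```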