Easy Office

Share your views of ISCA paper

Page no : 2

Kapil Rao (CA Final MCOM (Accountancy))   (804 Points)
Replied 12 May 2011

It was good and easy, nothing special!!!


Jigar (Student) (661 Points)
Replied 12 May 2011

Though it was a below-standard paper,

ICAI will ruin our happiness with tough checking.

Around 30 marks of questions were asked from the Nov 10 RTP.

Almost everyone was happy after attempting the paper.

All cannot get good marks, na.

Will have to score in the next 2 subjects to stay within range and bear the brunt of checking.
 



(Guest)

Well, had a good run till ISCA, but not even finding 40 in ISCA.

Sure to get a fail finally.

I made a mess... for the backup options // hot, cold and warm, I had written

full, incremental, diff and mirror.

24 marks straight away wrong,

means of 76 marks I need 40, can't get that even, sure for Nov...


anup pathmudi (Financial Consultancyl) (38 Points)
Replied 12 May 2011

raam, what is Q6a, functional areas??

And what are the backup options???



(Guest)

The backup options are the cold site / hot site ones.

I had written incremental, differential and full.




(Guest)

I had not solved 6, I left it as the optional one.


CA Ghanshyam Joshi (CA, Dip IFR (ACCA UK)) (3229 Points)
Replied 12 May 2011


6.7 ALTERNATE PROCESSING FACILITY ARRANGEMENTS

Security administrators should consider the following backup options:

(i) Cold site: If an organisation can tolerate some downtime, cold-site backup might be appropriate. A cold site has all the facilities needed to install a mainframe system: raised floors, air conditioning, power, communication lines, and so on. An organisation can establish its own cold-site facility or enter into an agreement with another organisation to provide a cold-site facility.

(ii) Hot site: If fast recovery is critical, an organisation might need hot-site backup. All hardware and operations facilities will be available at the hot site. In some cases, software, data and supplies might also be stored there. A hot site is expensive to maintain. They are usually shared with other organisations that have hot-site needs.

(iii) Warm site: A warm site provides an intermediate level of backup. It has all cold-site facilities plus hardware that might be difficult to obtain or install. For example, a warm site might contain selected peripheral equipment plus a small mainframe with sufficient power to handle critical applications in the short run.

(iv) Reciprocal agreement: Two or more organisations might agree to provide backup facilities to each other in the event of one suffering a disaster. This backup option is relatively cheap, but each participant must maintain sufficient capacity to operate another’s critical system.


CA Ghanshyam Joshi (CA, Dip IFR (ACCA UK)) (3229 Points)
Replied 12 May 2011

Q.1(a) -

2.6 SYSTEM REQUIREMENT ANALYSIS

Objectives: This phase includes a thorough and detailed understanding of the current system, identifies the areas that need modification to solve the problem, the determination of user/managerial requirements, and having a fair idea about various systems development tools.

The following activities are performed in this phase:

• To identify and consult the stakeholders to determine their expectations and resolve their conflicts.
• To analyze requirements to detect and correct conflicts and determine priorities.
• To verify that the requirements are complete, consistent, unambiguous, verifiable, modifiable, testable and traceable.
• To gather data or find facts using tools like interviewing, research/document collection, questionnaires and observation.
• To model activities, such as developing models to document Data Flow Diagrams and E-R Diagrams.
• To document activities such as interviews, questionnaires, reports etc. and the development of a system (data) dictionary to document the modeling activities.

Document/Deliverable: A systems requirements report.



(Guest)
Agreed on both the answers, I made a mess over there... it's cut and paste from the study material. Seen all the answers, not sure how much I get, in the range of 40-50 I guess, and if I get even 40 I'll be very very happy.

CA Ghanshyam Joshi (CA, Dip IFR (ACCA UK)) (3229 Points)
Replied 12 May 2011

Q.1(b) -

7.5 RISK AND GOVERNANCE ISSUES IN AN ERP
Organizations face several new business risks when they migrate to real-time, integrated ERP
systems. Those risks include:
• Single point of failure: Since all the organization’s data and transaction processing is
within one application system.
• Structural changes: Significant personnel and organizational structure changes
associated with reengineering or redesigning business processes.
• Job role changes: Transition of traditional user roles to empowered-based roles with
much greater access to enterprise information in real time, and the point of control shifting
from the back-end financial processes to the front-end point of creation.
• Online, real-time: An online, real-time system environment requires a continuous
business environment capable of utilizing the new capabilities of the ERP application and
responding quickly to any problem requiring re-entry of information (e.g., if field
personnel are unable to transmit orders from handheld terminals, customer service staff
may need the skills to enter orders into the ERP system correctly so the production and
distribution operations will not be adversely impacted).
• Change management: It is challenging to embrace a tightly integrated environment when
different business processes have existed among business units for so long. The level of
user acceptance of the system has a significant influence on its success. Users must
understand that their actions or inaction have a direct impact upon other users and,
therefore, must learn to be more diligent and efficient in the performance of their day-to-day
duties. Considerable training is therefore required for what is typically a large
number of users.
• Distributed computing experience: Inexperience with implementing and managing
distributed computing technology may pose significant challenges.
• Broad system access: Increased remote access by users and outsiders and high
integration among application functions allow increased access to applications and data.
• Dependency on external assistance: Organizations accustomed to in-house legacy
systems may find they have to rely on external help. Unless such external assistance is
properly managed, it could introduce an element of security and resource management
risk that may expose the organizations to greater risk.
• Program interfaces and data conversions: Extensive interfaces and data conversions
from legacy systems and other commercial software are often necessary. The exposures
of data integrity, security and capacity requirements for ERP are therefore often much
higher.
• Audit expertise: Specialist expertise is required to effectively audit and control an ERP
environment. The relative complexity of ERP systems has created specialisation such
that each specialist may know only a relatively small fraction of the entire ERP’s
functionality in a particular core module, e.g. FI auditors, who are required to audit the
entire organisation’s business processes, have to maintain a good grasp of all the core
modules to function effectively.

More recently, some of the additional risks and good governance issues introduced by e-enabled
ERP environments concern:
• Single sign-on: It reduces the security administration effort associated with
administrating web-based access to multiple systems, but simultaneously introduces
additional risk in that an incorrect assignment of access may result in inappropriate
access to multiple systems.
• Data content quality: As enterprise applications are opened to external suppliers and
customers, the need for integrity in enterprise data becomes paramount.
• Privacy and confidentiality: Regulatory and governance issues surrounding the increased
capture and visibility of personal information, e.g. spending habits.



CA Ghanshyam Joshi (CA, Dip IFR (ACCA UK)) (3229 Points)
Replied 12 May 2011

Q.1(c) -

9.5.8 Physical and Environmental Security
For the proper implementation of Physical and Environmental Security, the following points need
to be taken into account:
• Physical security should be maintained and checks must be performed to identify all
vulnerable areas within each site.
• The IT infrastructure must be physically protected.
• Access to secure areas must remain limited to authorized staff only.
• Confidential and sensitive information and valuable assets must always be securely
locked away when not in use.
• Computers must never be left unattended whilst displaying confidential or sensitive
information or whilst logged on to systems.
• Supplies and equipment must be delivered and loaded in an isolated area to prevent any
unauthorized access to key facilities.
• Equipment, information or software must not be taken off-site without proper
authorization.
• Wherever practical, premises housing computer equipment and data should be located
away from, and protected against, threats of deliberate or accidental damage such as fire
and natural disaster.
• The location of the equipment room(s) must not be obvious. It will also, where practical,
be located away from, and protected against threats of, unauthorized access and
deliberate or accidental damage, such as system infiltration and environmental failures.


CA Ghanshyam Joshi (CA, Dip IFR (ACCA UK)) (3229 Points)
Replied 12 May 2011

Q.1(d) -

[Section 7] Retention of Electronic Records:

(1) Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, -

(a) the information contained therein remains accessible so as to be usable for a subsequent reference;

(b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;

(c) the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record:

However, this clause does not apply to any information which is automatically generated solely for the purpose of enabling an electronic record to be dispatched or received.

(2) Nothing in this section shall apply to any law that expressly provides for the retention of documents, records or information in the



(Guest)

Well, on 1(a) not that perfect;

the others I wrote quite well.


CA Ghanshyam Joshi (CA, Dip IFR (ACCA UK)) (3229 Points)
Replied 12 May 2011

Q.2(a) -

When utilizing PKI policies and controls, financial institutions need to consider the following:
• Defining within the certificate issuance policy the methods of initial verification that are
appropriate for different types of certificate applicants and the controls for issuing digital
certificates and key pairs;
• Selecting an appropriate certificate validity period to minimize transactional and
reputation risk exposure—expiration provides an opportunity to evaluate the continuing
adequacy of key lengths and encryption algorithms, which can be changed as needed
before issuing a new certificate;
• Ensuring that the digital certificate is valid by such means as checking a certificate
revocation list before accepting transactions accompanied by a certificate;
• Defining the circumstances for authorizing a certificate’s revocation, such as the
compromise of a user’s private key or the closing of user accounts;
• Updating the database of revoked certificates frequently, ideally in real-time mode;
• Employing stringent measures to protect the root key including limited physical access to
CA facilities, tamper-resistant security modules, dual control over private keys and the
process of signing certificates, as well as the storage of original and back-up keys on
computers that do not connect with outside networks;
• Requiring regular independent audits to ensure controls are in place, public and private
key lengths remain appropriate, cryptographic modules conform to industry standards,
and procedures are followed to safeguard the CA system;
• Recording in a secure audit log all significant events performed by the CA system,
including the use of the root key, where each entry is time/date stamped and signed;
• Regularly reviewing exception reports and system activity by the CA’s employees to
detect malfunctions and unauthorized activities; and
• Ensuring the institution’s certificates and authentication systems comply with widely
accepted PKI standards to retain the flexibility to participate in ventures that require the
acceptance of the financial institution’s certificates by other CAs.
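The "secure audit log ... time/date stamped and signed" control in the list above, as an added example that is not from the study material or the post: a hash-chained audit log for CA events in which every entry carries a sequence number, a timestamp, the previous entry's signature and its own signature, so that a later edit, reordering or deletion is detected on verification. It assumes a constructed HMAC key as a stand-in for the CA's log-signing key (a real CA would sign with a private key held in a tamper-resistant module), and the event names, actors and serial numbers are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key standing in for the CA's log-signing key; a real CA would sign
# entries with a private key held in a tamper-resistant module, not a shared secret.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first entry

def _canonical(entry: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def append_event(log: list, event: str, actor: str, when: str = None) -> dict:
    """Append a sequence-numbered, time-stamped entry chained to the previous
    signature and signed, so later edits or reordering are detectable."""
    entry = {"seq": len(log), "ts": when or datetime.now(timezone.utc).isoformat(),
             "event": event, "actor": actor, "prev": log[-1]["sig"] if log else GENESIS}
    entry["sig"] = hmac.new(SIGNING_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry

def verify_log(log: list) -> tuple:
    """Return (True, -1) if all entries are intact, else (False, first bad index). Caveat:
    tail truncation is only caught if the latest signature is also anchored outside the log."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "sig"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i  # reordered, deleted or inserted entry
        expected = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("sig", "")):
            return False, i  # content or signature altered
        prev = entry["sig"]
    return True, -1

def demo() -> tuple:
    # Constructed CA events: a root-key use, a revocation and a CRL publication.
    log = []
    append_event(log, "root_key_used: sign_certificate serial=0x1001", "ca-operator-1", "2011-05-12T09:00:00+00:00")
    append_event(log, "certificate_revoked serial=0x1001 reason=keyCompromise", "ca-operator-2", "2011-05-12T09:05:00+00:00")
    append_event(log, "crl_published", "ca-system", "2011-05-12T09:06:00+00:00")
    intact = verify_log(log)
    log[1]["event"] = "crl_published"  # an insider rewrites the revocation entry in place
    return intact, verify_log(log)
```

The reviewer described in the list (regular review of CA system activity) would run verify_log over the exported log and treat any (False, i) as an incident to investigate, not as a parsing error.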



CA Ghanshyam Joshi (CA, Dip IFR (ACCA UK)) (3229 Points)
Replied 12 May 2011

Q.2(b) -

The benefits of performing a technology risk assessment are:

• A business-driven process to identify, quantify and manage risks while detailing future suggestions for improvement in technical delivery.
• A framework that governs technical choice and delivery processes with cyclic checkpoints during the project lifecycle.
• Interpretation and communication of potential risk impact and, where appropriate, risk reduction to a perceived acceptable level.
• Implementation of strict disciplines for active risk management during the project lifecycle.

The technology risk assessment needs to be a mandatory requirement for all projects to ensure that proactive management of risks occurs and that no single points of failure are inadvertently built into the overall architecture.


