
Tuesday, March 1, 2011

SysTrust and WebTrust

Trust Services Principles and Criteria

(Incorporating SysTrust and WebTrust)

Trust Services (including WebTrust and SysTrust) are defined as a set of professional assurance and advisory services based on a common framework (i.e., a core set of principles and criteria) to address the risks and opportunities of information technology.

SysTrust and WebTrust are two specific services jointly developed by the CICA and AICPA that are based on the Trust Services Principles and Criteria. The Trust Services Principles and Criteria may, however, be used to offer services other than SysTrust and WebTrust.

The CICA/AICPA Privacy Framework consists of nine privacy practices that are key to the proper management of personal information and are based on internationally known fair information practices. Privacy laws and regulations from various jurisdictions around the world require many of these practices. Though they may not be widely known, these nine privacy practices appear in most comprehensive privacy laws worldwide. They include:


Notice: The entity provides notice about its privacy policies and practices to individuals at or before the information is collected, or as soon as practicable thereafter. The notice describes the purpose for which personal information is collected and how it will be used.

Choice and consent: The entity describes the choices available to the individual and obtains consent from the individual with respect to the collection, use, disclosure, and retention of personal information.

Collection: The entity limits the collection of personal information to that which is necessary for the purposes described in the notice.

Use and retention: The entity limits the use of personal information to purposes described in the notice and for which the individual has provided either implicit or explicit consent. The entity retains personal information for only as long as necessary for the fulfillment of the stated purposes, or as required by laws and regulations.

Access: The entity provides individuals with access to review, update, block further use of, or erase their personal information.

Onward transfer and disclosure: The entity discloses personal information to third parties only for the purposes described in the notice and for which the individual has provided either implicit or explicit consent, or as permitted by laws and regulations. The entity discloses personal information only to third parties who provide substantially equivalent protection as the entity.

Security: The entity takes reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction based on the sensitivity and value of the information.

Integrity: The entity maintains accurate, complete, relevant and reliable personal information for the purposes for which it is used.

Management and enforcement: The entity designates one or more individuals who are accountable for the entity’s compliance with its privacy policies. The entity has a periodic process to assess and verify compliance with its privacy policies. The entity has procedures to address privacy-related inquiries and disputes.

Trust Services provides for a modular approach using five different principles—security, availability, processing integrity, online privacy and confidentiality. It is possible for the client to request a separate Trust Services examination that covers one or any combination of the principles. Principles provide the basis for describing various aspects of the system under examination with logical groupings of suitable criteria.

Copyright © 2003 by American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants. Used with permission.

Friday, February 18, 2011

Reflections by CA Final Students of Hyderabad on 4 day ISCA Class held at Hyderabad Branch of SIRC of ICAI

Roja @ Hello Sir, Good morning. I am really very happy that I have attended a good session. To date ISCA used to be a very boring and a very dry subject for me, but after attending the four-day session it is my most favourite subject now. The way you taught the subject made us know how to deal with such subjects. Now it has become easy for me to even read the rest of the theory subjects of the CA Final course. Thank you very much, Sir. Please keep on conducting the sessions and please do keep posting the information regarding your classes. Have a nice day, Sir.

SANTOSH @ Good Morning Sir, It was really a wonderful insight into the subject, into what the ISCA subject is all about. We came to know the subject's core objective, i.e. what it is, and how important it is to this world where only information is processed and documented for further usage.
Thank you, Sir, for making this subject so easy to study and understand its application. Your lively interaction has helped us gain an advantage which can't be expressed in words.
Thank you, Sir, once again.



Monday, February 7, 2011

Digital Signature - A Monograph

Digital Signature – Introduction:


A digital signature is an electronic identification of a person or entity, created by using a public key algorithm and intended to verify to a recipient the integrity of the data and the identity of the sender. To verify the integrity of the data, a cryptographic hashing algorithm is computed over the entire message, which generates a small fixed-length string, usually about 128 bits in length. This process, also referred to as a digital signature algorithm, creates a message digest (i.e. a smaller, extrapolated version of the original message).

Encryption:


Encryption is the process of converting a plaintext message into a secure-coded form of text, called ciphertext, which decryption (the reverse process) converts back to plaintext. This is done via a mathematical function and a special encryption / decryption password called the key. In many countries, encryption is subject to governmental laws and regulations.

Encryption generally is used to:

1. Protect data in transit over networks from unauthorized interception and manipulation (confidentiality)

2. Protect information stored on computers from unauthorized viewing and manipulation (integrity)

3. Deter and detect accidental or intentional alterations of data

4. Verify genuineness of a transaction or document (authentication)

Encryption is limited in that it cannot prevent the loss of data and its programs can be compromised. Therefore, encryption should be regarded as an essential, but incomplete, form of access control that should be incorporated into an organisation’s overall computer security program.

Key elements of encryption systems include:

1. Encryption algorithm: A mathematically based function or calculation that encrypts / decrypts data

2. Encryption Keys: A piece of information that is used within an encryption algorithm (calculation) to make the encryption or decryption

3. Key length: A predetermined length for the key. The longer the key, the more difficult it is to compromise in a brute-force attack (an intruder launches an attack, using many of the password cracking tools available at little or no cost, on encrypted passwords to gain unauthorized access on an organisation’s network systems) where all possible key combinations are tried.

The effectiveness of an encryption system depends upon the strength of the algorithm, the secrecy of the key and the difficulty of compromising it, whether back doors exist by which an encrypted file can be decrypted without knowing the key, whether an entire ciphertext message can be decrypted once the way a portion of it decrypts is known (called a known-text attack), and the properties of the plaintext known to a perpetrator.

Most encrypted transactions over the Internet use a combination of private / public keys, secret keys, hash functions (fixed values derived mathematically from a text message) and digital certificates to achieve confidentiality, message integrity, authentication and non-repudiation by either sender or recipient (also known as Public Key Infrastructure). This encryption process allows data to be stored and transported with reduced exposure, so a company’s corporate data are secure as they move across the Internet or other networks. There are two types of cryptographic systems: symmetric or private key, and asymmetric or public key cryptographic systems.

Private Key Encryption (Symmetric Cryptosystem):


Private Key cryptographic systems are based on a symmetric encryption algorithm, which uses a secret (private) key to encrypt the plaintext to the cipher text and the same key to decrypt the ciphertext to the corresponding plaintext. In this case the key is symmetric because the encryption key is the same as the decryption key.

The most common private key cryptographic system is the Data Encryption Standard (DES). DES is a standard encryption / decryption technique published in 1977 by the US National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology. DES is based on a public algorithm that operates on plaintext in blocks (strings or groups) of bits. This type of algorithm is known as a block cipher. DES uses blocks of 64 bits. A key of 56 bits is used for the encryption and decryption of plaintext. An additional 8 bits are used for parity checking. Any 56-bit number can be used as a key and there are 72,057,594,037,927,936 (i.e. 2^56) possible keys in the key space.

There are two main advantages to private key cryptosystems. The first is that the user has to use only one key for both encryption and decryption. The second is that private key cryptosystems are generally less complicated and therefore use up less processing power than asymmetric techniques. This makes private key cryptosystems ideally suited for bulk data encryption. The major disadvantage of this approach is how to get the keys into the hands of those with whom you want to exchange data, particularly in e-commerce environments, where customers are unknown, untrusted entities. Also, a symmetric key cannot be used to sign electronic documents or messages due to the fact that the mechanism is based on a shared secret.

Public Key Encryption (Asymmetric cryptosystem):


Public key cryptographic systems developed for key distribution solve the problem of getting symmetric keys into the hands of two people who do not know each other but who want to exchange information in a secure manner. Based on an asymmetric encryption process, two keys work together as a pair. One key is used to encrypt data; the other is used to decrypt data. Either key can be used to encrypt or decrypt, but once one key has been used to encrypt data, only its partner can be used to decrypt the data (even the key that was used to encrypt the data cannot be used to decrypt it).

The keys are asymmetric in that they are inversely related to each other. Based on mathematical integer factorization, the idea is to generate a single product from two large prime numbers (viz. 100 digit prime numbers), where it is impracticable to factor and recover the two factors. This integer factorization process forms the basis for public key cryptography (i.e. function easy to compute in one direction, but very difficult or impractical in the other direction). The system involves modular arithmetic, exponentiation, and large prime numbers thousands of bits long. Since the keys are large numbers (e.g. 1024 bits), they are used for short messages such as encrypting symmetric keys or creating digital signatures.

A common form of asymmetric encryption is RSA. RSA is a public key cryptosystem for both encryption and authentication; it was invented in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman (RSA stands for the initials of their last names). It works as follows: take two large primes, p and q, and find their product n = p x q; n is called the modulus. Choose a number, e, less than n and relatively prime to (p-1) x (q-1), which means that e and (p-1) x (q-1) have no common factors except 1. Find another number d, such that (ed–1) is divisible by (p-1) x (q-1). The values e and d are called the public and private exponents, respectively. The public key is the pair (n, e); and the private key is (n, d). The factors p and q may be kept with the private key, or destroyed.


It is extremely unlikely that one could obtain the private key d from the public key (n, e). If one could factor n into p and q, however, then one could obtain the private key d. Thus, the security of RSA is related to the assumption that factoring is difficult.

Generally, with asymmetric encryption, one key – the secret or private key – is known only to one person; the other key – the public key – is known by many people. In other words, a message that has been sent enciphered by the secret key of the sender can be deciphered by anyone with the public key, but could only have come from the sender. This forms the basis of authentication and nonrepudiation (i.e. the sender cannot later claim that he/she did not generate the message). A message that has been enciphered using the public key of the receiver can be generated by anyone, but can only be read by the receiver. This is the basis of confidentiality. A message that has been encrypted twice, first by the sender’s secret key and secondly by the receiver’s public key, achieves both authentication and confidentiality objectives.

Data Integrity (Hash Algorithm):

A digital signature is an electronic identification of a person or entity, produced by using a public key algorithm and intended to verify to a recipient the integrity of the data and the identity of the sender. To verify the integrity of the data, a cryptographic hashing algorithm is computed over the entire message, which generates a small fixed-length string, usually about 128 bits in length. This process, also referred to as a digital signature algorithm, creates a message digest (i.e. a smaller, extrapolated version of the original message).



This algorithm is a one-way function unlike private and public key encryption algorithms. The process of creating message digests cannot be reversed. They are meant for digital signature applications where a large electronic document or string of characters, such as a word processor text, a spreadsheet, a database record, the content of a hard disk or a jpg image, has to be compressed in a secure manner before being signed with the private key. The digest algorithm takes a message of arbitrary length and produces a 128-bit message digest.


Sender’s Authentication (Digital Signature):



The next step, which verifies the identity of the sender, is to encipher the message digest using the sender’s private key, which “signs” the document with the sender’s digital signature for message authenticity. To decipher, the receiver would use the sender’s public key, proving that the message could only have come from the sender. This process of sender authentication is known as nonrepudiation, because the sender cannot later claim that they did not generate the message.

Once decrypted, the receiver will recompute the hash using the same hashing algorithm on the electronic document and compare the results with what was sent to ensure the integrity of the message. Therefore, digital signature is a cryptographic method that ensures:



Data integrity – Any change to the plaintext message would result in the recipient failing to compute the same message hash.
Authentication – The recipient can ensure that the message has been sent by the claimed sender, who alone holds the secret key.
Nonrepudiation – The claimed sender cannot deny generating and sending the message.
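The RSA recipe above (n = p × q, e coprime to (p-1)(q-1), d the inverse of e) and the hash-then-sign flow just described, carried through as an added worked example that is not part of the monograph. It builds a toy key pair with small (512-bit) primes, shows that a value enciphered with one half of the pair is recovered only with the other half, and signs and verifies a document. Assumptions not in the text: SHA-256 is used as the digest (the 128-bit figure in the monograph describes older digests), the primes are found with a Miller–Rabin test, key generation is seeded so the run is reproducible, and no padding scheme is applied, which is why this is an illustration and not a usable library.

```python
# Added worked example (not from the monograph): toy RSA key generation,
# the encrypt-with-one-key / decrypt-with-the-other property, and
# hash-then-sign digital signatures. Key sizes, seeding and the absence of
# padding are illustration-only choices; real systems use 2048-bit or larger
# keys with a standard padding scheme and a true random source.
import hashlib
import math
import random


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probabilistic primality test (assumed helper, not from the text)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random prime of exactly `bits` bits (top bit set so n has the expected size)."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits=512, seed=None):
    """The page's recipe: n = p*q, e coprime to (p-1)(q-1), d = e^-1 mod (p-1)(q-1).
    `seed` only makes this example reproducible; never seed a real key generator."""
    rng = random.Random(seed)
    e = 65537  # common public exponent, prime, so gcd check rarely fails
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (p * q, e), (p * q, d)  # (public key, private key)


def apply_key(value, key):
    """One modular exponentiation; works with either half of the pair."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def digest_as_int(message):
    """Fixed-length message digest as an integer (SHA-256 here, 256 bits < n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private_key):
    """Sender enciphers the digest with the private key."""
    return apply_key(digest_as_int(message), private_key)


def verify(message, signature, public_key):
    """Receiver deciphers with the public key and compares with a fresh digest."""
    n, _ = public_key
    if not 0 <= signature < n:
        return False
    return apply_key(signature, public_key) == digest_as_int(message)


def demo():
    """Constructed document; returns the checks a reader would want to see."""
    public, private = generate_keypair(seed=2011)
    document = b"Pay Rs. 50,000 to ABC Limited"
    sig = sign(document, private)
    return {
        "genuine_verifies": verify(document, sig, public),
        "tampered_verifies": verify(b"Pay Rs. 90,000 to ABC Limited", sig, public),
        "round_trip": apply_key(apply_key(42, public), private) == 42,
        "reverse_round_trip": apply_key(apply_key(42, private), public) == 42,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the four checks: the genuine document verifies, the altered one does not (its digest differs, so the recovered value no longer matches), and a value enciphered with either key is recovered only with its partner, which is the property the monograph relies on for both confidentiality and authentication.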


Tuesday, February 1, 2011

ISCA - CA Final - Short Notes on ITIL

ITIL


ITIL is an acronym for Information Technology Infrastructure Library. ITIL is a series of books and training manuals that outline and explain the practices that are the most beneficial to IT services (usually manager focused). The goal of ITIL is for managers to have extremely high standards in IT value, as well as high financial quality in day-to-day IT operations. ITIL procedures are supplier independent and include instructional materials on IT infrastructure, operations and development issues.

It should be noted that the acronym ITIL is a registered trademark, and the books included in the ITIL library are copyrighted as well.

ITIL has had a long history of development, and many IT professionals believe that ITIL grew out of the yellow books, which were best practices and guidelines used in IBM during the 1980s; however, it wasn't until the middle of the 1990s that ITIL became a formal library of IT best practice frameworks. The newest version of ITIL (version 3) is set to be released in May of 2007. ITIL v3 has been anticipated by many IT professionals all over the world for the last few years. It is expected that five core texts will be packaged in the publication; they include: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.

The original ITIL library included several books that covered specific themes in IT Service Management. However, after the original publication, the books in the library grew to over 30 volumes. Since 30 volumes can be cumbersome, difficult to read and digest and expensive to purchase as a complete set, the second version of ITIL has been consolidated.

ITIL v2 was packaged differently; version 2 was sold in sets that related to process guidelines and included several different aspects of IT including applications, services and IT management. It should be noted that the most popular sets sold in ITIL v2 are the services set, specifically Service Support and Service Delivery. While these two sets are by far the most popular, the ITIL library used as a whole is extremely comprehensive and a good foundation for any business using IT components today.

Following is a list of the books included in ITIL version 2:

  1. Introduction to ITIL: While not one of the core competencies of ITIL, this publication gives the reader a comprehensive overview of the advantages, methods used and wide array of publications available in the ITIL library. This introductory book helps both the individual and organization acquire a thorough understanding of how ITIL can be an invaluable tool when put into action.
  2. Service Delivery- Part of the IT Service Management Set, the service delivery book is primarily focused on being proactive and looking at the long term for what a business requires from its ICT (information and communications technology) provider to make sure that the proper support is being given to its business users. This includes Service Level Management, Capacity Management, IT Services Continuity Management, Availability Management and Financial Management.
  3. Service Support- Service Support is also part of the IT Service Management Set. This book is focused on the business's end users and making sure that all end users of the organization have appropriate services to run and complete their tasks accordingly.
  4. ICT Infrastructure Management- ICT is an acronym for information and communications technology, this manual includes best practices for several facets of the ICT infrastructure including ICT design, planning, deployment, operations and technical support.
  5. Security Management- ITIL security management focuses on the best practices and guidelines to make sure that information is stored safely and protected against risks of hacking and theft. In today's business world, it is extremely important that sensitive data remains private and confidential.
  6. Business Perspective- This book details the best practices and addresses many issues in IT. This book tries to facilitate understanding regarding key issues in IT along with quality management in the IS (Information Service) field.
  7. Application Management- This set includes best practices and guidelines in order to improve quality of software applications and support of these applications through the entire development life cycle.
  8. Software Asset Management- Software asset management is part of IT service management and looks at how software should be treated as an asset with value. This book details how businesses can save money through policies and procedures that underline using software expeditiously.
  9. Planning to Implement Service Management- Provides businesses with a framework for analyzing and understanding what is needed when instituting certain IT processes and approaches. Many times a CSIP (Continuous Service Improvement Program) is implemented, along with other ITIL books and disciplines.
  10. ITIL Small Scale Implementation- This discipline is used for businesses with smaller ITIL departments. This book covers many best practices and guidelines used for larger implementation, but focuses as well on the important roles and responsibilities within a small unit and ways to avoid conflicts between ITIL priorities.

Advantages of ITIL

There are several benefits for using the Information Technology Infrastructure Library for many of your IT business needs and one main benefit is that through the guidelines and best practices that are taught in the library, your business can save a tremendous amount of money once implemented.

Another advantage of ITIL is that it will help your IT department organize and manage many different disciplines using one comprehensive volume. ITIL is the leader in IT guidelines and best practice publications; it has been tested in real world environments for over a decade and is proven to work.

Disadvantages of ITIL

While the advantages usually far outweigh the disadvantages, there are a couple of criticisms that are worth noting including the idea that most IT professionals consider ITIL a holistic approach to IT management. While ITIL is comprehensive, even the publication itself does not consider itself a holistic approach to IT management.

In addition, there are also accusations by some IT professionals that following only the ITIL due to its acceptance by many IT managers as the authoritative source has actually led to many businesses to skip pragmatic solutions for their specific business needs. Finally, another criticism of ITIL is that while some topics are covered extensively and are of high value, other topics may not receive enough emphasis with quality being uneven in certain publications.

(Please give your suggestions / comments / feedback below).

Sunday, January 30, 2011

ISCA - Practice Manual - Latest - January 2011 Edition - CA Final - Group II - Paper 6 : {Courtesy: ICAI}

Friends,

ICAI has come up with the latest Practice Manual. This is a booklet published by ICAI containing the synopsis of the chapters and the answers for self-examination questions and past exam questions. It is prepared by the Board of Studies of ICAI. This is copyrighted material; kindly use it for academic purposes only. The links below give the PDF file (Jan 2011 edition) for each chapter.

Chapter 1: Information System Concepts

https://sites.google.com/site/gkr8164/infotech/21483sm_finalnew_isca_vol2_cp1.pdf?attredirects=0&d=1

Chapter 2 : System Development Life Cycle Methodology

https://sites.google.com/site/gkr8164/infotech/21484sm_finalnew_isca_vol2_cp2.pdf?attredirects=0&d=1

Chapter 3 : Control Objectives

https://sites.google.com/site/gkr8164/infotech/21485sm_finalnew_isca_vol2_cp3.pdf?attredirects=0&d=1

Chapter 4 : Testing - General and Automated Controls

https://sites.google.com/site/gkr8164/infotech/21486sm_finalnew_isca_vol2_cp4.pdf?attredirects=0&d=1

Chapter 5 : Risk Assessment Methodologies and Applications

https://sites.google.com/site/gkr8164/infotech/21487sm_finalnew_isca_vol2_cp5.pdf?attredirects=0&d=1

Chapter 6 : Business Continuity Planning and Disaster Recovery Planning

https://sites.google.com/site/gkr8164/infotech/21488sm_finalnew_isca_vol2_cp6.pdf?attredirects=0&d=1

Chapter 7 : An Overview of Enterprise Resource Planning

https://sites.google.com/site/gkr8164/infotech/21489sm_finalnew_isca_vol2_cp7.pdf?attredirects=0&d=1

Chapter 8 : Information Systems Auditing Standards, Guidelines and Best Practices

https://sites.google.com/site/gkr8164/infotech/21490sm_finalnew_isca_vol2_cp8.pdf?attredirects=0&d=1

Chapter 9 : Drafting of IS Security Policy, Audit Policy, IS Audit Reporting - A Practical Perspective

https://sites.google.com/site/gkr8164/infotech/21491sm_finalnew_isca_vol2_cp9.pdf?attredirects=0&d=1

Chapter 10 : Information Technology (Amendment) Act, 2008

https://sites.google.com/site/gkr8164/infotech/21492sm_finalnew_isca_vol2_cp10.pdf?attredirects=0&d=1

Any comments, please give them down below with an open mind (critical views are first and most welcome for future improvements) or email to gkr@icai.org

Happy Reading...

ISCA - Chapter 3 : Control Objectives: Scan of Past Exam Questions with reference to Study Material: CA Final - Group II - Paper 6

CHAPTER 3: CONTROL OBJECTIVES

Scan of Past Exam Questions:

Year | Marks | Question | Answer in ICAI-ISCA Study Material (page no.)
N 08 | 10 | 3(a) What do you understand by classification of information? Explain different classifications of information. | 3.68
N 08 | 5 | 3(c) Briefly explain the formal change management policies and procedures to have control over system and program changes. | 3.45 – 3.48
N 08 | 5 | 7(b) Key elements in System Development and Acquisition Control | 3.38
J 09 | 5 | 2(b) “While reviewing a client’s control system, an information system auditor will identify three components of internal control.” State and briefly explain these three components. | 3.23
J 09 | 10 | 3(a) A company is engaged in stores taking data activities. Whenever an input data error occurs, the entire stock data is to be reprocessed at a cost of Rs. 50,000. The management has decided to introduce a data validation step that would reduce errors from 12% to 0.5% at a cost of Rs. 2,000 per stock taking period. The time taken for validation causes an additional cost of Rs. 200. (i) Evaluate the percentage of cost benefit effectiveness of the decision taken by the management and (ii) suggest preventive control measures to avoid errors for improvement. | 3.17
J 09 | 5 | 3(b) What are the issues that should be considered by a system auditor at post implementation review stage before preparing the audit report? | 3.66, 3.67
J 09 | 5 | 7(c) Firewall | 3.76
N 09 | 5 | 3(c) Explain the term “Cryptosystems”. Briefly discuss Data Encryption Standard. | 3.73
N 09 | 5 | 4(c) Discuss the three processes of Access Control Mechanism, when a user requests for resources? | 3.106, 3.107
N 09 | 5 | 5(c) Discuss anti-virus software and its types? | 3.87
J 10 | 10 | 2(c) The management of ABC Limited wants to design a detective control mechanism for achieving security policy objective in a computerized environment. As an auditor explain how audit trails can be used to support security objectives. | 3.30
J 10 | 5 | 3(c) Explain the role of IS auditor in evaluating logical access controls | 3.100

Saturday, January 29, 2011

ISCA - Chapter 5 : Scan of Past Questions with reference to Study Material - CA Final - Group II - Paper 6
CHAPTER 5: RISK ASSESSMENT METHODOLOGIES AND APPLICATIONS

Scan of Past Exam Questions:

Year | Marks | Question | Answer in ICAI-ISCA Study Material (page no.)
N 08 | 10 | 5(a) Explain the following terms with reference to Information Systems: (i) Risk, (ii) Threat, (iii) Vulnerability, (iv) Exposure, (v) Attack | 5.1-5.3
N 08 | 5 | 5(b) “There always exist some common threats to the computerized environment”. Explain these threats | 5.3-5.4
N 08 | 5 | 5(c) What do you understand by “Risk Assessment”? Discuss the various areas that are to be explored to determine the risk? | 5.5-5.7
J 09 | 5 | 3(c) “Always, there exists some threats due to Cyber Crimes”. Explain these threats | 5.4, 5.5
J 09 | 5 | 4(b) State and explain four commonly used techniques to assess and evaluate risks | 5.10, 5.11
N 09 | 5 | 2(b) Explain the threats due to Cyber Crimes. | 5.4, 5.5
N 09 | 5 | 3(b) Describe Risk Management Process | 5.8
M 10 | 5 | 2(a) What are the common threats to the computerized environment other than natural disasters, fire and power failure? | 5.3
M 10 | 5 | 5(a) What are the two primary questions to consider when evaluating the risk inherent in a business function in the context of the risk assessment methodologies? Give the purposes of risk evaluation. | 5.10

ISCA - Chapter 6 - Scan of Past Exam Questions with reference to study material - CA Final - Group II - Paper 6
CHAPTER 6: BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING

Scan of Past Exam Questions:

Year | Marks | Question | Answer in ICAI-ISCA Study Material (page no.)
N 08 | 5 | 1(b) Discuss the objectives and goals of Business Continuity Planning | 6.2
N 08 | 10 | 6(a) What do you understand by the term Disaster? What procedural plan do you suggest for disaster recovery? | 6.17
N 08 | 5 | 6(b) Describe the methodology of developing a business continuity plan? | 6.3
N 08 | 5 | 6(c) Briefly explain the various types of system’s back-up for the system and data together | 6.12
J 09 | 10 | 4(a) As a system auditor, what control measures will you check to minimize threats, risks and exposures in a computerized system? | 6.9, 6.10
J 09 | 5 | 4(c) What are the audit tools and techniques used by a system auditor to ensure that disaster recovery plan is in order? Briefly explain them | 6.23, 6.24
N 09 | (marks not given) | 3(a) What analysis should be done for understanding the degree of potential loss (such as reputation damage, regulation effects) of an organisation? Enumerate the tasks to be undertaken in this analysis. In what ways can the information be obtained for this analysis? | 6.5
M 10 | 5 | 3(b) A company has decided to outsource a third party site for its alternate back-up and recovery process. What are the issues to be considered by the security administrator while drafting the contract? | 6.13
N 10 | 4 | “Technology risk assessment needs to be a mandatory requirement for project to identify single point of failures” - Justify | 6.11