Cisa Notes 2 (AutoRecovered)

The document discusses several topics related to database security, disaster recovery, and systems availability. It defines key terms like recovery point objective (RPO) and recovery time objective (RTO) for backup procedures. It also differentiates between mobile, warm, cold, and hot sites for relocating IT systems after a disaster. The document emphasizes that transition clauses when changing suppliers and the right to audit outsourcing contracts are important for maintaining availability. It highlights several network diagnostic tools and procedures for monitoring systems and ensuring availability.

Chapter 4

1. Availability of system utilities is what an IS auditor is most concerned with when conducting an audit of client-server database security, because such utilities may enable unauthorized changes to be made to data on the client-server database.

2. Recovery point objective (RPO): age of the recovered data (i.e. how long ago the data were backed up)->if RPO is very low, like minutes, the org cannot afford to lose even a few minutes of data->data mirroring should be used

If RPO is high->other backup procedures such as tape backup and recovery could be used

High recovery time objective (RTO): the IT system may not be needed immediately after the disaster declaration (it can be recovered later)

3. Mobile site: specially designed trailers that can be quickly transported to a business location or to an alternate site to provide a ready-conditioned information processing facility (IPF)

Warm site: partially configured, usually with network connections and selected peripheral equipment but without the main computer

Cold site: has only the basic environment to operate an IPF; ready to receive equipment but does not offer any components at the site in advance

Hot site: fully configured and ready to operate within several hours or even minutes

A4-2. A transition clause from the old supplier to the new supplier in the case of expiration or termination is most important, because there is a risk the old supplier may simply pull the plug and make no data available to the org

A4-3 Right to audit is most important in an outsourcing contract with a service provider

A4-11 To ensure system availability, test plans and procedures should exist and be closely followed

A4-12 ** Incident response plan determines the information security responses to incidents such as
cyberattacks on systems. This plan establishes procedures to enable security personnel to identify,
mitigate and recover from malicious computer incidents

A4-14 **Open system architecture

Open systems are those in which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability (systems working with each other) between systems made by different vendors

A4-15: Unshielded twisted pair: reduce likelihood of crosstalk

A4-16: Critical element of disaster recovery plan: offsite storage of backup data

A4-17 Continuous monitoring

A4-24 Quality of Service: traffic prioritization and resource reservation control mechanisms rather than the achieved service quality->gives priority to business applications and end users through allocation of dedicated parts of bandwidth to specific traffic

A4-28

Retention time: duration of time for which the information should be maintained

Network diagnostic tool: client/server program that provides network configuration and performance testing to a user desktop or laptop

Online monitor: measures telecommunication transmissions and determines whether transmissions were accurate and complete

Downtime report: tracks availability of telecommunication lines and circuits

Help desk report: prepared by the help desk, staffed or supported by IS technical support personnel trained to handle problems

Protocol analyzers: network diagnostic tools that monitor and record network information from packets travelling in the link to which the analyser is attached

Fallback procedures: restore a system to a previous state->when software is being upgraded but the upgrade does not work and requires a fallback to its former state

A4-36 Normalize a table: group tables together->reduce redundancy

Denormalize a table: increase redundancy->useful when you are retrieving data->increases the risk of loss of data integrity because there is a lack of consistency of data

A4-39 Concurrency control: prevents data integrity problems, which can arise when two update processes access the same data item at the same time

A4-40

Parity bits: extra bit added to data while sending data from one computer to another
-detect data transmission error
-ensure data completion
-ensure data integrity

Checksum (identify transmission error and options): same as parity but able to identify complex errors by increasing the complexity of the arithmetic

CRC (identify transmission error): more advanced than parity and checksum

Network monitoring tools: mainly focus on availability

A4-55 Capacity monitoring: ensure compliance with internal SLA


Bridge: contains only few ports for LAN connectivity

Switch: contains many ports for LAN connectivity

*Gateway-Application layer
A4-69 Escrow agreement: ensure customer can continue to use the software and obtain technical
support if a vendor were to go out of business
Object oriented technology

1. inheritance

-> both have similar features so you can simply inherit

2. encapsulation

3. polymorphism
SQL: structured query language->used to communicate with a database->SQL statements are used to perform tasks such as updating data on a database or retrieving data from a database

Referential integrity: Primary key vs foreign key


Business process reengineering

Stress testing: relates to capacity and availability

Black box testing: performed on individual modules

Interface testing: tests the interaction with external systems but would not validate the performance of the changed system

System testing: tests all functionality and interfaces between modules

Network topology: arrangement of the elements (links, nodes etc.) of a communication network, used to define or describe the arrangement of various types of telecommunication networks
Redundant Array of Inexpensive Disks (RAID) level 1:
Provides disk mirroring; data written to one disk are also written to another disk->if one disk fails, the second disk takes over->ensures availability of data

-Will not protect against natural disaster

Before image dump: the last transaction in the dump will not have updated the database prior to the dump being taken

For online systems, periodic dumps of transaction logs are the only safe way of preserving timely historic data: because online systems do not have a paper trail that can be used to recreate data, maintaining transaction logs is critically important to prevent data loss

Backup addresses availability, not integrity


Containment=stop

Cyclic redundancy check (CRC): error detection

A CRC-enabled device calculates a short, fixed-length binary sequence, known as the check value or CRC, for each block of data to be sent or stored and appends it to the data, forming a codeword. When a codeword is received or read, the device either compares its check value with one freshly calculated from the data block, or equivalently performs a CRC on the whole codeword and compares the resulting check value with an expected residue constant. If the CRC values do not match, the block contains a data error. The device may take corrective action, such as rereading the block or requesting that it be sent again. Otherwise, the data is assumed to be error-free (though, with some small probability, it may contain undetected errors; this is inherent in the nature of error-checking).

Incremental backup: minimises media storage

Disk to disk backup: the primary backup is written to disk instead of tape. That backup can then be copied, cloned or migrated to tape at a later time->allows the backup of data to be performed without impacting system performance and allows a large quantity of data to be backed up in a very short backup window. In case of a failure, the fault tolerant system can transfer immediately to the other disk set
Domain 5

Parameter tampering: a form of Web-based attack in which certain parameters in the Uniform Resource Locator (URL) or Web page form field data entered by a user are changed without that user's authorization.

Cross site scripting: bypasses access controls such as the same origin policy
-insert script languages in a text field that other users can see
-Types: reflected/stored/DOM
-involves the compromise of the web page to redirect users to content on the attacker's web site

Cookie poisoning: changing cookie files in order to steal someone's identity or financial information. Many different kinds of hacking that focus on taking data from cookies can be called cookie poisoning, including theft of passwords, credit card numbers or other identifiers that are stored in cookie files.

Stealth commanding: insert code in a text field to take control of an application

Encryption vs Hashing

Encryption: both ways; unique file

Hashing: one way, you can't get the original file from the hash value; on rare occasions there will be a hash conflict (collision)
-Document hashing: ensure accuracy
-Password hashing: increase security
-Detect transmission error (better than parity bit)

Check digit->transposition and transcription errors->check accuracy (you have a formula, calculate it into a certain number and add that number as the last digit)

Parity bits: detect data transmission error->ensure data completion->ensure data integrity (how? count the 1 bits in the data; with even parity, if the count is already even, e.g. 4, the parity bit is 0)

Checksum: same as parity but able to identify complex errors by increasing the complexity of the arithmetic

CRC: more advanced version of parity and checksum; increases the complexity of the arithmetic

Forward error control: correct data transmission errors
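The following is an added example, not part of the notes: the four checks compared above (and in the A4-40 and CRC entries earlier) are applied to the same constructed data, which shows why the notes rank CRC above checksum above parity. The sample message, the account number and the choice of the mod-10 (Luhn) formula for the check digit are assumptions made for the demo.

```python
# Added example: parity, checksum, CRC and a check digit on constructed sample data.
# Standard library only.
import zlib

# Constructed sample block: a transfer instruction, and a copy with two digits transposed.
ORIGINAL = b"TRANSFER 100 TO ACCT 42"
TRANSPOSED = b"TRANSFER 100 TO ACCT 24"   # same bytes, different order


def parity_bit(data: bytes) -> int:
    """Even parity over the block: 0 when the count of 1 bits is already even."""
    ones = sum(bin(b).count("1") for b in data)
    return ones % 2


def checksum8(data: bytes) -> int:
    """Arithmetic checksum: sum of all bytes modulo 256."""
    return sum(data) % 256


def crc32(data: bytes) -> int:
    """CRC-32 check value (polynomial division) that would be appended to form a codeword."""
    return zlib.crc32(data) & 0xFFFFFFFF


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Copy of data with one bit inverted (simulates a single transmission error)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def detected_by(original: bytes, received: bytes) -> dict:
    """Which control notices that `received` differs from `original`."""
    return {
        "parity": parity_bit(original) != parity_bit(received),
        "checksum": checksum8(original) != checksum8(received),
        "crc32": crc32(original) != crc32(received),
    }


def luhn_check_digit(payload: str) -> int:
    """Mod-10 (Luhn) check digit: the formula's result becomes the last digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # every second digit, counted from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """Recompute the check digit from the other digits and compare with the last one."""
    return luhn_check_digit(number[:-1]) == int(number[-1])


if __name__ == "__main__":
    print("single bit flip :", detected_by(ORIGINAL, flip_bit(ORIGINAL, 0, 0)))
    print("transposed bytes:", detected_by(ORIGINAL, TRANSPOSED))
    acct = "7992739871"
    full = acct + str(luhn_check_digit(acct))
    swapped = full[:-2] + full[-1] + full[-2]
    print(full, luhn_valid(full), "last two digits swapped:", luhn_valid(swapped))
```

A single flipped bit is caught by all three controls, while swapping two bytes leaves the bit count and the byte sum unchanged and is caught only by the CRC; the check digit likewise rejects a transposed account number.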

Primary reason for establishing audit trails: establish accountability and responsibility for processed
transactions

Intrusion detection systems (IDS): detect network or host-based errors

Data mining: detect trends or patterns of transactions or data

Firewall: protect network and system

Packet filtering router: operates at network level

Network IDS vs Host IDS
-Network IDS: monitors activities on an identified network; checks for attacks by inspecting contents and header information of all packets
-Host IDS: monitors activities on a particular single system; detects activity on the host computer, e.g. deletion of files, modification of programs

Components of IDS: Sensors (collect data)->analyser (analyse data and determine intrusive activity)->user interface (users view results and take actions)->administration console (manage IDS rules and functions)

Signature-based IDS: intrusion is identified on the basis of known types of attacks

Statistical based IDS: generates the most false positives; determines normal (known and expected) behaviour of the system

Neural network: similar to statistical based IDS with added self learning; capable of capturing relationships missed by other statistical methods

IDS: monitor and record intrusion activities

IPS: also prevent intrusion activities

*IDS won't detect application level vulnerabilities, will not detect encrypted traffic

Types of firewall:

Packet filtering firewall (network layer)
-simplest and earliest kind
-allow or deny action is done per IP address and port number of source and destination of packets

Stateful inspection (network layer)
-keeps track of the destination of each packet that leaves the internal network
-ensures an incoming message is in response to the request that went out
*allows traffic from outside in response to traffic from an internal host

Application level firewall (application layer; most secure)
-works on bastion host and proxy server
-separate proxy for each application
-controls FTP and HTTP

Circuit level firewall (session layer)
-works on bastion host and proxy server

Most robust configuration: deny all traffic and allow specific traffic

What is a bastion host: kind of a reception area in office premises; the only computer allowed to be addressed directly from the public network, designed to protect the rest of the network from exposure

-no critical application or data are hosted on the bastion host

Proxy: middleman, stands between internal and external network; will not allow direct communication between the two networks
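Added example (not from the notes): a minimal model of the two network-layer firewall types above, both configured deny-all-then-allow-specific, run over the same packet trace. The addresses, ports and the trace are constructed for the demo; the classes are mine, not any product's code.

```python
# Added example: stateless packet filter next to a stateful inspection firewall.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the internal network, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int


class PacketFilter:
    """Stateless: each packet is judged on its own addresses and ports. Default deny."""

    def __init__(self, allow_rules):
        # Each rule: (direction, lowest destination port, highest destination port).
        self.allow_rules = allow_rules

    def allows(self, pkt: Packet) -> bool:
        return any(d == pkt.direction and lo <= pkt.dport <= hi
                   for d, lo, hi in self.allow_rules)


class StatefulFirewall(PacketFilter):
    """Remembers outbound connections; inbound traffic passes only as a reply to one."""

    def __init__(self, allow_rules):
        super().__init__(allow_rules)
        self.connections = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            ok = super().allows(pkt)
            if ok:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return ok
        # Inbound: accepted only if it answers a connection an internal host opened.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def run_trace(firewall: PacketFilter, packets) -> list:
    """Apply the firewall to a packet sequence and return the allow/deny decisions."""
    return [firewall.allows(p) for p in packets]


# Constructed trace: an internal client opens an HTTPS connection, the reply comes back,
# then an unrelated outside host sends a packet that merely looks like a reply, and
# finally the client tries telnet, which no rule permits.
TRACE = [
    Packet("out", "10.0.0.5", 40000, "203.0.113.10", 443),
    Packet("in", "203.0.113.10", 443, "10.0.0.5", 40000),
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 40000),
    Packet("out", "10.0.0.5", 40001, "203.0.113.10", 23),
]

# A stateless filter must open all high ports inbound so that legitimate replies get through.
STATELESS_RULES = [("out", 443, 443), ("in", 1024, 65535)]
# The stateful firewall needs only the outbound rule; replies are matched from its table.
STATEFUL_RULES = [("out", 443, 443)]


def compare() -> dict:
    """Decisions of both firewall types on the constructed trace."""
    return {
        "packet filter": run_trace(PacketFilter(STATELESS_RULES), TRACE),
        "stateful": run_trace(StatefulFirewall(STATEFUL_RULES), TRACE),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:14s}", decisions)
```

The third packet is the point of the exercise: the packet filter admits it because it matches the high-port rule, while the stateful firewall rejects it because no internal host requested it.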
Firewall Implementation

Screened host firewall: one packet filtering router, one bastion host

Dual homed firewall: one packet filtering router; one bastion host with two network interface cards; most restrictive form of screened host firewall

Screened subnet firewall (*most secure): two packet filtering routers; one bastion host
For Confidentiality & Authenticity: hash-encrypt using sender's private key; message-encrypt using receiver's public key

For Confidentiality & Authenticity & Integrity: hash-encrypt using sender's private key; message-encrypt using receiver's public key

Digital signature:

Encrypt by sender's private key and decrypt by sender's public key

-uses both hash and encryption

-ensures authentication, integrity and non-repudiation

-won't ensure confidentiality

Non-repudiation: the sender cannot deny having sent the message

Classification of information assets: have an inventory of information assets->establish ownership->classification of IS resources->labelling of IS resources (who can access)

Telecommunication network:

1) Broadband network: digital transmission

2) Baseband network: shared with many other users and requires encryption of traffic but still may allow some traffic analysis by an attacker

3)

Testing

Blind testing (black box testing)
-penetration tester is not given any information and is forced to rely on publicly available information
-simulates a real attack, except the target org is aware of testing being conducted

Targeted testing (white box testing)
-penetration tester is provided with info and the target org is aware of testing activities

Double blind testing (zero knowledge testing)
-penetration tester is not given any information and the target organization is not given any warning-both parties are blind

External testing
-external penetration tester launches attacks on the target's network perimeter from outside the target network

Denial of service attack: make a resource unavailable to the users who want to use it

Spoofing: impersonation where one computer tries to take on the identity of another computer->bypass firewalls and other network security controls

Port scanning: gather information about a target before a more active attack

Man in the middle attack: active eavesdropping; the attacker intercepts a computerized conversation between two parties and then allows the conversation to continue by relaying the appropriate data to both parties while simultaneously monitoring the same data passing

Data Encryption Standard (DES): susceptible to brute force attack and has been broken publicly->no assurance that data encrypted using DES will be protected from unauthorized disclosure

Message digest 5 (MD5): generates a one way hash of data to test and verify data integrity; does not encrypt data but puts data through a mathematical process that cannot be reversed

Advanced Encryption Standard (AES): greatest assurance that data are protected

Secure Shell (SSH): encrypts data transmitted during a session, but can't encrypt data at rest, including on USB

Social engineering attack: gather sensitive information to launch an attack; can be exercised over any kind of telephony
Responsibility:

1. Information asset owner: assign criticality levels to data

2. Data custodians: implement information security, access rules to data and programs

3. Security admin: provision of physical and logical security for data

Race condition: involves the timing of two events and an action that causes one event to happen later than expected

Privilege escalation: higher level system authority is obtained by various methods

Buffer overflow: involves applications or actions that take advantage of a defect in the way an application or system uses memory. By overloading the memory storage mechanism, the system will perform in unexpected ways

Impersonation: error in identification of a privileged user

In discretionary access control, permissions are usually set by the resource owner.
In mandatory access control, permissions are set by fixed rules based on policies and cannot be overridden by users.

Electromagnetic emission (electromagnetic radiation)

->low risk to health
->won't damage or erase nearby storage media
->can be detected and displayed->unauthorized person gets access to data

Social engineering: no use of computer tools; info will be revealed in different situations, e.g. an interview; usually does not require physical presence of the intruder

Sniffer: computer tool to monitor the traffic in a network

Back door: computer programs left by hackers to exploit vulnerabilities

Trojan horses: pretend to supplant a real program->program is not authorized and is malicious

*False Acceptance Rate->best performance indicator
CER->overall best performance indicator
The main accuracy measures used for a biometric solution:
1. FAR->FRR->CER/EER
Biometric life cycle: enrolment, transmission and storage, verification, identification, termination
PKI
Replay->residual biometric characteristics
Mimic->faking the characteristics
Crypto->attack on cryptography or encryption
Brute force attack->sending numerous attacks
*Retina scan has the highest reliability
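Added example (not from the notes): how FAR, FRR and the crossover error rate (CER, also called EER) listed above are obtained from a biometric matcher's scores by sweeping the decision threshold. The two score lists are constructed sample data, not measurements from any real system.

```python
# Added example: FAR, FRR and CER/EER from constructed matcher scores.
# Higher score = stronger match; a sample is accepted when score >= threshold.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.70, 0.66, 0.60]   # enrolled user
IMPOSTOR = [0.15, 0.22, 0.30, 0.38, 0.45, 0.52, 0.58, 0.63, 0.68, 0.72]  # someone else


def far(threshold: float, impostor=IMPOSTOR) -> float:
    """False acceptance rate: share of impostor attempts whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: float, genuine=GENUINE) -> float:
    """False rejection rate: share of genuine attempts whose score falls below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a candidate threshold; return (threshold, rate)
    at the point where FAR and FRR are closest, i.e. the CER/EER."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (0.5, 0.68, 0.8):
        print(f"threshold {t:.2f}: FAR={far(t):.1f} FRR={frr(t):.1f}")
    print("crossover (threshold, CER):", crossover_error_rate())
```

Lowering the threshold drives FAR up and FRR down, raising it does the opposite, which is why a single figure such as the CER is used to compare systems.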

*Key difference between elliptic curve encryption vs RSA encryption = computation speed (ECE uses small keys in the ECC algorithm)

Masquerading: alters data by modifying the origin->active attack
Examples of active attack: masquerading, denial of service, email spoofing
Examples of passive attack: network analysis, traffic analysis, eavesdropping

*Security level of a private key system depends on the number of encryption key bits (key length)->the larger the number of bits, the more difficult it would be to brute force

Digital Signature vs Digital certificate


Single Sign On
-Advantages: multiple passwords not required->encourages users to select a stronger password; improves admin's ability to manage users' accounts; reduces admin overhead cost in resetting passwords due to a lower number of IT help requests; reduces time taken to log on
-Disadvantages: single authentication point for multiple apps=>risk->single point of failure; support of all major operating system environments is difficult
** acts as a single authentication point for multiple apps as well as a single point of failure
**most important control for SSO: strong implementation of password policy
Example: Kerberos
*Encapsulation: encrypt the traffic payload so that it can be securely transmitted over an insecure network

Back door: opening implanted into or left in software that enables unauthorized entry into a system
Ways to connect a private network over the internet in a small/medium org:
-VPN (best)>dedicated line (expensive)>leased line (expensive but private option)>Integrated Services Digital Network (not encrypted)
Function of VPN:
-hide information from sniffers on the internet using a tunnel->works based on encapsulation and encryption of sensitive traffic
-using tunnelling->confidentiality is ensured
Web of trust: suitable for secure communication within a small group
Kerberos authentication system: for a client to access a file server, it must pass through the key distribution centre and request a ticket with an encrypted key; the distribution centre decrypts the key and verifies the client->sends back a ticket encrypted with a secret key
*Voltage regulator->protects against short-term power fluctuations
Peer to peer computing: in peer-to-peer (P2P) networking, a group of computers are linked together with equal permissions and responsibilities for processing data. Unlike traditional client-server networking, no devices in a P2P network are designated solely to serve or to receive data.
Filtering techniques:

Heuristic (rule-based): exception rules need to be defined when a valid

Signature based: pattern matching

Bayesian (statistical): performs a frequency analysis on each word within the message and then evaluates the message as a whole->ignores a suspicious keyword if the entire message is within normal bounds

UDP (User Datagram Protocol): a communications protocol that is primarily used for establishing low-latency and loss-tolerating connections between applications on the internet. It speeds up transmissions by enabling the transfer of data before an agreement is provided by the receiving party

Dynamic Host Configuration Protocol (DHCP):
-automatically assigns IP addresses to anyone connecting to the network->with it disabled, static IP addresses must be used, and this requires either admin support or a higher level of technical skill to attach to the network and gain internet access
-suitable for all sizes of company
-does not provide IP addresses when disabled
Domain 1
-Impact: measure of the consequence (including financial loss, reputation)
-Vulnerability: lack of adequate controls, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers
-Asset: something of either tangible or intangible value worth protecting, including people
-Threat: potential cause of an unwanted incident

Threat vs Vulnerability
-Threat: external factor; not in our control; examples: fire, earthquake, malware, system failure, hacker
-Vulnerability: internal factor; can be controlled; examples: missing anti-virus, weak coding, weak access control

Probability * Impact->Risk
Threat * Vulnerability->Risk
R = P * I
R = T * V
Risk
-situation involving exposure to danger
-combination of the probability of an event and its consequences
-potential that a given threat will exploit vulnerabilities
-effect of uncertainty on objectives
Steps in risk assessment
1. Understand business environment
2. Identify critical assets
3. identify all potential risks for critical assets
4. prioritize risks in order of criticality
5. evaluate control mechanism available
6. apply relevant controls
Types of risk
1. Inherent risk: risk before controls
2. residual risk: risk after controls
3. control risk: ineffective controls (risk that a misstatement could occur but may not be
detected/prevented by entity’s internal control mechanism)
4. detection risk: ineffective audit
5. audit risk: Inherent risk+control risk +detection risk

Compliance testing vs Substantive testing

Compliance testing:
-test of controls
-tests the org's compliance with controls
-checks presence of controls
-examples: verify configuration of router for controls; review of system access rights; review of firewall settings; review compliance with password policy

Substantive testing:
-test of transactions
-evaluates integrity of data, transactions or other information
-checks integrity of contents
-examples: conduct bank confirmation to test ending cash balances; observe period end counting of inventory; *review of trial balance, P&L, transactions

* compliance testing first, then substantive testing
*outcome/result of compliance testing will form the basis for planning of substantive testing
*attribute sampling method (either control is present or absent) is useful when testing for compliance
-when internal controls are strong, a lower confidence coefficient can be adopted->enables the use of a smaller sample size
-the very first step in reviewing an org's IT strategic plan is to review/understand the business plan
-IT process should be aligned as per business requirements
*not alignment of business process per IT requirements
Enterprise requirements are the basis for security requirements
IT strategy is derived
-In any given scenario, IT alignment with business objectives can be best assured by involvement of top management. Top management, who are very well aware of business objectives, can derive maximum benefit from information systems by way of structured alignment
Audit Charter
-approved by the highest level of management
-written document
-defines roles and responsibilities of the audit function
SHOULD NOT BE
-dynamic in nature (should not be changed too often)
-include detailed yearly audit calendar, audit planning, resources allocation
-include aspects like professional fees payable, travel expenses budget for auditors
-Threat is what an organization is defending itself against, e.g. a DoS attack.
-Vulnerabilities are the gaps or weaknesses that undermine an organization's IT security efforts, e.g. a firewall flaw that lets hackers into a network.
-Risk refers to the calculated assessment of potential threats to an organization's security and vulnerabilities within its network and information systems.

Control self assessment requires broad stakeholder involvement->emphasizes management of and accountability for developing and monitoring the controls of an org's business processes; includes empowered employees, continuous improvement, extensive employee participation and training
-Generalized audit software (GAS): data analytic tool that can be used to filter large amounts of data
-Regression tests: test new versions of software to ensure that previous changes and functionality are not inadvertently overwritten or disabled by the new changes

Software capability maturity model (CMM)
-level 5: continuous improvement
-level 4 and below: quantitative quality goals
-level 3 and below: documented process
-level 2 or below: process tailored to specific projects
Enterprise architecture:
-ensures technology investments are consistent with platform, data and development standards of the IT organization
-defines both current and future state in areas such as the use of standard platforms, databases or programming languages
LAN (local area network) admin:
-should not have programming responsibilities
-may have end user responsibilities
Balanced scorecard
-specifying and measuring the attainment of strategic results
-measures the delivery of effective and efficient services
*Outsourcing contract of IT facilities should specify who owns the intellectual property (information being processed, application programs)
Information security governance: provides four basic outcomes: strategic alignment, value delivery, risk management, performance measurement
Strategic alignment: provides input for security requirements driven by enterprise requirements
Risk acceptance levels are set by senior management, not by IT management
Having a top-down approach to the development of operational policies: ensures consistency across the organization
Cross training: process of training more than one person to perform a specific job->assess the risk of any person knowing all parts of a system and the related potential exposures related to abuse of privilege; helps reduce dependence on a single person; assists in succession planning
IT balanced scorecard: provides a bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate

Overall quantitative risk for a particular threat = product of the likelihood and the magnitude of the impact should a threat successfully exploit a vulnerability
Fidelity insurance: covers loss arising from dishonest or fraudulent acts by employees
Errors and omissions: legal liability protection where a professional practitioner commits an act that results in financial loss to a client
Extra expenses: covers the extra cost of continuing operations following a disaster/disruption
For BCP, in order to evaluate effectiveness->best to review results from previous tests
For BCP, in order to evaluate adequacy->review plans and compare with appropriate standards and results of tests
For BCP, in order to evaluate clarity and simplicity->interview key stakeholders, check if they understand their roles and responsibilities

**BCP should be activated based on the duration of the outage


Risk appetite: level of risk an org is prepared to accept

Tabletop exercises are discussion-based sessions where team members meet in an informal, classroom setting to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator guides participants through a discussion of one or more scenarios.
Benefit of control self assessment: business management becomes more aware of the importance of internal control and their responsibility in terms of corporate governance

Full operational test: conducted after paper and preparedness tests; quite expensive
Preparedness test: tests the adequacy of the preparedness of local operations
Paper test: structured walkthrough of the disaster recovery plan; should be conducted before the preparedness test
Regression test: not a test in disaster recovery planning; used in software development and maintenance
Disaster recovery planning: technological aspect of BCP that focuses on IT systems and operations
Implementation of DRP will increase the cost
BCP Process: complete business impact analysis->develop recovery strategy->develop plan->test and maintain the plan->implement the plan

Enterprise’s risk appetite is established by steering committee


Audit tools:
1. System Control Review Audit File/embedded audit management
-inbuilt audit software
-used when regular processing cannot be interrupted
-records only those transactions which are of special audit significance, such as transactions above a specified value
2. Audit Hooks:
-when selected transactions need to be examined
-helps in early detection of error/fraud
-criteria for suspicious transactions are designed (eg. Capture cash transaction>10000)
3. Integrated Test Facility
-dummy entities are created in live production environment
-no need to create separate test environment, need to isolate test data from actual
production data
-verify system processing (check the logic of the system)
4. continuous intermittent simulation
-used with dbms
-best when transaction meeting certain criteria needs to be examined
-determine whether any discrepancies exist between the results it produces and those the
application system produces
-simulates the application system processing
5. Snapshot
-used with audit trail

Domain 3
Unit testing (individual program or module)->integrated testing (accurate flow of information between two modules)->system testing (full-fledged test, e.g. stress test, load test, volume test)->final acceptance testing (QAT & UAT)

Unit test
-test of individual program or module
-test done during development stage
-white box is applied (test of internal program logic)
Integrated testing
-test of connection of two or more modules
-perform testing on architectural design

Vouching: inspection of documentary evidence supporting and substantiating a transaction, by an auditor.
Hardware or software test that evaluates the connection of two or more components that pass information from one area to another->key word is "interact"
Stress test: use live data in a test environment
Regression testing:
-ensure changes or corrections in a program have not introduced any new errors
-data used for regression testing should be the same as data used in the previous test
Sociability testing:
-ability to have companionship with others (adapt to the existing environment)
-ensure a new or modified system can work in the specified environment without adversely impacting the existing system
Pilot testing:
-takes place first at one location to review the performance->see if the new system operates satisfactorily, then implement in another location
Parallel testing:
-comparing results of the old and new systems
Decision Support System:
-interactive system
-supports semi-structured decision making
Characteristics:
-supports semi-structured or less structured decisions
-uses techniques with traditional data access and retrieval functions
-flexible and adaptable in a changing environment and decision making
Risk:
-inability to specify purpose and usage pattern
Agile
-able to move quickly and easily
-less importance is placed on formal paper based deliverables
-just start writing a program without spending much time on planning
-reviews are done afterwards to identify lessons to learn
-major risk: lack of documentation (lack of testing might be an issue but documentation is more important)
Object Oriented System Development
-application is made up of smaller components
-Benefits of object oriented design and development: ability to reuse objects
Polymorphism: ability of two or more objects to interpret a message differently at execution depending upon the superclass of the calling object->the same message is interpreted differently by two or more objects
Encapsulation: one object interacts with another object; permits an enhanced degree of security over data
Prototype:
-sample or model to test a concept or process
-Prototyping: process of creating systems through controlled trial and error
Benefits: provides the organization with significant time and cost savings
Risk: by focusing mainly on what the user wants and sees, developers may miss some of the controls that come from the traditional systems development approach; the finished system will have poor controls
Rapid Application Development
-use of small and well trained development teams, prototypes, tools to support modelling, prototyping and component reusability, a central repository, rigid limits on development time frames
-enables the org to develop systems quickly while reducing development cost and maintaining quality
Advantage: significant cost and time savings
Most effective testing method for a prototype: top down approach
Approach used by RAD to meet changing business or user requirements: prototype approach
*in prototyping, changes in designs and requirements occur quickly and are seldom documented or approved; hence change control becomes more complicated with prototyped systems

Gantt chart: prioritization requirement, but not as effective as program evaluation review technique (PERT)

Earned value analysis (EVA): tracks project cost vs project deliverables

Program evaluation review technique (PERT): works on the principle of obtaining project time lines based on project events for three likely scenarios (worst, best, normal); the time line is calculated by a predefined formula and identifies the critical path, which identifies the key activities that must be prioritized

Function point analysis: measures the complexity of input and output and does not help to prioritize project activities

A3-177
Project sponsor is the owner of the project->most appropriate person to ask whether the business requirements defined as part of the project objectives have been met
Project manager organizes and ensures the direction of the project aligns with the overall direction, complies with standards and monitors project milestones
Scope creep
Check digit: use a set formula to calculate one number->prevent transposition errors

Project security officer: ensures system controls are in place

White box testing: assesses effectiveness of program logic
