Section: The process of Auditing Information System

Section: Protection of Information Assets
Explanation:
A best practice would be to conduct a paper test. Senior management sponsorship and business needs
identification should have been obtained prior to implementing the plan. A paper test should be conducted
first, followed by system or full testing.

Section: Protection of Information Assets
Explanation:
There is no attempt on the part of the investment advisor to prove their identity or to keep the newsletter
confidential. The objective is to assure the receivers that it came to them without any modification, i.e., it
has message integrity. Choice A is correct because the hash is encrypted using the advisor's private key.
The recipients can open the newsletter, recompute the hash and decrypt the received hash using the
advisor's public key. If the two hashes are equal, the newsletter was not modified in transit. Choice B is not
feasible, for no one other than the investment advisor can open it. Choice C addresses sender
authentication but not message integrity. Choice D addresses confidentiality, but not message integrity,
because anyone can obtain the investment advisor's public key, decrypt the newsletter, modify it and send
it to others. The interceptor will not be able to use the advisor's private key, because they do not have it.
Anything encrypted using the interceptor's private key can be decrypted by the receiver only by using their
public key.

Section: Information System Acquisition, Development and Implementation

Section: Protection of Information Assets
Explanation:
The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. Choices A, B and C are more detailed than that which should be included in a policy.