Paper - 6: Information Systems Control and Audit Questions Concepts of Governance and Management of Information Systems
QUESTIONS
Concepts of Governance and Management of Information Systems
1. (a) What is Governance of Enterprise IT (GEIT)? Explain its key benefits in brief.
(b) Discuss key management practices for implementing risk management.
2. Discuss the areas, which should be reviewed by Internal Auditors as a part of the review
of Governance, Risk and Compliance (GRC).
3. Discuss the key management practices for assessing and evaluating the system of
Internal Controls in an enterprise in detail.
Information Systems Concepts
4. What do you understand by Transaction Processing System (TPS)? Briefly discuss the
key activities involved in a TPS.
5. (a) Briefly discuss major misconceptions about Management Information System (MIS).
(b) ‘There are various constraints, which come in the way of operating an MIS’. Explain
any four such constraints in brief.
6. What is an Executive Information System (EIS)? Explain major characteristics of an EIS.
Protection of Information Systems
7. (a) What are the key components of a good Security Policy? Explain in brief.
(b) Discuss five interrelated components of Internal Controls.
8. What do you understand by Boundary Controls? Explain major boundary control
techniques in brief.
9. (a) Briefly explain major Data Integrity Policies.
(b) What do you understand by Asynchronous Attacks? Explain various forms of
asynchronous attacks in brief.
Business Continuity Planning and Disaster Recovery Planning
10. (a) Discuss the objectives of Business Continuity Planning (BCP).
(b) While developing a Business Continuity Plan, what are the key tasks that should be
covered in the second phase ‘Vulnerability Assessment and General definition of
Requirement’?
11. (a) Discuss the maintenance tasks undertaken in the development of a BCP in brief.
(b) A company has decided to outsource its recovery process to a third party site. What
are the issues that should be considered by the security administrators while
process. It is observed that its students are facing problems regarding their routine work
and queries due to this manual process. In addition, they are required to visit the Institute
physically even for very small tasks. In view of these aforementioned facts, the Controller
of Examinations decided to launch a web based Portal to facilitate the students of
different courses. It is proposed to upload the examination forms, admit cards, results
etc. of various courses on this Portal. It is expected that the portal will be very useful for
the students as it aims to provide the access of various examination related resources on
anytime anywhere basis. For the implementation of this project, a technical consultant
was appointed by the Institute. Accordingly, an initial feasibility study under various
dimensions was done and a detailed report was submitted. As a next step, as per the
recommendations of the consultant, an expression of interest was published by the
Institute in various national/regional newspapers inviting organizations to showcase their
capabilities and suggest a good solution as per the requirements of the examination
department of the Institute.
Read the above carefully and answer the following:
(a) What are three major attributes of information security? Out of these attributes,
which attribute will have the highest priority while developing the web based
examination portal?
(b) In your opinion, what may be the possible dimensions under which the feasibility
study of the proposed Portal was done?
(c) What may be the major validation methods for validating the vendors’ proposal for
developing the Portal?
25. XYZ Group is in the process of launching a new business unit to provide various
technical consultancy services to the organizations worldwide to assist them in the
computerization of their business modules. It involves a number of activities starting from
capturing of requirements to maintenance. Business continuity and disaster recovery
planning are two key activities, which must be taken care of right from the beginning.
Business continuity focuses on maintaining the operations of an organization, especially
the IT infrastructure in face of a threat that has materialized. Disaster recovery, on the
other hand, arises mostly when business continuity plan fails to maintain operations and
there is a service disruption. This plan focuses on restarting the operations using a
prioritized resumption list. But both the plans must be assessed regarding their
performance on a periodic basis.
Read the above carefully and answer the following:
(a) What are the issues, which are emphasized by the methodology for developing a
Business Continuity Plan?
(b) Explain the objectives of performing Business Continuity Planning tests.
(c) Out of various backup options available, explain Incremental Backup in brief.
• Scope: The internal audit activity must evaluate and contribute to the improvement
of governance, risk management, and control processes using a systematic and
disciplined approach.
• Governance: The internal audit activity must assess and make appropriate
recommendations for improving the governance process in its accomplishment of
the following objectives:
♦ Promoting appropriate ethics and values within the organization;
♦ Ensuring effective organizational performance management and
accountability;
♦ Communicating risk and control information to appropriate areas of the
organization; and
♦ Coordinating the activities of and communicating information among the board,
external and internal auditors, and management.
• Evaluate Enterprise Ethics: The internal audit activity must evaluate the design,
implementation, and effectiveness of the organization’s ethics related objectives,
programs, and activities. The internal audit activity must assess whether the
information technology governance of the organization supports the organization’s
strategies and objectives.
• Risk Management: The internal audit activity must evaluate the effectiveness and
contribute to the improvement of risk management processes.
• Interpretation: The internal audit activity must determine whether risk management
processes are effective in a judgment resulting from the internal auditor’s
assessment that:
♦ Organizational objectives support and align with the organization’s mission;
♦ Significant risks are identified and assessed;
♦ Appropriate risk responses are selected that align risks with the organization’s
risk appetite; and
♦ Relevant risk information is captured and communicated in a timely manner
across the organization, enabling staff, management, and the board to carry
out their responsibilities.
• Risk Management Process: The internal audit activity may gather the information
to support this assessment during multiple engagements. The results of these
engagements, when viewed together, provide an understanding of the
organization’s risk management processes and their effectiveness. Risk
management processes are monitored through on-going management activities,
separate evaluations, or both.
• Evaluate Risk Exposures: The internal audit activity must evaluate risk exposures
relating to the organization’s governance, operations, and information systems
regarding the:
♦ Achievement of the organization’s strategic objectives;
♦ Reliability and integrity of financial and operational information;
♦ Effectiveness and efficiency of operations and programs;
♦ Safeguarding of assets; and
♦ Compliance with laws, regulations, policies, procedures, and contracts.
• Evaluate Fraud and Fraud Risk: The internal audit activity must evaluate the
potential for the occurrence of fraud and how the organization manages fraud risk.
• Address Adequacy of Risk Management Process: During consulting
engagements, internal auditors must address risk consistent with the engagement’s
objectives and be alert to the existence of other significant risks. Internal auditors
must incorporate knowledge of risks gained from consulting engagements into their
evaluation of the organization’s risk management processes. When assisting
management in establishing or improving risk management processes, internal
auditors must refrain from assuming any management responsibility by actually
managing risks.
3. The key management practices for assessing and evaluating the system of internal
controls in an enterprise are given as follows:
• Monitor Internal Controls: Continuously monitor, benchmark and improve the IT
control environment and control framework to meet organizational objectives.
• Review Business Process Controls Effectiveness: Review the operation of
controls, including a review of monitoring and test evidence to ensure that controls
within business processes operate effectively. It also includes activities to maintain
evidence of the effective operation of controls through mechanisms such as periodic
testing of controls, continuous controls monitoring, independent assessments,
command and control centres, and network operations centres. This provides the
business with the assurance of control effectiveness to meet requirements related
to business, regulatory and social responsibilities.
• Perform Control Self-assessments: Encourage management and process owners
to take positive ownership of control improvement through a continuing program of
self-assessment to evaluate the completeness and effectiveness of management’s
control over processes, policies and contracts.
• Identify and Report Control Deficiencies: Identify control deficiencies and
analyze and identify their underlying root causes. Escalate control deficiencies and
report to stakeholders.
• Ensure that assurance providers are independent and qualified: Ensure that
the entities performing assurance are independent from the function, groups or
organizations in scope. The entities performing assurance should demonstrate an
appropriate attitude and appearance, competence in the skills and knowledge
necessary to perform assurance, and adherence to codes of ethics and professional
standards.
• Plan Assurance Initiatives: Plan assurance initiatives based on enterprise
objectives and conformance objectives, assurance objectives and strategic
priorities, inherent risk, resource constraints, and sufficient knowledge of the
enterprise.
• Scope assurance initiatives: Define and agree with management on the scope of
the assurance initiative, based on the assurance objectives.
• Execute assurance initiatives: Execute the planned assurance initiative. Report
on identified findings. Provide positive assurance opinions, where appropriate, and
recommendations for improvement relating to identified operational performance,
external compliance and internal control system residual risks.
4. Transaction Processing System (TPS): At the lowest level of management, TPS is an
information system that manipulates data from business transactions. Any business
activity such as sales, purchase, production, delivery, payments or receipts involves
transaction and these transactions are to be organized and manipulated to generate
various information products for internal and external use. For example, selling of a
product to a customer will give rise to the need of further information like customer
billing, inventory status and increase in account receivable balance. TPS will thus record
and manipulate transaction data into usable information.
Major activities involved in a TPS are given as follows:
• Capturing data and organizing in files or databases;
• Processing files/databases using application software;
• Generating information in the form of reports; and
• Processing queries from various quarters of the organization.
5. (a) Following are the major misconceptions about Management Information System
(MIS):
♦ Any computer based information system is a MIS.
♦ Any reporting system is MIS.
♦ MIS is a management technique.
♦ MIS is a bunch of technologies.
[Figure: Wire Tapping. Hacker observes message and reads contents from B; Mr. A and Mr. B are connected through the Internet/Communication Facility.]
(iii) Piggybacking: This is the act of following an authorized person through a secured
door or electronically attaching to an authorized telecommunication link that
intercepts and alters transmissions. This involves intercepting communication
between the operating system and the user and modifying them or substituting new
messages. A special terminal is tapped into the communication for this purpose.
[Figure: Piggybacking. Hacker, Mr. A and Mr. B are connected through the Internet/Communication Facility.]
(iv) Shutting Down of the Computer/Denial of Service: This is initiated through
terminals or microcomputers that are directly or indirectly connected to the
computer. Individuals who know the high-level system's log-on ID initiate the shutting
down process. The security measure will function effectively if there are appropriate
access controls on logging on through a telecommunication network. When
overloading happens, some systems have proved to be vulnerable to shutting
themselves down. Hackers use this technique to shut down computer systems over the
Internet.
[Figure: Denial of Service. Hacker disrupts service provided by server; Mr. B and the Server are connected through the Internet/Communication Facility.]
10. (a) Objectives of Business Continuity Planning (BCP): The primary objective of
Business Continuity Planning is to enable an organization to survive a disaster and
to re-establish normal business operations. In order to survive, the organization
must assure that critical operations can resume normal processing within a
reasonable time frame. The key objectives of the contingency plan should be to:
♦ Provide for the safety and well-being of people on the premises at the time of
disaster;
♦ Continue critical business operations;
♦ Minimise the duration of a serious disruption to operations and resources (both
information processing and other resources);
♦ Minimise immediate damage and losses;
♦ Establish management succession and emergency powers;
♦ Facilitate effective co-ordination of recovery tasks;
♦ Reduce the complexity of the recovery effort;
(b) While developing a Business Continuity Plan, the key tasks that should be covered
in the second phase ‘Vulnerability Assessment and General definition of
Requirement’ are given as follows:
♦ A thorough Security Assessment of the computing and communications
environment including personnel practices; physical security; operating
procedures; backup and contingency planning; systems development and
maintenance; database security; data and voice communications security;
systems and access control software security; insurance; security planning and
administration; application controls; and personal computers.
♦ The Security Assessment will enable the project team to improve any existing
emergency plans and disaster prevention measures and to implement required
emergency plans and disaster prevention measures where none exist.
♦ Present findings and recommendations resulting from the activities of the
Security Assessment to the Steering Committee so that corrective actions can
be initiated in a timely manner.
♦ Define the scope of the planning effort.
♦ Analyze, recommend and purchase recovery planning and maintenance
software required to support the development of the plans and to maintain the
plans current following implementation.
♦ Develop a Plan Framework.
11. (a) Major maintenance tasks undertaken in development of a BCP are to:
♦ Determine the ownership and responsibility for maintaining the various BCP
strategies within the enterprise;
♦ Identify the BCP maintenance triggers to ensure that any organizational,
operational, and structural changes are communicated to the personnel who
are accountable for ensuring that the plan remains up-to-date;
(i) User Related Issues: It refers to those issues where user/customer is reckoned as
the primary agent. Some of the aspects with regard to this problem are mentioned
as follows:
♦ Shifting User Needs: User requirements for IT are constantly changing. As
these changes accelerate, there will be more requests for Information systems
development and more development projects. When these changes occur
during a development process, the development team faces the challenge of
developing systems whose very purpose might change after the development
process began.
♦ Resistance to Change: People have a natural tendency to resist change, and
information systems development projects signal changes - often radical - in
the workplace. When personnel perceive that the project will result in
personnel cutbacks, threatened personnel will dig in their heels, and the
development project is doomed to failure.
♦ Lack of User Participation: Often users do not participate in the development
stage because they are preoccupied with their existing work, or do not
understand the benefits of the new system. User apathy ‘I have nothing to gain
if I participate’ is also a reason.
♦ Inadequate Testing and User Training: Often systems are not tested due to
lack of time and rush to introduce the new system or because problems were
not envisaged at the development stage. Inadequate user training may be a
result of poor project planning, or lack of training techniques, or because user
management does not release personnel for training due to operational
pressure.
(ii) Developer Related Issues: It refers to the issues and challenges with regard to
developers. Some of the critical bottlenecks are mentioned below:
♦ Methodologies: Some organizations do not formalize their project
management and system development methodologies, thereby making it very
difficult to consistently complete projects on time or within budget.
♦ Overworked or Under-Trained Development Staff: In many cases, system
developers lack sufficient educational background and requisite state of the art
skills. Furthermore, many companies do little to help their development
personnel stay technically sound, and often a training plan and training budget
do not exist.
(iii) Management Related Issues: It refers to the bottlenecks with regard to
organizational set up, administrative and overall management to accomplish the
system development goals. Some of such bottlenecks are mentioned as follows:
20. (a) Major steps, which can be followed for Green IT, are given as follows.
♦ Power-down the CPU and all peripherals during extended periods of inactivity.
♦ Try to do computer-related tasks during contiguous, intensive blocks of time,
switching off hardware at other times.
♦ Power-up and power-down energy-intensive peripherals such as laser printers
according to need.
♦ Use Liquid Crystal Display (LCD) monitors rather than Cathode Ray Tube
(CRT) monitors.
♦ Use notebook computers rather than desktop computers whenever possible.
♦ Use the power-management features to turn off hard drives and displays after
several minutes of inactivity.
♦ Minimize the use of paper and properly recycle waste paper.
♦ Dispose of e-waste according to central, state and local regulations.
♦ Employ alternative energy sources for computing workstations, servers,
networks and data centers.
(b) Four challenges to Cloud Computing are given as follows:
♦ Confidentiality: Prevention of unauthorized disclosure of data is referred to as
Confidentiality. Normally, Cloud works on public networks; therefore, there is a
requirement to keep the data confidential from unauthorized entities. With the
use of encryption and physical isolation, data can be kept secret. The basic
approach to attain confidentiality is to encrypt the data before placing
it in a Cloud with the use of TC3 (Total Claim Capture & Control).
♦ Integrity: Integrity refers to the prevention of unauthorized modification of data
and it ensures that data is of high quality, correct, consistent and accessible.
After moving the data to the cloud, owner hopes that their data and
applications are secure. It should be ensured that the data is not changed after
being moved to the cloud. It is important to verify if one’s data has been
tampered with or deleted. Strong data integrity is the basis of all the service
models such as Software as a Service (SaaS), Platform as a Service (PaaS)
and Infrastructure as a Service (IaaS). Methods like Digital Signature,
Redundant Array of Independent Disks (RAID) strategies etc. are some ways
to preserve integrity in Cloud computing. The most direct way to enforce
integrity control is to employ a cryptographic hash function. For example, a
solution for authenticated network storage has been developed using a hash
tree as the underlying data structure.
♦ Availability: Availability refers to the prevention of unauthorized withholding of
data and it ensures the data backup through Business Continuity Planning
(c) Test Plan under BCP & DRP: The final component of a Disaster Recovery Plan
(DRP) is a test plan. The purpose of the test plan is to identify deficiencies in the
emergency, backup, or recovery plans or in the preparedness of an organization
and its personnel for facing a disaster. It must enable a range of disasters to be
simulated and specify the criteria by which the emergency, backup, and recovery
plans can be deemed satisfactory. Periodically, test plans must be invoked.
Unfortunately, top managers are often unwilling to carry out a test because daily
operations are disrupted. They also fear a real disaster could arise as a result of the
test procedures.
(d) Audit Hooks: These are audit routines that flag suspicious transactions. For
example, internal auditors at an insurance company determined that their policyholder
system was vulnerable to fraud every time a policyholder changed his or her name
or address and then subsequently withdrew funds from the policy. They devised a
system of audit hooks to tag records with a name or address change. The internal
audit department will investigate these tagged records for detecting fraud. When
audit hooks are employed, auditors can be informed of questionable transactions as
soon as they occur. This approach of real-time notification may display a message
on the auditor’s terminal.
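The audit hook described above, sketched as an added example that is not part of the original paper: a routine in the transaction path tags a policy on a name or address change and alerts when a withdrawal follows. The record layout, event names, sample transactions and the 30-day review window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

IDENTITY_CHANGES = {"NAME_CHANGE", "ADDRESS_CHANGE"}


@dataclass(frozen=True)
class Txn:
    ts: datetime
    policy_id: str
    kind: str            # NAME_CHANGE, ADDRESS_CHANGE, WITHDRAWAL, PREMIUM
    amount: float = 0.0


@dataclass(frozen=True)
class Alert:
    policy_id: str
    change_kind: str
    changed_at: datetime
    withdrawn_at: datetime
    amount: float


class AuditHook:
    """Called once per transaction as it is processed (real-time hook)."""

    def __init__(self, window_days=30):
        # Assumption: a withdrawal is suspicious only within this window.
        self.window = timedelta(days=window_days)
        self.tags = {}       # policy_id -> most recent identity-change Txn
        self.alerts = []     # what would be shown on the auditor's terminal

    def on_transaction(self, txn: Txn) -> Optional[Alert]:
        if txn.kind in IDENTITY_CHANGES:
            self.tags[txn.policy_id] = txn      # tag the record
            return None
        if txn.kind != "WITHDRAWAL":
            return None
        tag = self.tags.get(txn.policy_id)
        # Untagged policy, or the change is too old to be related.
        if tag is None or txn.ts - tag.ts > self.window:
            return None
        alert = Alert(txn.policy_id, tag.kind, tag.ts, txn.ts, txn.amount)
        self.alerts.append(alert)
        return alert


def run_hooks(txns, window_days=30):
    """Feed transactions to the hook in time order and return the hook."""
    hook = AuditHook(window_days)
    for txn in sorted(txns, key=lambda t: t.ts):
        hook.on_transaction(txn)
    return hook


# Constructed sample transactions (not real data).
SAMPLE = [
    Txn(datetime(2024, 3, 1), "P-1001", "ADDRESS_CHANGE"),
    Txn(datetime(2024, 3, 5), "P-1001", "WITHDRAWAL", 5000.0),   # flagged
    Txn(datetime(2024, 3, 20), "P-1001", "WITHDRAWAL", 1200.0),  # flagged
    Txn(datetime(2024, 3, 2), "P-1002", "WITHDRAWAL", 800.0),    # before change
    Txn(datetime(2024, 3, 10), "P-1002", "NAME_CHANGE"),
    Txn(datetime(2024, 1, 1), "P-1003", "NAME_CHANGE"),
    Txn(datetime(2024, 3, 15), "P-1003", "WITHDRAWAL", 900.0),   # outside window
    Txn(datetime(2024, 3, 3), "P-1004", "PREMIUM", 250.0),
]

if __name__ == "__main__":
    for a in run_hooks(SAMPLE).alerts:
        print(f"ALERT {a.policy_id}: {a.change_kind} on {a.changed_at:%Y-%m-%d}, "
              f"withdrawal of {a.amount:.2f} on {a.withdrawn_at:%Y-%m-%d}")
```

Tagged policies that raise no alert (P-1002 and P-1003 here) remain in `tags`, so they are still available for the internal audit department's later review.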
22. (a) Black Box Testing: Black Box Testing takes an external perspective of the test
object, to derive test cases. These tests can be functional or non-functional, though
usually functional. The test engineer has no prior knowledge of the test object’s
internal structure. The test designer selects typical inputs including simple, extreme,
valid and invalid input-cases and executes to obtain assurance or uncover errors.
This method of test design is applicable to all levels of software testing i.e. unit,
integration, functional testing, system and acceptance. The higher the level, the box
is bigger and more complex, and the more one is forced to use black box testing to
simplify. While this method can uncover unimplemented parts of the specification,
one cannot be sure that all existent paths are tested. If a module performs a
function, which it is not supposed to, the black box test may not identify it.
White Box Testing: It uses an internal perspective of the system to design test
cases based on internal structure. It requires programming skills to identify all paths
through the software. The tester chooses test case inputs to exercise paths through
the code and determines the appropriate outputs. Since the tests are based on the
actual implementation, if the implementation changes, the tests probably will need
to change, too. Although it is applicable at the unit, integration and system levels of the
testing process, it is typically applied to the unit. While it normally tests paths within
a unit, it can also test paths between units during integration, and between
subsystems during a system level test. After obtaining a clear picture of the internal
workings of a product, tests can be conducted to ensure that the internal operation
of the product conforms to specifications and all the internal components are
adequately exercised.
(b) Differential Backup: A differential backup stores files that have changed since the
last full backup. Therefore, if a file is changed after the previous full backup, a
differential backup takes less time to complete than a full backup. Compared with
full backup, differential backup is obviously faster and more economical in using the
backup space, as only the files that have changed since the last full backup are
saved.
Restoring from a differential backup is a two-step operation: Restoring from the last
full backup; and then restoring the appropriate differential backup. The downside to
using differential backup is that each differential backup probably includes files that
were already included in earlier differential backups.
Full Backup: A full backup captures all files on the disk or within the folder selected
for backup. With a full backup system, every backup generation contains every file
in the backup set. However, the amount of time and space such a backup takes
prevents it from being a realistic proposition for backing up a large amount of data.
(c) Structured English: Structured English, also known as Program Design Language
(PDL), is the use of the English language with the syntax of structured
programming. Thus, Structured English aims at getting the benefits of both
programming logic and natural language: program logic helps to attain
precision, and natural language provides the convenience of spoken
languages. A better structured, universal and precise tool is referred to as pseudo
code.
Flowchart: Flowcharting is a pictorial representation technique that can be used by
analysts to represent the inputs, outputs and processes of a business process. It is
a common type of chart that represents an algorithm or process showing the steps
as boxes of various kinds, and their order by connecting these with arrows.
Flowcharts are used in analyzing, designing, documenting or managing a process
or program in various fields.
23. (a) System Requirements Analysis is a phase, which includes a thorough and detailed
understanding of the current system, identification of the areas that need
modification/s to solve the problem, the determination of user/managerial
requirements and to have fair ideas about various system development tools.
The following activities are performed in this phase:
♦ To identify and consult the stake owners to determine their expectations and
resolve their conflicts;
♦ To analyze requirements to detect and correct conflicts and determine
priorities;
♦ To verify requirements in terms of various parameters like completeness,
consistency, unambiguity, verifiability, modifiability, testability and traceability;
♦ The team does not have to invest time and efforts and finally find that by the
time they delivered the product, the requirement of the customer has changed.
♦ Face to face communication and continuous inputs from the customer
representative leave little space for guesswork.
♦ The documentation is crisp and to the point to save time.
♦ The end result is generally high quality software in the least possible time
and a satisfied customer.
24. (a) The three major attributes of information security (CIA) are as follows:
♦ Confidentiality: Prevention of the unauthorized disclosure of information;
♦ Integrity: Prevention of the unauthorized modification of information; and
♦ Availability: Prevention of the unauthorized withholding of information.
In the given scenario, Integrity will have the highest priority while developing the
web based examination portal because in any examination system, the prime goal
should be to make available the correct information only. It should not be altered or
modified by any unauthorized person/s.
(b) The possible dimensions under which the feasibility study of the proposed Portal
was done are given as follows:
♦ Technical: Is the technology needed available?
♦ Financial: Is the solution viable financially?
♦ Economic: Return on Investment?
♦ Schedule/Time: Can the system be delivered on time?
♦ Resources: Are human resources reluctant for the solution?
♦ Operational: How will the solution work?
♦ Behavioural: Is the solution going to bring any adverse effect on quality of
work life?
♦ Legal: Is the solution valid in legal terms?
(c) Major validation methods of validating the vendors’ proposal for developing the
Knowledge Portal are as follows:
(i) Checklists: It is the most simple and rather subjective method for validation
and evaluation. The various criteria are put into checklists in the form of
suitable questions against which the responses of the various vendors are
validated. For example, Support Service Checklists may have parameters like
Performance, System development, Maintenance, Conversion, Training,
Back-up, Proximity, Hardware, Software.
(ii) Point-Scoring Analysis: Point-scoring analysis provides an objective means
of selecting the final system. There are no absolute rules in the selection
process, only guidelines for matching user needs with software capabilities.
Evaluators must consider such issues as the University’s needs to operate and
maintain the portal, vendor reputations, software costs, user-friendliness for
students (who are the customers in this case), and so forth.
(iii) Public Evaluation Reports: Several consultancy agencies compare and
contrast the hardware and software performance for various manufacturers
and publish their reports in this regard. This method has been frequently and
usefully employed by several buyers in the past. For those criteria where
published reports are not available, however, resort would have to be made to
other methods of validation. This method is particularly useful where the
buying staff has inadequate knowledge of facts. E.g. Public reports by
agencies like Gartner’s magic quadrant on systems used by other universities
offering online courses may be considered.
(iv) Benchmarking Problem for Vendor’s Proposals: Benchmarking problems
for vendors’ proposals are sample programs that represent at least a part of
the buyer’s primary computer work load and include software considerations
and can be current applications programs or new programs that have been
designed to represent planned processing needs. E.g. develop a set of sample
requirements of a student and see whether the proposed system is able to
effectively and efficiently deliver them. That is, benchmarking problems are
oriented towards testing whether a computer system offered by the vendor
meets the requirements of the buyer.
(v) Test Problems: Test problems disregard the actual job mix and are devised to
test the true capabilities of the hardware, software or system. For example,
test problems may be developed to evaluate the time required to download
e-lectures (which are large sized files) by students, response time when a large
number of students log in at the same time, overhead requirements of the
operating system in executing multiple user requests, length of time required to
execute an instruction, etc. The results achieved by the machine can be
compared and a price-performance judgment can be made. It must be borne in
mind, however, that the various capabilities to be tested would have to be assigned
relative weightage as all requirements may not be equally important.
25. (a) The methodology for developing a Business Continuity Plan emphasizes the
following:
(i) Providing management with a comprehensive understanding of the total efforts
required to develop and maintain an effective recovery plan;
(ii) Obtaining commitment from appropriate management to support and
participate in the effort;
(iii) Defining recovery requirements from the perspective of business functions;
(iv) Documenting the impact of an extended loss to operations and key business
functions;
(v) Focusing appropriately on disaster prevention and impact minimization, as well
as orderly recovery;
(vi) Selecting business continuity teams that ensure the proper balance required
for plan development;
(vii) Developing a business continuity plan that is understandable, easy to use and
maintain;
(viii) Planning the testing of plans in a systematic manner and measuring results of
such tests; and
(ix) Defining how business continuity considerations must be integrated into
ongoing business planning and system development processes in order that
the plan remains viable over time.
(b) The objectives of performing BCP tests are to ensure that:
♦ the recovery procedures are complete and workable;
♦ the competence of personnel in their performance of recovery procedures can
be evaluated;
♦ the resources such as business processes, IS systems, personnel, facilities
and data are obtainable and operational to perform recovery processes;
♦ manual recovery procedures and IT backup system/s are current and can
either be operational or restored; and
♦ the success or failure of business continuity training program is monitored.
(c) Incremental Backup: An Incremental Backup captures files that were created or
changed since the last backup, regardless of backup type. This is the most
economical method, as only the files that changed since the last backup are backed
up. This saves a lot of backup time and space.
Normally, incremental backups are very difficult to restore. One will have to start with
recovering the last full backup, and then recovering from every incremental backup
taken since.
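The selection rules and restore chains described in the differential and full backup answer (22(b)) and in the incremental backup answer above, as an added example that is not part of the original paper. The file names, the four-day schedule and the model of a file's version as the day it last changed are constructed for illustration; the chain logic also covers schedules that mix both backup types.

```python
from dataclasses import dataclass

KINDS = {"full", "differential", "incremental"}


@dataclass
class Backup:
    day: int
    kind: str
    contents: dict       # file name -> version (day the file last changed)


def state_on(day, changes, files):
    """True state of the disk at the end of `day`."""
    version = {f: 0 for f in files}
    for d in sorted(changes):
        if d <= day:
            for f in changes[d]:
                version[f] = d
    return version


def run_schedule(schedule, changes, files):
    """Take each scheduled backup and record which files it captures."""
    backups, last_full, last_any = [], None, None
    for day, kind in sorted(schedule):
        if kind not in KINDS:
            raise ValueError(f"unknown backup type: {kind}")
        if kind == "full":
            since = None                      # every file
        else:
            # differential: since last FULL; incremental: since last backup
            since = last_full if kind == "differential" else last_any
            if last_full is None:
                raise ValueError(f"{kind} backup on day {day} has no prior full")
        state = state_on(day, changes, files)
        contents = {f: v for f, v in state.items() if since is None or v > since}
        backups.append(Backup(day, kind, contents))
        last_any = day
        if kind == "full":
            last_full = day
    return backups


def restore_chain(backups, target_day):
    """Backups needed, in order, to rebuild the state as of target_day."""
    usable = [b for b in backups if b.day <= target_day]
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup to restore from")
    base = fulls[-1]
    later = [b for b in usable if b.day > base.day]
    chain, start = [base], base.day
    diffs = [b for b in later if b.kind == "differential"]
    if diffs:                                 # latest differential supersedes
        chain.append(diffs[-1])               # everything between it and full
        start = diffs[-1].day
    chain += [b for b in later if b.kind == "incremental" and b.day > start]
    return chain


def restore(chain):
    """Apply the chain in order; later backups overwrite earlier versions."""
    restored = {}
    for b in chain:
        restored.update(b.contents)
    return restored


# Constructed scenario: full backup on day 0, nightly backups on days 1-3.
FILES = ["a.db", "b.doc", "c.xls", "d.cfg"]
CHANGES = {1: {"a.db"}, 2: {"b.doc"}, 3: {"a.db", "c.xls"}}
DIFF_SCHEDULE = [(0, "full"), (1, "differential"), (2, "differential"), (3, "differential")]
INC_SCHEDULE = [(0, "full"), (1, "incremental"), (2, "incremental"), (3, "incremental")]


def compare(target_day=3):
    """Copies stored after the full backup, chain length and restore result."""
    truth = state_on(target_day, CHANGES, FILES)
    result = {}
    for name, schedule in (("differential", DIFF_SCHEDULE), ("incremental", INC_SCHEDULE)):
        backups = run_schedule(schedule, CHANGES, FILES)
        chain = restore_chain(backups, target_day)
        result[name] = {
            "copies_stored": sum(len(b.contents) for b in backups[1:]),
            "chain_length": len(chain),
            "restored_ok": restore(chain) == truth,
        }
    return result


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

On this schedule the differential backups store six file copies and restore from two backups, while the incremental backups store four copies and restore from four; dropping any one incremental from the chain leaves a stale file in the restored set.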