CISA Domain 2 - Governance and Management of IT


Establishing the level of acceptable risk is the responsibility of: a. quality assurance management b. senior business management c. the chief information officer d. the chief security officer

B - Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization as the senior manager of the business process. The person can also be the quality assurance (QA) manager, chief information officer (CIO) or chief security officer (CSO), but the responsibility rests with the business manager.

A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and: a. recovery b. retention c. rebuilding d. reuse

B - Besides being good practice, laws and regulations may require an organization to keep information that has an impact on the financial statements. The prevalence of lawsuits in which email communication is held in the same regard as the official form of classic paper makes the retention policy of corporate email a necessity.

The rate of change in technology increases the importance of: a. outsourcing the IT function b. implementing and enforcing sound processes c. hiring qualified personnel d. meeting user requirements

B - change control requires that sound change management processes be implemented and enforced.

What is not a goal of business continuity planning? a. ensure the protection of lives b. ensure critical data is backed up c. provide an immediate response to an emergency d. ensure the business can continue critical business functions in the event of a disaster

B. Ensuring critical data is backed up is not a goal of business continuity planning. BCP is all about protecting lives and resuming critical business functions

During the course of a risk assessment, an auditor identifies a vulnerability with a low probability of occurrence and a high impact. This is an example of what type of risk? a. significant risk b. contingency risk c. high incident risk d. minor risk

B. Low probability, high impact is a contingency risk

What topic is generally included in the Scope section of a business continuity plan? a. the duration of the BCP project b. the type of threats to be addressed c. the name of the BCP coordinator d. the BCP budget

B. The Scope section of the BCP states the types of threats that are going to be addressed.

Which describes a hot site vs. a warm or cold site facility? a. a hot site has disk drives, controllers and tape drives b. a hot site has all necessary PCs, servers, telecommunications and power c. a hot site has tape drives, central air and raised flooring d. a hot site has wiring, central air and raised flooring

B. A hot site has everything needed to resume operations.

An auditor wants to see how an organization's risk management program changes over time. What is the best approach to achieve this? a. establish baselines b. define and collect carefully chosen metrics c. use risk management tools such as ArcSight d. follow an established risk management framework

B. metrics can be tracked on a dashboard

Why is it a good idea to sanitize a BCP before releasing it to an external entity? a. because the BCP may not be accurate b. because it contains information about vulnerabilities that could be used by an attacker c. because the BCP is usually too large to be exported easily d. because the BCP cannot be used unless it is accompanied by the disaster recovery plan

B. The BCP should be sanitized so that the vulnerability information it contains cannot be used by an attacker.

Your company merges with another company. What should be done with your company's BCP? a. change the name of the company on the cover and throughout its contents b. update the plan in its entirety c. update the BIA only d. throw it away as it isn't useful anymore

B. the BCP should be updated entirely

What is the main difference between disaster recovery and business continuity? a. disaster recovery deals with operations and business continuity deals with mitigating risks b. business continuity deals with keeping critical business functions operating; disaster recovery deals with returning an IT function to an operational mode c. they are one and the same d. business continuity deals with the actions that take place right after a disaster and disaster recovery deals with the actions that need to take place to keep operations running

B. the main difference is BC keeps critical functions operating, DR returns IT functions to operational mode.

The duration a function can continue to operate without a given resource is the: a. mean time between failures b. minimum acceptable downtime c. maximum tolerable downtime d. annual loss expectancy

C

What is the correct order of events in Business Continuity Planning? a. identify preventative controls, then perform business impact analysis b. create the business continuity plan, then identify preventative controls c. perform the business impact analysis, then create the business continuity plan d. create the business continuity plan, then perform the business impact analysis

C - BIA is a comprehensive analysis that examines all the threats, vulnerabilities, functions and resources and calculates the risk to the organization

The initial step in establishing an information security program is the: a. development and implementation of information security standards b. performance of a comprehensive security control review by the IS auditor c. adoption of a corporate information security policy statement d. purchase of security access control software

C - a policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program

An IT steering committee should: a. include a mix of members from different departments and staff levels b. ensure that IS security policies and procedures have been executed properly c. maintain minutes of its meetings and keep the board of directors informed d. be briefed about new trends and products at each meeting by a vendor

C - it is important to keep detailed IT steering committee minutes to document the decisions and activities of the IT steering committee. The board of directors should be informed about those decisions on a timely basis

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should: A. compute the amortization of the related assets. B. calculate a return on investment (ROI). C. apply a qualitative approach. D. spend the time needed to define the loss amount exactly.

C - the common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g. 1 is a very low impact to the business and 5 is a very high impact).

The risk associated with electronic evidence gathering is most likely reduced by email: a. destruction policy b. security policy c. archive policy d. audit policy

C - with a policy of well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible

An auditor has established the risk and cost of an organizational loss. After reviewing the report, management decides to respond by purchasing insurance. This is an example of: a. avoidance b. mitigation c. transference d. acceptance

C.

What is not a good way to keep the Business Continuity Plan up to date? a. make the updating of the BCP part of the change control process b. make the updating of the BCP part of employee job descriptions and performance evaluations c. update the plan only after a disaster occurs d. integrate BCP updates into the auditing process

C.

During the course of an audit you realize that an organization has no risk management program. The organization's CEO asks you to provide a brief description of the main purpose of risk management. What is the most accurate response? a. it is the process of implementing the right mechanisms to maintain a given level of risk b. it is the process of obtaining funding, assessing the environment, and implementing government policies c. it is the process of identifying, assessing and reducing the risk to an acceptable level d. it is the process of identifying, assessing and increasing the risk to an acceptable level and implementing the right mechanisms to maintain that level of risk

C. Acceptable level

The Risk Management phase where most of the work is performed is: a. acceptance b. planning c. collection d. recommendations

C. Most of the work is performed in the collection phase

What is the primary purpose of a business impact analysis (BIA)? a. identify the events that could impact the continuity of an organization's operations b. publicize the commitment of the organization to physical and logical security c. provide a plan for resuming operations after a disaster d. provide the basis for an effective business continuity plan (BCP)

D. The BIA is where the real work gets done: it is a comprehensive analysis that examines all the threats, vulnerabilities, functions and resources and calculates the risk to the organization. It is done before the BCP.

A critical business function is: a. a function that relies on one or more other functions b. a function that has the lowest ALE c. a function that costs the most money d. a function that many other functions rely on, whose timely resumption the BCP ensures

D.

What should not be in a publicly released Business Continuity Plan? a. ensure that the BCP document size is not too large b. ensure that the website administrator has reviewed the BCP c. ensure that the version of the BCP posted on the website is up to date d. ensure that the version of the BCP posted on the website has been sanitized

D. BCPs should be sanitized before being publicly released.

Auditing governance is ____ a. the most important part of an audit b. the least important part of an audit c. more technical than business process d. more business process than technical

D. auditing governance is more business process than technical

You are auditing an organization's BCP management. What should you always check for? a. is the BCP greater than 200 pages? b. is the BCP stored in a secure location? c. does the BCP follow a framework? d. is there a process to keep the BCP up to date?

D. You should always check to see if there is a process in place to keep the BCP up to date!

What would be the most significant audit finding when auditing an organization's business continuity plan? a. the plan has not been approved by management b. the plan outlines roles and responsibilities c. the plan is out of date d. the plan includes regular testing

a. The most significant finding would be that the plan has not been approved by management.

What should not be in a publicly released Business Continuity Plan? a. business recovery procedures b. organization names c. revision date d. version

a. Business recovery procedures are the most sensitive item in the plan.

Which choice is not considered a threat? a. unpatched server b. malicious code c. malicious hacker d. hurricane

a. An unpatched server is a vulnerability, not a threat.

What is the best way to ensure the BCP can be implemented in the event of a disaster? a. Check the MTD calculations b. Conduct testing c. review the BIA periodically d. conduct management review of the BCP

b

Which choice best describes a business continuity/disaster recovery test that requires all regular operations to cease? a. parallel test b. full-interruption test c. simulation test d. walk-through test

b - a full-interruption test requires regular operations to stop for the duration of the test.

While reviewing IS strategies, an IS auditor can best determine if the IS strategy supports the organization's business objectives if IS: a. is adequately staffed and has the equipment it needs b. develops plans that are consistent with management strategy c. has extra resources to respond to change d. is using its people and equipment effectively and efficiently

b - note the word choice: "supports business objectives", so look for plans that are consistent with management strategy.

You are auditing an IT organization's software development process and find that approval from several members of the software development staff with different areas of responsibility is required in order to promote code to production. This is an example of: a. need-to-know rules b. segregation of duties c. need-to-access rules d. collaboration

b. SOD (segregation of duties)

Defining an alternative business process is an example of: a. fault tolerance b. a recovery strategy c. quality assurance d. availability

b. defining an alternative business process is a recovery strategy

In which situation is it acceptable to simply do nothing and accept the risk of a potential loss? a. when the risk can be transferred to another organization that will be responsible for the risk b. when the risk is within the acceptable risk level for the organization to accept it c. when the risk can be avoided by simply discontinuing the activity d. it is never acceptable to accept the risk of a potential loss

b. If the risk is within the acceptable risk level, it can be accepted.

A policy references a supporting document that identifies the steps required to approve access to data. This supporting document is a: a. report b. procedure c. guideline d. brochure

b. Procedures define the steps for how something will be done, in this case how access will be approved.

An organization determines that they are running vulnerable web servers. Patching the web server causes an important application to break. They decide to run the application on a web server product from a different vendor that doesn't have the same vulnerability and decommission the original web server. What best describes the response to this risk? a. risk mitigation b. risk avoidance c. risk transference d. risk acceptance

b. risk avoidance!

Which choice best describes the functions of an IT Steering Committee? a. acts as a liaison between the user and the IS department b. oversees major projects including approval and monitoring of projects and reporting the status of the IS plans and budgets c. makes certain that within the IT processing department there is a separation of duties and job descriptions d. defines strategic business objectives and allocates resources to meet those objectives

b. the IT Steering Committee oversees major projects including approval and monitoring of projects and reporting the status of the IS plans and budgets

The amount of money an organization could lose in the event of a disaster is the: a. annual mean time between failures b. annualized loss expectancy c. likelihood of failure d. chance of occurrence

b. The amount of money an organization could lose in the event of a disaster is the annualized loss expectancy.

What is the first thing you should look for when auditing an organization's risk management capability? a. how much does the organization budget for risk management b. does the organization have a process for performing risk management c. does the organization have defined levels of risk d. does the organization categorize threats

b. The first thing you should look for when assessing the capability is whether there is a process in place for performing risk management.

Which document defines what other policies the organization will maintain? a. access control policy b. master policy c. classification policy d. communication security policy

b. the master policy defines what other policies the organization will maintain

What should you check for when auditing the management structure with respect to IT and security? a. IT and security should report to the same manager b. the organization should have separation between IT and security c. IT and security should both reside within operations d. it is irrelevant where IT and security sit within the organization

b. the organization should have separation between IT and security

An organization decides to discontinue the use of a software product that has known security vulnerabilities. This is an example of: a. risk mitigation b. risk avoidance c. risk assessment d. threat reduction

b. this is risk avoidance

Should auditors be part of the risk management team? a. no b. yes c. only if required by regulation d. sometimes

b. Yes.

What is the most important consideration when an IS auditor is evaluating an organization's IS strategy? a. are the procurement procedures compliant? b. is the IS department operating within budget? c. are the organization's business objectives being met? d. is the organization using a balanced scorecard?

c - look for the option about the organization: meeting business objectives matters more than whether a balanced scorecard is used.

What is the most important factor that drives the success of risk management? a. experience of team b. risk mitigation c. commitment from senior management d. following a plan

c. Senior management's commitment and support is needed!

The best description of a policy is: a. general guidelines to use to accomplish specific tasks b. step-by-step directions on how to accomplish a task c. broad, high-level statements from management d. detailed documents explaining how security incidents should be handled

c. a policy is a broad, high-level statement from management

Which policy defines controls for granting, revoking, modifying and validating access? a. firewall policies b. acceptable use c. access control policies d. resource policies

c. Access control policies cover access, authorization and monitoring.

When performing a risk assessment, which information is not required to be collected? a. exposure factor (ef) b. annualized loss expectancy (ale) c. cost/benefit analysis (cba) d. single loss expectancy (sle)

c. All the other options are risk variables collected during the assessment; the cost/benefit analysis is not.

What forces an organization to look at itself from different perspectives and track progress? a. management b. strategy committee c. balanced scorecard d. steering committee

c. The balanced scorecard translates internal strategy into action.

What process ensures that only approved changes can be made to the IT environment? a. SOD b. configuration management c. change management d. quality management

c. Change management is the process in place to control how change is implemented.

Who should auditors report to? a. quality assurance b. security management c. executive management d. risk manager

c. executive management

After a control is put in place to mitigate a risk the resulting risk is called ____ a. control gap b. exposure factor c. residual risk d. mitigated risk

c. Residual risk is the risk that remains after the control is applied.

During the course of an audit, an auditor discovers that an organization's documentation is out of date. What type of finding is this? a. vulnerability b. exposure c. threat d. insufficient process

d

During the course of an audit, one area that is quickly identified is a small warehouse in a heavily populated area that holds valuable assets. The warehouse has no perimeter defense. This lack of protection would be characterized as a ___ a. Countermeasure b. exposure factor c. threat d. vulnerability

d

When performing a risk assessment, which information is not required to be collected? a. list of vulnerabilities b. list of assets c. value of assets d. list of data classifications

d - the list of data classifications is not required for the assessment.

The BIA should always accomplish: a. identification of how recovery approaches should be tested b. implementation of backup and recovery procedures c. development of a patch management plan d. identification of the organization's critical business functions

d - identifying the critical business functions is the planning basis for the BCP.

What do you call an agreement between two companies to lend facilities in the case of a disaster? a. rolling hot site b. merger agreement c. redundant site d. reciprocal agreement

d.

Which statement is most true? a. BCP is more focused on testing b. BCP is focused on systems; DRP is focused on people c. BCP is short term; DRP is long term d. BCP is focused on business; DRP is focused on information technology

d. B as in business

A service level agreement defines the relationship between what two parties? a. consultant and vendor b. employee and consultant c. employer and employee d. organization and vendor

d. An SLA defines the relationship between the organization and the vendor.

The first thing in the risk management collection phase is to: a. identify vulnerabilities and threats to assets b. calculate risk c. assign value to assets d. identify the assets

d. The first step should be to identify the assets.

What is the primary goal of auditing governance? a. determine the effectiveness of the business b. determine if the organization has the right people in place c. determine if the organization is following a framework d. determine if the organization is doing what they said they were going to do

d. governance is the board of directors/chairs of the board providing guidance

What is not a challenge of risk management? a. gathering data from many sources b. trying to predict the future c. surmising all possible threats d. learning the risk management process

d. Learning the process is the easy part; it should follow an established framework such as COBIT.

When auditing an organization's business continuity process, which question is not something you need to ask? a. are business continuity roles identified b. are the business continuity goals defined and approved by management c. are the business continuity functions tested? d. is the length of the plan appropriate?

d. The length of the plan is the least important consideration.

Who has the final approval of the disaster recovery and business continuity plan? a. each representative of each department b. external authority c. the planning committee d. management

d. management has the final approval of the plans

The activation phase of a BCP should always contain ___ procedures a. reconstitution b. mitigation c. recovery d. notification

d. the activation phase of a BCP should always contain notification procedures

An organization determines that they are running a vulnerable web server. Instead of patching the server they decide to put the service behind an application firewall. This is an example of: a. risk mitigation b. risk acceptance c. risk transference d. risk avoidance

a. Adding a firewall in front of the service is risk mitigation.

Which type of risk has a high likelihood and low impact? a. high incidence risk b. significant risk c. contingency risk d. minor risk

a. High incidence risk: a lot of incidents, each with low impact.

A systems administrator suggests to their manager that they use a subscription hot site in case of a disaster. Their manager informs them that they cannot afford the expense of a subscription hot site. What should they choose? a. cold site b. boiling site c. off site d. backup site

a. cold site

Which is most important during a disaster? a. human life b. assets governed by regulations c. confidential data d. reducing costs

a. Human life always comes first.

Which type of risk has a low likelihood and low impact? a. minor risk b. significant risk c. high incident risk d. contingency risk

a. minor

What are the 3 main phases of a business continuity plan (BCP)? a. activation, recovery and reconstitution b. activation, review, and reciprocity c. recovery, reconstitution and redemption d. reactivation, reiteration and recovery

a. the 3 main phases of a business continuity plan are activation, recovery and reconstitution

Which of the following is MOST critical for the successful implementation and maintenance of a security policy? a. assimilation of the framework and intent of a written security policy by all appropriate parties b. management support and approval for the implementation and maintenance of a security policy c. enforcement of security rules by providing punitive actions for any violation of security rules d. stringent implementation, monitoring and enforcing of rules by the security officer through access control software

A - this is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective.

An internal auditor is assisting the IT team in prioritizing their projects for the next year. The auditor interviews users, administrators, and managers in the IT department and records their recommendations based upon their perceptions of risk. This is an example of what kind of approach to risk analysis? a. qualitative b. value based c. accumulative d. quantitative

a. Qualitative analysis relies on judgment ("on a scale of 1-10, which is riskier?"). Key words: perception of risk!

IT governance is PRIMARILY the responsibility of the: a. chief executive officer b. board of directors c. IT steering committee d. audit committee

B - IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors)

Which type of analysis would best be used to assess risk to an organization's reputation? a. qualitative b. quantitative c. mitigation d. technical

a. Damage to reputation cannot be measured exactly, so a qualitative analysis is used.

Which option for handling risk is only allowed within an acceptable level? a. risk acceptance b. risk mitigation c. risk transference d. risk avoidance

a. risk acceptance

What is the best way to review an organization's approach to risk management? a. review the risk management plan b. review the organization's risk mitigation plan c. talk to employees d. search through all the organization's records

a. The organization's approach to risk management is documented in its risk management plan.

What is not a reason for segregation of duties (SoD)? a. speed of operation b. improves error detection c. assisting in avoiding single points of failure d. reduces fraud

a. speed of operation

During the course of an audit, an auditor discovers that an organization's controls do not align with the control framework being used. What type of finding best describes this situation? a. lack of governance b. misuse of balanced scorecards c. lack of resources d. lack of documentation

a. Governance is making sure the boat is being steered in the intended direction.

ALE (annual loss expectancy) is 15k and ARO (annualized rate of occurrence) is 5. What is the single loss expectancy (SLE)? a. 3k b. 75k c. 5k d. 20k

a. 3k (ALE = SLE x ARO, so SLE = ALE / ARO = 15k / 5 = 3k)

What is not part of the BCP project initiation? a. determine the business impact of a threat b. outline the BCP goals c. identify required documentation d. appoint a BCP coordinator or project manager

a. BCP project initiation is about policies and goals (qualitative and fairly high-level); determining the business impact of a threat belongs to the BIA.

Who is ultimately responsible for determining the acceptable risk level? a. management b. security analysts c. auditors d. IT team

a. Management is ultimately responsible for determining the acceptable risk level

You audit an organization and discover that errors are not being detected before it's too late. How can you improve the situation? a. SOD b. risk avoidance c. auditors reporting directly to management d. security team reporting directly to management

a. SOD

Which type of risk has a low likelihood and high impact? a. contingency risk b. high incidence risk c. significant risk d. minor risk

a. A contingency risk has a low likelihood and a high impact.
