CISA Domain 4
The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a DRP, will MOST likely: A. increase. B. decrease. C. remain the same. D. be unpredictable.
A
An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit? A. To detect data transposition errors B. To ensure that transactions do not exceed predetermined amounts C. To ensure that data entered are within reasonable limits D. To ensure that data entered are within a predetermined range of values
A is the correct answer. Justification A. A check digit is a numeric value added to data to ensure that original data are correct and have not been altered. B. Ensuring that data have not exceeded a predetermined amount is a limit check. C. Ensuring that data entered are within predetermined reasonable limits is a reasonableness check. D. Ensuring that data entered are within a predetermined range of values is a range check.
The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan? A. Contact information of key personnel B. Server inventory documentation C. Individual roles and responsibilities D. Procedures for declaring a disaster
A is the correct answer. Justification A. In the event of a disaster, it is important to have a current, updated list of the personnel who are key to the operation of the plan. B. Asset inventory is important and should be linked to the change management process of the organization, but having access to key people may compensate for outdated records. C. These are important, but in a disaster many people could fill different roles depending on their experience. D. These are important because they can affect response, customer perception and regulatory issues, but not as important as having the right people there when needed.
During an IS audit of the disaster recovery plan of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor? A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident. B. The corporate business continuity plan does not accurately document the systems that exist at remote offices. C. Corporate security measures have not been incorporated into the test plan. D. A test has not been made to ensure that tape backups from the remote offices are usable.
A is the correct answer. Justification A. Regardless of the capability of local IT resources, the most critical risk would be the lack of testing, which would identify quality issues in the recovery process. B. The corporate business continuity plan may not include disaster recovery plan (DRP) details for remote offices. It is important to ensure that the local plans have been tested. C. Security is an important issue because many controls may be missing during a disaster. However, not having a tested plan is more important. D. The backups cannot be trusted until they have been tested. However, this should be done as part of the overall tests of the DRP.
Which of the following disaster recovery testing techniques is the MOST efficient way to determine the effectiveness of the plan? A. Preparedness tests B. Paper tests C. Full operational tests D. Actual service disruption
A is the correct answer. Justification A. These involve simulation of the entire environment (in phases) at relatively low cost and help the team to better understand and prepare for the actual test scenario. B. These test the entire plan, but there is no simulation and less is learned. It also is difficult to obtain evidence that the team has understood the test plan. C. These would require approval from management, are not easy or practical to test in most scenarios and may trigger a real disaster. D. This is not recommended in most cases unless required by regulation or policy.
An IS auditor is reviewing the most recent disaster recovery plan of an organization. Which approval is the MOST important when determining the availability of system resources required for the plan? A. Executive management B. IT management C. Board of directors D. Steering committee
B is the correct answer. Justification A. Although executive management's approval is essential, the IT department is responsible for managing system resources and their availability as related to disaster recovery. B. Because a disaster recovery plan (DRP) is based on the recovery and provisioning of IT services, IT management's approval would be most important to verify that the system resources will be available in the event that a disaster event is triggered. C. This group may review and approve the DRP, but the IT department is responsible for managing system resources and their availability as related to disaster recovery. D. This group would determine the requirements for disaster recovery (recovery time objective and recovery point objective); however, the IT department is responsible for managing system resources and their availability as related to disaster recovery.
An IS auditor finds that database administrators (DBAs) have access to the log location on the database server and the ability to purge logs from the system. What is the BEST audit recommendation to ensure that DBA activity is effectively monitored? A. Change permissions to prevent DBAs from purging logs. B. Forward database logs to a centralized log server to which the DBAs do not have access. C. Require that critical changes to the database are formally approved. D. Back up database logs to tape.
B is the correct answer. Justification A. This may not be feasible and does not adequately protect the availability and integrity of the database logs. B. To protect the availability and integrity of the database logs, it is most feasible to forward the database logs to a centralized log server to which the DBAs do not have access. C. This does not adequately protect the availability and integrity of the database logs. D. Backing up database logs to tape does not adequately protect the availability and integrity of the database logs.
The FIRST step in the execution of a problem management mechanism should be: A. issue analysis. B. exception ranking. C. exception reporting. D. root cause analysis.
C is the correct answer. Justification A. Analysis and resolution are performed after logging and triage have been performed. B. This can only be performed once the exceptions have been reported. C. The reporting of operational issues is normally the first step in tracking problems. D. This is performed once the exceptions have been identified and is not normally the first part of problem management.
Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another? A. Compare the hash total before and after the migration. B. Verify that the number of records is the same for both databases. C. Perform sample testing of the migrated account balances. D. Compare the control totals of all of the transactions.
C is the correct answer. Justification A. The hash total will only validate the data integrity at a batch level rather than at a transaction level. B. Databases are composed of records that can contain multiple fields. The number of records will not allow an IS auditor to ascertain whether some of these fields have been successfully migrated. C. This will involve the comparison of a selection of individual transactions from the database before and after the migration. D. This does not imply that the records are complete or that individual values are accurate.
During the review of an in-house developed application, the GREATEST concern to an IS auditor is if a: A. user raises a change request and tests it in the test environment. B. programmer codes a change in the development environment and tests it in the test environment. C. manager approves a change request and then reviews it in production. D. manager initiates a change request and subsequently approves it.
D
A hard disk containing confidential data was damaged beyond repair. If the goal is to positively prevent access to the data by anyone else, what should be done to the hard disk before it is discarded? A. Overwriting B. Low-level formatting C. Degaussing D. Destruction
D is the correct answer. Justification A. Rewriting data is impractical because the hard disk is damaged and offers less assurance than physical destruction even when done successfully. B. This is impractical because the hard disk is damaged and offers less assurance than physical destruction even when done successfully. C. This is highly effective but offers less assurance than physical destruction. D. Physically destroying the hard disk is the most effective way to ensure that data cannot be recovered.
Which of the following is the MOST efficient and sufficiently reliable way to test the design effectiveness of a change control process? A. Test a sample population of change requests B. Test a sample of authorized changes C. Interview personnel in charge of the change control process D. Perform an end-to-end walk-through of the process
D is the correct answer. Justification A. Testing a sample population of changes is a test of compliance and operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design. B. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization or detect changes that bypassed the controls. C. This is not as effective as a walk-through of the change controls process because people may know the process but not follow it. D. Observation is the best and most effective method to test changes to ensure that the process is effectively designed.
An IS auditor analyzing the audit log of a database management system finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violated? A. Consistency B. Isolation C. Durability D. Atomicity
D is the correct answer. Justification A. This ensures that the database is in a proper state when the transaction begins and ends and that the transaction has not violated integrity rules. B. This means that, while in an intermediate state, the transaction data are invisible to external operations. This prevents two transactions from attempting to access the same data at the same time. C. This guarantees that a successful transaction will persist and cannot be undone. D. This guarantees that either the entire transaction is processed or none of it is.
A large chain of shops with electronic funds transfer at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor? A. Offsite storage of daily backups B. Alternative standby processor onsite C. Installation of duplex communication links D. Alternative standby processor at another network node
D is the correct answer. Justification A. This would not help, because electronic funds transfer tends to be an online process and offsite storage will not replace the dysfunctional processor. B. The provision of an alternate processor onsite would be fine if it were an equipment problem but would not help in the case of a power outage and may require technical expertise to cut over to the alternate equipment. C. This would be most appropriate if it were only the communication link that failed. D. Having an alternative standby processor at another network node would be the best solution. The unavailability of the central communications processor would disrupt all access to the banking network, resulting in the disruption of operations for all of the shops. This could be caused by failure of equipment, power or communications.
Which of the following BEST ensures that users have uninterrupted access to a critical, heavily used web-based application? A. Disk mirroring B. Redundant Array of Inexpensive Disks C. Dynamic domain name system D. Load balancing
D is the correct answer. Justification D. This best ensures uninterrupted system availability by distributing traffic across multiple servers. Load balancing helps ensure consistent response time for web applications. Also, if a web server fails, load balancing ensures that traffic will be directed to a different, functional server.
What would be the MOST effective control for enforcing accountability among database users accessing sensitive information? A. Implement a log management process. B. Implement a two-factor authentication. C. Use table views to access sensitive data. D. Separate database and application servers.
A is the correct answer. Justification A. Accountability means knowing what is being done by whom. The best way to enforce the principle is to implement a log management process that would create and store logs with pertinent information such as user name, type of transaction and hour. B. This would prevent unauthorized access to the database but would not record the activity of the user when using the database. C. This would restrict users from seeing data that they should not be able to see but would not record what users did with data they were allowed to see. D. This may help in better administration or even in implementing access controls but does not address the accountability issues.
Disaster recovery planning addresses the: A. technological aspect of business continuity planning (BCP). B. operational part of BCP. C. functional aspect of BCP. D. overall coordination of BCP.
A is the correct answer. Justification A. Disaster recovery planning (DRP) is the technological aspect of BCP that focuses on IT systems and operations. B. Business resumption planning addresses the operational part of BCP. C. Disaster recovery addresses the technical components of business recovery. D. The overall coordination of BCP is accomplished through business continuity management and strategic plans. DRP addresses technical aspects of BCP.
The PRIMARY objective of service-level management is to: A. define, agree on, record and manage the required levels of service. B. ensure that services are managed to deliver the highest achievable level of availability. C. keep the costs associated with any service at a minimum. D. monitor and report any legal noncompliance to business management.
A is the correct answer. Justification A. The objective of service-level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services. B. SLM does not necessarily ensure that services are delivered at the highest achievable level of availability (e.g., redundancy and clustering). Although maximizing availability might be necessary for some critical services, it cannot be applied as a general rule of thumb. C. SLM cannot ensure that costs for all services will be kept at a low or minimum level because costs associated with a service will directly reflect the customer's requirements. D. Monitoring and reporting legal noncompliance is not a primary objective of SLM.
Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with change control procedures in an organization? A. Review software migration records and verify approvals. B. Identify changes that have occurred and verify approvals. C. Review change control documentation and verify approvals. D. Ensure that only appropriate staff can migrate changes into production.
B
An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if: A. the setup is geographically dispersed. B. the servers are clustered in one site. C. a hot site is ready for activation. D. diverse routing is implemented for the network.
B is the correct answer. Justification A. Dispersed geographic locations provide backup if a site has been destroyed. B. A clustered setup in one site makes the entire network vulnerable to natural disasters or other disruptive events. C. A hot site would also be a good alternative for a single point-of-failure site. D. Diverse routing provides telecommunications backup if a network is not available.
The PRIMARY objective of testing a business continuity plan is to: A. familiarize employees with the business continuity plan. B. ensure that all residual risk is addressed. C. exercise all possible disaster scenarios. D. identify limitations of the business continuity plan.
D is the correct answer. Justification A. This is a secondary benefit of a test. B. It is not cost-effective to address all residual risk in a business continuity plan. C. It is not practical to test all possible disaster scenarios. D. Testing the business continuity plan provides the best evidence of any limitations that may exist.
Which of the following is the BEST method for an IS auditor to verify that critical production servers are running the latest security updates released by the vendor? A. Ensure that automatic updates are enabled on critical production servers. B. Verify manually that the patches are applied on a sample of production servers. C. Review the change management log for critical production servers. D. Run an automated tool to verify the security patches on production servers.
D is the correct answer. Justification A. This may be a valid way to manage the patching process; however, it would not provide assurance that all servers are being patched appropriately. B. This will be less effective than automated testing and introduces a significant audit risk. Manual testing is also difficult and time-consuming. C. The change management log may not be updated on time and may not accurately reflect the patch update status on servers. A better testing strategy is to test the server for patches, rather than examining the change management log. D. An automated tool can immediately provide a report on which patches have been applied and which are missing.
Emergency changes that bypass the normal change control process are MOST acceptable if: A. management reviews and approves the changes after they have occurred. B. the changes are reviewed by a peer at the time of the change. C. the changes are documented in the change control system by the operations department. D. management has preapproved all emergency changes.
A is the correct answer. Justification A. Because management cannot always be available when a system failure occurs, it is acceptable for changes to be reviewed and approved within a reasonable time period after they occur. B. Although peer review provides some accountability, management should review and approve all changes, even if that review and approval must occur after the fact. C. Documenting the event does not replace the need for a review and approval process to occur. D. It is not a good control practice for management to ignore its responsibility by preapproving all emergency changes in advance without reviewing them. Unauthorized changes could then be made without management's knowledge.
An IS auditor notes during an audit that an organization's business continuity plan does not adequately address information confidentiality during the recovery process. The IS auditor should recommend that the plan be modified to include: A. the level of information security required when business recovery procedures are invoked. B. information security roles and responsibilities in the crisis management structure. C. information security resource requirements. D. change management procedures for information security that could affect business continuity arrangements.
A is the correct answer. Justification A. The business should consider whether the information security levels required during recovery should be the same as, lower than or higher than when business is operating normally. In particular, any special rules for access to confidential data during a crisis need to be identified. B. During a time of crisis, the security needs of the organization may increase because many usual controls, such as separation of duties, are missing. Having security roles in the crisis management plan is important, but that is not the best answer to this scenario. C. Identifying the resource requirements for information security, as part of the business continuity plan (BCP), is important, but it is more important to set out the security levels that would be required for protected information. D. Change management procedures can help keep a BCP up to date but are not relevant to this scenario.
Which of the following is the MOST efficient strategy for the backup of large quantities of mission-critical data when the systems need to be online to take sales orders 24 hours a day? A. Implementing a fault-tolerant disk-to-disk backup solution B. Making a full backup to tape weekly and an incremental backup nightly C. Creating a duplicate storage area network (SAN) and replicating the data to a second SAN D. Creating identical server and storage infrastructure at a hot site
A is the correct answer. Justification A. Disk-to-disk backup, also called disk-to-disk-to-tape backup or tape cache, is when the primary backup is written to disk instead of tape. That backup can then be copied, cloned or migrated to tape at a later time (hence the term "disk-to-disk-to-tape"). This technology allows the backup of data to be performed without impacting system performance and allows a large quantity of data to be backed up in a very short backup window. In case of a failure, the fault-tolerant system can transfer immediately to the other disk set. B. While a backup strategy involving tape drives is valid, because many computer systems must be taken offline so that backups can be performed, there is the need to create a backup window, typically during each night. This would not enable the system to be available 24/7. For a system that must remain online at all times, the only feasible way to back up the data is to either duplicate the data to a server that gets backed up to tape, or deploy a disk-to-disk solution, which is effectively the same thing. C. While creating a duplicate SAN and replicating the data to a second SAN provides some redundancy and data protection, this is not really a backup solution. If the two systems are at the same site, there is a risk that an incident such as a fire or flood in the data center could lead to data loss. D. While creating an identical server and storage infrastructure at a hot site provides a great deal of redundancy and availability to enable the system to stay operational, it does not address the need for long-term data storage. There is still the need to create an efficient method of backing up data.
In a disaster recovery situation, which of the following is the MOST important metric to ensure that data are synchronized between critical systems? A. Recovery point objective B. Recovery time objective C. Recovery service resilience D. Recovery service scalability
A is the correct answer. Justification A. Establishing a common recovery point objective is most critical for ensuring that interdependencies between systems are properly synchronized. It ensures that systems do not contain data from different points in time that may result in accounting transactions that cannot be reconciled and a loss of referential integrity. B. These are not as important to synchronize because they normally vary depending on the level of effort and resources required to restore a system. C. This measures the fault tolerance due to data exceptions and ability to restart and recover from internal failures. D. This refers to the capacity constraints and limitations that a recovery solution may have relative to the original system configuration.
If a database is restored using before-image dumps, where should the process begin following an interruption? A. Before the last transaction B. After the last transaction C. As the first transaction after the latest checkpoint D. As the last transaction before the latest checkpoint
A is the correct answer. Justification A. If before images are used, the last transaction in the dump will not have updated the database prior to the dump being taken. B. The last transaction will not have updated the database and must be reprocessed. C. Program checkpoints are irrelevant in this situation. Checkpoints are used in application failures. D. Program checkpoints are irrelevant in this situation. Checkpoints are used in application failures.
During a data center audit, an IS auditor observes that some parameters in the tape management system are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness? A. Staging and job setup B. Supervisory review of logs C. Regular backup of tapes D. Offsite storage of tapes
A is the correct answer. Justification A. If the IS auditor finds that there are effective staging and job setup processes, this can be accepted as a compensating control. Not reading header records may otherwise result in loading the wrong tape and deleting or accessing data on the loaded tape. B. This is a detective control that would not prevent loading of the wrong tapes. C. This is not related to bypassing tape header records. D. This would not prevent loading the wrong tape because of bypassing header records.
Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be: A. physically separated from the data center and not subject to the same risk. B. given the same level of protection as that of the computer data center. C. outsourced to a reliable third party. D. equipped with surveillance capabilities.
A is the correct answer. Justification A. It is important that there is an offsite storage location for IS files and that it is in a location not subject to the same risk as the primary data center. B. The offsite location may be shared with other companies and, therefore, have an even higher level of protection than the primary data center. C. An offsite location may be owned by a third party or by the organization itself. D. Physical protection is important but not as important as not being affected by the same crisis.
An IS auditor should recommend the use of library control software to provide reasonable assurance that: A. program changes have been authorized. B. only thoroughly tested programs are released. C. modified programs are automatically moved to production. D. source and executable code integrity is maintained.
A is the correct answer. Justification A. Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. B. Library control software is concerned with authorized program changes and cannot determine whether programs have been thoroughly tested. C. Programs should not be moved automatically into production without proper authorization. D. Library control software provides reasonable assurance that the source code and executable code are matched at the time a source code is moved to production. Access control will ensure the integrity of the software, but the most important benefit of version control software is to ensure that all changes are authorized.
Which of the following scenarios provides the BEST disaster recovery plan to implement for critical applications? A. Daily data backups that are stored offsite and a hot site located 140 kilometers from the main data center B. Daily data backups that are stored onsite in a fireproof safe C. Real-time data replication between the main data center and the hot site located 500 meters from the main site D. Daily data backups that are stored offsite with a warm site located 70 kilometers from the main data center
A is the correct answer. Justification A. Of the given choices, this is the most suitable answer. The disaster recovery plan includes a hot site that is located sufficiently away from the main data center and will allow recovery in the event of a major disaster. Not having real-time backups may be a problem depending on recovery point objective (RPO). B. Having data backups is necessary, but not having a replication site would be insufficient for the critical application. C. Depending on the type of disaster, a hot site should normally be located more than 500 meters from the main facility. Having real-time backups may be the best option though, depending on the data RPO. D. A warm site may take days to recover, and therefore, it may not be a suitable solution.
Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production? A. Provide and monitor separate developer login IDs for programming and for production support. B. Capture activities of the developer in the production environment by enabling detailed audit trails. C. Back up all affected records before allowing the developer to make production changes. D. Ensure that all changes are approved by the change manager prior to implementation.
A is the correct answer. Justification A. Providing separate login IDs that would only allow a developer privileged access when required is a good compensating control, but it must also be backed up with monitoring and supervision of the activity of the developer. B. While capturing activities of the developer via audit trails or logs would be a good practice, the control would not be effective unless these audit trails are reviewed on a periodic basis. C. This would allow for rollback in case of an error but would not prevent or detect unauthorized changes. D. Even though changes are approved by the change manager, a developer with full access can easily circumvent this control.
Which of the following is the MOST critical element to effectively execute a disaster recovery plan? A. Offsite storage of backup data B. Up-to-date list of key disaster recovery contacts C. Availability of a replacement data center D. Clearly defined recovery time objective (RTO)
A is the correct answer. Justification A. Remote storage of backups is the most critical disaster recovery plan (DRP) element of the items listed because access to backup data is required to restore systems. B. Having a list of key contacts is important but not as important as having adequate data backup. C. A DRP may use a replacement data center or some other solution such as a mobile site, reciprocal agreement or outsourcing agreement. D. Having a clearly defined recovery time objective is especially important for business continuity planning, but the core element of disaster recovery (the recovery of IT infrastructure and capability) is data backup.
A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the: A. system and the IT operations team can sustain operations in the emergency environment. B. resources and the environment could sustain the transaction load. C. connectivity to the applications at the remote site meets response time requirements. D. workflow of actual business operations can use the emergency system in case of a disaster.
A is the correct answer. Justification A. The applications have been operated intensively, but the capability of the system and the IT operations team to sustain and support this environment (ancillary operations, batch closing, error corrections, output distribution, etc.) is only partially tested. B. Because the test involved intensive usage, the backup would seem to be able to handle the transaction load. C. Because users were able to connect to and use the system, the response time must have been satisfactory. D. The intensive tests by the business indicated that the workflow systems worked correctly. Changes to the environment could pose a problem in the future, but it is working correctly now.
An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a: A. transition clause from the old supplier to a new supplier or back to internal in the case of expiration or termination. B. late payment clause between the customer and the supplier. C. contractual commitment for service improvement. D. dispute resolution procedure between the contracting parties.
A is the correct answer. Justification A. The delivery of IT services for a specific customer always implies a close linkage between the client and the supplier of the service. If there are no contract terms to specify how the transition to a new supplier may be performed, there is the risk that the old supplier may simply "pull the plug" if the contract expires or is terminated, or may not make data available to the outsourcing organization or new supplier. This would be the greatest risk to the organization. B. Contractual issues regarding payment, service improvement and dispute resolution are important but not as critical as ensuring that service disruption, data loss, data retention problems or other significant events do not occur in the event that the organization switches to a new firm providing outsourced services. C. The service level agreement (SLA) should address performance requirements and metrics to report on the status of services provided; a commitment to performance improvement is desirable, although it is not mandated. D. The SLA should address a dispute resolution procedure and specify the jurisdiction in case of a legal dispute, but this is not the most critical part of an SLA.
Which of the following business continuity plan tests involves participation of relevant members of the crisis management/response team to practice proper coordination? A. Tabletop B. Functional C. Full-scale D. Deskcheck
A is the correct answer. Justification A. The primary purpose of tabletop testing is to practice proper coordination because it involves all or some of the crisis team members and is focused more on coordination and communication issues than on technical process details. B. Functional testing involves mobilization of personnel and resources at various geographic sites. This is a more in-depth functional test and not primarily focused on coordination and communication. C. Full-scale testing involves enterprisewide participation and full involvement of external organizations. D. Deskcheck testing requires the least effort of the options given. Its aim is to ensure the plan is up to date and promote familiarity of the BCP to critical personnel from all areas.
After a disaster declaration, the media creation date at a warm recovery site is based on the: A. recovery point objective. B. recovery time objective. C. service delivery objective. D. maximum tolerable outage.
A is the correct answer. Justification A. This is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The media creation date will reflect the point to which data are to be restored, i.e., the RPO. B. This is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. C. Service delivery objective is incorrect. This is directly related to the business needs and is the level of service to be reached during the alternate process mode until the normal situation is restored. D. This is the maximum time that an organization can support processing in alternate mode.
Recovery procedures for an information processing facility are BEST based on: A. recovery time objective. B. recovery point objective. C. maximum tolerable outage. D. information security policy.
A is the correct answer. Justification A. This is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; the RTO is the desired recovery time frame based on maximum tolerable outage (MTO) and available recovery alternatives. B. This has the greatest influence on the recovery strategies for given data. It is determined based on the acceptable data loss in case of a disruption of operations. The RPO effectively quantifies the permissible amount of data loss in case of interruption. C. MTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it represents the time by which the service must be restored before the organization is faced with the threat of collapse. D. This does not address recovery procedures.
During an assessment of software development practices, an IS auditor finds that open source software components were used in an application designed for a client. What is the GREATEST concern the auditor would have about the use of open source software? A. The client did not pay for the open source software components. B. The organization and client must comply with open source software license terms. C. Open source software has security vulnerabilities. D. Open source software is unreliable for commercial use.
B is the correct answer. Justification A. A major benefit of using open source software is that it is free. The client is not required to pay for the open source software components; however, both the developing organization and the client should be concerned about the licensing terms and conditions of the open source software components that are being used. B. There are many types of open source software licenses and each has different terms and conditions. Some open source software licensing allows use of the open source software component freely but requires that the completed software product must also allow the same rights. This is known as viral licensing, and if the development organization is not careful, its products could violate licensing terms by selling the product for profit. The IS auditor should be most concerned with open source software licensing compliance to avoid unintended intellectual property risk or legal consequences. C. Open source software, just like any software code, should be tested for security flaws as part of the normal system development life cycle (SDLC) process. This is not more of a concern than licensing compliance. D. Open source software does not inherently lack quality. Like any software code, it should be tested for reliability as part of the normal SDLC process. This is not more of a concern than licensing compliance.
During the audit of a database server, which of the following would be considered the GREATEST exposure? A. The password on the administrator account does not expire. B. Default global security settings for the database remain unchanged. C. Old data have not been purged. D. Database activity is not fully logged.
B is the correct answer. Justification A. A non-expiring password is a risk and an exposure but not as serious a risk as a weak password or the continued use of default settings. B. Default security settings for the database could allow issues such as blank user passwords or passwords that were the same as the username. C. Failure to purge old data may present a performance issue but is not an immediate security concern. D. Logging all database activity is a potential risk but not as serious a risk as default settings.
Which of the following BEST mitigates the risk of backup media containing irreplaceable information being lost or stolen while in transit? A. Ensure that media are encrypted. B. Maintain a duplicate copy. C. Maintain chain of custody. D. Ensure that personnel are bonded.
B is the correct answer. Justification A. Although strong encryption protects against disclosure, it will not mitigate the loss of irreplaceable data. B. Sensitive data should always be fully backed up before being transmitted or moved. Backups of sensitive information should be treated with the same control considerations as the actual data. C. Chain of custody is an important control, but it will not mitigate a loss if a locked area is broken into and media removed or if media are lost while in an individual's custody. D. Bonded security, although good for preventing theft, will not protect against accidental loss or destruction.
An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the: A. IT department implement control mechanisms to prevent unauthorized software installation. B. security policy be updated to include the specific language regarding unauthorized software. C. IT department prohibit the download of unauthorized software. D. users obtain approval from an IS manager before installing nonstandard software.
B is the correct answer. Justification A. An IS auditor's obligation is to report on observations noted and make the best recommendation, which is to address the situation through policy. The IT department cannot implement controls in the absence of the authority provided through policy. B. Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue and to provide authority for the IT department to implement technical controls. C. Preventing downloads of unauthorized software is not the complete solution. Unauthorized software can also be introduced through compact discs (CDs) and universal serial bus (USB) drives. D. Requiring approval from the IS manager before installation of the nonstandard software is an exception handling control. It would not be effective unless a preventive control to prohibit user installation of unauthorized software is established first.
The BEST method for assessing the effectiveness of a business continuity plan is to review the: A. plans and compare them to appropriate standards. B. results from previous tests. C. emergency procedures and employee training. D. offsite storage and environmental controls.
B is the correct answer. Justification A. Comparisons to standards will give some assurance that the plan addresses the critical aspects of a business continuity plan but will not reveal anything about its effectiveness. B. Previous test results will provide evidence of the effectiveness of the business continuity plan. C. Reviewing emergency procedures would provide insight into some aspects of the plan but would fall short of providing assurance of the plan's overall effectiveness. D. Reviewing offsite storage and environmental controls would provide insight into some aspects of the plan but would fall short of providing assurance of the plan's overall effectiveness.
An IS auditor discovers that some hard drives disposed of by an enterprise were not sanitized in a manner that would reasonably ensure the data could not be recovered. In addition, the enterprise does not have a written policy on data disposal. The IS auditor should FIRST: A. draft an audit finding and discuss it with the auditor in charge. B. determine the sensitivity of the information on the hard drives. C. discuss with the IT manager the good practices in data disposal. D. develop an appropriate data disposal policy for the enterprise.
B is the correct answer. Justification A. Drafting a finding without a quantified risk would be premature. B. Even though a policy is not available, the IS auditor should determine the nature of the information on the hard drives to quantify, as much as possible, the risk. C. It would be premature to discuss good practices with the IT manager until the extent of the incident has been quantified. D. An IS auditor should not develop policies.
Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server? A. Manually copy files to accomplish replication. B. Review changes in the software version control system. C. Ensure that developers do not have access to the backup server. D. Review the access control log of the backup server.
B is the correct answer. Justification A. Even if replication is conducted manually with due care, there still remains a risk of copying unauthorized software from one server to another. B. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Moving only the versions held in the version control system will prevent the transfer of development or earlier versions. C. If unauthorized code was introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk. D. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.
An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment? A. Commands typed on the command line are logged. B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs. C. Access to the operating system command line is granted through an access restriction tool with preapproved rights. D. Software development tools and compilers have been removed from the production environment.
B is the correct answer. Justification A. Having a log is not a control; reviewing the log is a control. B. The matching of hash keys over time would allow detection of changes to files. C. Because the access was already granted at the command line level, it will be possible for the developers to bypass the control. D. Removing the tools from the production environment will not mitigate the risk of unauthorized activity by the developers.
Which of the following is MOST directly affected by network performance monitoring tools? A. Integrity B. Availability C. Completeness D. Confidentiality
B is the correct answer. Justification A. Network monitoring tools can be used to detect errors that are propagating through a network, but their primary focus is on network reliability so that the network is available when required. B. Network monitoring tools allow observation of network performance and problems. This allows the administrator to take corrective action when network problems are observed. Therefore, the characteristic that is most directly affected by network monitoring is availability. C. Network monitoring tools will not measure completeness of the communication. This is measured by the end points in the communication. D. A network monitoring tool can violate confidentiality by allowing a network administrator to observe non-encrypted traffic. This requires careful protection and policies regarding the use of network monitoring tools.
Doing which of the following during peak production hours could result in unexpected downtime? A. Performing data migration or tape backup B. Performing preventive maintenance on electrical systems C. Promoting applications from development to the staging environment D. Reconfiguring a standby router in the data center
B is the correct answer. Justification A. Performing data migration may impact performance but would not cause downtime. B. Preventive maintenance activities should be scheduled for non-peak times of the day, and preferably during a maintenance window time period. A mishap or incident caused by a maintenance worker could result in unplanned downtime. C. Promoting applications into a staging environment (not production) should not affect systems operations in any significant manner. D. Reconfiguring a standby router should not cause unexpected downtime because the router is not operational and any problems should not affect network traffic.
During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that: A. assessment of the situation may be delayed. B. execution of the disaster recovery plan could be impacted. C. notification of the teams might not occur. D. potential crisis recognition might be delayed.
B is the correct answer. Justification A. Problem and severity assessment would provide information necessary in declaring a disaster, but the lack of a crisis declaration point would not delay the assessment. B. Execution of the business continuity and disaster recovery plans would be impacted if the organization does not know when to declare a crisis. C. After a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying the declaration of a disaster would impact or negate the effect of having response teams, but this is only one part of the larger impact. D. Potential crisis recognition is the first step in recognizing or responding to a disaster and would occur prior to the declaration of a disaster.
When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment approaches is being applied? A. Transfer B. Mitigation C. Avoidance D. Acceptance
B is the correct answer. Justification A. Risk transfer is the transference of risk to a third party (e.g., buying insurance for activities that pose a risk). B. A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan, it is a risk mitigation strategy. C. Risk avoidance is the decision to cease operations or activities that give rise to a risk. For example, a company may stop accepting credit card payments to avoid the risk of credit card information disclosure. D. Risk acceptance occurs when an organization decides to accept the risk as it is and to do nothing to mitigate or transfer it.
A programmer maliciously modified a production program to change data and then restored it back to the original code. Which of the following would MOST effectively detect the malicious activity? A. Comparing source code B. Reviewing system log files C. Comparing object code D. Reviewing executable and source code integrity
B is the correct answer. Justification A. Source code comparisons are ineffective because the original programs were restored, and the changed program does not exist. B. This is the only trail that may provide information about the unauthorized activities in the production library. C. Object code comparisons are ineffective because the original programs were restored, and the changed program does not exist. D. This is an ineffective control, because the source code was changed back to the original and will agree with the current executable.
Integrating the business continuity plan into IT project management aids in: A. the testing of the business continuity requirements. B. the development of a more comprehensive set of requirements. C. the development of a transaction flowchart. D. ensuring the application meets the user's needs.
B is the correct answer. Justification A. Testing the BCP's requirements is not related to IT project management. B. Integrating the business continuity plan (BCP) into the development process ensures complete coverage of the requirements through each phase of the project. C. A transaction flowchart aids in analyzing an application's controls but does not affect business continuity. D. A BCP will not directly address the detailed processing needs of the users.
A new application has been purchased from a vendor and is about to be implemented. Which of the following choices is a key consideration when implementing the application? A. Preventing the compromise of the source code during the implementation process B. Ensuring that vendor default accounts and passwords have been disabled C. Removing the old copies of the program from escrow to avoid confusion D. Verifying that the vendor is meeting support and maintenance agreements
B is the correct answer. Justification A. The source code may not even be available to the purchasing organization, and it is the executable or object code that must be protected during implementation. B. Disabling vendor default accounts and passwords is a critical part of implementing a new application. C. Because this is a new application, there should not be any problem with older versions in escrow. D. It is not possible to ensure that the vendor is meeting support and maintenance requirements until the system is operating.
An IS auditor can verify that an organization's business continuity plan (BCP) is effective by reviewing the: A. alignment of the BCP with industry good practices. B. results of business continuity tests performed by IS and end-user personnel. C. offsite facility, its contents, security and environmental controls. D. annual financial cost of the BCP activities versus the expected benefit of the implementation of the plan.
B is the correct answer. Justification A. This does not provide the assurance of the effectiveness of the BCP. B. The effectiveness of the business continuity plan (BCP) can best be evaluated by reviewing the results from previous business continuity tests for thoroughness and accuracy in accomplishing their stated objectives. C. These do not provide the assurance of the effectiveness of the BCP. Only testing will provide an accurate assessment of the effectiveness of the BCP. D. This does not provide the assurance of the effectiveness of the BCP. Only testing will provide an accurate assessment of the effectiveness of the BCP.
An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan? A. Full operational test B. Preparedness test C. Paper test D. Regression test
B is the correct answer. Justification A. This is conducted after the paper and preparedness test and is quite expensive. B. This is performed by each local office/area to test the adequacy of the preparedness of local operations for disaster recovery. C. This is a structured walk-through of the disaster recovery plan and should be conducted before a preparedness test, but a paper test (deskcheck) is not sufficient to test the viability of the plan. D. This is not a disaster recovery plan test and is used in software development and maintenance.
In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems? A. Maintaining system software parameters B. Ensuring periodic dumps of transaction logs C. Ensuring grandfather-father-son file backups D. Maintaining important data at an offsite location
B is the correct answer. Justification A. This is important for all systems, not just online systems. B. This is the only safe way of preserving timely historic data. Because online systems do not have a paper trail that can be used to recreate data, maintaining transaction logs is critically important to prevent data loss. The volume of activity usually associated with an online system may make other more traditional methods of backup impractical. C. Having generations of backups is a good practice for all systems. D. All backups should consider offsite storage at a location that is accessible but not likely to be affected by the same disaster.
A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk? A. Confidentiality of the information stored in the database B. The hardware being used to run the database application C. Backups of the information in the overseas database D. Remote access to the backup database
B is the correct answer. Justification A. This is not a major concern, because the information is intended for public use. B. The business objective is to make the information available to the public in a timely manner. Because the database is physically located overseas, hardware failures that are left unfixed can reduce the availability of the system to users. C. These are not a major concern, because the overseas database is a mirror of the local database; thus, a backup copy exists locally. D. This does not impact availability.
Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? A. System log analysis B. Compliance testing C. Forensic analysis D. Analytical review
B is the correct answer. Justification A. This would identify changes and activity on a system but would not identify whether the change was authorized unless conducted as a part of a compliance test. B. Determining that only authorized modifications are made to production programs would require that the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. C. This is a specialized technique for criminal investigation. D. This assesses the general control environment of an organization.
Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative? A. Perform disaster recovery exercises annually. B. Ensure that partnering organizations are separated geographically. C. Regularly perform a business impact analysis. D. Select a partnering organization with similar systems.
B is the correct answer. Justification A. While disaster recovery exercises are important, they are difficult to perform under a reciprocal agreement, and the greater risk is geographic proximity. B. If the two partnering organizations are in close geographic proximity, this could lead to both organizations being subjected to the same environmental disaster, such as an earthquake. C. A business impact analysis will help both organizations identify critical applications, but separation is a more important consideration when entering reciprocal agreements. D. Selecting a partnering organization with similar systems is a good idea, but separation is a more important consideration when entering reciprocal agreements.
An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following would be the GREATEST concern? A. System administrators use shared accounts which never expire at the hot site. B. Disk space utilization data are not kept current. C. Physical security controls at the hot site are less robust than at the main site. D. Servers at the hot site do not have the same specifications as at the main site.
B is the correct answer. Justification A. While it is not a good practice for system administrators to share accounts that do not expire, the greater risk in this scenario would be running out of disk space. B. Not knowing how much disk space is in use and, therefore, how much is needed at the disaster recovery site could create major issues in the case of a disaster. C. Physical security controls are important, and this would be a concern, but the more important concern would be running out of disk space. The particular physical characteristics of the disaster recovery site may call for different controls that may appear to be less robust than those at the main site; however, such a risk could be addressed through policy and procedures or by adding additional personnel if needed. D. As long as the servers at the hot site are capable of running the programs that are required in a disaster recovery situation, the precise capabilities of the servers at the hot site are not a major risk. It is necessary to ensure that software configuration and settings match the servers at the main site, but it is not unusual for newer and more powerful servers to exist at the main site for everyday production use while the standby servers are less powerful.
During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that: A. only systems administrators perform the patch process. B. the client's change management process is adequate. C. patches are validated using parallel testing in production. D. an approval process of the patch, including a risk assessment, is developed.
B is the correct answer. Justification A. While system administrators would normally install patches, it is more important that changes be made according to a formal procedure that includes testing and implementing the change during nonproduction times. B. The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly. C. While patches would normally undergo testing, it is often impossible to test all patches thoroughly. It is more important that changes be made during nonproduction times, and that a backout plan is in place in case of problems. D. An approval process alone could not directly prevent this type of incident from happening. There should be a complete change management process that includes testing, scheduling and approval.
Which of the following is MOST important when an operating system patch is to be applied to a production environment? A. Successful regression testing by the developer B. Approval from the information asset owner C. Approval from the security officer D. Patch installation at alternate sites
B is the correct answer. Justification A. While testing is important for any patch, in this case it should be assumed that the operating system (OS) vendor tested the patch before releasing it. Before this OS patch is put into production, the organization should do system testing to ensure that no issues will occur. B. It is most important that information owners approve any changes to production systems to ensure that no serious business disruption takes place as the result of the patch release. C. The security officer does not normally need to approve every OS patch. D. Security patches need to be deployed consistently across the organization, including alternate sites. However, approval from the information asset owner is still the most important consideration.
An IS auditor is reviewing an organization's disaster recovery plan (DRP) implementation. The project was completed on time and on budget. During the review, the auditor uncovers several areas of concern. Which of the following presents the GREATEST risk? A. Testing of the DRP has not been performed. B. The disaster recovery strategy does not specify use of a hot site. C. The business impact analysis was conducted, but the results were not used. D. The disaster recovery project manager for the implementation has recently left the organization.
C is the correct answer. Justification A. Although testing a DRP is a critical component of a successful disaster recovery strategy, this is not the biggest risk; the biggest risk comes from a plan that is not properly designed. B. Use of a hot site is a strategic determination based on tolerable downtime, cost and other factors. Although using a hot site may be considered a good practice, this is a very costly solution that may not be required for the organization. C. The risk of not using the results of the BIA for disaster recovery planning means that the disaster recovery plan (DRP) may not be designed to recover the most critical assets in the correct order. As a result, the plan may not be adequate to allow the organization to recover from a disaster. D. If the DRP is designed and documented properly, the loss of an experienced project manager should have minimal impact. The risk of a poorly designed plan that may not meet the requirements of the business is much more significant than the risk posed by loss of the project manager.
An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability? A. Changes are authorized by IT managers at all times. B. User acceptance testing is performed and properly documented. C. Test plans and procedures exist and are closely followed. D. Capacity planning is performed as part of each development project.
C is the correct answer. Justification A. Changes are usually required to be signed off by a business analyst, member of the change control board or other authorized representative, not necessarily by IT management. B. User acceptance testing is important but not a critical element of change control and would not usually address the topic of availability as asked in the question. C. The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently. D. While capacity planning should be considered in each development project, it will not ensure system availability, nor is it part of the change control process.
The BEST audit procedure to determine if unauthorized changes have been made to production code is to: A. examine the change control system records and trace them forward to object code files. B. review access control permissions operating within the production program libraries. C. examine object code to find instances of changes and trace them back to change control records. D. review change approved designations established within the change control system.
C is the correct answer. Justification A. Checking the change control system will not detect changes that were not recorded in the control system. B. Reviewing access control permissions will not identify unauthorized changes made previously. C. The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes. D. Reviewing change approved designations will not identify unauthorized changes.
While reviewing the process for continuous monitoring of the capacity and performance of IT resources, an IS auditor should PRIMARILY ensure that the process is focused on: A. adequately monitoring service levels of IT resources and services. B. providing data to enable timely planning for capacity and performance requirements. C. providing accurate feedback on IT resource capacity. D. properly forecasting performance, capacity and throughput of IT resources.
C is the correct answer. Justification A. Continuous monitoring helps to ensure that service level agreements (SLAs) are met, but this would not be the primary focus of monitoring. It is possible that even if a system were offline, it would meet the requirements of an SLA. Therefore, accurate availability monitoring is more important. B. While data gained from capacity and performance monitoring would be an input to the planning process, the primary focus would be to monitor availability. C. Accurate capacity monitoring of IT resources would be the most critical element of a continuous monitoring process. D. While continuous monitoring would help management to predict likely IT resource capabilities, the more critical issue would be that availability monitoring is accurate.
Which of the following is the BEST reason for integrating the testing of noncritical systems in disaster recovery plans (DRPs) with business continuity plans (BCPs)? A. To ensure that DRPs are aligned to the business impact analysis. B. Infrastructure recovery personnel can be assisted by business subject matter experts. C. BCPs may assume the existence of capabilities that are not in DRPs. D. To provide business executives with knowledge of disaster recovery capabilities.
C is the correct answer. Justification A. DRPs should be aligned with the business impact analysis; however, this has no impact on integrating the testing of noncritical systems in DRPs with BCPs. B. Infrastructure personnel will be focused on restoring the various platforms that make up the infrastructure, and it is not necessary for business subject matter experts to be involved. C. BCPs may assume the existence of capabilities that are not part of the DRPs, such as allowing employees to work from home during the disaster; however, IT may not have made sufficient provisions for these capabilities (e.g., they cannot support a large number of employees working from home). While the noncritical systems are important, it is possible that they are not part of the DRPs. For example, an organization may use an online system that does not interface with the internal systems. If the business function using the system is a critical process, the system should be tested, and it may not be part of the DRP. Therefore, DRP and BCP testing should be integrated. D. While business executives may be interested in the benefits of disaster recovery, testing is not the best way to accomplish this task.
An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access is required for smooth functioning of business operations, but this practice may not be addressed in the enterprise's access management policy. Which of the following controls would the IS auditor MOST likely recommend first for long-term resolution? A. Redesign of the controls related to data authorization. B. Implementation of additional segregation of duties controls as these users take on different roles. C. Amendment of the access management policy to document a formal exception process. D. Implementation of additional logging controls to identify any abuse of elevated system access.
C is the correct answer. Justification A. Data authorization controls should be driven by the policy. While there may be some technical controls that could be adjusted, if the data changes happen infrequently, then an exception process would be the better choice. B. While adequate segregation of duties is important, the IS auditor must first review the policy to see if there is a formal documented process for this type of temporary access and for the controls that enforce segregation of duties. C. If users are granted access to change data in support of business requirements, the policy should be followed. If there is no policy for the granting of extraordinary access, then one should be designed to ensure that no unauthorized changes are made. D. Audit trails are needed whenever temporary elevated access is required. However, this is not the first step the auditor should take in reviewing the overall process.
During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor's GREATEST concern? A. Restoration testing for backup media is not performed; however, all data restore requests have been successful. B. The policy for data backup and retention has not been reviewed by the business owner for the past three years. C. The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually. D. Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator.
C is the correct answer. Justification A. Lack of restoration testing does not increase the risk of unauthorized leakage of information. Not performing restoration tests on backup tapes poses a risk; however, this risk is somewhat mitigated because past data restore requests have been successful. B. Lack of review of the data backup and retention policy may be of a concern if systems and business processes have changed in the past three years. The IS auditor should perform additional procedures to verify the validity of existing procedures. In addition, lack of this control does not introduce a risk of unauthorized leakage of information. C. For a company working with confidential patient data, the loss of a backup tape is a significant incident. Privacy laws specify severe penalties for such an event, and the company's reputation could be damaged due to mandated reporting requirements. To gain assurance that tapes are being handled properly, the organization should perform audit tests that include frequent physical inventories and an evaluation of the controls in place at the third-party provider. D. Failed backup alerts that are not followed up on and resolved imply that certain data or files are not backed up. This is a concern if the files/data being backed up are critical in nature, but, typically, marketing data files are not regulated in the same way as medical transcription files. Lack of this control does not introduce a risk of unauthorized leakage of sensitive information.
An IS auditor notes that patches for the operating system used by an organization are deployed by the IT department as advised by the vendor. The MOST significant concern an IS auditor should have with this practice is that IT has NOT considered: A. the training needs for users after applying the patch. B. any beneficial impact of the patch on the operational systems. C. delaying deployment until testing the impact of the patch. D. the necessity of advising end users of new patches.
C is the correct answer. Justification A. Normally, there is no need for training users when a new operating system patch has been installed. B. Any beneficial impact is less important than the risk of unavailability, which could be avoided with proper testing. C. Deploying patches without testing exposes an organization to the risk of system disruption or failure. D. Normally, there is no need for advising users when a new operating system patch has been installed except to ensure that the patch is applied at a time that will have minimal impact on operations.
To address an organization's disaster recovery requirements, backup intervals should not exceed the: A. service level objective. B. recovery time objective. C. recovery point objective. D. maximum acceptable outage.
C is the correct answer. Justification A. Organizations will try to set a service level objective to meet established business targets. The resulting time for the service level agreement relates to recovery of services, not to recovery of data. B. This defines the time period after the disaster in which normal business functionality needs to be restored. C. This defines the point in time to which data must be restored after a disaster to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time frame. If the backups are not done frequently enough, then too many data are likely to be lost. D. This is the maximum amount of system downtime that is tolerable. It can be used as a synonym for maximum tolerable period of disruption or maximum allowable downtime. However, the RTO denotes an objective/target, while the MAO constitutes a vital necessity for an organization's survival.
Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity? A. Draft and publish a clear practice for enterprise-level incident response. B. Establish a cross-departmental working group to share perspectives. C. Develop a scenario and perform a structured walk-through. D. Develop a project plan for end-to-end testing of disaster recovery.
C is the correct answer. Justification A. Publishing an enterprise-level incident response plan is effective only if business continuity aligned itself to incident response. Incident response supports business continuity, not the other way around. B. Sharing perspectives is valuable, but a working group does not necessarily lead to ensuring that the interface between plans is workable. C. A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans. D. A project plan developed for disaster recovery will not necessarily address deficiencies in business continuity or incident response.
The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks level 1 in a file server is to: A. improve performance. B. provide user authentication. C. ensure availability of data. D. ensure the confidentiality of data.
C is the correct answer. Justification A. RAID level 1 does not improve performance. It writes the data to two separate disk drives. B. RAID level 1 has no relevance to authentication. C. Redundant Array of Inexpensive Disks (RAID) level 1 provides disk mirroring. Data written to one disk are also written to another disk. Users in the network access data in the first disk; if disk one fails, the second disk takes over. This redundancy ensures the availability of data. D. RAID level 1 does nothing to provide for data confidentiality.
A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines. Which of the following would be the BEST contingency plan for the communications processor? A. Reciprocal agreement with another organization B. Alternate processor in the same location C. Alternate processor at another network node D. Duplex communication links
C is the correct answer. Justification A. Reciprocal agreements make an organization dependent on the other organization and raise privacy, competition and regulatory issues. B. Having an alternate processor in the same location resolves the equipment problem but would not be effective if the failure was caused by environmental conditions (e.g., power disruption). C. The unavailability of the central communications processor would disrupt all access to the banking network. This could be caused by an equipment, power or communications failure. Having a duplicate processor in another location that could be used for alternate processing is the best solution. D. The installation of duplex communication links would only be appropriate if the failure were limited to the communication link.
As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis? A. Risk such as single point-of-failure and infrastructure risk B. Threats to critical business processes C. Critical business processes for ascertaining the priority for recovery D. Resources required for resumption of business
C is the correct answer. Justification A. Risk should be identified after the critical business processes have been identified. B. The identification of threats to critical business processes can only be determined after the critical business processes have been identified. C. The identification of critical business processes should be addressed first so that the priorities and time lines for recovery can be documented. D. Identification of resources required for business resumption will occur after the identification of critical business processes.
To ensure structured disaster recovery, it is MOST important that the business continuity plan and disaster recovery plan are: A. stored at an alternate location. B. communicated to all users. C. tested regularly. D. updated regularly.
C is the correct answer. Justification A. Storing the BCP at an alternate location is useful in the case of a complete site outage; however, the BCP is not useful during a disaster without adequate tests. B. Communicating the plan to users is not of much use without actual tests. C. If the business continuity plan (BCP) is tested regularly, the BCP and disaster recovery plan teams are adequately aware of the process, which helps ensure structured disaster recovery. D. Even if the plan is updated regularly, it is of less use during an actual disaster if it is not adequately tested.
Which of the following is the PRIMARY objective of the business continuity plan process? A. To provide assurance to stakeholders that business operations will continue in the event of disaster B. To establish an alternate site for IT services to meet predefined recovery time objectives C. To manage risk while recovering from an event that adversely affected operations D. To meet the regulatory compliance requirements in the event of natural disaster.
C is the correct answer. Justification A. The BCP in itself does not provide assurance of continuing operations; however, it helps the organization to respond to disruptions to critical business processes. B. Establishment of an alternate site is more relevant to disaster recovery than the BCP. C. The business continuity plan (BCP) process primarily focuses on managing and mitigating risk during recovery of operations due to an event that affected operations. D. The regulatory compliance requirements may help establish the recovery time objective (RTO) requirements.
For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be: A. stored in a secure, offsite facility. B. approved by senior management. C. communicated to appropriate personnel. D. made available through the enterprise's intranet.
C is the correct answer. Justification A. The BCP, if kept in a safe place, will not reach the users; users will never implement the BCP and, thus, the BCP will be ineffective. B. Senior management approval is a prerequisite for designing and approving the BCP but is less important than making sure that the plan is available to all key personnel to ensure that the plan will be effective. C. The implementation of a business continuity plan (BCP) will be effective only if appropriate personnel are informed and aware of all the aspects of the BCP. D. Making a BCP available on an enterprise's intranet does not guarantee that personnel will be able to access, read or understand it.
While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructure damage. The BEST recommendation the IS auditor can provide to the organization is to ensure: A. the salvage team is trained to use the notification system. B. the notification system provides for the recovery of the backup. C. redundancies are built into the notification system. D. the notification systems are stored in a vault.
C is the correct answer. Justification A. The salvage team would not be able to use a severely damaged notification system, even if they are trained to use it. B. The recovery of the backups has no bearing on the notification system. C. If the notification system has been severely impacted by the damage, redundancy would be the best control. D. Storing the notification system in a vault would be of little value if the building is damaged.
Which of the following must exist to ensure the viability of a duplicate information processing facility? A. The site is near the primary site to ensure quick and efficient recovery. B. The site contains the most advanced hardware available. C. The workload of the primary site is monitored to ensure adequate backup is available. D. The hardware is tested when it is installed to ensure it is working properly.
C is the correct answer. Justification A. The site chosen should not be subject to the same natural disaster as the primary site. Being close may be a risk or an advantage, depending on the type of expected disaster. B. A reasonable compatibility of hardware/software must exist to serve as a basis for backup. The latest or newest hardware may not adequately serve this need. C. Resource availability must be assured. The workload of the primary site must be monitored to ensure that availability at the alternate site for emergency backup use is sufficient. D. Testing the hardware when the site is established is essential, but regular testing of the actual backup data is necessary to ensure that the operation will continue to perform as planned.
The MAIN purpose for periodically testing offsite disaster recovery facilities is to: A. protect the integrity of the data in the database. B. eliminate the need to develop detailed contingency plans. C. ensure the continued compatibility of the contingency facilities. D. ensure that program and system documentation remains current.
C is the correct answer. Justification A. The testing of an offsite facility does nothing to protect the integrity of the database. It may test the validity of backups but does not protect their integrity. B. Testing an offsite location validates the value of the contingency plans and is not used to eliminate detailed plans. C. The main purpose of offsite hardware testing is to ensure the continued compatibility of the contingency facilities so that assurance can be gained that the contingency plans would work in an actual disaster. D. Program and system documentation should be reviewed continuously for currency. A test of an offsite facility may ensure that the documentation for that site is current, but this is not the purpose of testing an offsite facility.
An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls? A. Allow changes to be made only with the database administrator (DBA) user account. B. Make changes to the database after granting access to a normal user account. C. Use the DBA user account to make changes, log the changes and review the change log the following day. D. Use the normal user account to make changes, log the changes and review the change log the following day.
C is the correct answer. Justification A. The use of the database administrator (DBA) user account without logging would permit uncontrolled changes to be made to databases after access to the account was obtained. B. A normal user account should not have access to a database. This would permit uncontrolled changes to any of the databases. C. The DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed the following day. Because an abbreviated number of steps is used after hours, this represents an adequate set of compensating controls. D. Users should not be able to make changes. Logging would only provide information on changes made but would not limit changes to only those who were authorized.
In a contract with a hot, warm or cold site, contractual provisions should PRIMARILY cover which of the following considerations? A. Physical security measures B. Total number of subscribers C. Number of subscribers permitted to use a site at one time D. References by other users
C is the correct answer. Justification A. These are not always part of the contract, although they are an important consideration when choosing a third-party site. B. This is a consideration, but more important is whether the agreement limits the number of subscribers in a building or in a specific area. It is also good to know if other subscribers are competitors. C. The contract should specify the number of subscribers permitted to use the site at any one time. The contract can be written to give preference to certain subscribers. D. The references that other users can provide are a consideration taken before signing the contract; it is by no means part of the contractual provisions.
An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess: A. problem management procedures. B. software development procedures. C. backout procedures. D. incident management procedures.
C is the correct answer. Justification A. These are used to track user feedback and issues related to the operation of an application for trend analysis and problem resolution. B. These procedures such as the software development life cycle (SDLC) are used to manage the creation or acquisition of new or modified software. C. These are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process—a process which specifies what procedures should be followed when software is being upgraded but the upgrade does not work and requires a fallback to its former state. D. These are used to manage errors or problems with system operation. They are usually used by a help desk. One of the incident management procedures may be how to follow a fallback plan.
An IS auditor is reviewing the change management process for an enterprise resource planning application. Which of the following is the BEST method for testing program changes? A. Select a sample of change tickets and review them for authorization. B. Perform a walk-through by tracing a program change from start to finish. C. Trace a sample of modified programs to supporting change tickets. D. Use query software to analyze all change tickets for missing fields.
C is the correct answer. Justification A. This helps test for authorization controls; however, it does not identify program changes that were made without supporting change tickets. B. This assists the IS auditor in understanding the process but does not ensure that all changes adhere to the normal process. C. This is the best way to test change management controls. This method is most likely to identify instances in which a change was made without supporting documentation. D. This does not identify program changes that were made without supporting change tickets.
The PRIMARY benefit of an IT manager monitoring technical capacity is to: A. identify the need for new hardware and storage procurement. B. determine the future capacity need based on usage. C. ensure that the service level requirements are met. D. ensure that systems operate at optimal capacity.
C is the correct answer. Justification A. This is one benefit of monitoring technical capacity because it can help forecast future demands, not just react to system failures. However, the primary responsibility of the IT manager is to meet the overall requirement to ensure that IT is meeting the service level expectations of the business. B. Determining future capacity is one definite benefit of technical capacity monitoring. C. Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal service level agreement between the business and IT. D. IT management is interested in ensuring that systems are operating at optimal capacity, but their primary obligation is to ensure that IT is meeting the service level requirements of the business.
In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on? A. A size check B. A hash total C. A validity check D. A field check
C is the correct answer. Justification A. This is useful because passwords should have a minimum length, but it is not as strong a control as a validity check. B. Passwords are not typically entered in batch mode, so a hash total would not be effective. More important, a system should not accept incorrect values of a password, so a hash total as a control will not indicate any weak passwords, errors or omissions. C. This would be the most useful for the verification of passwords because it would verify that the required format has been used—for example, not using a dictionary word, including non-alphabetical characters, etc. An effective password must have several different types of characters: alphabetical, numeric and special. D. The implementation of a field check would not be as effective as a validity check that verifies that all password criteria have been met.
While auditing an e-commerce architecture, an IS auditor notes that customer master data are stored on the web server for six months after the transaction date and then purged due to inactivity. Which of the following should be the PRIMARY concern for the IS auditor? A. Availability of customer data B. Integrity of customer data C. Confidentiality of customer data D. System storage performance
C is the correct answer. Justification A. This may be affected during an Internet connection outage, but this is of a lower concern than confidentiality. B. This is affected only if security controls are weak enough to permit unauthorized modifications to the data, and it may be tracked by logging of changes. Confidentiality of data is a larger concern. C. Due to its exposure to the Internet, storing customer data for six months raises concerns regarding confidentiality of customer data. D. This may be a concern due to the volume of data. However, the bigger issue is that the information is protected.
IT management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend: A. upgrading to a level 5 RAID. B. increasing the frequency of onsite backups. C. reinstating the offsite backups. D. establishing a cold site in a secure location.
C is the correct answer. Justification A. This will not address the problem of catastrophic failure of the data center housing all the data. B. This is not relevant to RAID 1 because all data are being mirrored already. C. A Redundant Array of Inexpensive Disks (RAID) system, at any level, will not protect against a natural disaster. The problem will not be alleviated without offsite backups. D. A cold site is an offsite recovery location but will not provide for data recovery because a cold site is not used to store data.
During the review of an enterprise's preventive maintenance process for systems at a data center, the IS auditor has determined that adequate maintenance is being performed on all critical computing, power and cooling systems. Additionally, it is MOST important for the IS auditor to ensure that the organization: A. has performed background checks on all service personnel. B. escorts service personnel at all times when performing their work. C. performs maintenance during noncritical processing times. D. independently verifies that maintenance is being performed.
C is the correct answer. Justification A. While the trustworthiness of the service personnel is important, it is normal practice for these individuals to be escorted and supervised by the data center personnel. It is also expected that the service provider would perform this background check, not the customer. B. This is common and a good practice, but the greater risk in this case would be if work were performed during critical processing times. C. The biggest risk to normal operations in a data center would be if an incident or mishap were to happen during critical peak processing times; therefore, it would be prudent to ensure that no type of system maintenance be performed at these critical times. D. It is possible that the service provider is performing inadequate maintenance; therefore, this issue may need to be investigated; however, the bigger risk is maintenance being performed at critical processing times.
The GREATEST advantage of using web services for the exchange of information between two systems is: A. secure communication. B. improved performance. C. efficient interfacing. D. enhanced documentation.
C is the correct answer. Justification A. Communication is not necessarily more secure using web services. B. The use of web services will not necessarily increase performance. C. Web services facilitate the interoperable exchange of information between two systems regardless of the operating system or programming language used. D. There is no documentation benefit in using web services.
A disaster recovery plan for an organization's financial system specifies that the recovery point objective is zero and the recovery time objective is 72 hours. Which of the following is the MOST cost-effective solution? A. A hot site that can be operational in eight hours with asynchronous backup of the transaction logs B. Distributed database systems in multiple locations updated asynchronously C. Synchronous updates of the data and standby active systems in a hot site D. Synchronous remote copy of the data in a warm site that can be operational in 48 hours
D is the correct answer. Justification A. A hot site would meet the RTO but would incur higher costs than necessary. B. Asynchronous updates of the database in distributed locations do not meet the recovery point objective (RPO). C. These meet the RPO and RTO requirements but are costlier than a warm site solution. D. This is correct as it meets the required recovery time objective (RTO).
An IS auditor determined that the IT manager recently changed the vendor that is responsible for performing maintenance on critical computer systems to cut costs. While the new vendor is less expensive, the new maintenance contract specifies an incident resolution time that differs from the one in the original vendor's contract. Which of the following should be the GREATEST concern to the IS auditor? A. Disaster recovery plans may be invalid and need to be revised. B. Transactional business data may be lost in the event of system failure. C. The new maintenance vendor is not familiar with the organization's policies. D. Application owners were not informed of the change.
D is the correct answer. Justification A. Disaster recovery plans (DRPs) must support the needs of the business, but the greater risk is that application owners are not aware of the change in resolution time. B. Transactional business data loss is determined by data backup frequency and, consequently, the backup schedule. C. The vendor must abide by the terms of the contract and those should include compliance with the privacy policies of the organization, but the lack of application owner involvement is the most important concern. D. The greatest risk of making a change to the maintenance of critical systems is that the change could have an adverse impact on a critical business process. While there is a benefit in selecting a less expensive maintenance vendor, the resolution time must be aligned with the needs of the business.
Which of the following provides the BEST evidence of an organization's disaster recovery capability readiness? A. A disaster recovery plan (DRP) B. Customer references for the alternate site provider C. Processes for maintaining the DRP D. Results of tests and exercises
D is the correct answer. Justification A. Having a plan is important, but a plan cannot be considered effective until it has been tested. B. Customer references may aid in choosing an alternate site provider but will not ensure the effectiveness of the plan. C. A DRP must be kept up to date through a regular maintenance and review schedule, but this is not as important as testing. D. Only tests and exercises demonstrate the adequacy of the plans and provide reasonable assurance of an organization's disaster recovery capability readiness.
Which of the following would BEST ensure uninterrupted operations in an organization with IT operation centers in several countries? A. Distribution of key procedural documentation B. Reciprocal agreement between business partners C. Strong senior management leadership D. Employee training on the business continuity plan
D is the correct answer. Justification A. Procedural documentation should always be up to date and distributed to major locations. However, documents alone are insufficient if employees do not know their role in the plan. B. A reciprocal agreement is an emergency processing agreement between two or more enterprises with similar equipment or applications. Typically, participants of a reciprocal agreement promise to provide processing time to each other when an emergency arises. While it is integral to business continuity to have a location for business operations, it does not necessarily need to be a reciprocal agreement. For example, in some cases, business operations may be carried out from each employee's home. C. Senior management may not be readily available to provide leadership during a disaster. Therefore, it is most important that employees fully understand their roles in the BCP. D. During a disaster, the chain of command might be interrupted. Therefore, it is important that employees know their roles in the BCP, including where to report and how to perform their job functions. Employee training on the plan is especially important for businesses with offices that are geographically separated because there is a greater chance of communication disruption.
Which of the following is the BEST method to ensure that critical IT system failures do not recur? A. Invest in redundant systems. B. Conduct a follow-up audit. C. Monitor system performance. D. Perform root cause analysis.
D is the correct answer. Justification A. Redundancy may be a solution; however, a root cause analysis enables an educated decision to address the origin of the problem instead of simply assuming that system redundancy is the solution. B. While an audit may discover the root cause of the problem, an audit is not a solution to an operational problem. Identifying the origins of operational failures needs to be part of day-to-day IT processes and owned by the IT department. C. Use of monitoring tools is a means to gather data and can contribute to root cause analysis, but it does not by itself help prevent an existing problem from recurring. D. Root cause analysis determines the key reason an incident has occurred and allows for appropriate corrections that will help prevent the incident from recurring.
When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next: A. recommend that the database be normalized. B. review the conceptual data model. C. review the stored procedures. D. review the justification.
D is the correct answer. Justification A. The IS auditor should not recommend normalizing the database until further investigation takes place. B. This will not provide information about normalization or the justification for the level of normalization. C. This will not provide information about normalization. D. If the database is not normalized, the IS auditor should review the justification because, in some situations, denormalization is recommended for performance reasons.
While conducting an audit on the customer relationship management application, the IS auditor observes that it takes a significantly long time for users to log on to the system during peak business hours as compared with other times of the day. Once logged on, the average response time for the system is within acceptable limits. Which of the following choices should the IS auditor recommend? A. No action should be taken because the system meets current business requirements. B. IT should increase the network bandwidth to improve performance. C. Users should be provided with detailed manuals to use the system properly. D. Establish performance measurement criteria for the authentication servers.
D is the correct answer. Justification A. The IS auditor should not recommend taking no action because a delayed login process has a negative impact on employee productivity. B. Network bandwidth may or may not be the root cause of this issue. Performance measurement criteria may help determine the cause, which can then be remediated. C. Because the problem is related to logging on and not to processing, additional training for users would not be effective in this case. D. Performance criteria for the authentication servers would help to quantify acceptable thresholds for system performance, which can be measured and remediated.
Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement for the availability of outsourced telecommunication services? A. Downtime reports on the telecommunication services generated by the ISP B. A utilization report of automatic failover services generated by the enterprise C. A bandwidth utilization report provided by the ISP D. Downtime reports on the telecommunication services generated by the enterprise
D is the correct answer. Justification A. The ISP-generated downtime reports are produced by the same entity that is being monitored. As a result, it will be necessary to review these reports for possible bias and/or errors against other data. B. The information provided by these reports is indirect evidence of the extent that the backup telecommunication services were used. These reports may not indicate compliance with the service level agreement, just that the failover systems had been used. C. Utilization reports are used to measure the usage of bandwidth, not uptime. D. The enterprise should use internally generated downtime reports to monitor the service provided by the Internet service provider (ISP) and, as available, to compare with the reports provided by the ISP.
An IS auditor is evaluating network performance for an organization that is considering increasing its Internet bandwidth due to a performance degradation during business hours. Which of the following is MOST likely the cause of the performance degradation? A. Malware on servers B. Firewall misconfiguration C. Increased spam received by the email server D. Unauthorized network activities
D is the correct answer. Justification A. The existence of malware on the organization's server could contribute to network performance issues, but the degraded performance would not likely be restricted to business hours. B. This could contribute to network performance issues, but the degraded performance would not likely be restricted to business hours. C. The existence of spam on the organization's email server could contribute to network performance issues, but the degraded performance would not likely be restricted to business hours. D. Unauthorized network activities—such as employee use of file or music sharing sites or online gambling or personal email containing large files or photos—could contribute to network performance issues. Because the IS auditor found the degraded performance during business hours, this is the most likely cause.