CISA Practice Questions
In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems?
A. Maintaining system software parameters
B. Ensuring periodic dumps of transaction logs
C. Ensuring grandfather-father-son file backups
D. Maintaining important data at an offsite location
You answered A. The correct answer is B. A. Maintaining system software parameters is important for all systems, not just online systems. B. Ensuring periodic dumps of transaction logs is the only safe way of preserving timely historic data. Because online systems do not have a paper trail that can be used to recreate data, maintaining transaction logs is critically important to prevent data loss. The volume of activity usually associated with an online system may make other more traditional methods of backup impractical. C. Having generations of backups is best practice for all systems. D. All backups should consider offsite storage at a location that is accessible but not likely to be affected by the same disaster.
Which of the following IT governance best practices improves strategic alignment?
A. Supplier and partner risk is managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediates between the imperatives of business and technology.
You answered B. The correct answer is D. A. Supplier and partner risk being managed is a risk management best practice, but not a strategic function. B. A knowledge base on customers, products, markets and processes being in place is an IT value delivery best practice, but does not ensure strategic alignment. C. An infrastructure being provided to facilitate the creation and sharing of business information is an IT value delivery and risk management best practice, but is not as effective as top management involvement in business and technology alignment. D. Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice.
A decision support system (DSS) is used to help high-level management:
A. solve highly structured problems.
B. combine the use of decision models with predetermined criteria.
C. make decisions based on data analysis and interactive models.
D. support only structured decision-making tasks.
You are correct, the answer is C. A. A decision support system (DSS) is aimed at solving less structured problems. B. A DSS combines the use of models and analytic techniques with traditional data access and retrieval functions, but is not limited by predetermined criteria. C. A DSS emphasizes flexibility in the decision-making approach of management through data analysis and the use of interactive models, not fixed criteria. D. A DSS supports semistructured decision-making tasks.
The sender of a public key would be authenticated by a:
A. certificate revocation list (CRL).
B. digital signature.
C. digital certificate.
D. receiver's private key.
You are correct, the answer is C. A. A certificate revocation list (CRL) is the list of certificates that can no longer be trusted. B. A digital signature is used to ensure integrity of the message being sent and solve the nonrepudiation issue of message origination. C. A digital certificate is an electronic document that declares a public key holder is who the holder claims to be. The certificates do handle data authentication as they are used to determine who sent a particular message. D. The sender's public key cannot be opened by any key except the sender's private key.
Which of the following BEST ensures that business requirements are met prior to implementation?
A. Feasibility study
B. User acceptance testing (UAT)
C. Postimplementation review
D. Implementation plan
You answered A. The correct answer is B. A. A feasibility study describes the key alternative courses of action that will satisfy the business and functional requirements of a project, including an evaluation of the technological and economic feasibility. A feasibility study is conducted at the commencement of the project. However, the final user acceptance testing (UAT) happens after the feasibility study and therefore is of greater value. B. UAT ensures that business process owners and IT stakeholders evaluate the outcome of the testing process to ensure that business requirements are met. C. The postimplementation review occurs after the implementation. D. The implementation plan formally defines expectations and performance measurement, and the effective recovery in the event of implementation failure. It does not ensure that business requirements are met.
Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an application traffic matrix showing protection methods
You answered A. The correct answer is B. A. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step. B. The applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. C. Having identified the externally accessed applications, the second step is to identify vulnerabilities (weaknesses) associated with the network applications. D. The fourth step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.
Of the following alternatives, the FIRST approach to developing a disaster recovery strategy would be to assess whether:
A. all threats can be completely removed.
B. a cost-effective, built-in resilience can be implemented.
C. the recovery time objective (RTO) can be optimized.
D. the cost of recovery can be minimized.
You answered A. The correct answer is B. A. It is impossible to remove all existing and future threats. B. It is critical to initially identify information assets that can be made more resilient to disasters, e.g., diverse routing, alternate paths or multiple communication carriers. Preventing a problem is always better than planning to address a problem when it happens. C. The optimization of the recovery time objective (RTO) comes later in the development of the disaster recovery strategy. D. Efforts to minimize the cost of recovery come later in the development of the disaster recovery strategy.
In a public key infrastructure (PKI), a registration authority:
A. verifies information supplied by the subject requesting a certificate.
B. issues the certificate after the required attributes are verified and the keys are generated.
C. digitally signs a message to achieve nonrepudiation of the signed message.
D. registers signed messages to protect them from future repudiation.
You are correct, the answer is A. A. A registration authority is responsible for verifying information supplied by the subject requesting a certificate, and verifies the requestor's right to request a certificate on behalf of themselves or their organization. B. Certification authorities, not registration authorities, actually issue certificates once verification of the information has been completed. C. The sender who has control of his/her private key signs the message, not the registration authority. D. Registering signed messages is not a task performed by registration authorities.
This question refers to the following diagram.
Internet--Firewall1--Mail Gateway--Firewall2--IDS
Email traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:
A. alert the appropriate staff.
B. create an entry in the log.
C. close firewall-2.
D. close firewall-1.
You answered A. The correct answer is B. A. The first action taken by an intrusion detection system (IDS) will be to create a log entry and then alert the administrator. B. Creating an entry in the log is the first step taken by a network IDS. The IDS may also be configured to send an alert to the administrator, send a note to the firewall and may even be configured to record the suspicious packet. C. Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been caused by an attack from a hacker. After the IDS has logged the suspicious traffic, it may signal firewall-2 to close, thus preventing damage to the internal network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator, valuable time can be lost, in which a hacker could also compromise firewall-2. D. The IDS will usually only protect the internal network by closing firewall-2 and will not close the externally facing firewall-1.
Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?
A. A sufficient quantity of data for each test case
B. Data representing conditions that are expected in actual processing
C. Completing the test on schedule
D. A random sample of actual data
You answered A. The correct answer is B. A. The quantity of data for each test case is not as important as having test cases that will address all types of operating conditions. B. Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity. C. It is more important to have adequate test data than to complete the testing on schedule. D. It is unlikely that a random sample of actual data would cover all test conditions and provide a reasonable representation of actual data.
What is the GREATEST risk of a bank outsourcing its data center?
A. Loss or leakage of information
B. Noncompliance with regulatory requirements
C. Vendor failure or bankruptcy
D. Loss of internal knowledge and experience
You answered A. The correct answer is B. A. The risk of loss or leakage of information is a serious risk because it will lead to financial and other penalties if it happens; however, that may happen even if the bank does not outsource. The greatest risk is noncompliance with regulations because it will subject the bank to fines and sanctions regardless of whether a breach happens. B. The greatest risk is noncompliance with regulations because regulations are mandatory and a violation could lead to loss of the bank's charter to operate. C. The risk of vendor failure or bankruptcy can be mitigated in the contract through such clauses as code escrow as well as a robust recovery process. Although this risk is inherent in any contractual relationship, if the correct controls are in place then it should not materially affect the bank as much as noncompliance or a loss or leakage of information. D. The risk of a lack of internal IS staff knowledge through outsourcing, although valid, is not as great a risk as that resulting from noncompliance or a loss or leakage of information. Contractual controls, such as a turnover period in the event of contract termination, can also help mitigate the risk of loss of internal knowledge.
An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results?
A. Project sponsor
B. System development project team (SDPT)
C. Project steering committee
D. User project team (UPT)
You answered A. The correct answer is C. A. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project. B. A system development project team (SDPT) completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The SDPT is not responsible for overseeing the progress of the project. C. A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. D. A user project team (UPT) completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A UPT is not responsible for reviewing the progress of the project.
The reason for establishing a stop or freezing point on the design of a new system is to:
A. prevent further changes to a project in process.
B. indicate the point at which the design is to be completed.
C. require that changes after that point be evaluated for cost-effectiveness.
D. provide the project management team with more control over the project design.
You answered A. The correct answer is C. A. The stop point is intended to provide greater control over changes, but not to prevent them. B. The stop point is used for project control, but not to create an artificial fixed point that requires the design of the project to cease. C. Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost-benefits and the payback period. D. A stop point is used to control requirements, not systems design.
An organization recently deployed a customer relationship management (CRM) application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed?
A. User acceptance testing (UAT)
B. Project risk assessment
C. Postimplementation review
D. Management approval of the system
You answered A. The correct answer is C. A. User acceptance testing (UAT) verifies that the system functionality has been deemed acceptable by the end users of the system; however, a review of UAT will not validate whether the system is performing as designed because UAT could be performed on a subset of system functionality. The UAT review is a part of the postimplementation review. B. While a risk assessment would highlight the risk of the system, it would not include an analysis to verify that the system is operating as designed. C. The purpose of a postimplementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The postimplementation review also evaluates how effective the project management practices were in keeping the project on track. D. Management approval of the system could be based on reduced functionality and does not verify that the system is operating as designed. Review of management approval is a part of postimplementation review.
Which of the following is the MOST efficient way to test the design effectiveness of a change control process?
A. Test a sample population of change requests
B. Test a sample of authorized changes
C. Interview personnel in charge of the change control process
D. Perform an end-to-end walk-through of the process
You answered A. The correct answer is D. A. Testing a sample population of changes is a test of operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design. B. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization or detect changes that bypassed the controls. C. Interviewing personnel in charge of the change control process is not as effective as a walk-through of the change controls process because people may know the process but not follow it. D. Observation is the best and most effective method to test changes to ensure that the process is effectively designed.
When performing a review of a business process reengineering (BPR) effort, which of the following choices would be the PRIMARY concern?
A. Controls are eliminated as part of the BPR effort.
B. Resources are not adequate to support the BPR process.
C. The audit department is not involved in the BPR effort.
D. The BPR effort includes employees with limited knowledge of the process area.
You answered B. The correct answer is A. A. A primary risk of business process reengineering (BPR) is that controls are eliminated as part of the reengineering effort. This would be the primary concern. B. The BPR process can be a resource-intensive initiative; however, the more important issue is whether critical controls are eliminated as a result of the BPR effort. C. While BPR efforts often involve many different business functions, it would not be a significant concern if audit were not involved, and, in most cases, it would not be appropriate for audit to be involved in such an effort. D. A recommended best practice for BPR is to include individuals from all parts of the enterprise, even those with limited knowledge of the process area. Therefore, this would not be a concern.
Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy?
A. Review the parameter settings.
B. Interview the firewall administrator.
C. Review the actual procedures.
D. Review the device's log file for recent attacks.
You answered B. The correct answer is A. A. A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation. B. An interview with the firewall administrator will not ensure that the firewall is configured correctly. C. Reviewing the actual procedures is good, but will not ensure that the firewall rules are correct and compliant with policy. D. Recent attacks may indicate problems with the firewall, but will not ensure that it is correctly configured.
Which of the following factors should an IS auditor PRIMARILY focus on when determining the appropriate level of protection for an information asset?
A. Results of a risk assessment
B. Relative value to the business
C. Results of a vulnerability assessment
D. Cost of security controls
You answered B. The correct answer is A. A. The appropriate level of protection for an asset is determined based on the risk associated with the asset. The results of the risk assessment are, therefore, the primary information that the IS auditor should review. B. The relative value of an asset to the business is one element considered in the risk assessment; this alone does not determine the level of protection required. C. The results of a vulnerability assessment would be useful when creating the risk assessment; however, this would not be the primary focus. D. The cost of security controls is not a primary factor to consider because the expenditures on these controls are determined by the value of the information assets being protected.
A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process?
A. Whether key controls are in place to protect assets and information resources
B. Whether the system addresses corporate customer requirements
C. Whether the system can meet the performance goals (time and resources)
D. Whether the new system will support separation of duties
You answered B. The correct answer is A. A. The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. B. The system must meet the requirements of all customers not just corporate customers. This is not the IS auditor's main concern. C. The system must meet performance requirements, but this is of secondary concern to the need to ensure that key controls are in place. D. Separation of duties is a key control—but only one of the controls that should be in place to protect the assets of the organization.
An IS auditor is reviewing security incident management procedures for the company. Which of the following choices is the MOST important consideration?
A. Chain of custody of electronic evidence
B. System breach notification procedures
C. Escalation procedures to external agencies
D. Procedures to recover lost data
You answered B. The correct answer is A. A. The preservation of evidence is the most important consideration in regard to security incident management. If data and evidence are not collected properly, valuable information could be lost and would not be admissible in a court of law should the company decide to pursue litigation. B. System breach notification is an important aspect and in many cases may even be required by laws and regulations; however, the security incident may not be a breach and the notification procedure might not apply. C. Escalation procedures to external agencies such as the local police or special agencies dealing in cybercrime are important. However, without proper chain of custody procedures, vital evidence may be lost and would not be admissible in a court of law should the company decide to pursue litigation. D. While having procedures in place to recover lost data is important, it is critical to ensure that evidence is protected to ensure follow-up and investigation.
A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?
A. Issues of privacy
B. Wavelength can be absorbed by the human body
C. RFID tags may not be removable
D. RFID eliminates line-of-sight reading
You answered B. The correct answer is A. A. The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because radio frequency identification (RFID) can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID. B. That wavelength can be absorbed by the human body is a concern of less importance. C. That RFID tags may not be removable is a concern of less importance than the violation of privacy. D. RFID eliminates line-of-sight reading. This is a benefit of RFID, not a concern.
Which of the following is the GREATEST concern to an IS auditor reviewing an organization's use of third-party-provided cloud services to store health care billing information?
A. Disparate backup requirements
B. Availability of infrastructure
C. Segregation of client data
D. Integrity of data
You answered B. The correct answer is C. A. Although disparate backup requirements may present a challenge, the primary concern is maintaining segregation of client data. B. Availability of infrastructure is an inherent benefit of cloud services, and as such is not a primary concern. C. In a shared services infrastructure, several clients access the same set of services. Therefore, the primary concern is maintaining segregation of client data. D. Although integrity of data is important, maintaining confidentiality of the data through segregation is a greater concern.
Which of the following should be included in a feasibility study for a project to implement an electronic data interchange (EDI) process?
A. The encryption algorithm format
B. The detailed internal control procedures
C. The necessary communication processes
D. The proposed trusted third-party agreement
You answered B. The correct answer is C. A. Encryption algorithms are too detailed for this phase. They would only be outlined and any cost or performance implications shown. B. Internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. C. The communications processes must be included because there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization. D. Third-party agreements are too detailed for this phase. They would only be outlined and any cost or performance implications shown.
As part of the business continuity planning (BCP) process, which of the following should be identified FIRST in the business impact analysis (BIA)?
A. Risk such as single point-of-failure and infrastructure risk
B. Threats to critical business processes
C. Critical business processes for ascertaining the priority for recovery
D. Resources required for resumption of business
You answered B. The correct answer is C. A. Risk should be identified after the critical business processes have been identified. B. The identification of threats to critical business processes can only be determined after the critical business processes have been identified. C. The identification of critical business processes should be addressed first so that the priorities and time lines for recovery can be documented. D. Identification of resources required for business resumption will occur after the identification of critical business processes.
The IS auditor is reviewing an organization's human resources (HR) database implementation. The IS auditor discovers that the database servers are clustered for high availability, all default database accounts have been removed and database audit logs are kept and reviewed on a weekly basis. What other area should the IS auditor check to ensure that the databases are appropriately secured?
A. Database digital signatures
B. Database encryption nonces and other variables
C. Database media access control (MAC) address authentication
D. Database initialization parameters
You answered B. The correct answer is D. A. Digital signatures are used for authentication and nonrepudiation, and are not commonly used in databases. As a result, this is not an area in which the IS auditor should investigate. B. A nonce is defined as a "parameter that changes over time" and is similar to a number generated to authenticate one specific user session. Nonces are not related to database security (they are commonly used in encryption schemes). C. A media access control (MAC) address is the hardware address of a network interface. MAC address authentication is sometimes used with wireless local area network (WLAN) technology, but is not related to database security. D. When a database is opened, many of its configuration options are governed by initialization parameters. These parameters are usually governed by a file ("init.ora" in the case of Oracle DBMS), which contains many settings. The system initialization parameters address many "global" database settings, including authentication, remote access and other critical security areas. To effectively audit a database implementation, the IS auditor must examine the database initialization parameters.
Use of asymmetric encryption in an Internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the:
A. customer over the authenticity of the hosting organization.
B. hosting organization over the authenticity of the customer.
C. customer over the confidentiality of messages from the hosting organization.
D. hosting organization over the confidentiality of messages passed to the customer.
You answered C. The correct answer is A. A. Any false site will not be able to encrypt using the private key of the real site, so the customer would not be able to decrypt the message using the public key. B. Many customers have access to the same public key so the host cannot use this mechanism to ensure the authenticity of the customer. C. The customer cannot be assured of the confidentiality of messages from the host because many people have access to the public key and can decrypt the messages from the host. D. The host cannot be assured of the confidentiality of messages sent out, because many people have access to the public key and can decrypt it.
The risk of dumpster diving is BEST mitigated by:
A. implementing security awareness training.
B. placing shred bins in copy rooms.
C. developing a media disposal policy.
D. placing shredders in individual offices.
You answered C. The correct answer is A. A. Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items. B. The shred bins may not be properly used if users are not aware of proper security techniques. C. A media disposal policy is a good idea; however, if users are not aware of the policy it may not be effective. D. The shredders may not be properly used if users are not aware of proper security techniques.
Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server?
A. Manually copy files to accomplish replication.
B. Review changes in the software version control system.
C. Ensure that developers do not have access to the backup server.
D. Review the access control log of the backup server.
You answered C. The correct answer is B. A. Even if replication is conducted manually with due care, there still remains a risk of copying unauthorized software from one server to another. B. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Only moving the versions on the version control system (VCS) program will prevent the transfer of development or earlier versions. C. If unauthorized code was introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk. D. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.
Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement (SLA) with an external IT service provider?
A. Payment terms
B. Uptime guarantee
C. Indemnification clause
D. Default resolution
You answered C. The correct answer is B. A. Payment terms are typically included in the master agreement rather than in the service level agreement (SLA). B. The most important element of an SLA is the measurable terms of performance, such as uptime agreements. C. The indemnification clause is typically included in the master agreement rather than in the SLA. D. The default resolution would only apply in case of a default of the SLA; therefore, it is more important to review the performance conditions of the SLA.
The MAJOR advantage of a component-based development approach is the: A. ability to manage an unrestricted variety of data types. B. provision for modeling complex relationships. Incorrect C. capacity to meet the demands of a changing environment. D. support of multiple development environments.
You answered C. The correct answer is D. A. The data types must be defined within each component, and it is not certain that any component will be able to handle multiple data types. B. Component-based development is no better than many other development methods at modeling complex relationships. C. Component-based development is one of the methodologies that can be effective at meeting changing requirements, but this is not its primary benefit or purpose. D. Component-based development that relies on reusable modules can increase the speed of development. Software developers can then focus on business logic.
Disaster recovery planning (DRP) addresses the: A. technological aspect of business continuity planning (BCP). B. operational part of business continuity planning. C. functional aspect of business continuity planning. Incorrect D. overall coordination of business continuity planning.
You answered D. The correct answer is A. A. Disaster recovery planning (DRP) is the technological aspect of the business continuity plan (BCP) that focuses on IT systems and operations. B. Business resumption planning addresses the operational part of BCP. C. Disaster recovery addresses the technical components of business recovery. D. The overall coordination of BCP is accomplished through business continuity management and strategic plans. DRP addresses the technical aspects of BCP.
An IT executive of an insurance company asked an external auditor to evaluate the user IDs for emergency access (fire call ID). The IS auditor found that fire call accounts are granted without a predefined expiration date. What should the IS auditor recommend? A. Review of the access control privilege authorization process B. Implementation of an identity management system (IMS) C. Enhancement of procedures to audit changes made to sensitive customer data Incorrect D. Granting of fire call accounts only to managers
You answered D. The correct answer is A. A. In this case, the IS auditor should recommend reviewing the process of access control management. Emergency system administration-level access should only be granted on an as-needed basis and configured to a predefined expiration date. Accounts with temporary privileges require strong controls to limit the lifetime of the privileges and use of these accounts should be closely monitored. B. While implementing an identity management system (IMS) may solve the problem, it would be most cost-efficient to first review access privileges. C. Enhancing procedures to audit changes made to sensitive customer data does not prevent the misuse of these accounts and should be performed after reviewing the process. D. It is not realistic to grant fire call accounts only to managers.
An IS auditor should recommend the use of library control software to provide reasonable assurance that: A. program changes have been authorized. B. only thoroughly tested programs are released. C. modified programs are automatically moved to production. Incorrect D. source and executable code integrity is maintained.
You answered D. The correct answer is A. A. Library control software should be used to separate test from production libraries in mainframe and/or client-server environments. The main objective of library control software is to provide assurance that program changes have been authorized. B. Library control software is concerned with authorized program changes and cannot determine whether programs have been thoroughly tested. C. Programs should not be moved automatically into production without proper authorization. D. Library control software provides reasonable assurance that the source code and executable code are matched at the time the source code is moved to production. Access control will help preserve the integrity of the software, but the most important benefit of library control software is to ensure that all changes are authorized.
Involvement of senior management is MOST important in the development of: A. strategic plans. B. IT policies. C. IT procedures. Incorrect D. standards and guidelines.
You answered D. The correct answer is A. A. Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. B. IT policies are created and enforced by IT management and information security. They are structured to support the overall strategic plan. C. IT procedures are developed to support IT policies. Senior management is not involved in the development of procedures. D. Standards and guidelines are developed to support IT policies. Senior management is not involved in the development of standards, baselines and guidelines.
In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether: A. there is an integration of IT and business personnel within projects. B. there is a clear definition of the IT mission and vision. C. a strategic information technology planning scorecard is in place. Incorrect D. the plan correlates business objectives to IT goals and objectives.
You answered D. The correct answer is A. A. The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IT short-range plan. B. A clear definition of the IT mission and vision would be covered by a strategic plan. C. A strategic information technology planning scorecard would be covered by a strategic plan. D. Business objectives correlating to IT goals and objectives would be covered by a strategic plan.
The PRIMARY benefit of an enterprise architecture (EA) initiative would be to: A. enable the organization to invest in the most appropriate technology. B. ensure that security controls are implemented on critical platforms. C. allow development teams to be more responsive to business requirements. Incorrect D. provide business units with greater autonomy to select IT solutions that fit their needs.
You answered D. The correct answer is A. A. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective. B. Ensuring that security controls are implemented on critical platforms is important, but this is not the function of the EA. The EA may be concerned with the design of security controls; however, the EA would not help to ensure that they were implemented. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. C. While the EA process may enable development teams to be more efficient, because they are creating solutions based on standard platforms using standard programming languages and methods, the more critical benefit of the EA is to provide guidance for IT investments of all types, which encompasses much more than software development. D. A primary focus of the EA is to define standard platforms, databases and interfaces. Business units that invest in technology would need to select IT solutions that meet their business needs and are compatible with the EA of the enterprise. There may be instances when a proposed solution works better for a business unit but is not at all consistent with the EA of the enterprise, so there would be a need to compromise to ensure that the application can be supported by IT. Overall, the EA would restrict the ability of business units in terms of the potential IT systems that they may wish to implement. The support requirements would not be affected in this case.
Where would an IS auditor MOST likely see a hash function applied? A. Authentication B. Identification C. Authorization Incorrect D. Encryption
You answered D. The correct answer is A. A. The purpose of a hash function is to produce a "fingerprint" of data that can be used to ensure integrity and authentication. A hash of a password also provides for authentication of a user or process attempting to access resources. B. Hash functions are not used for identification. They are used to validate the authenticity of the identity. C. Hash functions are not typically used to provide authorization. Authorization is provided after the authentication has been established. D. Hash functions are algorithms that map or translate one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input. It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm or to find two different messages that produce the same hash result using the same algorithm. Hash functions do not encrypt data.
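The following Python script is an added worked example, not part of the ISACA question set, showing the two uses the explanation names: a hash as a fingerprint for integrity checking, and a salted, iterated password hash used for authentication. It also demonstrates why a hash is not encryption: there is no key, and a one-bit change in the input produces an unrelated digest. Only the standard library is used; the sample data, password and iteration counts are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def fingerprint(data: bytes) -> str:
    """SHA-256 digest of the whole input as hex: a fixed-size fingerprint for integrity checks."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, recorded_hex: str) -> bool:
    """Recompute the fingerprint and compare it with the one recorded earlier.

    compare_digest is constant-time, so the comparison itself leaks no timing information.
    """
    return hmac.compare_digest(fingerprint(data), recorded_hex)


def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> tuple:
    """Derive a salted, iterated hash with PBKDF2-HMAC-SHA256; the password itself is never stored.

    The salt defeats precomputed tables; the iteration count slows brute force. Both values are
    stored beside the digest. The default count is an assumed value for the demo.
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes, iterations: int = 200_000) -> bool:
    """Authenticate by re-deriving the hash from the candidate password and comparing digests."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def bit_flip_changes_digest(data: bytes) -> bool:
    """Flip the lowest bit of the first byte; the digest changes completely (avalanche effect)."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    return fingerprint(flipped) != fingerprint(data)


if __name__ == "__main__":
    record = b"transaction 1001: pay 100.00 to account 42"   # constructed sample record
    stamp = fingerprint(record)
    print("integrity of untouched record:", integrity_ok(record, stamp))
    print("integrity of altered record:", integrity_ok(record.replace(b"100.00", b"900.00"), stamp))
    salt, stored = hash_password("correct horse battery staple")   # constructed sample password
    print("login with right password:", verify_password("correct horse battery staple", salt, stored))
    print("login with wrong password:", verify_password("Correct horse battery staple", salt, stored))
    print("one-bit change alters digest:", bit_flip_changes_digest(record))
```

Note that the password case still "authenticates" only because the server never stores the password; it stores the salt and the digest, and anyone who steals them still has to brute-force the PBKDF2 iterations for every candidate.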
The PRIMARY purpose of an IT forensic audit is: A. to participate in investigations related to corporate fraud. B. the systematic collection and analysis of evidence after a system irregularity. C. to assess the correctness of an organization's financial statements. Incorrect D. to preserve evidence of criminal activity.
You answered D. The correct answer is B. A. Forensic audits are not limited to corporate fraud. B. The systematic collection and analysis of evidence best describes a forensic audit. The evidence collected could then be analyzed and used in judicial proceedings. C. Assessing the correctness of an organization's financial statements is not the primary purpose of most forensic audits. D. Forensics is the investigation of evidence related to a crime or misbehavior. Preserving evidence is the forensic process, but not the primary purpose.
Which of the following is the BEST method to ensure that the business continuity plan (BCP) remains up to date? Correct A. The group walks through the different scenarios of the plan, from beginning to end. B. The group ensures that specific systems can actually perform adequately at the alternate offsite facility. C. The group is aware of full-interruption test procedures. D. Interdepartmental communication is promoted to better respond in the case of a disaster.
You are correct, the answer is A. A. A structured walk-through test gathers representatives from each department who will review the plan and identify weaknesses. B. The ability of the group to ensure that specific systems can actually perform adequately at the alternate offsite facility is a parallel test and does not involve group meetings. C. A full-interruption test is the most intrusive test to regular operations and the business; merely being aware of its procedures does nothing to keep the plan current. D. While improving communication is important, it is not the most valued method to ensure that the plan is up to date.
An IS auditor suspects an incident (attack) is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST? A. Request that the system be shut down to preserve evidence. B. Report the incident to management. C. Ask for immediate suspension of the suspect accounts. Incorrect D. Immediately investigate the source and nature of the incident.
You answered D. The correct answer is B. A. The IS auditor should follow the incident response process of the organization. The auditor is not authorized to shut the system down. B. Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor's role to respond to incidents during an audit. C. The IS auditor is not authorized to lead the investigation or to suspend user accounts. The auditor should report the incident to management. D. Management is responsible for setting up and following an incident management plan; that is not the responsibility of the IS auditor.
In a client-server architecture, a domain name service (DNS) is MOST important because it provides the: A. address of the domain server. B. resolution service for the name/address. C. IP addresses for the Internet. Incorrect D. domain name system.
You answered D. The correct answer is B. A. The domain name service (DNS) enables users to reach Internet hosts using URLs based on words instead of needing to know the IP addresses of a website; it does not merely hand out the address of a domain server. B. DNS is utilized primarily on the Internet for resolution of the name/address of the web site. It is an Internet service that translates domain names into IP addresses. Because names are alphabetic, they are easier to remember. However, the Internet is based on IP addresses. Every time a domain name is used, a DNS service must translate the name into the corresponding IP address. DNS is a distributed, hierarchical system: if one DNS server does not know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned. C. The DNS is a translation or cross-reference tool; it does not provide the IP addresses for the Internet. D. The DNS within an organization is part of the global Domain Name System; it does not provide the name system, it supports it.
During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next? A. Recommend redesigning the change management process. B. Gain more assurance on the findings through root cause analysis. C. Recommend that program migration be stopped until the change process is documented. Incorrect D. Document the finding and present it to management.
You answered D. The correct answer is B. A. While it may be necessary to redesign the change management process, this cannot be done until a root cause analysis is conducted to determine why the current process is not being followed. B. A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management. C. A business relies on being able to make changes when necessary, and security patches must often be deployed promptly. It would not be feasible to halt all changes until a new process is developed. D. The results of the audit including the findings of noncompliance will be delivered to management once a root cause analysis of the issue has been completed.
An IS auditor is evaluating the effectiveness of the organization's change management process. What is the MOST important control that the IS auditor should look for to ensure system availability? A. That changes are authorized by IT managers at all times B. That user acceptance testing (UAT) is performed and properly documented C. That test plans and procedures exist and are closely followed Incorrect D. That capacity planning is performed as part of each development project
You answered D. The correct answer is C. A. Changes are usually required to be signed off by a business analyst, member of the change control board or other authorized representative, not necessarily by IT management. B. User acceptance testing (UAT) is important but not a critical element of change control and would not usually address the topic of availability as asked in the question. C. The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently. D. While capacity planning should be considered in each development project, it will not ensure system availability, nor is it part of the change control process.
An IS auditor is reviewing a manufacturing company and finds that mainframe users at a remote site connect to the mainframe at headquarters over the Internet via Telnet. Which of the following is the BEST recommendation to ensure proper security controls? Correct A. Use of a point-to-point leased line B. Use of a firewall rule to allow only the Internet protocol (IP) address of the remote site C. Use of two-factor authentication D. Use of a nonstandard port for Telnet
You are correct, the answer is A. A. A leased line will effectively extend the local area network (LAN) of the headquarters to the remote site, and the mainframe Telnet connection would travel over the private line, which would be less of a security risk when using an insecure protocol such as Telnet. B. A firewall rule at the headquarters network to only allow Telnet connections from the Internet protocol (IP) address assigned to the remote site would make the connection more secure; however, there is the possibility that the source address could be spoofed by an attacker and, therefore, a dedicated leased line would be more secure. C. While two-factor authentication would enhance the login security, it would not secure the transmission channel against eavesdropping, and, therefore, a leased line would be a better option. D. Attacks on network services start with the assumption that network services use the standard transmission control protocol (TCP)/IP port number assigned for the service, which is port 23 for Telnet. By reconfiguring the host and client, a different port can be used. Assigning a nonstandard port offers at most some obscurity: service fingerprinting identifies Telnet on any port, and the credentials and session still cross the Internet unencrypted. In this case, creating a leased-line connection to the remote site would be a better solution.
Which of the following would an IS auditor consider to be MOST helpful when evaluating the effectiveness and adequacy of a preventive computer maintenance program? Correct A. A system downtime log B. Vendors' reliability figures C. Regularly scheduled maintenance log D. A written preventive maintenance schedule
You are correct, the answer is A. A. A system downtime log provides information regarding the effectiveness and adequacy of computer preventive maintenance programs. The log is a detective control, but because it is validating the effectiveness of the maintenance program, it is validating a preventive control. B. Vendor's reliability figures are not an effective measure of a preventive maintenance program. C. Reviewing the log is a good detective control to ensure that maintenance is being done; however, only the system downtime will indicate whether the preventive maintenance is actually working well. D. A schedule is a good control to ensure that maintenance is scheduled and that no items are missed in the maintenance schedule; however, it is not a guarantee that the work is actually being done.
What would be the MOST effective control for enforcing accountability among database users accessing sensitive information? Correct A. Implement a log management process. B. Implement a two-factor authentication. C. Use table views to access sensitive data. D. Separate database and application servers.
You are correct, the answer is A. A. Accountability means knowing what is being done by whom. The best way to enforce the principle is to implement a log management process that would create and store logs with pertinent information such as user name, type of transaction and hour. B. Implementing a two-factor authentication would prevent unauthorized access to the database, but would not record the activity of the user when using the database. C. Using table views would restrict users from seeing data that they should not be able to see, but would not record what users did with data they were allowed to see. D. Separating database and application servers may help in better administration or even in implementing access controls, but does not address the accountability issues.
To ensure message integrity, confidentiality and nonrepudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against: Correct A. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key. B. any part of the message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key using the receiver's public key. C. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering both the encrypted message and digest using the receiver's public key. D. the entire message, enciphering the message digest using the sender's private key and enciphering the message using the receiver's public key.
You are correct, the answer is A. A. Applying a cryptographic hashing algorithm against the entire message addresses the message integrity issue. Enciphering the message digest using the sender's private key creates a digital signature and addresses nonrepudiation. Encrypting the message with a symmetric key most efficiently addresses the confidentiality of the message, thereafter enciphering the symmetric key using the receiver's public key, which transports (distributes) the symmetric key securely to the receiver. B. Only hashing a part of the message would only verify the integrity of that part of the message. C. Enciphering the message with a public key would be much too slow to be practical. D. Enciphering the entire message with a public key would be too slow to be practical.
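The scheme in option A, as an added worked example that is not part of the ISACA material: hash the entire message, sign the digest with the sender's private key, encrypt the message with a fresh symmetric key, and encrypt only that key with the receiver's public key. The receiver unwraps the key, decrypts, recomputes the digest and verifies the signature. The script assumes the `cryptography` package is installed; RSA-PSS and RSA-OAEP are the modern paddings standing in for the textbook "encipher with the private/public key", and AES-GCM is the symmetric cipher. The message and the party names are constructed for the demonstration.

```python
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding choices are assumptions for the demo; the question text only says "encipher".
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_keypair():
    """Generate an RSA key pair (2048 bits keeps the demo fast)."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


def digest(message: bytes) -> bytes:
    """Step 1: hash the ENTIRE message, so a change anywhere in it is detected."""
    h = hashes.Hash(hashes.SHA256())
    h.update(message)
    return h.finalize()


def protect(message: bytes, sender_priv, receiver_pub) -> dict:
    """Sender side: build the bundle described in option A."""
    # Step 2: sign the digest with the sender's private key (nonrepudiation).
    signature = sender_priv.sign(digest(message), PSS, utils.Prehashed(hashes.SHA256()))
    # Step 3: encrypt the message with a fresh symmetric key (confidentiality, fast for any size).
    key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(key).encrypt(nonce, message, None)
    # Step 4: encrypt only the short symmetric key with the receiver's public key (key transport).
    wrapped_key = receiver_pub.encrypt(key, OAEP)
    return {"wrapped_key": wrapped_key, "nonce": nonce,
            "ciphertext": ciphertext, "signature": signature}


def unprotect(bundle: dict, receiver_priv, sender_pub) -> bytes:
    """Receiver side: unwrap the key, decrypt, then verify the signature over the recomputed digest."""
    key = receiver_priv.decrypt(bundle["wrapped_key"], OAEP)
    message = AESGCM(key).decrypt(bundle["nonce"], bundle["ciphertext"], None)  # InvalidTag if altered
    sender_pub.verify(bundle["signature"], digest(message), PSS,
                      utils.Prehashed(hashes.SHA256()))  # InvalidSignature unless signed by sender
    return message


def demo() -> dict:
    """Run the happy path and two failure modes; report which failures were detected."""
    alice_priv, alice_pub = make_keypair()   # sender
    bob_priv, bob_pub = make_keypair()       # receiver
    mallory_priv, _ = make_keypair()         # impostor
    message = b"Transfer 1,000.00 to account 4242"   # constructed sample message
    bundle = protect(message, alice_priv, bob_pub)
    out = {"roundtrip": unprotect(bundle, bob_priv, alice_pub) == message}

    # One bit flipped in transit: the AES-GCM tag check fails before the signature is examined.
    forged = dict(bundle)
    forged["ciphertext"] = bytes([bundle["ciphertext"][0] ^ 0x01]) + bundle["ciphertext"][1:]
    try:
        unprotect(forged, bob_priv, alice_pub)
        out["tamper_detected"] = False
    except InvalidTag:
        out["tamper_detected"] = True

    # A well-formed bundle signed by Mallory: it decrypts, but the signature is not Alice's.
    impostor = protect(message, mallory_priv, bob_pub)
    try:
        unprotect(impostor, bob_priv, alice_pub)
        out["impostor_detected"] = False
    except InvalidSignature:
        out["impostor_detected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The order matters on the receiving side: the symmetric decryption fails fast on a corrupted ciphertext, and the signature check is what ties the message to a specific sender, which is the nonrepudiation property the question asks about. Encrypting the whole message with RSA (options C and D) would be limited to a few hundred bytes per operation and far slower, which is why only the key is wrapped.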
Which of the following is widely accepted as one of the critical components in networking management? Correct A. Configuration management B. Topological mappings C. Application of monitoring tools D. Proxy server troubleshooting
You are correct, the answer is A. A. Configuration management is widely accepted as one of the key components of any network because it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Configuration management ensures that the setup and management of the network is done properly, including managing changes to the configuration, removal of default passwords and possibly hardening the network by disabling unneeded services. B. Topological mappings provide outlines of the components of the network and its connectivity. This is important to address issues such as single points of failure and proper network isolation, but is not the most critical component of network management. C. Application monitoring is not a critical part of network management. D. Proxy server troubleshooting is used for troubleshooting purposes, and managing a proxy is only a small part of network management.
The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a disaster recovery plan, will MOST likely: Correct A. increase. B. decrease. C. remain the same. D. be unpredictable.
You are correct, the answer is A. A. Due to the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal (nondisaster) operations will increase after a DRP is implemented compared with the cost of the same operations when no DRP was in place. B. The implementation of a DRP will always result in additional costs to the organization. C. A DRP adds cost; it does not leave the cost of operations unchanged. D. The costs of a DRP are fairly predictable and consistent.
Which of the following acts as a decoy to detect active Internet attacks? Correct A. Honeypots B. Firewalls C. Trapdoors D. Traffic analysis
You are correct, the answer is A. A. Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals' computer systems. The concept of a honeypot is to learn from intruder's actions. A properly designed and configured honeypot provides data on methods used to attack systems. The data are then used to improve measures that could curb future attacks. B. A firewall is basically a preventive measure. C. Trapdoors create a vulnerability that provides an opportunity for the insertion of unauthorized code into a system. D. Traffic analysis is a type of passive attack based on capturing network traffic.
A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that: Correct A. the users may not remember to manually encrypt the data before transmission. B. the site credentials were sent to the financial services company via email. C. personnel at the consulting firm may obtain access to sensitive data. D. the use of a shared user ID to the FTP site does not allow for user accountability.
You are correct, the answer is A. A. If the data is not encrypted, an unauthorized external party may download sensitive company data. B. Even though the possibility exists that the logon information was captured from the emails, data should be encrypted, so the theft of the data would not allow the attacker to read it. C. Some of the employees at the consulting firm will have access to the sensitive data and the consulting firm must have procedures in place to protect the data. D. Tracing accountability is of minimal concern compared to the compromise of sensitive data.
The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan (DRP)? Correct A. Contact information of key personnel B. Server inventory documentation C. Individual roles and responsibilities D. Procedures for declaring a disaster
You are correct, the answer is A. A. In the event of a disaster, it is important to have a current updated list of personnel who are key to the operation of the plan. B. Asset inventory is important and should be linked to the change management process of the organization, but having access to key people may compensate for outdated records. C. Individual roles and responsibilities are important, but in a disaster many people could fill different roles depending on their experience. D. The procedures for declaring a disaster are important because this can affect response, customer perception and regulatory issues, but not as important as having the right people there when needed.
Which one of the following could be used to provide automated assurance that proper data files are being used during processing? Correct A. Internal labeling, including file header records B. Version usage C. Parity checking D. File security controls
You are correct, the answer is A. A. Internal labeling, including file header records, is correct because it can provide assurance that proper data files are being used and it allows for automatic checking. B. Version usage is not correct because this may not necessarily allow for automatic checking. This helps only in respect to assurance that the correct file and version are being used. C. Parity checking is not correct because it is a data integrity validation method typically used by a data transfer program. While parity checking may help to ensure that data and program files are transferred successfully, it does not help to ensure that the proper data or program files are being used. D. File security controls is not correct because they cannot be used to provide assurance that proper data files are being used and cannot allow for automatic checking. They can be used to provide assurance that unauthorized users do not have access to the application and/or access to read or alter the data in an unauthorized manner.
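An added worked example, not from the ISACA material, of what "internal labeling with automatic checking" looks like in a batch job: the first record of the file is a header label naming the dataset and its generation number, the last record is a trailer carrying the record count, and the job refuses to process the file unless all three match what it expects. The label format, dataset name and sample payroll records are constructed for the demonstration.

```python
from typing import Dict, List, Tuple

HEADER_TAG = "HDR"
TRAILER_TAG = "TRL"

# Constructed sample file: header label, three data records, trailer label.
SAMPLE_FILE = """HDR|dataset=PAYROLL_TXN|generation=0042|created=2024-03-31
E1001|2024-03-31|1500.00
E1002|2024-03-31|2250.50
E1003|2024-03-31|980.75
TRL|records=3
"""


def _parse_label(line: str, tag: str) -> Dict[str, str]:
    """Parse 'TAG|key=value|key=value' into a dict; reject a record that is not the expected label."""
    parts = line.split("|")
    if parts[0] != tag:
        raise ValueError(f"expected {tag} label, got: {line!r}")
    fields = {}
    for item in parts[1:]:
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


def read_labeled_file(text: str) -> Tuple[Dict[str, str], List[str], Dict[str, str]]:
    """Split a file into (header label, data records, trailer label)."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) < 2:
        raise ValueError("file too short to carry both a header and a trailer label")
    header = _parse_label(lines[0], HEADER_TAG)
    trailer = _parse_label(lines[-1], TRAILER_TAG)
    return header, lines[1:-1], trailer


def check_labels(header: Dict[str, str], records: List[str], trailer: Dict[str, str],
                 expected_dataset: str, expected_generation: int) -> List[str]:
    """Return a list of label problems; an empty list means the file is the one the job expects."""
    problems = []
    if header.get("dataset") != expected_dataset:
        problems.append(f"dataset mismatch: job expects {expected_dataset}, "
                        f"file carries {header.get('dataset')}")
    if header.get("generation") != f"{expected_generation:04d}":
        problems.append(f"generation mismatch: job expects {expected_generation:04d}, "
                        f"file carries {header.get('generation')}")
    declared = int(trailer.get("records", "-1"))
    if declared != len(records):
        problems.append(f"record count mismatch: trailer declares {declared}, "
                        f"file holds {len(records)}")
    return problems


def audit_file(text: str, expected_dataset: str, expected_generation: int) -> List[str]:
    """What the batch job runs before touching the data: parse the labels and compare them."""
    header, records, trailer = read_labeled_file(text)
    return check_labels(header, records, trailer, expected_dataset, expected_generation)


if __name__ == "__main__":
    print("expected file:", audit_file(SAMPLE_FILE, "PAYROLL_TXN", 42) or "ok, process")
    print("previous generation:", audit_file(SAMPLE_FILE, "PAYROLL_TXN", 41))
    truncated = "\n".join(l for l in SAMPLE_FILE.splitlines() if not l.startswith("E1002"))
    print("truncated transfer:", audit_file(truncated, "PAYROLL_TXN", 42))
```

The generation check is what catches the classic error of running yesterday's file twice, and the trailer count catches a transfer that was cut short; neither is something a file name or an access control list can detect, which is the point of the question.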
In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer? Correct A. Nonrepudiation B. Encryption C. Authentication D. Integrity
You are correct, the answer is A. A. Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message. B. Encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made. C. Authentication is necessary to establish the identification of all parties to a communication. D. Integrity ensures that transactions are accurate but does not provide the identification of the customer.
The PRIMARY purpose of a business impact assessment (BIA) is to: Correct A. define recovery strategies. B. identify the alternate site. C. improve recovery testing. D. calculate the annual loss expectancy (ALE).
You are correct, the answer is A. A. One of the primary outcomes of a business impact assessment (BIA) is the recovery time objective (RTO) and the recovery point objective (RPO), which help in defining the recovery strategies. B. A BIA, itself, will not help in identifying the alternate site. That is determined during the recovery strategy phase of the project. C. A BIA, itself, will not help improve recovery testing. That is done during the implementation and testing phase of the project. D. The annual loss expectancy (ALE) of critical business assets and processes is determined during risk assessment and will be reviewed in the BIA, but this is not the primary advantage.
As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through: Correct A. performance measurement. B. strategic alignment. C. value delivery. D. resource management.
You are correct, the answer is A. A. Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives. B. Strategic alignment primarily focuses on ensuring linkage of business and IT plans, not on transparency. C. Value delivery is about executing the value proposition throughout the delivery cycle. Value delivery ensures that IT investments deliver on promised values, but does not ensure transparency of investment. D. Resource management is about the optimal investment in and proper management of critical IT resources, but does not ensure transparency of IT investments.
An IS auditor is reviewing a corporate web server. Which of the following should be of MOST concern to the IS auditor? Correct A. System patches are not applied. B. The server is not accessed through a virtual private network (VPN). C. Server logs are not being captured. D. The network address translation is not enabled.
You are correct, the answer is A. A. Web servers should have up-to-date patches because they are accessible to the Internet and are prone to attack. B. It is not typically required that the web server be accessed by a virtual private network (VPN) because the web server contains public information. C. While logging is important, lack of system patching is a more significant issue. D. Network address translation hides internal addressing but is not a security control for a public-facing server; its absence does not change the server's exposure to attack and therefore is not the primary concern.
When selecting audit procedures, an IS auditor should use professional judgment to ensure that: Correct A. sufficient evidence will be collected. B. all significant deficiencies identified will be corrected within a reasonable period. C. all material weaknesses will be identified. D. audit costs will be kept at a minimum level.
You are correct, the answer is A. A. Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate and the IS auditor's past experience plays a key role in making a judgment. The IS auditor should use judgment in assessing the sufficiency of evidence to be collected. ISACA's guidelines provide information on how to meet the standards when performing IS audit work. B. The correction of deficiencies is the responsibility of management and is not a part of the audit procedure selection process. C. Identifying material weaknesses is the result of appropriate competence, experience and thoroughness in planning and executing the audit and not of professional judgment. Professional judgment is not a primary input to the financial aspects of the audit. Audit procedures and use of professional judgment cannot ensure that all deficiencies/weaknesses will be identified and corrected. D. Professional judgment will ensure that audit resources and costs are used wisely, but this is not the primary objective of the auditor when selecting audit procedures.
A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the: Correct A. system and the IT operations team can sustain operations in the emergency environment. B. resources and the environment could sustain the transaction load. C. connectivity to the applications at the remote site meets response time requirements. D. workflow of actual business operations can use the emergency system in case of a disaster.
You are correct, the answer is A. A. The applications have been operated intensively; but the capability of the system and the IT operations team to sustain and support this environment (ancillary operations, batch closing, error corrections, output distribution, etc.) is only partially tested. B. Because the test involved intensive usage, the backup would seem to be able to handle the transaction load. C. Because users were able to connect to and use the system, the response time must have been satisfactory. D. The intensive tests by the business indicated that the workflow systems worked correctly. Changes to the environment could pose a problem in the future, but it is working correctly now.
The effect of which of the following should have priority in planning the scope and objectives of an IS audit? Correct A. Applicable statutory requirements B. Applicable corporate standards C. Applicable industry best practices D. Organizational policies and procedures
You are correct, the answer is A. A. The effect of applicable statutory requirements must be factored in while planning an IS audit—the IS auditor has no options in this respect because there can be no limitation of scope in respect to statutory requirements. B. Statutory requirements always take priority over corporate standards. C. Industry best practices help plan an audit; however, best practices are not mandatory and can be deviated from to meet organization objectives. D. Organizational policies and procedures are important, but statutory requirements always take priority. Organizational policies must be in alignment with statutory requirements.
An IS auditor is reviewing the backup strategy and the backup technology in use by an organization. The IS auditor would be MOST concerned if: Correct A. data restoration tests are not being regularly performed. B. disk subsystems are being backed up to other disks, and not to tape. C. daily backup logs are purged quarterly. D. backups of critical company data are not encrypted.
You are correct, the answer is A. A. The only way to ensure with certainty that a backup is working is to perform a data restoration test. If this were not being done regularly, it would be a concern. B. Current backup technology utilizes disk-to-disk backup technology, which is considered to be reliable and will have a faster recovery time than tape, so this would not be a concern. C. While it is important to maintain logs to document that the backup process is operating effectively, not retaining the logs would not be a major concern. D. Encrypting backup data may be required in certain cases to protect valuable data, but data that are critical may not necessarily be classified as being confidential. Because encryption adds time and expense to the backup process, it would only be used when required to meet the security requirements rather than in all cases.
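The restoration test that answer A calls for is easy to automate. The following is an added example, not part of the original question set: it takes a backup of a constructed "production" tree, restores it into a separate directory and then compares every source file against its restored copy byte for byte, so that a backup job whose exclusion rule is wider than intended (simulated here with the hypothetical `exclude_suffixes` parameter) is caught by the test rather than by the next disaster. The directory layout and file contents are constructed for the example; a real test would restore onto a separate host and compare against the protected data set.

```python
import filecmp
import os
import tarfile
import tempfile


def list_files(root):
    """Relative POSIX paths of all regular files under root, sorted for stable output."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


def make_backup(src_dir, archive_path, exclude_suffixes=()):
    """Write a gzip tar of src_dir. exclude_suffixes (hypothetical) models a
    backup job whose exclusion rule silently drops files it should keep."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in list_files(src_dir):
            if rel.endswith(tuple(exclude_suffixes)):
                continue
            tar.add(os.path.join(src_dir, rel), arcname=rel)


def restore_backup(archive_path, dest_dir):
    """Extract the archive into dest_dir, using the safe 'data' filter where the
    interpreter supports it so that crafted member names cannot escape dest_dir."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(dest_dir, filter="data")
        except TypeError:  # older Python without the filter keyword
            tar.extractall(dest_dir)


def verify_restore(src_dir, restored_dir):
    """Compare every source file with its restored copy (full content, not mtime/size)."""
    missing, mismatched = [], []
    for rel in list_files(src_dir):
        restored = os.path.join(restored_dir, rel)
        if not os.path.isfile(restored):
            missing.append(rel)
        elif not filecmp.cmp(os.path.join(src_dir, rel), restored, shallow=False):
            mismatched.append(rel)
    return {"ok": not missing and not mismatched, "missing": missing, "mismatched": mismatched}


def run_restore_test(exclude_suffixes=()):
    """Build a constructed production tree, back it up, restore it and verify."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "prod")
        os.makedirs(os.path.join(src, "db"))
        os.makedirs(os.path.join(src, "config"))
        # Constructed sample data standing in for critical company files.
        with open(os.path.join(src, "db", "ledger.dat"), "wb") as f:
            f.write(os.urandom(4096))
        with open(os.path.join(src, "db", "ledger.idx"), "wb") as f:
            f.write(os.urandom(512))
        with open(os.path.join(src, "config", "app.ini"), "wb") as f:
            f.write(b"[db]\npath=db/ledger.dat\n")

        archive = os.path.join(work, "nightly.tar.gz")
        make_backup(src, archive, exclude_suffixes)
        dest = os.path.join(work, "restore")
        restore_backup(archive, dest)
        return verify_restore(src, dest)


if __name__ == "__main__":
    print("correct job:", run_restore_test())
    print("job excluding *.idx:", run_restore_test((".idx",)))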
Determining the service delivery objective (SDO) should be based PRIMARILY on: Correct A. the minimum acceptable operational capability. B. the cost-effectiveness of the restoration process. C. meeting the recovery time objectives (RTOs). D. the allowable interruption window (AIW).
You are correct, the answer is A. A. The service delivery objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs. B. The cost-effectiveness of the restoration process is not the main consideration in determining the SDO. C. Meeting the recovery time objectives (RTOs) may be one of the considerations in determining the SDO, but it is a secondary factor. D. The allowable interruption window (AIW) may likewise be a secondary factor in determining the SDO.
A characteristic of User Datagram Protocol (UDP) in network communications is: Correct A. packets may arrive out of order. B. increased communication latency. C. incompatibility with packet broadcast. D. error correction may slow down processing.
You are correct, the answer is A. A. User Datagram Protocol (UDP) utilizes a simple transmission model without implicit handshaking routines for providing reliability, ordering or data integrity. Thus, UDP provides an unreliable service and datagrams may arrive out of order, appear duplicated or get dropped. B. The advantage of UDP is that the lack of error checking allows for reduced latency. Time-sensitive applications, such as online video or audio, often use UDP because of the reduced latency of this protocol. C. UDP is compatible with packet broadcast (sending to all on the local network) and multicasting (sending to all subscribers). D. UDP assumes that error checking and correction is either not necessary or performed in the application, avoiding the overhead of such processing at the network interface level.
During a review of intrusion detection logs, an IS auditor notices traffic coming from the Internet, which appears to originate from the internal IP address of the company payroll server. Which of the following malicious activities would MOST likely cause this type of result? A. A denial-of-service (DoS) attack Correct B. Spoofing C. Port scanning D. A man-in-the-middle attack
You are correct, the answer is B. A. A denial-of-service (DoS) attack is designed to limit the availability of a resource and is characterized by a high number of requests that require response from the resource (usually a web site). The target spends so many resources responding to the attack requests that legitimate requests are not serviced. These attacks are most commonly launched from networks of compromised computers (botnets) and may involve attacks from multiple computers at once. B. Spoofing is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network, but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server's internal network address. By impersonating the payroll server, the attacker may be able to access sensitive internal resources. C. Port scanning is a reconnaissance technique that is designed to gather information about a target before a more active attack. Port scanning might be used to determine the internal address of the payroll server, but would not normally create a log entry that indicated external traffic from an internal server address. D. A man-in-the-middle attack is a form of active eavesdropping where the attacker intercepts a computerized conversation between two parties and then allows the conversation to continue by relaying the appropriate data to both parties, while simultaneously monitoring the same data passing through the attacker's conduit. This type of attack would not register as an attack originating from the payroll server, but instead might be designed to hijack an authorized connection between a workstation and the payroll server.
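The log pattern behind answer B (inbound traffic on the Internet-facing interface that claims an internal source address) is a mechanical check that can run over the full log rather than be spotted by eye. The following is an added example and not part of the original material: it parses a constructed key=value log format, treats any inbound line on an external interface whose source falls inside the internal address space as spoofed, and reports the hits. The log format, the interface names (`eth0` external, `eth1` internal) and the address ranges are assumptions for the example.

```python
import ipaddress
import re

# Address space that belongs to the internal network and the interfaces that
# face the Internet. Both are constructed for this example; a real check loads
# the organization's own address plan and interface inventory.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
EXTERNAL_IFACES = {"eth0"}

# Minimal key=value log line format, constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) iface=(?P<iface>\S+) dir=(?P<dir>in|out) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    try:
        entry["src"] = ipaddress.ip_address(entry["src"])
        entry["dst"] = ipaddress.ip_address(entry["dst"])
    except ValueError:
        return None
    return entry


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def find_spoofed_ingress(lines):
    """Return entries that arrived inbound on an Internet-facing interface while
    claiming an internal source address. A packet genuinely sent by the payroll
    server cannot enter through the external interface, so each hit is either
    spoofing or a routing/logging misconfiguration that must be investigated."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["dir"] == "in" and entry["iface"] in EXTERNAL_IFACES and is_internal(entry["src"]):
            hits.append(entry)
    return hits


def summarize(hits):
    """Flatten hits to (timestamp, source, destination) tuples for reporting."""
    return [(e["ts"], str(e["src"]), str(e["dst"])) for e in hits]


# Constructed sample log: 10.20.30.40 plays the internal payroll server.
SAMPLE_LOG = [
    "2024-03-04T09:12:01Z iface=eth0 dir=in src=203.0.113.45 dst=192.168.10.5 proto=tcp",
    "2024-03-04T09:12:02Z iface=eth0 dir=in src=10.20.30.40 dst=192.168.10.5 proto=tcp",
    "2024-03-04T09:12:03Z iface=eth1 dir=in src=10.20.30.40 dst=192.168.10.5 proto=tcp",
    "2024-03-04T09:12:04Z iface=eth0 dir=out src=10.20.30.40 dst=203.0.113.45 proto=tcp",
    "2024-03-04T09:12:05Z iface=eth0 dir=in src=192.168.77.9 dst=192.168.10.5 proto=udp",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for ts, src, dst in summarize(find_spoofed_ingress(SAMPLE_LOG)):
        print(f"{ts} spoofed internal source {src} -> {dst} on external interface")
```

Only the second and fifth lines are reported: the same payroll address arriving on the internal interface, or leaving outbound, is normal. The corrective control is ingress filtering on the perimeter device (drop any packet arriving on the external interface with an internal source address), so that the log entry never has to be found after the fact.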
Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects? A. Increase the time allocated for system testing. Correct B. Implement formal software inspections. C. Increase the development staff. D. Require the sign-off of all project deliverables.
You are correct, the answer is B. A. Allowing more time for testing may discover more defects; however, little is revealed as to why the quality problems are occurring, and the cost of the extra testing and the cost of rectifying the defects found will be greater than if they had been discovered earlier in the development process. B. Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction because less rework is involved. C. The ability of the development staff can have a bearing on the quality of what is produced; however, replacing staff can be expensive and disruptive, and the presence of a competent staff cannot guarantee quality in the absence of effective quality management processes. D. Sign-off of deliverables may help detect defects if signatories are diligent about reviewing deliverable content; however, this is difficult to enforce and may occur too late in the process to be cost-effective. Deliverable reviews normally do not go down to the same level of detail as software inspections.
A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk? A. Confidentiality of the information stored in the database Correct B. The hardware being used to run the database application C. Backups of the information in the overseas database D. Remote access to the backup database
You are correct, the answer is B. A. Confidentiality of the information stored in the database is not a major concern, because the information is intended for public use. B. The business objective is to make the information available to the public in a timely manner. Because the database is physically located overseas, hardware failures that are left unfixed can reduce the availability of the system to users. C. Backups of the information in the overseas database are not a major concern, because the overseas database is a mirror of the local database; thus, a backup copy exists locally. D. Remote access to the backup database does not impact availability.
An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment? A. Commands typed on the command line are logged. Correct B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs. C. Access to the operating system command line is granted through an access restriction tool with preapproved rights. D. Software development tools and compilers have been removed from the production environment.
You are correct, the answer is B. A. Having a log is not a control; reviewing the log is a control. B. Comparing cryptographic hashes of the production programs against the hashes of the last authorized versions detects any change to the files, whoever made it and however it was made. The reference hashes must be kept where the developers cannot alter them, and a mismatch must trigger investigation. C. Because the access was already granted at the command line level, it will be possible for the developers to bypass the control. D. Removing the tools from the production environment will not mitigate the risk of unauthorized activity by the developers.
Which of the following BEST reduces the ability of one device to capture the packets that are meant for another device? A. Hubs Correct B. Switches C. Routers D. Firewalls
You are correct, the answer is B. A. Hubs will broadcast all data to all network ports. B. Switches transmit a unicast frame only to the port of the device to which it is addressed, which reduces the ability of one device to capture the packets that are meant for another device. This is a by-product of switching rather than a security control: MAC flooding or ARP spoofing can still cause a switch to deliver frames to the wrong port, so switches provide only a low level of network security. C. Routers allow packets to be given or denied access based on the addresses of the sender and receiver, and the type of packet. D. Firewalls are a collection of computer and network equipment used to allow communications to flow out of the organization and restrict communications flowing into the organization.
Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization's change control procedures? A. Review software migration records and verify approvals. Correct B. Identify changes that have occurred and verify approvals. C. Review change control documentation and verify approvals. D. Ensure that only appropriate staff can migrate changes into production.
You are correct, the answer is B. A. Software migration records may not have all changes listed—changes could have been made that were not included in the migration records. B. The most effective method is to determine what changes have been made (check logs and modified dates) and then verify that they have been approved. C. Change control records may not have all changes listed. D. Ensuring that only appropriate staff can migrate changes into production is a key control process but, in itself, does not verify compliance.
In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional: A. stop-or-go sampling. Correct B. substantive testing. C. compliance testing. D. discovery sampling.
You are correct, the answer is B. A. Stop-or-go sampling is used when an IS auditor believes few errors will be found in the population, and thus would not be the best type of testing to perform in this case. B. Because both the inherent and control risk are high in this case, additional testing would be required. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. C. Compliance testing is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. While performing compliance testing is important, performing additional substantive testing would be more appropriate in this case. D. Discovery sampling is a form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population, typically used to test for fraud or other irregularities. In this case, additional substantive testing would be the better option.
IT governance is PRIMARILY the responsibility of the: A. chief executive officer (CEO). Correct B. board of directors. C. IT steering committee. D. audit committee.
You are correct, the answer is B. A. The chief executive officer (CEO) is instrumental in implementing IT governance according to the directions of the board of directors. B. IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors). C. The IT steering committee monitors and facilitates deployment of IT resources for specific projects in support of business plans. The IT steering committee enforces governance on behalf of the board of directors. D. The audit committee reports to the board of directors and executes governance-related audits. The audit committee should monitor the implementation of audit recommendations.
An IS auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information (PHI). Which of the following contractual terms would be the GREATEST risk to the customer organization? A. Data ownership is retained by the customer organization. Correct B. The third-party provider reserves the right to access data to perform certain operations. C. Bulk data withdrawal mechanisms are undefined. D. The customer organization is responsible for backup, archive and restore.
You are correct, the answer is B. A. The customer organization would want to retain data ownership and, therefore, this would not be a risk. B. Some service providers reserve the right to access customer information (third-party access) to perform certain transactions and provide certain services. In the case of protected health information (PHI), regulations may restrict certain access. Organizations must review the regulatory environment in which the cloud provider operates because it may have requirements or restrictions of its own. Organizations must then determine whether the cloud provider provides appropriate controls to ensure that data are appropriately secure. C. An organization may eventually wish to discontinue its service with a third-party cloud-based provider. The organization would then want to remove its data from the system and ensure that the service provider clears the system (including any backups) of its data. Some providers do not offer automated or bulk data withdrawal mechanisms, which the organization needs to migrate its data. These aspects should be clarified prior to using a third-party provider. D. An organization may need to plan its own data recovery processes and procedures if the service provider does not make this available or the organization has doubts about the service provider's processes. This would only be a risk if the customer organization was unable to perform these activities itself.
During which of the following phases in system development would user acceptance test plans normally be prepared? A. Feasibility study Correct B. Requirements definition C. Implementation planning D. Postimplementation review
You are correct, the answer is B. A. The feasibility study is too early for such detailed user involvement. B. During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure that it meets their stated needs. An IS auditor should know at what point user testing should be planned to ensure that it is most effective and efficient. C. The implementation planning phase is when the tests are conducted. It is too late in the process to develop the test plan. D. User acceptance testing should be completed prior to implementation.
Which of the following is the BEST reference for an IS auditor to determine a vendor's ability to meet service level agreement (SLA) requirements for a critical IT security service? A. Compliance with the master agreement Correct B. Agreed-on key performance metrics C. Results of business continuity tests D. Results of independent audit reports
You are correct, the answer is B. A. The master agreement typically includes terms, conditions and costs, but does not typically include service levels. B. Metrics allow for a means to measure performance. Service level agreements (SLAs) are statements related to expected service levels. For example, an Internet service provider (ISP) may guarantee that their service will be available 99.99 percent of the time. C. If applicable to the service, results of business continuity tests are typically included as part of the due diligence review. D. Independent audits report on the financial condition of an organization or the control environment. Reviewing audit reports is typically part of the due diligence review. Even audits must be performed against a set of standards or metrics to validate compliance.
A new application has been purchased from a vendor and is about to be implemented. Which of the following choices is a key consideration when implementing the application? A. Preventing the compromise of the source code during the implementation process Correct B. Ensuring that vendor default accounts and passwords have been disabled C. Removing the old copies of the program from escrow to avoid confusion D. Verifying that the vendor is meeting support and maintenance agreements
You are correct, the answer is B. A. The source code may not even be available to the purchasing organization, and it is the executable or object code that must be protected during implementation. B. Disabling vendor default accounts and passwords is a critical part of implementing a new application. C. Because this is a new application, there should not be any problem with older versions in escrow. D. It is not possible to ensure that the vendor is meeting support and maintenance requirements until the system is operating.
Which of the following is a continuity plan test that simulates a system crash and uses actual resources to cost-effectively obtain evidence about the plan's effectiveness? A. Paper test B. Posttest Correct C. Preparedness test D. Walk-through
You are correct, the answer is C. A. A paper test is a walk-through of the plan, involving major players, who attempt to determine what might happen in a particular type of service disruption in the plan's execution. A paper test usually precedes the preparedness test. B. A posttest is actually a test phase and is comprised of a group of activities such as returning all resources to their proper place, disconnecting equipment, returning personnel and deleting all company data from third-party systems. C. A preparedness test is a localized version of a full test, wherein resources are expended in the simulation of a system crash. This test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan's effectiveness. It also provides a means to improve the plan in increments. D. A walk-through is a test involving a simulated disaster situation that tests the preparedness and understanding of management and staff rather than the actual resources.
When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies: A. are aligned with globally accepted industry best practices. B. are approved by the board of directors and senior management. Correct C. strike a balance between business and security requirements. D. provide direction for implementing security procedures.
You are correct, the answer is C. A. An organization is not required to base its IT policies on industry best practices. Policies must be based on the culture and business requirements of the organization. B. It is essential that policies be approved; however, that is not the primary focus during the development of the policies. C. Information security policies must be first of all aligned with an organization's business and security objectives. D. Policies cannot provide direction if they are not aligned with business requirements.
An IS auditor who is auditing an application determines that, due to resource constraints, one user holds roles as both a developer and a release coordinator. Which of the following options would the IS auditor MOST likely recommend? A. Revoke the user's developer access. B. Revoke the user's release coordinator access. Correct C. Management review of user activities D. Periodic audit of user activities
You are correct, the answer is C. A. Given the resource constraints, revoking access would prevent the developer from performing assigned duties. In this case, due to resource constraints, the segregation of duties issue cannot be eliminated; however, secondary controls in the form of management review can be applied. B. Given the resource constraints, revoking access would prevent the release coordinator from performing assigned duties. In this case, due to resource constraints, the segregation of duties issue cannot be eliminated; however, secondary controls in the form of management review can be applied. C. If an individual requires roles with conflicting segregation of duties, the best control given the circumstances is to monitor that individual's access in the production environment. Although this is not the preferred method of resolving segregation of duties conflicts, it is the best compensating control given the current business circumstances. D. Periodic independent reviews, such as an audit, while useful, would not serve as an adequate control in this situation.
A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use: A. eavesdropping. B. spoofing. Correct C. traffic analysis. D. masquerading.
You are correct, the answer is C. A. In eavesdropping, which is a passive attack, the intruder gathers the information flowing through the network with the intent of acquiring message contents for personal analysis or for third parties. B. Spoofing is an active attack in which the intruder makes traffic appear to come from a source other than its real origin, for example an email that appears to have originated from one sender when it was actually sent by another. C. In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and, through an analysis of session length, frequency and message length, is able to guess the type of communication taking place. This typically is used when messages are encrypted and eavesdropping would not yield any meaningful results. D. In masquerading, the intruder presents an identity other than the original identity. This is an active attack.
Which of the following will MOST successfully identify overlapping key controls in business application systems? A. Reviewing system functionalities that are attached to complex business processes B. Submitting test transactions through an integrated test facility (ITF) Correct C. Replacing manual monitoring with an automated auditing solution D. Testing controls to validate that they are effective
You are correct, the answer is C. A. In general, highly complex business processes may have more key controls than business areas with less complexity; however, finding, with certainty, unnecessary controls in complex areas is not always possible. If a well-thought-out key control structure has been established from the beginning, finding any overlap in key controls will not be possible. B. An integrated test facility (ITF) is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls. C. As part of the effort to realize continuous audit management (CAM), there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts have the opportunity to come across unnecessary or overlapping key controls in existing systems. D. By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.
Which of the following is the MOST common concern for an IS auditor regarding audit logs? A. Logs can be examined only by system administrators. B. Logs require special tools for collection and review. C. Logs are typically not backed up regularly. Correct D. Logs are collected but not analyzed.
You are correct, the answer is D. A. Logs can be accessed and reviewed by authorized personnel with a minimal amount of training; however, in most cases no one is reviewing the logs on a regular basis. B. Log analysis tools range from simple filters to complex security information and event management (SIEM) systems. C. Logs are rarely backed up and may be subject to alteration by administrators. D. One of the most common problems with audit logs is that they are collected but not analyzed. In most circumstances, audit logs are reviewed only in the case of an incident, error or exception.
During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions? A. One-for-one checking B. Data file security Correct C. Transaction logs D. File updating and maintenance authorization
You are correct, the answer is C. A. One-for-one checking is a control procedure in which an individual document agrees with a detailed listing of documents processed by the system. It would take a long time to complete the research using this procedure. B. Data file security controls prevent access by unauthorized users in their attempt to alter data files. This would not help identify the transactions posted to an account. C. Transaction logs generate an audit trail by providing a detailed list of date of input, time of input, user ID, terminal location, etc. Research time can be reduced in investigating exceptions because the review can be performed on the logs rather than on the entire transaction file. It also helps to determine which transactions have been posted to an account—by a particular individual during a particular period. D. File updating and maintenance authorization is a control procedure to update the stored data and ensure accuracy and security of stored data. This does provide evidence regarding the individuals who update the stored data; however, it is not effective in the given situation to determine transactions posted to an account.
Which of the following BEST ensures the integrity of a server's operating system (OS)? A. Protecting the server in a secure location B. Setting a boot password Correct C. Hardening the server configuration D. Implementing activity logging
You are correct, the answer is C. A. Protecting the server in a secure location is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the operating system (OS). B. Setting a boot password is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS. C. Hardening a system means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS. D. Activity logging has two weaknesses in this scenario—it is a detective control (not a preventive one), and the attacker who already gained privileged access can modify logs or disable them.
Which of the following is the MOST effective type of antivirus software to detect an infected application?
A. Scanners
B. Active monitors
C. Integrity checkers
D. Vaccines
You are correct, the answer is C.
A. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executable files and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective.
B. Active monitors interpret disk operating system (DOS) and read-only memory (ROM) basic input-output system (BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. As a result, users are asked to confirm actions such as formatting a disk or deleting a file or set of files.
C. Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclical redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus.
D. Vaccines are known to be good antivirus software. However, they need to be updated periodically to remain effective.
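The integrity-checker mechanism described in answer C, worked through as an added example (this code is not part of the practice question set): a baseline database of checksums is built once from known-clean program images, and each program is re-checked against that baseline when it is about to run. A CRC-32 is used to match the answer text; because a CRC detects change but can be forged, the same functions also accept SHA-256, which is what a present-day integrity checker would store. The program names and byte strings are constructed sample data, not real executables.

```python
"""Integrity-checker demonstration (added example; not from the question set).

Compute a checksum over each known-clean program once, store it in a baseline
"database", and recompute the checksum whenever the program is about to run.
A match means the program is unchanged; a mismatch means it was altered
(possibly by a virus); a program absent from the baseline cannot be vouched
for and is reported as unknown.
"""
import hashlib
import zlib
from typing import Callable, Dict

Digest = Callable[[bytes], str]


def crc32_digest(data: bytes) -> str:
    # CRC-32, the checksum named in the answer. Fast, but an attacker can
    # pad a modified file so that its CRC matches the original.
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def sha256_digest(data: bytes) -> str:
    # Cryptographic hash: finding a modified file with the same digest is
    # infeasible, so this is what a modern checker should store instead.
    return hashlib.sha256(data).hexdigest()


def build_baseline(programs: Dict[str, bytes], digest: Digest = crc32_digest) -> Dict[str, str]:
    """Digest every known-clean program; the result is the baseline database file."""
    return {name: digest(image) for name, image in programs.items()}


def check_program(name: str, image: bytes, baseline: Dict[str, str],
                  digest: Digest = crc32_digest) -> str:
    """Verdict for a program about to execute: 'clean', 'modified' or 'unknown'."""
    expected = baseline.get(name)
    if expected is None:
        # Never baselined: fail closed rather than assume it is clean.
        return "unknown"
    return "clean" if digest(image) == expected else "modified"


def check_all(programs: Dict[str, bytes], baseline: Dict[str, str],
              digest: Digest = crc32_digest) -> Dict[str, str]:
    """Check every program in the set against the baseline."""
    return {name: check_program(name, image, baseline, digest)
            for name, image in programs.items()}


# Constructed sample "program images" (byte strings standing in for binaries).
CLEAN_PROGRAMS = {
    "payroll.exe": b"MZ\x90\x00 payroll v1.0 ...",
    "ledger.exe": b"MZ\x90\x00 ledger v2.3 ...",
}

# The same host after a simulated infection: payroll.exe has code appended,
# ledger.exe is untouched, and a binary that was never baselined has appeared.
AFTER_INFECTION = {
    "payroll.exe": CLEAN_PROGRAMS["payroll.exe"] + b"\x90\x90 appended code",
    "ledger.exe": CLEAN_PROGRAMS["ledger.exe"],
    "dropper.exe": b"MZ\x90\x00 not in baseline",
}

if __name__ == "__main__":
    database = build_baseline(CLEAN_PROGRAMS)
    for program, verdict in check_all(AFTER_INFECTION, database).items():
        print(f"{program}: {verdict}")
```

The baseline must itself be protected (stored read-only or signed), since an attacker who can rewrite the database can re-baseline an infected program; that protection is outside the scope of this snippet.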
An organization has implemented a disaster recovery plan (DRP). Which of the following steps should be carried out next?
A. Obtain senior management sponsorship.
B. Identify business needs.
C. Conduct a paper test.
D. Perform a system restore test.
You are correct, the answer is C.
A. Senior management sponsorship should have been obtained prior to implementing the plan.
B. Business needs identification should have been obtained prior to implementing the plan.
C. A best practice would be to conduct a paper test. This tests the plan in a non-hazardous manner by stepping through the plan with key members of the recovery team.
D. A paper test should be conducted first, followed by system or full testing.
Which of the following would be evaluated as a preventive control by an IS auditor performing an audit?
A. Transaction logs
B. Before and after image reporting
C. Table lookups
D. Tracing and tagging
You are correct, the answer is C.
A. Transaction logs are a detective control and provide audit trails.
B. Before and after image reporting makes it possible to trace the impact that transactions have on computer records. This is a detective control.
C. Table lookups are preventive controls; input data are checked against predefined tables, which prevents any undefined data from being entered.
D. Tracing and tagging is used to test application systems and controls, but is not a preventive control in itself.
Which of the following choices is the MOST effective control that should be implemented to ensure accountability for application users accessing sensitive data in the human resource management system (HRMS) and among interfacing applications to the HRMS?
A. Two-factor authentication
B. A digital certificate
C. Audit trails
D. Single sign-on authentication
You are correct, the answer is C.
A. Two-factor authentication would enhance security while logging into the human resource management system (HRMS) application; however, it will not establish accountability for actions taken subsequent to login.
B. A digital certificate will also enhance login security to conclusively authenticate users logging into the application. However, it will not establish accountability because user ID and transaction details will not be captured without an audit trail.
C. Audit trails capture which user performed the transaction, at what date and time, along with other details, and this helps in establishing accountability among application users.
D. Single sign-on authentication allows users to log in seamlessly to the application, thus easing the authentication process. However, this would also not establish accountability.
An organization recently deployed a customer relationship management (CRM) application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed?
A. User acceptance testing (UAT)
B. Project risk assessment
C. Postimplementation review
D. Management approval of the system
You are correct, the answer is C.
A. User acceptance testing (UAT) verifies that the system functionality has been deemed acceptable by the end users of the system; however, a review of UAT will not validate whether the system is performing as designed because UAT could be performed on a subset of system functionality. The UAT review is a part of the postimplementation review.
B. While a risk assessment would highlight the risk of the system, it would not include an analysis to verify that the system is operating as designed.
C. The purpose of a postimplementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The postimplementation review also evaluates how effective the project management practices were in keeping the project on track.
D. Management approval of the system could be based on reduced functionality and does not verify that the system is operating as designed. Review of management approval is a part of postimplementation review.
An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go sampling.
You are correct, the answer is C.
A. Variable sampling is used to estimate numerical values such as dollar values.
B. Substantive testing substantiates the integrity of actual processing such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized.
C. Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.
D. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
The most common reason for the failure of information systems to meet the needs of users is that:
A. user needs are constantly changing.
B. the growth of user requirements was forecast inaccurately.
C. the hardware system limits the number of concurrent users.
D. user participation in defining the system's requirements was inadequate.
You are correct, the answer is D.
A. Although changing user needs has an effect on the success or failure of many projects, the core problem is usually a failure to get the initial requirements correct at the beginning of the project.
B. Projects may fail as the needs of the users increase; however, this can be mitigated through better change control procedures.
C. Rarely do hardware limitations affect the usability of the project as long as the requirements were correctly documented at the beginning of the project.
D. Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are and, therefore, what the system should accomplish.
Which of the following security measures BEST ensures the integrity of information stored in a data warehouse?
A. Validated daily backups
B. Change management procedures
C. Data dictionary maintenance
D. A read-only restriction
You are correct, the answer is D.
A. Backups address availability, not integrity. Validated backups ensure that the backup will work when needed.
B. Adequate change management procedures protect the data warehouse and the systems with which the data warehouse interfaces from unauthorized changes, but are not usually concerned with the data.
C. Data dictionary maintenance procedures provide for the definition and structure of data that are input to the data warehouse. This will not affect the integrity of data already stored.
D. Because most data in a data warehouse are historic and do not need to be changed, applying read-only restrictions prevents data manipulation.
Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:
A. database integrity checks.
B. validation checks.
C. input controls.
D. database commits and rollbacks.
You are correct, the answer is D.
A. Database integrity checks are important to ensure database consistency and accuracy. These include isolation, concurrency and durability controls, but the most important issue here is atomicity—the requirement for transactions to complete entirely and commit or else roll back to the last known good point.
B. Validation checks will prevent introduction of corrupt data, but will not address system failure.
C. Input controls are important to protect the integrity of input data, but will not address system failure.
D. Database commits ensure that the data are saved after the transaction processing is completed. Rollback ensures that processing that was only partially completed as part of the transaction is reversed and not saved if the entire transaction does not complete successfully.
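The commit-and-rollback behaviour in answer D, shown as an added example (not part of the practice question set): a posting that debits one account and credits another is interrupted between the two statements, as in the question. Inside an explicit transaction the rollback undoes the half-finished debit; the same interruption without a transaction leaves money missing from the books. The ledger, account names and amounts are constructed sample data, and the interruption is simulated with an exception; the database is an in-memory SQLite instance from the standard library.

```python
"""Commit/rollback demonstration (added example; not from the question set).

A transfer must debit one account and credit another, or do neither.
post_transfer() runs the two UPDATEs inside BEGIN/COMMIT and issues
ROLLBACK if anything stops the work midway; use_transaction=False shows
the unsafe variant where each statement is applied on its own.
"""
import sqlite3
from typing import Dict


class ProcessingHalted(RuntimeError):
    """Stands in for a crash, power loss or kill between two statements."""


def open_ledger() -> sqlite3.Connection:
    # isolation_level=None gives manual transaction control: nothing is
    # wrapped in a transaction unless we say BEGIN ourselves.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE accounts (id TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    # Constructed opening balances.
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 500), ("bob", 100)])
    return conn


def balances(conn: sqlite3.Connection) -> Dict[str, int]:
    """Current balance of every account, for checking consistency."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def post_transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int,
                  halt_midway: bool = False, use_transaction: bool = True) -> bool:
    """Debit src and credit dst. Returns True only if the posting was committed.

    halt_midway simulates processing stopping after the debit but before the
    credit. A CHECK violation (overdraw) is handled the same way: the whole
    posting is abandoned and the last known good state is kept.
    """
    if use_transaction:
        conn.execute("BEGIN")
    try:
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        if halt_midway:
            raise ProcessingHalted("processing halted after the debit")
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        if use_transaction:
            conn.execute("COMMIT")  # both updates become durable together
        return True
    except Exception:
        if use_transaction:
            conn.execute("ROLLBACK")  # undo the partial work to the last known good point
        return False


if __name__ == "__main__":
    safe = open_ledger()
    post_transfer(safe, "alice", "bob", 100, halt_midway=True)
    print("with transaction, after halt:", balances(safe))      # unchanged totals

    unsafe = open_ledger()
    post_transfer(unsafe, "alice", "bob", 100, halt_midway=True, use_transaction=False)
    print("without transaction, after halt:", balances(unsafe))  # debit kept, credit lost
```

The sum of all balances is the invariant an auditor would check: it stays at 600 in the transactional case and drops to 500 when the interrupted posting was not wrapped in a transaction.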
The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it:
A. does not exceed the existing IT budget.
B. is aligned with the investment strategy.
C. has been approved by the IT steering committee.
D. is aligned with the business plan.
You are correct, the answer is D.
A. It should be identified if the project portfolio exceeds the IT budget, but it is not as critical as ensuring that it is aligned with the business plan.
B. The project portfolio should be aligned with the investment strategy, but it is most important that it is aligned with the business plan.
C. Appropriate approval of the project portfolio should be granted. However, not every enterprise has an IT steering committee, and this is not as critical as ensuring that the projects are aligned with the business plan.
D. Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.
An IS auditor is reviewing the access control list (ACL) of active network users. Which of the following types of user IDs should be of GREATEST concern?
A. Test or training user IDs
B. Shared IDs
C. Administrative IDs
D. User IDs of past employees
You are correct, the answer is D.
A. Test or training user IDs could be a concern. However, it is unlikely that their access privileges are greater than those of a real user, and therefore they pose less of an overall risk.
B. The use of shared IDs, while not a best practice, is not as great a risk as having a terminated employee with access to the network. There can be many situations in which a shared ID is necessary. The risk with shared IDs is that accountability cannot be established.
C. Administrative IDs are commonly found on a network and are not cause for concern.
D. If a user's network ID is not disabled on termination, the user or another unauthorized individual could potentially gain access to the network. User IDs of past employees pose the greatest risk because users can access the network via the Internet. In addition, many applications rely on network credentials to identify and authenticate access.
An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
A. verify how the organization follows the standards.
B. identify and report the controls currently in place.
C. review the metrics for quality evaluation.
D. request all standards that have been adopted by the organization.
You are correct, the answer is D.
A. The auditor needs to know what standards the organization has adopted before measuring compliance with those standards. Determining how the organization follows the standards is secondary to knowing what the standards are, as are identifying the relevant controls and reviewing the quality metrics.
B. The first step is to know the standards and what policies and procedures are mandated for the organization, then to document the controls and measure compliance.
C. The metrics cannot be reviewed until the auditor has a copy of the standards that describe or require the metrics.
D. Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows its own standards cannot be performed until the IS auditor has determined what standards exist.
An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A. the controls already in place.
B. the effectiveness of the controls in place.
C. the mechanism for monitoring the risk related to the assets.
D. the threats/vulnerabilities affecting the assets.
You are correct, the answer is D.
A. The controls are irrelevant until the IS auditor knows the threats and risk that the controls are intended to address.
B. The effectiveness of the controls must be measured in relation to the risk (based on assets, threats and vulnerabilities) that the controls are intended to address.
C. The first step must be to determine the risk that is being managed before reviewing the mechanism of monitoring risk.
D. One of the key factors to be considered while assessing the information systems risk is the value of the systems (the assets) and the threats and vulnerabilities affecting the assets. The risk related to the use of information assets should be evaluated in isolation from the installed controls.
An IS auditor reviewing a database discovers that the current configuration does not match the originally designed structure. Which of the following should be the IS auditor's next action?
A. Analyze the need for the structural change.
B. Recommend restoration to the originally designed structure.
C. Recommend the implementation of a change control process.
D. Determine whether the modifications were properly approved.
You are correct, the answer is D.
A. The first action taken by the IS auditor should be to verify whether the changes were authorized. Then the question can be asked, if necessary, whether the changes were required.
B. The IS auditor should not recommend reverting to the former design until validating the approval and need for the change.
C. A change control process should be in place and may just not have been followed. After the details of this are learned, a recommendation can be made regarding a change control process.
D. An IS auditor should first determine whether the modifications were properly approved, and perhaps why this change happened without properly updating the documentation.
In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:
A. identify and assess the risk assessment process used by management.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.
You are correct, the answer is D.
A. The review of the risk assessment process should be done at the start of the risk analysis. Because the threats and impact have already been determined, there must already be a risk assessment process in place.
B. It would be impossible to determine impact without first having identified the assets affected; therefore, this must already have been completed.
C. Upon completion of a risk assessment, an IS auditor should describe and discuss with management the threats and potential impacts on the assets as well as recommendations for addressing the risk. However, this cannot be done until the controls have been identified and the likelihood of the threat has been calculated.
D. It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.
For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk proactively?
A. Use of computer-assisted audit techniques (CAATs)
B. Quarterly risk assessment
C. Sampling of transaction logs
D. Continuous auditing
You are correct, the answer is D.
A. Using software tools such as computer-assisted audit techniques (CAATs) to analyze transaction data can provide detailed analysis of trends and potential risk, but it is not as effective as continuous auditing, because there may be a time differential between executing the software and analyzing the results.
B. Quarterly risk assessment may be a good technique, but not as responsive as continuous auditing.
C. The sampling of transaction logs is a valid audit technique; however, risk may exist that is not captured in the transaction log, and there may be a potential time lag in the analysis.
D. The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.
The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation, and determined that he/she is the only user with administrative rights to the system. What should the IS auditor's initial determination be?
A. The SAN is secure and no significant risk exists.
B. The SAN presents a potential risk because soft zoning should be used.
C. The SAN presents a potential risk because audit logs are not reviewed in a timely manner.
D. The SAN presents a potential risk because only one employee has access.
You are correct, the answer is D.
A. While the storage area network (SAN) may have been implemented with good controls, the greatest risk is that only one person has the knowledge and ability to maintain the system.
B. Hard zoning is more secure and is preferred to soft zoning. Zoning is used to separate different data sources from each other (for instance, to ensure that payroll and human resource [HR] data are stored separately from sales data). Hard zones are enforced by the infrastructure (in hardware) and are therefore more secure than soft zones, which are implemented in software or firmware.
C. The question does not provide information regarding whether logs are reviewed in a timely manner, and thus, the IS auditor does not have enough information to determine whether this is a risk area.
D. The largest potential risk in this scenario is the risk that the SAN administrator represents a "single point of failure." Because only one administrator has the knowledge and access required to administer the system, the organization is susceptible to risk. For example, if the SAN administrator decided to quit unexpectedly, or was otherwise unavailable, the company may not be able to adequately administer the SAN in his/her absence. In addition, having a single administrator for a large, complex system such as a SAN also presents a segregation of duties risk. If the SAN is securely configured, using hard zoning, logging and monitoring, and disabling of unused ports, no significant risk appears to exist regarding that configuration.