Domain 2: Governance and IT Management


The GREATEST benefit of having well-defined data classification policies and procedures is: a. a more accurate inventory of information assets. b. a decreased cost of controls. c. a reduced risk of inappropriate system access. d. an improved regulatory compliance.

b. a decreased cost of controls. Well-defined data classification policies and procedures lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data. Without a proper classification framework, some security controls may be greater and, therefore, costlier than is required based on the data classification.

IT Project Portfolio Analysis

Portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the IT portfolio provides comparable information of planned initiatives, projects and ongoing IT services, which allows the IT strategy to be aligned with the business strategy.

Software escrow

These clauses in a contract ensure that the software source code will still be available to the organization in the event of a vendor issue, such as insolvency and copyright issues.

Fidelity Coverage

This type of insurance covers the loss arising from dishonest or fraudulent acts by employees.

universal serial bus drives

USB

Indemnity Clause

A contractual transfer of risk between two contractual parties, generally to prevent loss or compensate for a loss which may occur as a result of a specified event.

Which of the following does an IS auditor consider the MOST relevant to short-term planning for an IT department? a. Allocating resources b. Adapting to changing technologies c. Conducting control self-assessments d. Evaluating hardware needs

a. Allocating resources The IT department should specifically consider the manner in which resources are allocated in the short term. The IS auditor ensures that the resources are being managed adequately.

A financial enterprise has had difficulties establishing clear responsibilities between its IT strategy committee and its IT steering committee. Which of the following responsibilities would MOST likely be assigned to its IT steering committee? a. Approving IT project plans and budgets b. Aligning IT to business objectives c. Advising on IT compliance risk d. Promoting IT governance practices

a. Approving IT project plans and budgets An IT steering committee typically has a variety of responsibilities, including approving IT project plans and budgets. Issues related to business objectives, risk and governance are responsibilities that are generally assigned to an IT strategy committee, because it provides insight and advice to the board.

Which of the following is MOST critical for the successful implementation and maintenance of a security policy? a. Assimilation of the framework and intent of a written security policy by all appropriate parties

a. Assimilation of the framework and intent of a written security policy by all appropriate parties This is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective. **Management support and commitment are, no doubt, important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount.

An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation? a. Existing IT mechanisms enabling compliance b. Alignment of the policy to the business strategy c. Current and future technology initiatives d. Regulatory compliance objectives defined in the policy

a. Existing IT mechanisms enabling compliance The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy.

When implementing an IT governance framework in an organization, the MOST important objective is: a. IT alignment with the business. b. accountability. c. value realization with IT. d. enhancing the return on IT investments.

a. IT alignment with business The goals of IT governance are to improve IT performance, deliver optimum business value and ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business. To achieve alignment, all other choices need to be tied to business practices and strategies.

An IS auditor wants to determine the effectiveness of managing user access to a server room. Which of the following is the BEST evidence of effectiveness? a. Observation of a logged event b. Review of the procedure manual c. Interview with management d. Interview with security personnel

a. Observation of a logged event This is how we used to test physical access.

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system? a. Three users with the ability to capture and verify their own messages b. Five users with the ability to capture and send their own messages c. Five users with the ability to verify other users and to send their own messages d. Three users with the ability to capture and verify the messages of other users and to send their own messages

a. Three users with the ability to capture and verify their own messages The ability of one individual to capture and verify their own messages represents an inadequate segregation because messages can be taken as correct and as if they had already been verified. The verification of messages should not be allowed by the person who sent the message. Essentially, approving own messages = SOD issue.

Sharing risk is a key factor in which of the following methods of managing risk? a. Transferring risk b. Tolerating risk c. Terminating risk d. Treating risk

a. Transferring risk This (e.g., by taking an insurance policy) is a way to share risk.

Overall quantitative business risk for a particular threat can be expressed as: a. a product of the likelihood and magnitude of the impact if a threat successfully exploits a vulnerability. b. the magnitude of the impact if a threat source successfully exploits the vulnerability. c.

a. a product of the likelihood and magnitude of the impact if a threat successfully exploits a vulnerability.

Value delivery from IT to the business is MOST effectively achieved by: a. aligning the IT strategy with the enterprise strategy. b. embedding accountability in the enterprise. c. providing a positive return on investment. d. establishing an enterprise wide risk management process.

a. aligning the IT strategy with the enterprise strategy.

When reviewing an organization's strategic IT plan, an IS auditor should expect to find: a. an assessment of the fit of the organization's application portfolio with business objectives. b. actions to reduce hardware procurement cost. c. a listing of approved suppliers of IT contract resources. d. a description of the technical architecture for the organization's network perimeter security

a. an assessment of the fit of the organization's application portfolio with business objectives. An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process. This assessment drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc. can support the business objectives. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization's business objectives.

While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the: a. effectiveness of the QA function because it should interact between project management and user management. b. efficiency of the QA function because it should interact with the project implementation team. c. effectiveness of the project manager because the project manager should interact with the QA function. d. efficiency of the project manager because the QA function needs to communicate with the project implementation team.

a. effectiveness of the QA function because it should interact between project management and user management. To be effective, the quality assurance (QA) function should be independent of project management. If it is not, project management may put pressure on the QA function to approve an inadequate product. ** doesn't matter how fast, matters they communicate accurate info to management -- reporting to management (think QRM, they don't interact with staff)

The PRIMARY benefit of an enterprise architecture initiative is to: a. enable the organization to invest in the most appropriate technology. b. ensure security controls are implemented on critical platforms. c. allow development teams to be more responsive to business requirements. d. provide business units with greater autonomy to select IT solutions that fit their needs.

a. enable the organization to invest in the most appropriate technology. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective.

The ultimate purpose of IT governance is to: a. encourage optimal use of IT. b. reduce IT costs. c. decentralize IT resources across the organization. d. centralize control of IT.

a. encourage optimal use of IT. IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.

Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy: a. is driven by an IT department's objectives. b. is published, but users are not required to read the policy. c. does not include information security procedures. d. has not been updated in over a year.

a. is driven by an IT department's objectives. Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals.

The success of control self-assessment depends highly on: a. line managers assuming a portion of the responsibility for control monitoring. b. assigning staff managers the responsibility for building controls. c. the implementation of a stringent control policy and rule-driven controls. d. the implementation of supervision and monitoring of controls of assigned duties.

a. line managers assuming a portion of the responsibility for control monitoring. The self-assessment goal is to have management assume a portion of the risk.

In the context of effective information security governance, the primary objective of value delivery is to: a. optimize security investments in support of business objectives b. implement a standard set of security practices. c. institute a standards-based solution. d. implement a continuous improvement culture.

a. optimize security investments in support of business objectives In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives.

The PRIMARY objective of implementing corporate governance is to: a. provide strategic direction. b. control business operations. c. align IT with business. d. implement good practices.

a. provide strategic direction.

An IS auditor is evaluating the IT governance framework of an organization. Which of the following is the GREATEST concern? a. Senior management has limited involvement. b. Return on investment is not measured. c. Chargeback of IT cost is not consistent. d. Risk appetite is not quantified.

a. Senior management has limited involvement. To ensure that the IT governance framework is effectively in place, senior management must be involved and aware of roles and responsibilities. Therefore, it is most essential to ensure the involvement of senior management when evaluating the soundness of IT governance.

A top-down approach to the development of operational policies helps to ensure: a. that they are consistent across the organization. b. that they are implemented as a part of risk assessment. c. compliance with all policies. d. that they are reviewed periodically.

a. that they are consistent across the organization Deriving lower-level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies.

In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether: a. there is an integration of IT and business personnel within projects. b. there is a clear definition of the IT mission and vision. c. a strategic information technology planning scorecard is in place. d. the plan correlates business objectives to IT goals and objectives.

a. there is an integration of IT and business personnel within projects. The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan provides a framework for the IT short-range plan.

An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider's employees adhere to the security policies? a. Sign-off is required on the enterprise's security policies for all users. b. An indemnity clause is included in the contract with the service provider. c. Mandatory security awareness training is implemented for all users. d. Security policies should be modified to address compliance by third-party users.

b. An indemnity clause is included in the contract with the service provider. Having the service provider sign an indemnity clause will ensure compliance with the enterprise's security policies, because any violations discovered will lead to a financial liability for the service provider. This will also prompt the enterprise to monitor security violations closely.

When developing a security architecture, which of the following steps should be executed FIRST? a. Developing security procedures b. Defining a security policy c. Specifying an access control methodology d. Defining roles and responsibilities

b. Defining a security policy Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies often set the stage in terms of the tools and procedures that are needed for an organization.

Which of the following factors is MOST critical when evaluating the effectiveness of an IT governance implementation? a. Ensure that assurance objectives are defined. b. Determine stakeholder requirements and involvement. c. Identify relevant risk and related opportunities. d. Determine relevant enablers and their applicability.

b. Determine stakeholder requirements and involvement. The most critical factor to be considered in auditing an IT governance implementation is to determine stakeholder requirements and involvement. This drives the success of the project. Based on this, the assurance scope and objectives are determined.

To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the: a. enterprise data model. b. IT balanced scorecard. c. IT organizational structure. d. historical financial statements.

b. IT balanced scorecard.

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate? a. Review the strategic alignment of IT with the business. b. Implement accountability rules within the organization. c. Ensure that independent IS audits are conducted periodically. d. Create a chief risk officer role in the organization.

b. Implement accountability rules within the organization. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself.

An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend? a. User acceptance testing occurs for all reports before release into production b. Organizational data governance practices are put in place c. Standard software tools are used for report development d. Management signs off on requirements for new reports

b. Organizational data governance practices are put in place This choice directly addresses the problem. An organization-wide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative.

An IS auditor of a large organization is reviewing the roles and responsibilities of the IT function and finds some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor? a. Network administrators are responsible for quality assurance. b. System administrators are application programmers. c. End users are security administrators for critical applications. d. Systems analysts are database administrators.

b. System administrators are application programmers. System administrators should not be application programmers, due to the associated rights of both functions. A person with both system and programming rights can do almost anything on a system, including creating a back door.

After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following is the GREATEST risk? a. Project management and progress reporting is combined in a project management office that is driven by external consultants. b. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. c. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other organization's legacy systems. d. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

b. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. The efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house-developed legacy applications.

Which of the following is the MAIN reason to perform a risk assessment in the planning phase of an IS audit? a. To ensure management's concerns are addressed b. To provide reasonable assurance material items will be addressed c. To ensure the audit team will perform audits within budget d. To develop the audit program and procedures to perform the audit

b. To provide reasonable assurance material items will be addressed A risk assessment helps to focus the audit procedures on the highest risk areas included in the scope of the audit. The concept of reasonable assurance is also important.

Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement with an external IT service provider? a. Payment terms b. Uptime guarantee c. Indemnification clause d. Default resolution

b. Uptime guarantee The most important element of a service level agreement (SLA) is the measurable terms of performance, such as uptime agreements.

What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should: a. interface with various types of enterprise resource planning software and databases. b. accurately capture data from the organization's systems without causing excessive performance problems. c. introduce audit hooks into the company's financial systems to support continuous auditing. d. be customizable and support inclusion of custom programming to aid in investigative analysis.

b. accurately capture data from the organization's systems without causing excessive performance problems.

While reviewing a quality management system, the IS auditor should PRIMARILY focus on collecting evidence to show that: a. quality management systems comply with good practices. b. continuous improvement targets are being monitored. c. standard operating procedures of IT are updated annually. d. key performance indicators are defined.

b. continuous improvement targets are being monitored. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS). *** Key performance indicators may be defined in a QMS, but they are of little value if they are not being monitored.

Before implementing an IT balanced scorecard, an organization must: a. deliver effective and efficient services. b. define key performance indicators. c. provide business value to IT projects. d. control IT expenses.

b. define key performance indicators.

An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement between the organization and vendor should be the provisions for: a. documentation of staff background checks. b. independent audit reports or full audit access. c. reporting the year-to-year incremental cost reductions. d. reporting staff turnover, development or training.

b. independent audit reports or full audit access. When the functions of an IT department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. ** cost reduction isn't as important as audit access

When reviewing the IT strategy, an IS auditor can BEST assess whether the strategy supports the organization's business objectives by determining whether IT: a. has all the personnel and equipment it needs. b. plans are consistent with management strategy. c. uses its equipment and personnel efficiently and effectively. d. has sufficient excess capacity to respond to changing directions.

b. plans are consistent with management strategy. The only way to know if IT strategy will meet business objectives is to determine if the IT plan is consistent with management strategy and that it relates IT planning to business plans.

Which of the following is MOST important to consider when reviewing the classification levels of information assets? a. Potential loss b. Financial cost c. Potential threats d. Cost of insurance

b. Potential loss The best basis for asset classification is an understanding of the total losses a business may incur if the asset is compromised. Typically, estimating these losses requires a review of criticality and sensitivity beyond financial cost, such as operational and strategic. Need to know what the loss would be to identify the threat.

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk? a. Risk reduction b. Risk transfer c. Risk avoidance d. Risk mitigation

b. Risk transfer This typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist.

Establishing the level of acceptable risk is the responsibility of: a. quality assurance management. b. senior business management. c. the chief information officer. d. the chief security officer.

b. Senior business management Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization as a senior manager of the business process. The person can be the quality assurance (QA), chief information officer (CIO), or the chief security officer (CSO), but the responsibility rests with the business manager.

Which of the following is of MOST interest to an IS auditor reviewing an organization's risk strategy? a. All risk is mitigated effectively. b. Residual risk is zero after control implementation. c. All likely risk is identified and ranked. d. The organization uses an established risk framework.

c. All likely risk is identified and ranked. Risk that is likely to impact the organization should be identified and documented as part of the risk strategy. Without knowing the risk, there is no risk strategy. Gives most coverage.

Which of the following should be the MOST important consideration when deciding on areas of priority for IT governance implementations? a. Process maturity b. Performance indicators c. Business risk d. Assurance reports

c. Business risk Priority should be given to those areas that represent a known risk to the enterprise operations.

Corporate IT policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation? a. Have the current configuration approved by operations management. b. Ensure that there is an audit trail for all existing accounts. c. Implement individual user accounts for all staff. d. Amend the IT policy to allow shared accounts.

c. Implement individual user accounts for all staff. Individual user accounts allow for accountability of transactions and should be the most important recommendation, given the current scenario.

Which of the following BEST supports the prioritization of new IT projects? a. Internal control self-assessment b. Information systems audit c. Investment portfolio analysis d. Business risk assessment

c. Investment portfolio analysis It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy but also provide the rationale for terminating nonperforming IT projects.

Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities? a. Define a balanced scorecard for measuring performance. b. Consider user satisfaction in the key performance indicators. c. Select projects according to business benefits and risk. d. Modify the yearly process of defining the project portfolio.

c. Select projects according to business benefits and risk. Prioritization of projects on the basis of their expected benefit(s) to business, and the related risk, is the best measure for achieving alignment of the project portfolio to an organization's strategic priorities.

An IS auditor is assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? a. An audit clause is present in all contracts. b. The service level agreement of each contract is substantiated by appropriate key performance indicators. c. The contractual warranties of the providers support the business needs of the organization. d. At contract termination, support is guaranteed by each outsourcer for new outsourcers.

c. The contractual warranties of the providers support the business needs of the organization. The primary requirement is for the services provided by the outsource supplier to meet the needs of the business. ***All service level agreements should be measurable and reinforced through key performance indicators—but the first step is to ensure that the SLAs are aligned with business requirements.

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? a. User management coordination does not exist. b. Specific user accountability cannot be established. c. Unauthorized users may have access to modify data. d. Audit recommendations may not be implemented.

c. Unauthorized users may have access to modify data. Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that individuals can gain (be given) system access when they should not have authorization. The ability of unauthorized users to modify data is greater than the risk of authorized user accounts not being controlled properly.

The initial step in establishing an information security program is the: a. development and implementation of an information security standards manual. b. performance of a comprehensive security control review by the IS auditor. c. adoption of a corporate information security policy statement. d. purchase of security access control software.

c. adoption of a corporate information security policy statement. A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program. Policies come first.

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: a. control self-assessments. b. a business impact analysis. c. an IT balanced scorecard. d. business process reengineering.

c. an IT balanced scorecard. An IT balanced scorecard bridges the gap between IT and business objectives by supplementing the traditional evaluation with measures to evaluate customer satisfaction, internal process and the ability to innovate.

The risk associated with electronic evidence gathering is MOST likely reduced by an email: a. destruction policy. b. security policy. c. archive policy. d. audit policy.

c. archive policy. With a policy of well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible.

When developing a formal enterprise security program, the MOST critical success factor is the: a. establishment of a review board. b. creation of a security unit. c. effective support of an executive sponsor. d. selection of a security process owner.

c. effective support of an executive sponsor. The executive sponsor is in charge of supporting the organization's strategic security program and aids in directing the organization's overall security management activities. Therefore, support by the executive level of management is the most critical success factor.

During a risk analysis, an IS auditor identifies threats and potential impacts. Next, the IS auditor should: a. ensure the risk assessment is aligned to management's risk assessment process. b. identify information assets and the underlying systems. c. disclose the threats and impacts to management. d. identify and evaluate the existing controls.

c. identify and evaluate the existing controls. It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.

A decision support system is used to help high-level management: a. solve highly structured problems. b. combine the use of decision models with predetermined criteria. c. make decisions based on data analysis and interactive models. d. support only structured decision-making tasks.

c. make decisions based on data analysis and interactive models. A decision support system (DSS) emphasizes flexibility in the decision-making approach of management through data analysis and the use of interactive models, not fixed criteria.

To address the risk of operations staff's failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk: a. avoidance. b. transfer. c. mitigation. d. acceptance.

c. mitigation. Risk mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. By requiring the systems administrator to sign off on the completion of the backups, this is an administrative control that can be validated for compliance. It mitigates the risk of someone not reviewing the backups because secondary approval is needed.

An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. This logging is: a. an effective preventive control. b. a valid detective control. c. not an adequate control. d. a corrective control.

c. not an adequate control. It is the review of such a log that makes the activity a control (i.e., generation plus review equals control).

The output of the risk management process is an input for making: a. business plans. b. audit charters. c. security policy decisions. d. software design decisions.

c. security policy decisions. The risk management process is about making specific, security-related decisions, such as the level of acceptable risk.

When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies: a. are aligned with globally accepted industry good practices. b. are approved by the board of directors and senior management. c. strike a balance between business and security requirements. d. provide direction for implementing security procedures.

c. strike a balance between business and security requirements. Because information security policies must be aligned with an organization's business and security objectives, this is the primary focus of the IS auditor when reviewing the development of information security policies. ***It is essential that policies be approved; however, that is not the primary focus during the development of the policies.

A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that: a. the security controls of the application may not meet requirements. b. the application may not meet the requirements of the business users. c. the application technology may be inconsistent with the enterprise architecture. d. the application may create unanticipated support issues for IT.

c. the application technology may be inconsistent with the enterprise architecture. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system that is not part of the EA for the business, this increases the cost and complexity of the solution and ultimately delivers less value to the business.

An IS auditor reviews an organizational chart PRIMARILY for: a. an understanding of the complexity of the organizational structure. b. investigating various communication channels. c. understanding the responsibilities and authority of individuals. d. investigating the network connected to different employees.

c. understanding the responsibilities and authority of individuals. An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions. **Complexity isn't explained in an org chart.

An IS auditor reviewing the process of log monitoring wants to evaluate the organization's manual review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose? a. Inspection b. Inquiry c. Walkthrough d. Reperformance

c. Walkthrough. These procedures usually include a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses. Inspection alone is not enough.

An organization is considering making a major investment in upgrading technology. Which of the following choices is the MOST important to consider? a. A cost analysis b. The security risk of the current technology c. Compatibility with existing systems d. A risk analysis

d. A risk analysis Prior to implementing new technology, an organization should perform a risk analysis, which is then presented to business unit management for review and acceptance.

Which of the following goals do you expect to find in an organization's strategic plan? a. Results of new software testing b. An evaluation of information technology needs c. Short-term project plans for a new planning system d. Approved suppliers for products offered by the company

d. Approved suppliers for products offered by the company Approved suppliers of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and, thus, is a part of the organization's strategic plan.

Which of the following would be expected to approve the audit charter? a. Chief financial officer b. Chief executive officer c. Audit steering committee d. Audit committee

d. Audit committee One of the primary functions of the audit committee is to create and approve the audit charter.

An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase? a. Development of an audit program b. Define the audit scope c. Identification of key information owners d. Development of a risk assessment

d. Development of a risk assessment A risk assessment should be performed to determine how internal audit resources should be allocated to ensure that all material items will be addressed.

A small organization has only one database administrator (DBA) and one system administrator. The DBA has root access to the UNIX server, which hosts the database application. How should segregation of duties be enforced in this scenario? a. Hire a second DBA and split the duties between the two individuals. b. Remove the DBA's root access on all UNIX servers. c. Ensure that all actions of the DBA are logged and that all logs are backed up to tape. d. Ensure that database logs are forwarded to a UNIX server where the DBA does not have root access.

d. Ensure that database logs are forwarded to a UNIX server where the DBA does not have root access. By creating logs that the DBA cannot erase or modify, segregation of duties is enforced.

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation? a. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts. b. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle. c. No recommendation is necessary because the current approach is appropriate for a medium-sized organization. d. Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management.

d. Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management. The first step is to identify risk; the aim is to keep mitigation efforts up to date.

Which of the following is the MOST important function to be performed by IT management when a service has been outsourced? a. Ensuring that invoices are paid to the provider b. Participating in systems design with the provider c. Renegotiating the provider's fees d. Monitoring the outsourcing provider's performance

d. Monitoring the outsourcing provider's performance. In an outsourcing environment, the enterprise is dependent on the performance of the service provider. Therefore, it is critical that the outsourcing provider's performance is monitored to ensure that services are delivered to the enterprise as required.

During an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern? a. Maximum acceptable downtime metrics have not been defined in the contract. b. The IT department does not manage the relationship with the cloud vendor. c. The help desk call center is in a different country, with different privacy requirements. d. Organization-defined security policies are not applied to the cloud application.

d. Organization-defined security policies are not applied to the cloud application. Cloud applications should adhere to the organization-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.

An IS auditor discovers several IT-based projects were implemented and not approved by the steering committee. What is the GREATEST concern for the IS auditor? a. The IT department's projects will not be adequately funded. b. IT projects are not following the system development life cycle process. c. IT projects are not consistently formally approved. d. The IT department may not be working toward a common goal.

d. The IT department may not be working toward a common goal. The steering committee provides direction and control over projects to ensure that the company is making appropriate investments. Without approval, the project may or may not be working toward the company's goals.

Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process? a. The maturity of the project management process b. The regulatory environment c. Past audit findings d. The IT project portfolio analysis

d. The IT project portfolio analysis Portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the IT portfolio provides comparable information of planned initiatives, projects and ongoing IT services, which allows the IT strategy to be aligned with the business strategy.

Which of the following IT governance good practices improves strategic alignment? a. Supplier and partner risk is managed. b. A knowledge base on customers, products, markets and processes is in place. c. A structure is provided that facilitates the creation and sharing of business information. d. Top management mediates between the imperatives of business and technology.

d. Top management mediates between the imperatives of business and technology.

When an employee is terminated from service, the MOST important action is to: a. hand over all of the employee's files to another designated employee. b. complete a backup of the employee's work. c. notify other employees of the termination. d. disable the employee's logical access.

d. disable the employee's logical access. There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important and immediate action to take.

The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it: a. does not exceed the existing IT budget. b. is aligned with the investment strategy. c. has been approved by the IT steering committee. d. is aligned with the business plan.

d. is aligned with the business plan. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.

Effective IT governance requires organizational structures and processes to ensure that: a. risk is maintained at a level acceptable for IT management. b. the business strategy is derived from an IT strategy. c. IT governance is separate and distinct from the overall governance. d. the IT strategy extends the organization's strategies and objectives.

d. the IT strategy extends the organization's strategies and objectives. IT strategy should be aligned with the business/organizational strategy.

An enterprise's risk appetite is BEST established by: a. the chief legal officer. b. security management. c. the audit committee. d. the steering committee.

d. the steering committee. This group is best suited to determine the enterprise's risk appetite because the committee draws its representation from senior management.

vouching

the use of documentation to support recorded transactions or amounts

Secondary employment

when an employee obtains a job in addition to the role they have in your business

Service Level Agreement

A service-level agreement (SLA) defines the level of service you expect from a vendor, laying out the metrics by which service is measured, as well as remedies or penalties should agreed-on service levels not be achieved. It is a critical component of any technology vendor contract. For example, an Internet service provider (ISP) may guarantee that their service will be available 99.99 percent of the time.

port scanning attack

An attack where an attacker scans your systems to see which ports are listening in an attempt to find a way to gain unauthorized access. Port scans target the external firewall of the organization. Use of wireless will not affect this.

Which of the following BEST provides assurance of the integrity of new staff? a. Background screening b. References c. Bonding d. Qualifications listed on a résumé

a. Background screening. A candidate can lie on a résumé, and references can lie. Background screening may include criminal history checks, driver's license abstracts, financial status checks, verification of education, etc.

business interruption insurance

Business interruption insurance covers the loss of profit due to the disruption in the operations of an organization.

An enterprise selected a vendor to develop and implement a new software system. To ensure that the enterprise's investment in software is protected, which of the following security clauses is MOST important to include in the master services agreement? a. Limitation of liability b. Service level requirements c. Software escrow d. Version control

c. Software escrow. These clauses in a contract ensure that the software source code will still be available to the organization in the event of a vendor issue, such as insolvency and copyright issues.

An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review? a. Controls are implemented based on cost-benefit analysis. b. The risk management framework is based on global standards. c. The approval process for risk response is in place. d. IT risk is presented in business terms.

d. IT risk is presented in business terms. For risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms.

enterprise architecture (EA) requirements

The EA must include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective.

While reviewing the IT governance processes of an organization, an IS auditor discovers the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation? a. Key performance indicators are not reported to management and management cannot determine the effectiveness of the BSC. b. IT projects could suffer from cost overruns. c. Misleading indications of IT performance may be presented to management. d. IT service level agreements may not be accurate.

c. Misleading indications of IT performance may be presented to management. The IT balanced scorecard is designed to measure IT performance. To measure performance, a sufficient number of performance drivers (key performance indicators [KPIs]) must be defined and measured over time. Failure to have objective KPIs may result in arbitrary, subjective measures that may be misleading and lead to unsound decisions.

Data loss prevention

This is an automated preventive tool that can block sensitive information from leaving the network, while at the same time logging the offenders. Example: think of Deloitte; when you try to send an email with an attachment to an external user, it validates it.

Errors and Omissions insurance

This type of insurance provides legal liability protection in the event that the professional practitioner commits an act that results in financial loss to a client.

Service level requirements Clause

These specify financial penalties for not meeting standards, but they do not address issues of vendor insolvency.

source code escrow agreement

This agreement ensures that the purchasing organization has the opportunity to modify the software should the vendor cease to be in business.

When performing a review of a business process reengineering (BPR) effort, which of the following is of PRIMARY concern? a. Controls are eliminated as part of the streamlining BPR effort b. Resources are not adequate to support the BPR process. c. The audit department does not have a consulting role in the BPR effort. d. The BPR effort includes employees with limited knowledge of the process area.

a. Controls are eliminated as part of the streamlining BPR effort

Steering Committee

A form of corporate governance made up of high-level executives, authorities, or stakeholders who provide strategic oversight and guidance to one or more projects within an organization. The IT steering committee enforces governance on behalf of the board of directors. An IT steering committee typically has a variety of responsibilities, including approving IT project plans and budgets. Issues related to business objectives, risk and governance are responsibilities that are generally assigned to an IT strategy committee, because it provides insight and advice to the board.

Capability Maturity Model (CMM)

A methodology used to develop and refine an organization's software development process. The model describes a five-level evolutionary path of increasingly organized and systematically more mature processes.

Zachman Framework for Enterprise Architecture

A model framework that is a starting point for many contemporary EA projects. It helps move IT projects from abstract to physical using models and representations with progressively greater levels of detail.

After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented? a. A cost-benefit analysis b. An annual loss expectancy calculation c. A comparison of the cost of the IPS and firewall and the cost of the business systems d. A business impact analysis

a. A cost-benefit analysis In a cost-benefit analysis, the total expected purchase and operational/support costs, and a qualitative value for all actions are weighted against the total expected benefits to choose the best technical, most profitable, least expensive or acceptable risk option.

Which of the following is the MOST critical to the quality of data in a data warehouse? a. Accuracy of the source data b. Credibility of the data source c. Accuracy of the extraction process d. Accuracy of the data transformation

a. Accuracy of the source data Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Inaccurate source data will corrupt the integrity of the data in the data warehouse.

Which of the following should be considered FIRST when implementing a risk management program? a. An understanding of the organization's threat, vulnerability and risk profile b. A determination of risk management priorities that are based on potential consequences c. An understanding of the risk exposures and the potential consequences of compromise d. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level

a. An understanding of the organization's threat, vulnerability and risk profile. You need to understand the risk before you can address or mitigate it.

Which of the following is MOST critical for the successful implementation and maintenance of a security policy? a. Assimilation of the framework and intent of a written security policy by all appropriate parties b. Management support and approval for the implementation and maintenance of a security policy c. Enforcement of security rules by providing punitive actions for any violation of security rules d. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

a. Assimilation of the framework and intent of a written security policy by all appropriate parties If a policy is not assimilated into daily actions, it will not be effective.

Which of the following is normally a responsibility of the chief information security officer? a. Periodically reviewing and evaluating the security policy b. Executing user application and software testing and evaluation c. Granting and revoking user access to IT resources d. Approving access to data and applications

a. Periodically reviewing and evaluating the security policy The role of the chief information security officer is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the enterprise assets, including data, programs and equipment.

For a health care organization, which one of the following reasons MOST likely indicates that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation? a. There are regulations regarding data privacy. b. Member service representative training cost will be much higher. c. It is harder to monitor remote databases. d. Time zone differences could impede customer service.

a. There are regulations regarding data privacy. Regulations prohibiting the cross-border flow of personally identifiable information may make it impossible to locate a data warehouse containing customer/member information in another country. Ex: think VG can't use USI.

An IS auditor is reviewing an IT security risk management program. Measures of security risk should: a. consider the entire IT environment. b. address all of the network risk. c. result in the identification of vulnerability tolerances. d. be tracked over time against the IT strategic plan.

a. consider the entire IT environment. When assessing IT security risk, it is important to consider the entire IT environment.

The PRIMARY benefit of an enterprise architecture initiative is to: a. enable the organization to invest in the most appropriate technology. b. ensure security controls are implemented on critical platforms. c. allow development teams to be more responsive to business requirements. d. provide business units with greater autonomy to select IT solutions that fit their needs.

a. enable the organization to invest in the most appropriate technology. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective.

A benefit of open system architecture is that it: a. facilitates interoperability within different systems. b. facilitates the integration of proprietary components. c. will be a basis for volume discounts from equipment vendors. d. allows for the achievement of more economies of scale for equipment.

a. facilitates interoperability within different systems. Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors.

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of: a. one person knowing all parts of the system. b. dependency on a single person. c. inadequate succession planning. d. a disruption of operations.

a. one person knowing all parts of the system. This could lead to SOD issues or people knowing how to game the system. Cross-training is a process of training more than one individual to perform a specific job or procedure. However, before using this approach, it is prudent to assess the risk of any person knowing all parts of a system and the related potential exposures related to abuse of privilege.

An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks and reports for distribution. To BEST ensure payroll data accuracy: a. payroll reports should be compared to input forms. b. gross payroll should be recalculated manually. c. checks should be compared to input forms. d. checks should be reconciled with output reports.

a. payroll reports should be compared to input forms. The best way to confirm data accuracy, when input is provided by the organization and output is generated by the bank, is to verify the data input (input forms) against the results of the payroll reports. In other words, compare the input of the organization (forms such as terminations) to the output of the bank (payroll report).

While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Because the work involves confidential information, the IS auditor's PRIMARY concern should be that the: a. requirement for protecting confidentiality of information can be compromised. b. contract may be terminated because prior permission from the outsourcer was not obtained. c. other service provider to whom work has been outsourced is not subject to audit. d. outsourcer will approach the other service provider directly for further work.

a. requirement for protecting confidentiality of information can be compromised. Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. When a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised.

As an outcome of information security governance, strategic alignment provides: a. security requirements driven by enterprise requirements. b. baseline security following good practices. c. institutionalized and commoditized solutions. d. an understanding of risk exposure.

a. security requirements driven by enterprise requirements. Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements.

Involvement of senior management is MOST important in the development of: a. strategic plans. b. IT policies. c. IT procedures. d. standards and guidelines.

a. strategic plans. These provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. Policies are created based on the strategic plan.

The Secure Sockets Layer protocol ensures the confidentiality of a message by using: a. symmetric encryption. b. message authentication codes. c. hash function. d. digital signature certificates.

a. symmetric encryption

An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: a. this lack of knowledge may lead to unintentional disclosure of sensitive information. b. information security is not critical to all functions. c. IS audit should provide security training to the employees. d. the audit finding will cause management to provide continuous training to staff.

a. this lack of knowledge may lead to unintentional disclosure of sensitive information. All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.

Which of the following should be included in an organization's information security policy? a. A list of key IT resources to be secured b. The basis for access control authorization c. Identity of sensitive security assets d. Relevant software security features

b. The basis for access control authorization

Which of the following is the BEST reference for an IS auditor to determine a vendor's ability to meet service level agreement (SLA) requirements for a critical IT security service? a. Compliance with the master agreement b. Agreed-on key performance metrics c. Results of business continuity tests d. Results of independent audit reports

b. Agreed-on key performance metrics. Key performance indicators are metrics that allow for a means to measure performance. Service level agreements (SLAs) are statements related to expected service levels. For example, an Internet service provider (ISP) may guarantee that their service will be available 99.99 percent of the time.

IT governance is PRIMARILY the responsibility of the: a. chief executive officer. b. board of directors. c. IT steering committee. d. audit committee.

b. Board of Directors IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors).

Which of the following insurance types provides for a loss arising from fraudulent acts by employees? a. Business interruption b. Fidelity coverage c. Errors and omissions d. Extra expense

b. Fidelity Coverage This type of insurance covers the loss arising from dishonest or fraudulent acts by employees.

Which of the following is the BEST enabler for strategic alignment between business and IT? a. A maturity model b. Goals and metrics c. Control objectives d. A responsible, accountable, consulted and informed (RACI) chart

b. Goals and metrics. These ensure that IT goals are set based on business goals, and they are the best enablers of strategic alignment.

Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with change control procedures in an organization? a. Review software migration records and verify approvals. b. Identify changes that have occurred and verify approvals. c. Review change control documentation and verify approvals. d. Ensure that only appropriate staff can migrate changes into production.

b. Identify changes that have occurred and verify approvals. The most effective method is to determine what changes have been made (check logs and modified dates) and then verify that they have been approved. Think how we test change management at clients.

Which of the following is the BEST criterion for evaluating the adequacy of an organization's security awareness program? a. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection. b. Job descriptions contain clear statements of accountability for information security. c. In accordance with the degree of risk and business impact, there is adequate funding for security efforts. d. No actual incidents have occurred that have caused a loss or a public embarrassment.

b. Job descriptions contain clear statements of accountability for information security. The inclusion of security responsibilities in job descriptions is a key factor in demonstrating the maturity of the security program and helps ensure that staff and management are aware of their roles with respect to information security.

To support an organization's goals, an IT department should have: a. a low-cost philosophy. b. long- and short-term plans. c. leading-edge technology. d. plans to acquire new hardware and software.

b. Long- and short-term plans To ensure its contribution to the realization of an organization's overall goals, the IT department should have long- and short-range plans that are consistent with the organization's broader and strategic plans for attaining its goals.

Which of the following is the BEST way to ensure that organizational policies comply with legal requirements? a. Inclusion of a blanket legal statement in each policy b. Periodic review by subject matter experts c. Annual sign-off by senior management on organizational policies d. Policy alignment to the most restrictive regulations

b. Periodic review by subject matter experts. Ex: a lawyer (SME) reviews the policies. Periodic review of policies by personnel with specific knowledge of regulatory and legal requirements best ensures that organizational policies are aligned with legal requirements.

An IS auditor is performing a review of an organization's governance model. Which of the following should be of MOST concern to the auditor? a. A policy ensuring systems are patched in a timely manner does not exist. b. The information security policy is not periodically reviewed by senior management. c. The audit committee did not review the organization's global mission statement. d. An organizational policy related to information asset protection does not exist.

b. The information security policy is not periodically reviewed by senior management. Data security policies should be reviewed/refreshed once every year to reflect changes in the organization's environment. Policies are fundamental to the organization's governance structure, and, therefore, this is the greatest concern. Top-level support is fundamental to information security governance.

An IS auditor finds that conference rooms have active network ports. Which of the following would prevent this discovery from causing concern? a. The corporate network is using an intrusion prevention system. b. This part of the network is isolated from the corporate network. c. A single sign-on has been implemented in the corporate network. d. Antivirus software is in place to protect the corporate network.

b. This part of the network is isolated from the corporate network. If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or by being physically separated.

Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment? a. To conduct a feasibility study to demonstrate IT value b. To ensure that investments are made according to business requirements c. To ensure that proper security controls are enforced d. To ensure that a standard development methodology is implemented

b. To ensure that investments are made according to business requirements. Theme: IT always needs to be following business strategy/needs.

From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy: a. is cost-effective. b. is future thinking and innovative. c. is aligned with the business strategy. d. has the appropriate priority level assigned.

c. is aligned with the business strategy

Which of the following is the BEST reason to implement a policy that places conditions on secondary employment for IT employees? a. To prevent the misuse of corporate resources b. To prevent conflicts of interest c. To prevent employee performance issues d. To prevent theft of IT assets

b. To prevent conflicts of interest. The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Policies should be in place to control IT employees seeking secondary employment from releasing sensitive information or working for a competing organization. Conflicts of interest can result in serious risk such as fraud, theft of intellectual property or other improprieties. Ex: Deloitte would make you report if you got another job and would have to approve it.

Which of the following does an IS auditor FIRST reference when performing an IS audit? a. Implemented procedures b. Approved policies c. Internal standards d. Documented practices

b. Approved policies. Policies are high-level documents that represent the corporate philosophy of an organization. Internal standards, procedures and practices are subordinate to policy. Ex: think starting point at NYPA.

As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through: a. strategic alignment. b. performance measurement. c. value delivery. d. resource management.

b. Performance measurement. This includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement, because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.

Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of: a. pre-BPR process flowcharts. b. post-BPR process flowcharts. c. BPR project plans d. continuous improvement and monitoring plans.

b. post-BPR process flowcharts. An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process.

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should: a. recommend that this separate project be completed as soon as possible. b. report this issue as a finding in the audit report. c. recommend the adoption of the Zachman framework. d. re-scope the audit to include the separate project as part of the current audit.

b. report this issue as a finding in the audit report. It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding.

A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and: a. recovery b. retention c. rebuilding d. re-use

b. Retention. Ex: you can't keep client emails in your inbox for an extended time, as this leads to more risk if someone gets into your mailbox.

An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data? a. Data retention, backup and recovery b. Return or destruction of information c. Network and intrusion detection d. A patch management process

b. Return or destruction of information. This is important to the privacy of the data when the contract with the cloud provider ends.

An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that: a. it has not been determined how the project fits into the overall project portfolio. b. the organizational impact of the project has not been assessed. c. not all IT stakeholders have been given an opportunity to provide input. d. the environmental impact of the data center has not been considered.

b. The organizational impact of the project has not been assessed. The feasibility study determines the strategic benefits of the project. Therefore, the result of the feasibility study determines the organizational impact: a comparison report of costs, benefits, risk, etc. The project portfolio is a part of measuring the organizational strategy.

An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if: a. the setup is geographically dispersed. b. the servers are clustered in one site. c. a hot site is ready for activation. d. diverse routing is implemented for the network.

b. The servers are clustered in one site. If all the servers are in one site, they become susceptible to natural disaster or other disruptive events.

An organization allows for the use of universal serial bus drives to transfer operational data between offices. Which of the following is the GREATEST risk associated with the use of these devices? a. Files are not backed up b. Theft of the devices c. Use of the devices for personal purposes d. Introduction of malware into the network

b. Theft of the devices. Because universal serial bus (USB) drives tend to be small, they are susceptible to theft or loss. This represents the greatest risk to the organization.

An IS auditor was asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed? a. Require the vendor to provide monthly status reports. b. Have periodic meetings with the client IT manager. c. Conduct periodic audit reviews of the vendor. d. Require that performance parameters be stated within the contract.

c. Conduct periodic audit reviews of the vendor. Conducting periodic reviews of the vendor ensures that the agreements within the contract are completed in a satisfactory manner. Without future audit reviews after the contract is signed, service level agreements and the client's requirements for security controls may become less of a focus for the vendor, and the results may slip. Periodic audit reviews allow the client to take a look at the vendor's current state to ensure that the vendor is one with which they want to continue to work.

Which of the following controls helps prevent duplication of vouchers during data entry? a. A range check b. Transposition and substitution c. A sequence check d. A cyclic redundancy check

c. A sequence check. This validates that voucher numbers follow an increasing order, which identifies any voucher that is out of sequence and, thus, prevents duplicate vouchers.

An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What is the next task? a. Immediately report the risk to the chief information officer and chief executive officer. b. Examine the e-business application in development c. Identify threats and the likelihood of occurrence. d. Check the budget available for risk management.

c. Identify threats and the likelihood of occurrence. To determine the risk associated with e-business, an IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence.

Which of the following is an implementation risk within the process of decision support systems? a. Management control b. Semistructured dimensions c. Inability to specify purpose and usage patterns d. Changes in decision processes

c. Inability to specify purpose and usage patterns. A DSS is built around usage patterns, so a DSS implemented without a defined purpose or usage patterns is an implementation risk.

Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects? a. Project database b. Policy documents c. Project portfolio database d. Program organization

c. Project portfolio database. A portfolio covers multiple projects.

A company's development team does not follow generally accepted system development life cycle practices. Which of the following is MOST likely to cause problems for software development projects? a. Functional verification of the prototypes is assigned to end users. b. The project is implemented while minor issues are open from user acceptance testing. c. Project responsibilities are not formally defined at the beginning of a project. d. Program documentation is inadequate.

c. Project responsibilities are not formally defined at the beginning of a project Errors or lack of attention in the initial phases of a project may cause costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project.

As a result of profitability pressure, senior management of an enterprise decided to keep investments in information security at an inadequate level. Which of the following is the BEST recommendation of an IS auditor? a. Use cloud providers for low-risk operations. b. Revise compliance enforcement processes. c. Request that senior management accept the risk. d. Postpone low-priority security procedures.

c. Request that senior management accept the risk. Senior management determines resource allocations. Having established that the level of security is inadequate, it is imperative that senior management accept the risk resulting from their decisions.

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented? a. The reporting of the mean time between failures over time b. The overall mean time to repair failures c. The first report of the mean time between failures d. The overall response time to correct failures

c. The first report of the mean time between failures The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented.

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should: a. compute the amortization of the related assets. b. calculate a return on investment. c. apply a qualitative approach. d. spend the time needed to define the loss amount exactly.

c. Apply a qualitative approach. The common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). Think: the exact cost of the risk would be ever changing, so it is not beneficial to spend time calculating it.

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan: a. incorporates state of the art technology. b. addresses the required operational controls. c. articulates the IT mission and vision. d. specifies project management practices.

c. articulates the IT mission and vision. The IT strategic plan must include a clear articulation of the IT mission and vision.

The MAIN purpose for periodically testing offsite disaster recovery facilities is to: a. protect the integrity of the data in the database b. eliminate the need to develop detailed contingency plans. c. ensure the continued compatibility of the contingency facilities. d. ensure that program and system documentation remains current.

c. ensure the continued compatibility of the contingency facilities. The main purpose of offsite hardware testing is to ensure the continued compatibility of the contingency facilities so that assurance can be gained that the contingency plans would work in an actual disaster.

A local area network (LAN) administrator normally is restricted from: a. having end-user responsibilities. b. reporting to the end-user manager. c. having programming responsibilities. d. being responsible for LAN security administration.

c. having programming responsibilities. A local area network (LAN) administrator should not have programming responsibilities because that could allow modification of production programs without proper separation of duties, but the LAN administrator may have end-user responsibilities.

An IT steering committee should: a. include a mix of members from different departments and staff levels. b. ensure that IS security policies and procedures have been executed properly. c. maintain minutes of its meetings and keep the board of directors informed. d. be briefed about new trends and products at each meeting by a vendor.

c. Maintain minutes of its meetings and keep the board of directors informed. It is important to keep detailed IT steering committee minutes to document the decisions and activities of the IT steering committee. The board of directors should be informed about those decisions on a timely basis. Think: the board of directors is the top boss and needs to stay informed.

An IS auditor reviewing an outsourcing contract of IT facilities expects it to define the: a. hardware configuration. b. access control software. c. ownership of intellectual property. d. application development methodology.

c. ownership of intellectual property The contract must specify who owns the intellectual property (i.e., information being processed and application programs). Ownership of intellectual property is a significant cost and is a key aspect to be defined in an outsourcing contract.

Organizations requiring employees to take a mandatory vacation each year PRIMARILY want to ensure: a. adequate cross-training exists between functions. b. an effective internal control environment is in place by increasing morale. c. potential irregularities in processing are identified by a temporary replacement. d. the risk of processing errors is reduced.

c. potential irregularities in processing are identified by a temporary replacement.

By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that: a. reliable products are guaranteed. b. programmers' efficiency is improved. c. predictable software processes are followed. d. security requirements are designed.

c. predictable software processes are followed. By evaluating the organization's development projects against the capability maturity model, an IS auditor determines whether the development organization follows a stable, predictable software development process.

The MOST likely effect of the lack of senior management commitment to IT strategic planning is: a. a lack of investment in technology. b. a lack of a methodology for systems development. c. technology not aligning with organization objectives. d. an absence of control over technology contracts.

c. Technology not aligning with organization objectives. A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee, or a committee not composed of senior managers, is an indication of a lack of top-level management commitment. This condition increases the risk that IT is not aligned with organization strategy.

An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk? a. The policy has not been updated in more than one year. b. The policy includes no revision history. c. The policy is approved by the security administrator. d. The company does not have an information security policy committee.

c. The policy is approved by the security administrator. The IS policy should have an owner who is in management. Management is responsible for the development, review, approval and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management) and therefore does not have the authority to approve the policy. In addition, an individual in a more independent position should also review the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues.

Which of the following is responsible for the approval of an information security policy? a. IT department b. Security committee c. Security administrator d. Board of directors

d. Board of directors. Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors.

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers? a. Minimizing costs for the services provided b. Prohibiting the provider from subcontracting services c. Evaluating the process for transferring knowledge to the IT department d. Determining if the services were provided as contracted

d. Determining if the services were provided as contracted. The primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements.

While conducting an IS audit of a service provider for a government program involving confidential information, an IS auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met? a. Monthly committee meetings include the subcontractor's IS manager b. Management reviews weekly reports from the subcontractor c. Permission is obtained from the government agent regarding the contract d. Periodic independent audit of the work delegated to the subcontractor

d. Periodic independent audit of the work delegated to the subcontractor. Periodic independent audits provide reasonable assurance that the requirements for protecting confidentiality of information are not compromised. Ex: think SOC reports.

A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of: a. validation controls. b. internal credibility checks. c. clerical control procedures. d. automated systems balancing.

d. automated systems balancing. This would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction.

An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered: a. can deliver on the immediate contract. b. is of similar financial standing as the organization. c. has significant financial obligations that can impose liability to the organization. d. can support the organization in the long term.

d. can support the organization in the long term. The long-term financial viability of a vendor is essential for deriving maximum value for the organization—it is more likely that a financially sound vendor would be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product.

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: a. most valuable information assets. b. IS audit resources to be deployed. c. auditee personnel to be interviewed. d. control objectives and activities.

d. Control objectives and activities. After the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit.

An IS auditor has found that employees are emailing sensitive company information to public web-based email domains. Which of the following is the BEST remediation option for the IS auditor to recommend? a. Encrypted mail accounts b. Training and awareness c. Activity monitoring d. Data loss prevention

d. Data loss prevention. This is an automated preventive tool that can block sensitive information from leaving the network, while at the same time logging the offenders. This is a better choice than relying on training and awareness because it works equally well when there is intent to steal data.

Which of the following is the PRIMARY objective of an IT performance measurement process? a. Minimize errors b. Gather performance data c. Establish performance baselines d. Optimize performance

d. Optimize performance. The objective of a performance measurement process is to improve performance. An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions.

An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that: a. the systems staff of the organization is trained to handle any event. b. a backup server is available to run ETCS operations with up-to-date data. c. a backup server is loaded with all relevant software and data. d. source code of the ETCS application is placed in escrow.

d. source code of the ETCS application is placed in escrow. Whenever proprietary application software is purchased, the contract should provide for a source code escrow agreement. This agreement ensures that the purchasing organization has the opportunity to modify the software should the vendor cease to be in business.

The cryptographic hash sum of a message is recalculated by the receiver. This is to ensure: a. the confidentiality of the message. b. nonrepudiation by the sender. c. the authenticity of the message. d. the integrity of data transmitted by the sender.

d. The integrity of data transmitted by the sender. If the hash sum is different from what is expected, it implies that the message has been altered. This is an integrity test. Sum: if the numbers add up differently, it has been tampered with.

An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review: a. controls in place. b. effectiveness of the controls. c. mechanism for monitoring the risk d. threats/vulnerabilities affecting the assets.

d. Threats/vulnerabilities affecting the assets. The auditor must first know what the risks to the information systems are before knowing whether they have been evaluated correctly.

An IS auditor should ensure that a review of online electronic funds transfer reconciliation procedures includes: a. vouching. b. authorizations. c. corrections. d. tracing.

d. Tracing. This is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. In electronic funds transfer transactions, the direction of tracing may start from the customer-printed copy of the receipt, proceed to checking the system audit trails and logs, and end with checking the master file records for daily transactions.

IS management recently replaced its existing wired local area network with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks? a. Port scanning b. Back door c. Man-in-the-middle d. War Driving

d. War driving. This attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside.

War driving

Driving around looking for unprotected home or corporate wireless networks to hack.

Feasibility study

An investigation that gauges the probability of success and the strategic benefits of a proposed project and provides a rough assessment of the project's feasibility. The result of the feasibility study determines the organizational impact: a comparison report of costs, benefits, risk, etc.

IT Balanced Scorecard (BSC)

A business framework used for tracking and managing an organization's strategy. The BSC framework is based on the balance between leading and lagging indicators, which can respectively be thought of as the drivers and outcomes of your company goals. When used in the Balanced Scorecard framework, these key indicators tell you whether or not you're accomplishing your goals and whether you're on the right track to accomplish future goals.

business process reengineering (BPR)

A systematic, disciplined approach to reducing organizational costs and redundant business processes, involving the analysis of existing human and automated workflows.

Decision Support System (DSS)

An interactive information system that analyzes large volumes of data to inform business decisions. Ex: GPS route planning. A DSS can be used to plan the fastest and best routes between two points by analyzing the available options. These systems often include the capability to monitor traffic in real time to route around congestion.

Limitation of Liability Clause

A provision in a contract stating that one of the parties shall not be liable for damages in case of breach; also called an exculpatory clause. A limitation of liability clause protects the financial exposure of the organization but not its software investment.

interoperability

The capability of two or more computer systems to share data and resources, even though they are made by different manufacturers.

Secure Sockets Layer (SSL)

The standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details, via symmetric encryption. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This information could be anything sensitive or personal, which can include credit card numbers and other financial information, names and addresses.

Extra expense insurance

This type of insurance is designed to cover the extra costs of continuing operations following a disaster/disruption within an organization.
