November 16th Domain 2 226 Questions


You are correct, the answer is A. A. Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. B. Closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface with existing systems. C. The ability to obtain volume discounts is achieved through the use of bulk purchasing or a primary vendor, not through open system architecture. D. Open systems may be less expensive than proprietary systems depending on the supplier, but the primary benefit of open system architecture is its interoperability between vendors.

A benefit of open system architecture is that it: A. facilitates interoperability. B. facilitates the integration of proprietary components. C. will be a basis for volume discounts from equipment vendors. D. allows for the achievement of more economies of scale for equipment.

You are correct, the answer is B. A. Email policy should address the business and legal requirements of email retention. Addressing the retention issue in the email policy would facilitate recovery. B. Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which email communication is held in the same regard as the official form of classic "paper" makes the retention policy of corporate email a necessity. All email generated on an organization's hardware is the property of the organization, and an email policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of emails after a specified time to protect the nature and confidentiality of the messages themselves. C. Email policy should address the business and legal requirements of email retention. Addressing the retention issue in the email policy would facilitate rebuilding. D. Email policy should address the business and legal requirements of email retention. Reuse of email is not a policy matter.

A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and: A. recovery. B. retention. C. rebuilding. D. reuse.

You answered B. The correct answer is A. A. An IT steering committee typically has a variety of responsibilities, including approving IT project plans and budgets. Issues related to business objectives, risk and governance are responsibilities that are generally assigned to an IT strategy committee because it provides insight and advice to the board. B. Aligning IT to business objectives is a task usually assigned to an IT strategy committee. The steering committee would be more involved in approval and monitoring of individual projects and budgets. C. Issues related to compliance are tasks usually assigned to an IT strategy committee. The steering committee would be more involved in approval and monitoring of individual projects and budgets. D. IT governance is a task usually assigned to an IT strategy committee. The steering committee would be more involved in approval and monitoring of individual projects and budgets.

A financial enterprise has had difficulties establishing clear responsibilities between its IT strategy committee and its IT steering committee. Which of the following responsibilities would MOST likely be assigned to its IT steering committee? A. Approving IT project plans and budgets B. Aligning IT to business objectives C. Advising on IT compliance risk D. Promoting IT governance practices

You are correct, the answer is A. A. The expectation is that the basic mechanics of recovery for the new system are understood and the recovery infrastructure has been put into place. An appropriate test now would be to involve actual resources in a simulated recovery exercise. This exercise would test the new recovery infrastructure under controlled conditions. B. Assuming that recovery options have been actively considered during development (as they would need to be for a mission-critical system), a paper walk-through would be of limited value because it is only a modification to an existing plan. C. A security assessment or penetration test is vital for any application exposed to the Internet, but should have been performed much earlier in the process. D. Performing a failover test should only be done after the more basic tests of a simulation and walk-through have been completed.

A financial institution has recently developed and installed a new deposit system which interfaces with its customer web site and its automated teller machines (ATMs). During the project, the development team and the business continuity team maintained good communication and the business continuity plan (BCP) has been updated to include the new system. A suitable BCP test to perform at this point in time would be: A. using actual resources to perform a simulation of a system crash. B. a detailed paper walk-through of the plan. C. a penetration test for the web site interface application. D. performing a failover of the system at the designated secondary site.

You are correct, the answer is D. A. Length of service will not ensure technical competency. B. Evaluating an individual's qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world. C. The fact that the employee has worked in IT for many years may not, in itself, ensure credibility. The IS audit department's needs should be defined, and any candidate should be evaluated against those requirements. D. Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.

A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and: A. length of service, because this will help ensure technical competence. B. age, because training in audit techniques may be impractical. C. IT knowledge, because this will bring enhanced credibility to the audit function. D. ability, as an IS auditor, to be independent of existing IT relationships.

You answered C. The correct answer is D. A. A full-scale test in the situation described might fail because it would be the first time that the plan is actually exercised, and a number of resources (including IT) and time would be wasted. B. The walk-through test is a basic type of testing. Its intention is to make key staff familiar with the plan and discuss critical plan elements, rather than verifying its adequacy. C. The recovery of applications should always be verified and approved by the business instead of being purely IT-driven. The IT plan has been tested repeatedly so a disaster recovery test would not help in verifying the administrative and organizational parts of the BCP, which are not IT-related. D. After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Because the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the BCP before actually involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule.

A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP? A. Full-scale test with relocation of all departments, including IT, to the contingency site B. Walk-through test of a series of predefined scenarios with all critical personnel involved C. IT disaster recovery test with business departments involved in testing the critical applications D. Functional test of a scenario with limited IT involvement

You are correct, the answer is C. A. Amortization is used in a profit and loss statement, not in computing potential losses. B. A return on investment (ROI) is computed when there are predictable savings or revenues that can be compared to the investment needed to realize the revenues. C. The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). D. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change and, at the end of the day, the result will be a poorly supported evaluation.

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should: A. compute the amortization of the related assets. B. calculate a return on investment (ROI). C. apply a qualitative approach. D. spend the time needed to define the loss amount exactly.

You answered A. The correct answer is C. A. After selecting a strategy, a specific business continuity plan (BCP) can be developed, tested and implemented. B. After selecting a strategy, a specific BCP can be developed, tested and implemented. C. Once the business impact analysis (BIA) is completed, the next phase in the BCP development is to identify the various recovery strategies and select the most appropriate strategy for recovering from a disaster that will meet the time lines and priorities defined through the BIA. D. After selecting a strategy, a specific BCP can be developed, tested and implemented.

After completing the business impact analysis (BIA), what is the NEXT step in the business continuity planning (BCP) process? A. Test and maintain the plan. B. Develop a specific plan. C. Develop recovery strategies. D. Implement the plan.

You are correct, the answer is B. A. In postmerger integration programs, it is common to form project management offices (often staffed with external experts) to ensure standardized and comparable information levels in the planning and reporting structures, and to centralize dependencies of project deliverables or resources. B. The efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications. C. The development of new integrated systems can require some knowledge of the legacy systems to gain an understanding of each business process. D. In most cases, mergers result in application changes and thus in training needs as organizations and processes change to leverage the intended synergy effects of the merger.

After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following would be the GREATEST risk? A. Project management and progress reporting is combined in a project management office which is driven by external consultants. B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems. D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

You answered C. The correct answer is A. A. Succession planning ensures that internal personnel with the potential to fill key positions in the company are identified and developed. B. Job evaluation is the process of determining the worth of one job in relation to that of the other jobs in a company so that a fair and equitable wage and salary system can be established. C. Staff responsibilities definitions provide for well-defined roles and responsibilities; however, they do not minimize dependency on key individuals. D. Employee award programs provide motivation; however, they do not minimize dependency on key individuals.

An IS audit department is planning to minimize its dependency on key individuals. Activities that contribute to this objective are documented procedures, knowledge sharing, cross-training and: A. succession planning. B. staff job evaluation. C. responsibilities definitions. D. employee award programs.

You answered D. The correct answer is B. A. Auditing the cloud vendor would be useful; however, this would only be useful if the vendor is contractually required to provide disaster recovery (DR) services. B. DR services can only be expected from the vendor when explicitly listed in the contract with well-defined recovery time objectives (RTOs) and recovery point objectives (RPOs). Without the contractual language, the vendor is not required to provide DR services. C. An independent auditor's report, such as SSAE 16, on DR capabilities can be reviewed to ascertain the vendor's DR capabilities; however, this will only be fruitful if the vendor is contractually required to provide DR services. D. A copy of DR policies can be requested to review their adequacy; however, this will only be useful if the vendor is contractually required to provide DR services.

An IS auditor discovers that the disaster recovery plan (DRP) for a company does not include a critical application that is hosted in the cloud. Management's response states that the cloud vendor is responsible for disaster recovery (DR) and DR-related testing. What is the NEXT course of action for the IS auditor to pursue? A. Plan an audit of the cloud vendor. B. Review the vendor contract to determine its disaster recovery (DR) capabilities. C. Review an independent auditor's report of the cloud vendor. D. Request a copy of the disaster recovery plan (DRP) from the cloud vendor.

You answered D. The correct answer is A. A. All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders. B. Information security is everybody's business, and all staff should be trained in how to handle information correctly. C. Providing security awareness training is not an IS audit function. D. Management may agree to or reject an audit finding. The IS auditor cannot be assured that management will act upon an audit finding unless they are aware of its impact; therefore, the auditor must report the risk associated with lack of security awareness.

An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: A. this lack of knowledge may lead to unintentional disclosure of sensitive information. B. information security is not critical to all functions. C. IS audit should provide security training to the employees. D. the audit finding will cause management to provide continuous training to staff.

You answered C. The correct answer is B. A. The IS auditor would not ordinarily provide input on the timing of projects, but rather provide an assessment of the current environment. The most critical issue in this scenario is that the enterprise architecture (EA) is undergoing change, so the IS auditor should be most concerned with reporting this issue. B. It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding. C. The company is free to choose any EA framework, and the IS auditor should not recommend a specific framework. D. Changing the scope of an audit to include the secondary project is not required, although a follow-up audit may be desired.

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should: A. recommend that this separate project be completed as soon as possible. B. report this issue as a finding in the audit report. C. recommend the adoption of the Zachman framework. D. re-scope the audit to include the separate project as part of the current audit.

You are correct, the answer is C. A. Although providing monthly status reports may show that the vendor is meeting contract terms, without independent verification these data may not be reliable. B. Having periodic meetings with the client IT manager will assist with understanding the current relationship with the vendor, but meetings may not include vendor audit reports, status reports and other information that a periodic audit review would take into consideration. C. Conducting periodic reviews of the vendor will ensure that the agreements within the contract are completed in a satisfactory manner. Without future audit reviews after the contract is signed, service level agreements (SLAs) as well as the client's requirements for security controls may become less of a focus for the vendor and the results may slip. Periodic audit reviews allow the client to take a look at the vendor's current state to ensure that the vendor is one with whom they wish to continue to work. D. Requiring that performance parameters be stated within the contract is important, but only if periodic reviews are performed to determine that performance parameters are met.

An IS auditor has been asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed? A. Require the vendor to provide monthly status reports. B. Have periodic meetings with the client IT manager. C. Conduct periodic audit reviews of the vendor. D. Require that performance parameters be stated within the contract.

You answered A. The correct answer is C. A. All other choices are important, but the first step is to ensure that the contracts support the business—only then can an audit process be valuable. B. All service level agreements (SLAs) should be measurable and reinforced through key performance indicators (KPIs)—but the first step is to ensure that the SLAs are aligned with business requirements. C. The primary requirement is for the services provided by the outsource supplier to meet the needs of the business. D. Having appropriate controls in place for contract termination is important, but first the IS auditor must be focused on the requirement of the supplier to meet business needs.

An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? A. An audit clause is present in all contracts. B. The service level agreement (SLA) of each contract is substantiated by appropriate key performance indicators (KPIs). C. The contractual warranties of the providers support the business needs of the organization. D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.

You answered C. The correct answer is B. A. Recommending that user acceptance testing (UAT) occur for all reports before release into production does not address the root cause of the problem described. B. This choice directly addresses the problem. An organization-wide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative. C. Recommending standard software tools be used for report development does not address the root cause of the problem described. D. Recommending that management sign off on requirements for new reports does not address the root cause of the problem described.

An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend? A. User acceptance testing (UAT) occur for all reports before release into production B. Organizational data governance practices be put in place C. Standard software tools be used for report development D. Management sign-off on requirements for new reports

You answered B. The correct answer is A. A. To ensure that the IT governance framework is effectively in place, senior management must be involved and aware of roles and responsibilities. Therefore, it is most essential to ensure the role of senior management when evaluating the soundness of IT governance. B. Ensuring revenue is a part of the objectives in the IT governance framework. Therefore, it is not effective in verifying the soundness of IT governance. C. Introduction of a cost allocation system is part of the objectives in an IT governance framework. Therefore, it is not effective in verifying the soundness of IT governance. D. Estimation of risk appetite is important; however, at the same time, management should ensure that controls are in place. Therefore, checking only on risk appetite does not verify soundness of IT governance.

An IS auditor is evaluating the IT governance framework of an organization. Which of the following would be the GREATEST concern? A. Senior management has limited involvement. B. Return on investment (ROI) is not measured. C. Chargeback of IT cost is not consistent. D. Risk appetite is not quantified.

You answered C. The correct answer is D. A. The auditor needs to know what standards the organization has adopted and then measure compliance with those standards. Determining how the organization follows the standards is secondary to knowing what the standards are. The other items listed—verifying how well standards are being followed, identifying relevant controls and reviewing the quality metrics—are secondary to the identification of standards. B. The first step is to know the standards and what policies and procedures are mandated for the organization, then to document the controls and measure compliance. C. The metrics cannot be reviewed until the auditor has a copy of the standards that describe or require the metrics. D. Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist.

An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to: A. verify how the organization follows the standards. B. identify and report the controls currently in place. C. review the metrics for quality evaluation. D. request all standards that have been adopted by the organization.

You are correct, the answer is B. A. A capability maturity model (CMM) would not help determine the optimal portfolio of capital projects because it is a means of assessing the relative maturity of the IT processes within an organization: running from Level 0 (Incomplete—Processes are not implemented or fail to achieve their purpose) to Level 5 (Optimizing—Metrics are defined and measured, and continuous improvement techniques are in place). B. Portfolio management is designed to assist in the definition, prioritization, approval and running of a set of projects within a given organization. These tools offer data capture, workflow and scenario planning functionality, which can help identify the optimum set of projects (from the full set of ideas) to take forward within a given budget. C. A configuration management database (which stores the configuration details for an organization's IT systems) is an important tool for IT service delivery and, in particular, change management. It may provide information that would influence the prioritization of projects, but is not designed for that purpose. D. PMBOK is a methodology for the management and delivery of projects. It offers no specific guidance or assistance in optimizing a project portfolio.

An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business value. Which of the following would be MOST relevant? A. A capability maturity model (CMM) B. Portfolio management C. Configuration management D. Project management body of knowledge (PMBOK)

You are correct, the answer is B. A. Data retention, backup and recovery are important controls; however, they do not guarantee data privacy. B. When reviewing a third-party agreement, the most important consideration with regard to the privacy of the data is the clause concerning the return or secure destruction of information at the end of the contract. C. Network and intrusion detection are helpful when securing the data, but on their own do not guarantee the privacy of data stored at a third-party provider. D. A patch management process helps secure servers, and may prohibit unauthorized disclosure of data; however, it does not affect the privacy of the data.

An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data? A. Data retention, backup and recovery B. Return or destruction of information C. Network and intrusion detection D. A patch management process

You answered B. The correct answer is C. A. Measures of security risk should not be limited to network risk, but rather focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. B. IT strategic plans are not granular enough to provide appropriate measures. Objective metrics must be tracked over time against measurable goals; thus, the management of risk is enhanced by comparing today's results against last week, last month, last quarter. Risk measures will profile assets on a network to objectively measure vulnerability risk. C. When assessing IT security risk, it is important to take into account the entire IT environment. D. Measures of security risk do not identify tolerances.

An IS auditor is reviewing an IT security risk management program. Measures of security risk should: A. address all of the network risk. B. be tracked over time against the IT strategic plan. C. take into account the entire IT environment. D. result in the identification of vulnerability tolerances.

You answered D. The correct answer is C. A. If the plan is not updated to reflect the new strategic goals of recovery time objective (RTO) and recovery point objective (RPO), then the plan may not achieve those new goals. This is a less significant problem than not having the appropriate data available. B. The lack of training on the new disaster recovery (DR) strategy creates risk in the team's ability to execute the plan, but this risk is not as significant as not having data available due to the frequency of backups. C. The RPO is defined in the ISACA glossary as "the earliest point in time to which it is acceptable to recover the data." If backups are not performed frequently enough to meet the new RPO, a risk is created that the company will not have adequate backup data in the event of a disaster. This is the most significant risk because, without availability of the necessary data, all other DR considerations are not useful. D. The lack of testing of the revised plan creates risk in the team's ability to execute the plan, but this risk is not as significant as not having data available due to the frequency of backups.

An IS auditor is reviewing changes to a company's disaster recovery (DR) strategy. The IS auditor notices that the recovery point objective (RPO) has been shortened for the company's mission-critical application. What is the MOST significant risk of this change? A. The existing DR plan is not updated to achieve the new RPO. B. The DR team has not been trained on the new RPO. C. Backups are not done frequently enough to achieve the new RPO. D. The plan has not been tested with the new RPO.

You are correct, the answer is D. A. Absence of management approval is an important (material) finding and while it is not currently an issue with relation to compliance because the employees are following the policy without approval, it may be a problem at a later time and should be resolved. B. While the IS auditor would likely recommend that the policies should be approved as soon as possible, and may also remind management of the critical nature of this issue, the first step would be to report this issue to the relevant stakeholders. C. The first step is to report the finding and provide recommendations later. D. The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee were terminated as a result of violating a company policy and it was discovered that the policies had not been approved, the company could be faced with an expensive lawsuit.

An IS auditor is verifying IT policies and found that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST? A. Ignore the absence of management approval because employees follow the policies. B. Recommend immediate management approval of the policies. C. Emphasize the importance of approval to management. D. Report the absence of documented approval.

You answered C. The correct answer is B. A. Ideally, network administrators should not be responsible for quality assurance because they could approve their own work. However, that is not as serious as the combination of security and programming, which would allow nearly unlimited abuse of privilege. B. When individuals serve multiple roles, this represents a separation of duties problem with associated risk. Security administrators should not be system programmers, due to the associated rights of both functions. A person with both security and programming rights could do almost anything on a system. The other combinations of roles are valid from a separation of duties perspective. C. In some distributed environments, especially with small staffing levels, users may also manage security. D. While a database administrator is a very privileged position, it would not be in conflict with the role of a systems analyst.

An IS auditor of a large organization is reviewing the roles and responsibilities for the IT function and has found some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor? A. Network administrators are responsible for quality assurance. B. Security administrators are system programmers. C. End users are security administrators for critical applications. D. Systems analysts are database administrators.
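The separation-of-duties question above can be turned into a repeatable check rather than a one-off review. The following is an added example, not part of the original question bank: it takes a list of (user, role) assignments, such as an export from an identity store, and flags every user holding a pair of roles that a conflict matrix marks as incompatible. The only pair entered here is the one the answer identifies as the greatest concern (security administrator plus system programmer); the role names and the sample assignments are constructed for illustration, and an organization would extend the matrix with its own conflicting pairs.

```python
from collections import defaultdict

# Conflict matrix: each entry is a pair of roles that one person must not hold
# together. Only the pair the question calls out is listed; add more pairs
# (constructed role names, chosen for this example) as the organization defines them.
CONFLICTS = {
    frozenset({"security_administrator", "system_programmer"}),
}


def find_sod_conflicts(assignments):
    """Return {user: [sorted conflicting role pairs]} for users who hold
    both roles of at least one pair in CONFLICTS.

    assignments: iterable of (user, role) tuples, e.g. from an IAM export.
    """
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        roles_by_user[user].add(role)

    findings = {}
    for user, roles in roles_by_user.items():
        # A pair is a hit only if the user holds BOTH roles of that pair.
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= roles)
        if hits:
            findings[user] = hits
    return findings


# Constructed sample data mirroring the four combinations in the question.
SAMPLE_ASSIGNMENTS = [
    ("alice", "network_administrator"), ("alice", "quality_assurance"),
    ("bob", "security_administrator"), ("bob", "system_programmer"),
    ("carol", "end_user"), ("carol", "security_administrator"),
    ("dave", "systems_analyst"), ("dave", "database_administrator"),
]

if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: conflicting roles {pairs}")
```

Run against the sample data, only bob is reported, matching answer B; alice, carol and dave hold combinations the answer key treats as acceptable, so they produce no finding unless the matrix is extended.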

You are correct, the answer is C. A. The hardware configuration is generally irrelevant as long as functionality, availability and security are not affected; those are the specific contractual obligations. B. The access control software is generally irrelevant as long as functionality, availability and security are not affected; those are the specific contractual obligations. C. The contract must specify who owns the intellectual property (i.e., information being processed, application programs). Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract. D. The development methodology should be of no real concern in an outsourcing contract.

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: A. hardware configuration. B. access control software. C. ownership of intellectual property. D. application development methodology.

You answered A. The correct answer is D. A. The IT steering committee is responsible for project approval and prioritization. B. The IT steering committee is responsible for oversight of the development of the long-term IT plan. C. The IT steering committee advises the board of directors on the status of developments in IT. D. Determining the business goals is the responsibility of senior management and not of the IT steering committee. IT should support business goals and be driven by the business—not the other way around.

An IS auditor reviewing the IT organization would be MOST concerned if the IT steering committee: A. is responsible for project approval and prioritization. B. is responsible for developing the long-term IT plan. C. reports the status of IT projects to the board of directors. D. is responsible for determining business goals.

You are correct, the answer is A. A. Monitoring systems performance and tracking problems that result from program changes would be outside the role and responsibilities of a telecommunications analyst. B. The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes. C. The responsibilities of a telecommunications analyst include assessing the impact of network load on terminal response times and network data transfer rates. D. The responsibilities of a telecommunications analyst include recommending network balancing procedures and improvements.

An IS auditor should be concerned when a telecommunication analyst: A. monitors systems performance and tracks problems resulting from program changes. B. reviews network load requirements in terms of current and future transaction volumes. C. assesses the impact of the network load on terminal response times and network data transfer rates. D. recommends network balancing procedures and improvements.

You are correct, the answer is C. A. The risk can only be determined after the threats, likelihood and vulnerabilities are all documented. B. The first step is to identify the risk levels to existing applications and then to apply those to applications in development. Risk can only be identified after the threats and likelihood have also been determined. C. To determine the risk associated with e-business, an IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. D. The budget available for risk management is not relevant at this point because the risk has not yet been determined.

An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task? A. Immediately report the risk to the chief information officer (CIO) and chief executive officer (CEO). B. Examine the e-business application in development. C. Identify threats and the likelihood of occurrence. D. Check the budget available for risk management.

You are correct, the answer is C. A. Only senior management or high-level staff members should be on this committee because of its strategic mission. B. Ensuring that information security policies and procedures have been executed properly is not a responsibility of this committee, but the responsibility of IT management and the security administrator. C. It is important to keep detailed IT steering committee minutes to document the decisions and activities of the IT steering committee, and the board of directors should be informed about those decisions on a timely basis. D. A vendor should be invited to meetings only when appropriate.

An IT steering committee should: A. include a mix of members from different departments and staff levels. B. ensure that IS security policies and procedures have been executed properly. C. maintain minutes of its meetings and keep the board of directors informed. D. be briefed about new trends and products at each meeting by a vendor.

You are correct, the answer is B. A. Having users sign off on policies is a good practice; however, this only puts the onus of compliance on the individual user, not on the organization. B. Having the service provider sign an indemnity clause will ensure compliance to the enterprise's security policies because any violations discovered would lead to a financial liability for the service provider. This will also prompt the enterprise to monitor security violations closely. C. Awareness training is an excellent control but will not ensure that the service provider's employees adhere to policy. D. Modification of security policy does not ensure compliance by users unless the policies are appropriately communicated to users and enforced, and awareness training is provided.

An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider's employees adhere to the security policies? A. Sign-off is required on the enterprise's security policies for all users. B. An indemnity clause is included in the contract with the service provider. C. Mandatory security awareness training is implemented for all users. D. Security policies should be modified to address compliance by third-party users.

You answered B. The correct answer is A. A. Reviewing whether the service provider's business continuity plan (BCP) process is aligned with the organization's BCP and contractual obligations is the correct answer because an adverse effect or disruption to the business of the service provider has a direct bearing on the organization and its customers. B. Reviewing whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster is not the correct answer because the presence of penalty clauses, although an essential element of an SLA, is a last resort and not a primary concern. C. The methodology adopted by the organization in choosing a service provider is a possible concern, but of lesser importance than ensuring that the service provider can be relied on in the event of a disaster. D. The accreditation of the third-party service provider's staff is a possible concern, but of lesser importance than the requirement to ensure that the service provider can provide service in the event of a disruption.

An organization has outsourced its wide area network (WAN) to a third-party service provider. Under these circumstances, which of the following is the PRIMARY task the IS auditor should perform during an audit of business continuity (BCP) and disaster recovery planning (DRP)? A. Review whether the service provider's BCP process is aligned with the organization's BCP and contractual obligations. B. Review whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster. C. Review the methodology adopted by the organization in choosing the service provider. D. Review the accreditation of the third-party service provider's staff.

You answered C. The correct answer is B. A. A full operational test is conducted after the paper and preparedness test and is quite expensive. B. A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for disaster recovery. C. A paper test is a structured walk-through of the disaster recovery plan and should be conducted before a preparedness test, but a paper test (deskcheck) is not sufficient to test the viability of the plan. D. A regression test is not a disaster recovery plan test and is used in software development and maintenance.

An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan? A. Full operational test B. Preparedness test C. Paper test D. Regression test

You are correct, the answer is D. A. A disaster recovery plan (DRP) will recover most critical systems first according to business priorities. B. Depending on business priorities, financial systems may or may not be the first to be recovered. C. The business manager, not the IS manager, will determine priorities for system recovery. D. Business management should know which systems are critical and what they need to process well in advance of a disaster. It is management's responsibility to develop and maintain the plan. Adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service organizations that exist for the purpose of assisting the general user management in successfully performing their jobs.

An organization's disaster recovery plan (DRP) should address early recovery of: A. all information systems processes. B. all financial processing applications. C. only those applications designated by the IS manager. D. processing in priority order, as defined by business management.

You answered B. The correct answer is A. A. Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives. B. Strategic alignment primarily focuses on ensuring linkage of business and IT plans, not on transparency. C. Value delivery is about executing the value proposition throughout the delivery cycle. Value delivery ensures that IT investments deliver on promised values, but does not ensure transparency of investment. D. Resource management is about the optimal investment in and proper management of critical IT resources, but does not ensure transparency of IT investments.

As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through: A. performance measurement. B. strategic alignment. C. value delivery. D. resource management.

You are correct, the answer is A. A. Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements. B. Strategic alignment ensures that security aligns with business goals. Providing a standard set of security practices, i.e., baseline security following best practices or institutionalized and commoditized solutions, is a part of value delivery. C. Value delivery addresses the effectiveness and efficiency of solutions, but is not a result of strategic alignment. D. Risk management is a primary goal of IT governance, but strategic alignment is not focused on understanding risk exposure.

As an outcome of information security governance, strategic alignment provides: A. security requirements driven by enterprise requirements. B. baseline security following best practices. C. institutionalized and commoditized solutions. D. an understanding of risk exposure.

You are correct, the answer is C. A. Having the current configuration approved is a recommendation that is not in compliance with the enterprise's own policy and would violate best practice. B. Having an audit trail for existing shared accounts would not provide accountability or resolve the problem of noncompliance with policy. C. Individual user accounts allow for accountability of transactions and should be the most important recommendation, given the current scenario. D. Shared user IDs do not allow for accountability of transactions and would not reflect best practice.

Corporate IT policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation? A. Have the current configuration approved by operations management. B. Ensure that there is an audit trail for all existing accounts. C. Implement individual user accounts for all staff. D. Amend the IT policy to allow shared accounts.

You answered B. The correct answer is A. A. Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery, but the plans must be consistent to be effective. B. The plans do not necessarily have to be integrated into one single plan. C. Although each plan may be independent, each plan has to be consistent with other plans to have a viable business continuity planning strategy. D. It may not be possible to define a sequence in which plans have to be implemented because it may be dependent on the nature of disaster, criticality, recovery time, etc.

Depending on the complexity of an organization's business continuity plan (BCP), it may be developed as a set of plans to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that: A. each plan is consistent with one another. B. all plans are integrated into a single plan. C. each plan is dependent on one another. D. the sequence for implementation of all plans is defined.

You answered C. The correct answer is A. A. Disaster recovery planning (DRP) is the technological aspect of the business continuity plan (BCP) that focuses on IT systems and operations. B. Business resumption planning addresses the operational part of BCP. C. The functional aspect of business recovery is addressed by business resumption planning; disaster recovery addresses only the technical components. D. The overall coordination of BCP is accomplished through business continuity management and strategic plans. DRP addresses the technical aspects of BCP.

Disaster recovery planning (DRP) addresses the: A. technological aspect of business continuity planning (BCP). B. operational part of business continuity planning. C. functional aspect of business continuity planning. D. overall coordination of business continuity planning.

You are correct, the answer is A. A. A key factor in a successful outsourcing environment is the capability of the vendor to face a contingency and continue to support the organization's processing requirements. B. Financial stability is not related to the vendor's BCP. C. Experience of the vendor's staff is not related to the vendor's BCP. D. The review of the vendor's BCP during a feasibility study is not a way to test the vendor's BCP.

During a feasibility study regarding outsourcing IT processing, the relevance for the IS auditor of reviewing the vendor's business continuity plan (BCP) is to: A. evaluate the adequacy of the service levels that the vendor can provide in a contingency. B. evaluate the financial stability of the service bureau and its ability to fulfill the contract. C. review the experience of the vendor's staff. D. test the BCP.

You are correct, the answer is D. A. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risk is usually manageable enough so that external help would not be needed. B. While common risk may be covered by industry standards, they cannot address the specific situation of an organization. Individual types of risk will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient to manage IT risk. C. The auditor should recommend a formal IT risk management effort because the failure to demonstrate responsible IT risk management may be a liability for the organization. D. Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk register and mitigation plans up to date.

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation? A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts. B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle. C. No recommendation is necessary because the current approach is appropriate for a medium-sized organization. D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization's risk management.

You are correct, the answer is D. A. Maximum acceptable downtime is a good metric to have in the contract to ensure application availability; however, HR applications are usually not mission-critical and, therefore, maximum acceptable downtime is not the most significant concern in this scenario. B. The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team; however, it is not essential that the individual or team belong to the IT department. C. A company-defined security policy would ensure that help desk personnel would not have access to personnel data, and this would be covered under the security policy. The more critical issue would be that the application complied with the security policy. D. Cloud applications should adhere to the company-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.

During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern? A. Maximum acceptable downtime metrics have not been defined in the contract. B. The IT department does not manage the relationship with the cloud vendor. C. The help desk call center is in a different country, with different privacy requirements. D. Company-defined security policies are not applied to the cloud application.

You are correct, the answer is C. A. The responsibility for maintaining the business continuity plan is decided after the selection or design of the appropriate recovery strategy and development of the plan. B. The criteria for selecting a recovery site provider are decided after the selection or design of the appropriate recovery strategy. C. The most appropriate strategy is selected based on the relative risk level, time lines and criticality identified in the business impact analysis (BIA). D. The responsibilities of key personnel are decided after the selection or design of the appropriate recovery strategy during the plan development phase.

During the design of a business continuity plan, the business impact analysis (BIA) identifies critical processes and supporting applications. This will PRIMARILY influence the: A. responsibility for maintaining the business continuity plan. B. criteria for selecting a recovery site provider. C. recovery strategy. D. responsibilities of key personnel.

You answered B. The correct answer is C. A. The business continuity plan (BCP), if kept in a safe place, will not reach the users; users will never implement the BCP and, thus, the BCP will be ineffective. B. Senior management approval is a prerequisite for designing and approving the BCP, but is less important than making sure that the plan is available to all key personnel to ensure that the plan will be effective. C. The implementation of a BCP will be effective only if appropriate personnel are informed and aware of all the aspects of the BCP. D. Making a BCP available on an enterprise's intranet does not guarantee that personnel will be able to access, read or understand it.

For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be: A. stored in a secure, offsite facility. B. approved by senior management. C. communicated to appropriate personnel. D. made available through the enterprise's intranet.

You answered A. The correct answer is B. A. Measurement at consistent intervals is important, but only if the key performance indicators (KPIs) are related to specific goals. B. The most important consideration is the extent to which the KPIs are aligned with specific goals that are relevant and meaningful to the organization; a KPI that does not measure progress toward a defined goal is not a useful metric. C. Critical success factors (CSFs) are important considerations for determining that a goal is being achieved, but are not metrics in themselves. D. Quantitative measures are usually preferable, but not always possible and not essential.

For key performance indicators (KPIs) to be an effective and useful metric, it is MOST important that: A. KPIs are measured at consistent intervals. B. specific goals are defined. C. critical success factors (CSFs) are considered. D. KPIs are purely quantitative measures.

You are correct, the answer is A. A. An IS control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IS activity. B. Control objectives provide the actual objectives for implementing controls, and may or may not be based on best practices. C. Techniques are the means of achieving an objective, but it is more important to know the reason and objective for the control than to understand the technique itself. D. A security policy mandates the use of IS controls, but the controls are not used to understand policy.

IS control objectives are useful to IS auditors because they provide the basis for understanding the: A. desired result or purpose of implementing specific control procedures. B. best IS security control practices relevant to a specific entity. C. techniques for securing information. D. security policy.

You are correct, the answer is B. A. The chief executive officer (CEO) is instrumental in implementing IT governance according to the directions of the board of directors. B. IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors). C. The IT steering committee monitors and facilitates deployment of IT resources for specific projects in support of business plans. The IT steering committee enforces governance on behalf of the board of directors. D. The audit committee reports to the board of directors and executes governance-related audits. The audit committee should monitor the implementation of audit recommendations.

IT governance is PRIMARILY the responsibility of the: A. chief executive officer (CEO). B. board of directors. C. IT steering committee. D. audit committee.

You are correct, the answer is D. A. Denying the clerk access to the production environment would prevent work from being performed unless additional staff were retained, which is not a realistic solution and may not be economically viable for a small organization. B. Segregation of duties will prevent a combination of conflicting functions, but it may not be practical in a small business to hire and maintain additional staff to achieve the desired segregation of duties. C. Logging of program changes in the production environment will detect changes after they have been implemented, but will not prevent unauthorized changes. D. Procedures to verify and review that only approved changes are implemented would be an effective control in this scenario.

In a small manufacturing business, an employee is doing both manufacturing work as well as all the programming activities. Which of the following is the BEST control to mitigate risk in the given scenario? A. Access restrictions to prevent the clerk from accessing the production environment B. Segregation of duties implemented by hiring additional staff C. Automated logging of all program changes in the production environment D. Procedures to verify that only approved program changes are implemented

You answered B. The correct answer is D. A. The first step is to review the baseline to ensure that it is adequate or sufficient to meet the security requirements of the organization. Then the IS auditor will ensure that it is implemented and measure compliance. B. Compliance cannot be measured until the baseline has been implemented, but the IS auditor must first ensure that the correct baseline is being implemented. C. After the baseline has been defined, it must be documented, and the IS auditor will check that the baseline is appropriate before checking for implementation. D. An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of the control baseline to meet security requirements.

In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure: A. implementation. B. compliance. C. documentation. D. sufficiency.

You answered A. The correct answer is B. A. Testing the business continuity plan's (BCP) requirements is not related to IT project management. B. Integrating the BCP into the development process ensures complete coverage of the requirements through each phase of the project. C. A transaction flowchart aids in analyzing an application's controls, but does not affect business continuity. D. A BCP will not directly address the detailed processing needs of the users.

Integrating the business continuity plan (BCP) into IT project management aids in: A. the testing of the business continuity requirements. B. the development of a more comprehensive set of requirements. C. the development of a transaction flowchart. D. ensuring the application meets the user's needs.

You answered D. The correct answer is A. A. Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. B. IT policies are created and enforced by IT management and information security. They are structured to support the overall strategic plan. C. IT procedures are developed to support IT policies. Senior management is not involved in the development of procedures. D. Standards and guidelines are developed to support IT policies. Senior management is not involved in the development of standards, baselines and guidelines.

Involvement of senior management is MOST important in the development of: A. strategic plans. B. IT policies. C. IT procedures. D. standards and guidelines.

You answered B. The correct answer is A. A. Overall business risk takes into consideration the likelihood and magnitude of the impact when a threat exploits a vulnerability, and provides the best measure of the risk to an asset. B. The calculation of risk must consider impact and likelihood of a threat (not a threat source) exploiting a vulnerability. C. Considering only the likelihood of an exploit and not the impact or damage caused is not sufficient to determine the overall risk. D. The collective judgment of the risk assessment team is a part of qualitative risk assessment, but must be combined with calculations of the impact on the business to determine overall risk.

Overall quantitative business risk for a particular threat can be expressed as: A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability. B. the magnitude of the impact should a threat source successfully exploit the vulnerability. C. the likelihood of a given threat source exploiting a given vulnerability. D. the collective judgment of the risk assessment team.

You are correct, the answer is D. A. It should be identified if the project portfolio exceeds the IT budget, but it is not as critical as ensuring that it is aligned with the business plan. B. The project portfolio should be aligned with the investment strategy, but it is most important that it is aligned with the business plan. C. Appropriate approval of the project portfolio should be granted. However, not every enterprise has an IT steering committee, and this is not as critical as ensuring that the projects are aligned with the business plan. D. Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.

The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it: A. does not exceed the existing IT budget. B. is aligned with the investment strategy. C. has been approved by the IT steering committee. D. is aligned with the business plan.

You answered C. The correct answer is D. A. A business impact analysis (BIA) helps determine the recovery strategy, which sets the starting point for planning how to resume operations after a disaster. The plan, however, is not an outcome of the BIA. B. The perception of an organization's physical and logical security is not the primary objective of a BIA. The BIA determines critical business processes and time lines for recovery. C. The BIA provides an important input into business continuity planning, but not a framework for effective disaster recovery planning (DRP). D. A BIA helps one understand the cost of an interruption and identifies which applications and processes are most critical to the continued functioning of the organization.

The PRIMARY outcome of a business impact analysis (BIA) is: A. a plan for resuming operations after a disaster. B. a commitment of the organization to physical and logical security. C. a framework for an effective disaster recovery plan (DRP). D. an understanding of the cost of an interruption.

You answered C. The correct answer is A. A. The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives. B. The type of outage is not as important to the activation of the plan as the length or duration of the outage. C. The probability of the outage would be relevant to the frequency of incidents, not the need to activate the plan. The plan is designed to be activated after an event of a certain duration occurs. D. The cause of the outage may affect the response plan to be activated, but not the decision to activate the plan. The plan will be activated any time an event of a predetermined duration occurs.

The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the: A. duration of the outage. B. type of outage. C. probability of the outage. D. cause of the outage.

You answered B. The correct answer is A. A. Due to the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation, i.e., the cost of normal operations during a nondisaster period will be more than the cost of operations during a nondisaster period when no DRP was in place. B. The implementation of a DRP will always result in additional costs to the organization. C. The implementation of a DRP will always result in additional costs to the organization. D. The costs of a DRP are fairly predictable and consistent.

The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a disaster recovery plan, will MOST likely: A. increase. B. decrease. C. remain the same. D. be unpredictable.

You are correct, the answer is B. A. The lack of the right to audit clause presents a risk to the organization; however, the risk is not as consequential as the lack of a business case. B. Because the business case was not established, it is likely that the business rationale, risk and risk mitigation strategies for outsourcing the application development were not fully evaluated and the appropriate information was not provided to senior management for formal approval. This situation presents the biggest risk to the organization. C. If the source code is held by the provider and not provided to the organization, the lack of source code escrow presents a risk to the organization; however, the risk is not as consequential as the lack of a business case. D. The lack of change management procedures presents a risk to the organization, especially with the possibility of extraordinary charges for any required changes; however, the risk is not as consequential as the lack of a business case.

The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor? A. The right to audit clause was not included in the contract. B. The business case was not established. C. There was no source code escrow agreement. D. The contract does not cover change management procedures.

You answered A. The correct answer is C. A. The security program is driven by policy and the standards are driven by the program. The initial step is to have a policy and ensure that the program is based on the policy. B. Audit and monitoring of controls related to the program can only come after the program is set up. C. A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program. D. Access control software is an important security control, but only after the policy and program are defined.

The initial step in establishing an information security program is the: A. development and implementation of an information security standards manual. B. performance of a comprehensive security control review by the IS auditor. C. adoption of a corporate information security policy statement. D. purchase of security access control software.

You answered B. The correct answer is C. A. Control self-assessments (CSAs) are used to improve monitoring of security controls, but are not used to align IT with organizational objectives. B. A business impact analysis (BIA) is used to calculate the impact on the business in the event of an incident that affects business operations, but it is not used to align IT with organizational objectives. C. An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. D. Business process reengineering (BPR) is an excellent tool to review and improve business processes, but is not focused on aligning IT with organizational objectives.

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: A. control self-assessments. B. a business impact analysis (BIA). C. an IT balanced scorecard (BSC). D. business process reengineering (BPR).

You are correct, the answer is B. A. An enterprise data model is a document defining the data structure of an organization and how data interrelate. It is useful, but it does not provide information on investments in IT assets. B. The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. In this way the auditor can measure the success of the IT investment and strategy. C. The IT organizational structure provides an overview of the functional and reporting relationships in an IT entity, but does not ensure effectiveness of IT investment. D. Historical financial statements do not provide information about planning and lack sufficient detail to enable one to fully understand management's activities regarding IT assets. Past costs do not necessarily reflect value, and assets such as data are not represented on the books of accounts.

To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the: A. enterprise data model. B. IT balanced scorecard (BSC). C. IT organizational structure. D. historical financial statements.

You answered B. The correct answer is C. A. It is a common mistake to overemphasize financial value rather than urgency. For example, while the processing of incoming mortgage loan payments is important from a financial perspective, it could be delayed for a few days in the event of a disaster. On the other hand, wiring funds to close on a loan, while not generating direct revenue, is far more critical because of the possibility of regulatory problems, customer complaints and reputation issues. B. The business strategy (which is often a long-term view) does not have a direct impact at this point in time. C. To ensure the organization's survival following a disaster, it is important to recover the most critical business processes first. D. The mere number of recovered systems does not have a direct impact at this point in time. The importance is to recover systems that would impact business survival.

To optimize an organization's business continuity plan (BCP), an IS auditor should recommend a business impact analysis (BIA) to determine: A. the business processes that generate the most financial value for the organization and, therefore, must be recovered first. B. the priorities and order for recovery to ensure alignment with the organization's business strategy. C. the business processes that must be recovered following a disaster to ensure the organization's survival. D. the priorities and order of recovery, which will recover the greatest number of systems in the shortest time frame.

You are correct, the answer is B. A. A low-cost philosophy is one objective, but more important is the cost/benefit and the relation of IT investment cost to business strategy. B. To ensure its contribution to the realization of an organization's overall goals, the IT department should have long- and short-range plans that are consistent with the organization's broader and strategic plans for attaining its goals. C. Leading-edge technology is an objective, but IT plans would be needed to ensure that those plans are aligned with organizational goals. D. Plans to acquire new hardware and software could be a part of the overall plan, but would be required only if hardware or software is needed to achieve the organizational goals.

To support an organization's goals, an IT department should have: A. a low-cost philosophy. B. long- and short-range plans. C. leading-edge technology. D. plans to acquire new hardware and software.

You answered A. The correct answer is B. A. Risk transfer is the transference of risk to a third party, e.g., buying insurance for activities that pose a risk. B. A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan (DRP), it is a risk mitigation strategy. C. Risk avoidance is the decision to cease operations or activities that give rise to a risk. For example, a company may stop accepting credit card payments to avoid the risk of credit card information disclosure. D. When an organization decides to accept the risk as it is and to do nothing to mitigate or transfer it, that is risk acceptance.

When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied? A. Transfer B. Mitigation C. Avoidance D. Acceptance

You answered C. The correct answer is B. A. While the strategic alignment of IT with the business is important, it is not directly related to the gap identified in this scenario. B. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself. C. Performing more frequent IS audits is not helpful if the accountability rules are not clearly defined and implemented. D. Recommending the creation of a new role (CRO) is not helpful if the accountability rules are not clearly defined and implemented.

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate? A. Review the strategic alignment of IT with the business. B. Implement accountability rules within the organization. C. Ensure that independent IT audits are conducted periodically. D. Create a chief risk officer (CRO) role in the organization.

You are correct, the answer is A. A. Without a data retention policy that is aligned to the company's business and compliance requirements, the email archive may not preserve and reproduce the correct information when required. B. The storage capacity of the archiving solution would be irrelevant if the proper email messages have not been properly preserved and others have been deleted. C. The level of user awareness concerning email use would not directly affect the completeness and accuracy of the archived email. D. The support and stability of the archiving solution manufacturer is secondary to the need to ensure a retention policy. Vendor support would not directly affect the completeness and accuracy of the archived email.

When auditing the archiving of the company's email communications, the IS auditor should pay the MOST attention to: A. the existence of a data retention policy. B. the storage capacity of the archiving solution. C. the level of user awareness concerning email use. D. the support and stability of the archiving solution manufacturer.

You answered D. The correct answer is C. A. Business continuity self-audit is a tool for evaluating the adequacy of the business continuity plan (BCP), but not for gaining an understanding of the business. B. Resource recovery analysis is a tool for identifying the components necessary for a business resumption strategy, but not for gaining an understanding of the business. C. Risk assessment and business impact assessment are tools for understanding the business as a part of BCP. D. The role gap analysis can play in BCP is to identify deficiencies in a plan, but not for gaining an understanding of the business.

When developing a business continuity plan (BCP), which of the following tools should be used to gain an understanding of the organization's business processes? A. Business continuity self-audit B. Resource recovery analysis C. Risk assessment D. Gap analysis

You are correct, the answer is C. A. Establishment of a review board is not effective without visible sponsorship of top management. B. The creation of a security unit is not effective without visible sponsorship of top management. C. The executive sponsor would be in charge of supporting the organization's strategic security program, and would aid in directing the organization's overall security management activities. Therefore, support by the executive level of management is the most critical success factor (CSF). D. The selection of a security process owner is not effective without visible sponsorship of top management.

When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the: A. establishment of a review board. B. creation of a security unit. C. effective support of an executive sponsor. D. selection of a security process owner.

You are correct, the answer is A. A. The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business. To achieve alignment, all other choices need to be tied to business practices and strategies. B. Accountability is important, but the most important objective of IT governance is to ensure that IT investment and oversight is aligned with business requirements. C. IT must demonstrate value to the organization, but this value is dependent on the ability of IT to align with, and support, business requirements. D. Enhancing return is a requirement of the IT governance framework, but this requirement is only demonstrated through aligning IT with business requirements.

When implementing an IT governance framework in an organization the MOST important objective is: A. IT alignment with the business. B. accountability. C. value realization with IT. D. enhancing the return on IT investments.

You answered D. The correct answer is C. A. Internal control self-assessment (CSA) may highlight noncompliance to the current policy, but may not necessarily be the best source for driving the prioritization of IT projects. B. Like internal CSA, IS audits are mostly a detective control and may provide only part of the picture for the prioritization of IT projects. C. It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy, but will provide the rationale for terminating nonperforming IT projects. D. Business risk analysis is part of the investment portfolio analysis but, by itself, is not the best method for prioritizing new IT projects.

Which of the following BEST supports the prioritization of new IT projects? A. Internal control self-assessment (CSA) B. Information systems audit C. Investment portfolio analysis D. Business risk assessment

You answered B. The correct answer is A. A. The primary purpose of tabletop testing is to practice proper coordination because it involves all or some of the crisis team members and is focused more on coordination and communication issues than on technical process details. B. Functional testing involves mobilization of personnel and resources at various geographic sites. This is a more in-depth functional test and not primarily focused on coordination and communication. C. Full-scale testing involves enterprisewide participation and full involvement of external organizations. D. Deskcheck testing requires the least effort of the options given. Its aim is to ensure the plan is up to date and promote familiarity of the BCP to critical personnel from all areas.

Which of the following business continuity plan (BCP) tests involves participation of relevant members of the crisis management/response team to practice proper coordination? A. Tabletop B. Functional C. Full-scale D. Deskcheck

You answered C. The correct answer is D. A. Overlapping controls are two controls addressing the same control objective or exposure. Because primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls. B. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself, and are individual-based, not role-based, controls. C. Access controls for resources are based on individuals and not on roles. A lack of segregation of duties would mean that the IS auditor would expect to find that a person has higher levels of access than would be ideal. This would mean the IS auditor wants to find compensating controls to address this risk. D. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? A. Overlapping controls B. Boundary controls C. Access controls D. Compensating controls

You answered D. The correct answer is A. A. The alternate facility should be made available until the original site is restored to provide the greatest assurance of recovery after a disaster. Without this assurance, the plan will not be successful. B. Having user management involved in identifying critical systems will not provide assurance that the recovery can be achieved in the event of a disaster. C. Having copies of the plan available offsite will not provide assurance that the plan will work in the event of a disaster. D. Providing feedback to management is important but must be based on assurance that the plan will work. This can only be obtained through testing and review.

Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster? A. The alternate facility will be available until the original information processing facility is restored. B. User management is involved in the identification of critical systems and their associated critical recovery times. C. Copies of the plan are kept at the homes of key decision-making personnel. D. Feedback is provided to management assuring them that the business continuity plans are indeed workable and that the procedures are current.

You answered B. The correct answer is D. A. An inventory of critical assets is completed in both a risk assessment and a business impact analysis (BIA). B. An identification of vulnerabilities is relevant in both a risk assessment and a BIA. C. A listing of threats is relevant both in a risk assessment and a BIA. D. A determination of acceptable downtime is made only in a BIA.

Which of the following distinguishes a business impact analysis (BIA) from a risk assessment? A. An inventory of critical assets B. An identification of vulnerabilities C. A listing of threats D. A determination of acceptable downtime

You answered B. The correct answer is A. A. The information security policy states the organization's approach to managing information security. The policy contains the company's security objectives and explains the security policies, principles and standards and mandates compliance and accountability for the employee to adhere to policy. In addition, the policy outlines requirements such as compliance with regulations and employee education, training and awareness. B. The acceptable usage policy is a subset of the information security policy and outlines guidelines and rules for employee use of the company's information resources. It is focused and does not include requirements for security awareness training. C. The HR policy refers to the information security policy, but does not specifically list the requirements for security awareness training. Instead, this document contains broader information such as hiring practices, commitments to diversity and ethics, and compliance with regulations. D. The end-user computing policy is a subset of the information security policy and describes the parameters and usage of desktop tools by users. It does not contain requirements for security awareness training.

Which of the following documents is the BEST source for an IS auditor to understand the requirements for employee awareness training? A. Information security policy B. Acceptable usage policy C. Human resources (HR) policy D. End-user computing policy

You answered B. The correct answer is D. A. Testing a new accounting package is a tactical or short-term goal and would not be included in a strategic plan. B. Performing an evaluation of information technology needs is a way to identify needs and measure performance, but not a goal to be found in a strategic plan. C. Implementing a new project planning system within the next 12 months is project-oriented and is a method of implementing a goal, but not the goal in itself. The goal would be to have better project management—the new system is how to achieve that goal. D. Becoming the supplier of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and would, thus, be a part of the organization's strategic plan.

Which of the following goals would you expect to find in an organization's strategic plan? A. Test a new accounting package. B. Perform an evaluation of information technology needs. C. Implement a new project planning system within the next 12 months. D. Become the supplier of choice for the product offered.

You answered D. The correct answer is A. A. Assimilation of the framework and intent of a written security policy by all levels of management and users of the system is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective. B. Management support and commitment is, no doubt, important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount. C. Punitive actions are needed to enforce the policy, but are not the key to successful implementation. D. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules is important, but it is dependent on the support and education of management and users on the importance of security.

Which of the following is MOST critical for the successful implementation and maintenance of a security policy? A. Assimilation of the framework and intent of a written security policy by all appropriate parties B. Management support and approval for the implementation and maintenance of a security policy C. Enforcement of security rules by providing punitive actions for any violation of security rules D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

You answered A. The correct answer is D. A. Employee orientations and user awareness training are the most effective processes to raise user awareness about the acceptable use of proprietary IT resources. The acceptable use policy is one of the topics covered during training and is often signed after employee orientation and during periodic user awareness training. The policy is used to enforce controls over use of systems—not just to create awareness. B. The acceptable use policy is a subset of the information security policies that focus on the end user and a specific topic. Information security policies are much broader in overall content and include a wider audience. C. Although the policy may include a statement regarding the sanctions for noncompliance, sanctions are not the primary objective of the acceptable use policy; prevention is the primary objective. D. Inappropriate use of proprietary IT resources by users exposes enterprises to a variety of risk scenarios, including malware attacks, compromise and unavailability of critical systems, and legal issues. To address such risk, a policy supported by guidelines is put into effect to define how information system resources will be used. An acceptable use policy ensures that users are made aware of acceptable usage and the need to acknowledge that they are aware.

Which of the following is a PRIMARY objective of an acceptable use policy? A. Creating awareness about the secure use of proprietary resources B. Ensuring compliance with information security policies C. Defining sanctions for noncompliance D. Controlling how proprietary information systems are used

You are correct, the answer is D. A. The IT department is responsible for the execution of the policy, having no authority in framing the policy. B. The security committee also functions within the broad security policy framed by the board of directors. C. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized. D. Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors.

Which of the following is responsible for the approval of an information security policy? A. The IT department B. The security committee C. The security administrator D. The board of directors

You answered C. The correct answer is B. A. Senior management's level of awareness and concern for information assets is a criterion for evaluating the importance that they attach to those assets and their protection, but is not as meaningful as having job descriptions that require all staff to be responsible for information security. B. The inclusion of security responsibilities in job descriptions is a key factor in demonstrating the maturity of the security program and helps ensure that staff and management are aware of their roles with respect to information security. C. Funding is important, but having funding does not ensure that the security program is effective or adequate. D. The number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program, but is not a criterion for evaluating a security program.

Which of the following is the BEST criterion for evaluating the adequacy of an organization's security awareness program? A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection. B. Job descriptions contain clear statements of accountability for information security. C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts. D. No actual incidents have occurred that have caused a loss or a public embarrassment.

You are correct, the answer is B. A. The misuse of corporate resources is an issue that must be addressed but is not necessarily related to secondary employment. B. The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Policies should be in place to control IT employees seeking secondary employment from releasing sensitive information or working for a competing company. Conflicts of interest could result in serious risk such as fraud, theft of intellectual property or other improprieties. C. Employee performance can certainly be an issue if an employee is overworked or has insufficient time off, but that should be dealt with as a management function and not the primary reason to have a policy on secondary employment. D. Theft of assets is a problem but not necessarily related to secondary employment.

Which of the following is the BEST reason to implement a policy which places conditions on secondary employment for IT employees? A. To ensure that employees are not misusing corporate resources B. To prevent conflicts of interest C. To prevent employee performance issues D. To prevent theft of IT assets

You answered D. The correct answer is B. A. Compliance with security standards is important, but there is no way to verify or prove that is the case without an independent review. B. It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. C. Though long experience in business and good reputation is an important factor to assess service quality, the business cannot outsource to a provider whose security control is weak. D. Compliance with organizational security policies is important, but there is no way to verify or prove that that is the case without an independent review.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: A. claims to meet or exceed industry security standards. B. agrees to be subject to external security reviews. C. has a good market reputation for service and experience. D. complies with security policies of the organization.

You are correct, the answer is B. A. The recovery site should be far enough away to avoid being affected by the same disaster that strikes the primary site, but that is not the most important part of the business continuity plan (BCP). It is more important that the plan is tested. B. Periodic testing of the recovery plan is critical to ensure that whatever has been planned and documented is feasible. The other options are more tactical considerations that are secondary to the need for testing. C. Having tested backups is important, but only addresses a part of the BCP. It is more important that the entire plan is tested. D. Network redundancy is important for many organizations, but not as important as the need to test the plan.

Which of the following is the MOST important aspect of effective business continuity management? A. The recovery site is secure and located an appropriate distance from the primary site. B. The recovery plans are tested periodically. C. Fully tested backup hardware is available at the recovery site. D. Network links are available from multiple service providers.

You answered C. The correct answer is B. A. A scorecard is an excellent tool to implement a program based on good governance, but the most important factor in implementing governance is alignment with organizational strategies. B. The key objective of an IT governance program is to support the business, thus the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices—even if implemented—would be ineffective. C. A risk assessment is important to ensure that the security program is based on areas of highest risk, but risk assessment must be based on organizational strategies. D. A policy is a key part of security program implementation, but even the policy must be based on organizational strategies.

Which of the following is the MOST important element for the successful implementation of IT governance? A. Implementing an IT scorecard B. Identifying organizational strategies C. Performing a risk assessment D. Creating a formal security policy

You answered D. The correct answer is B. A. Not all resources need to participate in a test—only the personnel involved in the actual test scenario. A disaster recovery plan (DRP) should be flexible enough to adapt to using whatever personnel are available. B. Management approval of the testing scenario would help to ensure that the test exercise is both relevant and in alignment with business requirements. Obtaining management buy-in for the test is critical to the success of the disaster recovery testing. C. Advance notice for the impacted employees is not necessarily required if the test exercise is not expected to create service disruptions or other issues. D. A test scenario approved by business management is more likely to reflect the needs of the business. IT management may select a test scenario more focused on IT priorities, which may be less effective.

Which of the following is the MOST important requirement for the successful test of a disaster recovery plan (DRP)? A. Participation by all of the resources identified in the plan B. Management approval of the test scenario C. Advance notice for all of the impacted employees D. IT management approval of the test scenario

You answered C. The correct answer is D. A. Minimizing errors is an aspect of performance, but not the primary objective of performance management. B. Gathering performance data is necessary to measure IT performance, but is not the objective of the process. C. The performance measurement process compares actual performance with baselines, but that is not the objective of the process. The objective is to optimize performance. D. An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions.

Which of the following is the PRIMARY objective of an IT performance measurement process? A. Minimize errors. B. Gather performance data. C. Establish performance baselines. D. Optimize performance.

You answered A. The correct answer is C. A. The business continuity plan (BCP) in itself does not provide assurance of continuing operations; however, it helps the organization to respond to disruptions to critical business processes. B. Establishment of an alternate site is more relevant to disaster recovery than the BCP. C. The BCP process primarily focuses on managing and mitigating risk during recovery of operations due to an event that affected operations. D. The regulatory compliance requirements may help establish the recovery time objective (RTO) requirements.

Which of the following is the PRIMARY objective of the business continuity plan (BCP) process? A. To provide assurance to stakeholders that business operations will continue in the event of disaster B. To establish an alternate site for IT services to meet predefined recovery time objectives (RTOs) C. To manage risk while recovering from an event that adversely affected operations D. To meet the regulatory compliance requirements in the event of natural disaster

You answered D. The correct answer is B. A. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step. B. The applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. C. Having identified the externally accessed applications, the second step is to identify vulnerabilities (weaknesses) associated with the network applications. D. The fourth step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

Which of the following is the initial step in creating a firewall policy? A. A cost-benefit analysis of methods for securing the applications B. Identification of network applications to be externally accessed C. Identification of vulnerabilities associated with network applications to be externally accessed D. Creation of an application traffic matrix showing protection methods

You are correct, the answer is C. A. The site chosen should not be subject to the same natural disaster as the primary site. Being close may be a risk or an advantage, depending on the type of expected disaster. B. A reasonable compatibility of hardware/software must exist to serve as a basis for backup. The latest or newest hardware may not adequately serve this need. C. Resource availability must be assured. The workload of the primary site must be monitored to ensure that availability at the alternate site for emergency backup use is sufficient. D. Testing the hardware when the site is established is essential, but regular testing of the actual backup data is necessary to ensure that the operation will continue to perform as planned.

Which of the following must exist to ensure the viability of a duplicate information processing facility? A. The site is near the primary site to ensure quick and efficient recovery. B. The site contains the most advanced hardware available. C. The workload of the primary site is monitored to ensure adequate backup is available. D. The hardware is tested when it is installed to ensure it is working properly.

You answered B. The correct answer is D. A. The number of stakeholders, including employees, trained provides a metric for measuring the coverage of a security awareness program, but does not help assess its content or effectiveness. B. Coverage of training at all locations provides a metric for measuring the coverage of a security awareness program, but does not help assess its content or effectiveness. C. The implementation of security devices from different vendors may be a policy of the organization, but it does not relate to the adequacy of an awareness program. D. The adequacy of security awareness content can best be assessed by determining whether it is periodically reviewed and compared to industry best practices.

Which of the following provides the BEST evidence of the adequacy of a security awareness program? A. The number of stakeholders including employees trained at various levels B. Coverage of training at all locations across the enterprise C. The implementation of security devices from different vendors D. Periodic reviews and comparison with best practices

You are correct, the answer is C. A. Ensuring that employees are properly cross-trained in multiple functions improves the skills of employees and provides for succession planning, but is not the primary purpose of mandatory vacations. B. Improving employee morale helps in reducing employee burnout, but is not the primary reason for mandatory vacations. C. Mandatory vacations help uncover potential fraud or inconsistencies. Ensuring that people who have access to sensitive internal controls or processes take a mandatory vacation annually is often a regulatory requirement and, most important, a good way to uncover fraud. D. Mandatory vacations may or may not be a cost-saving measure, depending on the enterprise.

Which of the following reasons BEST describes the purpose of a mandatory vacation policy? A. To ensure that employees are properly cross-trained in multiple functions B. To improve employee morale C. To identify potential errors or inconsistencies in business processes D. To be used as a cost-saving measure

You answered A. The correct answer is C. A. Compliance with regulatory requirements is not user-focused and will not reduce the impact of social engineering attacks. B. Promoting ethical understanding is important to direct user behavior, but will not effectively reduce the impact of social engineering attacks. C. Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. D. Effective performance incentives will not help reduce the impact of social engineering. Social engineering is based on deception, not on performance.

Which of the following reduces the potential impact of social engineering attacks? A. Compliance with regulatory requirements B. Promoting ethical understanding C. Security awareness programs D. Effective performance incentives

You answered D. The correct answer is B. A. Daily full backups may not be required if incremental or differential backups are in place. B. To be effective, the business impact analysis (BIA) should be conducted with input from a wide array of stakeholders. The business requirements included within the BIA are integral in defining mean-time-to-repair and the data point recovery. Without business stakeholder input, these critical requirements may not be correctly defined, leading to critical assets being overlooked. C. As long as the service delivery objective is met and data are handled in alignment with the data classification and handling policy, it is appropriate for "sensitive" functions to be performed manually in the case of a business continuity plan (BCP) event. D. The frequency of testing is less important than business involvement in the creation of the BCP.

Which of the following should be of GREATEST concern to an IS auditor reviewing the business continuity plan (BCP) of an organization? A. Daily full backups are not performed for critical production files. B. A team of IT and information security staff conducted the business impact analysis (BIA). C. Sensitive information processes are manually performed during a disruption. D. An annual test of the BCP is not being performed.

You answered A. The correct answer is B. A. Developing a recovery strategy will come after performing a business impact analysis (BIA). B. The first step in any disaster recovery plan (DRP) is to perform a BIA. C. The BIA will identify critical business processes and the systems that support those processes. Mapping software systems, hardware and network components will come after performing a BIA. D. Appointing recovery teams with defined personnel, roles and hierarchy will come after performing a BIA.

Which of the following tasks should be performed FIRST when preparing a disaster recovery plan (DRP)? A. Develop a recovery strategy. B. Perform a business impact analysis (BIA). C. Map software systems, hardware and network components. D. Appoint recovery teams with defined personnel, roles and hierarchy.

You answered B. The correct answer is C. A. The salvage team would not be able to use a severely damaged notification system, even if they are trained to use it. B. The recovery of the backups has no bearing on the notification system. C. If the notification system has been severely impacted by the damage, redundancy would be the best control. D. Storing the notification system in a vault would be of little value if the building is damaged.

While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructure damage. The BEST recommendation the IS auditor can provide to the organization is to ensure: A. the salvage team is trained to use the notification system. B. the notification system provides for the recovery of the backup. C. redundancies are built into the notification system. D. the notification systems are stored in a vault.

You are correct, the answer is C. A. If the performance indicators are not objectively measurable, the most significant risk would be the presentation of misleading performance results to management. This could result in a false sense of assurance and, as a result, IT resources may be misallocated or strategic decisions may be based on incorrect information. Whether or not the performance indicators are correctly defined, the results would be reported to management. B. Although project management issues could arise from performance indicators that were not correctly defined, the presentation of misleading performance to management is a much more significant risk. C. The IT BSC is designed to measure IT performance. To measure performance, a sufficient number of "performance drivers" or KPIs must be defined and measured over time. Failure to have objective KPIs may result in arbitrary, subjective measures that may be misleading. D. Although performance management issues related to SLAs could arise from performance indicators that were not correctly defined, the presentation of misleading performance to management is a much more significant risk.

While reviewing the IT governance processes of an organization, an auditor discovers that the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation? A. Key performance indicators (KPIs) are not reported to management and management cannot determine the effectiveness of the BSC. B. IT projects could suffer from cost overruns. C. Misleading indications of IT performance may be presented to management. D. IT service level agreements (SLAs) may not be accurate.

You are correct, the answer is A. A. The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple. B. To evaluate adequacy, the IS auditor should review the plans and compare them to appropriate standards and the results of tests of the plan. C. To evaluate effectiveness, the IS auditor should review the results from previous tests or incidents. This is the best determination for the evaluation of effectiveness. An understanding of roles and responsibilities by key stakeholders will assist in ensuring the business continuity plan is effective. D. To evaluate the response, the IS auditor should review results of continuity tests. This will provide the IS auditor with assurance that target and recovery times are met. Emergency procedures and employee training need to be reviewed to determine whether the organization has implemented plans to allow for an effective response.

With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the: A. clarity and simplicity of the business continuity plans. B. adequacy of the business continuity plans. C. effectiveness of the business continuity plans. D. ability of IS and end-user personnel to respond effectively in emergencies.

You answered C. The correct answer is A. A. An organization's core activities generally should not be outsourced because they are what the organization does best; an IS auditor observing that should be concerned. B. An IS auditor should not be concerned about periodic renegotiation in the outsourcing contract because that is dependent on the term of the contract. C. Outsourcing contracts cannot be expected to cover every action and detail expected of the parties involved, but should cover business requirements. D. Multisourcing is an acceptable way to reduce risk associated with a single point of failure.

With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor? A. Core activities that provide a differentiated advantage to the organization have been outsourced. B. Periodic renegotiation is not specified in the outsourcing contract. C. The outsourcing contract fails to cover every action required by the business. D. Similar activities are outsourced to more than one vendor.

You answered A. The correct answer is C. A. While security controls should be a requirement for any application, the primary focus of the enterprise architecture (EA) is to ensure that new applications are consistent with enterprise standards. While the use of standard supported technology may be more secure, this is not the primary benefit of the EA. B. When selecting an application, the business requirements as well as the suitability of the application for the IT environment must be considered. If the business units selected their application without IT involvement, they would be more likely to choose a solution that fit their business process the best with less emphasis on how compatible and supportable the solution would be in the enterprise, and this would not be a concern. C. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system (OS) that is not part of the EA for the business, this would increase the cost and complexity of the solution and ultimately deliver less value to the business. D. While any new software implementation may create support issues, the primary benefit of the EA is ensuring that the IT solutions deliver value to the business. Decreased support costs may be a benefit of the EA, but the lack of IT involvement in this case would not affect the support requirements.

A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that: A. the security controls of the application may not meet requirements. B. the application may not meet the requirements of the business users. C. the application technology may be inconsistent with the enterprise architecture (EA). D. the application may create unanticipated support issues for IT.

You are correct, the answer is A. A. If developers have access to the production environment, there is a risk that untested code can be migrated into the production environment. B. In situations in which there is no dedicated testing group, the business analyst is often the one to perform testing because the analyst has detailed knowledge of how the system must function as a result of writing the requirements. C. It is acceptable in a small team for the IT manager to perform system administration, as long as the manager does not also develop code. D. It may be part of the database administrator's duties to perform data backups.

A financial services enterprise has a small IT department, and individuals perform more than one role. Which of the following practices represents the GREATEST risk? A. The developers promote code into the production environment. B. The business analyst writes the requirements and performs functional testing. C. The IT manager also performs systems administration. D. The database administrator (DBA) also performs data backups.

You answered C. The correct answer is A. A. A structured walk-through test of a disaster recovery plan involves representatives from each of the functional areas coming together to review the plan to determine if the plan pertaining to their area is accurate and complete, and can be implemented when required. B. To practice executing a plan is a simulation test to prepare and train the personnel who will be required to respond to disasters and disruptions. C. Moving the systems to an alternate facility is a form of parallel testing to ensure that critical systems will perform satisfactorily in the alternate site. D. Distributing copies of the plan for review is a checklist test.

A structured walk-through of a disaster recovery plan involves: A. representatives from each of the functional areas coming together to go over the plan. B. all employees who participate in the day-to-day operations coming together to practice executing the plan. C. moving the systems to the alternate processing site and performing processing operations. D. distributing copies of the plan to the various functional areas for review.

You are correct, the answer is A. A. Creating a provision to allow local policies to take precedence where required by local authorities allows the organization to implement the optimal level of control subject to legal limitations. B. This is not acceptable because it subjects the subsidiary to local fines and penalties. C. This is a less desirable alternative because the organization's overarching original policy may provide a superior or more suitable level of control and risk reduction from which the remainder of the organization should continue to benefit. D. Tracking the issue as a policy violation fails to satisfactorily resolve the issue and recognize the need for flexibility.

A subsidiary in another country is forced to depart from the parent organization's IT policies to conform to the local law. The BEST approach for the parent organization is to: A. create a provision to allow local policies to take precedence where required by law. B. have the subsidiary revise its policies to conform to the parent organization's policies. C. revise the parent organization's policies so that they match the subsidiary's policies. D. track the issue as a violation of policy with a note of the extenuating circumstances.

You are correct, the answer is A. A. Deriving lower level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. B. Policies should be influenced by risk assessment, but the primary reason for a top-down approach is to ensure that the policies are consistent across the organization. C. A top-down approach, of itself, does not ensure compliance. D. A top-down approach, of itself, does not ensure that policies are reviewed.

A top-down approach to the development of operational policies helps ensure: A. that they are consistent across the organization. B. that they are implemented as a part of risk assessment. C. compliance with all policies. D. that they are reviewed periodically.

You answered D. The correct answer is A. A. In a cost-benefit analysis, the total expected purchase and operational/support costs and a qualitative value for all actions are weighted against the total expected benefits to choose the best technical, most profitable, least expensive or acceptable risk option. B. The annualized loss expectancy (ALE) is the expected monetary loss that is estimated for an asset over a one-year period. It is a useful calculation that should be included in determining the necessity of controls, but is not sufficient alone. C. The cost of the hardware assets should be compared to the total value of the information that the asset protects, including the cost of the systems where the data reside and across which data are transmitted. D. Potential business impact is only one part of the cost-benefit analysis.

After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways, and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented? A. A cost-benefit analysis B. An annualized loss expectancy (ALE) calculation C. A comparison of the cost of the IPS and firewall and the cost of the business systems D. A business impact analysis (BIA)

You answered B. The correct answer is D. A. Censuring the deputy CEO will not improve the current situation and is generally not within the scope of an IS auditor to recommend. B. Establishing a board to review the DRP (which is two years out of date) may achieve an updated DRP, but is not likely to be a speedy operation; issuing the existing DRP would be folly without first ensuring that it is workable. C. The current DRP may be unacceptable or ineffective and recommending the approval of the DRP may be unwise. The best way to develop a DRP in a short time is to make an experienced manager responsible for coordinating the knowledge of other managers into a single, formal document within a defined time limit. D. The primary concern is to establish a workable DRP, which reflects current processing volumes to protect the organization from any disruptive incident.

An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following:
--The existing DRP was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department.
--The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting their attention.
--The DRP has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for its area in the event of a disruptive incident.
The IS auditor's report should recommend that: A. the deputy CEO be censured for failure to approve the plan. B. a board of senior managers is set up to review the existing plan. C. the existing plan is approved and circulated to all key management and staff. D. a manager coordinates the creation of a new or revised plan within a defined time limit.

You answered A. The correct answer is C. A. While the information security policy should be updated on a regular basis, the specific time period may vary based on the organization. Although reviewing policies annually is a best practice, the policy could be updated less frequently and still be relevant and effective. An outdated policy is still enforceable, whereas a policy without proper approval is not enforceable. B. The lack of a revision history with respect to the IS policy document is an issue, but not as significant as not having it approved by management. A new policy, for example, may not have been subject to any revisions yet. C. The information security policy should have an owner who has management responsibility for the development, review, approval and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore would not have the authority to approve the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues. D. Although a policy committee drawn from across the company is a best practice and may help write better policies, a good policy can be written by a single person, and the lack of a committee is not a problem by itself.

An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk? A. The policy has not been updated in more than one year. B. The policy includes no revision history. C. The policy is approved by the security administrator. D. The company does not have an information security policy committee.

You are correct, the answer is A. A. The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy. B. Policies should be aligned with the business strategy, but this does not affect an organization's ability to comply with the policy upon implementation. C. Current and future technology initiatives should be driven by the needs of the business and would not affect an organization's ability to comply with the policy. D. Regulatory compliance objectives may be defined in the IT policy, but that would not facilitate compliance with the policy. Defining objectives would only result in the organization knowing the desired state, and would not aid in achieving compliance.

An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors would the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation? A. Existing IT mechanisms that enable compliance B. Alignment of the policy to the business strategy C. Current and future technology initiatives D. Regulatory compliance objectives that are defined in the policy

You answered A. The correct answer is D. A. The capability of the organization to support the enterprise should extend beyond the time of execution of the immediate contract. The objective of financial evaluation should not be confined to the immediate contract, but should be to provide assurance of sustainability over a longer time frame. B. Whether the vendor is of similar financial standing as the purchaser is irrelevant to this review. C. The vendor should not have financial obligations that could impose a liability to the purchaser; the financial obligations are usually from the purchaser to the vendor. D. The long-term financial viability of a vendor is essential for deriving maximum value for the organization—it is more likely that a financially sound vendor would be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product.

An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered: A. can deliver on the immediate contract. B. is of similar financial standing as the organization. C. has significant financial obligations that can impose liability to the organization. D. can support the organization in the long term.

You are correct, the answer is C. A. Measures of security risk should not be limited to network risk, but rather focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. B. IT strategic plans are not granular enough to provide appropriate measures. Objective metrics must be tracked over time against measurable goals; thus, the management of risk is enhanced by comparing today's results against last week, last month, last quarter. Risk measures will profile assets on a network to objectively measure vulnerability risk. C. When assessing IT security risk, it is important to take into account the entire IT environment. D. Measures of security risk do not identify tolerances.

An IS auditor is reviewing an IT security risk management program. Measures of security risk should: A. address all of the network risk. B. be tracked over time against the IT strategic plan. C. take into account the entire IT environment. D. result in the identification of vulnerability tolerances.

You are correct, the answer is D. A. Security policies are important; however, they are not designed to align IT to the business. B. Operational procedures do not provide the IS auditor assurance of the alignment between IT and the business. C. The project portfolio is the set of projects owned by the organization. The portfolio provides a status quo, but is not a good basis to assess alignment of IT with the business. D. The IT balanced scorecard (BSC) represents the translation of the business objectives into what IT needs to do to achieve these objectives.

An IS auditor is reviewing the IT governance practices. Which of the following BEST helps the IS auditor evaluate the quality of alignment between IT and the business? A. Security policies B. Operational procedures C. Project portfolio D. IT balanced scorecard (BSC)

You answered C. The correct answer is B. A. While an agreement for an alternate processing site is important, a large organization with multiple locations will most likely have other alternate processing sites within the organization without needing a third-party processing center. Data could be sent to another site within the organization, but if the backup data are not reliable, the risk to availability is not managed. B. Testing backups provides assurance that the backup data are reliable and will be available when needed. Without backup data, the organization is not addressing the risk of availability. C. While it is important to periodically test the disaster recovery plan (DRP), it is also effective to periodically test the DRP using certain scenarios instead of testing the entire plan. In many cases the restoration of backup media will not change for different disasters. For organizations with high availability requirements, data must be reliable and available when needed. If the primary processing center is not available, recovery of backup media is typically the same for each location as long as it is reliable and available. D. The DRP must be available to all personnel involved with recovery efforts. With the availability of the Internet, there are alternative methods of delivery/retrieval of the plan. Reliability and availability of backup data are priorities for organizations that require high availability.

An IS auditor is reviewing the disaster recovery plan (DRP) for a large organization with multiple locations requiring high systems availability. Which of the following causes the GREATEST concern? A. There is no agreement for a third-party alternate processing center. B. Backup media are not tested. C. The entire DRP is not periodically tested. D. A physical copy of the plan is not available at the alternate processing site.

You answered B. The correct answer is D. A. Controls to mitigate risk must be implemented based on cost-benefit analysis; however, the cost-benefit analysis is effective only if risk is presented in business terms. B. A risk management framework based on global standards helps in ensuring completeness; however, organizations must adapt it to suit specific business requirements. C. Approvals for risk response come later in the process. D. In order for risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms.

An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review? A. Controls are implemented based on cost-benefit analysis. B. The risk management framework is based on global standards. C. The approval process for risk response is in place. D. IT risk is presented in business terms.

You are correct, the answer is C. A. The threats facing each of the organization's assets should be analyzed according to their value to the organization. This would occur after identifying and ranking assets. B. Analyzing how these weaknesses, in the absence of mitigating controls, would impact the organization's information assets would occur after the assets and weaknesses have been identified. C. Identification and ranking of information assets—e.g., data criticality, sensitivity, locations of assets—will set the tone or scope of how to assess risk in relation to the organizational value of the asset. D. The effect of security breaches is dependent on the value of the assets and the threats, vulnerabilities and effectiveness of mitigating controls. The impact of an attack against a weakness should be identified so that controls can be evaluated to determine if they effectively mitigate the weaknesses.

An IS auditor performing an audit of the risk assessment process should FIRST confirm that: A. reasonable threats to the information assets are identified. B. technical and organizational vulnerabilities have been analyzed. C. assets have been identified and ranked. D. the effects of potential security breaches have been evaluated.

You are correct, the answer is C. A. Cross-training helps decrease dependence on a single person. B. Cross-training assists in succession planning. C. Cross-training is a process of training more than one individual to perform a specific job or procedure. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the potential exposures related to abuse of privilege. D. Cross-training provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations.

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of: A. dependency on a single person. B. inadequate succession planning. C. one person knowing all parts of a system. D. a disruption of operations.

You are correct, the answer is A. A. The role of an IT steering committee is to ensure that the IS department is in harmony with the organization's mission and objectives. To ensure this, the committee must determine whether IS processes support the business requirements. B. Assessing proposed additional functionality and managing proposed changes to an IT system is a role of the IT steering committee, but is only a part of the committee's role of ensuring that IT systems support business requirements. C. Evaluating software stability is too narrow in scope to ensure that IT processes are, in fact, supporting the organization's goals. D. The complexity of technology is too narrow in scope to ensure that IT processes are, in fact, supporting the organization's goals.

An IT steering committee should review information systems PRIMARILY to assess: A. whether IT processes support business requirements. B. whether proposed system functionality is adequate. C. the stability of existing software. D. the complexity of installed technology.

You answered C. The correct answer is D. A. Although chief legal officers can give guidance regarding legal issues on the policy, they cannot determine the risk appetite. B. The security management team is concerned with managing the security posture, but not with determining the posture. C. The audit committee is not responsible for setting the risk tolerance or appetite of the enterprise. D. The steering committee is best suited to determine the enterprise's risk appetite because the committee draws its representation from senior management.

An enterprise's risk appetite is BEST established by: A. the chief legal officer. B. security management. C. the audit committee. D. the steering committee.

You are correct, the answer is A. A. A business continuity strategy is the next phase because it identifies the best way to recover. The criticality of the business process, the cost, the time required to recover and security must be considered during this phase. B. The recovery strategy and plan development precede the test plan. C. Training can only be developed once the business continuity plan (BCP) is in place. D. A strategy must be determined before the BCP is developed.

An organization completed a business impact analysis (BIA) as part of business continuity planning. The NEXT step in the process is to develop: A. a business continuity strategy. B. a test and exercise plan. C. a user training program. D. the business continuity plan (BCP).

You are correct, the answer is B. A. Risk reduction is a term synonymous with risk mitigation. Risk reduction lowers risk to a level commensurate with the organization's risk appetite. Risk reduction treats the risk, while risk transfer does not always address compliance risk. B. Risk transfer typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist. C. Risk avoidance does not expose the organization to compliance risk because the business practice that caused the inherent risk to exist is no longer being pursued. D. Mitigating risk will still expose the organization to a certain amount of risk. Risk mitigation lowers risk to a level commensurate with the organization's risk appetite. However, risk transference is the best answer because risk mitigation treats the risk, while risk transfer does not necessarily address compliance risk.

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk? A. Risk reduction B. Risk transfer C. Risk avoidance D. Risk mitigation

You are correct, the answer is A. A. The business continuity plan should be reviewed every time a risk assessment is completed for the organization. B. Performing a simulation should be completed after the business continuity plan has been deemed adequate for the organization. C. Training of the employees should be performed after the business continuity plan has been deemed adequate for the organization. D. There is no reason to notify the business continuity plan contacts at this time.

An organization has just completed its annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization? A. Review and evaluate the business continuity plan for adequacy B. Perform a full simulation of the business continuity plan C. Train and educate employees regarding the business continuity plan D. Notify critical contacts in the business continuity plan

You answered B. The correct answer is C. A. Risk should be identified after the critical business processes have been identified. B. The identification of threats to critical business processes can only be determined after the critical business processes have been identified. C. The identification of critical business processes should be addressed first so that the priorities and timelines for recovery can be documented. D. Identification of resources required for business resumption will occur after the identification of critical business processes.

As part of the business continuity planning (BCP) process, which of the following should be identified FIRST in the business impact analysis (BIA)? A. Risk such as single point-of-failure and infrastructure risk B. Threats to critical business processes C. Critical business processes for ascertaining the priority for recovery D. Resources required for resumption of business

You are correct, the answer is B. A. A BSC is a method of specifying and measuring the attainment of strategic results. It will measure the delivery of effective and efficient services, but an organization may not have those in place prior to using a BSC. B. Because a BSC is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC. C. A BSC will measure the value of IT to business, not the other way around. D. A BSC will measure the performance of IT, but the control over IT expenses is not a key requirement for implementing a BSC.

Before implementing an IT balanced scorecard (BSC), an organization must: A. deliver effective and efficient services. B. define key performance indicators. C. provide business value to IT projects. D. control IT expenses.

You are correct, the answer is A. A. Protecting human resources during a disaster-related event should be addressed first. Having separate business continuity plans (BCPs) could result in conflicting evacuation plans, thus jeopardizing the safety of staff and clients. B. Recovery priorities may be unique to each department and could be addressed separately, but still should be reviewed for possible conflicts and/or the possibility of cost reduction, but only after the issue of human safety has been analyzed. C. Backup strategies are not critical to the integration of the plans for the various departments. Life safety is always the first priority. D. Communication during a crisis is always a challenge, but the call tree is not as important as ensuring life safety first.

During an audit of a business continuity plan (BCP), an IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following areas should be reconciled FIRST? A. Evacuation plan B. Recovery priorities C. Backup storages D. Call tree

You answered C. The correct answer is B. A. Quality assurance (QA) is concerned with reliability and consistency of processes. The QA team is not responsible for determining an acceptable risk level. B. Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization. C. The establishment of acceptable risk levels is a senior management responsibility. The chief information officer (CIO) is the most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. The CIO is rarely the person who determines acceptable risk levels because this could be a conflict of interest. D. The establishment of acceptable risk levels is a senior management responsibility. The chief security officer (CSO) is responsible for enforcing the decisions of the senior management team.

Establishing the level of acceptable risk is the responsibility of: A. quality assurance (QA) management. B. senior business management. C. the chief information officer (CIO). D. the chief security officer (CSO).

You answered D. The correct answer is C. A. Job rotation is a valuable control to ensure continuity of operations, but not the most serious human resources policy risk. B. Holding an exit interview is desirable when possible to gain feedback, but is not a serious risk. C. A termination checklist is critical to ensure the logical and physical security of an enterprise. In addition to preventing the loss of company property issued to the employee, there is the risk of unauthorized access, intellectual property theft and even sabotage by a disgruntled former employee. D. Signing a nondisclosure agreement (NDA) is a recommended human resources practice, but a lack of an NDA is not the most serious risk listed.

In a review of the human resources policies and procedures within an organization, an IS auditor would be MOST concerned with the absence of a: A. requirement for job rotation on a periodic basis. B. process for formalized exit interviews. C. termination checklist requiring that keys and company property be returned and all access permissions revoked upon termination. D. requirement for new employees to sign a nondisclosure agreement (NDA).

You answered B. The correct answer is A. A. The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IT short-range plan. B. A clear definition of the IT mission and vision would be covered by a strategic plan. C. A strategic information technology planning scorecard would be covered by a strategic plan. D. Business objectives correlating to IT goals and objectives would be covered by a strategic plan.

In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether: A. there is an integration of IT and business personnel within projects. B. there is a clear definition of the IT mission and vision. C. a strategic information technology planning scorecard is in place. D. the plan correlates business objectives to IT goals and objectives.

You are correct, the answer is A. A. In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. B. The tools and techniques for implementing value delivery include implementation of a standard set of security practices; however, implementation of standards is a means to achieve the objective of supporting value delivery, not the objective itself. C. Value delivery may be supported through the use of standards-based solutions, but the use of standards-based solutions is not the goal of value delivery. D. Continuous improvement culture in relation to a security program is a process, not an objective.

In the context of effective information security governance, the primary objective of value delivery is to: A. optimize security investments in support of business objectives. B. implement a standard set of security practices. C. institute a standards-based solution. D. implement a continuous improvement culture.

You answered B. The correct answer is D. A. The IT strategy committee plays a significant role in the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. B. The CIO plays a significant role in the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. C. The audit committee plays a significant role in monitoring and overseeing the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. D. Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly.

Responsibility for the governance of IT should rest with the: A. IT strategy committee. B. chief information officer (CIO). C. audit committee. D. board of directors.

You answered D. The correct answer is A. A. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective. B. Ensuring that security controls are implemented on critical platforms is important, but this is not the function of the EA. The EA may be concerned with the design of security controls; however, the EA would not help to ensure that they were implemented. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. C. While the EA process may enable development teams to be more efficient, because they are creating solutions based on standard platforms using standard programming languages and methods, the more critical benefit of the EA is to provide guidance for IT investments of all types, which encompasses much more than software development. D. A primary focus of the EA is to define standard platforms, databases and interfaces. Business units that invest in technology would need to select IT solutions that meet their business needs and are compatible with the EA of the enterprise. There may be instances when a proposed solution works better for a business unit but is not at all consistent with the EA of the enterprise, so there would be a need to compromise to ensure that the application can be supported by IT. Overall, the EA would restrict the ability of business units in terms of the potential IT systems that they may wish to implement. The support requirements would not be affected in this case.

The PRIMARY benefit of an enterprise architecture (EA) initiative would be to: A. enable the organization to invest in the most appropriate technology. B. ensure that security controls are implemented on critical platforms. C. allow development teams to be more responsive to business requirements. D. provide business units with greater autonomy to select IT solutions that fit their needs.

You are correct, the answer is B. A. Recommendations, visions and objectives of the IS auditor are usually addressed within a security program, but they would not be the major benefit. B. The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level, and monitoring of the residual risk. C. Recommendations, visions and objectives of the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit. D. The cost of IT security may or may not be reduced.

The PRIMARY benefit of implementing a security program as part of a security governance framework is the: A. alignment of the IT activities with IS audit recommendations. B. enforcement of the management of security risk. C. implementation of the chief information security officer's (CISO's) recommendations. D. reduction of the cost for IT security.

You are correct, the answer is A. A. Corporate governance is a set of management practices to provide strategic direction to the organization as a whole, thereby ensuring that goals are achievable, risk is properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction. B. Business operations are directed and controlled based on the strategic direction. C. Corporate governance applies strategic planning, monitoring and accountability to the entire organization, not just to IT. D. Governance is applied through the use of best practices, but this is not the objective of corporate governance.

The PRIMARY objective of implementing corporate governance is to: A. provide strategic direction. B. control business operations. C. align IT with business. D. implement best practices.

You are correct, the answer is D. A. Familiarizing employees with the business continuity plan is a secondary benefit of a test. B. It is not cost-effective to address all residual risk in a business continuity plan. C. It is not practical to test all possible disaster scenarios. D. Testing the business continuity plan provides the best evidence of any limitations that may exist.

The PRIMARY objective of testing a business continuity plan is to: A. familiarize employees with the business continuity plan. B. ensure that all residual risk is addressed. C. exercise all possible disaster scenarios. D. identify limitations of the business continuity plan.

You answered D. The correct answer is B. A. Aligning IT risk management with enterprise risk management (ERM) is important to ensure the cost-effectiveness of the overall risk management process. However, risk analysis does not enable such an alignment. B. Risk analysis is a process by which the likelihood and magnitude of IT risk scenarios are estimated. Risk analysis is conducted to ensure that the information assets with the greatest risk likelihood and impact are managed before addressing risk with a lower likelihood and impact. Prioritization of IT risk helps maximize return on investment for risk responses. C. Risk analysis evaluates risk on the basis of likelihood and impact and includes financial, environmental, regulatory and other risk. It looks at regulatory risk as one type of risk that the organization faces, but is not specifically designed to satisfy legal and regulatory compliance requirements. D. Risk analysis occurs after risk identification and evaluation. Risk identification determines known threats and vulnerabilities. Risk evaluation assesses the risk and creates valid risk scenarios. Risk analysis quantifies risk along the vectors of likelihood and impact to facilitate the prioritization of risk responses.

The goal of IT risk analysis is to: A. enable the alignment of IT risk management with enterprise risk management (ERM). B. enable the prioritization of risk responses. C. satisfy legal and regulatory compliance requirements. D. identify known threats and vulnerabilities to information assets.

You answered B. The correct answer is D. A. Utilizing an intrusion detection system to report incidents that occur is an implementation of a security program and is not effective in establishing a security awareness program. B. Mandating the use of passwords is a policy decision, not an awareness issue. C. Installing an efficient user log system is not a part of an awareness program. D. Regular training is an important part of a security awareness program.

The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program? A. Utilizing an intrusion detection system to report incidents B. Mandating the use of passwords to access all software C. Installing an efficient user log system to track the actions of each user D. Training provided on a regular basis to all current and new employees

You are correct, the answer is C. A. The email retention policy would include the destruction or deletion of emails. This must be compliant with legal requirements to retain emails. B. A security policy is too high level and would not address the risk of inadequate retention of emails or the ability to provide access to emails when required. C. With a policy of well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible. D. An audit policy would not address the legal requirement to provide emails as electronic evidence.

The risk associated with electronic evidence gathering would MOST likely be reduced by an email: A. destruction policy. B. security policy. C. archive policy. D. audit policy.

You answered C. The correct answer is A. A. The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly. B. CSA requires managers to participate in the monitoring of controls. C. The implementation of stringent controls will not ensure that the controls are working correctly. D. Better supervision is a compensating and detective control and may assist in ensuring control effectiveness, but would work best when used in a formal process such as CSA.

The success of control self-assessment (CSA) depends highly on: A. having line managers assume a portion of the responsibility for control monitoring. B. assigning staff managers the responsibility for building, but not monitoring, controls. C. the implementation of a stringent control policy and rule-driven controls. D. the implementation of supervision and the monitoring of controls of assigned duties.

You answered A. The correct answer is C. A. Elements of unacceptable risk will require treatment, but all activities are subject to risk management oversight. Assessing risk and determining which risk is acceptable and which risk has the potential for impact are functions of risk management. B. Risk management must be holistic and should not be limited to areas that exceed acceptable risk levels. Areas within acceptable risk levels may be optimized by reducing control measures or assuming more risk. C. While not all organizational activities will pose an unacceptable risk, the practice of risk management is still applied to determine which risk requires treatment. Risk management includes risk assessment, risk response and ongoing evaluation and monitoring of risk. All areas of the organization are therefore to be considered in a risk management effort. D. When assessing and responding to risk, all areas of the organization must be reviewed to determine which risk is acceptable, which risk exceeds acceptable levels and which risk has the potential for impact.

To be effective, risk management should be applied to: A. those elements identified by a risk assessment. B. any area that exceeds acceptable risk levels. C. all organizational activities. D. only areas that have potential impact.

You are correct, the answer is C. A. To comply with requirements, the IS auditor must first know what the requirements are. They can vary from one jurisdiction to another. The IT infrastructure is related to the implementation of the requirements. B. The policies of the organization are subject to the legal requirements and should be checked for compliance after the legal requirements are reviewed. C. To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures. D. Checking for compliance is only done after the IS auditor is assured that the policies, standards and procedures are aligned with the legal requirements.

To ensure that an organization is complying with privacy requirements, an IS auditor should FIRST review: A. the IT infrastructure. B. organizational policies, standards and procedures. C. legal and regulatory requirements. D. adherence to organizational policies, standards and procedures.

You answered A. The correct answer is B. A. The risk of loss or leakage of information is a serious risk because it will lead to financial and other penalties if it happens; however, that may happen even if the bank does not outsource. The greatest risk is noncompliance with regulations because it will subject the bank to fines and sanctions regardless of whether a breach happens. B. The greatest risk is noncompliance with regulations because regulations are mandatory and a violation could lead to loss of the bank's charter to operate. C. The risk of vendor failure or bankruptcy can be mitigated in the contract through such clauses as code escrow as well as a robust recovery process. Although this risk is inherent in any contractual relationship, if the correct controls are in place then it should not materially affect the bank as much as noncompliance or a loss or leakage of information. D. The risk of a lack of internal IS staff knowledge through outsourcing, although valid, is not as great a risk as that resulting from noncompliance or a loss or leakage of information. Contractual controls, such as a turnover period in the event of contract termination, can also help mitigate the risk of loss of internal knowledge.

What is the GREATEST risk of a bank outsourcing its data center? A. Loss or leakage of information B. Noncompliance with regulatory requirements C. Vendor failure or bankruptcy D. Loss of internal knowledge and experience

You are correct, the answer is A. A. An IS auditor should make management aware that some systems are omitted from the disaster recovery plan (DRP). An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the DRP. B. Cancelling the audit is an inappropriate action. C. Ignoring the fact that some systems are not covered would violate audit standards that require reporting all material findings and is an inappropriate action. D. Postponing the audit is an inappropriate action. The audit should be completed according to the initial scope with identification to management of the risk of systems not being covered.

When auditing a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that it does not cover all of the systems. Which of the following is the MOST appropriate action for the IS auditor? A. Alert management and evaluate the impact of not covering all systems. B. Cancel the audit. C. Complete the audit of the systems covered by the existing disaster recovery plan (DRP). D. Postpone the audit until the systems are added to the DRP.

You are correct, the answer is D. A. IT security employees cannot be supervised in the traditional sense unless the supervisor were to monitor each keystroke entered on a workstation, which is obviously not a realistic option. B. Retaining backups of the transaction logs does not prevent the files from unauthorized modification prior to backup. C. The log files themselves are the main evidence that an unauthorized change was made, which is a sufficient detective control. Protecting the log files from modification requires preventive controls such as securely writing the logs. D. Allowing IT security employees access to transaction logs is often unavoidable because having system administrator privileges is required for them to do their job. The best control in this case, to avoid unauthorized modifications of transaction logs, is to write the transaction logs to WORM drive media in real time. It is important to note that simply backing up the transaction logs to tape is not adequate because data could be modified before the daily backup job executes (typically at night).

When auditing a role-based access control system (RBAC), the IS auditor noticed that some IT security employees have system administrator privileges on some servers, which allows them to modify or delete transaction logs. Which would be the BEST recommendation that the IS auditor should make? A. Ensure that these employees are adequately supervised. B. Ensure that backups of the transaction logs are retained. C. Implement controls to detect the changes. D. Ensure that transaction logs are written in real time to Write Once and Read Many (WORM) drives.
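The WORM recommendation above works because every record is committed, as it happens, to a place the administrator cannot rewrite. The following Python example is added here and is not part of the original question bank or of any ISACA material; it is a software stand-in for WORM media: an append-only, hash-chained transaction log that fsyncs each record immediately, with a verifier that walks the chain. It shows the two failure modes the answer points at: an in-place edit made before the nightly backup, and a truncated tail, which the chain alone cannot see unless the chain head is also held outside the administrator's reach. The class and function names (TamperEvidentLog, verify, tamper, demo) and the sample transactions are constructed for this example.

```python
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(entry: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode("utf-8")).hexdigest()


class TamperEvidentLog:
    """Append-only, hash-chained transaction log (software stand-in for WORM media).

    Every record is committed to disk immediately (flush + fsync) and carries the
    hash of the record before it, so the window between "event happened" and
    "log was backed up" no longer allows silent edits: any change inside the
    file breaks the chain.
    """

    def __init__(self, path: str):
        self.path = path
        self.head = GENESIS
        # Recover the chain head if the file already holds records.
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as f:
                for line in f:
                    self.head = json.loads(line)["hash"]

    def append(self, record: dict) -> str:
        entry = {"prev": self.head, "data": record}
        digest = _digest(entry)
        line = json.dumps({"entry": entry, "hash": digest}, sort_keys=True)
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(line + "\n")
            f.flush()
            os.fsync(f.fileno())  # commit now, not at the nightly backup
        self.head = digest
        return digest


def verify(path: str, expected_head=None):
    """Walk the chain. Returns (True, None) if intact, else (False, line_no).

    expected_head is the last hash as recorded somewhere the administrator cannot
    rewrite (remote syslog, ticketing system, WORM media). Without it, removing
    records from the tail of the file is undetectable.
    """
    prev = GENESIS
    line_no = 0
    with open(path, "r", encoding="utf-8") as f:
        for line_no, line in enumerate(f, start=1):
            obj = json.loads(line)
            entry = obj["entry"]
            if entry["prev"] != prev or _digest(entry) != obj["hash"]:
                return False, line_no
            prev = obj["hash"]
    if expected_head is not None and prev != expected_head:
        return False, line_no + 1  # tail was removed or never written
    return True, None


def tamper(path: str, line_no: int, new_data: dict) -> None:
    """Simulate an administrator editing one record in place before the backup runs."""
    with open(path, "r", encoding="utf-8") as f:
        lines = f.readlines()
    obj = json.loads(lines[line_no - 1])
    obj["entry"]["data"] = new_data  # stored hash and prev pointer left untouched
    lines[line_no - 1] = json.dumps(obj, sort_keys=True) + "\n"
    with open(path, "w", encoding="utf-8") as f:
        f.writelines(lines)


def demo() -> dict:
    """Constructed sample transactions; returns the verification outcomes."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "txn.log")
    log = TamperEvidentLog(path)
    for rec in ({"user": "alice", "action": "transfer", "amount": 100},
                {"user": "bob", "action": "transfer", "amount": 2500},
                {"user": "carol", "action": "approve", "txn": 2}):
        log.append(rec)
    head = log.head  # in practice, ship this out of the administrator's reach
    intact = verify(path, head)

    # Case 1: the last record is dropped. The chain still looks fine on its own;
    # only the externally held head reveals the missing tail.
    truncated = os.path.join(workdir, "txn_truncated.log")
    with open(path, "r", encoding="utf-8") as f:
        lines = f.readlines()
    with open(truncated, "w", encoding="utf-8") as f:
        f.writelines(lines[:-1])

    # Case 2: record 2 is edited in place before the nightly backup.
    tamper(path, 2, {"user": "bob", "action": "transfer", "amount": 25})

    return {
        "intact": intact,
        "edited": verify(path, head),
        "truncated_unanchored": verify(truncated),
        "truncated_anchored": verify(truncated, head),
    }


if __name__ == "__main__":
    print(demo())
```

The chain is tamper-evident, not tamper-proof: an administrator who can rewrite the whole file can also re-chain it. That is why the question's answer is real-time writing to WORM media, and why the chain head in this example must be anchored somewhere the same administrator cannot reach.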

You answered B. The correct answer is A. A. The IT risk assessment should have a clearly defined scope to be efficient and meet the objectives of risk identification. The IT risk assessment should include relationships with risk assessments in other areas, if appropriate. B. It is most likely that the IT security officer is not in a position to approve risk ratings, and the results of the workshop may need to be compiled and analyzed following the workshop, making approval during the workshop improbable. C. The facilitator of the workshop should encourage input from all parties without causing embarrassment or intimidation. However, the IT security officer is not expected to accept risk—that is a senior management function. D. The purpose of a workshop is to brainstorm and draw out the input of all participants, not just to address commonly accepted risk.

When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and business unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain successful results and avoid future conflicts? A. Ensure that the IT security risk assessment has a clearly defined scope. B. Require the IT security officer to approve each risk rating during the workshop. C. Suggest that the IT security officer accept the business unit risk and rating. D. Select only commonly accepted risk with the highest submitted rating.

You answered A. The correct answer is C. A. The assets need to be identified first. A listing of the threats that can affect the assets is a later step in the process. B. Data classification is required for defining access controls and in criticality analysis, but the assets (including data) need to be identified before classification can be done. C. Identification of the assets to be protected is the first step in the development of a risk management program. D. Criticality analysis is a later step in the process, after the assets have been identified.

When developing a risk management program, what is the FIRST activity to be performed? A. Threat assessment B. Classification of data C. Inventory of assets D. Criticality analysis

You are correct, the answer is B. A. Policy is used to provide direction for procedures, standards and baselines. Therefore, developing security procedures should be executed only after defining a security policy. B. Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. C. Specifying an access control methodology is an implementation concern and should be executed only after defining a security policy. D. Defining roles and responsibilities should be executed only after defining a security policy.

When developing a security architecture, which of the following steps should be executed FIRST? A. Developing security procedures B. Defining a security policy C. Specifying an access control methodology D. Defining roles and responsibilities

You are correct, the answer is A. A. An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process. This drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc., can support the business objectives. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization's business objectives. B. Operational efficiency initiatives, including cost reduction of purchasing and maintenance activities of systems, belong to tactical planning, not strategic planning. C. A list of approved suppliers of IT contract resources is a tactical rather than a strategic concern. D. An IT strategic plan would not normally include detail of a specific technical architecture.

When reviewing an organization's strategic IT plan, an IS auditor should expect to find: A. an assessment of the fit of the organization's application portfolio with business objectives. B. actions to reduce hardware procurement cost. C. a listing of approved suppliers of IT contract resources. D. a description of the technical architecture for the organization's network perimeter security.

You answered B. The correct answer is C. A. An organization is not required to base its IT policies on industry best practices. Policies must be based on the culture and business requirements of the organization. B. It is essential that policies be approved; however, that is not the primary focus during the development of the policies. C. Information security policies must be first of all aligned with an organization's business and security objectives. D. Policies cannot provide direction if they are not aligned with business requirements.

When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies: A. are aligned with globally accepted industry best practices. B. are approved by the board of directors and senior management. C. strike a balance between business and security requirements. D. provide direction for implementing security procedures.

You answered B. The correct answer is D. A. Supplier and partner risk being managed is a risk management best practice, but not a strategic function. B. A knowledge base on customers, products, markets and processes being in place is an IT value delivery best practice, but does not ensure strategic alignment. C. An infrastructure being provided to facilitate the creation and sharing of business information is an IT value delivery and risk management best practice, but is not as effective as top management involvement in business and technology alignment. D. Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice.

Which of the following IT governance best practices improves strategic alignment? A. Supplier and partner risk is managed. B. A knowledge base on customers, products, markets and processes is in place. C. A structure is provided that facilitates the creation and sharing of business information. D. Top management mediates between the imperatives of business and technology.

You answered A. The correct answer is D. A. While frequent review of audit logs is a compensating control, it is ineffective if there is no clear segregation of duties. An IT person with administrative access to a system could potentially delete audit logs or disable audit logging altogether. From a practical perspective, logs typically contain large volumes of data; an in-depth review of these data would be a time-consuming and impractical method for finding issues related to segregation of duties conflicts. B. User provisioning is the process of granting access to an application or system. While a normal part of the provisioning process is to make sure that no segregation of duties conflicts exist, this cannot be done in the present case due to the small size of the IT department. Therefore, tighter controls over user provisioning would be of limited value. C. While it is important to ensure that only authorized individuals have administrative access to critical systems to prevent segregation of duties conflicts, in this case those conflicts cannot be prevented. Therefore, a more frequent review of administrative access would be of limited value as a control. D. In this scenario, management should have administrator-level activity independently reviewed to ensure that personnel with administrator access are not performing unauthorized functions.

Which of the following compensating controls should management implement when a segregation of duties conflict exists because an organization has a small IT department? A. More frequent review of audit logs B. Tighter controls over user provisioning C. More frequent reviews of administrative access D. Independent review of administrator level activity

You answered B. The correct answer is A. A. The appropriate level of protection for an asset is determined based on the risk associated with the asset. The results of the risk assessment are, therefore, the primary information that the IS auditor should review. B. The relative value of an asset to the business is one element considered in the risk assessment; this alone does not determine the level of protection required. C. The results of a vulnerability assessment would be useful when creating the risk assessment; however, this would not be the primary focus. D. The cost of security controls is not a primary factor to consider because the expenditures on these controls are determined by the value of the information assets being protected.

Which of the following factors should an IS auditor PRIMARILY focus on when determining the appropriate level of protection for an information asset? A. Results of a risk assessment B. Relative value to the business C. Results of a vulnerability assessment D. Cost of security controls

You answered C. The correct answer is D. A. The maturity of the project management process is more important with respect to managing the day-to-day operations of IT versus performing strategic planning. B. Regulatory requirements may drive investment in certain technologies and initiatives; however, having to meet regulatory requirements is not typically the main focus of the IT and business strategy. C. Past audit findings may drive investment in certain technologies and initiatives; however, having to remediate past audit findings is not the main focus of the IT and business strategy. D. Portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the IT portfolio would provide comparable information of planned initiatives, projects and ongoing IT services, which allows the IT strategy to be aligned with the business strategy.

Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process? A. The maturity of the project management process B. The regulatory environment C. Past audit findings D. The IT project portfolio analysis

You are correct, the answer is A. A. Although the promotion of security awareness is a preventive control, it can also be a detective measure because it encourages people to identify and report possible security violations. The reporting of incidents implies that employees are taking action as a consequence of the awareness program. B. The existence of evidence that all employees have signed the security policy does not ensure that security responsibilities have been understood and applied. C. One of the objectives of the security awareness program is to inform the employees of what is expected of them and what their responsibilities are, but this knowledge does not ensure that employees will perform their activities in a secure manner. D. The documentation of roles and responsibilities in job descriptions is not an indicator of the effectiveness of the awareness program.

Which of the following is MOST indicative of the effectiveness of an information security awareness program? A. Employees report more information regarding security incidents. B. All employees have signed the information security policy. C. Most employees have attended an awareness session. D. Information security responsibilities have been included in job descriptions.

You answered D. The correct answer is B. A. A pilot test is used for implementing a new process or technology and is not appropriate for a business continuity plan (BCP). B. A paper test (sometimes called a desk check) is appropriate for testing a BCP. It is a walk-through of the entire BCP, or part of the BCP, involving the major players in the BCP's execution, who reason out what may happen in a particular disaster. C. A unit test is used to test new software components and is not appropriate for a BCP. D. A system test is an integrated test used to test a new IT system and is not appropriate for a BCP.

Which of the following is an appropriate test method to apply to a business continuity plan (BCP)? A. Pilot B. Paper C. Unit D. System

You answered B. The correct answer is A. A. The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include: empowered employees, continuous improvement, extensive employee participation and training, all of which are representations of broad stakeholder involvement. B. IS auditors are the primary control analysts in a traditional audit approach. CSA involves many stakeholders, not just auditors. C. Limited employee participation is an attribute of a traditional audit approach. D. Policy-driven is an attribute of a traditional audit approach.

Which of the following is an attribute of the control self-assessment (CSA) approach? A. Broad stakeholder involvement B. Auditors are the primary control analysts C. Limited employee participation D. Policy driven

You are correct, the answer is A. A. The role of the chief security officer (CSO) is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the company assets, including data, programs and equipment. B. User application and other software testing and evaluation normally are the responsibility of the staff assigned to development and maintenance. C. Granting and revoking access to IT resources is usually a function of system, network or database administrators. D. Approval of access to data and applications is the duty of the data or application owner.

Which of the following is normally a responsibility of the chief security officer (CSO)? A. Periodically reviewing and evaluating the security policy B. Executing user application and software testing and evaluation C. Granting and revoking user access to IT resources D. Approving access to data and applications

You answered B. The correct answer is A. A. A structured walk-through test gathers representatives from each department, who review the plan from beginning to end and identify weaknesses; this is the best way to keep the plan current. B. Confirming that specific systems can actually perform adequately at the alternate offsite facility is a parallel test; it validates recovery capability but does not involve the group reviewing the plan itself. C. A full-interruption test is the most intrusive test for regular operations and the business; awareness of its procedures does not keep the plan up to date. D. While improving interdepartmental communication is important, it is not the most effective method of ensuring that the plan remains up to date.

Which of the following is the BEST method to ensure that the business continuity plan (BCP) remains up to date? A. The group walks through the different scenarios of the plan, from beginning to end. B. The group ensures that specific systems can actually perform adequately at the alternate offsite facility. C. The group is aware of full-interruption test procedures. D. Interdepartmental communication is promoted to better respond in the case of a disaster.

You answered B. The correct answer is C. A. The greatest risk is that unauthorized users could modify data. Coordinating user management is important, but it is not the greatest risk. B. User accountability is important, but it is not as great a risk as the actions of unauthorized users. C. Without a policy defining who is responsible for granting access to specific systems, there is an increased risk that individuals could gain (or be given) system access when they should not be authorized. The risk of unauthorized users being able to originate, modify or delete data is greater than the risk of authorized user accounts not being controlled properly. D. The failure to implement audit recommendations is a management problem, but it is not as serious as unauthorized users being able to modify data.

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? A. User management coordination does not exist. B. Specific user accountability cannot be established. C. Unauthorized users may have access to originate, modify or delete data. D. Audit recommendations may not be implemented.

You answered A. The correct answer is B. A. The alternate location should be at a sufficient geographic distance from the main processing facility, but this is not the main objective. Geographic distance is important; however, the same event such as an earthquake could affect two geographically diverse processing facilities. B. The likelihood of the occurrence of a natural disaster is a consideration in overall business continuity planning and in whether there is a business case to set up an alternate site. The alternate site should be at a location that does not expose it to the same threats as the main processing facility. C. The alternate site must sustain operations so that normal business activities are disrupted for only a reasonable duration. This does not mandate that capacity of the alternate site be identical to the main site. Focus must be on critical business services receiving adequate support and resources to prevent disruption. D. Proximity to local fire and other emergency response facilities is an advantage, but not a criterion for choosing the alternate location.

Which of the following is the MOST important criterion for selecting an alternate processing site? A. Total geographic distance between the two sites B. Likelihood of the same natural event occurring at both sites C. Matching processing capacity at both sites D. Proximity of the alternate site to local fire, emergency response and hospital facilities

You answered C. The correct answer is B. A. Payment terms are typically included in the master agreement rather than in the service level agreement (SLA). B. The most important element of an SLA is the measurable terms of performance, such as uptime agreements. C. The indemnification clause is typically included in the master agreement rather than in the SLA. D. The default resolution would only apply in case of a default of the SLA; therefore, it is more important to review the performance conditions of the SLA.

Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement (SLA) with an external IT service provider? A. Payment terms B. Uptime guarantee C. Indemnification clause D. Default resolution

You answered C. The correct answer is A. A. The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance. B. Reducing audit expenses is not a key benefit of CSA. C. Improved fraud detection is important, but not as important as control ownership, and is not a principal objective of CSA. D. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

Which of the following is the key benefit of a control self-assessment (CSA)? A. Management ownership of the internal controls supporting business objectives is reinforced. B. Audit expenses are reduced when the assessment results are an input to external audit work. C. Fraud detection will be improved because internal business staff are engaged in testing controls. D. Internal auditors can shift to a consultative approach by using the results of the assessment.

You answered A. The correct answer is C. A. Measures such as a balanced scorecard (BSC) are helpful, but do not guarantee that the projects are aligned with business strategy. B. Key performance indicators (KPIs) are helpful to monitor and measure IT performance, but they do not guarantee that the projects are aligned with business strategy. C. Prioritization of projects on the basis of their expected benefit(s) to business, and the related risk, is the BEST measure for achieving alignment of the project portfolio to an organization's strategic priorities. D. Modifying the yearly process of the projects portfolio definition might improve the situation, but only if the portfolio definition process is closely tied to organizational strategies.

Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities? A. Define a balanced scorecard (BSC) for measuring performance. B. Consider user satisfaction in the key performance indicators (KPIs). C. Select projects according to business benefits and risk. D. Modify the yearly process of defining the project portfolio.

You are correct, the answer is C. A. Ideally, the board of directors should approve the plan to ensure acceptability, but it is possible to delegate approval authority to the chief information officer (CIO). Pragmatically, failing to document test results could have more significant consequences. B. The contact lists are an important part of the business continuity plan (BCP); however, they are not as important as documenting the test results. C. The effectiveness of a BCP can best be determined through tests. If the results of tests are not documented, there is no basis for feedback, updates, etc. D. If test results are documented, any need for training will be identified and the BCP will be updated.

Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan (BCP)? A. The plan is approved by the chief information officer (CIO). B. The plan contact lists have not been updated. C. Test results are not adequately documented. D. The training schedule for recovery personnel is not included.

You are correct, the answer is B. A. A list of key IT resources to be secured is more detailed than that which should be included in a policy. B. The security policy provides the broad framework of security as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. C. The identity of sensitive security assets is more detailed than that which should be included in a policy. D. A list of the relevant software security features is more detailed than that which should be included in a policy.

Which of the following should be included in an organization's information security policy? A. A list of key IT resources to be secured B. The basis for access control authorization C. Identity of sensitive security assets D. Relevant software security features

You are correct, the answer is A. A. Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals. B. Policies should be written so that users can understand each policy, and employees should be able to easily access the policies. The fact that users have not read the policy is not the greatest concern because they still may be compliant with the policy. C. Policies should not contain procedures. Procedures are established to assist with policy implementation and compliance. D. Policies should be reviewed annually, but might not necessarily be updated annually unless there are significant changes in the environment such as new laws, rules or regulations.

Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy: A. is driven by an IT department's objectives. B. is published, but users are not required to read the policy. C. does not include information security procedures. D. has not been updated in over a year.

You are correct, the answer is C. A. Access to software for recovery should be managed through an internally controlled software library. Escrow refers to the storage of software with a third party, not to internal libraries. B. Providing the user with a backup copy of software is not escrow. Escrow requires that a copy be kept with a trusted third party. C. A software escrow is a legal agreement between a software vendor and a customer to guarantee access to source code. The application source code is held by a trusted third party, according to the contract. This agreement protects the customer in the event that the software vendor goes out of business, there is a contractual dispute with the customer, or the software vendor fails to maintain and update the software as promised in the software license agreement. D. A software escrow agreement protects a customer's access to the source code of software it has licensed from another organization; it is not a mechanism for giving an auditor access to code written by the audited organization itself.

Which of the following situations is addressed by a software escrow agreement? A. The system administrator requires access to software to recover from a disaster. B. A user requests to have software reloaded onto a replacement hard drive. C. The vendor of custom-written software goes out of business. D. An IT auditor requires access to software code written by the organization.

You answered C. The correct answer is A. A. Process owners are essential in identifying the critical business functions, recovery times and resources needed. B. A business continuity plan (BCP) is concerned with the continuity of business processes, while applications may or may not support critical business processes. C. The board of directors might approve the plan, but they are typically not involved in the details of developing the BCP. D. IT management will identify the IT resources, servers and infrastructure needed to support the critical business functions as defined by the business process owners.

Which of the following stakeholders is the MOST important in terms of developing a business continuity plan (BCP)? A. Process owners B. Application owners C. The board of directors D. IT management

You answered C. The correct answer is A. A. Short-term planning for an IT department should specifically consider how resources are allocated in the short term; the IS auditor will verify that those resources are being managed adequately. B. Investments in IT need to be aligned with top management strategies rather than with short-term planning that focuses on technology for technology's sake. C. Conducting control self-assessments is not as critical as allocating resources during short-term planning for the IT department. D. Evaluating hardware needs is not as critical as allocating resources during short-term planning for the IT department.

Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IT department? A. Allocating resources B. Keeping current with technology advances C. Conducting control self-assessment D. Evaluating hardware needs

You answered D. The correct answer is B. A. The BCP circulation will ensure that the BCP document is received by all users. Although essential, this does not contribute significantly to the success of the BCP. B. The involvement of user departments in the BCP is crucial for the identification of the business processing priorities and the development of an effective plan. C. A BCP approved by senior management would not necessarily ensure the effectiveness of the BCP. D. An audit would not necessarily improve the quality of the BCP.

Which of the following would contribute MOST to an effective business continuity plan (BCP)? A. The document is circulated to all interested parties. B. Planning involves all user departments. C. The plan is approved by senior management. D. An audit is performed by an external IS auditor.

You answered D. The correct answer is B. A. Generally, best practices are adopted according to business requirements and, therefore, conforming to best practices may or may not be a requirement of the business. B. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS). C. Updating operating procedures is part of implementing the QMS; however, it must be part of change management and not an annual activity. D. Key performance indicators (KPIs) may be defined in a QMS, but they are of little value if they are not being monitored.

While reviewing a quality management system (QMS) the IS auditor should PRIMARILY focus on collecting evidence to show that: A. quality management systems (QMSs) comply with best practices. B. continuous improvement targets are being monitored. C. standard operating procedures of IT are updated annually. D. key performance indicators (KPIs) are defined.
