CISA Chapter 4 Practice


with their named account to make the changes (Logging in using the named user account before using the database administrator (DBA) account provides accountability by noting the person making the changes.)

A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in: A. with their named account to make the changes B. with the shared DBA account to make the changes C. to the server administrative account to make the changes D. to the user's account to make the changes

Alternative standby processor at another network node

A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor? A. Offsite storage of daily backups B. Alternative standby processor onsite C. Installation of duplex communication links D. Alternative standby processor at another network node

system and the IT operations team can sustain operations in the emergency environment. (The applications have been operated intensively, but the capability of the system and the IT operations team to sustain and support this environment (ancillary operations, batch closing, error corrections, output distribution, etc.) is only partially tested. B is wrong because the test involved intensive usage and the backup would seem able to handle the transaction load. C is wrong because users were able to connect to and use the system, and the response time must have been satisfactory. D is wrong because the intensive tests by the business indicated that the workflow systems worked correctly. Environmental changes could pose a future problem, but it is working correctly now.)

A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the: A. system and the IT operations team can sustain operations in the emergency environment. B. resources and the environment could sustain the transaction load. C. connectivity to the applications at the remote site meets response time requirements. D. workflow of actual business operations can use the emergency system in case of a disaster.

recovery point objective (RPO).

After a disaster declaration, the media creation date at a warm recovery site is based on the: A. recovery point objective (RPO). B. recovery time objective (RTO). C. service delivery objective (SDO). D. maximum tolerable outage (MTO).

Develop recovery strategies. (Once the business impact analysis (BIA) is completed, the next phase in the BCP development is to identify the various recovery strategies and select the most appropriate strategy for recovering from a disaster that will meet the time lines and priorities defined through the BIA. The other options are wrong because only after selecting a strategy can a specific business continuity plan (BCP) be developed, tested and implemented.)

After completing the business impact analysis (BIA), what is the NEXT step in the business continuity planning (BCP) process? A. Test and maintain the plan. B. Develop a specific plan. C. Develop recovery strategies. D. Implement the plan.

Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs. (The matching of hash keys over time would allow detection of changes to files. A is wrong because having a log is not a control; reviewing the log is a control. C is wrong because the access was already granted at the command line level. It will be possible for the developers to bypass the control. D is wrong because removing the tools from the production environment will not mitigate the risk of unauthorized activity by the developers.)

An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment? A. Commands typed on the command line are logged. B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs. C. Access to the operating system command line is granted through an access restriction tool with preapproved rights. D. Software development tools and compilers have been removed from the production environment.

Default passwords are not changed when installing network devices.

An IS auditor is conducting a postimplementation review of an enterprise's network. Which of the following findings would be of MOST concern? A. Wireless mobile devices are not password-protected. B. Default passwords are not changed when installing network devices. C. An outbound web proxy does not exist. D. All communication links do not utilize encryption.

A tabletop exercise using the procedures was conducted. (If IT conducted a paper-based test of the procedures with all responsible members, this would help ensure that the procedures meet requirements and are useful and practical during a real disaster. A is wrong because even though documented procedures were approved by management, this does not ensure that there is nothing missing. B is wrong because while comparing the procedures with documented industry good practices is useful, a paper test would be a better indicator that the procedures meet requirements. D is wrong because the documentation of recovery teams and their responsibilities would be part of the procedures, not necessarily validating that the procedures meet requirements.)

An IS auditor is conducting a review of the disaster recovery (DR) procedures for a data center. Which of the following indicators is the BEST to show that the procedures meet the requirements? A. Documented procedures were approved by management. B. Procedures were reviewed and compared with industry good practices. C. A tabletop exercise using the procedures was conducted. D. Recovery teams and their responsibilities are documented.

Ensure that all persons in the data center are evacuated. (In an emergency, life safety is always the priority; the complete and orderly evacuation of facility staff would be the most important activity. A is wrong because notifying the fire department is unnecessary, since most data center alarms are configured to report to local authorities automatically. B is wrong because fire suppression systems are designed to operate automatically, and activation when staff are not yet evacuated could create confusion and panic, leading to injuries or fatalities. Manual system triggering is necessary under certain conditions, but only after the safe evacuation of all other data center personnel. D is wrong because removing data center backup tapes is inappropriate, since it could delay personnel evacuation. Most companies would have offsite storage of backup tapes to mitigate the risk of data loss for this type of disaster.)

An IS auditor is performing an audit in the data center when the fire alarm begins sounding. The audit scope includes disaster recovery, so the auditor observes the data center staff response to the alarm. Which of the following is the MOST important action for the data center staff to complete in this scenario? A. Notify the local fire department of the alarm condition. B. Prepare to activate the fire suppression system. C. Ensure that all persons in the data center are evacuated. D. Remove all backup tapes from the data center.

Return or destruction of information (When reviewing a third-party agreement, the most important consideration concerning the privacy of the data is the clause concerning the return or secure destruction of information at the end of the contract. A is wrong because data retention, backup, and recovery are important controls; however, they do not guarantee data privacy. C is wrong because network and intrusion detection are helpful when securing the data, but on their own, they do not guarantee data privacy stored at a third-party provider. D is wrong because a patch management process helps secure servers and may prohibit unauthorized disclosure of data; however, it does not affect the privacy of the data.)

An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data? A. Data retention, backup and recovery B. Return or destruction of information C. Network and intrusion detection D. A patch management process

The default configurations are changed. (Default database configurations, such as default passwords and services, need to be changed; otherwise, malicious code and intruders could easily compromise the database. B is wrong because the normalization of a database is related more to performance than security. C is wrong because limiting access to stored procedures is a valid security consideration but not as critical as changing default configurations. D is wrong because changing the service port used by the database is a component of the configuration changes that could be made to the database. However, other more critical configuration changes should be made first.)

An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening? A. The default configurations are changed. B. All tables in the database are normalized. C. Stored procedures and triggers are encrypted. D. The service port used by the database server is changed.

IT management (Because a disaster recovery plan (DRP) is based on the recovery and provisioning of IT services, IT management's approval would be most important to verify that the system resources will be available if a disaster event is triggered. A is wrong because although executive management's approval is essential, the IT department is responsible for managing system resources and their availability related to disaster recovery (DR). C is wrong because the board of directors may review and approve the DRP; however, the IT department is responsible for managing system resources and their availability as related to DR. D is wrong because the steering committee would determine the requirements for disaster recovery (recovery time objective [RTO] and recovery point objective [RPO]); however, the IT department is responsible for managing system resources and their availability as related to DR.)

An IS auditor is reviewing the most recent disaster recovery plan (DRP) of an organization. Which approval is the MOST important when determining the availability of system resources required for the plan? A. Executive management B. IT management C. Board of directors D. Steering committee

fallback procedures. (Fallback procedures are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process—a process that specifies what procedures should be followed when software is being upgraded, but the upgrade does not work and requires a fallback to its former state. A is wrong because problem management procedures are used to track user feedback and issues related to the operation of an application for trend analysis and problem resolution. B is wrong because software development procedures such as the SDLC are used to manage the creation or acquisition of new or modified software. D is wrong because incident management procedures are used to manage errors or problems with system operation. A help desk usually uses them. One of the incident management procedures may be how to follow a fallback plan.)

An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess: A. problem management procedures. B. software development procedures. C. fallback procedures. D. incident management procedures.

the level of information security required when business recovery procedures are invoked. (Businesses should consider whether information security levels required during recovery should be the same, lower, or higher than when a business usually operates. In particular, any special rules for access to confidential data during a crisis must be identified. B is wrong because, during a time of crisis, the security needs of the organization may increase. After all, there are many controls that are missing, such as separation of duties. C is wrong because identifying resource requirements for information security as part of the BCP is important. Still, it is more important to set out the security levels required for protected information. D is wrong because change management procedures can help keep a BCP up to date but are irrelevant to this scenario.)

An IS auditor notes during an audit that an organization's business continuity plan (BCP) does not adequately address information confidentiality during the recovery process. The IS auditor should recommend that the plan be modified to include: A. the level of information security required when business recovery procedures are invoked. B. information security roles and responsibilities in the crisis management structure. C. information security resource requirements. D. change management procedures for information security that could affect business continuity arrangements.

The third-party provider reserves the right to access data to perform certain operations. (Some providers reserve the right to access customer information to perform certain transactions and provide certain services. PHI regulations may restrict certain access, and organizations must review the regulatory environment in which the cloud provider operates because it may impose restrictions. Organizations must determine whether the cloud provider offers appropriate controls for data security. A is wrong because the customer organization would want to retain ownership of its data. C is wrong because an organization may wish to discontinue its relationship with a third party; it would then want to remove its data from the system and ensure the service provider clears the system. Some providers do not offer automated or bulk data withdrawal mechanisms, so the organization needs to plan for data migration. D is wrong because an organization may need to plan its own data recovery processes.)

An IS auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information (PHI). Which of the following contractual terms would be the GREATEST risk to the customer organization? A. Data ownership is retained by the customer organization. B. The third-party provider reserves the right to access data to perform certain operations. C. Bulk data withdrawal mechanisms are undefined. D. The customer organization is responsible for backup, archive and restore.

A clause providing a "right to audit" the service provider (A missing "right to audit" clause would potentially prevent the auditor from investigating any aspect of supplier performance moving forward. It would be a concern for the auditor because it would require more work for the organization to assess implementation of appropriate controls. B is wrong because not all contracts require the payment of penalties for poor performance. C is wrong because as long as the requirement for service-level reporting is included, there must be predefined reporting templates. D is wrong because a missing limitation of liability clause for the service provider would expose the provider to unlimited liability. This would be to the advantage of the outsourcing company, so while the auditor might highlight the absence of such a clause, it would not be a concern.)

An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing? A. A clause providing a "right to audit" the service provider B. A clause defining penalty payments for poor performance C. Predefined service level report templates D. A clause regarding supplier limitation of liability

regularly reviewed and updated. (The plan should be reviewed at appropriate intervals, depending upon the nature of the business and the rate of change of systems and personnel. Otherwise, it may become outdated and ineffective. The plan must be subjected to regular testing, but the period between tests will again depend on the nature of the organization and the relative importance of IS. Three months or even annually may be appropriate in different circumstances. Although the disaster recovery plan should receive the approval of senior management, for a purely IS-related plan the executive responsible for technology may have approved it. Similarly, although a business continuity plan is likely to be circulated throughout an organization, the IS disaster recovery plan will usually be a technical document only relevant to IS and communications staff.)

An IS auditor reviewing an organization's IS disaster recovery plan should verify that it is: A. tested every six months. B. regularly reviewed and updated. C. approved by the chief executive officer (CEO). D. communicated to every department head in the organization.

program changes have been authorized. (Library control software should be used to separate test from production libraries in mainframe and/or client-server environments. The main objective of library control software is to provide assurance that program changes have been authorized. B is wrong because library control software is concerned with authorized program changes and cannot determine whether programs have been thoroughly tested. C is wrong because programs should not be moved automatically into production without proper authorization. D is wrong because library control software provides reasonable assurance that the source code and executable code are matched when source code is moved to production. Access control will ensure the integrity of the software, but the most important benefit of version control software is to ensure that all changes are authorized.)

An IS auditor should recommend the use of library control software to provide reasonable assurance that: A. program changes have been authorized. B. only thoroughly tested programs are released. C. modified programs are automatically moved to production. D. source and executable code integrity is maintained.

Ensure that supervisory approval and review are performed for critical changes. (Supervisory approval and review of critical changes by the accountable managers in the enterprise are required to avoid and detect any unauthorized change. In addition to authorization, supervision enforces a separation of duties and prevents an unauthorized attempt by any single employee. A is wrong because audit trails are a detective control and, in many cases, can be altered by those with privileged access. B is wrong because staff proficiency is important, and good training may be somewhat of a deterrent, but supervisory approval and review is the best choice. C is wrong because performing background checks is a basic control and will not effectively prevent or detect errors or malfeasance.)

An enterprise uses privileged accounts to process configuration changes for mission-critical applications. Which of the following would be the BEST and appropriate control to limit the risk in such a situation? A. Ensure that audit trails are accurate and specific. B. Ensure that personnel have adequate training. C. Ensure that personnel background checks are performed for critical personnel. D. Ensure that supervisory approval and review are performed for critical changes.

Unauthorized access (Untested CGIs can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers. A is wrong because while untested common gateway interfaces (CGIs) can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users. B is wrong because untested CGI scripts do not inherently lead to malware exposures. D is wrong because while untested CGIs can cause the end-user web application to be compromised, this is not likely to impact system integrity significantly.)

An internal audit function is reviewing an internally developed common gateway interface (CGI) script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern? A. System unavailability B. Exposure to malware C. Unauthorized access D. System integrity

Conduct a paper test. (A best practice would be to conduct a paper test. This tests the plan in a non-hazardous manner by stepping through the plan with key recovery team members. A is wrong because senior management sponsorship should have been obtained before implementing the plan. B is wrong because identifying business needs should have been obtained before implementing the plan. D is wrong because a paper test should be conducted first, followed by system or full testing.)

An organization has implemented a disaster recovery plan (DRP). Which of the following steps should be carried out next? A. Obtain senior management sponsorship. B. Identify business needs. C. Conduct a paper test. D. Perform a system restore test.

the cloud provider's physical data centers are in multiple cities and countries (Having data in multiple countries is the most significant concern because HR applicant data could contain PII. There may be legal compliance issues if the data is stored in a country with different privacy laws. The organization would be bound by the privacy laws of the jurisdiction where it is based, and it may not have legal recourse if a data breach happens in a jurisdiction where the same laws do not apply. A is wrong because this application may have strict requirements for availability, and the SLA would be expected to contain these same elements. B is wrong because a right-to-audit clause is good but limits how a cloud provider may interpret this requirement; reviewing and assessing all the controls would be costly and time-consuming. C is wrong because the SLA specifies uptime requirements, and the means used to achieve those goals are not reviewed in depth.)

An organization is planning to deploy an outsourced cloud-based application that is used to track job applicant data for the human resources department. Which of the following should be the GREATEST concern to an IS auditor? A. The SLA ensures strict limits for uptime and performance. B. The cloud provider will not agree to an unlimited right to audit as part of the SLA. C. The SLA is not explicit regarding the disaster recovery plan capabilities of the cloud provider. D. The cloud provider's physical data centers are in multiple cities and countries.

Critical business processes for ascertaining the priority for recovery

As part of the business continuity planning (BCP) process, which of the following should be identified FIRST in the business impact analysis (BIA)? A. Risk such as single point-of-failure and infrastructure risk B. Threats to critical business processes C. Critical business processes for ascertaining the priority for recovery D. Resources required for resumption of business

each plan is consistent with one another. (Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery, but the plans must be consistent to be effective. B is wrong because the plans do not necessarily have to be integrated into one plan. C is wrong because although each plan may be independent, each must be consistent with other plans to have a viable business continuity planning strategy. D is wrong because it may not be possible to define a sequence in which plans must be implemented because it may depend on the nature of the disaster, criticality, recovery time, etc.)

Depending on the complexity of an organization's business continuity plan (BCP), it may be developed as a set of plans to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that: A. each plan is consistent with one another. B. all plans are integrated into a single plan. C. each plan is dependent on one another. D. the sequence for implementation of all plans is defined.

the minimum acceptable operational capability. (The service delivery objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs. B is wrong because the cost-effectiveness of the restoration process is not the main consideration in determining the SDO. C is wrong because meeting the recovery time objectives (RTO) may be one of the considerations in determining the SDO, but it is a secondary factor. D is wrong because the allowable interruption window (AIW) may be one of the factors secondary to determining the SDO.)

Determining the service delivery objective (SDO) should be based PRIMARILY on: A. the minimum acceptable operational capability. B. the cost-effectiveness of the restoration process. C. meeting the recovery time objectives (RTOs). D. the allowable interruption window (AIW).

technological aspect of business continuity planning (BCP). (Disaster recovery planning (DRP) is the technological aspect of a business continuity plan (BCP) that focuses on IT systems and operations. B is wrong because business resumption planning addresses the operational part of BCP. C is wrong because disaster recovery addresses the technical components of business recovery. D is wrong because the overall coordination of BCP is accomplished through business continuity management and strategic plans. DRP addresses technical aspects of BCP.)

Disaster recovery planning (DRP) addresses the: A. technological aspect of business continuity planning (BCP). B. operational part of business continuity planning. C. functional aspect of business continuity planning. D. overall coordination of business continuity planning.

Performing preventive maintenance on electrical systems (Preventive maintenance activities should be scheduled for non-peak times of the day, preferably during a maintenance window time period. A mishap or incident caused by a maintenance worker could result in unplanned downtime. A is wrong because performing data migration may impact performance but would not cause downtime. C is wrong because promoting applications into a staging environment (not production) should not affect systems operations significantly. D is wrong because reconfiguring a standby router should not cause unexpected downtime because the router is not operational, and any problems should not affect network traffic.)

Doing which of the following during peak production hours could result in unexpected downtime? A. Performing data migration or tape backup B. Performing preventive maintenance on electrical systems C. Promoting applications from development to the staging environment D. Reconfiguring a standby router in the data center

Catastrophic service interruption (If a new disaster recovery plan (DRP) is not tested, the most critical risk is the possibility of a catastrophic service interruption that the organization cannot recover from. B is wrong because a DRP that has not been tested may lead to a higher consumption of resources than expected, but that is not the most critical risk. C is wrong because an untested DRP may be inefficient and lead to extraordinary costs, but the most serious risk is the failure of critical services. D is wrong because testing educates users and recovery teams to execute the DRP effectively, but the most critical risk is the failure of core business services.)

Due to changes in IT, the disaster recovery plan (DRP) of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested? A. Catastrophic service interruption B. High consumption of resources C. Total cost of the recovery may not be minimized D. Users and recovery teams may face severe difficulties when activating the plan

Provide and monitor separate login IDs that the developer will use for programming and for production support. (Providing separate login IDs that would only allow a developer privileged access when required is a good compensating control, but it must also be backed up with monitoring and supervision of the developer's activity.)

Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production? A. Provide and monitor separate login IDs that the developer will use for programming and for production support. B. Capture activities of the developer in the production environment by enabling audit trails. C. Back up all affected records before allowing the developer to make production changes. D. Ensure that all changes are approved by the change manager.

Foreign key structure (Referential integrity in a relational database refers to consistency between coupled (linked) tables. Referential integrity is usually enforced by the combination of a primary key or candidate key (alternate key) and a foreign key. For referential integrity to hold, any field in a table declared a foreign key should contain only values from a parent table's primary key or a candidate key. A is wrong because field definitions describe the table layout but are not directly related to referential integrity. B is wrong because the master table definition describes the database structure but is not directly related to referential integrity. C is wrong because composite keys describe how the keys are created but are not directly related to referential integrity.)

During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed? A. Field definition B. Master table definition C. Composite keys D. Foreign key structure

The organization and client must comply with open source software license terms. (Each open-source software license has different terms and conditions. Some licensing allows using software components freely but requires a complete software product to allow the same rights. If the development organization is careful, its products could uphold licensing terms by selling for profit. The auditor should be concerned with compliance to avoid unintended intellectual property risks or legal consequences. A is wrong because a benefit of open-source software is that it's free. The developing organization and client should be concerned about licensing terms and software component conditions. C is wrong because open-source software should be tested for security flaws and part of the SDLC process. D is wrong because open-source software doesn't lack quality. It should be tested for reliability and part of the SDLC process.)

During an assessment of software development practices, an IS auditor finds that open source software components were used in an application designed for a client. What is the GREATEST concern the auditor would have about the use of open source software? A. The client did not pay for the open source software components. B. The organization and client must comply with open source software license terms. C. Open source software has security vulnerabilities. D. Open source software is unreliable for commercial use.

The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually. (Losing a backup tape is a significant risk when working with confidential patient data. Privacy laws specify severe penalties for these events, and the organization's reputation could be damaged due to reporting requirements. The organization should perform audit tests and evaluate third-party controls to ensure tapes are correctly handled. A is wrong because restoration testing does not increase the risk of unauthorized information leakage, although not performing these tests does pose a risk. B is wrong because the lack of a data backup and retention policy review may be concerning if there have been changes in the past three years, but audit tests should verify the validity of the existing procedures. D is wrong because failed backup alerts that are not followed up on imply that certain data is not backed up, which is less serious than the potential loss of patient data.)

During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor's GREATEST concern? A. Restoration testing for backup media is not performed; however, all data restore requests have been successful. B. The policy for data backup and retention has not been reviewed by the business owner for the past three years. C. The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually. D. Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator.

Implement a properly documented process for application role change requests. (The auditor should recommend implementing processes that could prevent or detect improper changes being made to the major application roles. The application role change request process should be initiated and approved by the business owner; then the IS director can make the changes to the application. B is wrong because while it is preferred that strict SoD be adhered to and that additional staff be recruited, this practice is not always possible in small enterprises. C is wrong because an automated process for managing application roles may not be practical to prevent improper changes from being made by the IS director, who also has the most privileged access to the application. D is wrong because making the existing process available on the enterprise intranet would not provide any value to protect the system.)

During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend? A. Implement a properly documented process for application role change requests. B. Hire additional staff to provide a segregation of duties (SoD) for application role changes. C. Implement an automated process for changing application roles. D. Document the current procedure in detail, and make it available on the enterprise intranet.

The support model was not properly developed and implemented. (The greatest concern for the IS auditor is that the support model was not developed and implemented correctly to prevent or react to potential outages. Incidents could cost the business significant money, and a support model should be implemented with the project. This should be a step within the SDLC and procedures; if missed on one project, it may be a symptom of an overall breakdown in the process. The other options are important, but the more critical issue is whether the support model was not properly developed and implemented.)

During an implementation review of a recent application deployment, it was determined that several incidents were assigned incorrect priorities and, because of this, failed to meet the business service level agreement (SLA). What is the GREATEST concern? A. The support model was not approved by senior management. B. The incident resolution time specified in the SLA is not realistic. C. There are inadequate resources to support the applications. D. The support model was not properly developed and implemented.

performs maintenance during noncritical processing times. (The biggest risk to normal operations in a data center would be if an incident or mishap happened during critical peak processing times; therefore, ensuring that no system maintenance is performed in these critical times would be prudent. A is wrong because while the trustworthiness of the service personnel is essential, it is normal practice for these individuals to be escorted and supervised by the data center personnel. B is wrong because escorting service personnel is common and good practice, but the greater risk, in this case, would be if work were performed during critical processing times. D is wrong because the service provider may be performing inadequate maintenance; therefore, this issue may need to be investigated; however, the bigger risk is maintenance being performed at critical processing times.)

During the review of an enterprise's preventive maintenance process for systems at a data center, the IS auditor has determined that adequate maintenance is being performed on all critical computing, power and cooling systems. Additionally, it is MOST important for the IS auditor to ensure that the organization: A. has performed background checks on all service personnel. B. escorts service personnel at all times when performing their work. C. performs maintenance during noncritical processing times. D. independently verifies that maintenance is being performed.

management reviews and approves the changes after they have occurred. (Because management cannot always be available when a system failure occurs, it is acceptable for changes to be reviewed and approved within a reasonable period after they occur. B is wrong because although peer review provides some accountability, management should review and approve all changes, even if that review and approval must occur after the fact. C is wrong because documenting the event does not replace the need for a review and approval process. D is wrong because it is not a good control practice for management to ignore its responsibility by preapproving all emergency changes in advance without reviewing them. Unauthorized changes could then be made without management's knowledge.)

Emergency changes that bypass the normal change control process are MOST acceptable if: A. management reviews and approves the changes after they have occurred. B. the changes are reviewed by a peer at the time of the change. C. the changes are documented in the change control system by the operations department. D. management has preapproved all emergency changes.

last-mile circuit protection. (Last-mile circuit protection provides telecommunication continuity through many recovery facilities, providing redundant combinations of local carrier T-1s, microwave, and/or coaxial cable to access the local communication loop in the event of a disaster. It protects the link from the organization to the telecommunication provider. B is wrong because long-haul network diversity provides diverse long-distance network availability utilizing T-1 circuits among major long-distance carriers. It ensures long-distance access should any one carrier experience a network failure. C is wrong because diverse routing is a method of routing traffic through split-cable or duplicate-cable facilities. D is wrong because alternative routing is routing information via an alternative medium such as copper cable or fiber optics.)

Facilitating telecommunications continuity by providing redundant combinations of local carrier T-1 lines (E-1 lines in Europe), microwaves and/or coaxial cables to access the local communication loop is: A. last-mile circuit protection. B. long-haul network diversity. C. diverse routing. D. alternative routing.

communicated to appropriate personnel. (The implementation of a BCP will be effective only if appropriate personnel are informed and aware of all the aspects of the BCP. A is wrong because the BCP, if kept in a safe place, will not reach the users; users will never implement the BCP; thus, the BCP will be ineffective. B is wrong because senior management approval is a prerequisite for designing and approving the BCP but is less important than making sure that the plan is available to all key personnel to ensure that the plan will be effective. D is wrong because making a BCP available on an enterprise's intranet does not guarantee that personnel can access, read, or understand it.)

For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be: A. stored in a secure, offsite facility. B. approved by senior management. C. communicated to appropriate personnel. D. made available through the enterprise's intranet.

Real-time replication to a remote site (With real-time replication to a remote site, data are updated simultaneously in two separate locations; therefore, a disaster in one site would not damage the information in the remote site. This assumes that both sites were not affected by the same disaster. A is wrong because daily tape backup recovery could result in losing a day's data work. C is wrong because hard disk mirroring to a local server occurs in the same data center and could be affected by the same disaster. D is wrong because real-time data backup to the local storage area network (SAN) takes place in the same data center and could possibly be affected by the same disaster.)

In the event of a data center disaster, which of the following would be the MOST appropriate strategy to enable a complete recovery of a critical database? A. Daily data backup to tape and storage at a remote site B. Real-time replication to a remote site C. Hard disk mirroring to a local server D. Real-time data backup to the local storage area network (SAN)

recovery time objective (RTO). (RTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; the RTO is the desired recovery timeframe based on MTO and available recovery alternatives. B is wrong because the RPO has the greatest influence on the recovery strategies for given data. It is determined based on the acceptable data loss in case of a disruption of operations. The RPO effectively quantifies the permissible amount of data loss in case of interruption. C is wrong because MTO is the amount of time allowed to recover a business function or resource after a disaster occurs; it represents the time by which the service must be restored before the organization is faced with the threat of collapse. D is wrong because an information security policy does not address recovery procedures.)

Recovery procedures for an information processing facility are BEST based on: A. recovery time objective (RTO). B. recovery point objective (RPO). C. maximum tolerable outage (MTO). D. information security policy.

examine object code to find instances of changes and trace them back to change control records. (The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes. A is wrong because checking the change control system will not detect changes that were not recorded in the control system. B is wrong because reviewing access control permissions will not identify unauthorized changes made previously. D is wrong because reviewing change approved designations will not identify unauthorized changes.)

The BEST audit procedure to determine if unauthorized changes have been made to production code is to: A. examine the change control system records and trace them forward to object code files. B. review access control permissions operating within the production program libraries. C. examine object code to find instances of changes and trace them back to change control records. D. review change approved designations established within the change control system.

results from previous tests. (Previous test results will provide evidence of the effectiveness of the business continuity plan. A is wrong because comparisons to standards will give some assurance that the plan addresses the critical aspects of a business continuity plan but will not reveal anything about its effectiveness. C is wrong because reviewing emergency procedures would provide insight into some aspects of the plan but would fall short of providing assurance of the plan's overall effectiveness. D is wrong because reviewing offsite storage and environmental controls would provide insight into some aspects of the plan but would fall short of providing assurance of the plan's overall effectiveness.)

The BEST method for assessing the effectiveness of a business continuity plan is to review the: A. plans and compare them to appropriate standards. B. results from previous tests. C. emergency procedures and employee training. D. offsite storage and environmental controls.

downtime. (The longer the period of time a client cannot be serviced, the greater the severity (impact) of the incident. A is wrong because the cost of recovery could be minimal, yet the service downtime could have a major impact. B is wrong because negative public opinion is a symptom of an incident; it is a factor in determining impact but not the most important one. C is wrong because geographic location does not determine the severity of the incident.)

The MAIN criterion for determining the severity level of a service disruption incident is: A. cost of recovery. B. negative public opinion. C. geographic location. D. downtime.

define recovery strategies. (One of the primary outcomes of a business impact assessment (BIA) is the recovery time objective (RTO) and the recovery point objective (RPO), which help define recovery strategies. B is wrong because a BIA itself will not help in identifying the alternate site. That is determined during the recovery strategy phase of the project. C is wrong because a BIA itself will not help improve recovery testing. That is done during the implementation and testing phase of the project. D is wrong because the annual loss expectancy (ALE) of critical business assets and processes is determined during risk assessment and will be reviewed in the BIA, but this is not the primary advantage.)

The PRIMARY purpose of a business impact assessment (BIA) is to: A. define recovery strategies. B. identify the alternate site. C. improve recovery testing. D. calculate the annual loss expectancy (ALE).

use this information to launch attacks (An organization's computer security incident response team (CSIRT) should disseminate recent threats, security guidelines, and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigating risks arising from security failures and to prevent additional security incidents resulting from the same threat. B is wrong because forwarding the security alert is not harmful to the organization. C is wrong because implementing individual solutions is unlikely and inefficient, but not a serious risk. D is wrong because users failing to understand the threat would not be a serious concern.)

The computer security incident response team (CSIRT) of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may: A: use this information to launch attacks B: forward the security alert C: implement individual solutions D: fail to understand the threat

increase. (Due to the additional cost of testing, maintaining, and implementing disaster recovery plan (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation, i.e., the cost of normal operations during a nondisaster period will be more than the cost of operations during a nondisaster period when no DRP was in place. B and C are wrong because implementing a DRP will always incur additional costs to the organization. D is wrong because the costs of a DRP are fairly predictable and consistent.)

The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a disaster recovery plan, will MOST likely: A. increase. B. decrease. C. remain the same. D. be unpredictable.

Contact information of key personnel (In the event of a disaster, it is important to have a current, updated list of the personnel who are key to the plan's operation. B is wrong because the asset inventory is important and should be linked to the organization's change management process, but having access to key people may compensate for outdated records. C is wrong because individual roles and responsibilities are important, but many people could fill different roles in a disaster depending on their experience. D is wrong because the procedures for declaring a disaster are important, since they can affect response, customer perception and regulatory issues, but they are not as important as having the right people available when needed.)

The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan (DRP)? A. Contact information of key personnel B. Server inventory documentation C. Individual roles and responsibilities D. Procedures for declaring a disaster

the software has not been subsequently modified. (Code signing ensures that the executable code came from a reputable source and has not been modified after signing. B is wrong because signing code will not ensure that it will integrate with other applications. C is wrong because code signing will provide assurance of the source but will not ensure that the source is trusted. The code signing will, however, ensure that the code has not been modified. D is wrong because compromising the sender's private key would result in a loss of trust and is not the purpose of code signing.)

The purpose of code signing is to provide assurance that: A. the software has not been subsequently modified. B. the application can safely interface with another signed application. C. the signer of the application is trusted. D. the private key of the signer has not been compromised.

Date-and-time stamping source code and object code (Date-and-time stamping for both the source and object code will help ensure the code is in sync. The other options are good practice, but they will not ensure that the source and object codes are the same version.)

The synchronization of production source code and object code is best controlled by which of the following? A. Comparing version releases of source code and object code B. Restricting any changes to source code C. Restricting any access to source code and object code D. Date-and-time stamping source code and object code

End users are able to develop their own applications without the help of programmers

What is End-User Computing? A. End users' access to computing resources B. End users are able to develop their own applications without the help of programmers C. When programmers and end users collaborate on application development D. Policies regarding appropriate end user computing use

Update the IT asset inventory (Updating the IT assets should be the first step. Once the inventory is updated, the other options can be followed.)

What is the first step after the replacement of hardware? A. Sync the hardware with the hot site B. Update the IT asset inventory C. Identify and assess the vulnerability D. Conduct risk assessment

Identify assets (CISA aspirants should understand the following sequential activities for the development of a risk management program: the identification of assets, the identification of vulnerabilities and threats, impact analysis, risk prioritization, control evaluation, and the implementation of appropriate controls.)

What is the first step in developing a risk management program? A. Assess vulnerability B. Assess control C. Identify assets D. Map risk owners

Create an inventory of IT assets (The first step for implementing an access control rule is to create a list of IT assets as an inventory. This will be followed by categorization and grouping.)

What is the first step in the implementation of access control? A. Group IT assets B. Categorize IT assets C. Implement an access control list D. Create an inventory of IT assets

Avoidance (Risk assessment and business impact assessment are tools for understanding the business as a part of BCP. A is wrong because the business continuity self-audit is a tool for evaluating the adequacy of the business continuity plan (BCP) but not for understanding the business. B is wrong because resource recovery analysis is a tool for identifying the components necessary for a business resumption strategy but not for understanding the business. D is wrong because the role gap analysis plays in BCP is identifying deficiencies in a plan, not understanding the business.)

When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied? A. Transfer B. Mitigation C. Avoidance D. Acceptance

past incidents were handled appropriately. (Compliance reviews focus on the performance of a process measured against a set policy or standard. This can be achieved when the auditor determines that past incidents were handled appropriately and in alignment with established policies and procedures. A is wrong because roles and responsibilities may be established in the policy or documented separately and are important for the auditor to understand, but the policy should be reviewed first. B is wrong because the importance of protecting incident response data is not the main focus of the incident response compliance review; a compliance audit focuses on the performance of a process measured against the set policy or standard. C is wrong because ensuring incident response staff members are qualified is part of a compliance assessment, but it is performed after the auditor reviews the policies and procedures that establish what the process is measured against.)

When conducting a compliance review of an organization's incident response process, the BEST approach for the IS auditor is to determine whether: A. roles and responsibilities are clearly defined. B. incident response data are secure. C. incident response staff members are qualified. D. past incidents were handled appropriately.

Risk assessment (Risk assessment and business impact assessment are tools for understanding the business as a part of BCP. A is wrong because the business continuity self-audit is a tool for evaluating the adequacy of the business continuity plan (BCP) but not for understanding the business. B is wrong because resource recovery analysis is a tool for identifying the components necessary for a business resumption strategy but not for gaining an understanding of the business. D is wrong because the role gap analysis plays in BCP is identifying deficiencies in a plan, not understanding the business.)

When developing a business continuity plan (BCP), which of the following tools should be used to gain an understanding of the organization's business processes? A. Business continuity self-audit B. Resource recovery analysis C. Risk assessment D. Gap analysis

Use an automated tool to verify the availability of updated patches (An automated tool can be used to generate reports for the availability of security update patches in each critical server. The other options may not be as efficient and effective as automated tools.)

Which of these is the best method of determining the availability of updated security patches for critical servers? A. Verify the patch update process B. Manually verify each critical server C. Review the change management log D. Use an automated tool to verify the availability of updated patches

Employee training on the business continuity plan (BCP) (The chain of command might be interrupted during a disaster. Therefore, employees must know their roles in the BCP, including where to report and how to perform their job functions. Employee training on the plan is essential for businesses with geographically separated offices because there is a greater chance of communication disruption. A is wrong because procedural documentation should continually be updated and distributed to major locations, but distribution alone does not ensure staff know how to act. B is wrong because a reciprocal agreement is an emergency processing agreement between two or more enterprises with similar equipment or applications. Typically, participants of a reciprocal agreement promise to provide processing time to each other when an emergency arises. C is wrong because senior management may not be available day to day to provide leadership during a disaster.)

Which of the following BEST ensures uninterrupted operations in an organization with IT operation centers in several countries? A. Distribution of key procedural documentation B. Reciprocal agreement between business partners C. Strong senior management leadership D. Employee training on the business continuity plan (BCP)

Ensure that partnering organizations are separated geographically. (If the two partnering organizations are in close geographic proximity, both organizations could be subjected to the same environmental disaster, such as an earthquake. A is wrong because while disaster recovery exercises are important, they are difficult to perform under a reciprocal agreement, and geographic proximity is a greater risk. C is wrong because a business impact analysis (BIA) will help both organizations identify critical applications, but separation is a more important consideration when entering reciprocal agreements. D is wrong because selecting a partnering organization with similar systems is a good idea, but separation is a more important consideration when entering reciprocal agreements.)

Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative? A. Perform disaster recovery exercises annually. B. Ensure that partnering organizations are separated geographically. C. Regularly perform a business impact analysis (BIA). D. Select a partnering organization with similar systems.

Switches

Which of the following BEST reduces the ability of one device to capture the packets that are meant for another device? A. Hubs B. Switches C. Routers D. Firewalls

Preventive maintenance (Preventive maintenance should be conducted during non-peak times to avoid any downtime. Other activities may not directly impact system availability.)

Which of the following activities should not be conducted during peak production hours to avoid unexpected downtime? A. Data migration B. Tape back-up C. Preventive maintenance D. Configuration of the standby router

Date and time-stamp reviews of source and object code (Date and time-stamp reviews of source and object code would ensure that source code, which has been compiled, matches the production object code. This is the most effective way to ensure that the approved production source code is compiled and is the one being used. A is wrong because using version control software and comparing source and object code is good practice, but may not detect a problem where the source code is a different version than the object code. B is wrong because all production libraries should be protected with access controls, which may protect source code from tampering. However, this will not ensure that source and object codes are based on the same version. C is wrong because it is a good practice to protect all source and object code—even in development. However, this will not ensure source and object code synchronization.)

Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized? A. Release-to-release source and object comparison reports B. Library control software restricting changes to source code C. Restricted access to source code and object code D. Date and time-stamp reviews of source and object code

Table link/reference checks (Performing table link/reference checks serves to detect table linking errors, such as problems with the completeness and accuracy of the contents of the database. It thus provides the greatest assurance of database integrity. A is wrong because audit log procedures enable the recording of all events that have been identified and help in tracing the events. However, they only point to the event and do not ensure the completeness or accuracy of the database contents. C is wrong because querying/monitoring table access time checks helps designers improve database performance but not integrity. D is wrong because the rollback and rollforward database features ensure recovery from an abnormal disruption. They assure the integrity of the transaction being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database.)

Which of the following controls would provide the GREATEST assurance of database integrity? A. Audit log procedures B. Table link/reference checks C. Query/table access time checks D. Rollback and rollforward database features

Extent of data loss that is acceptable (The RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. A is wrong because the recovery time objective (RTO) is the time allowed to recover a business function or resource after a disaster. B is wrong because the determination of the recovery point objective (RPO) already takes cost into consideration. D is wrong because the service delivery objective (SDO) is directly related to the business needs. The SDO is the level of services reached during the alternate process mode until the normal situation is restored.)

Which of the following is MOST important to determine the recovery point objective (RPO) for a critical process in an enterprise? A. Number of hours of acceptable downtime B. Total cost of recovering critical systems C. Extent of data loss that is acceptable D. Acceptable reduction in the level of service

Approval from the information asset owner (It is most important that information owners approve any changes to production systems to ensure that no serious business disruption occurs due to the patch release. A is wrong because while testing is important for any patch, in this case it should be assumed that the operating system (OS) vendor tested the patch before releasing it. Before this OS patch is put into production, the organization should do its own system testing to ensure that no issues will occur. C is wrong because the security officer does not normally need to approve every OS patch. D is wrong because security patches must be deployed consistently across the organization, including at alternate sites. However, approval from the information asset owner is still the most important consideration.)

Which of the following is MOST important when an operating system (OS) patch is to be applied to a production environment? A. Successful regression testing by the developer B. Approval from the information asset owner C. Approval from the security officer D. Patch installation at alternate sites

Resolved incidents are closed without reference to end users. (The help desk function is a service-oriented unit. The end users must sign off before an incident is considered closed. A is wrong because although this is of concern, it should be expected. A problem escalation procedure should be developed to handle such scenarios. B is wrong because a help desk team should ideally have dedicated lines, but this exception is not as serious as the technical team unilaterally closing an incident. D is wrong because instant messaging is an add-on to improve the effectiveness of the help desk team. Its absence cannot be seen as a major concern as long as calls can still be made.)

Which of the following is a MAJOR concern during a review of help desk activities? A. Certain calls could not be resolved by the help desk team. B. A dedicated line is not assigned to the help desk team. C. Resolved incidents are closed without reference to end users. D. The help desk instant messaging has been down for over six months.

Preparedness test (A preparedness test is a localized version of a full test, in which resources are expended in the simulation of a system crash. It is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan's effectiveness; it also provides a means to improve the plan in increments. A is wrong because a paper test is a walk-through of the plan involving the major players, who attempt to determine what might happen in a particular type of service disruption; a paper test usually precedes a preparedness test. B is wrong because a posttest is the phase comprising a group of activities such as returning all resources to their proper place, disconnecting equipment, returning personnel, and deleting all company data from third-party systems. D is wrong because a walk-through is a test involving a simulated disaster situation that tests the preparedness and understanding of management and staff rather than the actual resources.)

Which of the following is a continuity plan test that simulates a system crash and uses actual resources to cost-effectively obtain evidence about the plan's effectiveness? A. Paper test B. Posttest C. Preparedness test D. Walk-through

A few jobs having been overridden by the operator (Overriding scheduled jobs should be restricted, because it can lead to unauthorized changes to programs or data. A scheduled job should be overridden only after the appropriate approval process has been followed, so instances of operator override are a major concern. The other options are less significant than overriding the schedule.)

Which of the following is a major concern for an auditor reviewing the job scheduling process? A. High instances of emergency changes B. A few jobs not having completed on time C. A few jobs having been overridden by the operator D. A job failure analysis being done by the IT manager

Protocol analyzer (Protocol analyzers are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached. A is wrong because online monitors measure telecommunication transmissions and determine whether transmissions are accurate and complete. B is wrong because downtime reports track the availability of telecommunication lines and circuits. C is wrong because help desk reports are prepared by the help desk, which is staffed or supported by IS technical support personnel trained to handle problems occurring during IS operations.)

Which of the following is a network diagnostic tool that monitors and records network information? A. Online monitor B. Downtime report C. Help desk report D. Protocol analyzer

Maintenance activities being conducted during non-peak hours (As far as possible, maintenance functions should be performed during non-peak times. Mishaps or incidents during maintenance activities can interrupt business processes if maintenance is carried out during peak hours. It is prudent to conduct any maintenance activity during non-peak hours only.)

Which of the following is most important for an IS auditor reviewing the preventive maintenance processes performed in a data center by a third-party service provider? A. Background verification of service personnel B. Escorting service personnel during maintenance activities C. Maintenance activities being conducted during non-peak hours D. A review of maintenance activities by the IT manager

The system downtime report (The system downtime log indicates the effectiveness of preventive maintenance programs. High downtime indicates that preventive maintenance is not effective. Effective preventive maintenance should result in zero or very minimal downtime. Other options will not directly indicate the efficiency of preventive maintenance programs.)

Which of the following is of great help when determining the efficiency of preventive maintenance programs? A. The system downtime report B. The service provider's report C. The maintenance log D. The preventive maintenance schedule

Perform a business impact analysis (BIA). (A business impact analysis (BIA) will give the impact of the loss of each application. A BIA is conducted with business representatives who can accurately describe the criticality of a system and its importance to the business. A is wrong because interviews with the application programmers will provide limited information related to the criticality of the systems. B is wrong because a gap analysis is relevant to system development and project management but does not determine application criticality. C is wrong because the audits may not contain the required information about application criticality or may not have been done recently.)

Which of the following is the BEST method for determining the criticality of each application system in the production environment? A. Interview the application programmers. B. Perform a gap analysis. C. Review the most recent application audits. D. Perform a business impact analysis (BIA).

The group walks through the different scenarios of the plan from beginning to end. (A structured walk-through test gathers representatives from each department, who review the plan and identify weaknesses. B is wrong because ensuring that specific systems can perform adequately at the alternate offsite facility is a parallel test; it does not involve group review of the plan. C is wrong because a full-interruption test is the most intrusive test to regular operations and the business, and mere awareness of its procedures does nothing to keep the plan current. D is wrong because while improving communication is important, there are more valuable methods to ensure the plan is current.)

Which of the following is the BEST method to ensure that the business continuity plan (BCP) remains up to date? A. The group walks through the different scenarios of the plan from beginning to end. B. The group ensures that specific systems can actually perform adequately at the alternate offsite facility. C. The group is aware of full-interruption test procedures. D. Interdepartmental communication is promoted to better respond in the case of a disaster.

Develop a scenario and perform a structured walk-through. (A structured walk-through that includes incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans. A is wrong because publishing an enterprise-level incident response practice would be effective only if business continuity were already aligned with incident response; incident response supports business continuity, not the other way around. B is wrong because sharing perspectives is valuable, but a working group does not necessarily lead to action that ensures the interface between the plans is workable. D is wrong because a project plan developed for disaster recovery testing will not necessarily address deficiencies in business continuity or incident response.)

Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity? A. Draft and publish a clear practice for enterprise-level incident response. B. Establish a cross-departmental working group to share perspectives. C. Develop a scenario and perform a structured walk-through. D. Develop a project plan for end-to-end testing of disaster recovery.

Segregation of client data (Several clients access the same set of services in a shared services infrastructure. Therefore, the primary concern is maintaining the segregation of client data. A is wrong because although disparate backup requirements may present a challenge, the primary concern is maintaining the segregation of client data. B is wrong because the availability of infrastructure is an inherent benefit of cloud services and, as such, is not a primary concern. D is wrong because although data integrity is important, maintaining confidentiality of the data through segregation is a greater concern.)

Which of the following is the GREATEST concern to an IS auditor reviewing an organization's use of third-party-provided cloud services to store health care billing information? A. Disparate backup requirements B. Availability of infrastructure C. Segregation of client data D. Integrity of data

Offsite storage of backup data (Remote storage of backups is the most critical disaster recovery plan (DRP) element of the items listed because access to backup data is required to restore systems. B is wrong because having a list of key contacts is important but not as important as having adequate data backup. C is wrong because a DRP may use a replacement data center or another solution, such as a mobile site, reciprocal agreement, or outsourcing agreement. D is wrong because having a clearly defined recovery time objective (RTO) is especially important for business continuity planning (BCP). However, the core element of disaster recovery (the recovery of IT infrastructure and capability) is data backup.)

Which of the following is the MOST critical element of an effective disaster recovery plan (DRP)? A. Offsite storage of backup data B. Up-to-date list of key disaster recovery contacts C. Availability of a replacement data center D. Clearly defined recovery time objective (RTO)

Perform an end-to-end walk-through of the process (Observation is the best and most effective method of testing whether a change control process is effectively designed. A is wrong because testing a sample population of change requests tests operating effectiveness (that users submit the proper documentation and requests); it does not test the effectiveness of the design. B is wrong because testing only changes that have been authorized does not provide sufficient assurance over the entire process: it does not exercise the authorization elements of the process, and it cannot detect changes that bypassed the controls. C is wrong because interviewing the personnel in charge of the change control process is not as effective as a walk-through, because people may know the process but not follow it.)

Which of the following is the MOST efficient way to test the design effectiveness of a change control process? A. Test a sample population of change requests B. Test a sample of authorized changes C. Interview personnel in charge of the change control process D. Perform an end-to-end walk-through of the process

the recovery plans are periodically tested (Periodic testing of the recovery plan is critical to ensure that whatever has been planned and documented is feasible. The other options are more tactical considerations that are secondary to the need for testing. A is wrong because the recovery site should be far enough away to avoid being affected by the same disaster that strikes the primary site. However, that is not the most important part of the business continuity plan (BCP). It is more important that the plan is tested. C is wrong because testing backups is important, but only addresses a part of the BCP. It is more important that the entire plan is tested. D is wrong because network redundancy is important for many organizations, but not as important as the need to test the plan.)

Which of the following is the MOST important aspect of effective business continuity management? A. The recovery site is secure and located an appropriate distance from the primary site B. The recovery plans are periodically tested C. Fully tested backup hardware is available at the recovery site D. Network links are available from multiple service providers

Likelihood of the same natural event occurring at both sites (Business continuity planning considers which natural disasters are likely and whether a business case exists for an alternate site. The alternate site should be at a location that does not expose it to the same threats as the main site. A is wrong because although the alternate site should be sufficiently far from the main site, geographic distance alone is not the criterion: the same event, such as an earthquake or hurricane, could affect two geographically distant sites. C is wrong because the alternate site must be able to sustain critical operations until normal business activities are restored, so its capacity can differ from that of the main site; the focus is on critical business services receiving adequate support and resources to prevent disruption. D is wrong because proximity to local fire and other emergency response facilities is an advantage but not the selection criterion.)

Which of the following is the MOST important criterion for selecting an alternate processing site? A. Total geographic distance between the two sites B. Likelihood of the same natural event occurring at both sites C. Matching processing capacity at both sites D. Proximity of the alternate site to local fire, emergency response and hospital facilities

physically separated from the data center and not subject to the same risk. (It is important that there is an offsite storage location for IS files and that it is in a location not subject to the same risk as the primary data center. B is wrong because the offsite location may be shared with other organizations and may therefore need a different, possibly higher, level of protection than the primary data center; matching the data center's protection is not the criterion. C is wrong because an offsite location may be owned by a third party or by the organization itself. D is wrong because physical protection is important but not as important as not being affected by the same crisis.)

Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be: A. physically separated from the data center and not subject to the same risk. B. given the same level of protection as that of the computer data center. C. outsourced to a reliable third party. D. equipped with surveillance capabilities.

Improved cost-effectiveness of IT service delivery and operational support (A standardized IT infrastructure provides a consistent set of platforms and operating systems across the organization. This standardization reduces the time and effort required to manage disparate platforms and operating systems. In addition, implementing enhanced operational support tools is simplified and can help the organization reduce IT service delivery costs and operational support. B is wrong because a standardized infrastructure results in a more homogeneous environment, which is more prone to attacks. C is wrong because while standardization can reduce support costs, transitioning to a standardized kit can be expensive; therefore, the overall IT infrastructure investment will not likely be reduced. D is wrong because a standardized infrastructure may simplify the testing of changes but does not reduce the need for such testing.)

Which of the following is the MOST likely benefit of implementing a standardized infrastructure? A. Improved cost-effectiveness of IT service delivery and operational support B. Increased security of the IT service delivery center C. Reduced level of investment in the IT infrastructure D. Reduced need for testing future application changes

Cold site (Generally, a cold site is contracted for a longer period at a lower cost. It is generally used for noncritical applications because it requires more time to make a cold site operational. A is wrong because a warm site is generally available at a medium cost, requires less time to become operational, and is suitable for sensitive operations that should be recovered in a moderate amount of time. B is wrong because a mobile site is a vehicle equipped with all necessary computer equipment that can be moved to any location, depending upon the need; the need for a mobile site depends upon the scale of operations. C is wrong because a hot site is contracted for a shorter period at a higher cost and is better suited for recovering vital and critical applications.)

Which of the following is the MOST reasonable option for recovering a noncritical system? A. Warm site B. Mobile site C. Hot site D. Cold site

Staging and job setup (Bypassing or ignoring tape header records may result in loading the wrong tape or overwriting a loaded tape. Staging and job setup compensate for weaknesses in tape label control: through staging, data is stored in an intermediate place (between the data source and the data target) while processing is done, and the job setup specifies which tape and data set each job is expected to use. This ensures data integrity and effective operations.)

Which of the following is the best compensating control for a tape management system where some parameters are set to bypass or ignore tape header records? A. A review of logs B. Staging and job setup C. A full back-up of tapes D. Storage of tapes at an offsite location
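The control that the bypass parameters disable is the check of the tape's own labels against what the job setup says should be mounted. The following added example (not code from this study set or from ISACA) shows that check: it parses the standard VOL1 and HDR1 labels, whose 80-byte field positions follow ANSI X3.27 / ECMA-13, and refuses a mount when the volume serial or data set name does not match the job setup or when a write would overwrite data whose retention has not expired. The century flag in the date field (' ' for 19xx, '0' for 20xx) follows the IBM convention, the job-setup fields are an assumption, and the sample tape is constructed.

```python
"""Verify standard tape labels (VOL1/HDR1, ANSI X3.27 / ECMA-13 layout) against the job
setup before a job reads or overwrites a tape. Added example, not code from the page.
Field positions follow the standard; the 'cyyddd' century flag (' ' = 19xx, '0' = 20xx)
is the IBM convention; the expected-volser/file-id job-setup inputs are assumed."""
from datetime import date, timedelta


def _field(label: bytes, start: int, end: int) -> str:
    """Extract a field by the 1-based, inclusive character positions the standard uses."""
    return label[start - 1:end].decode("ascii").strip()


def _parse_date(raw: str):
    """'cyyddd': century flag, two-digit year, day of year. All blanks means no date."""
    if raw.strip() == "":
        return None
    century = 1900 if raw[0] == " " else 2000
    return date(century + int(raw[1:3]), 1, 1) + timedelta(days=int(raw[3:6]) - 1)


def parse_vol1(label: bytes) -> dict:
    if len(label) != 80 or label[:4] != b"VOL1":
        raise ValueError("not an 80-byte VOL1 label")
    return {"volser": _field(label, 5, 10), "owner": _field(label, 38, 51)}


def parse_hdr1(label: bytes) -> dict:
    if len(label) != 80 or label[:4] != b"HDR1":
        raise ValueError("not an 80-byte HDR1 label")
    return {
        "file_id": _field(label, 5, 21),        # data set identifier
        "file_set_id": _field(label, 22, 27),   # usually the first volser of the set
        "file_seq": int(_field(label, 32, 35)),
        "created": _parse_date(label[41:47].decode("ascii")),   # positions 42-47
        "expires": _parse_date(label[47:53].decode("ascii")),   # positions 48-53
    }


def check_mount(vol1: bytes, hdr1: bytes, expected_volser: str, expected_file_id: str,
                intent: str, today_iso: str) -> tuple:
    """Decide whether the mounted tape may be used. intent is 'read' or 'write'."""
    today = date.fromisoformat(today_iso)
    vol, hdr = parse_vol1(vol1), parse_hdr1(hdr1)
    if vol["volser"] != expected_volser:
        return False, f"wrong tape mounted: {vol['volser']} instead of {expected_volser}"
    if hdr["file_id"] != expected_file_id:
        return False, f"tape holds {hdr['file_id']}, job setup expects {expected_file_id}"
    if intent == "write" and hdr["expires"] is not None and hdr["expires"] > today:
        return False, f"refusing to overwrite data retained until {hdr['expires'].isoformat()}"
    return True, "labels match job setup"


def build_label(prefix: bytes, fields: dict) -> bytes:
    """Assemble an 80-byte label from {(start, end): value}; used to construct the sample."""
    buf = bytearray(b" " * 80)
    buf[0:4] = prefix
    for (start, end), value in fields.items():
        width = end - start + 1
        buf[start - 1:end] = value.ljust(width)[:width].encode("ascii")
    return bytes(buf)


# Constructed sample: payroll master written on 2024 day 060, retained until 2025 day 060.
PAYROLL_VOL1 = build_label(b"VOL1", {(5, 10): "PAY001", (38, 51): "PAYROLLDEPT"})
PAYROLL_HDR1 = build_label(b"HDR1", {(5, 21): "PAYROLL.MASTER", (22, 27): "PAY001",
                                     (28, 31): "0001", (32, 35): "0001",
                                     (42, 47): "024060", (48, 53): "025060"})

if __name__ == "__main__":
    for intent, day in (("read", "2024-06-01"), ("write", "2024-06-01"), ("write", "2025-06-01")):
        print(intent, day, check_mount(PAYROLL_VOL1, PAYROLL_HDR1, "PAY001",
                                       "PAYROLL.MASTER", intent, day))
    print(check_mount(PAYROLL_VOL1, PAYROLL_HDR1, "SCR042", "PAYROLL.MASTER", "read", "2024-06-01"))
```

The staging step in the answer is what makes such a check possible: the job does not write straight to the mounted tape, so a mismatch is caught before anything is destroyed.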

The lack of a documented end-user computing policy (End-user computing refers to an arrangement in which non-programmers create their own applications. This also reduces pressure on the IT department, which can concentrate on more critical and complex applications. End-user computing is subject to some inherent risks, and a documented end-user computing policy must be in place to address those risks. The other options are less significant than the lack of a documented policy.)

Which of the following is the greatest concern for an IS auditor reviewing the end-user computing process? A. The lack of a documented end-user computing policy B. The lack of training for the end-user C. No involvement of the IT department in the development of applications D. Applications not being subject to audit

Installed software not being approved (The installation of unapproved software is a serious violation that carries major legal, financial, and security risks. Processes should be in place to install only standard-approved software. The other options are not as significant as option C.)

Which of the following is the major concern for an IS auditor reviewing desktop software compliance? A. Installed software not being updated in IT department records B. Users not being trained in the usage of software C. Installed software not being approved D. The license renewal process not being centralized

Review changes in the software version control system. (It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software promoted to production. Promoting only versions tracked in the version control system prevents the transfer of development or earlier versions. A is wrong because even if replication is conducted manually with due care, there remains a risk of copying unauthorized software from one server to another. C is wrong because if developers introduce unauthorized code onto the backup server, controls on the production server and the software version control system should mitigate this risk. D is wrong because a review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.)

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server? A. Manually copy files to accomplish replication. B. Review changes in the software version control system. C. Ensure that developers do not have access to the backup server. D. Review the access control log of the backup server.

Availability reports (IS inactivity, such as downtime, is addressed by availability reports. These reports provide the periods during which the computer was available for utilization by users or other processes. A is wrong because utilization reports document the use of computer equipment and can be used by management to predict how, where, and/or when resources are required. B is wrong because hardware error reports provide information to aid in detecting hardware failures and initiating corrective action; these error reports may not indicate actual system uptime. C is wrong because system logs record the system's activities; they may not indicate availability.)

Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime? A. Utilization reports B. Hardware error reports C. System logs D. Availability reports

The availability report (An availability report indicates the time period during which the system is up and available for use. An IS auditor can determine downtime with the help of availability reports. Utilization reports determine the level of use of systems. A utilization report is used to predict resource requirements. Asset management reports include an inventory of assets. Hardware error reports identify system failures and other issues.)

Which of the following reports should an IS auditor verify to determine compliance with the uptime requirement defined in the SLA? A. The availability report B. The utilization report C. The hardware error report D. The asset management report
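The two uptime questions above (and the earlier one on using the system downtime report to judge preventive maintenance) come down to the same audit step: take the availability or downtime report and recompute the uptime percentage over the SLA period. The following added example (not code from this study set or from ISACA) does that over a constructed downtime report. The CSV layout is an assumption about the report format. It deliberately reports the result both with and without planned maintenance windows, because whether an SLA excludes agreed maintenance is exactly the clause an auditor has to read before declaring compliance.

```python
"""Recompute uptime from a system downtime report and test it against an SLA target.
Added example for this study set, not code from the page or from ISACA."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample downtime report, one outage window per line. The column layout
# (system, start, end, planned|unplanned, cause) is an assumption about the report.
DOWNTIME_REPORT = """\
erp-db,2024-03-02T01:00:00,2024-03-02T02:30:00,planned,monthly OS patching window
erp-db,2024-03-11T09:12:00,2024-03-11T11:40:00,unplanned,storage controller failure
erp-db,2024-03-25T14:05:00,2024-03-25T14:20:00,unplanned,cluster failover did not complete
crm-web,2024-03-18T03:00:00,2024-03-18T03:10:00,unplanned,TLS certificate expired
"""


@dataclass(frozen=True)
class Outage:
    system: str
    start: datetime
    end: datetime
    planned: bool
    cause: str


def parse_report(text: str) -> list:
    """Parse the report; reject malformed windows rather than silently under-count downtime."""
    outages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        system, start, end, kind, cause = line.split(",", 4)
        start_dt, end_dt = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if end_dt < start_dt:
            raise ValueError(f"outage ends before it starts: {line!r}")
        outages.append(Outage(system, start_dt, end_dt, kind == "planned", cause))
    return outages


def _overlap(outage: Outage, period_start: datetime, period_end: datetime) -> timedelta:
    """Only the part of an outage that falls inside the reporting period counts."""
    start, end = max(outage.start, period_start), min(outage.end, period_end)
    return max(end - start, timedelta(0))


def availability_pct(outages, period_start, period_end, exclude_planned) -> float:
    period = period_end - period_start
    counted = [o for o in outages if not (exclude_planned and o.planned)]
    down = sum((_overlap(o, period_start, period_end) for o in counted), timedelta(0))
    return 100.0 * (period - down) / period


def sla_check(report: str, system: str, period_start: str, period_end: str,
              target_pct: float, exclude_planned: bool = True) -> dict:
    """Measured uptime for one system over the period and whether it meets the SLA target.
    exclude_planned mirrors the SLA wording: many SLAs exclude agreed maintenance windows,
    so the same report can pass or fail depending on that clause."""
    start, end = datetime.fromisoformat(period_start), datetime.fromisoformat(period_end)
    outages = [o for o in parse_report(report) if o.system == system]
    measured = availability_pct(outages, start, end, exclude_planned)
    return {
        "system": system,
        "measured_pct": round(measured, 3),
        "target_pct": target_pct,
        "compliant": measured >= target_pct,
        "outages_counted": sum(1 for o in outages if not (exclude_planned and o.planned)),
    }


if __name__ == "__main__":
    for exclude in (True, False):
        print(sla_check(DOWNTIME_REPORT, "erp-db", "2024-03-01T00:00:00",
                        "2024-04-01T00:00:00", 99.5, exclude))
```

With a 99.5% target, erp-db passes (99.635%) when the planned patching window is excluded and fails (99.433%) when it is not; the availability report is the evidence, but the SLA text decides which figure is the right one to compare.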

The risk of eavesdropping (Like any wireless device, an RFID tag communicates over the air and is therefore exposed to eavesdropping. RFID, by its nature, is not subject to the other exposures listed, such as social engineering, phishing, or malicious code.)

Which of the following risks is applicable to active RFID? A. The risk of social engineering B. The risk of phishing C. The risk of eavesdropping D. The risk of malicious code

Daily data backups that are stored offsite and a hot site located 140 kilometers from the main data center (Of the given choices, this is the most suitable answer. The disaster recovery plan (DRP) includes a hot site located sufficiently away from the main data center and will allow recovery during a major disaster. Not having real-time backups may be a problem depending on the recovery point objective (RPO). B is wrong because data backups are necessary, but not having a replication site would be insufficient for the critical application. C is wrong because, depending on the type of disaster, a hot site should normally be located more than 500 meters from the main facility. However, real-time backups may be the best option, depending on the data RPO. D is wrong because a warm site may take days to recover, so it may not be a suitable solution.)

Which of the following scenarios provides the BEST disaster recovery plan (DRP) to implement for critical applications? A. Daily data backups that are stored offsite and a hot site located 140 kilometers from the main data center B. Daily data backups that are stored onsite in a fireproof safe C. Real-time data replication between the main data center and the hot site located 500 meters from the main site D. Daily data backups that are stored offsite with a warm site located 70 kilometers from the main data center

A read-only restriction (Because most data in a data warehouse are historical and do not need to be changed, applying read-only restrictions prevents data manipulation. A is wrong because backups address availability, not integrity; validated backups ensure that the backup will work when needed. B is wrong because adequate change management procedures protect the data warehouse and the systems with which the data warehouse interfaces from unauthorized changes but are not usually concerned with the data itself. C is wrong because data dictionary maintenance procedures provide for the definition and structure of data input to the data warehouse; this will not affect the integrity of data already stored.)

Which of the following security measures BEST ensures the integrity of information stored in a data warehouse? A. Validated daily backups B. Change management procedures C. Data dictionary maintenance D. A read-only restriction

Implement column- and row-level permissions

Which of the following should an IS auditor recommend for the protection of specific sensitive information stored in the data warehouse? A. Implement column- and row-level permissions B. Enhance user authentication via strong passwords C. Organize the data warehouse into subject matter-specific databases D. Log user access to the data warehouse

Containment at the facility (The first priority, after addressing life safety, is to contain the incident at the facility so that the spread of the damage is minimized. The incident team must gain control of the situation. A is wrong because restoration ensures that the affected systems or services are restored to the condition specified by the recovery point objective (RPO); this is possible only after the damage has been contained. B is wrong because facility documentation should be prepared to inform management of the incident; however, damage must be contained first. D is wrong because monitoring the facility is important, although containment must take priority to avoid spreading the damage.)

Which of the following should an incident response team address FIRST after a major incident in an information processing facility? A. Restoration at the facility B. Documentation of the facility C. Containment at the facility D. Monitoring of the facility

Test results are not adequately documented. (The effectiveness of a BCP can best be determined through tests. If the results of tests are not documented, then there is no basis for feedback, updates, etc. A is wrong because ideally, the board of directors should approve the plan to ensure acceptability, but it is possible to delegate approval authority to the chief information officer (CIO). Pragmatically, a lack of documentation of test results could have more significant consequences. B is wrong because the contact lists are an important part of the BCP; however, they are not as important as documenting the test results. D is wrong because if test results are documented, a need for training will be identified, and the BCP will be updated.)

Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan (BCP)? A. The plan is approved by the chief information officer (CIO). B. The plan contact lists have not been updated. C. Test results are not adequately documented. D. The training schedule for recovery personnel is not included.

Media reliability (To comply with regulatory requirements, the media should be reliable enough to ensure an organization's ability to recover the data should it be required for any reason. A is wrong because a full backup window is less critical than reliability. B is wrong because media price is a consideration but should not be more important than the ability to provide the required reliability. Using low-cost but inadequate media may lead to penalties if data cannot be accessed when required. C is wrong because the restore window is the data recovery time. Because these are compliance-related backup data and are not being used for production, this is less critical than reliability.)

Which of the following should be the MOST important criterion in evaluating a backup solution for sensitive data that must be retained for a long period of time due to regulatory requirements? A. Full backup window B. Media costs C. Restore window D. Media reliability

Application programmers are implementing changes to production programs.

Which of the following situations would increase the likelihood of fraud? A. Application programmers are implementing changes to production programs. B. Administrators are implementing vendor patches to vendor-supplied software without following change control procedures. C. Operations support staff members are implementing changes to batch schedules. D. Database administrators are implementing changes to data structures.

Perform a business impact analysis (BIA). (The first step in any disaster recovery plan (DRP) is to perform a BIA. A is wrong because developing a recovery strategy will come after performing a business impact analysis (BIA). C is wrong because the BIA will identify critical business processes and the systems that support those processes. Mapping software systems, hardware, and network components will come after performing a BIA. D is wrong because appointing recovery teams with defined personnel, roles, and hierarchy will come after performing a BIA.)

Which of the following tasks should be performed FIRST when preparing a disaster recovery plan (DRP)? A. Develop a recovery strategy. B. Perform a business impact analysis (BIA). C. Map software systems, hardware and network components. D. Appoint recovery teams with defined personnel, roles and hierarchy.

Identify changes that have occurred and verify approvals. (The most effective method is to determine what changes have been made (check logs and modified dates) and verify that they have been approved. A is wrong because software migration records may not have all changes listed—changes that were not included in the migration records could have been made. C is wrong because change control records may not list all the changes. D is wrong because ensuring that only appropriate staff can migrate changes into production is a key control process but does not verify compliance.)

Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization's change control procedures? A. Review software migration records and verify approvals. B. Identify changes that have occurred and verify approvals. C. Review change control documentation and verify approvals. D. Ensure that only appropriate staff can migrate changes into production.
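The point of option B, and of the earlier answer about reviewing the version control system, is the direction of the test: start from the changes that actually reached production and look for an approval for each one, rather than starting from the approval records, which by construction cannot show a change nobody recorded. The following added example (not code from this study set or from ISACA) runs that test over a constructed list of changes discovered in production and a constructed change register; both record formats are assumptions. It flags an undocumented change, an approval recorded after the change was made, and a change outside the approved scope, and shows which of those a register-driven review could never have sampled.

```python
"""Test compliance with change control by starting from what actually changed in
production and verifying each change against the approval register.
Added example for this study set; record formats are constructed, not from any real system."""
from datetime import datetime

# Constructed: changes discovered on the production server, e.g. from the version control
# log or file modification dates, gathered independently of the change tickets.
DISCOVERED_CHANGES = [
    {"commit": "a1f3c9", "path": "billing/invoice.py", "changed_at": "2024-05-06T10:15:00", "ticket": "CHG-1041"},
    {"commit": "b7e2d0", "path": "billing/tax_rates.py", "changed_at": "2024-05-07T22:48:00", "ticket": None},
    {"commit": "c44a11", "path": "auth/session.py", "changed_at": "2024-05-08T09:00:00", "ticket": "CHG-1050"},
    {"commit": "d09be2", "path": "reports/export.py", "changed_at": "2024-05-09T16:30:00", "ticket": "CHG-1041"},
]

# Constructed: the change control register as the change manager maintains it.
CHANGE_REGISTER = {
    "CHG-1041": {"approved": True, "approver": "owner.billing", "approved_at": "2024-05-05T15:00:00",
                 "scope": ["billing/invoice.py"]},
    "CHG-1050": {"approved": True, "approver": "owner.iam", "approved_at": "2024-05-08T11:30:00",
                 "scope": ["auth/session.py"]},
    "CHG-1052": {"approved": False, "approver": None, "approved_at": None,
                 "scope": ["reports/export.py"]},
}


def audit_change(change: dict, register: dict) -> list:
    """Return the control exceptions for one discovered change (empty list means compliant)."""
    if change["ticket"] is None:
        return ["no change ticket referenced"]
    ticket = register.get(change["ticket"])
    if ticket is None:
        return [f"ticket {change['ticket']} not found in register"]
    issues = []
    if not ticket["approved"]:
        issues.append(f"ticket {change['ticket']} not approved")
    elif datetime.fromisoformat(ticket["approved_at"]) > datetime.fromisoformat(change["changed_at"]):
        issues.append("approval recorded after the change was made")
    if change["path"] not in ticket["scope"]:
        issues.append(f"{change['path']} is outside the approved scope")
    return issues


def audit_changes(changes: list, register: dict) -> dict:
    """Map each commit found in production to its list of exceptions."""
    return {c["commit"]: audit_change(c, register) for c in changes}


def exceptions(changes: list, register: dict) -> list:
    """Commits that fail the compliance test."""
    return [commit for commit, issues in audit_changes(changes, register).items() if issues]


def invisible_to_register_review(changes: list, register: dict) -> list:
    """Changes that a review starting from the register (options A and C) can never sample,
    because nothing in the register points at them."""
    return [c["commit"] for c in changes if c["ticket"] not in register]


if __name__ == "__main__":
    for commit, issues in audit_changes(DISCOVERED_CHANGES, CHANGE_REGISTER).items():
        print(commit, "OK" if not issues else "; ".join(issues))
    print("not reachable from the register:", invisible_to_register_review(DISCOVERED_CHANGES, CHANGE_REGISTER))
```

The undocumented commit b7e2d0 is the one a review of migration records or change documentation would miss entirely, which is why identifying the changes first is the more effective test.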

Resuming critical processes (The resumption of critical processes has the highest priority because it enables business processes to begin immediately after the interruption and not later than the maximum tolerable period of disruption (MTPD) or maximum tolerable downtime (MTD). B is wrong because recovery of sensitive processes refers to recovering the vital and sensitive processes that can be performed manually at a tolerable cost for an extended period of time and those that are not marked as high priority. C is wrong because repairing and restoring the site to its original status and resuming the business operations are time-consuming and not the highest priority. D is wrong because relocating operations to an alternative site, either temporarily or permanently, depending on the interruption, is time-consuming; moreover, relocation may not be required.)

Which of the following would have the HIGHEST priority in a business continuity plan (BCP)? A. Resuming critical processes B. Recovering sensitive processes C. Restoring the site D. Relocating operations to an alternative site

