CISA Practise Question Database 2013-2014

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan? Select an answer: A. Prioritize the identified risk. B. Define the audit universe. C. Identify the critical controls. D. Determine the testing approach.

1.1 The correct answer is B. A. Once the audit universe is defined, the auditor can prioritize risk based on its overall impact on different operational areas of the organization covered under the audit universe. B. In a risk-based audit approach, the auditor identifies risk to the organization based on the nature of the business. In order to plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix. C. The controls that help in mitigating high-risk areas are generally critical controls and their effectiveness provides assurance on mitigation of risk. However, this cannot be done unless the types of risk are ranked. D. The testing approach is based on the risk ranking.

Which of the following is in the BEST position to approve changes to the audit charter? Select an answer: A. Board of directors B. Audit committee C. Executive management D. Director of internal audit

1.1 You answered A. The correct answer is B. A. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval. B. The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee and the audit charter should be approved by the committee. C. Executive management is not required to approve the audit charter. The audit committee is in the best position to approve the charter. D. While the director of internal audit may draft the charter and make changes, the audit committee should have the final approval of the charter.

A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it: Select an answer: A. can identify high-risk areas that might need a detailed review later. B. allows IS auditors to independently assess risk. C. can be used as a replacement for traditional audits. D. allows management to relinquish responsibility for control.

1.1 You are correct, the answer is A. CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Choice B is incorrect, because CSA requires the involvement of IS auditors and line management. What occurs is that the internal audit function shifts some of the control monitoring responsibilities to the functional areas. Choice C is incorrect because CSA is not a replacement for traditional audits. CSA is not intended to replace audit's responsibilities, but to enhance them. Choice D is incorrect, because CSA does not allow management to relinquish its responsibility for control.

An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST: A. expand the scope of the IS audit to include the devices that are not on the network diagram. B. evaluate the impact of the undocumented devices on the audit scope. C. note a control deficiency because the network diagram has not been updated. D. plan follow-up audits of the undocumented devices.

1.1 You are correct, the answer is B. In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated—for example, the network layer, cross connections, etc. It is important that the IS auditor does not immediately assume that everything on the network diagram provides information about the risk affecting a network/system. There is a process in place for documenting and updating the network diagram. In this case, there is simply a mismatch in timing between the completion of the approval process and when the IS audit began. There is no control deficiency to be reported. Planning for follow-up audits of the undocumented devices is contingent on the risk that the undocumented devices have on the ability of the entity to meet the audit scope.

Why does an audit manager review audit papers from an IS auditor, even when the auditor has more than 10 years of experience? A. Supervision is required to comply with internal quality requirements. B. Supervision is required to comply with the audit guidelines. C. Supervision is required to comply with the audit methodology. D. Supervision is required to comply with professional standards.

1.1 You are correct, the answer is D. A. Internal quality requirements may exist, but are superseded by the requirement of supervision to comply with professional standards. B. Audit guidelines exist to provide guidance on how to achieve compliance with professional standards. For example, they may provide insights on the purpose of supervision and examples of how supervisory duties are to be performed to achieve compliance with professional standards. C. An audit methodology is a well-configured process/procedure to achieve audit objectives. While an audit methodology is a meaningful tool, supervision is generally driven by compliance with professional standards. D. Professional standards from ISACA, The Institute of Internal Auditors (IIA) and the International Federation of Accountants (IFAC) require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more.

An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase? Select an answer: A. Development of an audit program B. Review of the audit charter C. Identification of key information owners D. Performance of a risk assessment

1.1 You are correct, the answer is D. A. The results of the risk assessment are used for the input for the audit program. B. The audit charter is prepared when the audit department is established or as updates are needed. Creation of the audit charter is not related to the audit planning phase because it is part of the internal audit governance structure that provides independence for the function. C. A risk assessment must be performed prior to identifying key information owners. Key information owners are generally not directly involved during the planning process of an audit. D. A risk assessment should be performed to determine how internal audit resources should be allocated in order to ensure that all material items will be addressed.

The PRIMARY advantage of a continuous audit approach is that it: Select an answer: A. does not require an IS auditor to collect evidence on system reliability while processing is taking place. B. requires the IS auditor to review and follow up immediately on all information collected. C. can improve system security when used in time-sharing environments that process a large number of transactions. D. does not depend on the complexity of an organization's computer systems.

1.1. The correct answer is C. The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques depends on the complexity of an organization's computer systems.

An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs? Select an answer: A. Usefulness B. Reliability C. Relevance D. Adequacy

1.2 The correct answer is B. A. Usefulness of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct of an impact on usefulness as reliability does. B. Because the data are directly collected by the IS auditor, the audit findings can be reported with an emphasis on the reliability of the records that are produced and maintained in the system. The reliability of the source of information used provides reassurance on the findings generated. C. Relevance of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct of an impact on relevance as reliability does. D. Adequacy of audit evidence pulled by CAATs is determined by the processes and personnel who author the data, and the use of CAATs does not have any impact on competence.

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: Select an answer: A. most valuable information assets. B. IS audit resources to be deployed. C. auditee personnel to be interviewed. D. control objectives and activities.

1.2 You answered A. The correct answer is D. A. To determine the key information assets to be audited, the IS auditor should first determine which control objectives and key control activities should be validated. Only information assets that are related to the control objectives and key control activities are relevant for scoping the audit. B. Only after determining which controls and related relevant information assets are to be validated can the IS auditor decide on the key IS audit resources (with the relevant skill sets) that should be deployed for the audit. C. Only after determining the key control activities to be validated can the IS auditor identify the relevant process personnel who should be interviewed. D. Once the business process is identified, the IS auditor should first identify the control objectives and activities that should be validated in the audit.

The extent to which data will be collected during an IS audit should be determined based on the: Select an answer: A. availability of critical and required information. B. auditor's familiarity with the circumstances. C. auditee's ability to find relevant evidence. D. purpose and scope of the audit being done.

1.2 You answered A. The correct answer is D. The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An IS audit with a narrow purpose and scope would result most likely in less data collection, than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the IS auditor's familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence.

An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review: Select an answer: A. the controls already in place. B. the effectiveness of the controls in place. C. the mechanism for monitoring the risk related to the assets. D. the threats/vulnerabilities affecting the assets.

1.2 You answered B. The correct answer is D. One of the key factors to be considered while assessing the risk related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risk related to the use of information assets should be evaluated in isolation from the installed controls. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and not during the risk assessment phase. A mechanism to continuously monitor the risk related to assets should be put in place during the risk monitoring function that follows the risk assessment phase.

An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to: Select an answer: A. obtain an understanding of the control objective. B. confirm that the control is operating as designed. C. determine the integrity of data controls. D. determine the reasonableness of financial reporting controls.

1.2 You answered C. The correct answer is B. Compliance tests can be used to test the existence and effectiveness of a defined process. Understanding the objective of a compliance test is important. IS auditors want reasonable assurance that the controls they are relying on are effective. Understanding the control objectives is key, but it is not the reason for conducting a compliance test. Substantive tests, not compliance tests, are associated with data integrity and financial reporting.

An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs? Select an answer: A. Usefulness B. Reliability C. Relevance D. Adequacy

1.2 You are correct, the answer is B. A. Usefulness of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct of an impact on usefulness as reliability does. B. Because the data are directly collected by the IS auditor, the audit findings can be reported with an emphasis on the reliability of the records that are produced and maintained in the system. The reliability of the source of information used provides reassurance on the findings generated. C. Relevance of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct of an impact on relevance as reliability does. D. Adequacy of audit evidence pulled by CAATs is determined by the processes and personnel who author the data, and the use of CAATs does not have any impact on competence.

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk? Select an answer: A. Inherent B. Detection C. Control D. Business

1.2 You are correct, the answer is B. Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Inherent risk is not usually affected by an IS auditor. Control risk can be mitigated by the actions of the company's management. Business risk is usually not directly affected by an IS auditor.

An IS auditor is developing an audit plan for a repeat client. The IS auditor reviews the prior-year audit plan and finds that the previous plan was designed to review the company network and email systems, which were newly implemented last year, but the plan did not include reviewing the e-commerce web server. The company IT manager indicates that this year the organization prefers to focus the audit on a newly-implemented enterprise resource planning (ERP) application. How should the IS auditor respond? Select an answer: A. Audit the new ERP application as requested by the IT manager. B. Audit the e-commerce server since it was not audited last year. C. Determine the highest-risk systems and plan the audit based on the results. D. Audit both the e-commerce server and the ERP application.

1.2 You are correct, the answer is C. The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IT Audit and Assurance Standard S11 (Use of Risk Assessment in Audit Planning), Substandard S03, states that "The IS auditor should use an appropriate risk assessment technique or approach in developing the overall IS audit plan and in determining priorities for the effective allocation of IS audit resources." The IS auditor should not rely on the prior-year audit plan since it may not have been designed to reflect a risk-based approach (the newest systems are not necessarily the systems with the highest risk). Auditing the new ERP application does not reflect a risk-based approach and thus is not the correct answer. Although ERP systems typically contain sensitive data and may present risk of data loss or disclosure to the organization, without a risk assessment, the decision to audit the ERP system is not a risk-based decision. Auditing the e-commerce server because it was not audited last year does not reflect a risk-based approach and thus is not the correct answer. In addition, the IT manager may know about problems with the e-commerce server and may be intentionally trying to steer the audit away from that vulnerable area. Although at first glance e-commerce may seem to be the most risky area, an assessment must be conducted rather than relying on the judgment of the IS auditor or IT manager. Auditing both the e-commerce server and the ERP application does not reflect a risk-based approach and thus this is not the correct answer.

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: Select an answer: A. most valuable information assets. B. IS audit resources to be deployed. C. auditee personnel to be interviewed. D. control objectives and activities.

1.2 You are correct, the answer is D. A. To determine the key information assets to be audited, the IS auditor should first determine which control objectives and key control activities should be validated. Only information assets that are related to the control objectives and key control activities are relevant for scoping the audit. B. Only after determining which controls and related relevant information assets are to be validated can the IS auditor decide on the key IS audit resources (with the relevant skill sets) that should be deployed for the audit. C. Only after determining the key control activities to be validated can the IS auditor identify the relevant process personnel who should be interviewed. D. Once the business process is identified, the IS auditor should first identify the control objectives and activities that should be validated in the audit.

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: Select an answer: A. most valuable information assets. B. IS audit resources to be deployed. C. auditee personnel to be interviewed. D. control objectives and activities.

1.2 You are correct, the answer is D. A. To determine the key information assets to be audited, the IS auditor should first determine which control objectives and key control activities should be validated. Only information assets that are related to the control objectives and key control activities are relevant for scoping the audit. B. Only after determining which controls and related relevant information assets are to be validated can the IS auditor decide on the key IS audit resources (with the relevant skill sets) that should be deployed for the audit. C. Only after determining the key control activities to be validated can the IS auditor identify the relevant process personnel who should be interviewed. D. Once the business process is identified, the IS auditor should first identify the control objectives and activities that should be validated in the audit.

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: Select an answer: A. most valuable information assets. B. IS audit resources to be deployed. C. auditee personnel to be interviewed. D. control objectives and activities.

1.2 You are correct, the answer is D. A. To determine the key information assets to be audited, the IS auditor should first determine which control objectives and key control activities should be validated. Only information assets that are related to the control objectives and key control activities are relevant for scoping the audit. B. Only after determining which controls and related relevant information assets are to be validated can the IS auditor decide on the key IS audit resources (with the relevant skill sets) that should be deployed for the audit. C. Only after determining the key control activities to be validated can the IS auditor identify the relevant process personnel who should be interviewed. D. Once the business process is identified, the IS auditor should first identify the control objectives and activities that should be validated in the audit.

Which of the following would normally be the MOST reliable evidence for an IS auditor? Select an answer: A. A confirmation letter received from a third party verifying an account balance B. Assurance from line management that an application is working as designed C. Trend data obtained from World Wide Web (Internet) sources D. Ratio analysis developed by the IS auditor from reports supplied by line management

1.3 The correct answer is A. Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable as choice A.

When auditing the provisioning procedures of the identity management (IDM) system of a large organization, an IS auditor immediately finds a small number of access requests that had not been authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should: Select an answer: A. perform an additional analysis. B. report the problem to the audit committee. C. conduct a security risk assessment. D. recommend that the owner of the IDM system fix the workflow issues.

1.3 The correct answer is A. The IS auditor needs to perform substantive testing and an additional analysis in order to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and what factors caused this incident. The IS auditor should identify whether the issue was caused by managers not following procedures, by a problem with the workflow of the automated system or a combination of the two. The other options are not correct because the IS auditor does not have enough information to report the problem, conduct a risk assessment or recommend fixing the workflow issues.

An IS auditor suspects an incident (attack) is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST? A. Request that the system be shut down to preserve evidence. B. Report the incident to management. C. Ask for immediate suspension of the suspect accounts. D. Immediately investigate the source and nature of the incident.

1.3 The correct answer is B. Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor's role to respond to incidents during an audit. The other options are actions that should be directed by management during incident response.

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix? Select an answer: A. Variable sampling B. Stratified mean per unit C. Attribute sampling D. Unstratified mean per unit

1.3 The correct answer is C. Attribute sampling is the method used for compliance testing. In this scenario, the operation of control is being evaluated, and therefore attribute sampling should be used to determine whether the purchase orders have been approved. Variable sampling is the method used for substantive testing, which involves testing transactions for quantitative aspects such as monetary values. Stratified mean per unit and unstratified mean per unit are used in variable sampling.

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt? Select an answer: A. Process narrative B. Inquiry C. Reperformance D. Walk-through

1.3 The correct answer is D. A. Process narratives may not be current or complete and may not reflect the actual process in operation. B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of evidence. C. Reperformance is used to evaluate the operating effectiveness of the control rather than the design of the control. D. Walk-throughs involve a combination of inquiry and inspection of evidence with respect to business process controls. This is the most effective basis for evaluation of the design of the control as it actually exists.

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file? Select an answer: A. Attribute sampling B. Computer Aided Audit Techniques (CAATs) C. Test data D. Integrated test facility (ITF)

1.3 You answered A. The correct answer is B. CAATs would enable the IS auditor to review the entire invoice file to look for those items that meet the selection criteria. Attribute sampling would aid in identifying records meeting specific conditions, but would not compare one record to another to identify duplicates. To detect duplicate invoice records the IS auditor should check all of the items that meet the criteria and not just a sample of the items. Test data are used to verify program processing, but will not identify duplicate records. An ITF allows the IS auditor to test transactions through the production system, but would not compare records to identify duplicates.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? Select an answer: A. System log analysis B. Compliance testing C. Forensic analysis D. Analytical review

1.3 You answered A. The correct answer is B. Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. It is unlikely that the system log analysis would provide information about the modification of programs. Forensic analysis is a specialized technique for criminal investigation. An analytical review assesses the general control environment of an organization.

An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of: Select an answer: A. variable sampling. B. substantive testing. C. compliance testing. D. stop-or-go sampling.

1.3 You answered A. The correct answer is C. Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor? Select an answer: A. There are a growing number of emergency changes. B. There were instances when some jobs were not completed on time. C. There were instances when some jobs were overridden by computer operators. D. Evidence shows that only scheduled jobs were run.

1.3 You answered A. The correct answer is C. The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical. The other options are not as critical because issues such as processing delays, errors or even emergency changes are acceptable as long as they are properly documented as part of the process.

An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a: Select an answer: A. lower confidence coefficient, resulting in a smaller sample size. B. higher confidence coefficient, resulting in a smaller sample size. C. higher confidence coefficient, resulting in a larger sample size. D. lower confidence coefficient, resulting in a larger sample size.

1.3 You answered B. The correct answer is A. A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size. B. A higher confidence coefficient will result in the use of a larger sample size. C. A higher confidence coefficient need not be adopted in this situation because internal controls are strong. D. A lower confidence coefficient will result in the use of a smaller sample size.

In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should: A. identify and assess the risk assessment process used by management. B. identify information assets and the underlying systems. C. disclose the threats and impacts to management. D. identify and evaluate the existing controls.

1.3 You answered B. The correct answer is D. It is important for an IS auditor to identify and evaluate the existing controls and security once the potential threats and possible impacts are identified. Upon completion of an audit an IS auditor should describe and discuss with management the threats and potential impacts on the assets.

General ledger (GL) data are required for an audit. Instead of asking IT to extract the data, the IS auditor is granted direct access to the data. What is the MAIN advantage of this approach? Select an answer: A. Reduction of IT person-hours to support the audit B. Reduction of the likelihood of errors in the extraction process C. Greater flexibility for the audit department D. Greater assurance of data validity

1.3 You answered B. The correct answer is D. A. While the burden on IT staff to support the audit may decrease if the IS auditor directly extracts the dates, this advantage is not as significant as the increased data validity. B. The risk of errors would increase because IS auditors generally have a wider, but less detailed, technical knowledge of the internal data structure and database technicalities. C. This task requires a precise coordination with the database and operations departments to avoid interference with operations and assure data consistency and completeness. D. If the IS auditor executes the data extraction, there is greater assurance that the extraction criteria will not interfere with the required completeness and therefore all required data will be collected. Asking IT to extract the data may expose the risk of filtering out exceptions that should be seen by the auditor. Also, if the IS auditor collects the data, all internal references correlating the various data tables/elements will be understood, and this knowledge may reveal vital elements to the completeness and correctness of the overall audit activity.

When testing program change requests, an IS auditor finds that the population of changes was too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take? Select an answer: A. Develop an alternate testing procedure. B. Report the finding to management as a deficiency. C. Perform a walk-through of the change management process. D. Create additional sample changes to programs.

1.3 You answered C. The correct answer is A. If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure. There is not enough evidence to report the finding as a deficiency. A walk-through should not be initiated until an analysis is performed to confirm that this could provide the required assurance. It would not be appropriate for an IS auditor to create sample data for the purpose of the audit.

The effect of which of the following should have priority in planning the scope and objectives of an IS audit? A. Applicable statutory requirements B. Applicable corporate standards C. Applicable industry best practices D. Organizational policies and procedures

1.3 You answered D. The correct answer is A. A. The effect of applicable statutory requirements must be factored in while planning an IS audit—the IS auditor has no options in this respect because there can be no limitation of scope in respect to statutory requirements. B. Statutory requirements always take priority over corporate standards. C. Industry best practices help plan an audit; however, best practices are not mandatory and can be deviated from to meet organization objectives. D. Organizational policies and procedures are important, but statutory requirements always take priority.

An IS auditor is evaluating processes put in place by management at a storage location containing computer equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing procedure executed by the IS auditor is an example of: Select an answer: A. substantive testing. B. compliance testing. C. analytical testing. D. control testing.

1.3 You answered D. The correct answer is A. A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. B. Compliance testing is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. This differs from substantive testing in which evidence is gathered to evaluate the integrity of individual transactions, data or other information. C. Analytical testing evaluates the relationship of two sets of data and discerns inconsistencies in the relationship. D. Control testing is the same as compliance testing.

When auditing the provisioning procedures of the identity management (IDM) system of a large organization, an IS auditor immediately finds a small number of access requests that had not been authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should: Select an answer: A. perform an additional analysis. B. report the problem to the audit committee. C. conduct a security risk assessment. D. recommend that the owner of the IDM system fix the workflow issues.

1.3 You answered D. The correct answer is A. The IS auditor needs to perform substantive testing and an additional analysis in order to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and what factors caused this incident. The IS auditor should identify whether the issue was caused by managers not following procedures, by a problem with the workflow of the automated system or a combination of the two. The other options are not correct because the IS auditor does not have enough information to report the problem, conduct a risk assessment or recommend fixing the workflow issues.

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit? Select an answer: A. Contingency planning B. IS management resource allocation C. Project management D. Knowledge of internal controls

1.3 You answered D. The correct answer is C. A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques. B. IS managers are responsible for resource management of their departments. IS auditors do not manage IS resources. C. Audits often involve resource management and deadlines similar to project management best practices. D. Knowledge of internal controls is fundamental to IS auditors. Professional competence is an auditing standard.

When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following? Select an answer: A. The point at which controls are exercised as data flow through the system B. Only preventive and detective controls are relevant C. Corrective controls can only be regarded as compensating D. Classification allows an IS auditor to determine which controls are missing

1.3 You are correct, the answer is A. An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect because corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls. Choice D is incorrect and irrelevant, because the existence and function of controls is important, not the classification.

Which of the following does a lack of adequate controls represent? Select an answer: A. An impact B. A vulnerability C. An asset D. A threat

1.3 You are correct, the answer is B. A. Impact is the measure of the financial loss that a threat event may have. B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information, financial loss, legal penalties or other losses. C. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure, finances and reputation. D. A threat is a potential cause of an unwanted incident.

The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is: Select an answer: A. control design testing. B. substantive testing. C. inspection of relevant documentation. D. distribution of a questionnaire.

1.3 You are correct, the answer is B. A. Testing of control design assesses whether the control is structured to meet a specific control objective. It does not help determine whether the control is operating effectively. B. Among other methods, such as document review or walk-through, tests of controls are the most effective procedure to assess whether controls accurately support operational effectiveness. C. Control documents may not always describe the actual status in an accurate manner. Therefore, auditors relying on document review have limited assurance that the control is operating as intended. D. A questionnaire may be used at the initial stage of control analysis to give auditors a broad understanding of the overall control environment.

Which of the following forms of evidence for the auditor would be considered the MOST reliable? Select an answer: A. An oral statement from the auditee B. The results of a test performed by an external IS auditor C. An internally generated computer accounting report D. A confirmation letter received from an outside source

1.3 You are correct, the answer is B. An independent test performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party since a letter does not conform to audit standards and is subjective. An audit should consist of a combination of inspection, observation and inquiry by an IS auditor as determined by risk. This provides a standard methodology and "reasonable" assurance that the controls, and test results, are accurate. Choices A and C are audit evidence, but not as reliable as choice B.

An IS auditor is evaluating data mining and auditing software to be used in future IS audits. What is the PRIMARY requirement that the software tool should meet? The software tool should: Select an answer: A. interface with various types of enterprise resource planning (ERP) software and databases. B. preserve data integrity and not modify source data in any way. C. introduce audit hooks into the company's financial systems to support continuous auditing. D. be customizable and support inclusion of custom programming to aid in investigative analysis.

1.3 You are correct, the answer is B. While all of the options above are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool does not compromise data integrity or make changes to the systems being audited.

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit? Select an answer: A. Contingency planning B. IS management resource allocation C. Project management D. Knowledge of internal controls

1.3 You are correct, the answer is C. A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques. B. IS managers are responsible for resource management of their departments. IS auditors do not manage IS resources. C. Audits often involve resource management and deadlines similar to project management best practices. D. Knowledge of internal controls is fundamental to IS auditors. Professional competence is an auditing standard.

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit? Select an answer: A. Contingency planning B. IS management resource allocation C. Project management D. Knowledge of internal controls

1.3 You are correct, the answer is C. A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques. B. IS managers are responsible for resource management of their departments. IS auditors do not manage IS resources. C. Audits often involve resource management and deadlines similar to project management best practices. D. Knowledge of internal controls is fundamental to IS auditors. Professional competence is an auditing standard.

During external audit, an IS auditor discovers that systems that are in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should: Select an answer: A. remove the IS auditor from the engagement. B. cancel the engagement. C. disclose the issue to the client. D. take steps to restore the IS auditor's independence.

1.3 You are correct, the answer is C. A. It is not necessary to withdraw the IS auditor unless there is a statutory limitation, as exists in certain countries. B. Canceling the engagement is not called for. C. In circumstances in which the IS auditor's independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor's independence should be disclosed to the appropriate management and in the report. D. This is not a feasible solution.

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control? Select an answer: A. Walk-through with the reviewer of the operation of the control B. System-generated exception reports for the review period with the reviewer's sign-off C. One sample system-generated exception report for the review period, with follow-up action items noted by the reviewer D. Management's confirmation of the effectiveness of the control for the review period

1.3 You are correct, the answer is C. Choice C represents the best possible evidence of the effective operation of the control because the reviewer has documented the actions to be taken based on the review of the exception report. A walk-through will highlight how a control is designed to work, but it seldom highlights exceptions or constraints in the process. Reviewer sign-off does not necessarily demonstrate the effectiveness of the control if the reviewer does not note follow-up actions for the exceptions identified. Management's confirmation of effectiveness of the control suffers from lack of independence—management might be biased toward the effectiveness of the controls put in place.

The internal audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the auditors? Select an answer: A. Stop-or-go B. Classical variable C. Discovery D. Probability-proportional-to-size

1.3 You are correct, the answer is C. Discovery sampling is used when an auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place. Stop-or-go is a sampling method that helps limit the size of a sample and allows the test to be stopped at the earliest possible moment. Classical variable sampling is associated with dollar amounts. Probability-proportional-to-size sampling is typically associated with cluster sampling when there are groups within a sample. The question does not indicate that an IS auditor is searching for a threshold of fraud.

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system? Select an answer: A. Dumping the memory content to a file B. Generating disk images of the compromised system C. Rebooting the system D. Removing the system from the network

1.3 You are correct, the answer is C. Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory. The other choices are appropriate actions for preserving evidence.

General ledger (GL) data are required for an audit. Instead of asking IT to extract the data, the IS auditor is granted direct access to the data. What is the MAIN advantage of this approach? Select an answer: A. Reduction of IT person-hours to support the audit B. Reduction of the likelihood of errors in the extraction process C. Greater flexibility for the audit department D. Greater assurance of data validity

1.3 You are correct, the answer is D. A. While the burden on IT staff to support the audit may decrease if the IS auditor directly extracts the dates, this advantage is not as significant as the increased data validity. B. The risk of errors would increase because IS auditors generally have a wider, but less detailed, technical knowledge of the internal data structure and database technicalities. C. This task requires a precise coordination with the database and operations departments to avoid interference with operations and assure data consistency and completeness. D. If the IS auditor executes the data extraction, there is greater assurance that the extraction criteria will not interfere with the required completeness and therefore all required data will be collected. Asking IT to extract the data may expose the risk of filtering out exceptions that should be seen by the auditor. Also, if the IS auditor collects the data, all internal references correlating the various data tables/elements will be understood, and this knowledge may reveal vital elements to the completeness and correctness of the overall audit activity.

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should: Select an answer: A. ask the auditee to sign a release form accepting full legal responsibility. B. elaborate on the significance of the finding and the risk of not correcting it. C. report the disagreement to the audit committee for resolution. D. accept the auditee's position since they are the process owners.

1.4 The correct answer is B. If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communications and set up an adversarial relationship. By the same token, an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.

The final decision to include a material finding in an audit report should be made by the: Select an answer: A. audit committee. B. auditee's manager. C. IS auditor. D. chief executive officer (CEO) of the organization.

1.4 You answered A. The correct answer is C. The IS auditor should make the final decision about what to include or exclude from the audit report. The other choices would limit the independence of the IS auditor.

During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do? A. Recommend compensating controls. B. Review the code created by the developer. C. Analyze the quality assurance dashboards. D. Report the identified condition.

1.4 You answered C. The correct answer is D. A. While compensating controls may be a good idea, the primary response in this case should be to report the condition. B. Evaluating the code created by the application developer is not the appropriate response in this case. The IS auditor may evaluate a sample of changes to determine whether the developer tested his/her own code, but the primary response should be to report the condition. C. Analyzing the quality assurance dashboards can help evaluate the actual impact of the lack of segregation of duties, but does not address the underlying risk. The primary response should be to report the condition. D. The software quality assurance role should be independent and separate from development and development activities. The same person should not hold both roles because this would cause a segregation of duties concern. The IS auditor should report this condition when identified.

An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a specific vendor product to address this vulnerability. The IS auditor has failed to exercise: Select an answer: A. professional independence B. organizational independence. C. technical competence. D. professional competence.

1.4 You are correct, the answer is A. When an IS auditor recommends a specific vendor, that compromises the auditor's professional independence. Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. Technical and professional competence is not relevant to the requirement of independence.

An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should: A. apply the patch according to the patch's release notes. B. ensure that a good change management process is in place. C. thoroughly test the patch before sending it to production. D. approve the patch after doing a risk assessment.

1.4 You are correct, the answer is B. An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good change management process but are not an IS auditor's responsibility.

An IS auditor suspects an incident (attack) is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST? Select an answer: A. Request that the system be shut down to preserve evidence. B. Report the incident to management. C. Ask for immediate suspension of the suspect accounts. D. Immediately investigate the source and nature of the incident.

1.4 You are correct, the answer is B. Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor's role to respond to incidents during an audit. The other options are actions that should be directed by management during incident response.

In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on? Select an answer: A. A size check B. A hash total C. A validity check D. A field check

1.5 You answered B. The correct answer is C. A validity check would be the most useful for the verification of passwords because it would verify that the required format has been used—for example, not using a dictionary word, including non-alphabetical characters, etc. An effective password must have several different types of characters: alphabetical, numeric and special. The implementation of a field check would eliminate this important requirement and would be the least useful control for passwords. Passwords can, and should, be the same length. This check is useful because passwords should have a minimum length, but it is not as strong of a control as validity. Passwords are not typically entered in a batch mode, so a hash total would not be effective. More importantly, a system should not accept incorrect values of a password, so a hash total as a control will not find any errors or omissions.

Overall business risk for a particular threat can be expressed as: Select an answer: A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability. B. the magnitude of the impact should a threat source successfully exploit the vulnerability. C. the likelihood of a given threat source exploiting a given vulnerability. D. the collective judgment of the risk assessment team.

2-8 The correct answer is A. Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers only the magnitude of the damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process, but is often used and sometimes quite sensible.

Which of the following is the MOST important element for the successful implementation of IT governance? Select an answer: A. Implementing an IT scorecard B. Identifying organizational strategies C. Performing a risk assessment D. Creating a formal security policy

2.1 The correct answer is B. The key objective of an IT governance program is to support the business, thus the identification of organizational trategies

An IS steering committee should: Select an answer: A. include a mix of members from different departments and staff levels. B. ensure that IS security policies and procedures have been executed properly. C. maintain minutes of its meetings and keep the board of directors informed. D. be briefed about new trends and products at each meeting by a vendor.

2.1 You answered B. The correct answer is C. It is important to keep detailed steering committee minutes to document the decisions and activities of the IS steering committee, and the board of directors should be informed about those decisions on a timely basis. Choice A is incorrect because only senior management or high-level staff members should be on this committee because of its strategic mission. Choice B is not a responsibility of this committee, but the responsibility of the security administrator. Choice D is incorrect because a vendor should be invited to meetings only when appropriate.

The ultimate purpose of IT governance is to: Select an answer: A. encourage optimal use of IT. B. reduce IT costs. C. decentralize IT resources across the organization. D. centralize control of IT.

2.1 You are correct, the answer is A. IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. Centralizing control of IT is not always desired. An example of where it might be desired is an enterprise desiring a single point of customer contact.

An IS auditor is reviewing the IT governance practices. Which of the following BEST helps the IS auditor evaluate the quality of alignment between IT and the business? Select an answer: A. Security policies B. Operational procedures C. Project portfolio D. IT balanced scorecard (IT BSC)

2.1 You are correct, the answer is D. A. Security policies are important; however, they are not designed to align IT to the business. B. Operational procedures do not provide the IS auditor assurance of the alignment between IT and the business. C. The project portfolio is the set of projects owned by the organization. The portfolio provides a status quo, but is not a good basis to assess alignment of IT with the business. D. The IT BSC represents the translation of the business objectives into what IT needs to do to achieve these objectives.

Which of the following is an appropriate test method to apply to a business continuity plan (BCP)? Select an answer: A. Pilot B. Paper C. Unit D. System

2.11 You answered A. The correct answer is B. A paper test is appropriate for testing a BCP. It is a walk-through of the entire plan, or part of the plan, involving major players in the plan's execution, who reason out what may happen in a particular disaster. Choices A, C and D are not appropriate for a BCP.

An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following: • The existing disaster recovery plan was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department. • The plan was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting their attention. • The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for its area in the event of a disruptive incident. The IS auditor's report should recommend that: Select an answer: A. the deputy CEO be censured for their failure to approve the plan. B. a board of senior managers is set up to review the existing plan. C. the existing plan is approved and circulated to all key management and staff. D. a manager coordinates the creation of a new or revised plan within a defined time limit.

2.11 You answered A. The correct answer is D. The primary concern is to establish a workable disaster recovery plan, which reflects current processing volumes to protect the organization from any disruptive incident. Censuring the deputy CEO will not achieve this and is generally not within the scope of an IS auditor to recommend. Establishing a board to review the plan, which is two years out of date, may achieve an updated plan, but is not likely to be a speedy operation, and issuing the existing plan would be folly without first ensuring that it is workable. The best way to achieve a disaster recovery plan in a short time is to make an experienced manager responsible for coordinating the knowledge of other managers into a single, formal document within a defined time limit.

A financial institution has recently developed and installed a new deposit system which interfaces with their customer web site and their automated teller machines (ATMs). During the project, the development team and the business continuity team maintained good communication and the business continuity plan (BCP) has been updated to include the new system. A suitable BCP test to perform at this point in time would be: Select an answer: A. using actual resources to simulate a system crash. B. a detailed paper walk-through of the plan. C. a penetration test for the web site interface application. D. performing a failover of the system at the designated secondary site.

2.11 You answered D. The correct answer is A. The expectation is that the basic mechanics of recovery for the new system are understood and the recovery infrastructure has been put into place. An appropriate test now would be to involve actual resources in a simulated recovery exercise. This exercise would test the new recovery infrastructure under controlled conditions. Assuming that recovery options have been actively considered during development (as they would need to be for a mission-critical system), a paper walk-through would be of limited value. A security assessment or penetration test is vital for any application exposed to the Internet, but should have been performed much earlier in the process. Choice D is not correct because performing a failover test is not adequate to assess the degree to which the organization is prepared to recover from a wider range of problems.

Depending on the complexity of an organization's business continuity plan (BCP), the plan may be developed as a set of more than one plan to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that: A. each plan is consistent with one another. B. all plans are integrated into a single plan. C. each plan is dependent on one another. D. the sequence for implementation of all plans is defined.

2.11 You are correct, the answer is A. Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery. These do not necessarily have to be integrated into one single plan. However, each plan has to be consistent with other plans to have a viable business continuity planning strategy. It may not be possible to define a sequence in which plans have to be implemented, as it may be dependent on the nature of disaster, criticality, recovery time, etc.

Which of the following would be of MOST concern to an IS auditor performing an audit of a disaster recovery plan (DRP)? Select an answer: A. The DRP has not been tested. B. New team members have not read the DRP. C. The manager responsible for the DRP recently resigned. D. The DRP manual is not updated regularly.

2.11 You are correct, the answer is A. If the DRP has not been tested, it is very likely that the plan is incomplete or inadequate. This situation would be of concern to an IS auditor because the organization would have no way to accurately assess whether the plan is workable. If new team members are unfamiliar with the plan, current members would be able to assist them, so this would not be a significant issue. While the loss of experienced personnel can create some issues, if the plan was proven to be adequate, less experienced personnel would likely to be able to perform the required job functions in the case of a disaster. A DRP manual which is not updated regularly is a secondary concern to having a DRP which has not been tested.

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that: Select an answer: A. assessment of the situation may be delayed. B. execution of the disaster recovery plan could be impacted. C. notification of the teams might not occur. D. potential crisis recognition might be ineffective.

2.11 You are correct, the answer is B. Execution of the business continuity plan would be impacted if the organization does not know when to declare a crisis. Choices A, C and D are steps that must be performed to know whether to declare a crisis. Problem and severity assessment would provide information necessary in declaring a disaster. Once a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying this step until a disaster has been declared would negate the effect of having response teams. Potential crisis recognition is the first step in responding to a disaster.

Which of the following is the MOST important requirement for the successful testing of a disaster recovery plan (DRP)? Select an answer: A. Participation by all of the identified resources B. Management approval of the testing scenario C. Advance notice for all of the impacted employees D. IT management approval of the testing scenario

2.11 You are correct, the answer is B. Management approval of the testing scenario would help to ensure both that the test exercise was relevant and in alignment with business requirements. Obtaining management buy-in for the testing is critical to the success of the disaster recovery testing. Choice A is not correct because a DRP should be flexible enough to adapt to use of whatever personnel are available. Choice C is not correct because advance notice for the impacted employees is not necessarily required if the testing exercise is not expected to create service disruptions or other issues. Choice D is not correct because a testing scenario approved by business management approval is more likely to reflect the needs of the business. IT management may select a testing scenario more focused on IT priorities, which may be less effective.

Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan (BCP)? Select an answer: A. The plan is approved by the chief information officer (CIO). B. The plan contact lists have not been updated. C. Test results are not adequately documented. D. The training schedule for recovery personnel is not included.

2.11 You are correct, the answer is C. A. Ideally, the board of directors should approve the plan to ensure acceptability, but it is possible to delegate approval authority to the CIO. Pragmatically, lack of documenting test results could have more significant consequences. B. The contact lists are an important part of the BCP; however, they are not as important as documenting the test results. C. The effectiveness of a BCP can best be determined through tests. If results of tests are not documented, then there is no basis for feedback, updates, etc. D. If test results are documented, a need for training will be identified and the BCP will be updated.

In determining the acceptable time period for the resumption of critical business processes: Select an answer: A. only downtime costs need to be considered. B. recovery operations should be analyzed. C. both downtime costs and recovery costs need to be evaluated. D. indirect downtime costs should be ignored.

2.11 You are correct, the answer is C. Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis (BIA) should be a recovery strategy that represents the optimal balance. Downtime costs cannot be looked at in isolation. The quicker information assets can be restored and business processing resumed, the smaller the downtime costs. However, the expenditure needed to have the redundant capability required to recover information resources might be prohibitive for nonessential business processes. Recovery operations do not determine the acceptable time period for the resumption of critical business processes, and indirect downtime costs should be considered in addition to the direct cash outflows incurred due to business disruption. The indirect costs of a serious disruption to normal business activity, e.g., loss of customer and supplier goodwill and loss of market share, may actually be more significant than direct costs over time, thus reaching the point where business viability is threatened.

The PRIMARY objective of testing a business continuity plan is to: Select an answer: A. familiarize employees with the business continuity plan. B. ensure that all residual risk is addressed. C. exercise all possible disaster scenarios. D. identify limitations of the business continuity plan.

2.11 You are correct, the answer is D. Testing the business continuity plan provides the best evidence of any limitations that may exist. Familiarizing employees with the business continuity plan is a secondary benefit of a test. It is not cost effective to address residual risk in a business continuity plan, and it is not practical to test all possible disaster scenarios.

When an employee is terminated from service, the MOST important action is to: Select an answer: A. hand over all of the employee's files to another designated employee. B. complete a backup of the employee's work. C. notify other employees of the termination. D. disable the employee's logical access.

2.2 D. disable the employee's logical access. Не успел среагировать

A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action? Select an answer: A. Set up an exit interview with human resources (HR). B. Initiate the handover process to ensure continuity of the project. C. Terminate the developer's logical access to IT resources. D. Ensure that management signs off on the termination paperwork.

2.2 The correct answer is C. In order to protect IT assets, terminating logical access to IT resources is the first and most important action to take once management has confirmed the employee's clear intention to leave the enterprise. The interview with HR is also an important process if it is conducted by the last date of employment, but it is of secondary importance. As long as the handover process to a designated employee is conducted by the last date of employment, there should be no problems. Ensuring that management signs off on termination paperwork is important, but not as critical as terminating access to the IT systems.

Which of the following would BEST provide assurance of the integrity of new staff? Select an answer: A. Background screening B. References C. Bonding D. Qualifications listed on a résumé

2.2 You are correct, the answer is A. A background screening is the primary method for assuring the integrity of a prospective staff member. References are important and would need to be verified, but they are not as reliable as background screening. Bonding is directed at due-diligence compliance, not at integrity, and qualifications listed on a résumé may not be accurate.

An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of termination. The IS auditor should: Select an answer: A. report that the control is operating effectively since deactivation happens within the time frame stated in the IS policy. B. verify that user access rights have been granted on a need-to-have basis. C. recommend changes to the IS policy to ensure deactivation of user IDs upon termination. D. recommend that activity logs of terminated users be reviewed on a regular basis.

2.2 You are correct, the answer is C. Although a policy provides a reference for performing IS audit assignments, an IS auditor needs to review the adequacy and the appropriateness of the policy. If, in the opinion of the IS auditor, the time frame defined for deactivation is inappropriate, the auditor needs to communicate this to management and recommend changes to the policy. Although the deactivation happens as stated in the policy, it cannot be concluded that the control is effective. Best practice would require that the ID of a terminated user be deactivated immediately. Verifying that user access rights have been granted on a need-to-have basis is necessary when permissions are granted. Recommending that activity logs of terminated users be reviewed on a regular basis is a good practice, but not as effective as deactivation upon termination.

Which of the following reduces the potential impact of social engineering attacks? Select an answer: A. Compliance with regulatory requirements B. Promoting ethical understanding C. Security awareness programs D. Effective performance incentives

2.2 You are correct, the answer is C. Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. The other choices are not user-focused.

An IS auditor reviewing an organization's IT strategic plan should FIRST review: Select an answer: A. the existing IT environment. B. the business plan. C. the present IT budget. D. current technology trends.

2.3 The correct answer is B. The IT strategic plan exists to support the organization's business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize themselves with the business plan.

Rotating job responsibilities is a good security practice PRIMARILY because it: Select an answer: A. ensures that personnel are cross-trained. B. improves employee morale. C. maximizes employee performance. D. reduces the opportunity for fraud.

2.3 The correct answer is D. A. While cross-training is useful, it is not typically a security issue. B. Improving morale is important, but it is not a security concern. C. Job rotation may affect employee performance either positively or negatively. D. When individuals become familiar with systems and processes, they gain an understanding of the weaknesses of those systems and processes. If the individual is then motivated in some way to take advantage of the situation, various forms of fraud might occur. Job rotation reduces the opportunity and increases the likelihood of exposure of the fraud.

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: Select an answer: A. control self-assessments. B. a business impact analysis (BIA). C. an IT balanced scorecard (BSC). D. business process reengineering (BPR).

2.3 You answered B. The correct answer is C. An IT BSC provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. CSA, BIA and BPR are insufficient to align IT with organizational objectives.

The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it: Select an answer: A. does not exceed the existing IT budget. B. is aligned with the investment strategy. C. has been approved by the IT steering committee. D. is aligned with the business plan.

2.3 You answered C. The correct answer is D. Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor. Not every enterprise has an IT steering committee.

Which of the following goals would you expect to find in an organization's strategic plan? Select an answer: A. Test a new accounting package. B. Perform an evaluation of information technology needs. C. Implement a new project planning system within the next 12 months. D. Become the supplier of choice for the product offered.

2.3 You answered C. The correct answer is D. Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but also must address and help determine priorities to meet business needs. Long- and short-range plans should be consistent with the organization's broader plans for attaining their goals. Choice D represents a business objective that is intended to focus the overall direction of the business and would thus be a part of the organization's strategic plan. The other choices are project-oriented and do not address business objectives.

To support an organization's goals, an IS department should have: Select an answer: A. a low-cost philosophy. B. long- and short-range plans. C. leading-edge technology. D. plans to acquire new hardware and software.

2.3 You are correct, the answer is B. To ensure its contribution to the realization of an organization's overall goals, the IS department should have long- and short-range plans that are consistent with the organization's broader plans for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate how each of the objectives would be achieved. Choice D could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals.

Which of the following is responsible for the development of an information security policy? Select an answer: A. The IS department B. The security committee C. The security administrator D. The board of directors

2.4 You answered B. The correct answer is D. Normally, the designing of an information systems security policy is the responsibility of top management or the board of directors. The IS department is responsible for the execution of the policy, having no authority in framing the policy. The security committee also functions within the broad security policy framed by the board of directors. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.

For a health care organization, which one of the following reasons would MOST likely indicate that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation? A. There are regulations regarding data privacy. B. Member service representative training cost will be much higher. C. It is harder to monitor remote databases. D. Time zone differences could impede customer service.

2.4 You are correct, the answer is A. Regulations prohibiting the cross-border flow of personally identifiable information (PII) may make it impossible to locate a data warehouse containing customer/member information in another county. Training cost, remote database monitoring and time zone difference issues are common and manageable regardless of where the data warehouse resides.

Effective IT governance will ensure that the IT plan is consistent with the organization's: Select an answer: A. business plan. B. audit plan. C. security plan. D. investment plan.

2.4 You are correct, the answer is A. To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization's business plans. The audit and investment plans are not part of the IT plan, while the security plan should be at a corporate level.

When developing a security architecture, which of the following steps should be executed FIRST? Select an answer: A. Developing security procedures B. Defining a security policy C. Specifying an access control methodology D. Defining roles and responsibilities

2.4 You are correct, the answer is B. Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. The other choices should be executed only after defining a security policy.

Which of the following would impair the independence of a quality assurance team? Select an answer: A. Ensuring compliance with development methods B. Checking the testing assumptions C. Correcting coding errors during the testing process D. Checking the code to ensure proper documentation

2.5 You answered A. The correct answer is C. Correction of code should not be a responsibility of the quality assurance team as it would not ensure segregation of duties and would impair the team's independence. The other choices are valid quality assurance functions.

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should: Select an answer: A. recommend that this separate project be completed as soon as possible. B. report this issue as a finding in the audit report. C. recommend the adoption of the Zachmann framework. D. re-scope the audit to include the separate project as part of the current audit.

2.6 You answered A. The correct answer is B. It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding. Choice A is not correct because the IS auditor would not ordinarily provide input on the timing of projects, but rather provide an assessment of the current environment. The most critical issue in this scenario is that the EA is not yet complete, so the auditor should be most concerned with reporting this issue. Choice C is not correct because the company is free to choose any EA framework and the IS auditor should not recommend a specific framework. Choice D is not correct because changing the scope of an audit to include the secondary project is not a realistic option.

Which of the following is MOST indicative of the effectiveness of an information security awareness program? Select an answer: A. Employees report more information regarding security incidents. B. All employees have signed the information security policy. C. Most employees have attended an awareness session. D. Information security responsibilities have been included in job descriptions.

2.6 You are correct, the answer is A. Although the promotion of security awareness is a preventive control, it can also be a detective measure because it encourages people to identify and report possible security violations. Choice A is the correct answer because the reporting of incidents implies that employees are taking action as a consequence of the awareness program. The existence of evidence that all employees have signed the security policy does not ensure that security responsibilities have been understood and applied. One of the objectives of the security awareness program is to inform the employees of what is expected of them and what their responsibilities are, but this knowledge does not ensure that employees will perform their activities in a secure manner. The documentation of roles and responsibilities in job descriptions is not an indicator of the effectiveness of the awareness program.

In the context of effective information security governance, the primary objective of value delivery is to: Select an answer: A. optimize security investments in support of business objectives. B. implement a standard set of security practices. C. institute a standards-based solution. D. implement a continuous improvement culture.

2.7 You are correct, the answer is A. In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization of standards-based solutions, and implementation of a continuous improvement culture considering security as a process, not an event.

The PRIMARY control purpose of required vacations or job rotations is to: Select an answer: A. allow cross-training for development. B. help preserve employee morale. C. detect improper or illegal employee acts. D. provide a competitive employee benefit.

2.7 You are correct, the answer is C. The practice of having another individual perform a job function is a control used to detect possible irregularities or fraud. While cross-training is a good practice for business continuity, it is not achieved through mandatory vacations. It is a best practice to maintain good employee morale, but this is not a primary reason to have a required vacation policy. Vacation time is a competitive benefit, but that is not a control.

The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor? Select an answer: A. The right to audit clause was not included in the contract. B. The business case was not established. C. There was no source code escrow agreement. D. The contract does not cover change management procedures.

2.8 The correct answer is B. Because the business case was not established, it is likely that the business rationale, risk and risk mitigation strategies for outsourcing the application development were not fully evaluated and formally approved by senior management. This situation presents the biggest risk to the organization. The lack of the right to audit clause, source code escrow or change management procedures each present risk to the organization; however, the risk is not as consequential as the lack of a business case.

What is the GREATEST risk of a bank outsourcing its data center? Select an answer: A. Loss or leakage of information B. Noncompliance with regulatory requirements C. Vendor failure or bankruptcy D. Loss of internal knowledge and experience

2.8 You are correct, the answer is A. A. The risk of loss or leakage of information is the greatest risk because it can subject the company to regulatory fines, lawsuits and reputation risk. B. Although noncompliance with regulations subjects a company to potential fines, it is not necessarily as great a risk as a security breach. C. The risk of vendor failure or bankruptcy can be mitigated in the contract through such clauses as code escrow as well as a robust recovery process. Although this risk is inherent in any contractual relationship, if the correct controls are in place then it should not materially affect the bank as much as a loss or leakage of information. D. The risk of a lack of internal IS staff knowledge through outsourcing, although valid, is not as great a risk as that resulting from a loss or leakage of information. Contractual controls, such as a turnover period in the event of contract termination, can also help mitigate the risk of loss of internal knowledge.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: Select an answer: A. meets or exceeds industry security standards. B. agrees to be subject to external security reviews. C. has a good market reputation for service and experience. D. complies with security policies of the organization.

2.8 You are correct, the answer is B. It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify or prove that that is the case without an independent review. Though long experience in business and good reputation is an important factor to assess service quality, the business cannot outsource to a provider whose security control is weak.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: Select an answer: A. meets or exceeds industry security standards. B. agrees to be subject to external security reviews. C. has a good market reputation for service and experience. D. complies with security policies of the organization.

2.8 You are correct, the answer is B. It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify or prove that that is the case without an independent review. Though long experience in business and good reputation is an important factor to assess service quality, the business cannot outsource to a provider whose security control is weak.

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: Select an answer: A. hardware configuration. B. access control software. C. ownership of intellectual property. D. application development methodology.

2.8 You are correct, the answer is C. Of the choices, the hardware and access control software is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. Similarly, the development methodology should be of no real concern. The contract must, however, specify who owns the intellectual property (i.e., information being processed, application programs). Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract.

After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways, and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented? Select an answer: A. A cost-benefit analysis B. An annualized loss expectancy (ALE) calculation C. A comparison of the cost of the IPS and firewall and the cost of the business systems D. A business impact analysis (BIA)

2.9 The correct answer is A. In a cost-benefit analysis, the total expected purchase and operational/support costs and a qualitative value for all actions are weighted against the total expected benefits in order to choose the best technical, most profitable, least expensive, or acceptable risk option. The ALE is the expected monetary loss that is estimated for an asset over a one-year period. It is a useful calculation that should be included in determining the necessity of controls, but is not sufficient alone. The cost of the hardware assets should be compared to the total value of the information that the asset protects, including the cost of the systems where the data reside and across which data are transmitted. Potential business impact is only one part of the cost-benefit analysis.

The PRIMARY benefit of implementing a security program as part of a security governance framework is the: Select an answer: A. alignment of the IT activities with IS audit recommendations. B. enforcement of the management of security risk. C. implementation of the chief information security officer's (CISO) recommendations. D. reduction of the cost for IT security.

2.9 The correct answer is B. The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risk. Recommendations, visions and objectives of the auditor and the CISO are usually included within a security program, but they would not be the major benefit. The cost of IT security may or may not be reduced.

Which of the following is the MOST reliable sender authentication method? A. Digital signatures B. Asymmetric cryptography C. Digital certificates D. Message authentication code

2.9 The correct answer is C. Digital certificates are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository. Asymmetric cryptography, such as public key infrastructure (PKI), appears to authenticate the sender but is vulnerable to a man-in-the-middle attack. Digital signatures are used for both authentication and confidentiality, but the identity of the sender would still be confirmed by the digital certificate. Message authentication code is used for message integrity verification.

Which of the following must exist to ensure the viability of a duplicate information processing facility? Select an answer: A. The site is near the primary site to ensure quick and efficient recovery. B. The site contains the most advanced hardware available. C. The workload of the primary site is monitored to ensure adequate backup is available. D. The hardware is tested when it is installed to ensure it is working properly.

2.9 The correct answer is C. Resource availability must be assured. The workload of the site must be monitored to ensure that availability for emergency backup use is not impaired. The site chosen should not be subject to the same natural disaster as the primary site. In addition, a reasonable compatibility of hardware/software must exist to serve as a basis for backup. The latest or newest hardware may not adequately serve this need. Testing the hardware when the site is established is essential, but regular testing of the actual backup data is necessary to ensure the operation will continue to perform as planned.

Overall business risk for a particular threat can be expressed as: Select an answer: A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability. B. the magnitude of the impact should a threat source successfully exploit the vulnerability. C. the likelihood of a given threat source exploiting a given vulnerability. D. the collective judgment of the risk assessment team.

2.9 You are correct, the answer is A. Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers only the magnitude of the damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process, but is often used and sometimes quite sensible.

When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of: Select an answer: A. excessive transaction turnaround time. B. application interface failure. C. improper transaction authorization. D. nonvalidated batch totals.

3.1 You answered A. The correct answer is C. Foremost among the risk associated with EDI is improper transaction authorization. Since the interaction with the parties is electronic, there is no inherent authentication. The other choices, although there is risk, are not as significant.

Which of the following should be a concern for an IS auditor reviewing an organization's cloud computing strategy which is based on a Software as a Service (SaaS) model with an external provider? Select an answer: A. Workstation upgrades must be performed. B. Long-term software acquisition costs are higher. C. Contract with the provider does not include onsite technical support. D. Incident handling procedures with the provider are not well defined.

3.1 You are correct, the answer is D. An SaaS provider does not normally have onsite support for the organization. Therefore, incident handling procedures between the organization and its provider are critical for the detection, communication and resolution of incidents, including effective lines of communication and escalation processes. Unless organization workstations are obsolete, upgrading should not be an issue with an SaaS model because most applications running as SaaS use common technologies that allow a user to run the software on different devices. The reduction of software acquisition costs is one of the benefits of SaaS.

The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure: Select an answer: A. integrity. B. authenticity. C. authorization. D. nonrepudiation.

3.14 You are correct, the answer is A. A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need other controls. Nonrepudiation can be ensured by using digital signatures.

An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort? Select an answer: A. Program evaluation review technique (PERT) B. Function point analysis (FPA) C. Counting source lines of code D. White box testing

3.2 You answered A. The correct answer is B. A. PERT is a project management technique used in the planning and control of system projects. B. FPA is a technique used to determine the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal sites. C. The number of source lines of code gives a direct measure of program size, but it does not allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs. D. White box testing involves a detailed review of the behavior of program code. It is a quality assurance technique suited to simpler applications during the design and building stage of development.

Which of the following is the MOST important critical success factor (CSF) of implementing a risk-based approach to the IT system life cycle? A. Adequate involvement of stakeholders B. Selection of a risk management framework C. Identification of risk mitigation strategies D. Understanding of the regulatory environment

3.2 You are correct, the answer is A. A. The most important critical success factor (CSF) is the adequate involvement and support of the various quality assurance, privacy, legal, audit, regulatory affairs or compliance teams in high regulatory risk situations. Some IT system changes may, based on risk ratings, require sign-off from key stakeholders before proceeding. B. Selecting a risk management framework helps the organization define the approach to addressing risk, but still requires adequate involvement of stakeholders to be successful. C. Identifying risk mitigation strategies helps the organization define the approach to addressing risk, but still requires adequate involvement of stakeholders to be successful. D. Having an understanding of the regulatory environment is important to ensure that risk is addressed in the context of the applicable regulation, but adequate stakeholder involvement is required to ensure success.

An IS auditor has been asked to review the implementation of a customer relationship management (CRM) system for a large organization. The IS auditor discovered the project incurred significant overbudget expenses and scope creep caused the project to miss key dates. Which of the following should the IS auditor recommend for future projects? Select an answer: A. Project management training B. A software baseline C. A balanced scorecard (BSC) D. Automated requirements software

3.2 You are correct, the answer is B. A. While project management training is a good practice, it does not necessarily prevent scope creep without the use of a software baseline and a robust requirements change process. B. Use of a software baseline provides a cutoff point for the design of the system and allows the project to proceed as scheduled without being delayed by scope creep. C. A BSC is a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives. It does not prevent scope creep. D. Use of automated requirements software does not decrease the risk of scope creep.

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? Select an answer: A. Project sponsor B. System development project team C. Project steering committee D. User project team

3.2 You are correct, the answer is C. A project steering committee that provides an overall direction for the ERP implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project. A system development project team completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The system development project team is not responsible for reviewing the progress of the project. A user project team completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A user project team is not responsible for reviewing the progress of the project.

A company's development team does not follow generally accepted system development life cycle (SDLC) practices. Which of the following is MOST likely to cause problems for software development projects? Select an answer: A. Functional verification of the prototypes is assigned to end users. B. The project is implemented while minor issues are open from user acceptance testing (UAT). C. Project responsibilities are not formally defined at the beginning of a project. D. Program documentation is inadequate.

3.2 You are correct, the answer is C. A. Prototypes are verified by users. B. UAT is seldom completely successful. If errors are not critical, they may be corrected after implementation without seriously affecting usage. C. Errors or lack of attention in the initial phases of a project may cause costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project. D. Lack of adequate program documentation, while a concern, is not as big a risk as the lack of assigned responsibilities during the initial stages of the project.

An IS auditor performing a review of a major software development project finds that it is on schedule and under budget due to unplanned overtime by software developers. The IS auditor should: Select an answer: A. conclude that the project is progressing as planned since dates are being met. B. question the project manager further to identify whether overtime costs are being tracked accurately. C. conclude that the programmers are intentionally working slowly to earn extra overtime pay. D. investigate further to determine whether the project plan may not be accurate.

3.2 You are correct, the answer is D. While the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project plan is based on a certain number of hours, and requiring programmers to work considerable overtime is not a best practice. While overtime costs may be an indicator that something is wrong with the plan, in many organizations the programming staff may be salaried, so overtime costs may not be directly recorded. It is possible that the programmers are trying to take advantage of the time system, but if they are not paid extra for overtime, they may not want to work the extra hours.

When reviewing an active project, an IS auditor observed that the business case was no longer valid because of a reduction in anticipated benefits and increased costs. The IS auditor should recommend that the: Select an answer: A. project be discontinued. B. business case be updated and possible corrective actions be identified. C. project be returned to the project sponsor for reapproval. D. project be completed and the business case be updated later.

3.3 The correct answer is B. An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case. The IS auditor should recommend that the business case be kept current throughout the project since it is a key input to decisions made throughout the life of any project.

Which of the following BEST helps ensure that deviations from the project plan are identified? Select an answer: A. A project management framework B. A project management approach C. A project resource plan D. Project performance criteria

3.3 You answered C. The correct answer is D. A. Establishment of a project management framework identifies the scope and boundaries of managing projects and the consistent method to be applied when initiating a project, but does not define the criteria used to measure project success. B. A project management approach defines guidelines for project management processes and deliverables, but does not define the criteria used to measure project success. C. A project resource plan defines the responsibilities, relationships, authorities and performance criteria of project team members, but does not wholly define the criteria used to measure project success. D. In order to identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success.

Assessing IT risk is BEST achieved by: A. evaluating threats associated with existing IT assets and IT projects. B. using the firm's past actual loss experience to determine current exposure. C. reviewing published loss statistics from comparable organizations. D. reviewing IT control weaknesses identified in audit reports.

3.4 The correct answer is A. To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk assessment process, but by themselves are not sufficient. Basing an assessment on past losses will not adequately reflect inevitable changes to the firm's IT assets, projects, controls and strategic environment. There are also likely to be problems with the scope and quality of the loss data available to be assessed. Comparable organizations will have differences in their IT assets, control environment and strategic circumstances. Therefore, their loss experience cannot be used to directly assess organizational IT risk. Control weaknesses identified during audits will be relevant in assessing threat exposure and further analysis may be needed to assess threat probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have recently been audited, and there may not be a sufficient assessment of strategic IT risk.

An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the testing phase be shortened. The project manager asks the IS auditor for recommendations to mitigate the risk associated with reduced testing. Which of the following is a suitable risk mitigation strategy? Select an answer: A. Test and release a pilot with reduced functionality. B. Fix and retest the highest-severity functional defects. C. Eliminate planned testing by the development team, and proceed straight to acceptance testing. D. Implement a testing tool to automate defect tracking.

3.4 The correct answer is A. Choice A reduces risk in a number of ways. Reduced functionality should result in fewer overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made available to a select group of users will reduce the risk associated with a full implementation. All of the benefits of releasing the system to the full user population will not be realized, but some benefits should start to flow. Additionally, some useful comments from real users should be obtained to guide what extra functionality and other improvements need to be included in a full release. Choice B is not correct. When testing starts, a significant amount of defects is likely to exist. Focusing only on the highest-severity functional defects runs the risk that other important aspects such as usability problems and nonfunctional requirements of performance and security will be ignored. The system may go live, but users may struggle to use the system as intended to realize business benefits. Choice C is usually a bad idea. Before system acceptance testing begins, some prior testing should occur to establish that the system is ready to proceed to acceptance evaluation. If prior testing by the development team does not occur, there is a considerable risk that the software will have a significant amount of low-level defects, such as transactions that cause the system to hang and unintelligible error messages. This can prove frustrating for users or testers tasked with acceptance testing and, ultimately, could cause the overall testing time to increase rather than decrease. Choice D could help in improving testing efficiency, but it does not address the fundamental risk caused by reducing the testing effort on a system in which quality is uncertain. Given the build problems experienced, there is reason to suspect that quality problems could exist.

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications? Select an answer: A. Applications may not be subject to testing and IT general controls. B. Development and maintenance costs may be increased. C. Application development time may be increased. D. Decision-making may be impaired due to diminished responsiveness to requests for information.

3.4 The correct answer is A. End-user computing is defined as the ability of end users to design and implement their own information system utilizing computer software products. End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications. EUC systems typically result in reduced application development and maintenance costs, and a reduced development cycle time. EUC systems normally increase flexibility and responsiveness to management's information requests.

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor? A. There are a growing number of emergency changes. B. There were instances when some jobs were not completed on time. C. There were instances when some jobs were overridden by computer operators. D. Evidence shows that only scheduled jobs were run.

3.4 The correct answer is C. The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical. The other options are not as critical because issues such as processing delays, errors or even emergency changes are acceptable as long as they are properly documented as part of the process.

A decision support system (DSS): Select an answer: A. is aimed at solving highly structured problems. B. combines the use of models with nontraditional data access and retrieval functions. C. emphasizes flexibility in the decision making approach of users. D. supports only structured decision making tasks.

3.4 The correct answer is C. DSS emphasizes flexibility in the decision making approach of users. It is aimed at solving less structured problems, combines the use of models and analytic techniques with traditional data access and retrieval functions, and supports semistructured decision making tasks.

Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds? Select an answer: A. Generalized audit software (GAS) B. Integrated test facility C. Systems control audit review file (SCARF) D. Snapshots

3.4 You answered A. The correct answer is C. SCARF works using predetermined exceptions. The constituents of "exceptions" have to be defined for the software to trap. GAS is a data analytic tool that does not require preset information. The integrated test facility tests the processing of the data and cannot be used to monitor real-time transactions. Snapshots take pictures of information observed in the execution of program logic.

Information for detecting unauthorized input from a terminal would be BEST provided by the: Select an answer: A. console log printout. B. transaction journal. C. automated suspense file listing. D. user error report.

3.4 You answered C. The correct answer is B. The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it would not record activity from a specific terminal. An automated suspense file listing would only list transaction activity where an edit error occurred, while the user error report would only list input that resulted in an edit error.

Which of the following would BEST help to detect errors in data processing? Select an answer: A. Programmed edit checks B. Well-designed data entry screens C. Segregation of duties D. Hash totals

3.4 You answered C. The correct answer is D. The use of hash totals is an effective method to reliably detect errors in data processing. Automated controls such as programmed edit checks or well-designed data entry screens are preventive controls. Enforcing segregation of duties primarily ensures that a single individual does not have the authority to both create and approve a transaction; this is not considered to be a method to detect errors, but a method to help prevent errors.

Which of the following is an advantage of the top-down approach to software testing? Select an answer: A. Interface errors are identified early. B. Testing can be started before all programs are complete. C. It is more effective than other testing approaches. D. Errors in critical modules are detected sooner.

3.4 You answered D. The correct answer is A. The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the environment being tested. Choices B and D are advantages of the bottom-up approach to system testing.

A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process? Select an answer: A. Whether key controls are in place to protect assets and information resources B. If the system addresses corporate customer requirements C. Whether the system can meet the performance goals (time and resources) D. Whether owners have been identified who will be responsible for the process

3.4 You answered D. The correct answer is A. The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. Choices B, C and D are objectives that the BPR process should achieve, but they are not the auditor's primary concern.

An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: Select an answer: A. check to ensure that the type of transaction is valid for the card type. B. verify the format of the number entered, then locate it on the database. C. ensure that the transaction entered is within the cardholder's credit limit. D. confirm that the card is not shown as lost or stolen on the master file.

3.4 You answered D. The correct answer is B. The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number (PIN) entered by the user. Based on this initial validation, all other validations will proceed. A validation control in data capture will ensure that the data entered are valid (i.e., can be processed by the system). If the data captured in the initial validation are not valid (if the card number or PIN do not match with the database), then the card will be rejected or captured per the controls in place. Once initial validation is completed, other validations specific to the card and cardholder would be performed.

Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse? Select an answer: A. Accuracy of the source data B. Credibility of the data source C. Accuracy of the extraction rocess D. Accuracy of the data transformation

3.4 You are correct, the answer is A. Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Credibility of the data source, accurate extraction processes and accurate transformation routines are all important, but would not change inaccurate data into quality (accurate) data.

An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the testing phase be shortened. The project manager asks the IS auditor for recommendations to mitigate the risk associated with reduced testing. Which of the following is a suitable risk mitigation strategy? Select an answer: A. Test and release a pilot with reduced functionality. B. Fix and retest the highest-severity functional defects. C. Eliminate planned testing by the development team, and proceed straight to acceptance testing. D. Implement a testing tool to automate defect tracking.

3.4 You are correct, the answer is A. Choice A reduces risk in a number of ways. Reduced functionality should result in fewer overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made available to a select group of users will reduce the risk associated with a full implementation. All of the benefits of releasing the system to the full user population will not be realized, but some benefits should start to flow. Additionally, some useful comments from real users should be obtained to guide what extra functionality and other improvements need to be included in a full release. Choice B is not correct. When testing starts, a significant amount of defects is likely to exist. Focusing only on the highest-severity functional defects runs the risk that other important aspects such as usability problems and nonfunctional requirements of performance and security will be ignored. The system may go live, but users may struggle to use the system as intended to realize business benefits. Choice C is usually a bad idea. Before system acceptance testing begins, some prior testing should occur to establish that the system is ready to proceed to acceptance evaluation. If prior testing by the development team does not occur, there is a considerable risk that the software will have a significant amount of low-level defects, such as transactions that cause the system to hang and unintelligible error messages. This can prove frustrating for users or testers tasked with acceptance testing and, ultimately, could cause the overall testing time to increase rather than decrease. Choice D could help in improving testing efficiency, but it does not address the fundamental risk caused by reducing the testing effort on a system in which quality is uncertain. Given the build problems experienced, there is reason to suspect that quality problems could exist.

A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process? Select an answer: A. Whether key controls are in place to protect assets and information resources B. If the system addresses corporate customer requirements C. Whether the system can meet the performance goals (time and resources) D. Whether owners have been identified who will be responsible for the process

3.4 You are correct, the answer is A. The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. Choices B, C and D are objectives that the BPR process should achieve, but they are not the auditor's primary concern.

Which of the following is an advantage of prototyping? Select an answer: A. The finished system normally has strong internal controls. B. Prototype systems can provide significant time and cost savings. C. Change control is often less complicated with prototype systems. D. It ensures that functions or extras are not added to the intended system.

3.4 You are correct, the answer is B. Prototype systems can provide significant time and cost savings; however, they also have several disadvantages. They often have poor internal controls, change control becomes much more complicated, and it often leads to functions or extras being added to the system that were not originally intended.

Which of the following is MOST critical when creating data for testing the logic in a new or modified application system? Select an answer: A. A sufficient quantity of data for each test case B. Data representing conditions that are expected in actual processing C. Completing the test on schedule D. A random sample of actual data

3.4 You are correct, the answer is B. Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity. It is more important to have adequate test data than to complete the testing on schedule. It is unlikely that a random sample of actual data would cover all test conditions and provide a reasonable representation of actual data.

Which of the following controls helps prevent duplication of vouchers during data entry? Select an answer: A. A range check B. Transposition and substitution C. A sequence check D. A cyclic redundancy check (CRC)

3.4 You are correct, the answer is C. A sequence check involves increasing the order of numbering and would validate whether the vouchers are in sequence and, thus, prevent duplicate vouchers. A range check works over a range of numbers. Even if the same voucher number reappears, it will satisfy the range and, therefore, not be useful. Transposition and substitution are used in encoding, but will not help in establishing unique voucher numbers. A CRC is used for completeness of data received over the network, but is not useful in application code level validations.

An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the: Select an answer: A. EDI trading partner agreements. B. physical controls for terminals. C. authentication techniques for sending and receiving messages. D. program change control procedures.

3.4 You are correct, the answer is C. Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions. The EDI trading partner agreements would minimize exposure to legal issues.

Ideally, stress testing should be carried out in a: Select an answer: A. test environment using test data. B. production environment using live workloads. C. test environment using live workloads. D. production environment using test data.

3.4 You are correct, the answer is C. Stress testing is carried out to ensure a system can cope with production workloads. A test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in a production environment (choices B and D), and if only test data is used, there is no certainty that the system was stress tested adequately.

An advantage in using a bottom-up vs. a top-down approach to software testing is that: Select an answer: A. interface errors are detected earlier. B. confidence in the system is achieved earlier. C. errors in critical modules are detected earlier. D. major functions and processing are tested earlier.

3.4 You are correct, the answer is C. The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantages of using a bottom-up approach to software testing are the fact that there is no need for stubs or drivers and errors in critical modules are found earlier. The other choices in this question all refer to advantages of a top-down approach, which follows the opposite path, either in depth-first or breadth-first search order.

During the development of an application, quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be: Select an answer: A. increased maintenance. B. improper documentation of testing. C. inadequate functional testing. D. delays in problem resolution.

3.4 You are correct, the answer is C. The major risk of combining quality assurance testing and user acceptance testing is that functional testing may be inadequate. Choices A, B and D are not as important.

In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as: Select an answer: A. isolation. B. consistency. C. atomicity. D. durability.

3.4 You are correct, the answer is C. The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out. Consistency ensures that all integrity conditions in the database be maintained with each transaction. Isolation ensures that each transaction is isolated from other transactions; hence, each transaction only accesses data that are part of a consistent database state. Durability ensures that, when a transaction has been reported back to a user as complete, the resultant changes to the database will survive subsequent hardware or software failures.

During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST: Select an answer: A. test the software for compatibility with existing hardware. B. perform a gap analysis. C. review the licensing policy. D. ensure that the procedure had been approved.

3.4 You are correct, the answer is D. In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities. The other choices are not the first actions an IS auditor should take. They are steps that may or may not be taken after determining that the procedure used to acquire the software had been approved.

When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated? Select an answer: A. Using a cryptographic hashing algorithm B. Enciphering the message digest C. Deciphering the message digest D. Using a sequence number and time stamp

3.4 You are correct, the answer is D. When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection, and could be used to verify that a payment instruction was not duplicated. Use of a cryptographic hashing algorithm against the entire message helps achieve data integrity. Enciphering the message digest using the sender's private key, which signs the sender's digital signature to the document, helps in authenticating the transaction. When the message is deciphered by the receiver using the sender's public key, it ensures that the message could only have come from the sender. This process of sender authentication achieves nonrepudiation.

Which of the following should be included in a feasibility study for a project to implement an electronic data interchange (EDI) process? Select an answer: A. The encryption algorithm format B. The detailed internal control procedures C. The necessary communication protocols D. The proposed trusted third-party agreement

3.4. The correct answer is C. Encryption algorithms, third-party agreements and internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. The communications protocols must be included, as there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization.

An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a: Select an answer: A. correlation of semantic characteristics of the data migrated between the two systems. B. correlation of arithmetic characteristics of the data migrated between the two systems. C. correlation of functional characteristics of the processes between the two systems. D. relative efficiency of the processes between the two systems.

3.5 The correct answer is A. Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data is the same in the new as it was in the old system. Arithmetic characteristics represent aspects of data structure and internal definition in the database, and therefore are less important than the semantic characteristics. A review of the correlation of the functional characteristics or a review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as: Select an answer: A. rules. B. decision trees. C. semantic nets. D. dataflow diagrams.

3.5 The correct answer is B. Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented? Select an answer: A. The reporting of the mean time between failures over time B. The overall mean time to repair failures C. The first report of the mean time between failures D. The overall response time to correct failures

3.5 The correct answer is C. A. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues. B. The mean time to repair is a reflection on the response team or help desk team in addressing reported issues. C. The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented. D. The response time is a reflection of the agility of the response team or the help desk team in addressing reported issues.

During which phase of software application testing should an organization perform the testing of architectural design? Select an answer: A. Acceptance testing B. System testing C. Integration testing D. Unit testing

3.5 You answered B. The correct answer is C. Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure according to the design. Acceptance testing determines whether the solution meets the requirements of the business and is performed after system staff have completed the initial system test. This testing includes both quality assurance testing (QAT) and user acceptance testing (UAT), although not combined. System testing relates a series of tests by the test team or system maintenance staff to ensure that the modified program interacts correctly with other components. System testing references the functional requirements of the system. Unit testing references the detailed design of the system and uses a set of cases that focus on the control structure of the procedural design to ensure that the internal operation of the program performs according to specification.

The reason a certification and accreditation process is performed on critical systems is to ensure that: Select an answer: A. security compliance has been technically evaluated. B. data have been encrypted and are ready to be stored. C. the systems have been tested to run on different platforms. D. the systems have followed the phases of a waterfall model.

3.5 You answered D. The correct answer is A. Certified and accredited systems are systems that have had their security compliance technically evaluated for running on a specific production server. Choice B is incorrect because not all data of certified systems are encrypted. Choice C is incorrect because certified systems are evaluated to run in a specific environment. A waterfall model is a software development methodology and not a reason for performing a certification and accrediting process.

An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform? Select an answer: A. Program output testing B. System configuration C. Program logic specification D. Performance tuning

3.5 You are correct, the answer is A. A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user. System configuration is usually too technical to be accomplished by a user and this situation could create security issues. Program logic specification is a very technical task that is normally performed by a programmer. Performance tuning also requires high levels of technical skill and will not be effectively accomplished by a user. In addition, choices B, C and D could introduce a segregation of duties issue.

An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the GREATEST concern? Select an answer: A. The implementation phase of the project has no backout plan. B. User acceptance testing (UAT) was not properly documented. C. Software functionality tests were completed, but stress testing was not performed. D. The go-live date is over a holiday weekend when key IT staff are on vacation.

3.5 You are correct, the answer is A. A. One of the benefits of deploying a new system in parallel with an existing system is that the original system can always be used as a backout plan. In an immediate cutover scenario, not having a backout plan can create significant issues because it can take considerable time and cost to restore operations to the prior state if there is no viable plan to do so. B. The documentation of UAT is a much less important concern than not having a viable backout plan; therefore, this is not the correct answer. C. The lack of stress testing is a much less important concern than not having a viable backout plan; therefore, this is not the correct answer. D. If there are support issues, having the go-live date happen over a holiday weekend may create some delays, but project managers should account for this to ensure that the required staff are available as needed. The greater risk is if there is no backout plan.

An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a: Select an answer: A. correlation of semantic characteristics of the data migrated between the two systems. B. correlation of arithmetic characteristics of the data migrated between the two systems. C. correlation of functional characteristics of the processes between the two systems. D. relative efficiency of the processes between the two systems.

3.5 You are correct, the answer is A. Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data is the same in the new as it was in the old system. Arithmetic characteristics represent aspects of data structure and internal definition in the database, and therefore are less important than the semantic characteristics. A review of the correlation of the functional characteristics or a review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

Which of the following situations would increase the likelihood of fraud? Select an answer: A. Application programmers are implementing changes to production programs. B. Application programmers are implementing changes to test programs. C. Operations support staff are implementing changes to batch schedules. D. Database administrators are implementing changes to data structures.

3.5 You are correct, the answer is A. Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data. Application programmers are required to implement changes to test programs. These are used only in development and do not directly impact the live processing of data. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database.

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as: Select an answer: A. rules. B. decision trees. C. semantic nets. D. dataflow diagrams.

3.5 You are correct, the answer is B. Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.

At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should: Select an answer: A. report the error as a finding and leave further exploration to the auditee's discretion. B. attempt to resolve the error. C. recommend that problem resolution be escalated. D. ignore the error, as it is not possible to get objective evidence for the software error.

3.5 You are correct, the answer is C. When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted. Recording it as a minor error and leaving it to the auditee's discretion would be inappropriate, and neglecting the error would indicate that the IS auditor has not taken steps to further probe the issue to its logical end.

An appropriate control for ensuring the authenticity of orders received in an electronic data interchange (EDI) system application is to: Select an answer: A. acknowledge receipt of electronic orders with a confirmation message. B. perform reasonableness checks on quantities ordered before filling orders. C. verify the identity of senders and determine if orders correspond to contract terms. D. encrypt electronic orders.

3.5 You are correct, the answer is C. An EDI system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern. Acknowledging the receipt of electronic orders with a confirming message is good practice but will not authenticate orders from customers. Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the company's orders, not the authenticity of its customers' orders. Encrypting sensitive messages is an appropriate step but does not apply to messages received.

During which phase of software application testing should an organization perform the testing of architectural design? Select an answer: A. Acceptance testing B. System testing C. Integration testing D. Unit testing

3.5 You are correct, the answer is C. Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure according to the design. Acceptance testing determines whether the solution meets the requirements of the business and is performed after system staff have completed the initial system test. This testing includes both quality assurance testing (QAT) and user acceptance testing (UAT), although not combined. System testing relates a series of tests by the test team or system maintenance staff to ensure that the modified program interacts correctly with other components. System testing references the functional requirements of the system. Unit testing references the detailed design of the system and uses a set of cases that focus on the control structure of the procedural design to ensure that the internal operation of the program performs according to specification.

Which of the following is an implementation risk within the process of decision support systems (DSSs)? Select an answer: A. Management control B. Semistructured dimensions C. Inability to specify purpose and usage patterns D. Changes in decision processes

3.5 You are correct, the answer is C. The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a DSS. Choices A, B and D are not types of risk, but characteristics of a DSS.

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live? Select an answer: A. IS auditor B. Database administrator C. Project manager D. Data owner

3.5 You are correct, the answer is D. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted data. However, an IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project. A database administrator's primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data. A project manager provides day-to-day management and leadership of the project, but is not responsible for the accuracy and integrity of the data.

What kind of software application testing is considered the final stage of testing and typically includes users outside the development team? Select an answer: A. Alpha testing B. White box testing C. Regression testing D. Beta testing

3.5. You are correct, the answer is D. Beta testing is the final stage of testing and typically includes users outside the development area. Beta testing is a form of user acceptance testing (UAT), and generally involves a limited number of users who are external to the development effort. Alpha testing is the testing stage just before beta testing. Alpha testing is typically performed by programmers and business analysts, instead of users. Alpha testing is used to identify bugs or glitches that can be fixed before beta testing begins with external users. White box testing is performed much earlier in the software development life cycle than alpha or beta testing. White box testing is used to assess the effectiveness of software program logic, where test data are used to determine procedural accuracy of the programs being tested. In other words, does the program operate the way it's supposed to, at a functional level? White box testing does not typically involve external users. Regression testing is the process of re-running a portion of a test scenario to ensure that changes or corrections have not introduced more errors. In other words, the same tests are run after multiple successive program changes to ensure that the "fix" for one problem did not "break" another part of the program. Regression testing is not the last stage of testing and does not typically involve external users.

Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a postimplementation focus should be to: A. assess whether the planned cost benefits are being measured, analyzed and reported. B. review control balances and verify that the system is processing data accurately. C. review subsequent program change requests for the first phase. D. determine whether the system's objectives were achieved.

3.6 You answered D. The correct answer is C. Since management is aware that the project had problems, reviewing the subsequent fixes will provide insight into the types and potential causes of the project issues. This will help to identify whether IT has adequately planned for those issues in the subsequent phases. While all choices are valid, the postimplementation focus and primary objective should be assuring that the issues of the initial phase are addressed.

An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that: Select an answer: A. effective preventive controls are enforced. B. system integrity is ensured. C. errors can be corrected in a timely fashion. D. fraud can be detected more quickly.

3.6 You are correct, the answer is D. A. Continuous monitoring is detective in nature, and therefore does not necessarily assist the IS auditor in monitoring for preventive controls. The approach will detect and monitor for errors that have already occurred. In addition, continuous monitoring will benefit the internal audit function in reducing the use of auditing resources and in the timely reporting of errors or inconsistencies. B. System integrity is typically associated with preventive controls such as input controls and quality assurance reviews. These controls do not typically benefit an internal auditing function implementing continuous monitoring. Continuous monitoring benefits the internal audit function because it reduces the use of auditing resources. C. Error identification and handling is the primary responsibility of management. While audit's responsibility also is to find errors, audit can only report errors, not fix them. D. Continuous auditing techniques assist the auditing function in reducing the use of auditing resources through continuous collection of evidence. This approach assists IS auditors in identifying fraud in a timely fashion and allows auditors to focus on relevant data.

Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected higher: Select an answer: A. downtime costs. B. resumption costs. C. recovery costs. D. walk-through costs.

4.1 The correct answer is A. Because management considered a longer time window for recovery in plan B, downtime costs included in the plan are likely to be higher. Because the recovery time for plan B is longer, resumption and recovery costs can be expected to be lower. Walk-through costs are not a part of disaster recovery.

Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of: Select an answer: A. pre-BPR process flowcharts. B. post-BPR process flowcharts. C. BPR project plans. D. continuous improvement and monitoring plans.

4.1 You answered C. The correct answer is B. An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process. Choice A is incorrect because an IS auditor must review the process as it is today, not as it was in the past. Choices C and D are incorrect because they are steps within a BPR project.

Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime? Select an answer: A. Utilization reports B. Hardware error reports C. System logs D. Availability reports

4.1 You answered C. The correct answer is D. IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for utilization by users or other processes. Utilization reports document the use of computer equipment, and can be used by management to predict how/where/when resources are required. Hardware error reports provide information to aid in detecting hardware failures and initiating corrective action. System logs are a recording of the system's activities.

Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network? Select an answer: A. The use of diskless workstations B. Periodic checking of hard drives C. The use of current antivirus software D. Policies that result in instant dismissal if violated

4.1 You are correct, the answer is B. The periodic checking of hard drives would be the most effective method of identifying illegal software packages loaded to the network. Antivirus software will not necessarily identify illegal software, unless the software contains a virus. Diskless workstations act as a preventive control and are not effective, since users could still download software from other than diskless workstations. Policies lay out the rules about loading the software, but will not detect the actual occurrence.

When reviewing the configuration of network devices, an IS auditor should FIRST identify: Select an answer: A. the best practices for the type of network devices deployed. B. whether components of the network are missing. C. the importance of the network devices in the topology. D. whether subcomponents of the network are being used appropriately.

4.1 You are correct, the answer is C. The first step is to understand the importance and role of the network device within the organization's network topology. After understanding the devices in the network, the best practice for using the device should be reviewed to ensure that there are no anomalies within the configuration. Identification of which component or subcomponent is missing or being used inappropriately can only be known upon reviewing and understanding the topology and the best practice for deployment of the device in the network.

Which of the following BEST limits the impact of server failures in a distributed environment? Select an answer: A. Redundant pathways B. Clustering C. Dial backup lines D. Standby power

4.10 The correct answer is B. Clustering allows two or more servers to work as a unit, so that when one of them fails, the other takes over. Choices A and C are intended to minimize the impact of channel communications failures, but not a server failure. Choice D provides an alternative power source in the event of an energy failure.

An offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a: Select an answer: A. cold site. B. warm site. C. dial-up site. D. duplicate processing facility.

4.10 You answered D. The correct answer is A. A cold site is ready to receive equipment but does not offer any components at the site in advance of the need. A warm site is an offsite backup facility that is partially configured with network connections and selected peripheral equipment—such as disk and tape units, controllers and central processing units (CPUs)—to operate an information processing facility. A duplicate information processing facility is a dedicated, self-developed recovery site that can back up critical applications.

An IS auditor notes during an audit that an organization's business continuity plan (BCP) does not adequately address information confidentiality during the recovery process. The IS auditor should recommend that the plan be modified to include: Select an answer: A. the level of information security required when business recovery procedures are invoked. B. information security roles and responsibilities in the crisis management structure. C. information security resource requirements. D. change management procedures for information security that could affect business continuity arrangements.

4.10 You answered D. The correct answer is A. Business should consider whether information security levels required during recovery should be the same, lower or higher than when business is operating normally. In particular, any special rules for access to confidential data during a crisis need to be identified. The other choices do not directly address the information confidentiality issue.

While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be: Select an answer: A. shadow file processing. B. electronic vaulting. C. hard-disk mirroring. D. hot-site provisioning.

4.10 You answered D. The correct answer is A. In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files, such as airline booking systems. Electronic vaulting electronically transmits data either to direct access storage, an optical disc or another storage medium; this is a method used by banks. Hard-disk mirroring provides redundancy in case the primary hard disk fails. All transactions and operations occur on two hard disks in the same server. A hot site is an alternate site ready to take over business operations within a few hours of any business interruption and is not a method for backing up data.

Recovery procedures for an information processing facility are BEST based on: A. recovery time objective (RTO). B. recovery point objective (RPO). C. maximum tolerable outage (MTO). D. information security policy.

4.10 You are correct, the answer is A. A. The RTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it does not determine acceptable data loss. B. The RPO has the greatest influence on the recovery strategies for given data. It is determined based on the acceptable data loss in case of a disruption of operations. The RPO effectively quantifies the permissible amount of data loss in case of interruption. C. MTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it does not have a direct influence on data recovery. D. An information security policy does not address recovery procedures.

While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be: Select an answer: A. shadow file processing. B. electronic vaulting. C. hard-disk mirroring. D. hot-site provisioning.

4.10 You are correct, the answer is A. In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files, such as airline booking systems. Electronic vaulting electronically transmits data either to direct access storage, an optical disc or another storage medium; this is a method used by banks. Hard-disk mirroring provides redundancy in case the primary hard disk fails. All transactions and operations occur on two hard disks in the same server. A hot site is an alternate site ready to take over business operations within a few hours of any business interruption and is not a method for backing up data.

Network Data Management Protocol (NDMP) technology should be used for backup if: Select an answer: A. a network attached storage (NAS) appliance is required. B. the use of TCP/IP must be avoided. C. file permissions that cannot be handled by legacy backup systems must be backed up. D. backup consistency over several related data volumes must be ensured.

4.10 You are correct, the answer is A. NDMP defines three kind of services: 1. A data service that interfaces with the primary storage to be backed up or restored 2. A tape service that interfaces with the secondary storage (primarily a tape device) 3. A translator service performing translations including multiplexing multiple data streams into one data stream and vice versa. NDMP services interact with each other. The result of this interaction is the establishment of an NDMP control session if the session is being used to achieve control for the backup or restore operation. It would result in an NDMP data session if the session is being used to transfer actual file system or volume data (including metadata). Control sessions are always TCP/IP-based, but data streams can be TCP/IP-based or storage area network (SAN)-based. NDMP is more or less network attached storage-centric (NAS-centric) and defines a way to back up and restore data from a device, such as a NAS appliance, on which it is difficult to install a backup software agent. In the absence of NDMP, these data must be backed up as a shared drive on the local area network (LAN), which is accessed via network file protocols such as Common Internet File System (CIFS) or Network File System (NFS), degrading backup performance. NDMP works on a block level for transferring payload data (file content) but metadata and traditional file system information needs to be handled by legacy backup systems that initiate NDMP data movement. NDMP does not know about nor take care of consistency issues regarding related volumes (e.g., a volume to store database files, a volume to store application server data and a volume to store web server data). NDMP can be used to do backups in such an environment (e.g., SAP), but the logic required must be either put into a dedicated piece of software or must be scripted into the legacy backup software.

Which of the following ensures the availability of transactions in the event of a disaster? Select an answer: A. Send tapes hourly containing transactions offsite. B. Send tapes daily containing transactions offsite. C. Capture transactions to multiple storage devices. D. Transmit transactions offsite in real time.

4.10. The correct answer is D. The only way to ensure availability of all transactions is to perform a real-time transmission to an offsite facility. Choices A and B are not in real time and, therefore, would not include all the transactions. Choice C does not ensure availability at an offsite location.

Which of the following is MOST important to ensure business continuity? Select an answer: A. Current contact information for key employees B. Backup data C. Access to funds for short-term needs D. Alternate processing site

4.11 The correct answer is B. Data are the most important of all options listed, and without data, a business cannot recover. Contact details are important as a first step, but cannot ensure business continuity. Access to funds for short-term needs is important and required for a temporary period to look after the recovery team's requirements, but not as critical as having backup data. Without backup data, an alternate processing site is of limited value.

A lower recovery time objective (RTO) results in: Select an answer: A. higher disaster tolerance. B. higher cost. C. wider interruption windows. D. more permissive data loss.

4.11 The correct answer is B. RTO is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies. The lower the disaster tolerance, the narrower the interruption windows, and the lesser the permissive data loss.

IT management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend: Select an answer: A. upgrading to a level 5 RAID. B. increasing the frequency of onsite backups. C. reinstating the offsite backups. D. establishing a cold site in a secure location.

4.11 The correct answer is C. A RAID system, at any level, will not protect against a natural disaster. The problem will not be alleviated without offsite backups, more frequent onsite backups or even setting up a cold site. Choices A, B and D do not compensate for the lack of offsite backup.

Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test? Select an answer: A. Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year. B. During the test it was noticed that some of the backup systems were defective or not working, causing the test of these systems to fail. C. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned. D. Every year, the same employees perform the test. The recovery plan documents are not used since every step is well known by all participants.

4.11 The correct answer is D. A disaster recovery test should test the plan, processes, people and IT systems. Therefore, if the plan is not used, its accuracy and adequacy cannot be verified. Disaster recovery should not rely on key staff since a disaster can occur when they are not available. It is common that not all systems can be tested in a limited test time frame. It is important, however, that those systems which are essential to the business are tested, and that the other systems are eventually tested throughout the year. One aim of the test is to identify and replace defective devices so that all systems can be replaced in the case of a disaster. Choice B would only be a concern if the number of discovered problems is systematically very high. In a real disaster, there is no need for a clean shutdown of the original production environment since the first priority is to bring the backup site up.

A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the: Select an answer: A. system and the IT operations team can sustain operations in the emergency environment. B. resources and the environment could sustain the transaction load. C. connectivity to the applications at the remote site meets response time requirements. D. workflow of actual business operations can use the emergency system in case of a disaster.

4.11 You answered B. The correct answer is A. The applications have been intensively operated; therefore, choices B, C and D have been actually tested, but the capability of the system and the IT operations team to sustain and support this environment (ancillary operations, batch closing, error corrections, output distribution, etc.) is only partially tested.

An IS auditor reviewing an organization's disaster recovery plan should PRIMARILY verify that it is: A. tested every six months. B. regularly reviewed and updated. C. approved by the chief executive officer (CEO). D. communicated to every department head in the organization.

4.11 You answered C. The correct answer is B. The plan should be reviewed at appropriate intervals, depending on the nature of the business and the rate of change of systems and personnel. Otherwise, it may become out of date and may no longer be effective. The plan must be subjected to regular testing, but the period between tests will again depend on the nature of the organization and the relative importance of IS. Three months or even annually may be appropriate in different circumstances. Although the disaster recovery plan should receive the approval of senior management, it need not be the CEO if another executive officer is equally or more appropriate. For a purely IS-related plan, the executive responsible for technology may have approved the plan. Similarly, although a business continuity plan is likely to be circulated throughout an organization, the IS disaster recovery plan will usually be a technical document and only relevant to IS and communications staff.

For a mission-critical application with a low recovery time objective (RTO), the IS auditor would recommend the use of which of the following recovery strategies? Select an answer: A. Mobile site B. Redundant site C. Hot site D. Reciprocal agreements

4.11 You answered C. The correct answer is B. A redundant site contains either duplicate mirror facilities that are online at all times or computing facilities of a reduced capacity that can process at the acceptable service delivery objective (SDO) requirement. The data are live—there are no delays waiting for files to be restored. This site is in full operation and able to take over processing within seconds or minutes. The mobile site is usually a trailer, configured so that it is equivalent to the level of a hot or warm site, which means that its recovery time is between hours and days. A hot site is similar to a redundant site except that it is offline when not in use. Data files will take several hours to load from backup tapes before the system can go live. A hot site is, therefore, capable of being in operation within hours. Reciprocal agreements are traditionally both unenforceable and unrealistic, and because of this, the time of recovery is not very fast, if possible at all.

Which of the following scenarios provides the BEST disaster recovery plan (DRP) to implement for critical applications? Select an answer: A. Daily data backups that are stored offsite and a hot site located 140 kilometers from the main data center B. Daily data backups that are stored onsite in a fireproof safe C. Real-time data replication between the main data center and the hot site located 500 meters from the main site D. Daily data backups that are stored offsite with a warm site located 70 kilometers from the main data center

4.11 You answered D. The correct answer is A. Of the given choices, choice A is the most suitable answer. The DRP includes a hot site that is located sufficiently away from the main data center and will allow recovery in the event of a major disaster. The other choices will not provide as complete a coverage as choice A. Choice C is incorrect because a hot site should be located more than 500 meters from the main facility.

An organization has a business process with a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to one minute. This implies that the process can tolerate: A. a data loss of up to one minute, but the processing must be continuous. B. a one-minute processing interruption but cannot tolerate any data loss. C. a processing interruption of one minute or more. D. both a data loss and a processing interruption longer than one minute.

4.11 You are correct, the answer is A. RTO measures an organization's tolerance for downtime and RPO measures how much data loss can be accepted. Choices B, C and D are incorrect since they exceed the RTO limits set by the scenario.

Due to changes in IT, the disaster recovery plan of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested? Select an answer: A. Catastrophic service interruption B. High consumption of resources C. Total cost of the recovery may not be minimized D. Users and recovery teams may face severe difficulties when activating the plan

4.11 You are correct, the answer is A. Choices B, C and D are all possible problems that might occur, and would cause difficulties and financial losses or waste of resources. However, if a new disaster recovery plan is not tested, the possibility of a catastrophic service interruption is the most critical of all risk.

When reviewing a disaster recovery plan (DRP), an IS auditor should be MOST concerned with the lack of: Select an answer: A. process owner involvement. B. well-documented testing procedures. C. an alternate processing facility. D. a well-documented data classification scheme.

4.11 You are correct, the answer is A. Process owner involvement is a critical part of the business impact analysis (BIA), which is used to create the DRP. If the IS auditor determined that process owners were not involved, this would be a significant concern. While well-documented testing procedures are important, unless process owners are involved there is no way to know whether the testing procedures are valid. An alternate processing facility may be a requirement to meet the needs of the business; however, such a decision needs to be based on the BIA. A data classification scheme is important to ensure that controls over data are appropriate; however, this is a lesser concern than a lack of process owner involvement.

An organization has a business process with a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to one minute. This implies that the process can tolerate: Select an answer: A. a data loss of up to one minute, but the processing must be continuous. B. a one-minute processing interruption but cannot tolerate any data loss. C. a processing interruption of one minute or more. D. both a data loss and a processing interruption longer than one minute.

4.11 You are correct, the answer is A. RTO measures an organization's tolerance for downtime and RPO measures how much data loss can be accepted. Choices B, C and D are incorrect since they exceed the RTO limits set by the scenario.

A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the: Select an answer: A. system and the IT operations team can sustain operations in the emergency environment. B. resources and the environment could sustain the transaction load. C. connectivity to the applications at the remote site meets response time requirements. D. workflow of actual business operations can use the emergency system in case of a disaster.

4.11 You are correct, the answer is A. The applications have been intensively operated; therefore, choices B, C and D have been actually tested, but the capability of the system and the IT operations team to sustain and support this environment (ancillary operations, batch closing, error corrections, output distribution, etc.) is only partially tested.

Which of the following would have the HIGHEST priority in a business continuity plan (BCP)? Select an answer: A. Resuming critical processes B. Recovering sensitive processes C. Restoring the site D. Relocating operations to an alternative site

4.11 You are correct, the answer is A. The resumption of critical processes has the highest priority as it enables business processes to begin immediately after the interruption and not later than the declared mean time between failure (MTBF). Recovery of sensitive processes refers to recovering the vital and sensitive processes that can be performed manually at a tolerable cost for an extended period of time and those that are not marked as high priority. Repairing and restoring the site to original status and resuming the business operations are time consuming operations and are not the highest priority. Relocating operations to an alternative site, either temporarily or permanently depending on the interruption, is a time consuming process; moreover, relocation may not be required.

An IS auditor is tasked to review the adequacy of an organization's technology recovery strategy. Which of the following factors would the auditor PRIMARILY review? Select an answer: A. Recovery time objective (RTO) B. Business impact analysis (BIA) C. Ability to recover from severe disaster D. Recovery point objective (RPO)

4.11 You are correct, the answer is B. The BIA identifies the financial, operational and service impacts that may result from a disruption in a business process or IT service and therefore the BIA is the primary driver for the technology recovery strategy. RTO is the requirement for how quickly a business process or an IT service must be restored after a disaster. The ability to recover from all types of incidents should be reviewed rather than the ability to recover from only the severe disaster scenario. The RPO is the point in time from which an organization must recover data.

To ensure structured disaster recovery, it is MOST important that the business continuity plan (BCP) and disaster recovery plan (DRP) are: Select an answer: A. stored at an alternate location. B. communicated to all users. C. tested regularly. D. updated regularly.

4.11 You are correct, the answer is C. If the BCP is tested regularly, the BCP/DRP team is adequately aware of the process and that helps in structured disaster recovery. Storing the BCP at an alternate location is useful in the case of complete site outage; however, the BCP is not useful during a disaster without adequate tests. Communicating to users is not of much use without actual tests. Even if the plan is updated regularly, it is of less use during an actual disaster if it is not adequately tested.

To address an organization's disaster recovery requirements, backup intervals should not exceed the: Select an answer: A. service level objective (SLO). B. recovery time objective (RTO). C. recovery point objective (RPO). D. maximum acceptable outage (MAO).

4.11 You are correct, the answer is C. RPO defines the point in time to which data must be restored after a disaster so as to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time frame. If service levels are not met, the usual consequences are penalty payments, not cessation of business. Organizations will try to set SLOs so as to meet established targets. The resulting time for the service level agreement (SLA) will usually be longer than the RPO. RTO defines the time period after the disaster in which normal business functionality needs to be restored. MAO is the maximum amount of system downtime that is tolerable. It can be used as a synonym for RTO. However, the RTO denotes an objective/target, while the MAO constitutes a vital necessity for an organization's survival.

An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as: Select an answer: A. critical. B. vital. C. sensitive. D. noncritical.

4.11 You are correct, the answer is C. Sensitive functions are best described as those that can be performed manually at a tolerable cost for an extended period of time. Critical functions are those that cannot be performed unless they are replaced by identical capabilities and cannot be replaced by manual methods. Vital functions refer to those that can be performed manually but only for a brief period of time; this is associated with lower costs of disruption than critical functions. Noncritical functions may be interrupted for an extended period of time at little or no cost to the company, and require little time or cost to restore.

An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing? Select an answer: A. A clause providing a "right to audit" service provider B. A clause defining penalty payments for poor performance C. Predefined service level report templates D. A clause regarding supplier limitation of liability

4.2 The correct answer is A. The absence of a "right to audit" clause would potentially prevent the auditor from investigating any aspect of supplier performance moving forward, including control deficiencies, poor performance and adherence to legal requirements. This would be a major concern for the auditor since it would be difficult for the organization to assess whether the appropriate controls had been put in place. While a clear definition of penalty payment terms is desirable, not all contracts require the payment of penalties for poor performance and, when performance penalties are required, these penalties are often subject to negotiation on a case-by-case basis. As such, the absence of this information would not be as significant as choice A. Choice C is not correct because, while the inclusion of service level report templates would be desirable, as long as the requirement for service level reporting is included in the contract, the absence of predefined templates for reporting is not a significant concern. The absence of a limitation of liability clause for the service provider would, theoretically, expose the provider to unlimited liability. This would be to the advantage of the company so, while the IS auditor might highlight the absence of such a clause, it would not constitute a major concern.

During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST? Select an answer: A. Postpone the audit until the agreement is documented. B. Report the existence of the undocumented agreement to senior management. C. Confirm the content of the agreement with both departments. D. Draft a service level agreement (SLA) for the two departments.

4.2 The correct answer is C. An IS auditor should first confirm and understand the current practice before making any recommendations. The agreement can be documented after it has been established that there is an agreement in place. The fact that there is not a written agreement does not justify postponing the audit, and reporting to senior management is not necessary at this stage of the audit. Drafting an SLA is not the IS auditor's responsibility.

The PRIMARY objective of service-level management (SLM) is to: Select an answer: A. define, agree on, record and manage the required levels of service. B. ensure that services are managed to deliver the highest achievable level of availability. C. keep the costs associated with any service at a minimum. D. monitor and report any legal noncompliance to business management.

4.2 You are correct, the answer is A. The objective of SLM is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services. This does not necessarily ensure that services are delivered at the highest achievable level of availability (e.g., redundancy and clustering). Although maximizing availability might be necessary for some critical services, it cannot be applied as a general rule of thumb. SLM cannot ensure that costs for all services will be kept at a low or minimum level since costs associated with a service will directly reflect the customer's requirements. Monitoring and reporting legal noncompliance is not a part of SLM.

An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement (SLA)? Select an answer: A. Overall number of users supported B. Percentage of incidents solved in the first call C. Number of incidents reported to the help desk D. Number of agents answering the phones

4.2. You are correct, the answer is B. Since it is about service level (performance) indicators, the percentage of incidents solved on the first call is the only option that is relevant. Choices A, C and D are not quality measures of the help desk service.

Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget? Select an answer: A. A hot site maintained by the business B. A commercial cold site C. A reciprocal arrangement between its offices D. A third-party hot site

4.3 The correct answer is C. For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate. Each office could be designated as a recovery site for some other office. This would be the least expensive approach to providing an acceptable level of confidence. A hot site maintained by the business would be a costly solution but would provide a high degree of confidence. Multiple cold sites leased for the multiple offices would lead to a costly solution with a high degree of confidence. A third-party facility for recovery is provided by a traditional hot site. This would be a costly approach providing a high degree of confidence.

In a contract with a hot, warm or cold site, contractual provisions should PRIMARILY cover which of the following considerations? Select an answer: A. Physical security measures B. Total number of subscribers C. Number of subscribers permitted to use a site at one time D. References by other users

4.3 You answered A. The correct answer is C. The contract should specify the number of subscribers permitted to use the site at any one time. Physical security measures are not always part of the contract, although they are an important consideration when choosing a third-party site. The total number of subscribers is not a consideration; what is important is whether the agreement limits the number of subscribers in a building or in a specific area. The references that other users can provide are a consideration taken before signing the contract; it is by no means part of the contractual provisions.

Which of the following is the GREATEST concern when an organization's backup facility is at a warm site? Select an answer: A. Timely availability of hardware B. Availability of heat, humidity and air conditioning equipment C. Adequacy of electrical power connections D. Effectiveness of the telecommunications network

4.3 You answered B. The correct answer is A. A warm site has the basic infrastructure facilities implemented, such as power, air conditioning and networking, but is normally lacking computing equipment. Therefore, the availability of hardware becomes a primary concern.

Which of the following is the GREATEST concern when an organization's backup facility is at a warm site? Select an answer: A. Timely availability of hardware B. Availability of heat, humidity and air conditioning equipment C. Adequacy of electrical power connections D. Effectiveness of the telecommunications network

4.3 You are correct, the answer is A. A warm site has the basic infrastructure facilities implemented, such as power, air conditioning and networking, but is normally lacking computing equipment. Therefore, the availability of hardware becomes a primary concern.

To verify that the correct version of a data file was used for a production run, an IS auditor should review: Select an answer: A. operator problem reports. B. operator work schedules. C. system logs. D. output distribution reports.

4.4 You are correct, the answer is C. System logs are automated reports which identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The auditor can then carry out tests to ensure that the correct file version was used for a production run. Operator problem reports are used by operators to log computer operation problems. Operator work schedules are maintained to assist in human resources planning. Output distribution reports identify all application reports generated and their distribution.

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs: Select an answer: A. periodic review of user activities logs. B. verification of user authorization at the field level. C. review of data communication access activities logs. D. periodic review of changing data files.

4.5 You answered B. The correct answer is A. General operating system access control functions include logging user activities, events, etc. Choice B is a database- and/or an application-level access control function. Choice C is a network control feature. Choice D is a change control.

Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by: Select an answer: A. database integrity checks. B. validation checks. C. input controls. D. database commits and rollbacks.

4.6 You answered A. The correct answer is D. Database commits ensure the data are saved to disk, while the transaction processing is underway or complete. Rollback ensures that the already completed processing is reversed back, and the data already processed are not saved to the disk in the event of the failure of the completion of the transaction processing. All other options do not ensure integrity while processing is underway.

In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table? A. Foreign key B. Primary key C. Secondary key D. Public key

4.6 You answered D. The correct answer is A. In a relational database with referential integrity, the use of foreign keys would prevent events such as primary key changes and record deletions, resulting in orphaned relations within the database. It should not be possible to delete a row from a customer table when the customer number (primary key) of that row is stored with live orders on the orders table (the foreign key to the customer table). A primary key works in one table, so it is not able to provide/ensure referential integrity by itself. Secondary keys that are not foreign keys are not subject to referential integrity checks. Public key is related to encryption and not linked in any way to referential integrity.

During maintenance of a relational database, several values of the foreign key in a transaction table have been corrupted. The consequence is that: Select an answer: A. the detail of involved transactions may no longer be associated with master data, causing errors when these transactions are processed. B. there is no way of reconstructing the lost information, except by deleting the dangling tuples and reentering the transactions. C. the database will immediately stop execution and lose more information. D. the database will no longer accept input data.

4.6 You are correct, the answer is A. When the external key of a transaction is corrupted or lost, the application system will normally be incapable of directly attaching the master data to the transaction data. This will normally cause the system to undertake a sequential search and slow down the processing. If the concerned files are big, this slowdown will be unacceptable. Choice B is incorrect since a system can recover the corrupted external key by reindexing the table. Choices C and D would not result from a corrupted foreign key.

During the audit of a database server, which of the following would be considered the GREATEST exposure? Select an answer: A. The password on the administrator account does not expire. B. Default global security settings for the database remain unchanged. C. Old data have not been purged. D. Database activity is not fully logged.

4.6 You are correct, the answer is B. Default security settings for the database could allow issues like blank user passwords or passwords that were the same as the username. Logging all database activity is not practical. Failure to purge old data may present a performance issue but is not an immediate security concern. Choice A is an exposure but not as serious as Choice B.

A cyclic redundancy check (CRC) is commonly used to determine the: Select an answer: A. accuracy of data input. B. integrity of a downloaded program. C. adequacy of encryption. D. validity of data transfer.

4.6 You are correct, the answer is D. A. Accuracy of data input can be enforced by data validation controls such as picklists, cross checks, reasonableness checks, control totals, allowed character checks and others. B. A checksum is commonly used to validate the integrity of a downloaded program or other transferred data. C. Encryption adequacy is driven by the sensitivity of the data to be protected and algorithms that determine how long it would take to break a specific encryption method. D. The accuracy of blocks of data transfers, such as data transfer from hard disks, is validated by a CRC.

An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violated? Select an answer: A. Consistency B. Isolation C. Durability D. Atomicity

4.6 You are correct, the answer is D. Atomicity guarantees that either the entire transaction is processed or none of it is. Consistency ensures that the database is in a legal state when the transaction begins and ends. Isolation means that, while in an intermediate state, the transaction data are invisible to external operations. Durability guarantees that a successful transaction will persist, and cannot be undone.

An IS auditor examining the security configuration of an operating system should review the: Select an answer: A. transaction logs. B. authorization tables. C. parameter settings. D. routing tables.

4.8 The correct answer is C. Parameters allow a standard piece of software to be customized for diverse environments and are important in determining how a system runs. The parameter settings should be appropriate to an organization's workload and control environment. Improper implementation and/or monitoring of operating systems can result in undetected errors and corruption of the data being processed, as well as lead to unauthorized access and inaccurate logging of system usage. Transaction logs are used to analyze transactions in master and/or transaction files. Authorization tables are used to verify implementation of logical access controls and will not be of much help when reviewing control features of an operating system. Routing tables do not contain information about the operating system and, therefore, provide no information to aid in the evaluation of controls.

Which of the following would BEST maintain the integrity of a firewall log? Select an answer: A. Granting access to log information only to administrators B. Capturing log events in the operating system layer C. Writing dual logs onto separate storage media D. Sending log information to a dedicated third-party log server

4.8 You answered A. The correct answer is D. Establishing a dedicated third-party log server and logging events in it is the best procedure for maintaining the integrity of a firewall log. When access control to the log server is adequately maintained, the risk of unauthorized log modification will be mitigated, therefore improving the integrity of log information. To enforce segregation of duties, administrators should not have access to log files. This primarily contributes to the assurance of confidentiality rather than integrity. There are many ways to capture log information: through the application layer, network layer, operating systems layer, etc.; however, there is no log integrity advantage in capturing events in the operating systems layer. If it is a highly mission-critical information system, it may be nice to run the system with a dual log mode. Having logs in two different storage devices will primarily contribute to the assurance of the availability of log information, rather than to maintaining its integrity.

The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure: A. integrity. B. authenticity. C. authorization. D. nonrepudiation.

4.8 You are correct, the answer is A. A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need other controls. Nonrepudiation can be ensured by using digital signatures.

An IS auditor performing a review of incident tickets notices that a help desk support technician noted personal identifiable information (PII) within the ticket comments as part of the incident documentation. What preventive action should the auditor recommend to mitigate this situation? Select an answer: A. Quality assurance review of tickets B. Performance of data masking C. Privacy policy awareness training D. Encryption of the comments section

4.8 You are correct, the answer is C. A. Quality reviews are a detective control and will only discover exceptions after the information has been entered. B. Data masking is performed to assist with maintaining the privacy of customers from individuals that do not require access to customer data. This is not the case for incident tickets, where it is important that information can be shared effectively among the service desk staff. C. Privacy policy awareness training should be performed to assist the technician with understanding what should not be listed within the comments section of tickets. The technician may not know that other individuals can read the comments section, when in fact the information may be listed in reports or extracts and could be viewed by many individuals. D. Encrypting the comments section of an incident ticket is counterproductive because the purpose of the incident documentation is to ensure that such information is effectively shared among the service desk staff. Awareness training is a less expensive and more effective solution to ensure the privacy of customers.

During a fieldwork observation of system administrative functions, an IS auditor discovered that changes made to the database after normal working hours required only an abbreviated number of steps compared to those made during normal working hours. Which of the following would be considered an adequate set of compensating controls? Select an answer: A. Use the privileged administrative account, log the changes and review the change log on the following day. B. Use the normal user account to make changes, log the changes and review the change log on the following day. C. Allow changes to be made only after granting access to a normal user account, and review the change log on the following day. D. Use the database administrator (DBA) user account to make changes, log the changes and review the change log on the following day.

4.9 You answered A. The correct answer is D. The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal working hours. The use of a log allows changes to be reviewed. The privileged accounts can be used by multiple users, and the use of a normal user account with no restrictions would allow uncontrolled changes to the databases. The use of the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained.

In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation? A. Approve and document the change the next business day. B. Limit developer access to production to a specific time frame. C. Obtain secondary approval before releasing to production. D. Disable the compiler option in the production machine.

4.9 You answered C. The correct answer is A. It may be appropriate to allow programmers to make emergency changes as long as they are documented and approved after the fact. Restricting release time frame may help somewhat; however, it would not apply to emergency changes and cannot prevent unauthorized release of the programs. Choices C and D are not relevant in an emergency situation.

During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that: Select an answer: A. only systems administrators perform the patch process. B. the client's change management process is adequate. C. patches are validated using parallel testing in production. D. an approval process of the patch, including a risk assessment, is developed.

4.9 You answered C. The correct answer is B. The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly. While system administrators would normally install patches and patches would normally undergo testing, it is more important that changes be made during nonproduction times; furthermore, parallel testing is not appropriate for security patches because some servers would still be vulnerable. An approval process could not directly prevent this type of incident from happening.

After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend? A. Stress B. Black box C. Interface D. System

4.9 You answered C. The correct answer is D. Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. Interface testing is not enough, and stress or black box testing are inadequate in these circumstances.

In regard to moving an application program from the test environment to the production environment, the BEST control would be to have the: Select an answer: A. application programmer copy the source program and compiled object module to the production libraries. B. application programmer copy the source program to the production libraries and then have the production control group compile the program. C. production control group compile the object module to the production libraries using the source program in the test environment. D. production control group copy the source program to the production libraries and then compile the program.

4.9 You answered C. The correct answer is D. The best control would be provided by having the production control group copy the source program to the production libraries and then compile the program.

A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity? A. Comparing source code B. Reviewing system log files C. Comparing object code D. Reviewing executable and source code integrity

4.9 You answered D. The correct answer is B. Reviewing system log files is the only trail that may provide information about the unauthorized activities in the production library. Source and object code comparisons are ineffective, because the original programs were restored and do not exist. Reviewing executable and source code integrity is an ineffective control, because integrity between the executable and source code is automatically maintained.

The purpose of code signing is to provide assurance that: Select an answer: A. the software has not been subsequently modified. B. the application can safely interface with another signed application. C. the signer of the application is trusted. D. the private key of the signer has not been compromised.

4.9 You are correct, the answer is A. Code signing can only ensure that the executable code has not been modified after being signed. The other choices are incorrect and actually represent potential and exploitable weaknesses of code signing.

The BEST audit procedure to determine if unauthorized changes have been made to production code is to: Select an answer: A. examine the change control system records and trace them forward to object code files. B. review access control permissions operating within the production program libraries. C. examine object code to find instances of changes and trace them back to change control records. D. review change approved designations established within the change control system.

4.9 You are correct, the answer is C. The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes. The other choices are valid procedures to apply in a change control audit but they do not directly address the risk of unauthorized code changes.

Which of the following is the MOST efficient way to test the design effectiveness of a change control process? Select an answer: A. Test a sample population of change requests B. Test a sample of authorized changes C. Interview personnel in charge of the change control process D. Perform an end-to-end walk-through of the process

4.9 You are correct, the answer is D. A. Testing a sample population of changes is a test of operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design. B. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization. C. Interviewing personnel in charge of the change control process is not as effective as a walk-through of the change control process. D. Observation is the best and most effective method to test changes to ensure that the process is effectively designed.

During a fieldwork observation of system administrative functions, an IS auditor discovered that changes made to the database after normal working hours required only an abbreviated number of steps compared to those made during normal working hours. Which of the following would be considered an adequate set of compensating controls? Select an answer: A. Use the privileged administrative account, log the changes and review the change log on the following day. B. Use the normal user account to make changes, log the changes and review the change log on the following day. C. Allow changes to be made only after granting access to a normal user account, and review the change log on the following day. D. Use the database administrator (DBA) user account to make changes, log the changes and review the change log on the following day.

4.9 You are correct, the answer is D. The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal working hours. The use of a log allows changes to be reviewed. The privileged accounts can be used by multiple users, and the use of a normal user account with no restrictions would allow uncontrolled changes to the databases. The use of the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained.

An IS auditor reviewing the IS security policies should verify whether information security management roles and responsibilities are communicated to which of the following? Select an answer: A. Functional heads B. Organizational users C. The IS steering committee D. IS security management

5.1 The correct answer is B. All of the roles and responsibilities relating to IS security management should be defined. Documented responsibilities and accountabilities must be established and communicated to all enterprise users. The responsibilities may be defined by position (based on organizational structure), but should include all enterprise users. It would not be sufficient to communicate the IS security policies to only the select groups noted in the other options because the policies relate to the entire enterprise.

While investigating online transactions, an enterprise realizes that a transaction was fraudulent and requires involvement of law enforcement. What should the enterprise do FIRST? Select an answer: A. Document the analysis of the fraudulent transactions. B. Initiate recovery of funds lost due to fraud. C. Forensically preserve all log files. D. Unplug the system from the network.

5.1 You answered D. The correct answer is C. In the case of electronic evidence, it is necessary for evidence to be produced in an original form and to establish that the electronic evidence has not been tampered with. All other options are secondary.

An information security policy stating that "the display of passwords must be masked or suppressed" addresses which of the following attack methods? Select an answer: A. Piggybacking B. Dumpster diving C. Shoulder surfing D. Impersonation

5.1 You are correct, the answer is C. If a password is displayed on a monitor, any person nearby could look over the shoulder of the user to obtain the password. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized person. This policy only refers to "the display of passwords." If the policy referred to "the display and printing of passwords" then it would address shoulder surfing and dumpster diving (looking through an organization's trash for valuable information). Impersonation refers to someone acting as an employee in an attempt to retrieve desired information.

An IS auditor reviewing the IS security policies should verify whether information security management roles and responsibilities are communicated to which of the following? Select an answer: A. Functional heads B. Organizational users C. The IS steering committee D. IS security management

5.1 Ответил A. Functional heads Пропустил ответ

An IS auditor observes that one of the servers on the perimeter network is running a vulnerable operating system. What is the MOST likely implication due to the existence of a system vulnerability? Select an answer: A. The server is susceptible to an attack. B. An attack will occur. C. A control must be designed as a countermeasure. D. The likelihood of threats will increase.

5.1. You are correct, the answer is A. Vulnerabilities, if not addressed, leave the server at a risk of being attacked. The existence of a vulnerability does not automatically imply that an attack will occur. A control may be designed only if it would be cost-effective. The existence of a vulnerability does not increase the likelihood of threats to a system.

A development group is designing an Internet application that accepts customer orders. Which of the following features is a MAJOR concern during the review of the design phase? Select an answer: A. The inclusion of technical information in error messages B. The use of stored procedures to handle transaction processes C. Server side input revalidation D. Controls that restrict access to system objects

5.2 The correct answer is A. A. Applications that are exposed to the Internet should not include technical details in error messages because they could provide attackers with information about vulnerabilities. B. It is a good practice to utilize stored procedures because the transaction is completed in a closed environment. C. It is a good practice to revalidate user entry on the server side to ensure that there is no malicious code or scripts sent from the client machine. D. It is generally desirable to minimize direct access to system objects such as files, directories, databases and other items.

When reviewing an implementation of a Voice-over IP (VoIP) system over a corporate wide area network (WAN), an IS auditor should expect to find: Select an answer: A. an integrated services digital network (ISDN) data link. B. traffic engineering. C. wired equivalent privacy (WEP) encryption of data. D. analog phone terminals.

5.2 The correct answer is B. To ensure that quality of service requirements are achieved, the VoIP service over the WAN should be protected from packet losses, latency or jitter. To reach this objective, the network performance can be managed using statistical techniques such as traffic engineering. The standard bandwidth of an ISDN data link would not provide the quality of services required for corporate VoIP services. WEP is an encryption scheme related to wireless networking. The VoIP phones are usually connected to a corporate local area network (LAN) and are not analog.

A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of: A. validation controls. B. internal credibility checks. C. clerical control procedures. D. automated systems balancing.

5.2 The correct answer is D. Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction. Validation controls and internal credibility checks are certainly valid controls, but will not detect and report lost transactions. In addition, although a clerical procedure could be used to summarize and compare inputs and outputs, an automated process is less susceptible to error.

Disabling which of the following would make wireless local area networks MORE secure against unauthorized access? Select an answer: A. MAC (Media Access Control) address filtering B. WPA (Wi-Fi Protected Access Protocol) C. LEAP (Lightweight Extensible Authentication Protocol) D. SSID (service set identifier) broadcasting

5.2 The correct answer is D. Disabling SSID broadcasting adds security by making it more difficult for unauthorized users to find the name of the access point. Disabling MAC address filtering would reduce security. Using MAC filtering makes it more difficult to access a WLAN, because it would be necessary to catch traffic and forge the MAC address. Disabling WPA reduces security. Using WPA adds security by encrypting the traffic. Disabling LEAP reduces security. Using LEAP adds security by encrypting the wireless traffic.

The BEST way to minimize the risk of communication failures in an e-commerce environment would be to use: Select an answer: A. compression software to minimize transmission duration. B. functional or message acknowledgments. C. a packet-filtering firewall to reroute messages. D. leased asynchronous transfer mode lines.

5.2 The correct answer is D. Leased asynchronous transfer mode lines are a way to avoid using public and shared infrastructures from the carrier or Internet service provider that have a greater number of communication failures. Choice A, compression software, is a valid way to reduce the problem, but is not as good as leased asynchronous transfer mode lines. Choice B is a control based on higher protocol layers and helps if communication lines are introducing noise, but not if a link is down. Choice C, a packet-filtering firewall, does not reroute messages.

Distributed denial-of-service (DDoS) attacks on Internet sites are typically evoked by hackers using which of the following?Select an answer: A. Logic bombs B. Phishing C. Spyware D. Trojan horses

5.2 The correct answer is D. Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to mastermind DDoS attacks that affect computers that access the same Internet site at the same moment, resulting in overloaded site servers that may no longer be able to process legitimate requests. Logic bombs are programs designed to destroy or modify data at a specific time in the future. Phishing is an attack, normally via email, pretending to be an authorized person or organization requesting information. Spyware is a program that picks up information from PC drives by making copies of their contents.

Which of the following is the GREATEST concern for an IS auditor reviewing the security controls of an online job-search application? Select an answer: A. The web server is running an unsupported operating system (OS) and web server application. B. The web application has a Structured Query Language (SQL) injection vulnerability. C. The firewall has port 80 (HTTP), port 443 (HTTPS) and port 23 (Telnet) open. D. The access to the web server and its database have only minimal logging enabled.

5.2 You answered A. The correct answer is B. A. While outdated versions of the OS or web server can allow some vulnerabilities to exist, the more significant risk in this case is the SQL injection vulnerability. B. The biggest risk to any web application is security vulnerabilities that allow unvalidated input to be passed from the interface to the back-end system. An SQL injection vulnerability in a database-driven web application is a significant risk and is the greatest concern. C. While having unnecessary firewall ports open increases the security risk, the greater risk is that a vulnerability exists that can be accessed through the application. Therefore, the SQL injection vulnerability is the more significant risk. D. While maintaining audit logs is an important method to detect security intrusion attempts and application errors, having log configuration settings set to a high level may impact performance. Often, logging may be set to a minimal level for performance reasons. The more significant concern in this case is the SQL injection vulnerability.

An IS auditor finds that conference rooms have active network ports. Which of the following is MOST important to ensure? Select an answer: A. The corporate network is using an intrusion prevention system (IPS). B. This part of the network is isolated from the corporate network. C. A single sign-on has been implemented in the corporate network. D. Antivirus software is in place to protect the corporate network.

5.2 You answered A. The correct answer is B. If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or being physically separated. An IPS would detect possible attacks, but only after they have occurred. A single sign-on would ease authentication management. Antivirus software would reduce the impact of possible viruses; however, unauthorized users would still be able to access the corporate network, which is the biggest risk.

When reviewing an organization's logical access security, which of the following should be of MOST concern to an IS auditor? Select an answer: A. Passwords are not shared. B. Password files are not encrypted. C. Redundant logon IDs are deleted. D. The allocation of logon IDs is controlled.

5.2 You answered A. The correct answer is B. When evaluating the technical aspects of logical security, unencrypted files represent the greatest risk. The sharing of passwords, checking for the redundancy of logon IDs and proper logon ID procedures are essential, but they are less important than ensuring that the password files are encrypted.

The MOST important success factor in planning a black box penetration test is: Select an answer: A. the documentation of the planned testing procedure. B. a realistic evaluation of the environment architecture to determine scope. C. knowledge by the management staff of the client organization. D. scheduling and deciding on the timed length of the test.

5.2 You answered A. The correct answer is C. Black box penetration testing assumes no prior knowledge of the infrastructure to be tested. Testers simulate an attack from someone who is unfamiliar with the system. It is important to have management knowledge of the proceedings so that if the test is identified by the monitoring systems, the legality of the actions can be determined quickly. Choices A and B are not valid for a black box penetration test. Choice D is important, but not as important to the success as choice C.

In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides: Select an answer: A. connectionless integrity. B. data origin authentication. C. antireplay service. D. confidentiality.

5.2 You answered A. The correct answer is D. Both protocols support choices A, B and C, but only the ESP protocol provides confidentiality via encryption.

Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems? A. Proxy server B. Firewall installation C. Network administrator D. Password implementation and administration

5.2 You answered B. The correct answer is D. The most comprehensive control in this situation is password implementation and administration. While firewall installations are the primary line of defense, they cannot protect all access and, therefore, an element of risk remains. A proxy server is a type of firewall installation; thus, the same rules apply. The network administrator may serve as a control, but typ

Which of the following antispam filtering techniques would BEST prevent a valid, variable-length email message containing a heavily weighted spam keyword from being labeled as spam? Select an answer: A. Heuristic (rule-based) B. Signature-based C. Pattern matching D. Bayesian (statistical)

5.2 You answered B. The correct answer is D. Bayesian filtering applies statistical modeling to messages by performing a frequency analysis on each word within the message and then evaluating the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds. Heuristic filtering is less effective, since new exception rules may need to be defined when a valid message is labeled as spam. Signature-based filtering is useless against variable-length messages, because the calculated message-digest algorithm 5 (MD5) hash changes all the time. Finally, pattern matching is actually a degraded rule-based technique, where the rules operate at the word level using wildcards, and not at higher levels.

An IS auditor observed brute-force attacks on the administrator account. The BEST recommendation to prevent a successful brute-force attack would be to: Select an answer: A. increase the password length for the user. B. configure a session timeout mechanism. C. perform periodic vulnerability scans. D. configure a hard-to-guess username.

5.2 You answered B. The correct answer is D. Knowledge of both a username and password is required to successfully compromise an account using brute-force attack. If a username is guessable, brute-force attacks are much more feasible. Increasing the password length is not as good as having a username that cannot be discovered. Session timeouts do not prevent unauthorized access. Vulnerability scans typically test for default usernames and passwords, but do not prevent brute-force attacks. Performing periodic vulnerability scans is a good detective control, but does not prevent brute-force attacks.

An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol (VoIP) packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP traffic? A. Corruption of the address resolution protocol (ARP) cache in Ethernet switches B. Use of a default administrator password on the analog phone switch C. Deploying virtual local area networks (VLANs) without enabling encryption D. End users having access to software tools such as packet sniffer applications

5.2 You answered C. The correct answer is A. On an Ethernet switch there is a data table known as the ARP cache, which stores mappings between media access control (MAC) and IP addresses. During normal operations, Ethernet switches only allow directed traffic to flow between the ports involved in the conversation and no other ports can see that traffic. However, if the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply "flood" the directed traffic to all ports of the switch, which could allow an attacker to monitor traffic not normally visible to the port where the attacker was connected, and thereby eavesdrop on VoIP traffic. Choice B is not correct because VoIP systems do not use analog switches and inadequate administrator security controls would not be an issue. Choice C is not correct because VoIP data are not normally encrypted in a LAN environment since the controls regarding VLAN security are adequate. Choice D is not correct because most software tools such as packet sniffers cannot make changes to LAN devices, such as the VLAN configuration of an Ethernet switch used for VoIP. Therefore, the use of software utilities of this type is not a risk

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key? Select an answer: A. Certificate revocation list (CRL) B. Certification practice statement (CPS) C. Certificate policy (CP) D. PKI disclosure statement (PDS)

5.2 You answered C. The correct answer is B. The CPS is the how-to part in policy-based PKI. The CRL is a list of certificates that have been revoked before their scheduled expiration date. The CP sets the requirements that are subsequently implemented by the CPS. The PDS covers critical items, such as the warranties, limitations and obligations that legally bind each party.

Receiving an electronic data interchange (EDI) transaction and passing it through the communication's interface stage usually requires: Select an answer: A. translating and unbundling transactions. B. routing verification procedures. C. passing data to the appropriate application system. D. creating a point of receipt audit log.

5.2 You answered C. The correct answer is B. The communication's interface stage requires routing verification procedures. EDI or ANSI X12 is a standard that must be interpreted by an application for transactions to be processed and then to be invoiced, paid and sent, whether they are for merchandise or services. There is no point in sending and receiving EDI transactions if they cannot be processed by an internal system. Unpacking transactions and recording audit logs are important elements that help follow business rules and establish controls, but are not part of the communication's interface stage.

In large corporate networks having supply partners across the globe, network traffic may continue to rise. The infrastructure components in such environments should be scalable. Which of the following firewall architectures limits future scalability? Select an answer: A. Appliances B. Operating system-based C. Host-based D. Demilitarized

5.2 You answered D. The correct answer is A. The software for appliances is embedded into chips. Firmware-based firewall products cannot be moved to higher capacity servers. Firewall software that sits on an operating system can always be scalable due to its ability to enhance the power of servers. Host-based firewalls operate on top of the server operating system and are scalable. A demilitarized zone is a model of firewall implementation and is not a firewall architecture.

When auditing a proxy-based firewall, an IS auditor should: Select an answer: A. verify that the firewall is not dropping any forwarded packets. B. review Address Resolution Protocol (ARP) tables for appropriate mapping between media access control (MAC) and IP addresses. C. verify that the filters applied to services such as HTTP are effective. D. test whether routing information is forwarded by the firewall.

5.2 You answered D. The correct answer is C. A proxy-based firewall works as an intermediary (proxy) between the service or application and the client. It makes a connection with the client and opens a different connection with the server and, based on specific filters and rules, analyzes all the traffic between the two connections. Unlike a packet-filtering gateway, a proxy-based firewall does not forward any packets. Mapping between MAC and IP addresses is a task for protocols such as ARP/RARP.

A development group is designing an Internet application that accepts customer orders. Which of the following features is a MAJOR concern during the review of the design phase? A. The inclusion of technical information in error messages B. The use of stored procedures to handle transaction processes C. Server side input revalidation D. Controls that restrict access to system objects

5.2 You are correct, the answer is A. A. Applications that are exposed to the Internet should not include technical details in error messages because they could provide attackers with information about vulnerabilities. B. It is a good practice to utilize stored procedures because the transaction is completed in a closed environment. C. It is a good practice to revalidate user entry on the server side to ensure that there is no malicious code or scripts sent from the client machine. D. It is generally desirable to minimize direct access to system objects such as files, directories, databases and other items.

An organization can ensure that the recipients of emails from its employees can authenticate the identity of the sender by: A. digitally signing all email messages. B. encrypting all email messages. C. compressing all email messages. D. password protecting all email messages.

5.2 You are correct, the answer is A. By digitally signing all email messages, the receiver will be able to validate the authenticity of the sender. Encrypting all email messages would ensure that only the intended recipient will be able to open the message; however, it would not ensure the authenticity of the sender. Compressing all email messages would reduce the size of the message, but would not ensure the authenticity. Password protecting all email messages would ensure that only those who have the password would be able to open the message; however, it would not ensure the authenticity of the sender.

Validated digital signatures in an email software application will: Select an answer: A. help detect spam. B. provide confidentiality. C. add to the workload of gateway servers. D. significantly reduce available bandwidth.

5.2 You are correct, the answer is A. Validated electronic signatures are based on qualified certificates that are created by a certification authority (CA), with the technical standards required to ensure the key can neither be forced nor reproduced in a reasonable time. Such certificates are only delivered through a registration authority (RA) after a proof of identity has been passed. Using strong signatures in email traffic, nonrepudiation can be assured and a sender can be tracked. The recipient can configure their email server or client to automatically delete emails from specific senders. For confidentiality issues, one must use encryption, not a signature, although both methods can be based on qualified certificates. Without any filters directly applied on mail gateway servers to block traffic without strong signatures, the workload will not increase. Using filters directly on a gateway server will result in an overhead less than antivirus software imposes. Digital signatures are only a few bytes in size and will not slash bandwidth. Even if gateway servers were to check certificate revocation lists (CRLs), there is little overhead

The MOST common problem in the operation of an intrusion detection system (IDS) is: Select an answer: A. the detection of false positives. B. receiving trap messages. C. reject-error rates. D. denial-of-service attacks.

5.2 You are correct, the answer is A. Because of the configuration and the way IDS technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents—false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls, such as IDS tuning, and incident handling procedures, such as the screening process to know if an event is a security incident or a false positive. Trap messages are generated by the Simple Network Management Protocol (SNMP) agents when an important event happens, but are not particularly related to security or IDSs. Reject-error rate is related to biometric technology and is not related to IDSs. Denial-of-service is a type of attack and is not a problem in the operation of IDSs.

The MOST important difference between hashing and encryption is that hashing: Select an answer: A. is irreversible. B. output is the same length as the original message. C. is concerned with integrity and security. D. is the same at the sending and receiving end.

5.2 You are correct, the answer is A. Hashing works one way; by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption. Hashing creates an output that is smaller than the original message, and encryption creates an output of the same length as the original message. Hashing is used to verify the integrity of the message and does not address security. The same hashing algorithm is used at the sending and receiving ends to generate and verify the message hash/digest. Encryption will not necessarily use the same algorithm at the sending and receiving end to encrypt and decrypt.

Which of the following acts as a decoy to detect active Internet attacks? Select an answer: A. Honeypots B. Firewalls C. Trapdoors D. Traffic analysis

5.2 You are correct, the answer is A. Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals' computer systems. The concept of a honeypot is to learn from intruder's actions. A properly designed and configured honeypot provides data on methods used to attack systems. The data are then used to improve measures that could curb future attacks. A firewall is basically a preventive measure. Trapdoors create a vulnerability that provides an opportunity for the insertion of unauthorized code into a system. Traffic analysis is a type of passive attack.

When installing an intrusion detection system (IDS), which of the following is MOST important? Select an answer: A. Properly locating it in the network architecture B. Preventing denial-of-service (DoS) attacks C. Identifying messages that need to be quarantined D. Minimizing the rejection errors

5.2 You are correct, the answer is A. Proper location of an IDS in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. Choices B, C and D are concerns during the configuration of an IDS, but if the IDS is not placed correctly, none of them would be adequately addressed.

An organization has requested that an IS auditor provide a recommendation to enhance the security and reliability of its voice-over IP (VoIP) system and data traffic. Which of the following would meet this objective? Select an answer: A. VoIP infrastructure needs to be segregated using virtual local area networks (VLANs). B. Buffers need to be introduced at the VoIP endpoints. C. Ensure that end-to-end encryption is enabled in the VoIP system. D. Ensure that emergency backup power is available for all parts of the VoIP infrastructure.

5.2 You are correct, the answer is A. Segregating the VoIP traffic using VLANs would best protect the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (which would help to ensure uptime). Choice B is not correct because the use of packet buffers at VoIP endpoints is a method to maintain call quality, not a security method. Choice C is not correct because encryption is used when VoIP calls use the Internet (not the local LAN) for transport since the assumption is that the physical security of the building as well as the Ethernet switch and VLAN security is adequate. Choice D is not correct because the design of the network and the proper implementation of VLANs is more critical than ensuring that all devices are protected by emergency power.

A company has decided to implement an electronic signature scheme based on public key infrastructure (PKI). The user's private key will be stored on the computer's hard drive and protected by a password. The MOST significant risk of this approach is: Select an answer: A. use of the user's electronic signature by another person if the password is compromised. B. forgery by using another user's private key to sign a message with an electronic signature. C. impersonation of a user by substitution of the user's public key with another person's public key. D. forgery by substitution of another person's private key on the computer.

5.2 You are correct, the answer is A. The user's digital signature is only protected by a password. Compromise of the password would enable access to the signature. This is the most significant risk. Choice C would require subversion of the public key infrastructure mechanism, which is very difficult and least likely. Choice B would require that the message appear to have come from a different person and therefore the true user's credentials would not be forged. Choice D has the same consequence as Choice B.

When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining which of the following network documentation? Select an answer: A. Wiring and schematic diagram B. Users' lists and responsibilities C. Application lists and their details D. Backup and recovery procedures

5.2 You are correct, the answer is A. The wiring and schematic diagram of the network is necessary to carry out a network audit. A network audit may not be feasible if a network wiring and schematic diagram is not available. All other documents are important but not necessary.

What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network? Select an answer: A. Malicious code could be spread across the network. B. The VPN logon could be spoofed. C. Traffic could be sniffed and decrypted. D. The VPN gateway could be compromised.

5.2 You are correct, the answer is A. VPN is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization's network. Although choices B, C and D are types of security risk, VPN technology largely mitigates this risk.

During an IS audit of a global organization, the IS auditor discovers that the organization uses voice-over IP (VoIP) over the Internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk for the organization's VoIP infrastructure? A. Network equipment failure B. Distributed denial-of-service (DDoS) attack C. Premium-rate fraud (toll fraud) D. Social engineering attack

5.2 You are correct, the answer is B. The use of VoIP does not introduce any unique risk with respect to equipment failure, so choice A is not correct. A DDoS attack would potentially disrupt the organization's ability to communicate among its offices and have the highest impact. Toll fraud occurs when someone compromises the phone system and makes unauthorized long-distance calls. While toll fraud may cost the business money, the more severe risk would be the disruption of service. Social engineering, which involves gathering sensitive information in order to launch an attack, can be exercised over any kind of telephony.

A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment? Select an answer: A. Reviewing logs frequently B. Testing and validating the rules C. Training a local administrator at the new location D. Sharing firewall administrative duties

5.2 You are correct, the answer is B. A mistake in the rule set can render a firewall insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment. A regular review of log files would not start until the deployment has been completed. Training a local administrator may not be necessary if the firewalls are managed from a central location. Having multiple administrators is a good idea, but not the most important.

An IS auditor should review the configuration of which of the following protocols to detect unauthorized mappings between the IP address and the media access control (MAC) address? Select an answer: A. Simple Object Access Protocol (SOAP) B. Address Resolution Protocol (ARP) C. Routing Information Protocol (RIP) D. Transmission Control Protocol (TCP)

5.2 You are correct, the answer is B. ARP provides dynamic address mapping between an IP address and hardware address. SOAP is a platform-independent XML-based protocol, enabling applications to communicate with each other over the Internet, and does not deal with MAC addresses. RIP specifies how routers exchange routing table information. TCP enables two hosts to establish a connection and exchange streams of data.

Reconfiguring which of the following firewall types will prevent inward downloading of files through the File Transfer Protocol (FTP)? Select an answer: A. Circuit gateway B. Application gateway C. Packet filter D. Screening router

5.2 You are correct, the answer is B. An application gateway firewall is effective in preventing applications such as FTPs from entering the organization network. A circuit gateway firewall is able to prevent paths or circuits, not applications, from entering the organization's network. A packet filter firewall or screening router will allow or prevent access based on IP packets/address.

An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software: Select an answer: A. is configured with an implicit deny rule as the last rule in the rule base. B. is installed on an operating system with default settings. C. has been configured with rules permitting or denying access to systems or networks. D. is configured as a virtual private network (VPN) endpoint.

5.2 You are correct, the answer is B. Default settings are often published and provide an intruder with predictable configuration information, which allows easier system compromise. To mitigate this risk, firewall software should be installed on a system using a hardened operating system that has limited functionality, providing only the services necessary to support the firewall software. Choices A, C and D are normal or best practices for firewall configurations.

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key? Select an answer: A. Certificate revocation list (CRL) B. Certification practice statement (CPS) C. Certificate policy (CP) D. PKI disclosure statement (PDS)

5.2 You are correct, the answer is B. The CPS is the how-to part in policy-based PKI. The CRL is a list of certificates that have been revoked before their scheduled expiration date. The CP sets the requirements that are subsequently implemented by the CPS. The PDS covers critical items, such as the warranties, limitations and obligations that legally bind each party.

During an IS audit, the IS auditor discovers that a wireless network is used within the enterprise's headquarters. What is the FIRST thing that the auditor should check? Select an answer: A. The signal strength outside of the building B. The configuration settings C. The number of clients connected D. The IP address allocation mechanism

5.2 You are correct, the answer is B. The IS auditor should first check the configuration settings for the current network layout and connectivity and then, based on this, decide whether the security requirements are adequate. The signal strength outside of the building would not be of concern if proper encryption and security settings are in effect. The number of clients connected is not usually a major concern, from a security perspective. The IP address allocation mechanism is not a security risk.

In a financial organization that deals with highly sensitive client data, an IS auditor is asked to provide recommendations for secure email communication. What is the MOST appropriate recommendation? Select an answer: A. Establish private keys with clients to encrypt email and exchange pass phrases. B. Require employees to use digital signatures when sending email. C. Establish public key/private key pairs with clients to encrypt email. D. Require employees to use two-factor authentication before sending email.

5.2 You are correct, the answer is C. A. Establishing private keys with preshared pass phrases is one option, but not the best option. Managing pass phrase changes is time consuming, and there is no trusted authority to vouch that the pass phrase is genuinely issued. B. Digital signatures conclusively establish the sender of the email and any unauthorized changes made to the message; however, they encrypt the email, which leaves the contents readable to any intercepting party. C. Public key/private key pairs are the best way to secure email communication and verify the authenticity of the senders. They also ensure that only the intended recipients are able to decrypt the email. In addition, the public keys/private keys that are generated by a trusted certificate authority ensure genuine communication. D. Two-factor authentication allows employees to securely log on; however, the email is not encrypted and therefore susceptible to being read by or modified by an intercepting party.

An IS auditor reviewing a web application discovers that multiple users are logging in with the same user ID and password. What is the auditor's PRIMARY concern regarding this practice? Select an answer: A. Violation of confidentiality B. Difficulty maintaining user accounts C. Lack of accountability D. Difficulty reviewing user accounts

5.2 You are correct, the answer is C. A. Shared user accounts do not allow the organization to establish accountability for actions executed under the account. Confidentiality is secondary in the described scenario. B. Shared user IDs do not add complexity to the user account administration process; they simplify the process because there are fewer IDs to administer. However, the risk of using shared user IDs outweighs the benefit derived from simplifying user account administration. C. The primary risk in the use of shared user IDs is the lack of user accountability. Transactions performed using a shared user ID cannot be traced to a specific individual. D. Shared user accounts do not impact the level of difficulty for reviewing the accounts. It is important to note that management should periodically review both, user accounts and the related account privileges, to ensure that accountability is established and the access that is being granted continues to be valid and in line with the individual's day-to-day job function.

Which of the following potentially blocks hacking attempts? Select an answer: A. Intrusion detection system (IDS) B. Honeypot system C. Intrusion prevention system (IPS) D. Network security scanner

5.2 You are correct, the answer is C. An IPS is deployed as an in-line device that can detect and block hacking attempts. An IDS normally is deployed in sniffing mode and can detect intrusion attempts, but cannot effectively stop them. A honeypot solution traps the intruders to explore a simulated target. A network security scanner scans for the vulnerabilities, but it will not stop the intrusion.

The GREATEST risk from an improperly implemented intrusion prevention system (IPS) is: Select an answer: A. that there will be too many alerts for system administrators to verify. B. decreased network performance due to IPS traffic. C. the blocking of critical systems or services due to false triggers. D. reliance on specialized expertise within the IT organization.

5.2 You are correct, the answer is C. An IPS prevents a connection or service based on how it is programmed to react to specific incidents. If the packets are coming from a spoofed address and the IPS is triggered based on previously defined behavior, it may block the service or connection of a critical internal system. The other choices are types of risk that are not as severe as blocking critical systems or services due to false triggers.

A human resources (HR) company offers free public wireless Internet access to its guests, after authenticating with a generic user ID and password. The generic ID and password are requested from the reception desk. Which of the following controls BEST addresses the situation? Select an answer: A. The password for the wireless network is changed on a weekly basis. B. A stateful inspection firewall is used between the public wireless and company networks. C. The public wireless network is physically segregated from the company network. D. An intrusion detection system (IDS) is deployed within the wireless network.

5.2 You are correct, the answer is C. Changing the password for the wireless network does not secure against unauthorized access to the company network, especially since a guest could gain access to the wireless local area network (WLAN) at any time prior to the weekly password change interval. A stateful inspection firewall will screen all packets from the wireless network into the company network; however, the configuration of the firewall would need to be audited and firewall compromises, although unlikely, are possible. Keeping the wireless network physically separate from the company network is the best way to secure the company network from intrusion. An IDS will detect intrusions but will not prevent unauthorized individuals from accessing the network.

An IS auditor reviewing an accounts payable system discovers that audit logs are not being reviewed. When this issue is raised with management the response is that additional controls are not necessary because effective system access controls are in place. The BEST response the auditor can make is to: Select an answer: A. review the integrity of system access controls. B. accept management's statement that effective access controls are in place. C. stress the importance of having a system control framework in place. D. review the background checks of the accounts payable staff.

5.2 You are correct, the answer is C. Experience has demonstrated that reliance purely on preventative controls is dangerous. Preventative controls may not prove to be as strong as anticipated or their effectiveness can deteriorate over time. Evaluating the cost of controls versus the quantum of risk is a valid management concern. However, in a high-risk system a comprehensive control framework is needed. Intelligent design should permit additional detective and corrective controls to be established that don't have high ongoing costs, e.g., automated interrogation of logs to highlight suspicious individual transactions or data patterns. Effective access controls are, in themselves, a positive but, for reasons outlined above, may not sufficiently compensate for other control weaknesses. In this situation the IS auditor needs to be proactive. The IS auditor has a fundamental obligation to point out control weaknesses that give rise to unacceptable risk to the organization and work with management to have these corrected. Reviewing background checks on accounts payable staff does not provide evidence that fraud will not occur.

Neural networks are effective in detecting fraud because they can: Select an answer: A. discover new trends since they are inherently linear. B. solve problems where large and general sets of training data are not obtainable. C. attack problems that require consideration of a large number of input variables. D. make assumptions about the shape of any curve relating variables to the output.

5.2 You are correct, the answer is C. Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover new trends. Neural networks are inherently nonlinear and make no assumption about the shape of any curve relating variables to the output. Neural networks will not work well at solving problems for which sufficiently large and general sets of training data are not obtainable.

When using public key encryption to secure data being transmitted across a network: Select an answer: A. both the key used to encrypt and decrypt the data are public. B. the key used to encrypt is private, but the key used to decrypt the data is public. C. the key used to encrypt is public, but the key used to decrypt the data is private. D. both the key used to encrypt and decrypt the data are private.

5.2 You are correct, the answer is C. Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.

The use of digital signatures: Select an answer: A. requires the use of a one-time password generator. B. provides encryption to a message. C. validates the source of a message. D. ensures message confidentiality.

5.2 You are correct, the answer is C. The use of a digital signature verifies the identity of the sender, but does not encrypt the whole message, and hence is not enough to ensure confidentiality. A one-time password generator is an option, but is not a requirement for using digital signatures.

Depending on the complexity of an organization's business continuity plan (BCP), the plan may be developed as a set of more than one plan to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that: Select an answer: A. each plan is consistent with one another. B. all plans are integrated into a single plan. C. each plan is dependent on one another. D. the sequence for implementation of all plans is defined.

5.2 You are correct, the answer is D. Sensors are responsible for collecting data. Analyzers receive input from sensors and determine intrusive activity. An administration console and a user interface are components of an IDS.

Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)? Select an answer: A. Analyzer B. Administration console C. User interface D. Sensor

5.2 You are correct, the answer is D. Sensors are responsible for collecting data. Analyzers receive input from sensors and determine intrusive activity. An administration console and a user interface are components of an IDS.

Which of the following is a passive attack to a network? Select an answer: A. Message modification B. Masquerading C. Denial of service D. Traffic analysis

5.2 You are correct, the answer is D. The intruder determines the nature of the flow of traffic (traffic analysis) between defined hosts and is able to guess the type of communication taking place. Message modification involves the capturing of a message and making unauthorized changes or deletions, changing the sequence or delaying transmission of captured messages. Masquerading is an active attack in which the intruder presents an identity other than the original identity. Denial of service occurs when a computer connected to the Internet is flooded with data and/or requests that must be processed.

Which of the following is the BEST control to implement in order to mitigate the risk of an insider attack? Select an answer: A. Ensure that a comprehensive incident response plan has been put into place. B. Log all user activity for critical systems. C. Perform a criminal background check on all employees or contractors. D. Limit access to what is required for an individual's job duties.

5.2 You are correct, the answer is D. The most critical factor to consider is to limit the access granted to an individual to only what is required for his/her job duties. The other options are not as critical. Insider attacks may be initiated by employees, consultants and/or contractors of an organization. Insider-related risk is the most difficult risk to defend against because insiders typically have been granted some physical and logical access to systems, applications and networks. Remote access to corporate networks and data also is common, due to technology such as virtual private networks (VPNs) and smartphones, and poses a great threat to corporate data. There is a need to put into place strong and effective controls to mitigate this risk, the most basic of which is limiting access to what users need to do their jobs.

From a control perspective, the PRIMARY objective of classifying information assets is to: Select an answer: A. establish guidelines for the level of access controls that should be assigned. B. ensure access controls are assigned to all information assets. C. assist management and auditors in risk assessment. D. identify which assets need to be insured against losses.

5.3 You answered D. The correct answer is A. Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset.

Which of the following is the BEST basis for determining the appropriate levels of information resource protection? A. Asset classification B. A business case C. Vulnerability assessment D. Asset valuation

5.3 You are correct, the answer is A. A. Asset classification based on criticality and sensitivity provides the best basis for assigning levels of information resource protection. B. A business case may be useful to support the need for asset classification, but does not provide a basis for assignment at the individual resource level. C. Vulnerability assessment does not take into account criticality or sensitivity, which is the basis for assigning levels of information resource protection. D. Asset valuation is not an adequate basis for determining the needed level of protection. An asset can be negligible from a cost standpoint, but extremely critical to operations or sensitive if exposed.

The MOST effective control for reducing the risk related to phishing is: Select an answer: A. centralized monitoring of systems. B. including signatures for phishing in antivirus software. C. publishing the policy on antiphishing on the intranet. D. security training for all users.

5.3 You are correct, the answer is D. Phishing is a type of email attack that attempts to convince a user that the originator is genuine, with the intention of obtaining information. Phishing is an example of a social engineering attack. Any social engineering type of attack can best be controlled through security and awareness training.

The BEST overall quantitative measure of the performance of biometric control devices is: Select an answer: A. false-rejection rate (FRR). B. false-acceptance rate (FAR). C. equal-error rate (EER). D. estimated-error rate.

5.4 You answered A. The correct answer is C. A low EER is a combination of a low FRR and a low FAR. EER, expressed as a percentage, is a measure of the number of times that the FRR and FAR are equal. A low EER is the measure of the more effective biometrics control device. Low FRRs or low FARs alone do not measure the efficiency of the device. Estimated-error rate is nonexistent and therefore irrelevant.

An IS auditor wishes to determine the effectiveness of managing user access to a server room. Which of the following is the BEST evidence of effectiveness? Select an answer: A. Observation of a logged event B. Review of the procedure manual C. Interview with management D. Interview with security personnel

5.4 You are correct, the answer is A. A. Observation of the process to reset an employee's security access to the server room and the subsequent logging of this event provide the best evidence of the adequacy of the physical security control. B. Although reviewing the procedure manual can be helpful in gaining an overall understanding of a process, it is not evidence of the effectiveness of the execution of a control. C. Although interviewing management can be helpful in gaining an overall understanding of a process, it is not evidence of the effectiveness of the execution of a control. D. Although interviewing security personnel can be helpful in gaining an overall understanding of a process, it is not evidence of the effectiveness of the execution of a control.

In the 2c area of the diagram, there are three hubs connected to each other. What potential risk might this indicate? Picture Select an answer: A. Virus attack B. Performance degradation C. Poor management controls D. Vulnerability to external hackers

5.4 You are correct, the answer is B. Hubs are internal devices that usually have no direct external connectivity, and thus are not prone to hackers. There are no known viruses that are specific to hub attacks. While this situation may be an indicator of poor management controls, choice B is more likely when the practice of stacking hubs and creating more terminal connections is used.

Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly? Select an answer: A. Halon gas B. Wet-pipe sprinklers C. Dry-pipe sprinklers D. Carbon dioxide gas

5.4 You are correct, the answer is C. Water sprinklers, with an automatic power shutoff system, are accepted as efficient because they can be set to automatic release without threat to life, and water is environmentally friendly. Sprinklers must be dry-pipe to prevent the risk of leakage. Halon is efficient and effective as it does not threaten human life and, therefore, can be set to automatic release, but it is environmentally damaging and very expensive. Water is an acceptable medium but the pipes should be empty to avoid leakage, so a full system is not a viable option. Carbon dioxide is accepted as an environmentally acceptable gas, but it is less efficient because it cannot be set to automatic release in a staffed site since it threatens life.

An accuracy measure for a biometric system is: Select an answer: A. system response time. B. registration time. C. input file size. D. false-acceptance rate (FAR).

5.4 You are correct, the answer is D. Three main accuracy measures are used for a biometric solution: false-rejection rate (FRR), cross-error rate (CER) and FAR. FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often invalid individuals are accepted. CER is a measure of when the false-rejection rate equals the false-acceptance rate. Choices A and B are performance measures.

Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly? Select an answer: A. Halon gas B. Wet-pipe sprinklers C. Dry-pipe sprinklers D. Carbon dioxide gas

5.4. The correct answer is C. Water sprinklers, with an automatic power shutoff system, are accepted as efficient because they can be set to automatic release without threat to life, and water is environmentally friendly. Sprinklers must be dry-pipe to prevent the risk of leakage. Halon is efficient and effective as it does not threaten human life and, therefore, can be set to automatic release, but it is environmentally damaging and very expensive. Water is an acceptable medium but the pipes should be empty to avoid leakage, so a full system is not a viable option. Carbon dioxide is accepted as an environmentally acceptable gas, but it is less efficient because it cannot be set to automatic release in a staffed site since it threatens life.

A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it? Select an answer: A. Rewrite the hard disk with random 0s and 1s. B. Low-level format the hard disk. C. Demagnetize the hard disk. D. Physically destroy the hard disk.

5.5 The correct answer is D. Physically destroying the hard disk is the most economical and practical way to ensure that the data cannot be recovered. Rewriting data and low-level formatting are impractical, because the hard disk is damaged. Demagnetizing is an inefficient procedure, because it requires specialized and expensive equipment to be fully effective.

An IS auditor performing a data center review for a large company discovers that the data center has a lead-acid battery room to provide power to its uninterruptable power supply (UPS) during short-term outages and a diesel generator to provide long-term power backup. Which of the following items would cause the IS auditor the GREATEST concern? Select an answer: A. The service contract on the diesel generator is not current. B. The battery room does not contain hydrogen sensors. C. The door to the battery room is kept locked. D. The battery room is next to the diesel generator yard.

5.5 You answered A. The correct answer is B. Lead-acid batteries emit hydrogen, which is a highly explosive gas. Hydrogen detectors are a compensating control for ventilation system failure. All battery rooms should have hydrogen sensors as well as adequate ventilation systems. While a valid service contract is important, the bigger risk would be from a hydrogen explosion. It is good practice to keep the door to the battery room locked to prevent entry by unauthorized personnel. With the generators located outdoors, the risk of a hydrogen explosion caused by the generators is negligible. Hydrogen sensors would notify data center personnel of a potential gas buildup so they could take the appropriate measures.

The risk of dumpster diving is BEST mitigated by: Select an answer: A. implementing security awareness training. B. placing shred bins in copy rooms. C. developing a media disposal policy. D. placing shredders in individual offices.

5.5 You answered B. The correct answer is A. A. Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items. B. The shred bins may not be properly used if users are not aware of proper security techniques. C. A media disposal policy is a good idea; however, if users are not aware of the policy it may not be effective. D. The shredders may not be properly used if users are not aware of proper security techniques.

The risk of dumpster diving is BEST mitigated by: A. implementing security awareness training. B. placing shred bins in copy rooms. C. developing a media disposal policy. D. placing shredders in individual offices.

5.5 You answered C. The correct answer is A. A. Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items. B. The shred bins may not be properly used if users are not aware of proper security techniques. C. A media disposal policy is a good idea; however, if users are not aware of the policy it may not be effective. D. The shredders may not be properly used if users are not aware of proper security techniques

An IS auditor performing a data center review for a large company discovers that the data center has a lead-acid battery room to provide power to its uninterruptable power supply (UPS) during short-term outages and a diesel generator to provide long-term power backup. Which of the following items would cause the IS auditor the GREATEST concern? A. The service contract on the diesel generator is not current. B. The battery room does not contain hydrogen sensors. C. The door to the battery room is kept locked. D. The battery room is next to the diesel generator yard.

5.5 You are correct, the answer is B. Lead-acid batteries emit hydrogen, which is a highly explosive gas. Hydrogen detectors are a compensating control for ventilation system failure. All battery rooms should have hydrogen sensors as well as adequate ventilation systems. While a valid service contract is important, the bigger risk would be from a hydrogen explosion. It is good practice to keep the door to the battery room locked to prevent entry by unauthorized personnel. With the generators located outdoors, the risk of a hydrogen explosion caused by the generators is negligible. Hydrogen sensors would notify data center personnel of a potential gas buildup so they could take the appropriate measures.

An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control? A. User-level permissions B. Role-based C. Fine-grained D. Discretionary

5.5 You are correct, the answer is B. Role-based access controls the system access by defining roles for a group of users. Users are assigned to the various roles and the access is granted based on the user's role. User-level permissions for an ERP system would create a larger administrative overhead. Fine-grained access control is very difficult to implement and maintain in the context of a large enterprise. Discretionary access control may be configured or modified by the users or data owners, and therefore may create inconsistencies in the access control management.

A start-up company has a policy that requires strong encryption of all tape backups. As the volume of data has grown, the time necessary to back up all data has become operationally unacceptable. Which of the following is the BEST recommendation to fix this problem? Select an answer: A. Disable encryption so the backup process runs faster. B. Implement a data classification policy so that only classified data gets encrypted. C. Select a more efficient encryption algorithm so the backup process runs faster. D. Implement a data classification policy so that only critical data get backed up.

5.5 You are correct, the answer is B. A. While running backups without encryption would solve the performance issue, this does not meet security requirements. B. The primary benefit of performing data classification is so that the appropriate security controls can be applied based on the sensitivity of the data. The process of encrypting data for backup typically slows down the process considerably. There may be considerable amounts of data that are not sensitive and could be backed up faster without encryption enabled, but only a valid data classification process could make this possible. C. While some encryption methods can be faster or slower than others, the better solution in this case is to apply a data classification policy and only encrypt the data that require it according to the policy. D. While a data classification policy specifies both the sensitivity and criticality of the data, the better solution in this case is to apply the appropriate security controls and attempt to back up all data. Although data may be deemed noncritical, these data would still have some value to the business and should be backed up if possible.

An IS auditor discovers that URLs for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks? Select an answer: A. IP spoofing B. Phishing C. Structured query language (SQL) injection D. Denial of service (DoS)

You are correct, the answer is B. URL shortening services have been adopted by hackers to fool users and spread malware, i.e., phishing. IP spoofing is used to change the source IP address in a Transmission Control Protocol/Internet Protocol (TCP/IP) packet, not in the HTTP protocol. Although URL shortening services can be used to perform SQL injections, their primary purpose is for phishing. DoS attacks are not affected by URL shortening services.

After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should: Select an answer: A. expand activities to determine whether an investigation is warranted. B. report the matter to the audit committee. C. report the possibility of fraud to top management and ask how they would like to proceed. D. consult with external legal counsel to determine the course of action to be taken.

The correct answer is A. An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have authority to consult with external legal counsel.

A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized? Select an answer: A. The system will not process the change until the clerk's manager confirms the change by entering an approval code. B. The system generates a weekly report listing all rate exceptions and the report is reviewed by the clerk's manager. C. The system requires the clerk to enter an approval code. D. The system displays a warning message to the clerk.

The correct answer is A. Choice A would prevent or detect the use of an unauthorized interest rate. Choice B informs the manager after the fact that a change was made, thereby making it possible for transactions to use an unauthorized rate prior to management review. Choices C and D do not prevent the clerk from entering an unauthorized rate change.

Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan? Select an answer: A. Prioritize the identified risk. B. Define the audit universe. C. Identify the critical controls. D. Determine the testing approach.

The correct answer is B. A. Once the audit universe is defined, the auditor can prioritize risk based on its overall impact on different operational areas of the organization covered under the audit universe. B. In a risk-based audit approach, the auditor identifies risk to the organization based on the nature of the business. In order to plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix. C. The controls that help in mitigating high-risk areas are generally critical controls and their effectiveness provides assurance on mitigation of risk. However, this cannot be done unless the types of risk are ranked. D. The testing approach is based on the risk ranking.

An organization has purchased a third-party application and made significant modifications. While auditing the development process for this critical, customer-facing application, the IS auditor noted that the vendor has been in business for only one year. Which of the following would help mitigate the risk relating to continued application support? Select an answer: A. A viability study on the vendor B. A software escrow agreement C. Financial evaluation of the vendor D. A contractual agreement for future enhancements

The correct answer is B. A. While a viability study on the vendor may provide some assurance on the long-term availability of the vendor's services to the entity, in this case it is more important that the company has the rights to the source code. B. Considering that the vendor has been in the business for only one year, the biggest concern is financial stability or viability of the vendor and the risk of the vendor going out of business. The best way that this risk can be addressed is to have a software escrow agreement for the source code of the application, which provides for access to the source code for the entity, in the event of the vendor going out of business. C. Considering that the vendor has been in business for only one year, financial evaluation of the vendor would not be of much value and cannot provide assurance on the long-term availability of the vendor's services to the entity. In this case, it is more important that the company has rights to the source code. D. A contractual agreement, while binding, is not enforceable in the event of bankruptcy.

Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network? Select an answer: A. Server antivirus software B. Virus walls C. Workstation antivirus software D. Virus signature updating

The correct answer is B. An important means of controlling the spread of viruses is to detect the virus at the point of entry, before it has an opportunity to cause damage. In an interconnected corporate network, virus scanning software, used as an integral part of firewall technologies, is referred to as a virus wall. Virus walls scan incoming traffic with the intent of detecting and removing viruses before they enter the protected network. The presence of virus walls does not preclude the necessity for installing virus detection software on servers and workstations within the network, but network-level protection is most effective the earlier the virus is detected. Virus signature updating is a must in all circumstances, networked or not.

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk? Select an answer: A. Inherent B. Detection C. Control D. Business

The correct answer is B. Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Inherent risk is not usually affected by an IS auditor. Control risk can be mitigated by the actions of the company's management. Business risk is usually not directly affected by an IS auditor.

Which of the following will MOST successfully identify overlapping key controls in business application systems? Select an answer: A. Reviewing system functionalities that are attached to complex business processes B. Submitting test transactions through an integrated test facility (ITF) C. Replacing manual monitoring with an automated auditing solution D. Testing controls to validate that they are effective

The correct answer is C. As part of the effort to realize continuous audit management (CAM), there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts have the opportunity to come across unnecessary or overlapping key controls in existing systems. In general, highly complex business processes may have more key controls than business areas with less complexity; however, finding, with certainty, unnecessary controls in complex areas is not always possible. If a well-thought-out key control structure has been established from the beginning, finding any overlap in control will not be possible. An ITF is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls. By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.

Which of the following distinguishes a business impact analysis (BIA) from a risk assessment? Select an answer: A. An inventory of critical assets B. An identification of vulnerabilities C. A listing of threats D. A determination of acceptable downtime

The correct answer is D. A. An inventory of critical assets is completed in both a risk assessment and a BIA. B. An identification of vulnerabilities is relevant in both a risk assessment and a BIA. C. A listing of threats is relevant both in a risk assessment and a BIA. D. A determination of acceptable downtime is made only in a BIA.

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? Select an answer: A. Overlapping controls B. Boundary controls C. Access controls D. Compensating controls

The correct answer is D. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated. Overlapping controls are two controls addressing the same control objective or exposure. Since primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself, and are individual-based, not role-based, controls. Access controls for resources are based on individuals and not on roles.

Responsibility for the governance of IT should rest with the: Select an answer: A. IT strategy committee. B. chief information officer (CIO). C. audit committee. D. board of directors.

The correct answer is D. Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly. The audit committee, the CIO and the IT strategy committee all play a significant role in the successful implementation of IT governance within an organization, but the ultimate accountability resides with the board of directors.

Which of the following is the PRIMARY purpose for conducting parallel testing? Select an answer: A. To determine whether the system is cost-effective B. To enable comprehensive unit and system testing C. To highlight errors in the program interfaces with files D. To ensure the new system meets user requirements

The correct answer is D. The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements. Parallel testing may show that the old system is, in fact, better than the new system, but this is not the primary reason. Unit and system testing are completed before parallel testing. Program interfaces with files are tested for errors during system testing.

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit? Select an answer: A. Transaction logs B. Before and after image reporting C. Table lookups D. Tracing and tagging

You answered A (2 attempts). The correct answer is C. Table lookups are preventive controls; data are checked against predefined tables, which prevent any undefined data to be entered. Transaction logs are a detective control and provide audit trails. Before and after image reporting makes it possible to trace the impact that transactions have on computer records. This is a detective control. Tracing and tagging is used to test application systems and controls, but is not a preventive control in itself.

The goal of IT risk analysis is to: Select an answer: A. enable the alignment of IT risk management with enterprise risk management (ERM). B. enable the prioritization of risk responses. C. satisfy legal and regulatory compliance requirements. D. identify known threats and vulnerabilities to information assets.

You answered A. The correct answer is B. A. Aligning IT risk management with ERM is important to ensure the cost-effectiveness of the overall risk management process. However, risk analysis does not enable such an alignment. B. Risk analysis is a process by which the likelihood and magnitude of IT risk scenarios are estimated. Risk analysis is conducted to ensure that the information assets with the greatest risk likelihood and impact are managed before addressing risk with a lower likelihood and impact. Prioritization of IT risk helps maximize return on investment for risk responses. C. Risk analysis evaluates risk on the basis of likelihood and impact and includes financial, environmental, regulatory and other risk. It looks at regulatory risk as one type of risk that the organization faces, but is not specifically designed to satisfy legal and regulatory compliance requirements. D. Risk analysis occurs after risk identification and evaluation. Risk identification determines known threats and vulnerabilities. Risk evaluation assesses the risk and creates valid risk scenarios. Risk analysis quantifies risk along the vectors of likelihood and impact to facilitate the prioritization of risk responses.

Which of the following BEST mitigates the risk of backup media containing irreplaceable information being lost or stolen while in transit? A. Ensure that media are encrypted. B. Maintain a duplicate copy. C. Maintain chain of custody. D. Ensure that personnel are bonded.

You answered A. The correct answer is B. A. Although strong encryption protects against disclosure, it will not mitigate the loss of irreplaceable data. B. Sensitive data should always be fully backed up before being transmitted or moved. Backups of sensitive information should be treated with the same control considerations as the actual data. C. Chain of custody is an important control, but it will not mitigate a loss if a locked area is broken into and media removed or if media are lost while in an individual's custody. D. Bonded security, although good for preventing theft, will not protect against accidental loss or destruction.

Which of the following penetration testing methods is MOST effective in uncovering vulnerabilities relating to incident response capabilities? Select an answer: A. External B. Double-blind C. Internal D. Blind

You answered A. The correct answer is B. A. External testing is an intrusion attempt launched from outside the organization's perimeter, but it does not consider what information is known by the tester or the target. B. In double-blind testing, the incident response team is not informed that an intrusion is about to occur to gauge the depth of their response. Also, the penetration testers are not given prior knowledge of the infrastructure or target. C. Internal testing is launched from within the organizational network. The incident response team could have been informed earlier. D. In blind testing, the tester is not provided with information about the organization's network.

Results of a postimplementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application? Select an answer: A. Load testing B. Stress testing C. Recovery testing D. Volume testing

You answered A. The correct answer is B. A. Load testing evaluates the performance of the software at peak hours. B. Stress testing determines the capacity of the software to cope with an incremental number of concurrent users. C. Recovery testing evaluates the ability of a system to recover after a failure. D. Volume testing evaluates the impact of incremental volume of records (not users) on a system.

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk? Select an answer: A. Risk reduction B. Risk transfer C. Risk avoidance D. Risk mitigation

You answered A. The correct answer is B. A. Risk reduction is a term synonymous with risk mitigation. Risk reduction lowers risk to a level commensurate with the organization's risk appetite. However, choice B is the best answer because risk reduction treats the risk, while risk transfer does not always address compliance risk. B. Risk transfer typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist. C. Risk avoidance does not expose the organization to compliance risk because the business practice that caused the inherent risk to exist is no longer being pursued. D. Mitigating risk will still expose the organization to a certain amount of risk. Risk mitigation lowers risk to a level commensurate with the organization's risk appetite. However, choice B is the best answer because risk mitigation treats the risk, while risk transfer does not necessarily address compliance risk.

An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs? Select an answer: A. Usefulness B. Reliability C. Relevance D. Adequacy

You answered A. The correct answer is B. A. Usefulness of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct of an impact on usefulness as reliability does. B. Because the data are directly collected by the IS auditor, the audit findings can be reported with an emphasis on the reliability of the records that are produced and maintained in the system. The reliability of the source of information used provides reassurance on the findings generated. C. Relevance of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct of an impact on relevance as reliability does. D. Adequacy of audit evidence pulled by CAATs is determined by the processes and personnel who author the data, and the use of CAATs does not have any impact on competence.

Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative? Select an answer: A. Perform disaster recovery exercises annually. B. Ensure that partnering organizations are separated geographically. C. Regularly perform a business impact analysis (BIA). D. Select a partnering organization with similar systems.

You answered A. The correct answer is B. A. While disaster recovery exercises are important, the greater risk is geographic proximity. B. If the two partnering organizations are in close geographic proximity, this could lead to both organizations being subjected to the same environmental disaster, such as an earthquake. C. A BIA will help both organizations to identify critical applications, but separation is a more important consideration when entering reciprocal agreements. D. Selecting a partnering organization with similar systems is a good idea, but separation is a more important consideration when entering reciprocal agreements.

Which of the following provides the GREATEST assurance for database password encryption? Select an answer: A. Secure hash algorithm-256 (SHA-256) B. Advanced encryption standard (AES) C. Secure shell (SSH) D. Triple data encryption standard (DES)

You answered A. The correct answer is B. A. While hashing functions are used to protect passwords, hashing is not encryption. B. The use of AES is a secure encryption algorithm that is appropriate for encrypting passwords. C. SSH can only be used to encrypt passwords that are being transmitted. It cannot encrypt data at rest. D. Triple DES is a valid encryption method; however, AES is a stronger and more recent encryption algorithm.

When using an integrated test facility (ITF), an IS auditor should ensure that: Select an answer: A. production data are used for testing. B. test data are isolated from production data. C. a test data generator is used. D. master files are updated with the test data.

You answered A. The correct answer is B. An ITF creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live data. While this ensures that periodic testing does not require a separate test process, there is a need to isolate test data from production data. An IS auditor is not required to use production data or a test data generator. Production master files should not be updated with test data.

An IS auditor performing a review of application controls would evaluate the: Select an answer: A. efficiency of the application in meeting the business processes. B. impact of any exposures discovered. C. business processes served by the application. D. application's optimization.

You answered A. The correct answer is B. An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses. The other choices may be objectives of an application audit but are not part of an audit restricted to a review of controls.

A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and: Select an answer: A. recovery. B. retention. C. rebuilding. D. reuse.

You answered A. The correct answer is B. Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which email communication is held in the same regard as the official form of classic "paper" makes the retention of corporate email a necessity. All email generated on an organization's hardware is the property of the organization, and an email policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of emails after a specified time to protect the nature and confidentiality of the messages themselves. Addressing the retention issue in the email policy would facilitate recovery, rebuilding and reuse.

Change control for business application systems being developed using prototyping could be complicated by the: Select an answer: A. iterative nature of prototyping. B. rapid pace of modifications in requirements and design. C. emphasis on reports and screens. D. lack of integrated tools.

You answered A. The correct answer is B. Changes in requirements and design happen so quickly that they are seldom documented or approved. Choices A, C and D are characteristics of prototyping, but they do not have an adverse effect on change control.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? Select an answer: A. System log analysis B. Compliance testing C. Forensic analysis D. Analytical review

You answered A. The correct answer is B. Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. It is unlikely that the system log analysis would provide information about the modification of programs. Forensic analysis is a specialized technique for criminal investigation. An analytical review assesses the general control environment of an organization.

An IS auditor discovers that some hard drives disposed of by an enterprise were not sanitized in a manner that would reasonably ensure the data could not be recovered. In addition, the enterprise does not have a written policy on data disposal. The IS auditor should FIRST: Select an answer: A. draft an audit finding, and discuss it with the auditor in charge. B. determine the sensitivity of the information on the hard drives. C. discuss with the IT manager the best practice in data disposal. D. develop an appropriate data disposal policy for the enterprise.

You answered A. The correct answer is B. Even though a policy is not available, the auditor should make a determination as to the nature of the information on the hard drives to quantify, as much as possible, the risk. Drafting a finding without a quantified risk would be premature as would be discussing the best practice. An IS auditor never develops policies.

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate? Select an answer: A. Review the strategic alignment of IT with the business. B. Implement accountability rules within the organization. C. Ensure that independent IT audits are conducted periodically. D. Create a chief risk officer (CRO) role in the organization

You answered A. The correct answer is B. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. While the strategic alignment of IT with business is important, it is not directly related to the gap identified in this scenario. Similarly, performing more frequent IS audits or recommending the creation of a new role (CRO) is not helpful if the accountability rules are not clearly defined and implemented.

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that: Select an answer: A. controls needed to mitigate risk are in place. B. vulnerabilities and threats are identified. C. audit risk is considered. D. a gap analysis is appropriate.

You answered A. The correct answer is B. In developing a risk-based audit strategy, it is critical that the risk and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risk are in place is a resultant effect of an audit. Audit risk is an inherent aspect of auditing, is directly related to the audit process and is not relevant to the risk analysis of the environment to be audited. A gap analysis would normally be done to compare the actual state to an expected or desirable state.

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should: Select an answer: A. recommend that this separate project be completed as soon as possible. B. report this issue as a finding in the audit report. C. recommend the adoption of the Zachmann framework. D. re-scope the audit to include the separate project as part of the current audit.

You answered A. The correct answer is B. It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding. Choice A is not correct because the IS auditor would not ordinarily provide input on the timing of projects, but rather provide an assessment of the current environment. The most critical issue in this scenario is that the EA is not yet complete, so the auditor should be most concerned with reporting this issue. Choice C is not correct because the company is free to choose any EA framework and the IS auditor should not recommend a specific framework. Choice D is not correct because changing the scope of an audit to include the secondary project is not a realistic option.

An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business value. Which of the following would be MOST relevant? Select an answer: A. A capability maturity model (CMM) B. Portfolio management C. Configuration management D. Project management body of knowledge (PMBOK)

You answered A. The correct answer is B. Portfolio management is designed to assist in the definition, prioritization, approval and running of a set of projects within a given organization. These tools offer data capture, workflow and scenario planning functionality, which can help identify the optimum set of projects (from the full set of ideas) to take forward within a given budget. A CMM would not help determine the optimum portfolio of capital projects since it is a means of assessing the relative maturity of the IT processes within an organization: running from Level 0 (Incomplete—Processes are not implemented or fail to achieve their purpose) to Level 5 (Optimizing—Metrics are defined and measured, and continuous improvement techniques are in place). A configuration management database (which stores the configuration details for an organization's IT systems) is an important tool for IT service delivery and, in particular, change management. It may provide information that would influence the prioritization of projects, but is not designed for that purpose. PMBOK is a methodology for the management and delivery of projects. It offers no specific guidance or assistance in optimizing a project portfolio.

When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST? Select an answer: A. The project budget B. The critical path for the project C. The length of the remaining tasks D. The personnel assigned to other tasks

You answered A. The correct answer is B. Since adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will in fact shorten the project duration. Given that there may be slack time available on some of the other tasks not on the critical path, factors such as the project budget, the length of other tasks and the personnel assigned to them may or may not be affected.

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key? Select an answer: A. Certificate revocation list (CRL) B. Certification practice statement (CPS) C. Certificate policy (CP) D. PKI disclosure statement (PDS)

You answered A. The correct answer is B. The CPS is the how-to part in policy-based PKI. The CRL is a list of certificates that have been revoked before their scheduled expiration date. The CP sets the requirements that are subsequently implemented by the CPS. The PDS covers critical items, such as the warranties, limitations and obligations that legally bind each party.

An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk? Select an answer: A. Undocumented approval of some project changes B. Faulty migration of historical data from the old system to the new system C. Incomplete testing of the standard functionality of the ERP subsystem D. Duplication of existing payroll permissions on the new ERP subsystem

You answered A. The correct answer is B. The most significant risk after a payroll system conversion is not being able to pay employees in a timely and accurate manner. As a result, maintaining data integrity and accuracy during migration is paramount. The other options are not as important as long as the new payroll system functions as intended.

The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to: Select an answer: A. comply with regulatory requirements. B. provide a basis for drawing reasonable conclusions. C. ensure complete audit coverage. D. perform the audit according to the defined scope.

You answered A. The correct answer is B. The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them. Complying with regulatory requirements, ensuring coverage and the execution of audit are all relevant to an audit but are not the reason why sufficient and relevant evidence is required.

The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to: Select an answer: A. comply with regulatory requirements. B. provide a basis for drawing reasonable conclusions. C. ensure complete audit coverage. D. perform the audit according to the defined scope.

You answered A. The correct answer is B. The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them. Complying with regulatory requirements, ensuring coverage and the execution of audit are all relevant to an audit but are not the reason why sufficient and relevant evidence is required.

Which of the following should be included in an organization's information security policy? Select an answer: A. A list of key IT resources to be secured B. The basis for control access authorization C. Identity of sensitive security features D. Relevant software security features

You answered A. The correct answer is B. The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. Choices A, C and D are more detailed than that which should be included in a policy.

Information for detecting unauthorized input from a terminal would be BEST provided by the: Select an answer: A. console log printout. B. transaction journal. C. automated suspense file listing. D. user error report.

You answered A. The correct answer is B. The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it would not record activity from a specific terminal. An automated suspense file listing would only list transaction activity where an edit error occurred, while the user error report would only list input that resulted in an edit error.

Which of the following would help to ensure the portability of an application connected to a database? Select an answer: A. Verification of database import and export procedures B. Usage of a structured query language (SQL) C. Analysis of stored procedures/triggers D. Synchronization of the entity-relation model with the database physical schema

You answered A. The correct answer is B. The use of SQL facilitates portability. Verification of import and export procedures with other systems ensures better interfacing with other systems, analyzing stored procedures/triggers ensures proper access/performance, and reviewing the design entity-relation model will be helpful, but none of these contribute to the portability of an application connecting to a database.

During an IS audit of a global organization, the IS auditor discovers that the organization uses voice-over IP (VoIP) over the Internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk for the organization's VoIP infrastructure? A. Network equipment failure B. Distributed denial-of-service (DDoS) attack C. Premium-rate fraud (toll fraud) D. Social engineering attack

You answered A. The correct answer is B. The use of VoIP does not introduce any unique risk with respect to equipment failure, so choice A is not correct. A DDoS attack would potentially disrupt the organization's ability to communicate among its offices and have the highest impact. Toll fraud occurs when someone compromises the phone system and makes unauthorized long-distance calls. While toll fraud may cost the business money, the more severe risk would be the disruption of service. Social engineering, which involves gathering sensitive information in order to launch an attack, can be exercised over any kind of telephony.

An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend? Select an answer: A. User acceptance testing (UAT) occur for all reports before release into production B. Organizational data governance practices be put in place C. Standard software tools be used for report development D. Management sign-off on requirements for new reports

You answered A. The correct answer is B. This choice directly addresses the problem. An organizationwide approach is needed to achieve effective management of data assets. This includes enforcing standard definitions of data elements, which is part of a data governance initiative. The other choices, while sound development practices, do not address the root cause of the problem described.

IT management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend: Select an answer: A. upgrading to a level 5 RAID. B. increasing the frequency of onsite backups. C. reinstating the offsite backups. D. establishing a cold site in a secure location.

You answered A. The correct answer is C. A RAID system, at any level, will not protect against a natural disaster. The problem will not be alleviated without offsite backups, more frequent onsite backups or even setting up a cold site. Choices A, B and D do not compensate for the lack of offsite backup.

When using a digital signature, the message digest is computed: Select an answer: A. only by the sender. B. only by the receiver. C. by both the sender and the receiver. D. by the certificate authority (CA).

You answered A. The correct answer is C. A digital signature is an electronic identification of a person or entity. It is created by using asymmetric encryption. To verify integrity of data, the sender uses a cryptographic hashing algorithm against the entire message to create a message digest to be sent along with the message. Upon receipt of the message, the receiver will recompute the hash using the same algorithm and compare results with what was sent to ensure the integrity of the message.

The initial step in establishing an information security program is the: A. development and implementation of an information security standards manual. B. performance of a comprehensive security control review by the IS auditor. C. adoption of a corporate information security policy statement. D. purchase of security access control software.

You answered A. The correct answer is C. A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? Select an answer: A. Project sponsor B. System development project team C. Project steering committee D. User project team

You answered A. The correct answer is C. A project steering committee that provides an overall direction for the ERP implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project. A system development project team completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The system development project team is not responsible for reviewing the progress of the project. A user project team completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A user project team is not responsible for reviewing the progress of the project.

In a review of the human resources policies and procedures within an organization, an IS auditor would be MOST concerned with the absence of a: Select an answer: A. requirement for job rotation on a periodic basis. B. process for formalized exit interviews. C. termination checklist requiring that keys and company property be returned and all access permissions revoked upon termination. D. requirement for employees to sign a form signifying that they have read the organization's policies.

You answered A. The correct answer is C. A termination checklist is critical to ensure the logical and physical security of an enterprise. In addition to preventing the loss of company property issued to the employee, there is the risk of unauthorized access, intellectual property theft and even sabotage by a disgruntled former employee. While the other choices are best practices, they do not present a significant risk to the organization.

An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may affect? Select an answer: A. Control risk B. Compliance risk C. Inherent risk D. Residual risk

You answered A. The correct answer is C. A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested, and would not be due to the number of users or business areas affected. B. Compliance risk is the penalty applied to current and future earnings for nonconformance to laws and regulations, and may not be impacted by the number of users and business areas affected. C. Inherent risk is normally high due to the number of users and business areas that may be affected. Inherent risk is the risk level or exposure without taking into account the actions that management has taken or might take. D. Residual risk is the remaining risk after management has implemented a risk response, and is not based on the number of user or business areas affected.

An IS auditor reviewing the authentication controls of an organization should be MOST concerned if: Select an answer: A. user accounts are not locked out after five failed attempts. B. passwords can be reused by employees within a defined time frame. C. system administrators use shared login credentials. D. password expiration is not automated.

You answered A. The correct answer is C. A. If user accounts are not locked after multiple failed attempts, a brute force attack could be used to gain access to the system. While this is a risk, a typical user would have limited system access compared to an administrator. B. The reuse of passwords is a risk. However, the use of shared login credentials by administrators is a more severe risk. C. The use of shared login credentials makes accountability impossible. D. If password expiration is not automated, it is most likely that employees will not change their passwords regularly. However, this is not as serious as passwords being shared, and the use of shared login credentials by administrators is a more severe risk.

An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose? Select an answer: A. Inspection B. Inquiry C. Walk-through D. Reperformance

You answered A. The correct answer is C. A. Inspection is just one component of a walk-through and by itself does not supply enough information to provide a full understanding of the overall process and identify potential control weaknesses. B. Inquiry provides only general information on how the control is executed. It does not necessarily enable the IS auditor to determine whether the control performer has an in-depth understanding of the control. C. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses. D. Reperformance of the control is carried out by the IS auditor and does not provide assurance of the competency of the auditee.

During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor's GREATEST concern? Select an answer: A. Restoration testing for backup media is not performed; however, all data restore requests have been successful. B. The policy for data backup and retention has not been reviewed by the business owner for the past three years. C. The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually. D. Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator.

You answered A. The correct answer is C. A. Lack of restoration testing does not increase the risk of unauthorized leakage of information. Not performing restoration tests on backup tapes poses a risk; however, this risk is somewhat mitigated because past data restore requests have been successful. B. Lack of review of the data backup and retention policy may be of a concern if systems and business processes have changed in the past three years. The IS auditor should perform additional procedures to verify the validity of existing procedures. In addition, lack of this control does not introduce a risk of unauthorized leakage of information. C. For a company working with confidential patient data, the loss of a backup tape is a significant incident. Privacy laws specify severe penalties for such an event, and the company's reputation could be damaged due to mandated reporting requirements. In order to gain assurance that tapes are being handled properly, the organization should perform audit tests that include frequent physical inventories and an evaluation of the controls in place at the third-party provider. D. Failed backup alerts that are not followed up on and resolved imply that certain data or files are not backed up. This is a concern if the files/data being backed up are critical in nature, but, typically, marketing data files are not regulated in the same way as medical transcription files. Lack of this control does not introduce a risk of unauthorized leakage of sensitive information.

An IS auditor is reviewing a large financial institution's process of remotely managing network devices over the Internet. The IS auditor should be MOST concerned if: Select an answer: A. shared credentials are used. B. no login banner is displayed. C. Telnet access is enabled. D. device logs are not captured.

You answered A. The correct answer is C. A. Shared credentials for network devices do not allow for accountability. However, the use of Telnet is a greater risk. B. Normally a login banner should indicate to unauthorized personnel that access is forbidden. Lack of a banner is a concern. However, the use of Telnet is a greater risk. C. Using Telnet over the Internet is not secure because it is not encrypted and is prone to intrusion. A more secure method, such as secure shell (SSH), should be used. D. Device logs should be captured and reviewed as a security control. However, the use of Telnet is a greater risk.

Which of the following types of risk could result from inadequate software baselining? Select an answer: A. Sign-off delays B. Software integrity violations C. Scope creep D. Inadequate controls

You answered A. The correct answer is C. A. Sign-off delays may occur due to inadequate software baselining; however, these are most likely caused by scope creep. B. Software integrity violations can be caused by hardware or software failures, malicious intrusions or user errors. Software baselining does not help prevent software integrity violations. C. A software baseline is the cutoff point in the design and development of a system. Beyond this point, additional requirements or modifications to the scope must go through formal, strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage a system through baselining can result in uncontrolled changes in a project's scope and may incur time and budget overruns. D. Inadequate controls are most likely present in situations in which information security is not duly considered from the beginning of system development; they are not a risk that can be adequately addressed by software baselining.

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented? Select an answer: A. The reporting of the mean time between failures over time B. The overall mean time to repair failures C. The first report of the mean time between failures D. The overall response time to correct failures

You answered A. The correct answer is C. A. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues. B. The mean time to repair is a reflection on the response team or help desk team in addressing reported issues. C. The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented. D. The response time is a reflection of the agility of the response team or the help desk team in addressing reported issues.

An IS auditor is conducting an audit of computer security incident response procedures for a large financial organization. Which of the following should be the IS auditor's GREATEST concern? Select an answer: A. The IT help desk is not trained to contain and resolve computer security incidents. B. Computer security incident response procedures do not identify a liaison to senior management. C. End users are not trained to identify and report on computer security incidents. D. Computer security incidents are not recorded in a centralized repository.

You answered A. The correct answer is C. A. While IT help desk personnel should be aware of computer security issues, containment and resolution is not their responsibility. The computer security incident response team is a team of specialists separate from the IT help desk, which is trained to handle computer security incidents. B. Lack of a liaison to senior management is a concern because significant computer security incidents should be reported to senior management as soon as possible. However, this is not as big a concern as the lack of end-user training to identify and report computer security incidents. C. End users that are trained to identify and report security incidents are critical to the success of computer security incident response. The biggest risk of not addressing a computer security incident is that users may fail to identify an event of significance and therefore may not report it. This may cause significant computer security incidents to remain unnoticed and/or unaddressed. D. Lack of a centralized repository to record computer security incidents is a concern. However, this is not as big a concern as the lack of end-user training to identify and report computer security incidents.

An IS auditor reviews an organizational chart PRIMARILY for: Select an answer: A. an understanding of workflows. B. investigating various communication channels. C. understanding the responsibilities and authority of individuals. D. investigating the network connected to different employees.

You answered A. The correct answer is C. An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions. A workflow chart would provide information about the roles of different employees. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.

Which of the following will MOST successfully identify overlapping key controls in business application systems? Select an answer: A. Reviewing system functionalities that are attached to complex business processes B. Submitting test transactions through an integrated test facility (ITF) C. Replacing manual monitoring with an automated auditing solution D. Testing controls to validate that they are effective

You answered A. The correct answer is C. As part of the effort to realize continuous audit management (CAM), there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts have the opportunity to come across unnecessary or overlapping key controls in existing systems. In general, highly complex business processes may have more key controls than business areas with less complexity; however, finding, with certainty, unnecessary controls in complex areas is not always possible. If a well-thought-out key control structure has been established from the beginning, finding any overlap in control will not be possible. An ITF is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls. By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.

A decision support system (DSS): Select an answer: A. is aimed at solving highly structured problems. B. combines the use of models with nontraditional data access and retrieval functions. C. emphasizes flexibility in the decision making approach of users. D. supports only structured decision making tasks.

You answered A. The correct answer is C. DSS emphasizes flexibility in the decision making approach of users. It is aimed at solving less structured problems, combines the use of models and analytic techniques with traditional data access and retrieval functions, and supports semistructured decision making tasks.

Which of the following physical access controls effectively reduces the risk of piggybacking? Select an answer: A. Biometric door locks B. Combination door locks C. Deadman doors D. Bolting door locks

You answered A. The correct answer is C. Deadman doors use a pair of doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This effectively reduces the risk of piggybacking. An individual's unique body features such as voice, retina, fingerprint or signature activate biometric door locks; however, they do not prevent or reduce the risk of piggybacking. Combination door locks, also known as cipher locks, use a numeric key pad or dial to gain entry. They do not prevent or reduce the risk of piggybacking since unauthorized individuals may still gain access to the processing center. Bolting door locks require the traditional metal key to gain entry. Unauthorized individuals could still gain access to the processing center along with an authorized individual.

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date? A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables C. Extrapolation of the overall end date based on completed work packages and current resources D. Calculation of the expected end date based on current resources and remaining available project budget

You answered A. The correct answer is C. Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (80:20 rule). The calculation based on remaining budget does not take into account the speed at which the project has been progressing.

Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data? Select an answer: A. Inheritance B. Dynamic warehousing C. Encapsulation D. Polymorphism

You answered A. The correct answer is C. Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that any implementation of the behavior of an object is not accessible. An object defines a communication interface with the exterior and only that which belongs to that interface can be accessed.

Which of the following append themselves to files as a protection against viruses? Select an answer: A. Behavior blockers B. Cyclical redundancy checkers (CRCs) C. Immunizers D. Active monitors

You answered A. The correct answer is C. Immunizers defend against viruses by appending sections of themselves to files. They continuously check the file for changes and report changes as possible viral behavior. Behavior blockers focus on detecting potentially abnormal behavior, such as writing to the boot sector or the master boot record, or making changes to executable files. CRCs compute a binary number on a known virus-free program that is then stored in a database file. When that program is subsequently called to be executed, the checkers look for changes to the files, compare it to the database and report possible infection if changes have occurred. Active monitors interpret disk operating system (DOS) and read only memory (ROM) basic input-output system (BIOS) calls, looking for virus-like actions.

An organization is using symmetric encryption. Which of the following would be a valid reason for moving to asymmetric encryption? Symmetric encryption: Select an answer: A. provides authenticity. B. is faster than asymmetric encryption. C. can cause key management to be difficult. D. requires a relatively simple algorithm.

You answered A. The correct answer is C. In a symmetric algorithm, each pair of users needs a unique pair of keys, so the number of keys grows and key management can become overwhelming. Symmetric algorithms do not provide authenticity, and symmetric encryption is faster than asymmetric encryption. Symmetric algorithms require mathematical calculations, but they are not as complex as asymmetric algorithms.

Corporate IS policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation? A. Have the current configuration approved by operations management. B. Ensure that there is an audit trail for all existing accounts. C. Implement individual user accounts for all staff. D. Amend the IS policy to allow shared accounts.

You answered A. The correct answer is C. Individual user accounts allow for accountability of transactions and should be the most important recommendation, given the current scenario. Choices A and B are recommendations that are not in compliance with the enterprise's own policy. Shared user IDs do not allow for accountability of transactions.

During which phase of software application testing should an organization perform the testing of architectural design? Select an answer: A. Acceptance testing B. System testing C. Integration testing D. Unit testing

You answered A. The correct answer is C. Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure according to the design. Acceptance testing determines whether the solution meets the requirements of the business and is performed after system staff have completed the initial system test. This testing includes both quality assurance testing (QAT) and user acceptance testing (UAT), although not combined. System testing relates a series of tests by the test team or system maintenance staff to ensure that the modified program interacts correctly with other components. System testing references the functional requirements of the system. Unit testing references the detailed design of the system and uses a set of cases that focus on the control structure of the procedural design to ensure that the internal operation of the program performs according to specification.

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: Select an answer: A. hardware configuration. B. access control software. C. ownership of intellectual property. D. application development methodology.

You answered A. The correct answer is C. Of the choices, the hardware and access control software is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. Similarly, the development methodology should be of no real concern. The contract must, however, specify who owns the intellectual property (i.e., information being processed, application programs). Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract.

An IS auditor examining the security configuration of an operating system should review the: Select an answer: A. transaction logs. B. authorization tables. C. parameter settings. D. routing tables.

You answered A. The correct answer is C. Parameters allow a standard piece of software to be customized for diverse environments and are important in determining how a system runs. The parameter settings should be appropriate to an organization's workload and control environment. Improper implementation and/or monitoring of operating systems can result in undetected errors and corruption of the data being processed, as well as lead to unauthorized access and inaccurate logging of system usage. Transaction logs are used to analyze transactions in master and/or transaction files. Authorization tables are used to verify implementation of logical access controls and will not be of much help when reviewing control features of an operating system. Routing tables do not contain information about the operating system and, therefore, provide no information to aid in the evaluation of controls.

The reason for establishing a stop or freezing point on the design of a new system is to: Select an answer: A. prevent further changes to a project in process. B. indicate the point at which the design is to be completed. C. require that changes after that point be evaluated for cost-effectiveness. D. provide the project management team with more control over the project design.

You answered A. The correct answer is C. Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost-benefits and the payback period.

The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks (RAID) level 1 in a file server is to: Select an answer: A. achieve performance improvement. B. provide user authentication. C. ensure availability of data. D. ensure the confidentiality of data.

You answered A. The correct answer is C. RAID level 1 provides disk mirroring. Data written to one disk are also written to another disk. Users in the network access data in the first disk; if disk one fails, the second disk takes over. This redundancy ensures the availability of data. RAID level 1 does not improve performance, has no relevance to authentication and does nothing to provide for data confidentiality.

Which of the following biometrics has the HIGHEST reliability and lowest false-acceptance rate (FAR)? Select an answer: A. Palm scan B. Face recognition C. Retina scan D. Hand geometry

You answered A. The correct answer is C. Retina scan uses optical technology to map the capillary pattern of an eye's retina. This is highly reliable and has the lowest FAR among the current biometric methods. Use of palm scanning entails placing a hand on a scanner where a palm's physical characteristics are captured. Hand geometry, one of the oldest techniques, measures the physical characteristics of the user's hands and fingers from a three dimensional perspective. The palm and hand biometric techniques lack uniqueness in the geometry data. In face biometrics, a reader analyzes the images captured for general facial characteristics. Though considered a natural and friendly biometric, the main disadvantage of face recognition is the lack of uniqueness, which means that people looking alike can fool the device.

Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? Select an answer: A. A user from within could send a file to an unauthorized person. B. FTP services could allow a user to download files from unauthorized sources. C. A hacker may be able to use the FTP service to bypass the firewall. D. FTP could significantly reduce the performance of a DMZ server.

You answered A. The correct answer is C. Since FTP is considered an insecure protocol, it should not be installed on a server in a DMZ. FTP could allow an unauthorized user to gain access to the network. Sending files to an unauthorized person and the risk of downloading unauthorized files are not as significant as having a firewall breach. The presence of the utility does not reduce the performance of a DMZ server; therefore, performance degradation is not a threat.

Two months after a major application implementation, management, who assumes that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to: Select an answer: A. determine whether the system's objectives were achieved. B. assess whether the planned cost benefits are being measured, analyzed and reported. C. review controls built into the system to assure that they are operating as designed. D. review subsequent program change requests.

You answered A. The correct answer is C. Since management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed. Achieving the system objectives is important; however, there may not be enough data after two months to assess whether the objectives were achieved. It is also important to assess the effectiveness of the project, however, assuring that the production environment is adequately controlled after the implementation is of primary concern. Reviewing change requests may be a good idea, but this is more important if the application is perceived to have a problem.

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit? Select an answer: A. Transaction logs B. Before and after image reporting C. Table lookups D. Tracing and tagging

You answered A. The correct answer is C. Table lookups are preventive controls; data are checked against predefined tables, which prevent any undefined data to be entered. Transaction logs are a detective control and provide audit trails. Before and after image reporting makes it possible to trace the impact that transactions have on computer records. This is a detective control. Tracing and tagging is used to test application systems and controls, but is not a preventive control in itself.

Regarding a disaster recovery plan, the role of an IS auditor should include: Select an answer: A. identifying critical applications. B. determining the external service providers involved in a recovery test. C. observing the tests of the disaster recovery plan. D. determining the criteria for establishing a recovery time objective (RTO).

You answered A. The correct answer is C. The IS auditor should be present when disaster recovery plans are tested, to ensure that the test meets the targets for restoration, and the recovery procedures are effective and efficient. As appropriate, the auditor should provide a report of the test results. All other choices are a responsibility of management.

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should: Select an answer: A. compute the amortization of the related assets. B. calculate a return on investment (ROI). C. apply a qualitative approach. D. spend the time needed to define exactly the loss amount.

You answered A. The correct answer is C. The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the financial loss in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). An ROI is computed when there is predictable savings or revenues that can be compared to the investment needed to realize the revenues. Amortization is used in a profit and loss statement, not in computing potential losses. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change, and at the end of the day, the result will be a not well-supported evaluation.

An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? Select an answer: A. An audit clause is present in all contracts. B. The service level agreement (SLA) of each contract is substantiated by appropriate key performance indicators (KPIs). C. The contractual warranties of the providers support the business needs of the organization. D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.

You answered A. The correct answer is C. The complexity of IT structures matched by the complexity and interplay of responsibilities and warranties may affect or void the effectiveness of those warranties and the reasonable certainty that the business needs will be met. All other choices are important, but not as potentially dangerous as the interplay of the diverse and critical areas of the contractual responsibilities of the outsourcers.

A benefit of quality of service (QoS) is that the: Select an answer: A. entire network's availability and performance will be significantly improved. B. telecom carrier will provide the company with accurate service-level compliance reports. C. participating applications will have bandwidth guaranteed. D. communications link will be supported by security controls to perform secure online transactions.

You answered A. The correct answer is C. The main function of QoS is to optimize network performance by assigning priority to business applications and end users, through the allocation of dedicated parts of the bandwidth to specific traffic. Choice A is not true because the communication itself will not be improved. While the speed of data exchange for specific applications could be faster, availability will not be improved. The QoS tools that many carriers are using do not provide reports of service levels; however, there are other tools that will generate service-level reports. Even when QoS is integrated with firewalls, virtual private networks (VPNs), encryption tools and others, the tool itself is not intended to provide security controls.

Which of the following would be MOST important for an IS auditor to verify while conducting a business continuity audit? Select an answer: A. Data backups are performed on a timely basis. B. A recovery site is contracted for and available as needed. C. Human safety procedures are in place. D. Insurance coverage is adequate and premiums are current.

You answered A. The correct answer is C. The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.

During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that: Select an answer: A. an unauthorized user may use the ID to gain access. B. user access management is time consuming. C. user accountability is not established. D. passwords are easily guessed.

You answered A. The correct answer is C. The use of a single user ID by more than one individual precludes knowing who, in fact, used that ID to access a system; therefore, it is more difficult to hold anyone accountable. The risk of an unauthorized user accessing the system with a shared ID is no greater than an unauthorized user accessing the system with a unique user ID. Access management would not be any different with shared IDs, and shared user IDs do not necessarily have easily guessed passwords.

To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that: A. the company policy be changed. B. passwords are periodically changed. C. an automated password management tool be used. D. security awareness training is delivered.

You answered A. The correct answer is C. The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also provide a method for ensuring frequent changes and would prevent the same user from reusing their old password for a designated period of time. Choices A, B and D do not enforce compliance.

This question refers to the following diagram. Email traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to: Select an answer: A. alert the appropriate staff. B. create an entry in the log. C. close firewall-2. D. close firewall-1.

You answered A. The correct answer is C. Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been be caused by an attack from a hacker. Closing firewall-2 is the first thing that should be done, thus preventing damage to the internal network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator valuable time can be lost, in which a hacker could also compromise firewall-2. An entry in the log is valuable for later analysis, but before that, the IDS should close firewall-2. If firewall-1 has already been compromised by a hacker, it might not be possible for the IDS to close it.

An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task? Select an answer: A. Computer-aided software engineering (CASE) tools B. Embedded data collection tools C. Trend/variance detection tools D. Heuristic scanning tools

You answered A. The correct answer is C. Trend/variance detection tools look for anomalies in user or system behavior, such as invoices with increasing invoice numbers. CASE tools are used to assist in software development. Embedded (audit) data collection software, such as systems control audit review file (SCARF) or systems audit review file (SARF), is used to provide sampling and production statistics, but not to conduct an audit log analysis. Heuristic scanning tools are a type of virus scanning used to indicate possible infected codes.

ABC Inc. offers a number of services though its web site. During one day, senior executives of ABC Inc. were surprised to discover that sensitive data on their servers were being leaked to unauthorized individuals on the Internet. Postincident investigations revealed that ABC Inc.'s key servers were infected with a Trojan. The incident occurred after deployment of a newly acquired module from a software vendor, which was tested on test servers in accordance with functional specifications. The incident had gone unnoticed for a period of about four weeks. A potential cause of the leak may have been malware embedded in the new module. Which of the following tests would BEST indicate that a data leak has occurred due to the presence of malware? Select an answer: A. Memory usage analysis B. Storage utilization analysis C. Network behavior analysis D. Database performance analysis

You answered A. The correct answer is C. Unusual traffic captured via an intrusion detection system (IDS) or via filtering logs of the firewall is indicative of malware presence. When testing an application, it is common to perform network testing to identify the way in which the application works on the network. As part of this process, the packet capture would likely identify the communication initiated by a malware process. Memory usage analysis may not indicate whether data theft is occurring. Storage utilization analysis is not relevant in malware detection. Database performance analysis is not relevant in this context.

Which of the following is the BEST method for determining the criticality of each application system in the production environment? Select an answer: A. Interview the application programmers. B. Perform a gap analysis. C. Review the most recent application audits. D. Perform a business impact analysis (BIA).

You answered A. The correct answer is D. A BIA will give the impact of the loss of each application. Interviews with the application programmers will provide limited information related to the criticality of the systems. A gap analysis is only relevant to systems development and project management. The audits may not contain the required information or may not have been done recently.

Which of the following is MOST important to an IS auditor reviewing an organization that allows the use of personal mobile devices on the organization's network? Select an answer: A. Organization's ability to track assets B. Risk of malware infection C. Patch management of device software D. Compliance with security specifications

You answered A. The correct answer is D. A. An organization should maintain a list of devices owned by users that access the organization's network, which would allow the organization to track the device in the event of theft or loss. However, compliance with security specifications is more important to ensure protection of the organization's data. B. The organization can enforce the use of anti-malware software on personally owned mobile devices through its security specification. Compliance with the security specification is most important. C. A personally owned device may not receive updates to software as needed. The organization should enforce patch management activities through its security specifications. Compliance with the security specification is most important. D. There are multiple issues associated with the use of personal mobile devices on the organization's network. The most important factor is that the device may not comply with the organization's security specifications. The organization should ensure that it can adequately enforce security specifications on personally owned mobile devices before allowing them to connect. The security specifications should enforce password configuration, screen time-out, encryption settings and remote data wipe capabilities to ensure that organization-owned data can be protected.

An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review? Select an answer: A. Controls are implemented based on cost-benefit analysis. B. The risk management framework is based on global standards. C. The approval process for risk response is in place. D. IT risk is presented in business terms.

You answered A. The correct answer is D. A. Controls to mitigate risk must be implemented based on cost-benefit analysis; however, the cost-benefit analysis is effective only if risk is presented in business terms. B. A risk management framework based on global standards helps in ensuring completeness; however, organizations must adapt it to suit specific business requirements. C. Approvals for risk response come later in the process. D. In order for risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms.

Which of the following is a PRIMARY objective of an acceptable use policy? Select an answer: A. Creating awareness about the secure use of proprietary resources B. Ensuring compliance with information security policies C. Defining sanctions for noncompliance D. Controlling how proprietary information systems are used

You answered A. The correct answer is D. A. Employee orientations and user awareness training are the most effective processes to raise user awareness about the acceptable use of proprietary IT resources. The acceptable use policy is one of the topics covered during training and is often signed after employee orientation and during periodic user awareness training. B. The acceptable use policy is a subset of the information security policies that focus on the end user and a specific topic. Information security policies are much broader in overall content and include a wider audience. C. Although the policy may include a statement regarding the sanctions for noncompliance, sanctions are not the primary objective of the acceptable use policy; prevention is the primary objective. D. Inappropriate use of proprietary IT resources by users exposes enterprises to a variety of risk scenarios, including malware attacks, compromise and unavailability of critical systems, and legal issues. To address such risk, a policy supported by guidelines is put into effect to define how information system resources will be used. An acceptable use policy ensures that users are made aware of acceptable usage and the need to acknowledge that they are aware.

There is a concern that the risk of unauthorized access may increase after implementing a single sign-on (SSO) process. To prevent unauthorized access, the MOST important action is to: A. ensure that all failed authentication attempts are monitored. B. review log files regularly. C. ensure that all unused accounts are deactivated. D. mandate a strong password policy.

You answered A. The correct answer is D. A. Ensuring that all failed authentication attempts are monitored is a good practice; however, a strong password policy is a better preventive control. B. Reviewing the log files can increase the probability of detecting unauthorized access, but may not be effective in preventing unauthorized access. C. Ensuring that all unused accounts are deactivated is important; however, a strong password policy is a better preventive control. D. SSO is a great productivity boost for users and the IT organization because users do not need to enter user IDs and passwords repeatedly. SSO significantly reduces the number of IT help desk calls regarding lost passwords. For any authentication system, SSO or a strong password policy is crucial.

Which of the following is the MOST efficient way to test the design effectiveness of a change control process? Select an answer: A. Test a sample population of change requests B. Test a sample of authorized changes C. Interview personnel in charge of the change control process D. Perform an end-to-end walk-through of the process

You answered A. The correct answer is D. A. Testing a sample population of changes is a test of operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design. B. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization. C. Interviewing personnel in charge of the change control process is not as effective as a walk-through of the change control process. D. Observation is the best and most effective method to test changes to ensure that the process is effectively designed.

Which of the following activities should the business continuity manager perform FIRST after the replacement of hardware at the primary information processing facility? Select an answer: A. Verify compatibility with the hot site B. Review the implementation report C. Perform a walk-through of the disaster recovery plan D. Update the IT asset inventory

You answered A. The correct answer is D. An IT assets inventory is the basic input for the business continuity/disaster recovery plan, and the plan must be updated to reflect changes in the IT infrastructure. The other choices are procedures required to update the disaster recovery plan after having updated the required assets inventory.

An employee has received a digital photo frame as a gift and has connected it to his/her work PC to transfer digital photos. The PRIMARY risk that this scenario introduces is that: Select an answer: A. the photo frame storage media could be used to steal corporate data. B. the drivers for the photo frame may be incompatible and crash the user's PC. C. the employee may bring inappropriate photographs into the office. D. the photo frame could be infected with malware.

You answered A. The correct answer is D. Any storage device can be a vehicle for infecting other computers with malware. Recently, it has been discovered that some devices are infected in the factory during the manufacturing process and controls should exist to prohibit employees from connecting any storage media devices to their company-issued PCs. While any storage device could be used to steal data, and other issues such as drivers or inappropriate content could result, the damage caused by malware could be widespread and severe for the enterprise.

Which of the following security measures BEST ensures the integrity of information stored in a data warehouse? A. Validated daily backups B. Change management procedures C. Data dictionary maintenance D. A read-only restriction

You answered A. The correct answer is D. Applying read-only restrictions to historical information prevents data manipulation. Backups address availability, not integrity. Adequate change management and data dictionary maintenance procedures provide the integrity of historical information stored in a data warehouse; however, read-only restriction provides the most secure measure for integrity.

An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violated? Select an answer: A. Consistency B. Isolation C. Durability D. Atomicity

You answered A. The correct answer is D. Atomicity guarantees that either the entire transaction is processed or none of it is. Consistency ensures that the database is in a legal state when the transaction begins and ends. Isolation means that, while in an intermediate state, the transaction data are invisible to external operations. Durability guarantees that a successful transaction will persist, and cannot be undone.

A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of: Select an answer: A. validation controls. B. internal credibility checks. C. clerical control procedures. D. automated systems balancing.

You answered A. The correct answer is D. Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction. Validation controls and internal credibility checks are certainly valid controls, but will not detect and report lost transactions. In addition, although a clerical procedure could be used to summarize and compare inputs and outputs, an automated process is less susceptible to error.

During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by a supervisor would represent the BEST compensating control? Select an answer: A. Audit trails that show the date and time of the transaction B. A summary daily report with the total numbers and dollar amounts of each transaction C. User account administration D. Computer log files that show individual transactions in the financial system

You answered A. The correct answer is D. Computer logs will record the activities of individuals during their access to a computer system or data file and will record any abnormal activities, such as the modification or deletion of financial data. An audit trail of only the date and time of the transaction would not be sufficient to compensate for the risk of multiple functions being performed by the same individual. Review of the summary financial reports would not compensate for the segregation of duties issue. Supervisor review of user account administration would be a good control; however, it may not detect inappropriate activities.

An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low-risk application. The BEST course of action for the IS auditor is to: Select an answer: A. recommend that mandatory access control (MAC) be implemented. B. report this as an issue. C. report this issue to the data owners to determine whether it is an exception. D. not report this issue since discretionary access controls (DACs) are in place.

You answered A. The correct answer is D. DAC allows data owners to modify access, which is a normal procedure and is a benefit of DAC. Recommending MAC is not correct because it is more appropriate for data owners to have DAC in a low-risk application. The use of DAC may not be an exception and, until confirmed, should not be reported as an issue. While an IS auditor may consult with data owners regarding whether this access is allowed normally, the IS auditor should not rely on the auditee to determine whether this is an issue.

Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by: Select an answer: A. database integrity checks. B. validation checks. C. input controls. D. database commits and rollbacks.

You answered A. The correct answer is D. Database commits ensure the data are saved to disk, while the transaction processing is underway or complete. Rollback ensures that the already completed processing is reversed back, and the data already processed are not saved to the disk in the event of the failure of the completion of the transaction processing. All other options do not ensure integrity while processing is underway.

An IS auditor is involved in the reengineering process that aims to optimize IT infrastructure. Which of the following will BEST identify the issues to be resolved? Select an answer: A. Self-assessment B. Reverse engineering C. Prototyping D. Gap analysis

You answered A. The correct answer is D. Gap analysis would be the best method to identify issues that need to be addressed in the reengineering process. Gap analysis indicates which parts of current processes conform to best practices and which do not. Self-assessment may be one of the viable options with which to start; however, the results tend to become subjective and its effectiveness may be limited. Reverse engineering is a technique applied to analyze the functionality of certain programs and is not the best approach. Prototyping is applied to ensure user requirements prior to being engaged in a full-blown development process.

Responsibility for the governance of IT should rest with the: Select an answer: A. IT strategy committee. B. chief information officer (CIO). C. audit committee. D. board of directors.

You answered A. The correct answer is D. Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly. The audit committee, the CIO and the IT strategy committee all play a significant role in the successful implementation of IT governance within an organization, but the ultimate accountability resides with the board of directors.

A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor? Select an answer: A. Offsite storage of daily backups B. Alternative standby processor onsite C. Installation of duplex communication links D. Alternative standby processor at another network node

You answered A. The correct answer is D. Having an alternative standby processor at another network node would be the best solution. The unavailability of the central communications processor would disrupt all access to the banking network, resulting in the disruption of operations for all of the shops. This could be caused by failure of equipment, power or communications. Offsite storage of backups would not help, since EFT tends to be an online process and offsite storage will not replace the dysfunctional processor. The provision of an alternate processor onsite would be fine if it were an equipment problem, but would not help in the case of a power outage. Installation of duplex communication links would be most appropriate if it were only the communication link that failed.

When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next: Select an answer: A. recommend that the database be normalized. B. review the conceptual data model. C. review the stored procedures. D. review the justification.

You answered A. The correct answer is D. If the database is not normalized, the IS auditor should review the justification since, in some situations, denormalization is recommended for performance reasons. The IS auditor should not recommend normalizing the database until further investigation takes place. Reviewing the conceptual data model or the stored procedures will not provide information about normalization.

An IS auditor is planning an audit of a bank wire transfer system in the context of a regulation that requires banks to accurately report transactions. Which of the following represents the PRIMARY focus of the audit scope? Select an answer: A. Data availability B. Data confidentiality C. Currency of data D. Data integrity

You answered A. The correct answer is D. Integrity represents accuracy of data and confidentiality represents availability of data to the customers or persons authorized by customers. Although choices A, B and C are important, they are not as important in this case as accuracy.

A database administrator has detected a performance problem with some tables which could be solved through denormalization. This situation will increase the risk of: Select an answer: A. concurrent access. B. deadlocks. C. unauthorized access to data. D. a loss of data integrity.

You answered A. The correct answer is D. Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with the consequent loss of data integrity. Deadlocks are not caused by denormalization. Access to data is controlled by defining user rights to information, and is not affected by denormalization.

A database administrator has detected a performance problem with some tables which could be solved through denormalization. This situation will increase the risk of: Select an answer: A. concurrent access. B. deadlocks. C. unauthorized access to data. D. a loss of data integrity.

You answered A. The correct answer is D. Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with the consequent loss of data integrity. Deadlocks are not caused by denormalization. Access to data is controlled by defining user rights to information, and is not affected by denormalization.

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function? Select an answer: A. Advise on the adoption of application controls to the new database software. B. Provide future estimates of the licensing expenses to the project team. C. Recommend at the project planning meeting how to improve the efficiency of the migration. D. Review the acceptance test case documentation before the tests are carried out.

You answered A. The correct answer is D. Of the options presented, only the review of the test cases will facilitate the objective. Independence could be compromised if the IS auditor advises on the adoption of specific application controls. Independence could be compromised if the IS auditor were to audit the estimate of future expenses used to support a business case for management approval of the project. Advising the project manager on how to increase the efficiency of the migration may compromise the IS auditor's independence.

During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the: Select an answer: A. event error log generated at the disaster recovery site. B. disaster recovery test plan. C. disaster recovery plan (DRP). D. configurations and alignment of the primary and disaster recovery sites.

You answered A. The correct answer is D. Since the configuration of the system is the most probable cause, the IS auditor should review that first. If the issue cannot be clarified, the IS auditor should then review the event error log. The disaster recovery test plan and the DRP would not contain information about the system configuration.

An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies? Select an answer: A. Digitalized signatures B. Hashing C. Parsing D. Steganography

You answered A. The correct answer is D. Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographical technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities. Digitalized signatures are not related to digital rights management. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing.

Which of the following provides the best evidence of the adequacy of a security awareness program? Select an answer: A. The number of stakeholders including employees trained at various levels B. Coverage of training at all locations across the enterprise C. The implementation of security devices from different vendors D. Periodic reviews and comparison with best practices

You answered A. The correct answer is D. The adequacy of security awareness content can best be assessed by determining whether it is periodically reviewed and compared to industry best practices. Choices A, B and C provide metrics for measuring various aspects of a security awareness program, but do not help assess the content.

During a postimplementation review of a firewall upgrade project, an IS auditor discovered that several ports were left open that were not required for business purposes. It was determined that the ports were opened for a test server that was no longer being used. What is the BEST control to recommend so that this situation will not recur? Select an answer: A. Firewall rule changes should happen only if the changes are properly documented. B. Test servers should never be connected via the production firewall. C. IT management should engage a third party to review the firewall rules and to conduct a penetration test on a quarterly basis. D. The security administrator should perform periodic reviews to validate firewall rules.

You answered A. The correct answer is D. The best and most effective method for the enterprise to verify that its firewall rule base is correct is to perform periodic reviews itself. While documenting firewall rule changes is important, the only way to gain assurance that these controls are functioning properly is to test the end result, which is the firewall rule base. There is no significant risk of performing testing of a web application on the production firewall as long as the proper security controls are in place for the test application. While a third-party review provides a high level of assurance that the firewall rule base is correct, the cost and coordination issues involved with this approach make this a less viable option.

In regard to moving an application program from the test environment to the production environment, the BEST control would be to have the: Select an answer: A. application programmer copy the source program and compiled object module to the production libraries. B. application programmer copy the source program to the production libraries and then have the production control group compile the program. C. production control group compile the object module to the production libraries using the source program in the test environment. D. production control group copy the source program to the production libraries and then compile the program.

You answered A. The correct answer is D. The best control would be provided by having the production control group copy the source program to the production libraries and then compile the program.

The implementation of access controls FIRST requires: Select an answer: A. a classification of IS resources. B. the labeling of IS resources. C. the creation of an access control list. D. an inventory of IS resources

You answered A. The correct answer is D. The first step in implementing access controls is an inventory of IS resources, which is the basis for classification. Labeling of resources cannot be done without first determining the resources' classifications. The access control list (ACL) would not be done without a meaningful classification of resources.

Which of the following auditing techniques is the MOST appropriate for a retail business with a large volume of transactions to address emerging risk proactively? Select an answer: A. Use of Computer Assisted Audit Techniques (CAATs) B. Control self-assessment C. Sampling of transaction logs D. Continuous auditing

You answered A. The correct answer is D. The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes to achieve quicker implementation of corrective actions by management. Using software tools such as CAATs to analyze transaction data can provide detailed analysis of trends and potential risk, but it is not as effective as continuous auditing, because there may be a time differential between executing the software and analyzing the results. Control self-assessment helps process owners assess the control environment and educates them on control design and monitoring. The sampling of transaction logs is a valid audit technique; however, risk may exist that is not captured in the transaction log and there may be a potential time lag in the analysis.

An organization is disposing of a number of laptop computers. Which of the following data destruction methods would be the MOST effective? Select an answer: A. Run a low-level data wipe utility on all hard drives. B. Erase all data file directories. C. Format all hard drives. D. Physical destruction of the hard drive.

You answered A. The correct answer is D. The most effective method is physical destruction. Running a low-level data wipe utility may leave some residual data that could be recovered; erasing data directories and formatting hard drives are easily reversed, exposing all data on the drive to unauthorized individuals.

Which of the following IT governance best practices improves strategic alignment? A. Supplier and partner risk is managed. B. A knowledge base on customers, products, markets and processes is in place. C. A structure is provided that facilitates the creation and sharing of business information. D. Top management mediate between the imperatives of business and technology.

You answered A. The correct answer is D. Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice. Supplier and partner risk being managed is a risk management best practice. A knowledge base on customers, products, markets and processes being in place is an IT value delivery best practice. An infrastructure being provided to facilitate the creation and sharing of business information is an IT value delivery and risk management best practice.

An IS auditor performing a review of a major software development project finds that it is on schedule and under budget due to unplanned overtime by software developers. The IS auditor should: Select an answer: A. conclude that the project is progressing as planned since dates are being met. B. question the project manager further to identify whether overtime costs are being tracked accurately. C. conclude that the programmers are intentionally working slowly to earn extra overtime pay. D. investigate further to determine whether the project plan may not be accurate.

You answered A. The correct answer is D. While the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project plan is based on a certain number of hours, and requiring programmers to work considerable overtime is not a best practice. While overtime costs may be an indicator that something is wrong with the plan, in many organizations the programming staff may be salaried, so overtime costs may not be directly recorded. It is possible that the programmers are trying to take advantage of the time system, but if they are not paid extra for overtime, they may not want to work the extra hours.

An offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a: Select an answer: A. cold site. B. warm site. C. dial-up site. D. duplicate processing facility.

You answered B. The correct answer is A. A cold site is ready to receive equipment but does not offer any components at the site in advance of the need. A warm site is an offsite backup facility that is partially configured with network connections and selected peripheral equipment—such as disk and tape units, controllers and central processing units (CPUs)—to operate an information processing facility. A duplicate information processing facility is a dedicated, self-developed recovery site that can back up critical applications.

An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make? Select an answer: A. Consider the feasibility of a separate user acceptance environment. B. Schedule user testing to occur at a given time each day. C. Implement a source code version control tool. D. Only retest high-priority defects.

You answered B. The correct answer is A. A separate environment or environments is normally necessary for testing to be efficient and effective, and to ensure the integrity of production code. It is important that the development and testing code base be separate. When defects are identified they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production. This enforces a separation between development and production code. The logistics of setting up and refreshing customized test data is easier if a separate environment is maintained. If developers and testers are sharing the same environment, they have to work effectively at separate times of the day. It is unlikely that this would provide optimum productivity. Use of a source code control tool is a good practice, but it does not properly mitigate the lack of an appropriate testing environment. Even low priority fixes run the risk of introducing unintended results when combined with the rest of the system code. To prevent this, regular regression testing covering all code changes should occur. A separate test environment makes the logistics of regression testing easier to manage.

An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit? Select an answer: A. To detect data transposition errors. B. To ensure that transactions do not exceed predetermined amounts. C. To ensure that data entered are within reasonable limits. D. To ensure that data entered are within a predetermined range of values.

You answered B. The correct answer is A. A. A check digit is a numeric value added to data to ensure that original data are correct and have not been altered. B. Ensuring that data have not exceeded a predetermined amount is a limit check. C. Ensuring that data entered are within predetermined reasonable limits is a reasonableness check. D. Ensuring that data entered are within a predetermined range of values is a range check.

A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision? Select an answer: A. Technical skills and knowledge within the organization related to sourcing and software development B. Privacy requirements as applied to the data processed by the application C. Whether the legacy system being replaced was developed in-house D. The users not devoting reasonable time to define the functionalities of the solution

You answered B. The correct answer is A. A. Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application. B. Privacy regulations on the data impact the usage of the application, not its preparation. C. While individuals with knowledge of the legacy system are helpful, they may not have the technical skills to build a new system. Therefore, this is not the primary factor influencing the make vs. buy decision. D. Unclear business requirements (functionalities) will similarly affect either development process, but are not the primary factor influencing the make vs. buy decision.

Which of the following is the BEST information source to obtain evidence when a server has been compromised by malware? Select an answer: A. Volatile data held in computer resources B. Operating system (OS) event log history C. Firewall event log history D. OS configuration files

You answered B. The correct answer is A. A. Information held in computer resources, such as the contents of a server's random access memory (RAM) memory, is the best information source when investigating a server compromise. B. OS logs are valuable; however, it is possible that the logs may have been tampered with or erased. Therefore, the volatile data are of greater value. C. Firewall event log history is a valid data source. However, the network intrusion may have happened over an authorized data port, and therefore there would not be a record of the intrusion in the firewall logs. D. OS configuration files may have been modified as part of the server compromise, so this would be a valid evidence source. However, volatile data held in the server's RAM memory are a better source of evidence.

Segmenting a highly sensitive database results in: Select an answer: A. reduced exposure. B. reduced threat. C. less criticality. D. less sensitivity.

You answered B. The correct answer is A. A. Segmenting data reduces the quantity of data exposed as a result of a particular event. B. The threat may remain constant, but each segment may represent a different vector against which it must be directed. C. Criticality of data is not affected by the manner in which it is segmented. D. Sensitivity of data is not affected by the manner in which it is segmented.

After a disaster declaration, the media creation date at a warm recovery site is based on the: Select an answer: A. recovery point objective (RPO). B. recovery time objective (RTO). C. service delivery objective (SDO). D. maximum tolerable outage (MTO).

You answered B. The correct answer is A. A. The RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The media creation date will reflect the point to which data are to be restored or the RPO. B. The RTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. C. The SDO is directly related to the business needs, and is the level of service to be reached during the alternate process mode until the normal situation is restored. D. The MTO is the maximum time that an organization can support processing in alternate mode.

Which of the following is the BEST method of disposing of sensitive data on a former employee's laptop so that it can be reused by another employee? A. Overwrite the hard drive sectors. B. Degauss the hard drive. C. Reimage the computer. D. Format the hard drive.

You answered B. The correct answer is A. A. Using a utility to overwrite each sector of the hard drive is the best way to ensure that data are not recoverable from the laptop. This method writes a sequence of information across the entire drive, therefore securely erasing existing data. B. Degaussing the hard drive will demagnetize it, which will remove the data, but will also render the hard drive unusable. This will prevent the laptop from being reused by another employee. C. Reimaging the hard drive does not ensure the data are unrecoverable. Residual data could remain on the hard drive, creating a risk of unauthorized access of those data. D. Formatting a hard drive does not erase all existing data. Some residual data may remain on the hard drive.

After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should: Select an answer: A. expand activities to determine whether an investigation is warranted. B. report the matter to the audit committee. C. report the possibility of fraud to top management and ask how they would like to proceed. D. consult with external legal counsel to determine the course of action to be taken.

You answered B. The correct answer is A. An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have authority to consult with external legal counsel.

Which of the following is MOST critical for the successful implementation and maintenance of a security policy? Select an answer: A. Assimilation of the framework and intent of a written security policy by all appropriate parties B. Management support and approval for the implementation and maintenance of a security policy C. Enforcement of security rules by providing punitive actions for any violation of security rules D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

You answered B. The correct answer is A. Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the password is of little value. Management support and commitment is, no doubt, important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, is also required, along with the user's education on the importance of security.

Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected higher: Select an answer: A. downtime costs. B. resumption costs. C. recovery costs. D. walk-through costs.

You answered B. The correct answer is A. Because management considered a longer time window for recovery in plan B, downtime costs included in the plan are likely to be higher. Because the recovery time for plan B is longer, resumption and recovery costs can be expected to be lower. Walk-through costs are not a part of disaster recovery.

A consulting firm has created an FTP site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that: Select an answer: A. the FTP name and credentials are transmitted in cleartext during data transfer. B. the site credentials were sent to the financial services company via email. C. personnel at the consulting firm may obtain access to sensitive data. D. the use of a shared user ID to the FTP site does not allow for user accountability.

You answered B. The correct answer is A. Credentials that are transmitted in cleartext are vulnerable to compromise through the use of packet sniffers or other means. Once the site credentials are compromised, an unauthorized external party may download sensitive company data. Even though the data should be encrypted, there is always the possibility that since the process to encrypt the data was manual that a user forgot to encrypt sensitive data before transmitting them. Additionally, once the data have been accessed by an unauthorized external party, they may be cracked at leisure. While email transmittal of credentials is not optimal, the site address, user ID and password were sent in separate messages. The chance of all three messages being intercepted at random is low. The overall risk of using FTP is greater than the risk of password compromise via email. This is not a risk because personnel at the consulting firm require access to these data per the company's request. Tracing accountability is of minimal concern compared to the compromise of sensitive data.

The FIRST step in data classification is to: Select an answer: A. establish ownership. B. perform a criticality analysis. C. define access rules. D. create a data dictionary.

You answered B. The correct answer is A. Data classification is necessary to define access rules based on a need-to-do and need-to-know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification. The other choices are incorrect. A criticality analysis is required for protection of data, which takes input from data classification. Access definition is complete after data classification and input for a data dictionary is prepared from the data classification process.

Which of the following would normally be the MOST reliable evidence for an IS auditor? Select an answer: A. A confirmation letter received from a third party verifying an account balance B. Assurance from line management that an application is working as designed C. Trend data obtained from World Wide Web (Internet) sources D. Ratio analysis developed by the IS auditor from reports supplied by line management

You answered B. The correct answer is A. Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable as choice A.

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs: Select an answer: A. periodic review of user activities logs. B. verification of user authorization at the field level. C. review of data communication access activities logs. D. periodic review of changing data files.

You answered B. The correct answer is A. General operating system access control functions include logging user activities, events, etc. Choice B is a database- and/or an application-level access control function. Choice C is a network control feature. Choice D is a change control.

An IS auditor should use statistical sampling and not judgmental (nonstatistical) sampling, when: A. the probability of error must be objectively quantified. B. the auditor wishes to avoid sampling risk. C. generalized audit software is unavailable. D. the tolerable error rate cannot be determined.

You answered B. The correct answer is A. Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). Choice B is incorrect because sampling risk is the risk of a sample not being representative of the population. This risk exists for both judgment and statistical samples. Choice C is incorrect because statistical sampling does not require the use of generalized audit software. Choice D is incorrect because the tolerable error rate must be predetermined for both judgment and statistical sampling.

When testing program change requests, an IS auditor finds that the population of changes was too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take? Select an answer: A. Develop an alternate testing procedure. B. Report the finding to management as a deficiency. C. Perform a walk-through of the change management process. D. Create additional sample changes to programs.

You answered B. The correct answer is A. If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure. There is not enough evidence to report the finding as a deficiency. A walk-through should not be initiated until an analysis is performed to confirm that this could provide the required assurance. It would not be appropriate for an IS auditor to create sample data for the purpose of the audit.

An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor: Select an answer: A. implemented a specific functionality during the development of the application system. B. designed an embedded audit module exclusively for auditing the application system. C. participated as a member of the application system project team, but did not have operational responsibilities. D. provided consulting advice concerning application system best practices.

You answered B. The correct answer is A. Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system. Choices B and C are situations that do not impair an IS auditor's independence. Choice D is incorrect because an IS auditor's independence is not impaired by providing advice on known best practices.

Which one of the following could be used to provide automated assurance that proper data files are being used during processing? Select an answer: A. Internal labeling, including file header records B. Version usage C. Parity checking D. File security controls

You answered B. The correct answer is A. Internal labeling, including file header records, is correct because it can provide assurance that proper data files are being used and it allows for automatic checking. Version usage is not correct because this may not necessarily allow for automatic checking. This helps only in respect to assurance that the correct file and version are being used. Parity checking is not correct because it is a data integrity validation method typically used by a data transfer program. While parity checking may help to ensure that data and program files are transferred successfully, it does not help to ensure that the proper data or program files are being used. File security controls is not correct because they cannot be used to provide assurance that proper data files are being used and cannot allow for automatic checking. They can be used to provide assurance that unauthorized users do not have access to the application and/or access to read or alter the data in an unauthorized manner.

The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all: Select an answer: A. outgoing traffic with IP source addresses external to the network. B. incoming traffic with discernible spoofed IP source addresses. C. incoming traffic with IP options set. D. incoming traffic to critical hosts.

You answered B. The correct answer is A. Outgoing traffic with an IP source address different than the IP range in the network is invalid. In most of the cases, it signals a DoS attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the attack.

As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through: Select an answer: A. performance measurement. B. strategic alignment. C. value delivery. D. resource management.

You answered B. The correct answer is A. Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement as it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.

With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the: Select an answer: A. clarity and simplicity of the business continuity plans. B. adequacy of the business continuity plans. C. effectiveness of the business continuity plans. D. ability of IS and end-user personnel to respond effectively in emergencies.

You answered B. The correct answer is A. The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple. To evaluate adequacy, the IS auditor should review the plans and compare them to appropriate standards. To evaluate effectiveness, the IS auditor should review the results from previous tests. This is the best determination for the evaluation of effectiveness. An understanding of roles and responsibilities by key stakeholders will assist in ensuring the business continuity plan is effective. To evaluate the response, the IS auditor should review results of continuity tests. This will provide the IS auditor with assurance that target and recovery times are met. Emergency procedures and employee training need to be reviewed to determine whether the organization had implemented plans to allow for the effective response.

A private enterprise has a project in place to modify the financial accounting system to comply with major changes in tax laws. Prior to going live, the finance manager, who is the application owner, went on emergency leave and could not complete functional testing of the changes. The development team lead believes that the changes should be implemented without approval from the business process owner. Which of the following is TRUE? Select an answer: A. The changes can be moved to production without business process owner approval if appropriate testing is performed and the enterprise owner approves the move to production. B. Changes should never be promoted to production without application owner approval. If there is an urgent need to implement the change, the manager covering for the finance manager should review the testing and provide approval. C. The changes can be moved to production because the application has been in use for five years and has been stable; the development team lead can act as the backup to the finance manager approval and approve the changes. D. The changes can be moved to production without business process owner approval because the development team lead has significant knowledge in accounting and was also involved in development of the changes.

You answered B. The correct answer is A. The business process owner should be consulted for any changes to the application. The head of operations is ultimately accountable; in a privately owned enterprise, that would include the enterprise owner. Application owner approval is essential prior to implementing any application change; however, there may be particular circumstances that allow for a move to production without the formal approval of the application owner. Changes to the application always require prior independent testing to mitigate the risk of an inappropriate outcome from the changes. Application lifetime and stability are not significant factors for assessing whether changes are ready for a move to production. Changes to business-critical applications would always require independent testing to mitigate the risk of program or logic errors. Since the development head was involved in development of the changes, approval by the same individual would create a segregation of duties issue.

Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? A. Rank requirements and test in terms of importance and frequency of use. B. Test coverage should be restricted to functional requirements. C. Automate tests should be performed through the use of scripting. D. The number of required test runs should be reduced by retesting only defect fixes.

You answered B. The correct answer is A. The idea is to maximize the usefulness of testing by concentrating on the most important aspects of the system and, therefore, on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements because complexity tends to increase the likelihood of defects. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress, i.e., introduced errors in parts of the system that were previously working correctly. For this reason, it is a best practice to undertake formal regression testing after defect fixes have been implemented.

The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the: Select an answer: A. duration of the outage. B. type of outage. C. probability of the outage. D. cause of the outage.

You answered B. The correct answer is A. The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives.

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that: Select an answer: A. increases in quality can be achieved, even if resource allocation is decreased. B. increases in quality are only achieved if resource allocation is increased. C. decreases in delivery time can be achieved, even if resource allocation is decreased. D. decreases in delivery time can only be achieved if quality is decreased.

You answered B. The correct answer is A. The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing either one or both remaining dimensions. Thus, if resource allocation is decreased an increase in quality can be achieved, if a delay in the delivery time of the project will be accepted. The area of the triangle always remains constant.

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that: Select an answer: A. increases in quality can be achieved, even if resource allocation is decreased. B. increases in quality are only achieved if resource allocation is increased. C. decreases in delivery time can be achieved, even if resource allocation is decreased. D. decreases in delivery time can only be achieved if quality is decreased.

You answered B. The correct answer is A. The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing either one or both remaining dimensions. Thus, if resource allocation is decreased an increase in quality can be achieved, if a delay in the delivery time of the project will be accepted. The area of the triangle always remains constant.

During the review of a biometrics system operation, an IS auditor should FIRST review the stage of: Select an answer: A. enrollment. B. identification. C. verification. D. storage.

You answered B. The correct answer is A. The users of a biometrics device must first be enrolled in the device. The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be used in the matching processes.

In the process of evaluating program change controls, an IS auditor would use source code comparison software to: Select an answer: A. examine source program changes without information from IS personnel. B. detect a source program change made between acquiring a copy of the source and the comparison run. C. confirm that the control copy is the current version of the production program. D. ensure that all changes made in the current source copy are detected.

You answered B. The correct answer is A. When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify the changes. Choice B is incorrect, because the changes made since the acquisition of the copy are not included in the copy of the software. Choice C is incorrect, as an IS auditor will have to gain this assurance separately. Choice D is incorrect, because any changes made between the time the control copy was acquired and the source code comparison is made will not be detected.

During maintenance of a relational database, several values of the foreign key in a transaction table have been corrupted. The consequence is that: Select an answer: A. the detail of involved transactions may no longer be associated with master data, causing errors when these transactions are processed. B. there is no way of reconstructing the lost information, except by deleting the dangling tuples and reentering the transactions. C. the database will immediately stop execution and lose more information. D. the database will no longer accept input data.

You answered B. The correct answer is A. When the external key of a transaction is corrupted or lost, the application system will normally be incapable of directly attaching the master data to the transaction data. This will normally cause the system to undertake a sequential search and slow down the processing. If the concerned files are big, this slowdown will be unacceptable. Choice B is incorrect since a system can recover the corrupted external key by reindexing the table. Choices C and D would not result from a corrupted foreign key.

The BEST overall quantitative measure of the performance of biometric control devices is: Select an answer: A. false-rejection rate (FRR). B. false-acceptance rate (FAR). C. equal-error rate (EER). D. estimated-error rate.

You answered B. The correct answer is C. A low EER is a combination of a low FRR and a low FAR. EER, expressed as a percentage, is a measure of the number of times that the FRR and FAR are equal. A low EER is the measure of the more effective biometrics control device. Low FRRs or low FARs alone do not measure the efficiency of the device. Estimated-error rate is nonexistent and therefore irrelevant.

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? Select an answer: A. Project sponsor B. System development project team C. Project steering committee D. User project team

You answered B. The correct answer is C. A project steering committee that provides an overall direction for the ERP implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project. A system development project team completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The system development project team is not responsible for reviewing the progress of the project. A user project team completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A user project team is not responsible for reviewing the progress of the project.

An IS auditor is evaluating the controls around provisioning visitor access cards to the organization's IT facility. The IS auditor notes that daily reconciliation of visitor card inventory is not carried out as mandated. However, an inventory count carried out by the IS auditor reveals no missing access cards. In this context, the IS auditor should: Select an answer: A. disregard the lack of reconciliation because no discrepancies were discovered. B. recommend regular physical inventory counts be performed in lieu of daily reconciliation. C. report the lack of daily reconciliation as an exception. D. recommend the implementation of a biometric access system.

You answered B. The correct answer is C. A. Absence of discrepancy in physical count only confirms absence of any impact, but cannot be a reason to overlook failure of operation of the control. B. While the IS auditor may in some cases recommend a change in procedures, the primary goal is to observe and report when the current process is deficient. C. The IS auditor should report the lack of daily reconciliation as an exception because a physical inventory count gives assurance only at a point in time and is not a management-mandated activity. D. While the IS auditor may in some cases recommend a solution, the primary goal is to observe and report when the current process is deficient.

An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. Which of the following observations is the GREATEST concern to the auditor? Select an answer: A. Administrative access to the biometric scanners or the access control system is permitted over a virtual private network (VPN). B. Biometric scanners are not installed in restricted areas. C. Data transmitted between the biometric scanners and the access control system do not use a securely encrypted tunnel. D. Biometric system risk analysis was last conducted three years ago.

You answered B. The correct answer is C. A. Generally, VPN software provides a secure tunnel so that remote administration functions can be performed. This is not a concern. B. Biometric scanners are best located in restricted areas to prevent tampering, but video surveillance is an acceptable mitigating control. The greatest concern is lack of a securely encrypted tunnel between the scanners and the access control system. C. Data transmitted between the biometric scanners and the access controls system should use a securely encrypted tunnel to protect the confidentially of the biometric data. D. The biometric risk analysis should be reperformed periodically, but an analysis performed three years ago is not necessarily a cause for concern.

Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan (BCP)? Select an answer: A. The plan is approved by the chief information officer (CIO). B. The plan contact lists have not been updated. C. Test results are not adequately documented. D. The training schedule for recovery personnel is not included.

You answered B. The correct answer is C. A. Ideally, the board of directors should approve the plan to ensure acceptability, but it is possible to delegate approval authority to the CIO. Pragmatically, lack of documenting test results could have more significant consequences. B. The contact lists are an important part of the BCP; however, they are not as important as documenting the test results. C. The effectiveness of a BCP can best be determined through tests. If results of tests are not documented, then there is no basis for feedback, updates, etc. D. If test results are documented, a need for training will be identified and the BCP will be updated.

Which of the following types of risk could result from inadequate software baselining? Select an answer: A. Sign-off delays B. Software integrity violations C. Scope creep D. Inadequate controls

You answered B. The correct answer is C. A. Sign-off delays may occur due to inadequate software baselining; however, these are most likely caused by scope creep. B. Software integrity violations can be caused by hardware or software failures, malicious intrusions or user errors. Software baselining does not help prevent software integrity violations. C. A software baseline is the cutoff point in the design and development of a system. Beyond this point, additional requirements or modifications to the scope must go through formal, strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage a system through baselining can result in uncontrolled changes in a project's scope and may incur time and budget overruns. D. Inadequate controls are most likely present in situations in which information security is not duly considered from the beginning of system development; they are not a risk that can be adequately addressed by software baselining.

During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST? Select an answer: A. Postpone the audit until the agreement is documented. B. Report the existence of the undocumented agreement to senior management. C. Confirm the content of the agreement with both departments. D. Draft a service level agreement (SLA) for the two departments.

You answered B. The correct answer is C. An IS auditor should first confirm and understand the current practice before making any recommendations. The agreement can be documented after it has been established that there is an agreement in place. The fact that there is not a written agreement does not justify postponing the audit, and reporting to senior management is not necessary at this stage of the audit. Drafting an SLA is not the IS auditor's responsibility.

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: Select an answer: A. control self-assessments. B. a business impact analysis (BIA). C. an IT balanced scorecard (BSC). D. business process reengineering (BPR).

You answered B. The correct answer is C. An IT BSC provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. CSA, BIA and BPR are insufficient to align IT with organizational objectives.

Which of the following will MOST successfully identify overlapping key controls in business application systems? Select an answer: A. Reviewing system functionalities that are attached to complex business processes B. Submitting test transactions through an integrated test facility (ITF) C. Replacing manual monitoring with an automated auditing solution D. Testing controls to validate that they are effective

You answered B. The correct answer is C. As part of the effort to realize continuous audit management (CAM), there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts have the opportunity to come across unnecessary or overlapping key controls in existing systems. In general, highly complex business processes may have more key controls than business areas with less complexity; however, finding, with certainty, unnecessary controls in complex areas is not always possible. If a well-thought-out key control structure has been established from the beginning, finding any overlap in control will not be possible. An ITF is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls. By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.

An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of: Select an answer: A. variable sampling. B. substantive testing. C. compliance testing. D. stop-or-go sampling.

You answered B. The correct answer is C. Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.

An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of: Select an answer: A. variable sampling. B. substantive testing. C. compliance testing. D. stop-or-go sampling.

You answered B. The correct answer is C. Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.

A manufacturing firm wants to automate its invoice payment system. Objectives state that the system should require considerably less time for review and authorization, and the system should be capable of identifying errors that require follow up. Which of the following would BEST meet these objectives? Select an answer: A. Establishing an inter-networked system of client servers with suppliers for increased efficiencies B. Outsourcing the function to a firm specializing in automated payments and accounts receivable/invoice processing C. Establishing an electronic data interchange (EDI) system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format D. Reengineering the existing processing and redesigning the existing system

You answered B. The correct answer is C. EDI is the best answer. Properly implemented (e.g., agreements with trading partners transaction standards, controls over network security mechanisms in conjunction with application controls), EDI is best suited to identify and follow up on errors more quickly, given reduced opportunities for review and authorization.

After installing a network, an organization implemented a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools? Select an answer: A. Differential reporting B. False-positive reporting C. False-negative reporting D. Less-detail reporting

You answered B. The correct answer is C. False-negative reporting on weaknesses means the control weaknesses in the network are not identified and therefore may not be addressed, leaving the network vulnerable to attack. False-positive reporting is one in which the controls are in place, but are evaluated as weak, which should prompt a rechecking of the controls. Less-detail reporting and differential reporting functions provided by these tools compare scan results over a period of time.

After installing a network, an organization implemented a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools? Select an answer: A. Differential reporting B. False-positive reporting C. False-negative reporting D. Less-detail reporting

You answered B. The correct answer is C. False-negative reporting on weaknesses means the control weaknesses in the network are not identified and therefore may not be addressed, leaving the network vulnerable to attack. False-positive reporting is one in which the controls are in place, but are evaluated as weak, which should prompt a rechecking of the controls. Less-detail reporting and differential reporting functions provided by these tools compare scan results over a period of time.

When creating a password, a system generates the initial password and then forces the user to change the password when the user logs on for the first time. The system allows the user to enter the same password generated by the system as the user's own/new password. Which of the following would be the MOST effective control? Select an answer: A. Instituting a security awareness and an education program B. Rewriting the company's password policy C. Establishing a system that does not accept an old password as a new password D. Establishing a system that ensures that users change passwords more frequently

You answered B. The correct answer is C. Hardening the password parameters so that old passwords are not accepted as new passwords is the most effective control because it is system enforced. Although education is important and users should be aware of the need for strong authentication, educating users through security awareness programs and training will not result in the most effective control. Policies document the company's requirements; the company then must implement the processes and tools to support those requirements. Rewriting the company's password policy will effectively communicate the company's position, but it is not the most effective control to enforce the password change. Even though the system will force users to change passwords more frequently, users can still choose to key in their old passwords.

Which of the following append themselves to files as a protection against viruses? Select an answer: A. Behavior blockers B. Cyclical redundancy checkers (CRCs) C. Immunizers D. Active monitors

You answered B. The correct answer is C. Immunizers defend against viruses by appending sections of themselves to files. They continuously check the file for changes and report changes as possible viral behavior. Behavior blockers focus on detecting potentially abnormal behavior, such as writing to the boot sector or the master boot record, or making changes to executable files. CRCs compute a binary number on a known virus-free program that is then stored in a database file. When that program is subsequently called to be executed, the checkers look for changes to the files, compare it to the database and report possible infection if changes have occurred. Active monitors interpret disk operating system (DOS) and read only memory (ROM) basic input-output system (BIOS) calls, looking for virus-like actions.

Which of the following is the MOST effective type of antivirus software? Select an answer: A. Scanners B. Active monitors C. Integrity checkers D. Vaccines

You answered B. The correct answer is C. Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclical redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executable files and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective. Active monitors interpret disk operating system (DOS) and read only memory (ROM) basic input-output system (BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. As a result, users are asked to confirm actions like formatting a disk or deleting a file or set of files. Vaccines are known to be good antivirus software. However, they also need to be updated periodically to remain effective.

Which of the following is the MOST effective type of antivirus software? Select an answer: A. Scanners B. Active monitors C. Integrity checkers D. Vaccines

You answered B. The correct answer is C. Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclical redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executable files and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective. Active monitors interpret disk operating system (DOS) and read only memory (ROM) basic input-output system (BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. As a result, users are asked to confirm actions like formatting a disk or deleting a file or set of files. Vaccines are known to be good antivirus software. However, they also need to be updated periodically to remain effective.

An IS auditor is reviewing the process performed for the protection of digital evidence. Which of the following findings should be of MOST concern to the IS auditor? Select an answer: A. The owner of the system was not present at the time of the evidence retrieval. B. The system was powered off by an investigator. C. There are no documented logs of the transportation of evidence. D. The contents of the random access memory (RAM) were not backed up.

You answered B. The correct answer is C. It is very important that evidence be handled properly and never modified physically or, more important, logically. The goal of this process is to be able to testify truthfully in court that the technical investigator did not modify the data in any way. If the investigator does not have sufficient manual or digital evidence, the defense will try to prevent the admission of evidence based on the fact that it was tampered with or modified. Note that legal requirements for digital evidence preservation could vary from country to country, so local laws should be taken into consideration. The owner of the system may be present at the time of evidence retrieval, but this is not absolutely necessary. In some cases, the owner could be the subject of the investigation. In most cases, it is required that the investigator power off the machine in order to create a forensic image of the hard drive, so this is not an issue. Prior to powering off the machine, the investigator would normally photograph what is on the screen of the computer and identify what documents are open and any other information that may be relevant. It is important that the investigator power off the machine rather than performing a shutdown procedure. Many operating systems perform a cleanup of temporary files during shutdown, which would potentially destroy valuable evidence. Typical forensic investigation techniques do not involve copying the system-state of desktop or laptop computers, so this is not the correct answer.

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: Select an answer: A. hardware configuration. B. access control software. C. ownership of intellectual property. D. application development methodology.

You answered B. The correct answer is C. Of the choices, the hardware and access control software is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. Similarly, the development methodology should be of no real concern. The contract must, however, specify who owns the intellectual property (i.e., information being processed, application programs). Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract.

When implementing an application software package, which of the following presents the GREATEST risk? Select an answer: A. Uncontrolled multiple software versions B. Source programs that are not synchronized with object code C. Incorrectly set parameters D. Programming errors

You answered B. The correct answer is C. Parameters that are not set correctly would be the greatest concern when implementing an application software package. The other choices, though important, are a concern of the provider, not the organization that is implementing the software itself.

Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another? Select an answer: A. Compare the hash total before and after the migration. B. Verify that the number of records is the same for both databases. C. Perform sample testing of the migrated account balances. D. Compare the control totals of all of the transactions.

You answered B. The correct answer is C. Performing sample testing of the migrated account balances will involve the comparison of a selection of individual transactions from the database before the migration. The hash total will only validate the data integrity at a batch level rather than at a transaction level. Databases are composed of records that can contain multiple fields. The number of records will not allow an IS auditor to ascertain whether some of these fields have been successfully migrated. Comparing the control totals does not imply that the records are complete.

The BEST method of confirming the accuracy of a system tax calculation is by: A. detailed visual review and analysis of the source code of the calculation programs. B. recreating program logic using generalized audit software to calculate monthly totals. C. preparing simulated transactions for processing and comparing the results to predetermined results. D. automatic flowcharting and analysis of the source code of the calculation programs.

You answered B. The correct answer is C. Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation. Detailed visual review, flowcharting and analysis of source code are not effective methods, and monthly totals would not address the accuracy of individual tax calculations.

Which of the following would be the MOST appropriate recovery strategy for a sensitive system with a high recovery time objective (RTO)? Select an answer: A. Warm site B. Hot site C. Cold site D. Mobile recovery site

You answered B. The correct answer is C. Sensitive systems having a high RTO can be performed manually at a tolerable cost for an extended period of time. The cold site would be the most cost-effective solution for such a system. While a warm site may be a good solution, it would not be the most appropriate because it is more expensive than a cold site. A hot site is used for those systems classified as critical that have a low RTO. A mobile recovery site would not be as cost-effective as a cold site and would not be appropriate for systems with high RTOs.

Ideally, stress testing should be carried out in a: Select an answer: A. test environment using test data. B. production environment using live workloads. C. test environment using live workloads. D. production environment using test data.

You answered B. The correct answer is C. Stress testing is carried out to ensure a system can cope with production workloads. A test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in a production environment (choices B and D), and if only test data is used, there is no certainty that the system was stress tested adequately.

Which of the following is a function of an IS steering committee? Select an answer: A. Monitoring vendor-controlled change control and testing B. Ensuring a separation of duties within the information's processing environment C. Approving and monitoring major projects, the status of IS plans and budgets D. Liaising between the IS department and the end users

You answered B. The correct answer is C. The IS steering committee typically serves as a general review board for major IS projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, the status of IS plans and budgets. Vendor change control is an outsourcing issue and should be monitored by IS management. Ensuring a separation of duties within the information's processing environment is an IS management responsibility. Liaising between the IS department and the end users is a function of the individual parties and not a committee.

An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? Select an answer: A. An audit clause is present in all contracts. B. The service level agreement (SLA) of each contract is substantiated by appropriate key performance indicators (KPIs). C. The contractual warranties of the providers support the business needs of the organization. D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.

You answered B. The correct answer is C. The complexity of IT structures matched by the complexity and interplay of responsibilities and warranties may affect or void the effectiveness of those warranties and the reasonable certainty that the business needs will be met. All other choices are important, but not as potentially dangerous as the interplay of the diverse and critical areas of the contractual responsibilities of the outsourcers.

For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be: Select an answer: A. stored in a secure, offsite facility. B. approved by senior management C. communicated to appropriate personnel. D. made available through the enterprise's intranet.

You answered B. The correct answer is C. The implementation of a BCP will be effective only if appropriate personnel are informed and aware of all the aspects of the BCP. The BCP, if kept in a safe place, will not reach the users; users will never implement the BCP and, thus, the BCP will be ineffective. Senior management approval is a prerequisite for designing the BCP. Making a BCP available on an enterprise's intranet does not guarantee that personnel will read or understand it.

An IS auditor is evaluating the effectiveness of the organization's change management process. What is the MOST important control that the IS auditor should look for to ensure system availability? Select an answer: A. That changes are authorized by IT managers at all times B. That user acceptance testing (UAT) is performed and properly documented C. That test plans and procedures exist and are closely followed D. That capacity planning is performed as part of each development project

You answered B. The correct answer is C. The most important control for ensuring system availability is to implement a sound testing plan and procedures which are consistently followed. The other options can be important considerations, but are not as important as the consistency and reliability of and testing before migration and "going live." The quality of the testing process is critical to ensure system availability.

Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible? Select an answer: A. Bottom up B. Sociability testing C. Top-down D. System test

You answered B. The correct answer is C. The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place. Sociability testing and system tests take place at a later stage in the development process.

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take? Select an answer: A. Delete all copies of the unauthorized software. B. Inform the auditee of the unauthorized software, and follow up to confirm deletion. C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management. D. Warn the end users about the risk of using illegal software.

You answered B. The correct answer is C. The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results in exposure and can result in severe fines. An IS auditor must convince the user and user management of the risk and the need to eliminate the risk. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing or deleting the unauthorized software.

To minimize the cost of a software project, quality management techniques should be applied: Select an answer: A. as close to their writing (i.e., point of origination) as possible. B. primarily at project start to ensure that the project is established in accordance with organizational governance standards. C. continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate. D. mainly at project close-down to capture lessons learned that can be applied to future projects.

You answered B. The correct answer is C. While it is important to properly establish a software development project, quality management should be effectively practiced throughout the project. The major source of unexpected costs on most software projects is rework. The general rule is that the earlier in the development life cycle that a defect occurs, and the longer it takes to find and fix that defect, the more effort will be needed to correct it. A well-written quality management plan is a good start, but it must also be actively applied. Simply relying on testing to identify defects is a relatively costly and less effective way of achieving software quality. For example, an error in requirements discovered in the testing phase can result in scrapping significant amounts of work. Capturing lessons learned will be too late for the current project. Additionally, applying quality management techniques throughout a project is likely to yield its own insights into the causes of quality problems and assist in staff development.

Which of the following is the MOST important requirement for a robust change management process? Select an answer: A. Chain of custody B. Individual accountability C. Data entry controls D. Segregation of duties

You answered B. The correct answer is D. A. Chain of custody is applicable to forensic investigations and maintenance of data integrity. B. Individual accountability is important, and this is normally accomplished through the avoidance of group IDs. However, good change management is predicated on separating incompatible duties so that one person cannot introduce a change without the involvement of other personnel. C. Data entry controls include picklists, cross checks, reasonableness checks, control totals, allowed character checks, required fields, formatting checks and others. Data entry controls are not the most important requirement for a robust change management process. D. Segregation of incompatible duties is critical to good change management because the same individual should not initiate a change, approve the change and implement the change.

An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that: Select an answer: A. effective preventive controls are enforced. B. system integrity is ensured. C. errors can be corrected in a timely fashion. D. fraud can be detected more quickly.

You answered B. The correct answer is D. A. Continuous monitoring is detective in nature, and therefore does not necessarily assist the IS auditor in monitoring for preventive controls. The approach will detect and monitor for errors that have already occurred. In addition, continuous monitoring will benefit the internal audit function in reducing the use of auditing resources and in the timely reporting of errors or inconsistencies. B. System integrity is typically associated with preventive controls such as input controls and quality assurance reviews. These controls do not typically benefit an internal auditing function implementing continuous monitoring. Continuous monitoring benefits the internal audit function because it reduces the use of auditing resources. C. Error identification and handling is the primary responsibility of management. While audit's responsibility also is to find errors, audit can only report errors, not fix them. D. Continuous auditing techniques assist the auditing function in reducing the use of auditing resources through continuous collection of evidence. This approach assists IS auditors in identifying fraud in a timely fashion and allows auditors to focus on relevant data.

Which of the following is MOST relevant to an IS auditor evaluating how the project manager has monitored the progress of the project? Select an answer: A. Critical path diagrams B. Program evaluation review technique (PERT) diagrams C. Function point analysis (FPA) D. Gantt charts

You answered B. The correct answer is D. A. Critical path diagrams are used to determine the critical path for the project that represents the shortest possible time required for completing the project. B. PERT diagrams are a critical path method (CPM) technique in which three estimates (as opposed to one) of timelines required to complete activities are used to determine the critical path. C. FPA is a technique used to determine the size of a development task, based on the number of function points. D. Gantt charts help to identify activities that have been completed early or late through comparison to a baseline. Progress of the entire project can be read from the Gantt chart to determine whether the project is behind, ahead of or on schedule.

Which of the following is a PRIMARY objective of an acceptable use policy? Select an answer: A. Creating awareness about the secure use of proprietary resources B. Ensuring compliance with information security policies C. Defining sanctions for noncompliance D. Controlling how proprietary information systems are used

You answered B. The correct answer is D. A. Employee orientations and user awareness training are the most effective processes to raise user awareness about the acceptable use of proprietary IT resources. The acceptable use policy is one of the topics covered during training and is often signed after employee orientation and during periodic user awareness training. B. The acceptable use policy is a subset of the information security policies that focus on the end user and a specific topic. Information security policies are much broader in overall content and include a wider audience. C. Although the policy may include a statement regarding the sanctions for noncompliance, sanctions are not the primary objective of the acceptable use policy; prevention is the primary objective. D. Inappropriate use of proprietary IT resources by users exposes enterprises to a variety of risk scenarios, including malware attacks, compromise and unavailability of critical systems, and legal issues. To address such risk, a policy supported by guidelines is put into effect to define how information system resources will be used. An acceptable use policy ensures that users are made aware of acceptable usage and the need to acknowledge that they are aware.

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt? Select an answer: A. Process narrative B. Inquiry C. Reperformance D. Walk-through

You answered B. The correct answer is D. A. Process narratives may not be current or complete and may not reflect the actual process in operation. B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of evidence. C. Reperformance is used to evaluate the operating effectiveness of the control rather than the design of the control. D. Walk-throughs involve a combination of inquiry and inspection of evidence with respect to business process controls. This is the most effective basis for evaluation of the design of the control as it actually exists.

A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP? Select an answer: A. Full-scale test with relocation of all departments, including IT, to the contingency site B. Walk-through test of a series of predefined scenarios with all critical personnel involved C. IT disaster recovery test with business departments involved in testing the critical applications D. Functional test of a scenario with limited IT involvement

You answered B. The correct answer is D. After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Since the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the BCP before actually involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule. A full-scale test in the situation described might fail because it would be the first time that the plan is actually exercised, and a number of resources (including IT) and time would be wasted. The walk-through test is the most basic type of testing. Its intention is to make key staff familiar with the plan and discuss critical plan elements, rather than verifying its adequacy. The recovery of applications should always be verified and approved by the business instead of being purely IT-driven. A disaster recovery test would not help in verifying the administrative and organizational parts of the BCP which are not IT-related.

An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if: Select an answer: A. IDS sensors are placed outside of the firewall. B. a behavior-based IDS is causing many false alarms. C. a signature-based IDS is weak against new types of attacks. D. the IDS is used to detect encrypted traffic.

You answered B. The correct answer is D. An IDS cannot detect attacks within encrypted traffic, and it would be a concern if someone were misinformed and thought that the IDS could detect attacks in encrypted traffic. An organization can place sensors outside of the firewall to detect attacks. These sensors are placed in highly sensitive areas and on extranets. Causing many false alarms is normal for a behavior-based IDS, and should not be a matter of concern. Being weak against new types of attacks is also expected from a signature-based IDS, because it can only recognize attacks that have been previously identified.

An organization's IS audit charter should specify the: Select an answer: A. short- and long-term plans for IS audit engagements. B. objectives and scope of IS audit engagements. C. detailed training plan for the IS audit staff. D. role of the IS audit function.

You answered B. The correct answer is D. An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope, and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee. Short-term and long-term planning is the responsibility of audit management. The objectives and scope of each IS audit should be agreed to in an engagement letter. A training plan, based on the audit plan, should be developed by audit management.

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers? A. Minimizing costs for the services provided B. Prohibiting the provider from subcontracting services C. Evaluating the process for transferring knowledge to the IT department D. Determining if the services were provided as contracted

You answered B. The correct answer is D. From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements. Minimizing costs, if applicable and achievable (depending on the customer's need) is traditionally not part of an IS auditor's job. This would normally be done by a line management function within the IT department. Furthermore, during an audit, it is too late to minimize the costs for existing provider arrangements. Subcontracting providers could be a concern, but it would not be the primary concern. Transferring knowledge to the internal IT department might be desirable under certain circumstances, but should not be the primary concern of an IS auditor when auditing IT service providers and the management thereof.

Which of the following is the GREATEST risk when storage growth in a critical file server is not managed properly? Select an answer: A. Backup time would steadily increase. B. Backup operational costs would significantly increase. C. Storage operational costs would significantly increase. D. Server recovery work may not meet the recovery time objective (RTO).

You answered B. The correct answer is D. In case of a crash, recovering a server with an extensive amount of data could require a significant amount of time. If the recovery cannot meet the RTO, there will be a discrepancy in IT strategies. It's important to ensure that server restoration can meet the RTO. Incremental backup would only take the backup of the daily differential, thus a steady increase in backup time is not always true. The backup and storage costs issues are not as significant as not meeting the RTO.

An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have legitimate business reasons for also accessing customer information. Which of the following represents the BEST control to ensure separation of the two networks? Select an answer: A. Establish two physically separate networks. B. Implement virtual local area network (VLAN) segmentation. C. Install a dedicated router between the two networks. D. Install a firewall between the networks.

You answered B. The correct answer is D. In this case, a firewall could be used as a strong control to allow authorized users on the wireless network to access the wired network. While having two physically separate networks would ensure the security of customer data, it would make it impossible for authorized wireless users to access that data. While a VLAN would provide separation of the two networks, it is possible, with sufficient knowledge, for an attacker to gain access to one VLAN from the other. Similarly, a dedicated router between the two networks would separate them; however, this would be less secure than a firewall.

The most common reason for the failure of information systems to meet the needs of users is that: Select an answer: A. user needs are constantly changing. B. the growth of user requirements was forecast inaccurately. C. the hardware system limits the number of concurrent users. D. user participation in defining the system's requirements was inadequate.

You answered B. The correct answer is D. Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are, and therefore what the system should accomplish.

During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the: Select an answer: A. event error log generated at the disaster recovery site. B. disaster recovery test plan. C. disaster recovery plan (DRP). D. configurations and alignment of the primary and disaster recovery sites.

You answered B. The correct answer is D. Since the configuration of the system is the most probable cause, the IS auditor should review that first. If the issue cannot be clarified, the IS auditor should then review the event error log. The disaster recovery test plan and the DRP would not contain information about the system configuration.

The PRIMARY objective of testing a business continuity plan is to: A. familiarize employees with the business continuity plan. B. ensure that all residual risk is addressed. C. exercise all possible disaster scenarios. D. identify limitations of the business continuity plan.

You answered B. The correct answer is D. Testing the business continuity plan provides the best evidence of any limitations that may exist. Familiarizing employees with the business continuity plan is a secondary benefit of a test. It is not cost effective to address residual risk in a business continuity plan, and it is not practical to test all possible disaster scenarios.

In regard to moving an application program from the test environment to the production environment, the BEST control would be to have the: Select an answer: A. application programmer copy the source program and compiled object module to the production libraries. B. application programmer copy the source program to the production libraries and then have the production control group compile the program. C. production control group compile the object module to the production libraries using the source program in the test environment. D. production control group copy the source program to the production libraries and then compile the program.

You answered B. The correct answer is D. The best control would be provided by having the production control group copy the source program to the production libraries and then compile the program.

Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement (SLA) for the availability of outsourced telecommunication services? Select an answer: A. Downtime reports on the telecommunication services generated by the ISP B. A utilization report of automatic failover services generated by the enterprise C. A bandwidth utilization report provided by the ISP D. Downtime reports on the telecommunication services generated by the enterprise

You answered B. The correct answer is D. The enterprise should use internally generated downtime reports to monitor the service provided by the ISP and, as available, to compare with the reports provided by the ISP. The ISP-generated downtime reports are produced by the same entity that is being monitored. As a result, it will be necessary to review these reports for possible bias and/or errors against other data. The information provided by these reports is indirect evidence of the extent that the backup telecommunication services were used. Utilization reports are used to measure the usage of bandwidth, not uptime.

Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement (SLA) for the availability of outsourced telecommunication services? Select an answer: A. Downtime reports on the telecommunication services generated by the ISP B. A utilization report of automatic failover services generated by the enterprise C. A bandwidth utilization report provided by the ISP D. Downtime reports on the telecommunication services generated by the enterprise

You answered B. The correct answer is D. The enterprise should use internally generated downtime reports to monitor the service provided by the ISP and, as available, to compare with the reports provided by the ISP. The ISP-generated downtime reports are produced by the same entity that is being monitored. As a result, it will be necessary to review these reports for possible bias and/or errors against other data. The information provided by these reports is indirect evidence of the extent that the backup telecommunication services were used. Utilization reports are used to measure the usage of bandwidth, not uptime.

An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to: Select an answer: A. verify how the organization follows the standards. B. identify and report the controls currently in place. C. review the metrics for quality evaluation. D. request all standards that have been adopted by the organization.

You answered B. The correct answer is D. The first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist. The other items listed—verifying how well standards are being followed, identifying relevant controls and reviewing the quality metrics—are secondary to the identification of standards.

An IS auditor is performing a review of a network, and users report that the network is slow and web pages periodically time out. The IS auditor confirms the users' feedback and reports the findings to the network manager. The most appropriate action for the network management team should be to FIRST: Select an answer: A. use a protocol analyzer to perform network analysis and review error logs of local area network (LAN) equipment. B. take steps to increase the bandwidth of the connection to the Internet. C. create a baseline using a protocol analyzer and implement quality of service (QoS) to ensure that critical business applications work as intended. D. implement virtual LANs (vLANs) to segment the network and ensure performance.

You answered C. The correct answer is A. A. In this case, the first step is to identify whether there is a configuration issue or hardware malfunction, which is determined by using a protocol analyzer and reviewing the log files of the related switches or routers. B. While increasing Internet bandwidth may be required, this may not be needed if the performance issue is due to a different problem or error condition. C. While creating a baseline and implementing QoS will ensure that critical applications have the appropriate bandwidth, in this case the performance issue could be related to misconfiguration or equipment malfunction. D. While implementing vLANs may be a best practice for ensuring adequate performance, in this case the issue could be related to misconfigurations or equipment malfunction.

Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as: Select an answer: A. substantive testing. B. compliance testing. C. qualitative analysis. D. judgment sampling.

You answered C. The correct answer is A. A. Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of data at the individual transaction level. This can be achieved by comparing the data in the application to the base document. In this case, comparison is made with the vendor invoices. B. Compliance testing involves testing the controls designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period. C. Qualitative analysis is typically related to risk analysis and should not be used in this scenario. D. Judgment sampling is a sample that is selected subjectively or not at random, or in which the sampling results are not evaluated mathematically.

Which of the following documents is the BEST source for an IS auditor to understand the requirements for employee awareness training? Select an answer: A. Information security policy B. Acceptable usage policy C. Human resources (HR) policy D. End-user computing policy

You answered C. The correct answer is A. A. The information security policy states the organization's approach to managing information security. The policy contains the company's security objectives and explains the security policies, principles and standards. In addition, the policy outlines requirements such as compliance with regulations and employee education, training and awareness. B. The acceptable usage policy outlines guidelines and rules for employee use of the company's information resources. It is focused and does not include requirements for security awareness training. C. The HR policy refers to the information security policy, but does not specifically list the requirements for security awareness training. Instead, this document contains broader information such as hiring practices, commitments to diversity and ethics, and compliance with regulations. D. The end-user computing policy describes the parameters and usage of desktop tools by users. It does not contain requirements for security awareness training.

Which of the following are the MOST important considerations when prioritizing the development of controls and countermeasures? Select an answer: A. Likelihood and impact B. Impact and exposure C. Criticality and sensitivity D. Value and classification

You answered C. The correct answer is A. A. The likelihood that a compromise will occur and the impact of that compromise are the two most important factors in determining risk, which in turn drives the development of controls and countermeasures. B. Impact and exposure combined do not address the likelihood that an incident will occur; these considerations are insufficient on their own. C. Criticality and sensitivity are the basis for asset classification, but only deal with possible impact, not likelihood. D. Valuation is a component of classification and addresses only possible impact.

When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following? Select an answer: A. The point at which controls are exercised as data flow through the system B. Only preventive and detective controls are relevant C. Corrective controls can only be regarded as compensating D. Classification allows an IS auditor to determine which controls are missing

You answered C. The correct answer is A. An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect because corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls. Choice D is incorrect and irrelevant, because the existence and function of controls is important, not the classification.

The potential for unauthorized system access by way of terminals or workstations within an organization's facility is increased when: Select an answer: A. connecting points are available in the facility to connect laptops to the network. B. users take precautions to keep their passwords confidential. C. terminals with password protection are located in insecure locations. D. terminals are located within the facility in small clusters under the supervision of an administrator.

You answered C. The correct answer is A. Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other choices are controls for preventing unauthorized network access. If system passwords are not readily available for intruders to use, they must guess, introducing an additional factor and requires time. System passwords provide protection against unauthorized use of terminals located in insecure locations. Supervision is a very effective control when used to monitor access to a small operating unit or production resources.

Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected higher: Select an answer: A. downtime costs. B. resumption costs. C. recovery costs. D. walk-through costs.

You answered C. The correct answer is A. Because management considered a longer time window for recovery in plan B, downtime costs included in the plan are likely to be higher. Because the recovery time for plan B is longer, resumption and recovery costs can be expected to be lower. Walk-through costs are not a part of disaster recovery.

An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is the MOST likely cause of this issue? Select an answer: A. Project scope management B. Project time management C. Project risk management D. Project procurement management

You answered C. The correct answer is A. Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processes required to ensure that the project includes all of the required work, and only the required work, to complete the project. Choice B is not correct because project time management is defined as the processes required to ensure timely completion of the project. The issue noted above does not mention whether projects were completed on time, so this is not the most likely cause. Choice C is not correct because project risk management is defined as the processes concerned with identifying, analyzing and responding to project risk. Although the budget overruns mentioned above represent one form of project risk, they appear to be caused by implementing too much functionality, which relates more directly to project scope. Choice D is not correct because project procurement management is defined as the processes required to acquire goods and services from outside the performing organization. Although purchasing goods and services that are too expensive can cause budget overruns, in this case the key to the question is that implemented functionality is greater than what was required, which is more likely related to project scope.

IS management is considering a Voice-over IP (VoIP) network to reduce telecommunication costs and management asked the IS auditor to comment on appropriate security controls. Which of the following security measures is MOST appropriate? Select an answer: A. Review and, where necessary, upgrade firewall capabilities. B. Install modems to allow remote maintenance support access. C. Create a physically distinct network to handle VoIP traffic. D. Redirect all VoIP traffic to allow clear text logging of authentication credentials.

You answered C. The correct answer is A. Firewalls used as entry points to a VoIP network should be VoIP-capable. VoIP network services such as H.323 introduce complexities that are likely to strain the capabilities of older firewalls. Allowing for remote support access is an important consideration. However, a virtual private network (VPN) would offer a more secure means of enabling this access than reliance on modems. Logically separating the VoIP and data network is a good idea. Options such as virtual LANS (VLANS), traffic shaping, firewalls and network address translation (NAT) combined with private IP addressing can be used; however, physically separating the networks will increase both cost and administrative complexity. Transmitting or storing clear text information, particularly sensitive information such as authentication credentials, will increase network vulnerability. When designing a VoIP network, it is important to avoid introducing any processing that will unnecessarily increase latency since this will adversely impact VoIP quality.

Functional acknowledgements are used: Select an answer: A. as an audit trail for electronic data interchange (EDI) transactions. B. to functionally describe the IS department. C. to document user roles and responsibilities. D. as a functional description of application software.

You answered C. The correct answer is A. Functional acknowledgments are standard EDI transactions that tell trading partners that their electronic documents were received. Different types of functional acknowledgments provide various levels of detail and, therefore, can act as an audit trail for EDI transactions. The other choices are not relevant to the description of functional acknowledgements.

While planning an audit, an assessment of risk should be made to provide: Select an answer: A. reasonable assurance that the audit will cover material items. B. definite assurance that material items will be covered during the audit work. C. reasonable assurance that all items will be covered by the audit. D. sufficient assurance that all items will be covered during the audit work.

You answered C. The correct answer is A. ISACA IT Audit and Assurance Guideline G15 on planning the IS audit states that, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.

If a database is restored using before-image dumps, where should the process begin following an interruption? Select an answer: A. Before the last transaction B. After the last transaction C. As the first transaction after the latest checkpoint D. As the last transaction before the latest checkpoint

You answered C. The correct answer is A. If before images are used, the last transaction in the dump will not have updated the database prior to the dump being taken. The last transaction will not have updated the database and must be reprocessed. Program checkpoints are irrelevant in this situation.

Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies? A. Developments may result in hardware and software incompatibility. B. Resources may not be available when needed. C. The recovery plan cannot be tested. D. The security infrastructures in each company may be different.

You answered C. The correct answer is A. If one organization updates its hardware and software configuration, it may mean that it is no longer compatible with the systems of the other party in the agreement. This may mean that each company is unable to use the facilities at the other company to recover their processing following a disaster. Resources being unavailable when needed are an intrinsic risk in any reciprocal agreement, but this is a contractual matter and is not the greatest risk. The plan can be tested by paper-based walk-throughs, and possibly by agreement between the companies. The difference in security infrastructures, while a risk, is not insurmountable.

An investment advisor emails periodic newsletters to clients and wants reasonable assurance that no one has modified the newsletter. This objective can be achieved by: A. encrypting the hash of the newsletter using the advisor's private key. B. encrypting the hash of the newsletter using the advisor's public key. C. digitally signing the document using the advisor's private key. D. encrypting the newsletter using the advisor's private key.

You answered C. The correct answer is A. It is not the intention of the investment advisor to maintain the confidentiality of the newsletter. The objective is to assure the receivers that it came to them without any modification (i.e., to give message integrity). Choice A is correct because the hash is encrypted using the advisor's private key. The recipients can open the newsletter, calculate its hash over the newsletter with the same algorithm, and decrypt the received hash using the advisor's public key. If the two hashes are equal, the newsletter was not modified in transit. Choice B is not feasible since only the investment advisor's private key is able to open it. Choice C addresses sender authentication but not message integrity. Choice D addresses confidentiality, but not message integrity, because anyone can obtain the investment advisor's public key, decrypt the newsletter, modify it and send it to others. The interceptor will not be able to use the advisor's private key because the interceptor does not have it. Anything encrypted using the interceptor's private key can be decrypted by the receiver only by using the interceptor's public key.

In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer? A. Nonrepudiation B. Encryption C. Authentication D. Integrity

You answered C. The correct answer is A. Nonrepudiation, achieved through the use of digital signatures, prevents the claimed sender from later denying that they generated and sent the message. Encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made. Authentication is necessary to establish the identification of all parties to a communication. Integrity ensures that transactions are accurate but does not provide the identification of the customer.

Which of the following situations would increase the likelihood of fraud? Select an answer: A. Application programmers are implementing changes to production programs. B. Application programmers are implementing changes to test programs. C. Operations support staff are implementing changes to batch schedules. D. Database administrators are implementing changes to data structures.

You answered C. The correct answer is A. Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data. Application programmers are required to implement changes to test programs. These are used only in development and do not directly impact the live processing of data. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database.

During an audit of a business continuity plan (BCP), an IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following areas should be reconciled FIRST? Select an answer: A. Evacuation plan B. Recovery priorities C. Backup storages D. Call tree

You answered C. The correct answer is A. Protecting human resources during a disaster-related event should be addressed first. Having separate BCPs could result in conflicting evacuation plans, thus jeopardizing the safety of staff and clients. Choices B, C and D may be unique to each department and could be addressed separately, but still should be reviewed for possible conflicts and/or the possibility of cost reduction, but only after the issue of human safety has been analyzed.

During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor? Select an answer: A. A test has not been made to ensure that local resources could maintain security and quality standards when recovering from a disaster or incident. B. The corporate business continuity plan (BCP) does not accurately document the systems that exist at remote offices. C. Corporate security measures have not been incorporated into the test plan. D. A test has not been made to ensure that tape backups from the remote offices are usable.

You answered C. The correct answer is A. Regardless of the capability of local IT resources, the most critical risk would be the lack of testing, which would identify quality issues in the recovery process. The other choices could affect the reliability of the plan in terms of assessing ability to recover and run in the event of an emergency, but the more critical issue would be whether the plan had not been tested at remote offices.

An IS audit department is planning to minimize its dependency on key individuals. Activities that contribute to this objective are documented procedures, knowledge sharing, cross-training, and: A. succession planning. B. staff job evaluation. C. responsibilities definition. D. employee award programs.

You answered C. The correct answer is A. Succession planning ensures that internal personnel with the potential to fill key positions in the company are identified and developed. Job evaluation is the process of determining the worth of one job in relation to that of the other jobs in a company so that a fair and equitable wage and salary system can be established. Staff responsibilities definition provides for well-defined roles and responsibilities, and employee award programs provide motivation; however, they do not minimize dependency on key individuals.

Which of the following would be the BEST access control procedure? Select an answer: A. The data owner formally authorizes access and an administrator implements the user authorization tables. B. Authorized staff implements the user authorization tables and the data owner sanctions them. C. The data owner and an IS manager jointly create and update the user authorization tables. D. The data owner creates and updates the user authorization tables.

You answered C. The correct answer is A. The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables. Choice B alters the desirable order. Choice C is not a formal procedure for authorizing access.

The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the: Select an answer: A. duration of the outage. B. type of outage. C. probability of the outage. D. cause of the outage.

You answered C. The correct answer is A. The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives.

An IS auditor performing an application maintenance audit would review the log of program changes for the: Select an answer: A. authorization of program changes. B. creation date of a current object module. C. number of program changes actually made. D. creation date of a current source program.

You answered C. The correct answer is A. The manual log will most likely contain information on authorized changes to a program. Deliberate, unauthorized changes will not be documented by the responsible party. An automated log, found usually in library management products, and not a change log would most likely contain date information for the source and executable modules.

When reviewing system parameters, an IS auditor's PRIMARY concern should be that: Select an answer: A. they are set to meet security and performance requirements. B. changes are recorded in an audit trail and periodically reviewed. C. changes are authorized and supported by appropriate documents. D. access to parameters in the system is restricted.

You answered C. The correct answer is A. The primary concern is to find the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; however, if parameters are not set according to business rules, monitoring of changes may not be an effective control. Reviewing changes to ensure they are supported by appropriate documents is also a detective control. If parameters are set incorrectly, the related documentation and the fact that these are authorized does not reduce the impact. Restriction of access to parameters ensures that only authorized staff can access the parameters; however, if the parameters are set incorrectly, restricting access will still have an adverse impact.

An IS auditor who is auditing the software acquisition process will ensure that the: Select an answer: A. contract is reviewed and approved by the legal counsel before it is signed. B. requirements cannot be met with the systems already in place. C. requirements are found to be critical for the business. D. user participation is adequate in the process.

You answered C. The correct answer is A. The process to review and approve the contract is one of the most important steps in the software acquisition process. An IS auditor should verify that legal counsel reviewed and approved the contract before management signs the contract. Choice B is not correct because existing systems may meet the requirements, but management may choose to acquire software for other reasons. Choice C is not correct because the requirements do not necessarily need to support critical business needs. Choice D is not correct because user participation is not necessarily required in the software acquisition process. Instead, users would most likely participate in requirements definition and user acceptance testing (UAT).

An IS auditor should be concerned when a telecommunication analyst: Select an answer: A. monitors systems performance and tracks problems resulting from program changes. B. reviews network load requirements in terms of current and future transaction volumes. C. assesses the impact of the network load on terminal response times and network data transfer rates. D. recommends network balancing procedures and improvements.

You answered C. The correct answer is A. The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes (choice B), assessing the impact of network load or terminal response times and network data transfer rates (choice C), and recommending network balancing procedures and improvements (choice D). Monitoring systems performance and tracking problems as a result of program changes (choice A) would put the analyst in a self-monitoring role.

The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to: Select an answer: A. understand the business process. B. comply with auditing standards. C. identify control weakness. D. plan substantive testing.

You answered C. The correct answer is A. Understanding the business process is the first step an IS auditor needs to perform. ISACA IT audit and assurance standards encourage adoption of the audit procedures/processes required to assist the IS auditor in performing IS audits more effectively. However, standards do not require an IS auditor to perform a process walk-through at the commencement of an audit engagement. Identifying control weaknesses is not the primary reason for the walk-through and typically occurs at a later stage in the audit. Planning for substantive testing is performed at a later stage in the audit.

Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application? A. User management B. Project steering committee C. Senior management D. Quality assurance staff

You answered C. The correct answer is A. User management assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in system requirements definition, acceptance testing and user training. User management should review and approve system deliverables as they are defined and accomplished or implemented. A project steering committee provides overall direction, ensures appropriate representation of the major stakeholders in the project's outcome, reviews project progress regularly and holds emergency meetings when required. A project steering committee is ultimately responsible for all deliverables, project costs and schedules. Senior management demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those who are needed to complete the project. Quality assurance staff review results and deliverables within each phase, and at the end of each phase confirm compliance with requirements. The timing of reviews depends on the system development life cycle, the impact of potential deviation methodology used, the structure and magnitude of the system and the impact of potential deviation.

Two-factor authentication can be circumvented through which of the following attacks? Select an answer: A. Denial-of-service B. Man-in-the-middle C. Key logging D. Brute force

You answered C. The correct answer is B. A man-in-the-middle attack is similar to piggybacking, in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions after authentication has been accepted. A denial-of-service attack does not have a relationship to authentication. Key logging and brute force could circumvent a normal authentication but not a two-factor authentication.

Which of the following recovery strategies is MOST appropriate if the recovery time objective (RTO) is high? Select an answer: A. Warm site B. Cold site C. Hot site D. Mobile site

You answered C. The correct answer is B. A. If the RTO is high, it is financially reckless to use a warm site. B. If the RTO is high, then the acceptable downtime is high. A cold site will be appropriate in such situations. C. If the RTO is high a hot site is not suitable. It should be used only when the RTO is low. D. A mobile site is more expensive than a cold site. Choosing a mobile site when the RTO is high does not reflect good financial sense.

Results of a postimplementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application? Select an answer: A. Load testing B. Stress testing C. Recovery testing D. Volume testing

You answered C. The correct answer is B. A. Load testing evaluates the performance of the software at peak hours. B. Stress testing determines the capacity of the software to cope with an incremental number of concurrent users. C. Recovery testing evaluates the ability of a system to recover after a failure. D. Volume testing evaluates the impact of incremental volume of records (not users) on a system.

Which of the following is the BEST way to ensure that an off-the-shelf production system continues to operate as expected? Select an answer: A. Changes are executed and tested in the production environment. B. Changes are reviewed by the analysts who designed the application, prior to being applied. C. Users who request changes create the test cases. D. The application was created with a high level of user involvement.

You answered C. The correct answer is B. A. Modifications that are executed and tested in the production environment pose a greater risk of unauthorized modifications. B. If the changes are reviewed by the authors of the application there are less likely to be unwanted errors or side effects caused by improper or incomplete modifications. The analysts have a better understanding of the application they developed. C. User-developed test cases may not sufficiently cover the possibility of introducing unwanted effects in functional areas that are not directly involved in the change. D. While user involvement is important during system development and acceptance testing, it does not ensure system availability after the system has gone into production.

Which of the following is the BEST indicator that a newly developed system will be used after it is in production? A. Regression testing B. User acceptance testing (UAT) C. Sociability testing D. Parallel testing

You answered C. The correct answer is B. A. Regression test results do not assist with the user experience and are primarily concerned with new functionality or processes and whether those changes altered or broke previous functionality. B. UAT is undertaken to provide confidence that a system or system component operates as intended, to provide a basis for evaluating the implementation of the requirements, or to demonstrate the effectiveness or efficiency of the system or component. If the results of the testing are poor, then the system is unlikely to be adopted by the users. C. Sociability test results indicate how the application works with other components within the environment and is not indicative of the user experience. D. Parallel testing is performed when the comparison of two applications is needed, but will not provide feedback on user satisfaction.

Failure in which of the following testing stages would have the GREATEST impact on the implementation of new application software? Select an answer: A. System testing B. Acceptance testing C. Integration testing D. Unit testing

You answered C. The correct answer is B. Acceptance testing is the final stage before the software is installed and is available for use. The greatest impact would occur if the software fails at the acceptance testing level, as this could result in delays and cost overruns. System testing is undertaken by the developer team to determine if the software meets user requirements per specifications. Integration testing examines the units/modules as one integrated system and unit testing examines the individual units or components of the software. System, integration and unit testing are all performed by the developers at various stages of development; the impact of failure is comparatively less for each than failure at the acceptance testing stage.

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file? Select an answer: A. Attribute sampling B. Computer Aided Audit Techniques (CAATs) C. Test data D. Integrated test facility (ITF)

You answered C. The correct answer is B. CAATs would enable the IS auditor to review the entire invoice file to look for those items that meet the selection criteria. Attribute sampling would aid in identifying records meeting specific conditions, but would not compare one record to another to identify duplicates. To detect duplicate invoice records the IS auditor should check all of the items that meet the criteria and not just a sample of the items. Test data are used to verify program processing, but will not identify duplicate records. An ITF allows the IS auditor to test transactions through the production system, but would not compare records to identify duplicates.

The objective of concurrency control in a database system is to: Select an answer: A. restrict updating of the database to authorized users. B. prevent integrity problems when two processes attempt to update the same data at the same time. C. prevent inadvertent or unauthorized disclosure of data in the database. D. ensure the accuracy, completeness and consistency of data.

You answered C. The correct answer is B. Concurrency controls prevent data integrity problems, which can arise when two update processes access the same data item at the same time. Access controls restrict updating of the database to authorized users, and controls such as passwords prevent the inadvertent or unauthorized disclosure of data from the database. Quality controls, such as edits, ensure the accuracy, completeness and consistency of data maintained in the database.

An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software: Select an answer: A. is configured with an implicit deny rule as the last rule in the rule base. B. is installed on an operating system with default settings. C. has been configured with rules permitting or denying access to systems or networks. D. is configured as a virtual private network (VPN) endpoint.

You answered C. The correct answer is B. Default settings are often published and provide an intruder with predictable configuration information, which allows easier system compromise. To mitigate this risk, firewall software should be installed on a system using a hardened operating system that has limited functionality, providing only the services necessary to support the firewall software. Choices A, C and D are normal or best practices for firewall configurations.

The MAIN purpose of a transaction audit trail is to: Select an answer: A. reduce the use of storage media. B. determine accountability and responsibility for processed transactions. C. help an IS auditor trace transactions. D. provide useful information for capacity planning.

You answered C. The correct answer is B. Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. Enabling audit trails increases the use of disk space. A transaction log file would be used to trace transactions, but would not aid in determining accountability and responsibility. The objective of capacity planning is the efficient and effective use of IT resources and requires information such as CPU utilization, bandwidth, number of users, etc.

When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should: Select an answer: A. not be concerned since there may be other compensating controls to mitigate the risk. B. ensure that overrides are automatically logged and subject to review. C. verify whether all such overrides are referred to senior management for approval. D. recommend that overrides not be permitted.

You answered C. The correct answer is B. If input procedures allow overrides of data validation and editing, automatic logging should occur. A management individual who did not initiate the override should review this log. An IS auditor should not assume that compensating controls exist. As long as the overrides are policy-compliant, there is no need for senior management approval or a blanket prohibition.

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should: Select an answer: A. ask the auditee to sign a release form accepting full legal responsibility. B. elaborate on the significance of the finding and the risk of not correcting it. C. report the disagreement to the audit committee for resolution. D. accept the auditee's position since they are the process owners.

You answered C. The correct answer is B. If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communications and set up an adversarial relationship. By the same token, an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.

A financial services organization is developing and documenting business continuity measures. In which of the following cases would an IS auditor MOST likely raise an issue? Select an answer: A. The organization uses good practice guidelines instead of industry standards and relies on external advisors to ensure the adequacy of the methodology. B. The business continuity capabilities are planned around a carefully selected set of scenarios which describe events that might happen with a reasonable probability. C. The recovery time objectives (RTOs) do not take IT disaster recovery constraints into account, such as personnel or system dependencies during the recovery phase. D. The organization plans to rent a shared alternate site with emergency workplaces that has only enough room for half of the normal staff.

You answered C. The correct answer is B. It is a common mistake to use scenario planning for business continuity. The problem is that it is impossible to plan and document actions for every possible scenario. Planning for just selected scenarios denies the fact that even improbable events can cause an organization to break down. Best practice planning addresses the four possible areas of impact in a disaster: premises, people, systems and suppliers and other dependencies. All scenarios can be reduced to these four categories and can be handled simultaneously. There are very few special scenarios which justify an additional separate analysis. It is a good idea to use best practices and external advice for such an important topic, especially since knowledge of the right level of preparedness and the judgment about adequacy of the measures taken is not available in every organization. The RTOs are based on the essential business processes required to ensure the organization's survival; therefore, it would be inappropriate for them to be based on IT capabilities. Best practice guidelines recommend having 20-40 percent of normal capacity available at an emergency site; therefore, a value of 50 percent would not be a problem if there are no additional factors.

An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following would be the GREATEST concern? Select an answer: A. System administrators use shared accounts which never expire at the hot site. B. Disk space utilization data is not kept current. C. Physical security controls at the hot site are less robust than at the main site. D. Servers at the hot site do not have the same specifications as at the main site.

You answered C. The correct answer is B. Not knowing how much disk space is in use and therefore how much is needed at the disaster recovery site could create major issues in the case of a disaster. While it is not a best practice for security administrators to share accounts that do not expire, the greater risk in this scenario would be running out of disk space. Physical security controls are important and this would be a concern, but the more important concern would be running out of disk space. The particular physical characteristic of the disaster recovery site may call for different controls that may appear to be less robust than the main site; however, such a risk could be addressed through policy and procedures or by adding additional personnel if needed. As long as the servers at the hot site are capable of running the programs that are required in a disaster recovery situation, the precise capabilities of the servers at the hot site is not a major risk. It is necessary to ensure that software configuration and settings match the servers at the main site, but it is not unusual for newer and more powerful servers to exist at the main site for everyday production use while the standby servers are less powerful.

To ensure authentication, confidentiality and integrity of a message, the sender should encrypt the hash of the message with the sender's: Select an answer: A. public key and then encrypt the message with the receiver's private key. B. private key and then encrypt the message with the receiver's public key. C. public key and then encrypt the message with the receiver's public key. D. private key and then encrypt the message with the receiver's private key.

You answered C. The correct answer is B. Obtaining the hash of the message ensures integrity; signing the hash of the message with the sender's private key ensures the authenticity of the origin, and encrypting the resulting message with the receiver's public key ensures confidentiality. The other choices are incorrect.

After reviewing the disaster recovery planning (DRP) process of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting? Select an answer: A. Obtaining management approval of the corrective actions B. Confirming factual accuracy of the findings C. Assisting management in the implementation of corrective actions D. Clarifying the scope and limitations of the audit

You answered C. The correct answer is B. The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on corrective action. Management approval of the corrective actions is not required since this is not the role of the auditor. Implementation of corrective actions should be done after the factual accuracy of findings has been established, but the work of implementing corrective action is not typically assigned to the IS auditor since this would impair the auditor's independence. Clarifying the scope and limitations of the audit should be done during the entrance meeting, not during the exit meeting.

Which of the following is the BEST performance criterion for evaluating the adequacy of an organization's security awareness training? A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection. B. Job descriptions contain clear statements of accountability for information security. C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts. D. No actual incidents have occurred that have caused a loss or a public embarrassment.

You answered C. The correct answer is B. The inclusion of security responsibilities in job descriptions is a form of security training and helps ensure that staff and management are aware of their roles with respect to information security. The other three choices are not criteria for evaluating security awareness training. Senior management's level of awareness and concern for information assets is a criterion for evaluating the importance that they attach to those assets and their protection. Funding is a criterion that aids in evaluating whether security vulnerabilities are being addressed. The number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program.

An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment? Select an answer: A. Commands typed on the command line are logged. B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs. C. Access to the operating system command line is granted through an access restriction tool with preapproved rights. D. Software development tools and compilers have been removed from the production environment.

You answered C. The correct answer is B. The matching of hash keys over time would allow detection of changes to files. Choice A is incorrect because having a log is not a control, reviewing the log is a control. Choice C is incorrect because the access was already granted—it does not matter how. Choice D is wrong because files can be copied to and from the production environment.

The PRIMARY purpose for meeting with auditees prior to formally closing a review is to: Select an answer: A. confirm that the auditors did not overlook any important issues. B. gain agreement on the findings. C. receive feedback on the adequacy of the audit procedures. D. test the structure of the final presentation.

You answered C. The correct answer is B. The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings. The other choices, though related to the formal closure of an audit, are of secondary importance.

Information for detecting unauthorized input from a terminal would be BEST provided by the: Select an answer: A. console log printout. B. transaction journal. C. automated suspense file listing. D. user error report.

You answered C. The correct answer is B. The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it would not record activity from a specific terminal. An automated suspense file listing would only list transaction activity where an edit error occurred, while the user error report would only list input that resulted in an edit error.

The PRIMARY outcome of a business impact analysis (BIA) is: Select an answer: A. a plan for resuming operations after a disaster. B. a commitment of the organization to physical and logical security. C. a framework for an effective disaster recovery plan (DRP). D. an understanding of the cost of an interruption.

You answered C. The correct answer is D. A. A BIA does establish a starting point for planning how to resume operations after a disaster. This is, however, not the primary purpose of a BIA. B. The public's perception of an organization's physical and logical security is not the primary objective of a BIA. C. The BIA provides an important input into business continuity planning, but not a framework for effective disaster recovery planning (DRP). D. A BIA helps one understand the cost of an interruption and identify which applications and processes are most critical to the continued functioning of the organization.

Which of the following should the IS auditor review to ensure that servers are optimally configured to support processing requirements? Select an answer: A. Benchmark test results B. Server logs C. Downtime reports D. Server utilization data

You answered C. The correct answer is D. A. Benchmark tests are designed to compare system performance using standardized criteria; however, benchmark testing does not provide the best data to ensure the optimal configuration of servers in an organization. B. A server log contains data showing activities performed on the server, but does not contain the utilization data required to ensure the optimal configuration of servers. C. A downtime report identifies the elapsed time when a computer is not operating correctly because of machine failure, but is not useful in determining optimal server configurations. D. Monitoring server utilization identifies underutilized servers and monitors overall server utilization. Underutilized servers do not provide the business with optimal cost-effectiveness. By monitoring server usage, IT management can take appropriate measures to raise the utilization ratio and provide the most effective return on investment (ROI).

An organization allows employees to connect company laptops to company-controlled wireless access points. To prevent unauthorized access to the organization's internal network, the BEST preventive control is to: Select an answer: A. enable media access control (MAC) filtering. B. disable wireless ID broadcast. C. employ strong encryption. D. disallow autoconnect.

You answered C. The correct answer is D. A. Enabling MAC filtering does not prevent mobile devices from connecting to unauthorized access points. MAC filters prevent unauthorized systems from connecting to the company's wireless access point. They do not prevent capturing login credentials that could be used to gain unauthorized access to the network. B. Disabling the broadcast does not prevent devices from connecting to unauthorized access points and capturing login credentials. C. Encryption enables confidentiality only and does not prevent laptops from connecting to unauthorized access points used to collect login credentials. D. Disallowing autoconnect will prevent users from connecting to unauthorized hotspots. With autoconnect enabled, devices send beacons searching for the preferred hotspot. An attacker could intercept these beacons, impersonate the hotspot and host fake web sites with the intention of capturing login credentials that could allow access to the organization's network.

The PRIMARY purpose of a postimplementation review is to ascertain that: Select an answer: A. the lessons learned have been documented. B. future enhancements can be identified. C. the project has been delivered on time and budget. D. project objectives have been met.

You answered C. The correct answer is D. A. It is important to ensure that lessons learned during the project are not forgotten; however, it is more important to ascertain whether the project solved the problem it was designed to address. B. Identifying future enhancements is not the primary objective of a postimplementation review. C. Although it is important to review whether the project was completed on time and budget, it is more important to determine whether the project met the business needs. D. A project manager performs a postimplementation review in order to obtain feedback regarding the project deliverables and business needs and to determine whether the project has successfully met them.

An IS auditor is reviewing the access control list (ACL) of active network users. Which of the following types of user IDs should be of GREATEST concern? Select an answer: A. Test or training user IDs B. Shared IDs C. Administrative IDs D. User IDs of past employees

You answered C. The correct answer is D. A. Test or training user IDs could be a concern. However, it is unlikely that their access privileges are greater than a real user, and therefore they pose less of an overall risk. B. The use of shared IDs, while not a best practice, is not as great a risk as having a terminated employee with access to the network. There can be many situations in which a shared ID is necessary. The risk with shared IDs is that accountability cannot be established. C. Administrative IDs are commonly found on a network and are not cause for concern. D. If a user's network ID is not disabled on termination, the user or other unauthorized individual could potentially gain access to the network. User IDs of past employees pose the greatest risk because users can access the network via the Internet. In addition, many applications rely on network credentials to identify and authenticate access.

A message signed with a digital signature cannot be repudiated by the sender because a digital signature: Select an answer: A. authenticates the identity of the sender using public key infrastructure (PKI). B. uses a hashing algorithm to validate that message contents are valid. C. cannot be copied into another message. D. authenticates contents and sender at the time of signature.

You answered C. The correct answer is D. A. The digital signature validates both the identity of the sender and the content. B. Digital signatures have integrity features to ensure that the message content has not changed, which prevents an attacker from modifying and sending the message themselves. This is a basic property of any signature scheme. C. While an attacker could copy a digital signature into another message, that new message would fail validation when reviewed by the receiver. D. Digital signatures for the sender are attested by the certificate authority and can be verified by the recipient; therefore, repudiation is not possible. Additionally, the digital signature mechanism ensures the integrity of the message content by creating a one-way hash at both the source and destination and then comparing the two.

During the review of an in-house developed application, the GREATEST concern to an IS auditor is if a: Select an answer: A. user raises a change request and tests it in the test environment. B. programmer codes a change in the development environment and tests it in the test environment. C. manager approves a change request and then reviews it in production. D. manager initiates a change request and subsequently approves it.

You answered C. The correct answer is D. A. This option is in alignment with the principles of segregation of duties. Separation of duties, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. B. This option is in alignment with the principles of segregation of duties. Separation of duties, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. C. This option is in alignment with the principles of segregation of duties. Separation of duties, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. D. Initiating and subsequently approving a change request violates the principle of segregation of duties.

A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP? A. Full-scale test with relocation of all departments, including IT, to the contingency site B. Walk-through test of a series of predefined scenarios with all critical personnel involved C. IT disaster recovery test with business departments involved in testing the critical applications D. Functional test of a scenario with limited IT involvement

You answered C. The correct answer is D. After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Since the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the BCP before actually involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule. A full-scale test in the situation described might fail because it would be the first time that the plan is actually exercised, and a number of resources (including IT) and time would be wasted. The walk-through test is the most basic type of testing. Its intention is to make key staff familiar with the plan and discuss critical plan elements, rather than verifying its adequacy. The recovery of applications should always be verified and approved by the business instead of being purely IT-driven. A disaster recovery test would not help in verifying the administrative and organizational parts of the BCP which are not IT-related.

When reviewing a hardware maintenance program, an IS auditor should assess whether: Select an answer: A. the schedule of all unplanned maintenance is maintained. B. it is in line with historical trends. C. it has been approved by the IS steering committee. D. the program is validated against vendor specifications.

You answered C. The correct answer is D. Although maintenance requirements vary based on complexity and performance workloads, a hardware maintenance schedule should be validated against the vendor-provided specifications. For business reasons, an organization may choose a more aggressive maintenance program than the vendor's program. The maintenance program should include maintenance performance history, be it planned, unplanned, executed or exceptional. Unplanned maintenance cannot be scheduled. Hardware maintenance programs do not necessarily need to be in line with historical trends. Maintenance schedules normally are not approved by the steering committee.

An IS auditor reviewing a database discovers that the current configuration does not match the originally designed structure. Which of the following should be the IS auditor's next action? Select an answer: A. Analyze the need for the structural change. B. Recommend restoration to the originally designed structure. C. Recommend the implementation of a change control process. D. Determine whether the modifications were properly approved.

You answered C. The correct answer is D. An IS auditor should first determine whether the modifications were properly approved. Choices A, B and C are possible subsequent actions should the IS auditor find that the structural modification had not been approved.

A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of: Select an answer: A. validation controls. B. internal credibility checks. C. clerical control procedures. D. automated systems balancing.

You answered C. The correct answer is D. Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction. Validation controls and internal credibility checks are certainly valid controls, but will not detect and report lost transactions. In addition, although a clerical procedure could be used to summarize and compare inputs and outputs, an automated process is less susceptible to error.

An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should: Select an answer: A. decline the assignment. B. inform management of the possible conflict of interest after completing the audit assignment. C. inform the business continuity planning (BCP) team of the possible conflict of interest prior to beginning the assignment. D. communicate the possibility of conflict of interest to management prior to starting the assignment.

You answered C. The correct answer is D. Communicating the possibility of a conflict of interest to management prior to starting the assignment is the correct answer. A possible conflict of interest, likely to affect the IS auditor's independence, should be brought to the attention of management prior to starting the assignment. Declining the assignment is not the correct answer because the assignment could be accepted after obtaining management approval. Informing management of the possible conflict of interest after completion of the audit assignment is not correct because approval should be obtained prior to commencement and not after the completion of the assignment. Informing the BCP team of the possible conflict of interest prior to starting of the assignment is not the correct answer since the BCP team would not have the authority to decide on this issue.

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers? Select an answer: A. Minimizing costs for the services provided B. Prohibiting the provider from subcontracting services C. Evaluating the process for transferring knowledge to the IT department D. Determining if the services were provided as contracted

You answered C. The correct answer is D. From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements. Minimizing costs, if applicable and achievable (depending on the customer's need) is traditionally not part of an IS auditor's job. This would normally be done by a line management function within the IT department. Furthermore, during an audit, it is too late to minimize the costs for existing provider arrangements. Subcontracting providers could be a concern, but it would not be the primary concern. Transferring knowledge to the internal IT department might be desirable under certain circumstances, but should not be the primary concern of an IS auditor when auditing IT service providers and the management thereof.

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers? Select an answer: A. Minimizing costs for the services provided B. Prohibiting the provider from subcontracting services C. Evaluating the process for transferring knowledge to the IT department D. Determining if the services were provided as contracted

You answered C. The correct answer is D. From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements. Minimizing costs, if applicable and achievable (depending on the customer's need) is traditionally not part of an IS auditor's job. This would normally be done by a line management function within the IT department. Furthermore, during an audit, it is too late to minimize the costs for existing provider arrangements. Subcontracting providers could be a concern, but it would not be the primary concern. Transferring knowledge to the internal IT department might be desirable under certain circumstances, but should not be the primary concern of an IS auditor when auditing IT service providers and the management thereof.

A company is implementing a dynamic host configuration protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern? Select an answer: A. Most employees use laptops. B. A packet filtering firewall is used. C. The IP address space is smaller than the number of PCs. D. Access to a network port is not restricted.

You answered C. The correct answer is D. Given physical access to a port, anyone can connect to the internal network. The other choices do not present the exposure that access to a port does. DHCP provides convenience (an advantage) to the laptop users. Sharing IP addresses and the existence of a firewall can be security measures.

During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST: Select an answer: A. test the software for compatibility with existing hardware. B. perform a gap analysis. C. review the licensing policy D. ensure that the procedure had been approved.

You answered C. The correct answer is D. In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities. The other choices are not the first actions an IS auditor should take. They are steps that may or may not be taken after determining that the procedure used to acquire the software had been approved.

A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be MOST based on the individual's experience and: A. length of service, since this will help ensure technical competence. B. age since training in audit techniques may be impractical. C. IS knowledge, since this will bring enhanced credibility to the audit function. D. ability, as an IS auditor, to be independent of existing IS relationships.

You answered C. The correct answer is D. Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities. The fact that the employee has worked in IS for many years may not, in itself, ensure credibility. The IS audit department's needs should be defined and any candidate should be evaluated against those requirements. The length of service will not ensure technical competency. Evaluating an individual's qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world.

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function? Select an answer: A. Advise on the adoption of application controls to the new database software. B. Provide future estimates of the licensing expenses to the project team. C. Recommend at the project planning meeting how to improve the efficiency of the migration. D. Review the acceptance test case documentation before the tests are carried out.

You answered C. The correct answer is D. Of the options presented, only the review of the test cases will facilitate the objective. Independence could be compromised if the IS auditor advises on the adoption of specific application controls. Independence could be compromised if the IS auditor were to audit the estimate of future expenses used to support a business case for management approval of the project. Advising the project manager on how to increase the efficiency of the migration may compromise the IS auditor's independence.

An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review: Select an answer: A. the controls already in place. B. the effectiveness of the controls in place. C. the mechanism for monitoring the risk related to the assets. D. the threats/vulnerabilities affecting the assets.

You answered C. The correct answer is D. One of the key factors to be considered while assessing the risk related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risk related to the use of information assets should be evaluated in isolation from the installed controls. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and not during the risk assessment phase. A mechanism to continuously monitor the risk related to assets should be put in place during the risk monitoring function that follows the risk assessment phase.

In a small manufacturing business, an IT employee is doing both manufacturing work as well as all the programming activities. Which of the following is the BEST control to mitigate risk in the given scenario? Select an answer: A. Access restrictions to prevent the clerk from accessing the production environment B. Segregation of duties implemented by hiring additional staff C. Automated logging of all program changes in the production environment D. Procedures to verify that only approved program changes are implemented

You answered C. The correct answer is D. Procedures to verify and review that only approved changes are implemented would be an effective control in this scenario. Segregation of duties will prevent a combination of conflicting functions, but choice B is not correct because it may not be practical in a small business to hire and maintain additional staff in order to achieve the desired segregation of duties. Choice A is not correct because denying the clerk access to the production environment would prevent work from being performed unless additional staff were retained, which is not a realistic solution and may not be economically viable for a small organization. Choice C is not correct because logging of program changes in the production environment will detect changes after they have been implemented but will not prevent unauthorized changes.

An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered: Select an answer: A. can deliver on the immediate contract. B. is of similar financial standing as the organization. C. has significant financial obligations that can impose liability to the organization. D. can support the organization in the long term.

You answered C. The correct answer is D. The long-term financial viability of a vendor is essential for deriving maximum value for the organization—it is more likely that a financially sound vendor would be in business for a long period of time. The capability of the organization to support the enterprise should extend beyond the time of execution of the contract. The objective of financial evaluation should not be confined to the immediate contract, but to provide assurance over a longer time frame. The specific financial condition of the vendor would not be of primary concern.

Which of the following would BEST help to detect errors in data processing? Select an answer: A. Programmed edit checks B. Well-designed data entry screens C. Segregation of duties D. Hash totals

You answered C. The correct answer is D. The use of hash totals is an effective method to reliably detect errors in data processing. Automated controls such as programmed edit checks or well-designed data entry screens are preventive controls. Enforcing segregation of duties primarily ensures that a single individual does not have the authority to both create and approve a transaction; this is not considered to be a method to detect errors, but a method to help prevent errors.

An IS auditor should ensure that review of online electronic funds transfer (EFT) reconciliation procedures should include: Select an answer: A. vouching. B. authorizations. C. corrections. D. tracing.

You answered C. The correct answer is D. Tracing involves following the transaction from the original source through to its final destination. In EFT transactions, the direction on tracing may start from the customer-printed copy of the receipt, checking the system audit trails and logs, and finally checking the master file records for daily transactions. Vouching is usually performed on manual or batch-processing systems. In this scenario, the funds are transferred electronically and there is no manual processing. In online processing, authorizations are normally done automatically by the system. Correction entries are normally done by an individual other than the person entrusted to do reconciliations.

An IS auditor evaluating logical access controls should FIRST: Select an answer: A. document the controls applied to the potential access paths to the system. B. test controls over the access paths to determine if they are functional. C. evaluate the security environment in relation to written policies and practices. D. obtain an understanding of the security risk to information processing.

You answered C. The correct answer is D. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and by conducting a risk assessment. Documentation and evaluation is the second step in assessing the adequacy, efficiency and effectiveness, thus identifying deficiencies or redundancy in controls. The third step is to test the access paths—to determine if the controls are functioning. Lastly, the IS auditor evaluates the security environment to assess its adequacy by reviewing the written policies, observing practices and comparing them to appropriate security best practices.

Documentation of a business case used in an IT development project should be retained until: Select an answer: A. the end of the system's life cycle. B. the project is approved. C. user acceptance of the system. D. the system is in production.

You answered D. The correct answer is A. A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates vs. actuals. Questions like, "why do we do that,""what was the original intent" and "how did we perform against the plan" can be answered, and lessons for developing future business cases can be learned. During the development phase of a project one should always validate the business case, as it is a good management instrument. After finishing a project and entering production, the business case and all the completed research are valuable sources of information that should be kept for further reference.

The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure: Select an answer: A. integrity. B. authenticity. C. authorization. D. nonrepudiation.

You answered D. The correct answer is A. A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need other controls. Nonrepudiation can be ensured by using digital signatures.

Which of the following types of firewalls would BEST protect a network from an Internet attack? Select an answer: A. Screened subnet firewall B. Application filtering gateway C. Packet filtering router D. Circuit-level gateway

You answered D. The correct answer is A. A screened subnet firewall would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to allow or avoid traffic between nets or nodes based on addresses, ports, protocols, interfaces, etc. Application-level gateways are mediators between two entities that want to communicate, also known as proxy gateways. The application level (proxy) works at the application level, not just at a package level. The screening controls at the package level, addresses and ports, but does not see the contents of the package. A packet filtering router examines the header of every packet or data traveling between the Internet and the corporate network.

Which of the following is the BEST way to satisfy a two-factor user authentication? Select an answer: A. A smart card requiring the user's personal identification number (PIN) B. User ID along with password C. Iris scanning plus fingerprint scanning D. A magnetic card requiring the user's PIN

You answered D. The correct answer is A. A smart card addresses what the user has. This is generally used in conjunction with testing what the user knows, e.g., a keyboard password or PIN. An ID and password, what the user knows, is a single-factor user authentication. Choice C is not a two-factor user authentication because it is only biometric. Choice D is similar to choice A, but the magnetic card may be copied; therefore, choice A is the best way to satisfy a two-factor user authentication.

Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems? Select an answer: A. To collect evidence while transactions are processed B. To reduce requirements for periodic internal audits C. To identify and report fraudulent transactions D. To increase efficiency of the audit function

You answered D. The correct answer is A. A. Embedding a module for continuous auditing within an application processing a large number of transactions provides timely collection of audit evidence during processing and is the primary objective. The continuous auditing approach allows the IS auditor to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer. B. An embedded audit module enhances the effectiveness of internal audit by ensuring timely availability of required evidence. It may not reduce the requirements for periodic internal audits, but it will increase their efficiency. Also, the question pertains to the development process for new application systems, and not to subsequent internal audits. C. An audit module collects data on transactions that may help identify fraudulent transactions, but it does not identify fraudulent transactions inherently. D. Although increased efficiency may be an added benefit of an embedded audit module, it is not the primary objective.

An IS auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel? Select an answer: A. Production access is granted to the individual support ID when needed. B. Developers use a firefighter ID to promote code to production. C. A dedicated user promotes emergency changes to production. D. Emergency changes are authorized prior to promotion.

You answered D. The correct answer is A. A. Production access should be controlled and monitored to ensure segregation of duties. During an emergency change, a user who normally does not have access to production may require access. The best process to ensure accountability within the production system is to have the information security team create a production support group and add the user ID to that group to promote the change. When the change is complete the ID can be removed from the group. This process ensures that activity in production is linked to the specific ID that was used to make the change. B. Some organizations may use a firefighter ID, which is a generic/shared ID, to promote changes to production. When needed, the developer can use this ID to access production. It may still be difficult to determine who made the change; therefore, although this process is commonly used, the use of a production support ID is a better choice. C. Having a dedicated user who promotes changes to production in an emergency is ideal, but is generally not cost-effective and may not be realistic for most organizations. D. Emergency changes are, by definition, unauthorized changes. Approvals usually are obtained following promotion of the change to production. All changes should be auditable, and that can best be accomplished by having a user ID added/removed to the production support group as needed.

An IS auditor is evaluating processes put in place by management at a storage location containing computer equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing procedure executed by the IS auditor is an example of: Select an answer: A. substantive testing. B. compliance testing. C. analytical testing. D. control testing.

You answered D. The correct answer is A. A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. B. Compliance testing is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. This differs from substantive testing in which evidence is gathered to evaluate the integrity of individual transactions, data or other information. C. Analytical testing evaluates the relationship of two sets of data and discerns inconsistencies in the relationship. D. Control testing is the same as compliance testing.

To ensure message integrity, confidentiality and nonrepudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against: Select an answer: A. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key. B. any part of the message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key using the receiver's public key. C. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering both the encrypted message and digest using the receiver's public key. D. the entire message, enciphering the message digest using the sender's private key and enciphering the message using the receiver's public key.

You answered D. The correct answer is A. Applying a cryptographic hashing algorithm against the entire message addresses the message integrity issue. Enciphering the message digest using the sender's private key addresses nonrepudiation. Encrypting the message with a symmetric key, thereafter allowing the key to be enciphered using the receiver's public key, most efficiently addresses the confidentiality of the message as well as the receiver's nonrepudiation. The other choices would address only a portion of the requirements.

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications? Select an answer: A. Applications may not be subject to testing and IT general controls. B. Development and maintenance costs may be increased. C. Application development time may be increased. D. Decision-making may be impaired due to diminished responsiveness to requests for information.

You answered D. The correct answer is A. End-user computing is defined as the ability of end users to design and implement their own information system utilizing computer software products. End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications. EUC systems typically result in reduced application development and maintenance costs, and a reduced development cycle time. EUC systems normally increase flexibility and responsiveness to management's information requests.

IS management is considering a Voice-over IP (VoIP) network to reduce telecommunication costs and management asked the IS auditor to comment on appropriate security controls. Which of the following security measures is MOST appropriate? A. Review and, where necessary, upgrade firewall capabilities. B. Install modems to allow remote maintenance support access. C. Create a physically distinct network to handle VoIP traffic. D. Redirect all VoIP traffic to allow clear text logging of authentication credentials.

You answered D. The correct answer is A. Firewalls used as entry points to a VoIP network should be VoIP-capable. VoIP network services such as H.323 introduce complexities that are likely to strain the capabilities of older firewalls. Allowing for remote support access is an important consideration. However, a virtual private network (VPN) would offer a more secure means of enabling this access than reliance on modems. Logically separating the VoIP and data network is a good idea. Options such as virtual LANS (VLANS), traffic shaping, firewalls and network address translation (NAT) combined with private IP addressing can be used; however, physically separating the networks will increase both cost and administrative complexity. Transmitting or storing clear text information, particularly sensitive information such as authentication credentials, will increase network vulnerability. When designing a VoIP network, it is important to avoid introducing any processing that will unnecessarily increase latency since this will adversely impact VoIP quality.

During a data center audit, an IS auditor observes that some parameters in the tape management system are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness? Select an answer: A. Staging and job setup B. Supervisory review of logs C. Regular back-up of tapes D. Offsite storage of tapes

You answered D. The correct answer is A. If the IS auditor finds that there are effective staging and job setup processes, this can be accepted as a compensating control. Choice B is a detective control while choices C and D are corrective controls, none of which would serve as good compensating controls.

An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor: Select an answer: A. implemented a specific functionality during the development of the application system. B. designed an embedded audit module exclusively for auditing the application system. C. participated as a member of the application system project team, but did not have operational responsibilities. D. provided consulting advice concerning application system best practices.

You answered D. The correct answer is A. Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system. Choices B and C are situations that do not impair an IS auditor's independence. Choice D is incorrect because an IS auditor's independence is not impaired by providing advice on known best practices.

As an outcome of information security governance, strategic alignment provides: Select an answer: A. security requirements driven by enterprise requirements. B. baseline security following best practices. C. institutionalized and commoditized solutions. D. an understanding of risk exposure.

You answered D. The correct answer is A. Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements. Value delivery provides a standard set of security practices, i.e., baseline security following best practices or institutionalized and commoditized solutions. Risk management provides an understanding of risk exposure.

The information security policy that states "each individual must have their badge read at every controlled door" addresses which of the following attack methods? Select an answer: A. Piggybacking B. Shoulder surfing C. Dumpster diving D. Impersonation

You answered D. The correct answer is A. Piggybacking refers to unauthorized persons following authorized persons, either physically or virtually, into restricted areas. This policy addresses the polite behavior problem of holding doors open for a stranger. If every employee must have their badge read at every controlled door no unauthorized person could enter the sensitive area. Looking over the shoulder of a user to obtain sensitive information could be done by an unauthorized person who has gained access to areas using piggybacking, but this policy specifically refers to physical access control. Shoulder surfing would not be prevented by the implementation of this policy. Dumpster diving, looking through an organization's trash for valuable information, could be done outside the company's physical perimeter; therefore, this policy would not address this attack method. Impersonation refers to a social engineer acting as an employee, trying to retrieve the desired information. Some forms of social engineering attacks could join an impersonation attack and piggybacking, but this information security policy does not address the impersonation attack.

An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make? Select an answer: A. Achieve standards alignment through an increase of resources devoted to the project. B. Align the data definition standards after completion of the project. C. Delay the project until compliance with standards can be achieved. D. Enforce standard compliance by adopting punitive measures against violators.

You answered D. The correct answer is A. Provided that data architecture, technical, and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. The usage of nonstandard data definitions would lower the efficiency of the new development, and increase the risk of errors in critical business decisions. To change data definition standards after project conclusion (choice B) is risky and is not a viable solution. On the other hand, punishing the violators (choice D) or delaying the project (choice C) would be an inappropriate suggestion because of the likely damage to the entire project profitability.

During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely: Select an answer: A. review access control configuration. B. evaluate interface testing. C. review detailed design documentation. D. evaluate system testing.

You answered D. The correct answer is A. Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. Since a postimplementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system, since these are usually vendor packages with user manuals. System testing should be performed before final user signoff.

Which of the following is an attribute of the control self-assessment (CSA) approach? A. Broad stakeholder involvement B. Auditors are the primary control analysts C. Limited employee participation D. Policy driven

You answered D. The correct answer is A. The CSA approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training, all of which are representations of broad stakeholder involvement. Choices B, C and D are attributes of a traditional audit approach.

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system? Select an answer: A. Three users with the ability to capture and verify their own messages B. Five users with the ability to capture and send their own messages C. Five users with the ability to verify other users and to send their own messages D. Three users with the ability to capture and verify the messages of other users and to send their own messages

You answered D. The correct answer is A. The ability of one individual to capture and verify messages represents an inadequate segregation, since messages can be taken as correct and as if they had already been verified.

Which of the following is an advantage of the top-down approach to software testing? Select an answer: A. Interface errors are identified early. B. Testing can be started before all programs are complete. C. It is more effective than other testing approaches. D. Errors in critical modules are detected sooner.

You answered D. The correct answer is A. The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the environment being tested. Choices B and D are advantages of the bottom-up approach to system testing.

A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process? Select an answer: A. Whether key controls are in place to protect assets and information resources B. If the system addresses corporate customer requirements C. Whether the system can meet the performance goals (time and resources) D. Whether owners have been identified who will be responsible for the process

You answered D. The correct answer is A. The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. Choices B, C and D are objectives that the BPR process should achieve, but they are not the auditor's primary concern.

Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption? Select an answer: A. Computation speed B. Ability to support digital signatures C. Simpler key distribution D. Greater strength for a given key length

You answered D. The correct answer is A. The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was first independently suggested by Neal Koblitz and Victor S. Miller. Both encryption methods support digital signatures and are used for public key encryption and distribution. However, a stronger key per se does not necessarily guarantee better performance, but rather the actual algorithm employed.

An IS auditor invited to a project development meeting notes that no project risk has been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risk and that, if risk starts impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to: Select an answer: A. stress the importance of spending time at this point in the project to consider and document risk, and to develop contingency plans. B. accept the project manager's position as the project manager is accountable for the outcome of the project. C. offer to work with the risk manager when one is appointed. D. inform the project manager that the IS auditor will conduct a review of the risk at the completion of the requirements definition phase of the project.

You answered D. The correct answer is A. The majority of project risk can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk. A project should have a clear link back to corporate strategy and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risk. Appointing a risk manager is a good practice but waiting until the project has been impacted by risk is misguided. Risk management needs to be forward looking, allowing risk to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risk has emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.

An IS auditor performing an application maintenance audit would review the log of program changes for the: Select an answer: A. authorization of program changes. B. creation date of a current object module. C. number of program changes actually made. D. creation date of a current source program.

You answered D. The correct answer is A. The manual log will most likely contain information on authorized changes to a program. Deliberate, unauthorized changes will not be documented by the responsible party. An automated log, found usually in library management products, and not a change log would most likely contain date information for the source and executable modules.

An IS auditor is evaluating a virtual machine-based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test in order to ensure availability and confidentiality of the web application in production? Select an answer: A. Server configuration hardening B. Allocated physical resources are available. C. System administrators are trained to use the VM architecture. D. The VM server is included in the disaster recovery plan (DRP).

You answered D. The correct answer is A. The most important control to test in this configuration is the server configuration hardening. It is important to patch known vulnerabilities and to disable all nonrequired functions before production, especially when production architecture is different from development and testing architecture. Virtual machines (VMs) are often used for optimizing programming and testing infrastructure. In this scenario, the development environment (VM architecture) is different from the production infrastructure (physical three-tier). Choice B is not correct because appropriate resource allocation does not guarantee confidentiality of data. Choices C and D are not related to the web application in production.

Which of the following would be BEST prevented by a raised floor in the computer machine room? Select an answer: A. Damage of wires around computers and servers B. A power failure from static electricity C. Shocks from earthquakes D. Water flood damage

You answered D. The correct answer is A. The primary reason for having a raised floor is to enable power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risk posed when cables are placed in a spaghetti-like fashion on an open floor. Static electricity should be avoided in the machine room; therefore, measures such as specially manufactured carpet or shoes would be more appropriate for static prevention than a raised floor. Raised floors do not address shocks from earthquakes. To address earthquakes, anti-seismic architecture would be required to establish a quake-resistant structural framework. Computer equipment needs to be protected against water. However, a raised floor would not prevent damage to the machines in the event of overhead water pipe leakage.

Assessing IT risk is BEST achieved by: Select an answer: A. evaluating threats associated with existing IT assets and IT projects. B. using the firm's past actual loss experience to determine current exposure. C. reviewing published loss statistics from comparable organizations. D. reviewing IT control weaknesses identified in audit reports.

You answered D. The correct answer is A. To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk assessment process, but by themselves are not sufficient. Basing an assessment on past losses will not adequately reflect inevitable changes to the firm's IT assets, projects, controls and strategic environment. There are also likely to be problems with the scope and quality of the loss data available to be assessed. Comparable organizations will have differences in their IT assets, control environment and strategic circumstances. Therefore, their loss experience cannot be used to directly assess organizational IT risk. Control weaknesses identified during audits will be relevant in assessing threat exposure and further analysis may be needed to assess threat probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have recently been audited, and there may not be a sufficient assessment of strategic IT risk.

An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor's MAIN concern should be that the: Select an answer: A. complexity and risk associated with the project have been analyzed. B. resources needed throughout the project have been determined. C. project deliverables have been identified. D. a contract for external parties involved in the project has been completed.

You answered D. The correct answer is A. Understanding complexity and risk, and actively managing these throughout a project are critical to a successful outcome. The other choices, while important during the course of the project, cannot be fully determined at the time the project is initiated, and are often contingent upon the risk and complexity of the project.

An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if: Select an answer: A. the setup is geographically dispersed. B. the network servers are clustered in one site. C. a hot site is ready for activation. D. diverse routing is implemented for the network.

You answered D. The correct answer is B. A clustered setup in one location makes the entire network vulnerable to natural disasters or other disruptive events. Dispersed geographic locations and diverse routing provide backup if a site has been destroyed. A hot site would also be a good alternative for a single point-of-failure site.

A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern? Select an answer: A. Acceptance testing is to be managed by users. B. A quality plan is not part of the contracted deliverables. C. Not all business functions will be available on initial implementation. D. Prototyping is being used to confirm that the system meets business requirements.

You answered D. The correct answer is B. A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and include which business functions will be included and when. Acceptance is normally managed by the user area, since they must be satisfied that the new system will meet their requirements. If the system is large, a phased-in approach to implementing the application is a reasonable approach. Prototyping is a valid method of ensuring that the system will meet business requirements.

Which of the following does a lack of adequate controls represent? Select an answer: A. An impact B. A vulnerability C. An asset D. A threat

You answered D. The correct answer is B. A. Impact is the measure of the financial loss that a threat event may have. B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information, financial loss, legal penalties or other losses. C. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure, finances and reputation. D. A threat is a potential cause of an unwanted incident.

Which of the following is the BEST indicator that a newly developed system will be used after it is in production? Select an answer: A. Regression testing B. User acceptance testing (UAT) C. Sociability testing D. Parallel testing

You answered D. The correct answer is B. A. Regression test results do not assist with the user experience and are primarily concerned with new functionality or processes and whether those changes altered or broke previous functionality. B. UAT is undertaken to provide confidence that a system or system component operates as intended, to provide a basis for evaluating the implementation of the requirements, or to demonstrate the effectiveness or efficiency of the system or component. If the results of the testing are poor, then the system is unlikely to be adopted by the users. C. Sociability test results indicate how the application works with other components within the environment and is not indicative of the user experience. D. Parallel testing is performed when the comparison of two applications is needed, but will not provide feedback on user satisfaction.

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk? Select an answer: A. Risk reduction B. Risk transfer C. Risk avoidance D. Risk mitigation

You answered D. The correct answer is B. A. Risk reduction is a term synonymous with risk mitigation. Risk reduction lowers risk to a level commensurate with the organization's risk appetite. However, choice B is the best answer because risk reduction treats the risk, while risk transfer does not always address compliance risk. B. Risk transfer typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist. C. Risk avoidance does not expose the organization to compliance risk because the business practice that caused the inherent risk to exist is no longer being pursued. D. Mitigating risk will still expose the organization to a certain amount of risk. Risk mitigation lowers risk to a level commensurate with the organization's risk appetite. However, choice B is the best answer because risk mitigation treats the risk, while risk transfer does not necessarily address compliance risk.

During a postimplementation review, an IS auditor finds that the delivered application does not meet end-user requirements. Which of the following is the BEST recommendation to prevent future problems with the project management process? Select an answer: A. Involve the application developers during the design phase. B. Use the waterfall method throughout the development process. C. Review and update project management policies and procedures. D. Involve the project steering committee early in the development process.

You answered D. The correct answer is B. A. The question implies that the application developer team is already involved. B. The waterfall method helps ensure that errors are detected early in the development process. Waterfall development is a procedure-focused development cycle with formal sign-off at the completion of each level. C. While updating policies and procedures is important, it does not change the development process. A better control is to change the approach that the organization uses to develop applications. D. The project steering committee should be involved early in the process; however, the development process is not functioning to deliver applications that meet user needs.

An e-commerce organization with a complex technological environment has numerous concurrent projects. This often results in production system changes. What is the MOST suitable approach to managing system changes so that system outages are minimized? Select an answer: A. Prioritize changes with a low technical risk. B. Coordinate release management across projects and systems. C. Automate migration of code from test to production libraries. D. Defer changes to customer systems to quieter trading periods.

You answered D. The correct answer is B. A. This is acceptable as a short-term strategy. However, more complex changes cannot be deferred indefinitely and need to be managed effectively, particularly if being introduced by multiple development initiatives. Care also needs to be taken that individual projects do not manipulate risk assessments to suit their own development timetable. B. Coordinated release management across projects and systems is a suitable strategy to employ in a complicated, dynamic system environment. Under this option, changes are packaged into releases that are implemented according to a predetermined schedule. Determining what changes are included in a release can be done in accordance with business and technical priorities. With release management, the emphasis is on coordinating changes stemming from multiple sources that impact multiple interconnected systems. This approach should lower technical risk and reduce the potential for system outage. C. Automating code movement is good practice. However, it does not address the fundamental issue of coordinating concurrent changes from multiple sources that impact multiple systems. D. Deferring changes to customer systems is not as comprehensive an approach as coordinated release management. The external usage environment could be a consideration when packaging changes into a release and scheduling release implementation. While there may be reasons to implement changes during quieter business periods (or at least to avoid known high-stress periods such as holidays), at other times there may be business imperatives for implementing customer system changes as quickly as possible.

Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative? Select an answer: A. Perform disaster recovery exercises annually. B. Ensure that partnering organizations are separated geographically. C. Regularly perform a business impact analysis (BIA). D. Select a partnering organization with similar systems.

You answered D. The correct answer is B. A. While disaster recovery exercises are important, the greater risk is geographic proximity. B. If the two partnering organizations are in close geographic proximity, this could lead to both organizations being subjected to the same environmental disaster, such as an earthquake. C. A BIA will help both organizations to identify critical applications, but separation is a more important consideration when entering reciprocal agreements. D. Selecting a partnering organization with similar systems is a good idea, but separation is a more important consideration when entering reciprocal agreements.

A start-up company has a policy that requires strong encryption of all tape backups. As the volume of data has grown, the time necessary to back up all data has become operationally unacceptable. Which of the following is the BEST recommendation to fix this problem? Select an answer: A. Disable encryption so the backup process runs faster. B. Implement a data classification policy so that only classified data gets encrypted. C. Select a more efficient encryption algorithm so the backup process runs faster. D. Implement a data classification policy so that only critical data get backed up.

You answered D. The correct answer is B. A. While running backups without encryption would solve the performance issue, this does not meet security requirements. B. The primary benefit of performing data classification is so that the appropriate security controls can be applied based on the sensitivity of the data. The process of encrypting data for backup typically slows down the process considerably. There may be considerable amounts of data that are not sensitive and could be backed up faster without encryption enabled, but only a valid data classification process could make this possible. C. While some encryption methods can be faster or slower than others, the better solution in this case is to apply a data classification policy and only encrypt the data that require it according to the policy. D. While a data classification policy specifies both the sensitivity and criticality of the data, the better solution in this case is to apply the appropriate security controls and attempt to back up all data. Although data may be deemed noncritical, these data would still have some value to the business and should be backed up if possible.

An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site are transferred to both the delivery and accounting systems? Select an answer: A. Transaction totals are recorded on a daily basis in the sales systems. Daily sales system totals are aggregated and totaled. B. Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for. C. Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected. D. System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp.

You answered D. The correct answer is B. Automatic numerical sequencing is the only option that accounts for completeness of transactions because any missing transactions would be identified by a gap. Totaling transactions on the sales system does not address the transfer of data from the online systems to the accounting system, but rather considers only the accounting system. Checking for duplicates is a valid control; however, it does not address whether the sales transactions processed are complete (ensuring that all transactions are recorded). A date/time stamp does not help account for transactions that are missing or incomplete by the accounting and delivery department.

When developing a security architecture, which of the following steps should be executed FIRST? Select an answer: A. Developing security procedures B. Defining a security policy C. Specifying an access control methodology D. Defining roles and responsibilities

You answered D. The correct answer is B. Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. The other choices should be executed only after defining a security policy.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? Select an answer: A. System log analysis B. Compliance testing C. Forensic analysis D. Analytical review

You answered D. The correct answer is B. Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. It is unlikely that the system log analysis would provide information about the modification of programs. Forensic analysis is a specialized technique for criminal investigation. An analytical review assesses the general control environment of an organization.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? Select an answer: A. System log analysis B. Compliance testing C. Forensic analysis D. Analytical review

You answered D. The correct answer is B. Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. It is unlikely that the system log analysis would provide information about the modification of programs. Forensic analysis is a specialized technique for criminal investigation. An analytical review assesses the general control environment of an organization.

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)? Select an answer: A. Function point analysis (FPA) B. Earned value analysis (EVA) C. Cost budget D. Program Evaluation and Review Technique (PERT)

You answered D. The correct answer is B. EVA is an industry standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed to determine if the cost, schedule and work accomplished are progressing in accordance with the plan. EVA works most effectively if a well-formed work breakdown structure exists. FPA is an indirect measure of software size and complexity and, therefore, does not address the elements of time and budget. Cost budgets do not address time. PERT aids in time and deliverables management, but lacks projections for EACs and overall financial management.

Which of the following is the initial step in creating a firewall policy? Select an answer: A. A cost-benefit analysis of methods for securing the applications B. Identification of network applications to be externally accessed C. Identification of vulnerabilities associated with network applications to be externally accessed D. Creation of an applications traffic matrix showing protection methods

You answered D. The correct answer is B. Identification of the applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step. Having identified the applications, the next step is to identify vulnerabilities (weaknesses) associated with the network applications. The next step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server? Select an answer: A. Manually copy files to accomplish replication. B. Review changes in the software version control system. C. Ensure that developers do not have access to the backup server. D. Review the access control log of the backup server.

You answered D. The correct answer is B. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Even if replication may be conducted manually with due care, there still remains a risk to copying unauthorized software from one server to another. If unauthorized code were introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.

The database administrator (DBA) suggests that database (DB) efficiency can be improved by denormalizing some tables. This would result in: Select an answer: A. loss of confidentiality B. increased redundancy. C. unauthorized accesses. D. application malfunctions.

You answered D. The correct answer is B. Normalization is a design or optimization process for a relational DB that minimizes redundancy; therefore, denormalization would increase redundancy. Redundancy which is usually considered positive when it is a question of resource availability is negative in a database environment, since it demands additional and otherwise unnecessary data handling efforts. Denormalization is sometimes advisable for functional reasons. It should not cause loss of confidentiality, unauthorized accesses or application malfunctions.

Which of the following controls would provide the GREATEST assurance of database integrity? A. Audit log procedures B. Table link/reference checks C. Query/table access time checks D. Rollback and rollforward database features

You answered D. The correct answer is B. Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity. Audit log procedures enable recording of all events that have been identified and help in tracing the events. However, they only point to the event and do not ensure completeness or accuracy of the database's contents. Querying/monitoring table access time checks helps designers improve database performance, but not integrity. Rollback and rollforward database features ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database.

Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to: Select an answer: A. ensure the employee maintains a good quality of life, which will lead to greater productivity. B. reduce the opportunity for an employee to commit an improper or illegal act. C. provide proper cross-training for another employee. D. eliminate the potential disruption caused when an employee takes vacation one day at a time.

You answered D. The correct answer is B. Required vacations/holidays of a week or more in duration in which someone other than the regular employee performs the job function is often mandatory for sensitive positions, as this reduces the opportunity to commit improper or illegal acts. During this time it may be possible to discover any fraudulent activity that was taking place. Choices A, C and D could all be organizational benefits from a mandatory vacation policy, but they are not the reason why the policy is established.

Which of the following is the BEST reason to implement a policy which addresses secondary employment for IT employees? Select an answer: A. To ensure that employees are not misusing corporate resources B. To prevent conflicts of interest C. To prevent employee performance issues D. To prevent theft of IT assets

You answered D. The correct answer is B. The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Conflicts of interest could result in serious risk such as fraud, theft of intellectual property or other improprieties. The other options are not correct because issues such as the misuse of corporate resources, poor performance and theft of IT assets are not as severe as the possible ramifications of a conflict of interest.

During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that: Select an answer: A. only systems administrators perform the patch process. B. the client's change management process is adequate. C. patches are validated using parallel testing in production. D. an approval process of the patch, including a risk assessment, is developed.

You answered D. The correct answer is B. The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly. While system administrators would normally install patches and patches would normally undergo testing, it is more important that changes be made during nonproduction times; furthermore, parallel testing is not appropriate for security patches because some servers would still be vulnerable. An approval process could not directly prevent this type of incident from happening.

An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: Select an answer: A. check to ensure that the type of transaction is valid for the card type. B. verify the format of the number entered, then locate it on the database. C. ensure that the transaction entered is within the cardholder's credit limit. D. confirm that the card is not shown as lost or stolen on the master file.

You answered D. The correct answer is B. The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number (PIN) entered by the user. Based on this initial validation, all other validations will proceed. A validation control in data capture will ensure that the data entered are valid (i.e., can be processed by the system). If the data captured in the initial validation are not valid (if the card number or PIN do not match with the database), then the card will be rejected or captured per the controls in place. Once initial validation is completed, other validations specific to the card and cardholder would be performed.

During an IS risk assessment of a healthcare organization regarding protected healthcare information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor? Select an answer: A. The organization does not encrypt all of its outgoing email messages. B. Staff have to type "[PHI]" in the subject field of email messages to be encrypted. C. An individual's computer screen saver function is disabled. D. Server configuration requires the user to change the password annually.

You answered D. The correct answer is B. There will always be human-error risk that staff members forget to type certain words in the subject field. The organization should have automated encryption set up for outgoing email for employees working with PHI information in order to protect sensitive information. Encrypting all outgoing email is expensive and is not common business practice. Disabling the screen saver function increases the risk that sensitive data can be exposed to other employees; however, the risk is not as great as exposing the data to unauthorized individuals outside the organization. While changing the password annually is a concern, the risk is not as great as exposing the data to unauthorized individuals outside the organization.

An organization has implemented a disaster recovery plan. Which of the following steps should be carried out next? Select an answer: A. Obtain senior management sponsorship. B. Identify business needs. C. Conduct a paper test. D. Perform a system restore test.

You answered D. The correct answer is C. A best practice would be to conduct a paper test. Senior management sponsorship and business needs identification should have been obtained prior to implementing the plan. A paper test should be conducted first, followed by system or full testing.

What control detects transmission errors by appending calculated bits onto the end of each segment of data? Select an answer: A. Reasonableness check B. Parity check C. Redundancy check D. Check digits

You answered D. The correct answer is C. A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data. A reasonableness check compares data to predefined reasonability limits or occurrence rates established for the data. A parity check is a hardware control that detects data errors when data are read from one computer to another, from memory or during transmission. Check digits detect transposition and transcription errors.

An organization has bought a new system to integrate its human resources (HR) and payroll systems. Which of the following tests ensures that the new system can operate successfully with existing systems? Select an answer: A. Parallel testing B. Pilot testing C. Sociability testing D. Integration testing

You answered D. The correct answer is C. A. Parallel testing is the process of feeding data into two systems—the modified system and an alternate system—and computing the results in parallel. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions. B. Pilot testing takes place first at one location and is then extended to other locations. The purpose is to see whether the new system operates satisfactorily in one place before implementing it at other locations. C. The purpose of sociability testing is to ensure that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interface with other systems, as well as changes to the desktop in a client-server or web development. D. Integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure.

An IS auditor is assessing a biometric fingerprint system that protects a data center containing protected health information. The auditor should be MOST concerned with which of the following? Select an answer: A. False rejection rate (FRR) B. Crossover error rate (CER) C. False acceptance rate (FAR) D. Accuracy ratio

You answered D. The correct answer is C. A. The FRR is the probability (or percentage of times) that the system fails to detect a match between the input pattern and a matching template in the database. The FRR is the likelihood that a previously authorized individual's biometric print will be incorrectly rejected. This is a fail-safe condition. B. The CER is the rate at which accept and reject error rates are equal. The CER is an important measure of the accuracy of a biometric system. C. The FAR is the probability (or percentage of times) that the system incorrectly matches the input pattern to a nonmatching template in the database. The FAR is the likelihood that an invalid biometric input—from an impostor or unauthorized person—will be incorrectly accepted. This is a fail-unsafe condition, i.e., an unauthorized individual may be granted access. A low FAR is most desirable when it is used to protect highly sensitive data, such as protected health information. D. The accuracy ratio is equal to the CER; it is the rate at which accept and reject error rates are equal and an important measure of the accuracy of a biometric system.

An internal audit function is reviewing an internally developed common gateway interface (CGI) script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern? Select an answer: A. System unavailability B. Exposure to malware C. Unauthorized access D. System integrity

You answered D. The correct answer is C. A. While untested CGIs can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users. B. Untested CGI scripts do not inherently lead to malware exposures. C. Untested CGIs can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers. D. While untested CGIs can cause the end-user web application to be compromised, this is not likely to significantly impact system integrity.

Java applets and Active X controls are distributed executable programs that execute in the background of a web browser client. This practice is considered reasonable when: A. a firewall exists. B. a secure web connection is used. C. the source of the executable file is certain. D. the host web site is part of the organization.

You answered D. The correct answer is C. Acceptance of these mechanisms should be based on established trust. The control is provided by only knowing the source and then allowing the acceptance of the applets. Hostile applets can be received from anywhere. It is virtually impossible at this time to filter at this level. A secure web connection or firewall is considered an external defense. A firewall will find it more difficult to filter a specific file from a trusted source. A secure web connection provides confidentiality. Neither a secure web connection nor a firewall can identify an executable file as friendly. Hosting the web site as part of the organization is impractical. Enabling the acceptance of Java applets and/or Active X controls is an all-or-nothing proposition. The client will accept the program if the parameters are established to do so.

The MOST likely explanation for the use of applets in an Internet application is that: Select an answer: A. it is sent over the network from the server. B. the server does not run the program and the output is not sent over the network. C. they improve the performance of the web server and network. D. it is a JAVA program downloaded through the web browser and executed by the web server of the client machine.

You answered D. The correct answer is C. An applet is a JAVA program that is sent over the network from the web server, through a web browser and to the client machine; the code is then run on the machine. Since the server does not run the program and the output is not sent over the network, the performance on the web server and network—over which the server and client are connected—drastically improves through the use of applets. Performance improvement is more important than the reasons offered in choices A and B. Since JAVA virtual machine (JVM) is embedded in most web browsers, the applet download through the web browser runs on the client machine from the web browser, not from the web server, making choice D incorrect.

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix? Select an answer: A. Variable sampling B. Stratified mean per unit C. Attribute sampling D. Unstratified mean per unit

You answered D. The correct answer is C. Attribute sampling is the method used for compliance testing. In this scenario, the operation of control is being evaluated, and therefore attribute sampling should be used to determine whether the purchase orders have been approved. Variable sampling is the method used for substantive testing, which involves testing transactions for quantitative aspects such as monetary values. Stratified mean per unit and unstratified mean per unit are used in variable sampling.

When two or more systems are integrated, the IS auditor must review input/output controls in the: Select an answer: A. systems receiving the output of other systems. B. systems sending output to other systems. C. systems sending and receiving data. D. interfaces between the two systems.

You answered D. The correct answer is C. Both of the systems must be reviewed for input/output controls, since the output for one system is the input for the other.

The PRIMARY benefit of an IT manager monitoring technical capacity is to: Select an answer: A. identify needs for new hardware and storage procurement. B. determine future capacity needs based on usage. C. ensure that the service level agreement (SLA) requirements are met. D. ensure that systems operate at optimal capacity.

You answered D. The correct answer is C. Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal SLA between the business and IT. It also helps in arriving at expected future capacity based on usage patterns. In addition, capacity monitoring also helps in initiating procurement based on the current usage and expected future capacity.

Data flow diagrams are used by IS auditors to: Select an answer: A. order data hierarchically. B. highlight high-level data definitions. C. graphically summarize data paths and storage. D. portray step-by-step details of data generation.

You answered D. The correct answer is C. Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.

The internal audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the auditors? Select an answer: A. Stop-or-go B. Classical variable C. Discovery D. Probability-proportional-to-size

You answered D. The correct answer is C. Discovery sampling is used when an auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place. Stop-or-go is a sampling method that helps limit the size of a sample and allows the test to be stopped at the earliest possible moment. Classical variable sampling is associated with dollar amounts. Probability-proportional-to-size sampling is typically associated with cluster sampling when there are groups within a sample. The question does not indicate that an IS auditor is searching for a threshold of fraud.

Which of the following append themselves to files as a protection against viruses? Select an answer: A. Behavior blockers B. Cyclical redundancy checkers (CRCs) C. Immunizers D. Active monitors

You answered D. The correct answer is C. Immunizers defend against viruses by appending sections of themselves to files. They continuously check the file for changes and report changes as possible viral behavior. Behavior blockers focus on detecting potentially abnormal behavior, such as writing to the boot sector or the master boot record, or making changes to executable files. CRCs compute a binary number on a known virus-free program that is then stored in a database file. When that program is subsequently called to be executed, the checkers look for changes to the files, compare it to the database and report possible infection if changes have occurred. Active monitors interpret disk operating system (DOS) and read only memory (ROM) basic input-output system (BIOS) calls, looking for virus-like actions.

To ensure that audit resources deliver the best value to the organization, the FIRST step would be to: Select an answer: A. schedule the audits and monitor the time spent on each audit. B. train the IS audit staff on current technology used in the company. C. develop the audit plan on the basis of a detailed risk assessment. D. monitor progress of audits and initiate cost control measures.

You answered D. The correct answer is C. Monitoring the time (choice A) and audit programs (choice D), as well as adequate training (choice B), will improve the IS audit staff's productivity (efficiency and performance), but that which delivers value to the organization are the resources and efforts being dedicated to, and focused on, the higher-risk areas.

The BEST method of confirming the accuracy of a system tax calculation is by: Select an answer: A. detailed visual review and analysis of the source code of the calculation programs. B. recreating program logic using generalized audit software to calculate monthly totals. C. preparing simulated transactions for processing and comparing the results to predetermined results. D. automatic flowcharting and analysis of the source code of the calculation programs.

You answered D. The correct answer is C. Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation. Detailed visual review, flowcharting and analysis of source code are not effective methods, and monthly totals would not address the accuracy of individual tax calculations.

Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective (RPO)? Select an answer: A. Virtual tape libraries B. Disk-based snapshots C. Continuous data backup D. Disk-to-tape backup

You answered D. The correct answer is C. RPO is based on the acceptable data loss in the case of a disruption. In this scenario the organization needs a short RPO. Virtual tape libraries, disk-based snapshots and disk-to-tape backup would require time to complete the backup, while continuous data backup happens online (in real time).

An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as: Select an answer: A. critical. B. vital. C. sensitive. D. noncritical.

You answered D. The correct answer is C. Sensitive functions are best described as those that can be performed manually at a tolerable cost for an extended period of time. Critical functions are those that cannot be performed unless they are replaced by identical capabilities and cannot be replaced by manual methods. Vital functions refer to those that can be performed manually but only for a brief period of time; this is associated with lower costs of disruption than critical functions. Noncritical functions may be interrupted for an extended period of time at little or no cost to the company, and require little time or cost to restore.

To verify that the correct version of a data file was used for a production run, an IS auditor should review: Select an answer: A. operator problem reports. B. operator work schedules. C. system logs. D. output distribution reports.

You answered D. The correct answer is C. System logs are automated reports which identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The auditor can then carry out tests to ensure that the correct file version was used for a production run. Operator problem reports are used by operators to log computer operation problems. Operator work schedules are maintained to assist in human resources planning. Output distribution reports identify all application reports generated and their distribution.

During the review of an enterprise's preventive maintenance process for systems at a data center, the IS auditor has determined that adequate maintenance is being performed on all critical computing, power and cooling systems. Additionally, it is MOST important for the IS auditor to ensure that the organization: Select an answer: A. has performed background checks on all service personnel. B. escorts service personnel at all times when performing their work. C. performs maintenance during noncritical processing times. D. independently verifies that maintenance is being performed.

You answered D. The correct answer is C. The biggest risk to normal operations in a data center would be if an incident or mishap were to happen during critical peak processing times; therefore, it would be prudent to ensure that no type of system maintenance be performed at these critical times. While the trustworthiness of the service personnel is important, it is normal practice for these individuals to be escorted and supervised by the data center personnel. It is also expected that the service provider would perform this background check, not the customer. Escorting service personnel is common and a best practice, but the greater risk in this case would be if work were performed during critical processing. It is possible that the service provider is performing inadequate maintenance, and therefore this issue may need to be investigated; however, the bigger risk is maintenance being performed at critical processing times.

Which of the following should an incident response team address FIRST after a major incident in an information processing facility? Select an answer: A. Restoration at the facility B. Documentation of the facility C. Containment at the facility D. Monitoring of the facility

You answered D. The correct answer is C. The first priority is the containment of the incident at the facility so that spread of the damage is minimized. The incident team must gain control of the situation. Restoration ensures that the affected systems or services are restored to a condition specified in the restore point objective (RPO). This action will be possible only after containment of the damage. Documentation of the facility should be prepared to inform management of the incident; however, damage must be contained first. Monitoring of the facility is important, although containment must take priority to avoid spread of the damage.

The PRIMARY advantage of a continuous audit approach is that it: Select an answer: A. does not require an IS auditor to collect evidence on system reliability while processing is taking place. B. requires the IS auditor to review and follow up immediately on all information collected. C. can improve system security when used in time-sharing environments that process a large number of transactions. D. does not depend on the complexity of an organization's computer systems.

You answered D. The correct answer is C. The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques depends on the complexity of an organization's computer systems.

An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task? Select an answer: A. Computer-aided software engineering (CASE) tools B. Embedded data collection tools C. Trend/variance detection tools D. Heuristic scanning tools

You answered D. The correct answer is C. Trend/variance detection tools look for anomalies in user or system behavior, such as invoices with increasing invoice numbers. CASE tools are used to assist in software development. Embedded (audit) data collection software, such as systems control audit review file (SCARF) or systems audit review file (SARF), is used to provide sampling and production statistics, but not to conduct an audit log analysis. Heuristic scanning tools are a type of virus scanning used to indicate possible infected codes.

An organization completed a business impact analysis (BIA) as part of business continuity planning. The NEXT step in the process is to develop: Select an answer: A. a business continuity strategy. B. a test and exercise plan. C. a user training program. D. the business continuity plan (BCP).

You are correct, the answer is A. A business continuity strategy is the next phase because it identifies the best way to recover. The criticality of the business process, the cost, the time required to recover and security must be considered during this phase. The recovery strategy and plan development precede the test plan. Training can only be developed once the BCP is in place. A strategy must be determined before the BCP is developed.

The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure: Select an answer: A. integrity. B. authenticity. C. authorization. D. nonrepudiation.

You are correct, the answer is A. A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need other controls. Nonrepudiation can be ensured by using digital signatures.

Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy? Select an answer: A. Review the parameter settings. B. Interview the firewall administrator. C. Review the actual procedures. D. Review the device's log file for recent attacks.

You are correct, the answer is A. A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation. The other choices do not provide audit evidence as strong as choice A.

Which of the following is the BEST method to ensure that the business continuity plan (BCP) remains up to date? Select an answer: A. The group walks through the different scenarios of the plan, from beginning to end. B. The group ensures that specific systems can actually perform adequately at the alternate offsite facility. C. The group is aware of full-interruption test procedures. D. Interdepartmental communication is promoted to better respond in the case of a disaster.

You are correct, the answer is A. A structured walk-through test gathers representatives from each department who will review the plan and identify weaknesses. The ability of the group to ensure that specific systems can actually perform adequately at the alternate offsite facility is a parallel test and does not involve group meetings. Group awareness of full-interruption test procedures is the most intrusive test to regular operations and the business. While improving communication is important, it is not the most valued method.

An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform? Select an answer: A. Program output testing B. System configuration C. Program logic specification D. Performance tuning

You are correct, the answer is A. A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user. System configuration is usually too technical to be accomplished by a user and this situation could create security issues. Program logic specification is a very technical task that is normally performed by a programmer. Performance tuning also requires high levels of technical skill and will not be effectively accomplished by a user. In addition, choices B, C and D could introduce a segregation of duties issue.

An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit? Select an answer: A. To detect data transposition errors. B. To ensure that transactions do not exceed predetermined amounts. C. To ensure that data entered are within reasonable limits. D. To ensure that data entered are within a predetermined range of values.

You are correct, the answer is A. A. A check digit is a numeric value added to data to ensure that original data are correct and have not been altered. B. Ensuring that data have not exceeded a predetermined amount is a limit check. C. Ensuring that data entered are within predetermined reasonable limits is a reasonableness check. D. Ensuring that data entered are within a predetermined range of values is a range check.

Which of the following is the MOST likely benefit of implementing a standardized infrastructure? Select an answer: A. Improved cost-effectiveness of IT service delivery and operational support B. Increased security of the IT service delivery center C. Reduced level of investment in the IT infrastructure D. Reduced need for testing future application changes

You are correct, the answer is A. A. A standardized IT infrastructure provides a consistent set of platforms and operating systems across the organization. This standardization reduces the time and effort required to manage a set of disparate platforms and operating systems. In addition, the implementation of enhanced operational support tools (e.g., password management tools, patch management tools and auto provisioning of user access) is simplified. These tools can help the organization reduce the cost of IT service delivery and operational support. B. A standardized infrastructure results in a more homogeneous environment, which is more prone to attacks. C. While standardization can reduce support costs, the transition to a standardized kit can be expensive; therefore, the overall level of IT infrastructure investment is not likely to be reduced. D. A standardized infrastructure may simplify testing of changes, but it does not reduce the need for such testing.

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit? Select an answer: A. It detects risk sooner. B. It replaces the audit function. C. It reduces audit workload. D. It reduces audit resources.

You are correct, the answer is A. A. CSAs require employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help identify risk in a more timely manner. B. CSAs do not replace the audit function; an audit must still be performed to ensure that controls are present. C. CSAs may not reduce the audit function's workload and are not a major difference between the two approaches. D. CSAs do not affect the need for audit resources. While the results of the CSA may serve as a reference point for the audit process, they do not affect the scope or depth of audit work that needs to be performed.

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit? Select an answer: A. It detects risk sooner. B. It replaces the audit function. C. It reduces audit workload. D. It reduces audit resources.

You are correct, the answer is A. A. CSAs require employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help identify risk in a more timely manner. B. CSAs do not replace the audit function; an audit must still be performed to ensure that controls are present. C. CSAs may not reduce the audit function's workload and are not a major difference between the two approaches. D. CSAs do not affect the need for audit resources. While the results of the CSA may serve as a reference point for the audit process, they do not affect the scope or depth of audit work that needs to be performed.

A subsidiary in another country is forced to depart from the parent organization's IT policies to conform to the local law. The BEST approach for the parent organization is to: Select an answer: A. create a provision to allow local policies to take precedence where required by law. B. have the subsidiary revise its policies to conform to the parent organization's policies. C. revise the parent organization's policies so that they match the subsidiary's policies. D. track the issue as a violation of policy with a note of the extenuating circumstances.

You are correct, the answer is A. A. Creating a provision to allow local policies to take precedence where required by local authorities allows the organization to implement the optimal level of control subject to legal limitations. B. This is not acceptable because it subjects the subsidiary to local fines and penalties. C. This is a less desirable alternative because the policy in question may provide a superior level of control and risk reduction from which the remainder of the organization should continue to benefit. D. Tracking the issue as a policy violation fails to satisfactorily resolve the issue and recognize the need for flexibility.

An IS auditor is reviewing the database backup and recovery plan developed by the organization's database administration team. Which of the following is of MOST importance to the auditor? Select an answer: A. Backup validation is being performed. B. The backup/recovery service level agreement (SLA) meets business recovery requirements. C. Backups are written to tape. D. Backups are stored onsite in the data center.

You are correct, the answer is A. A. Database backup validation allows the database administrator (DBA) to verify the backups without performing an actual restore and is critical to ensure integrity of the backups. Of course, actual database restore testing is the best method to ensure that backups will work if needed. Lack of testing may result in undetermined issues with the backups, such as integrity failures that may make recovery impossible. B. The SLA is only a contractual agreement to provide service in a specified time frame and will ensure that the database can be recovered when needed. Database backup validation is the most effective method to ensure recovery is possible. C. Backups do not necessarily need to be written to tape. Disk-to-disk backup is acceptable and decreases the time to recover. However, backing up to tape is a good archiving strategy. D. It is important to store a set of backups offsite even if a primary set of backups remains onsite. However, regardless of the location of backup storage, the backups must be validated to ensure recovery capability.

While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours. The IS auditor should report that the project: Select an answer: A. is behind schedule. B. is ahead of schedule. C. is on schedule. D. cannot be evaluated until the activity is completed.

You are correct, the answer is A. A. Earned value analysis (EVA) is based on the premise that if a project task is assigned 24 hours for completion, it can be reasonably completed during that time frame. According to EVA, the project is behind schedule because the value of the eight hours spent on the task should be only four hours, considering that 20 hours of effort remain to be completed. B. EVA is based on the premise that if a project task is assigned 24 hours for completion, it can be reasonably completed during that time frame. According to EVA, the project is behind schedule because the value of the eight hours spent on the task should be only four hours, considering that 20 hours of effort remain to be completed. C. EVA is based on the premise that if a project task is assigned 24 hours for completion, it can be reasonably completed during that time frame. According to EVA, the project is behind schedule because the value of the eight hours spent on the task should be only four hours, considering that 20 hours of effort remain to be completed. D. EVA is based on the premise that if a project task is assigned 24 hours for completion, it can be reasonably completed during that time frame. According to EVA, the project is behind schedule because the value of the eight hours spent on the task should be only four hours, considering that 20 hours of effort remain to be completed.

The PRIMARY objective of conducting a postimplementation review for a business process automation project is to: Select an answer: A. ensure that the project meets the intended business requirements. B. evaluate the adequacy of controls. C. confirm compliance with technological standards. D. confirm compliance with regulatory requirements.

You are correct, the answer is A. A. Ensuring that the project meets the intended business requirements is the primary objective of a postimplementation review. B. Evaluating the adequacy of controls may be part of the review, but is not the primary objective. C. Confirming compliance with technological standards is normally not part of the postimplementation review because this should be addressed during the design and development phase. D. Confirming compliance with regulatory requirements is normally not part of the postimplementation review because this should be addressed during the design and development phase.

Value delivery from IT to the business is MOST effectively achieved by: Select an answer: A. aligning the IT strategy with the enterprise strategy. B. embedding accountability in the enterprise. C. providing a positive return on investment (ROI). D. establishing an enterprisewide risk management process.

You are correct, the answer is A. A. IT's value delivery to the business is driven by aligning IT with the enterprise's strategy. B. Embedding accountability in the enterprise promotes risk management (another element of corporate governance). C. While ROI is important, it is not the only criterion by which the value of IT is assessed. D. Enterprisewide risk management is critical to IT governance; however, by itself it will not guarantee that IT delivers value to the business unless the IT strategy is aligned with the enterprise strategy.

During a system development life cycle (SDLC) audit of a human resources (HR) and payroll application, the IS auditor notes that the data used for user acceptance testing (UAT) have been masked. The purpose of masking the data is to ensure the: Select an answer: A. confidentiality of the data. B. accuracy of the data. C. completeness of the data. D. reliability of the data.

You are correct, the answer is A. A. Masking the data is used to ensure the confidentiality of data, especially in a UAT exercise in which the testers have access to data that they would not have access to in normal production environments. B. Masking the data does not ensure the accuracy of the data. If the underlying data are inaccurate, the masked data also would be inaccurate. C. Masking the data does not ensure the completeness of the data. If the underlying data are incomplete, the masked data also would be incomplete. D. Masking the data does not ensure the reliability of the data. If the underlying data are unreliable, the masked data also would be unreliable.

An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the GREATEST concern? Select an answer: A. The implementation phase of the project has no backout plan. B. User acceptance testing (UAT) was not properly documented. C. Software functionality tests were completed, but stress testing was not performed. D. The go-live date is over a holiday weekend when key IT staff are on vacation.

You are correct, the answer is A. A. One of the benefits of deploying a new system in parallel with an existing system is that the original system can always be used as a backout plan. In an immediate cutover scenario, not having a backout plan can create significant issues because it can take considerable time and cost to restore operations to the prior state if there is no viable plan to do so. B. The documentation of UAT is a much less important concern than not having a viable backout plan; therefore, this is not the correct answer. C. The lack of stress testing is a much less important concern than not having a viable backout plan; therefore, this is not the correct answer. D. If there are support issues, having the go-live date happen over a holiday weekend may create some delays, but project managers should account for this to ensure that the required staff are available as needed. The greater risk is if there is no backout plan.

Which of the following is the PRIMARY reason IS auditors conduct risk assessments? Select an answer: A. To focus effort on areas of highest business impact B. To maintain the organization's risk register C. To enable management to choose the correct risk response D. To provide assurance on the risk management process

You are correct, the answer is A. A. Risk assessments form the basis of audit department management and are used to determine potential areas on which to focus audit efforts and resources. A risk assessment is the process used to identify and evaluate risk and its potential effects. B. Updating the risk register is the responsibility of operations management, not the IT audit department. C. Management chooses the correct risk response strategy based on the enterprisewide risk assessment, evaluation and analysis. D. Assurance on risk management is not the main reason why risk assessments are performed by the audit department. The IT department performs risk assessments for two purposes: to create a risk-based audit schedule and to manage the risk related to each audit engagement from a delivery and project management perspective.

Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as: Select an answer: A. substantive testing. B. compliance testing. C. qualitative analysis. D. judgment sampling.

You are correct, the answer is A. A. Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of data at the individual transaction level. This can be achieved by comparing the data in the application to the base document. In this case, comparison is made with the vendor invoices. B. Compliance testing involves testing the controls designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period. C. Qualitative analysis is typically related to risk analysis and should not be used in this scenario. D. Judgment sampling is a sample that is selected subjectively or not at random, or in which the sampling results are not evaluated mathematically.

Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as: Select an answer: A. substantive testing. B. compliance testing. C. qualitative analysis. D. judgment sampling.

You are correct, the answer is A. A. Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of data at the individual transaction level. This can be achieved by comparing the data in the application to the base document. In this case, comparison is made with the vendor invoices. B. Compliance testing involves testing the controls designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period. C. Qualitative analysis is typically related to risk analysis and should not be used in this scenario. D. Judgment sampling is a sample that is selected subjectively or not at random, or in which the sampling results are not evaluated mathematically.

After a disaster declaration, the media creation date at a warm recovery site is based on the: Select an answer: A. recovery point objective (RPO). B. recovery time objective (RTO). C. service delivery objective (SDO). D. maximum tolerable outage (MTO).

You are correct, the answer is A. A. The RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The media creation date will reflect the point to which data are to be restored or the RPO. B. The RTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. C. The SDO is directly related to the business needs, and is the level of service to be reached during the alternate process mode until the normal situation is restored. D. The MTO is the maximum time that an organization can support processing in alternate mode.

Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse? Select an answer: A. Accuracy of the source data B. Credibility of the data source C. Accuracy of the extraction process D. Accuracy of the data transformation

You are correct, the answer is A. Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Credibility of the data source, accurate extraction processes and accurate transformation routines are all important, but would not change inaccurate data into quality (accurate) data.

Which of the following is MOST indicative of the effectiveness of an information security awareness program? Select an answer: A. Employees report more information regarding security incidents. B. All employees have signed the information security policy. C. Most employees have attended an awareness session. D. Information security responsibilities have been included in job descriptions.

You are correct, the answer is A. Although the promotion of security awareness is a preventive control, it can also be a detective measure because it encourages people to identify and report possible security violations. Choice A is the correct answer because the reporting of incidents implies that employees are taking action as a consequence of the awareness program. The existence of evidence that all employees have signed the security policy does not ensure that security responsibilities have been understood and applied. One of the objectives of the security awareness program is to inform the employees of what is expected of them and what their responsibilities are, but this knowledge does not ensure that employees will perform their activities in a secure manner. The documentation of roles and responsibilities in job descriptions is not an indicator of the effectiveness of the awareness program.

When auditing a disaster recovery plan for a critical business area, an IS auditor finds that it does not cover all the systems. Which of the following is the MOST appropriate action for the IS auditor? Select an answer: A. Alert management and evaluate the impact of not covering all systems. B. Cancel the audit. C. Complete the audit of the systems covered by the existing disaster recovery plan. D. Postpone the audit until the systems are added to the disaster recovery plan.

You are correct, the answer is A. An IS auditor should make management aware that some systems are omitted from the disaster recovery plan. An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the disaster recovery plan. Cancelling the audit, ignoring the fact that some systems are not covered or postponing the audit are inappropriate actions to take.

When auditing a disaster recovery plan for a critical business area, an IS auditor finds that it does not cover all the systems. Which of the following is the MOST appropriate action for the IS auditor? Select an answer: A. Alert management and evaluate the impact of not covering all systems. B. Cancel the audit. C. Complete the audit of the systems covered by the existing disaster recovery plan. D. Postpone the audit until the systems are added to the disaster recovery plan.

You are correct, the answer is A. An IS auditor should make management aware that some systems are omitted from the disaster recovery plan. An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the disaster recovery plan. Cancelling the audit, ignoring the fact that some systems are not covered or postponing the audit are inappropriate actions to take.

An IS auditor is reviewing a software application that is built on the principles of service oriented architecture (SOA). What is the BEST first step? Select an answer: A. Understanding services and their allocation to business processes by reviewing the service repository documentation. B. Sampling the use of service security standards as represented by the Security Assertions Markup Language (SAML). C. Reviewing the service level agreements (SLAs). D. Auditing any single service and its dependencies with others.

You are correct, the answer is A. An SOA relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services. Choices B and C are not correct because sampling the use of service security standards as represented by the SAML and reviewing the SLAs are essential follow-up steps to understanding services and their allocation to business, but are not first steps. Choice D is not correct because auditing any single service and its dependencies with others would be very time consuming and is not the standard way to start an SOA audit.

When reviewing an organization's strategic IT plan an IS auditor should expect to find: Select an answer: A. an assessment of the fit of the organization's application portfolio with business objectives. B. actions to reduce hardware procurement cost. C. a listing of approved suppliers of IT contract resources. D. a description of the technical architecture for the organization's network perimeter security.

You are correct, the answer is A. An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process. This drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc., can support the business objectives. Operational efficiency initiatives belong to tactical planning, not strategic planning. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization's business objectives. A listing of approved suppliers of IT contract resources is a tactical rather than a strategic concern. An IT strategic plan would not normally include detail of a specific technical architecture.

The computer security incident response team (CSIRT) of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may: Select an answer: A. use this information to launch attacks. B. forward the security alert. C. implement individual solutions. D. fail to understand the threat.

You are correct, the answer is A. An organization's CSIRT should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risk arising from security failures and to prevent additional security incidents resulting from the same threat. Forwarding the security alert is not harmful to the organization. Implementing individual solutions is unlikely and users failing to understand the threat would not be a serious concern.

The most likely error to occur when implementing a firewall is: Select an answer: A. incorrectly configuring the access lists. B. compromising the passwords due to social engineering. C. connecting a modem to the computers in the network. D. inadequately protecting the network and server from virus attacks.

You are correct, the answer is A. An updated and flawless access list is a significant challenge and, therefore, has the greatest chance for errors at the time of the initial installation. Passwords do not apply to firewalls, a modem bypasses a firewall and a virus attack is not an element in implementing a firewall.

Which of the following should be an IS auditor's PRIMARY concern after discovering that the scope of an IS project has changed and an impact study has not been performed? Select an answer: A. The time and cost implications caused by the change B. The risk that regression tests will fail C. Users not agreeing with the change D. The project team not having the skills to make the necessary change

You are correct, the answer is A. Any scope change might have an impact on duration and cost of the project; that is the reason why an impact study is conducted and the client is informed of the potential impact on the schedule and cost. A change in scope does not necessarily impact the risk that regression tests will fail, that users will reject the change or that the project team will lack the skills to make the change.

A technical lead who was working on a major project has left the organization. The project manager reports suspicious system activities on one of the servers that is accessible to the whole team. Which of the following would be of GREATEST concern during a forensic investigation? Select an answer: A. Audit logs are not enabled for the system. B. A logon ID for the technical lead still exists. C. Spyware is installed on the system. D. A Trojan is installed on the system.

You are correct, the answer is A. Audit logs are critical to the investigation of the event; however, if not enabled, misuse of the logon ID of the technical lead and the guest account could not be established. The logon ID of the technical lead should have been deleted as soon as the employee left the organization but, without audit logs, misuse of the ID is difficult to prove. Spyware installed on the system is a concern but could have been installed by any user and, again, without the presence of logs, discovering who installed the spyware is difficult. A Trojan installed on the system is a concern, but it can be done by any user as it is accessible to the whole group and, without the presence of logs, investigation would be difficult.

Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis (BIA)? Select an answer: A. Business processes owners B. IT management C. Senior business management D. Industry experts

You are correct, the answer is A. Business process owners have the most relevant information to contribute since the BIA is designed to evaluate criticality, based on business needs. Choices B and C are not correct because, while IT management and senior management must be involved, they may not be fully aware of the business processes that need to be protected. Choice D is not correct because the BIA is dependent on the unique business needs of the organization.

An IS auditor notes during an audit that an organization's business continuity plan (BCP) does not adequately address information confidentiality during the recovery process. The IS auditor should recommend that the plan be modified to include: Select an answer: A. the level of information security required when business recovery procedures are invoked. B. information security roles and responsibilities in the crisis management structure. C. information security resource requirements. D. change management procedures for information security that could affect business continuity arrangements.

You are correct, the answer is A. Business should consider whether information security levels required during recovery should be the same, lower or higher than when business is operating normally. In particular, any special rules for access to confidential data during a crisis need to be identified. The other choices do not directly address the information confidentiality issue.

A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it: Select an answer: A. can identify high-risk areas that might need a detailed review later. B. allows IS auditors to independently assess risk. C. can be used as a replacement for traditional audits. D. allows management to relinquish responsibility for control.

You are correct, the answer is A. CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Choice B is incorrect, because CSA requires the involvement of IS auditors and line management. What occurs is that the internal audit function shifts some of the control monitoring responsibilities to the functional areas. Choice C is incorrect because CSA is not a replacement for traditional audits. CSA is not intended to replace audit's responsibilities, but to enhance them. Choice D is incorrect, because CSA does not allow management to relinquish its responsibility for control.

The reason a certification and accreditation process is performed on critical systems is to ensure that: Select an answer: A. security compliance has been technically evaluated. B. data have been encrypted and are ready to be stored. C. the systems have been tested to run on different platforms. D. the systems have followed the phases of a waterfall model.

You are correct, the answer is A. Certified and accredited systems are systems that have had their security compliance technically evaluated for running on a specific production server. Choice B is incorrect because not all data of certified systems are encrypted. Choice C is incorrect because certified systems are evaluated to run in a specific environment. A waterfall model is a software development methodology and not a reason for performing a certification and accrediting process.

An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the testing phase be shortened. The project manager asks the IS auditor for recommendations to mitigate the risk associated with reduced testing. Which of the following is a suitable risk mitigation strategy? Select an answer: A. Test and release a pilot with reduced functionality. B. Fix and retest the highest-severity functional defects. C. Eliminate planned testing by the development team, and proceed straight to acceptance testing. D. Implement a testing tool to automate defect tracking.

You are correct, the answer is A. Choice A reduces risk in a number of ways. Reduced functionality should result in fewer overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made available to a select group of users will reduce the risk associated with a full implementation. All of the benefits of releasing the system to the full user population will not be realized, but some benefits should start to flow. Additionally, some useful comments from real users should be obtained to guide what extra functionality and other improvements need to be included in a full release. Choice B is not correct. When testing starts, a significant amount of defects is likely to exist. Focusing only on the highest-severity functional defects runs the risk that other important aspects such as usability problems and nonfunctional requirements of performance and security will be ignored. The system may go live, but users may struggle to use the system as intended to realize business benefits. Choice C is usually a bad idea. Before system acceptance testing begins, some prior testing should occur to establish that the system is ready to proceed to acceptance evaluation. If prior testing by the development team does not occur, there is a considerable risk that the software will have a significant amount of low-level defects, such as transactions that cause the system to hang and unintelligible error messages. This can prove frustrating for users or testers tasked with acceptance testing and, ultimately, could cause the overall testing time to increase rather than decrease. Choice D could help in improving testing efficiency, but it does not address the fundamental risk caused by reducing the testing effort on a system in which quality is uncertain. Given the build problems experienced, there is reason to suspect that quality problems could exist.

Which of the following is widely accepted as one of the critical components in networking management? Select an answer: A. Configuration management B. Topological mappings C. Application of monitoring tools D. Proxy server troubleshooting

You are correct, the answer is A. Configuration management is widely accepted as one of the key components of any network, since it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Topological mappings provide outlines of the components of the network and its connectivity. Application monitoring is not essential and proxy server troubleshooting is used for troubleshooting purposes.

The PRIMARY objective of implementing corporate governance is to: Select an answer: A. provide strategic direction. B. control business operations. C. align IT with business. D. implement best practices.

You are correct, the answer is A. Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risk is properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business operations are directed and controlled.

A project manager of a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine: Select an answer: A. what amount of progress against schedule has been achieved. B. if the project budget can be reduced. C. if the project could be brought in ahead of schedule. D. if the budget savings can be applied to increase the project scope.

You are correct, the answer is A. Cost performance of a project cannot be properly assessed in isolation of schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project. To properly assess the project budget position it is necessary to know how much progress has actually been made and, given this, what level of expenditure would be expected. It is possible that project expenditure appears to be low because actual progress has been slow. Until the analysis of project against schedule has been completed, it is impossible to know whether there is any reason to reduce budget. If the project has slipped behind schedule, then not only may there be no spare budget but it is possible that extra expenditure may be needed to retrieve the slippage. The low expenditure could actually be representative of a situation where the project is likely to miss deadlines rather than potentially come in ahead of time. If the project is found to be ahead of budget after adjusting for actual progress, this is not necessarily a good outcome because it points to flaws in the original budgeting process; and, as said above, until further analysis is undertaken, it cannot be determined whether any spare funds actually exist. Further, if the project is behind schedule, then adding scope may be the wrong thing to do.

At a hospital, medical personal carry handheld computers which contain patient health data. These handheld computers are synchronized with PCs which transfer data from a hospital database. Which of the following would be of the most importance? Select an answer: A. The handheld computers are properly protected to prevent loss of data confidentiality, in case of theft or loss. B. The employee who deletes temporary files from the local PC, after usage, is authorized to maintain PCs. C. Timely synchronization is ensured by policies and procedures. D. The usage of the handheld computers is allowed by the hospital policy.

You are correct, the answer is A. Data confidentiality is a major requirement of privacy regulations. Choices B, C and D relate to internal security requirements, and are secondary when compared to compliance with data privacy laws.

With the help of a security officer, granting access to data is the responsibility of: Select an answer: A. data owners. B. programmers. C. system analysts. D. librarians.

You are correct, the answer is A. Data owners are responsible for the use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration with the owners' approval sets up access rules stipulating which users or group of users are authorized to access data or files and the level of authorized access (e.g., read or update).

An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening? Select an answer: A. The default configurations are changed. B. All tables in the database are normalized. C. Stored procedures and triggers are encrypted. D. The service port used by the database server is changed.

You are correct, the answer is A. Default database configurations, such as default passwords and services, need to be changed; otherwise, the database could be easily compromised by malicious code and by intruders. Choice B is not correct because it is related more to performance than to security. Limiting access to stored procedures is a valid security consideration, but not as critical as changing default configurations. Changing the service port used by the database is a component of the configuration changes which could be made to the database, but there are other more critical configuration changes which should be made first.

A hot site should be implemented as a recovery strategy when the: Select an answer: A. disaster tolerance is low. B. recovery point objective (RPO) is high. C. recovery time objective (RTO) is high. D. disaster tolerance is high.

You are correct, the answer is A. Disaster tolerance is the time gap during which the business can accept nonavailability of IT facilities. If this time gap is low, recovery strategies that can be implemented within a short period of time, such as a hot site, should be used. The RPO is the earliest point in time at which it is acceptable to recover the data. A high RPO means that the process can wait for a longer time. In such cases, other recovery alternatives, such as warm or cold sites, should be considered. A high RTO means that additional time would be available for the recovery strategy, thus making other recovery alternatives—such as warm or cold sites—viable alternatives.

Which of the following would normally be the MOST reliable evidence for an IS auditor? Select an answer: A. A confirmation letter received from a third party verifying an account balance B. Assurance from line management that an application is working as designed C. Trend data obtained from World Wide Web (Internet) sources D. Ratio analysis developed by the IS auditor from reports supplied by line management

You are correct, the answer is A. Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable as choice A.

Which of the following would normally be the MOST reliable evidence for an IS auditor? Select an answer: A. A confirmation letter received from a third party verifying an account balance B. Assurance from line management that an application is working as designed C. Trend data obtained from World Wide Web (Internet) sources D. Ratio analysis developed by the IS auditor from reports supplied by line management

You are correct, the answer is A. Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable as choice A.

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs: Select an answer: A. periodic review of user activities logs. B. verification of user authorization at the field level. C. review of data communication access activities logs. D. periodic review of changing data files.

You are correct, the answer is A. General operating system access control functions include logging user activities, events, etc. Choice B is a database- and/or an application-level access control function. Choice C is a network control feature. Choice D is a change control.

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs: Select an answer: A. periodic review of user activities logs. B. verification of user authorization at the field level. C. review of data communication access activities logs. D. periodic review of changing data files.

You are correct, the answer is A. General operating system access control functions include logging user activities, events, etc. Choice B is a database- and/or an application-level access control function. Choice C is a network control feature. Choice D is a change control.

The MOST important difference between hashing and encryption is that hashing: Select an answer: A. is irreversible. B. output is the same length as the original message. C. is concerned with integrity and security. D. is the same at the sending and receiving end.

You are correct, the answer is A. Hashing works one way; by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption. Hashing creates an output that is smaller than the original message, and encryption creates an output of the same length as the original message. Hashing is used to verify the integrity of the message and does not address security. The same hashing algorithm is used at the sending and receiving ends to generate and verify the message hash/digest. Encryption will not necessarily use the same algorithm at the sending and receiving end to encrypt and decrypt.

The waterfall life cycle model of software development is most appropriately used when: Select an answer: A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate. B. requirements are well understood and the project is subject to time pressures. C. the project intends to apply an object-oriented design and programming approach. D. the project will involve the use of new technology.

You are correct, the answer is A. Historically, the waterfall model has been best suited to the stable conditions described in choice A. When the degree of uncertainty of the system to be delivered and the conditions in which it will be used rises, the waterfall model has not been successful. In these circumstances, the various forms of iterative development life cycle gives the advantage of breaking down the scope of the overall system to be delivered, making the requirements gathering and design activities more manageable. The ability to deliver working software earlier also acts to alleviate uncertainty and may allow an earlier realization of benefits. The choice of a design and programming approach is not itself a determining factor of the type of software development life cycle that is appropriate. The use of new technology in a project introduces a significant element of risk. An iterative form of development, particularly one of the agile methods that focuses on early development of actual working software, is likely to be the better option to manage this uncertainty.

While planning an audit, an assessment of risk should be made to provide: Select an answer: A. reasonable assurance that the audit will cover material items. B. definite assurance that material items will be covered during the audit work. C. reasonable assurance that all items will be covered by the audit. D. sufficient assurance that all items will be covered during the audit work.

You are correct, the answer is A. ISACA IT Audit and Assurance Guideline G15 on planning the IS audit states that, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.

During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to: Select an answer: A. address audit objectives. B. collect sufficient evidence. C. specify appropriate tests. D. minimize audit resources.

You are correct, the answer is A. ISACA IT audit and assurance standards require that an IS auditor plan the audit work to address the audit objectives. Choice B is incorrect because the IS auditor does not collect evidence in the planning stage of an audit. Choices C and D are incorrect because they are not the primary goals of audit planning. The activities described in choices B, C and D are all undertaken to address audit objectives and are thus secondary to choice A.

When testing program change requests, an IS auditor finds that the population of changes was too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take? Select an answer: A. Develop an alternate testing procedure. B. Report the finding to management as a deficiency. C. Perform a walk-through of the change management process. D. Create additional sample changes to programs.

You are correct, the answer is A. If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure. There is not enough evidence to report the finding as a deficiency. A walk-through should not be initiated until an analysis is performed to confirm that this could provide the required assurance. It would not be appropriate for an IS auditor to create sample data for the purpose of the audit.

In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table? Select an answer: A. Foreign key B. Primary key C. Secondary key D. Public key

You are correct, the answer is A. In a relational database with referential integrity, the use of foreign keys would prevent events such as primary key changes and record deletions, resulting in orphaned relations within the database. It should not be possible to delete a row from a customer table when the customer number (primary key) of that row is stored with live orders on the orders table (the foreign key to the customer table). A primary key works in one table, so it is not able to provide/ensure referential integrity by itself. Secondary keys that are not foreign keys are not subject to referential integrity checks. Public key is related to encryption and not linked in any way to referential integrity.

Which of the following would BEST describe encrypting and decrypting data using an asymmetric encryption algorithm? Select an answer: A. Use the receiver's private key to decrypt data encrypted by the receiver's public key. B. Use the sender's private key to decrypt the data. C. Use the receiver's public key to decrypt the data encrypted by the sender's private key. D. Use the sender's public key to both encrypt and decrypt the data.

You are correct, the answer is A. In asymmetric encryption, if the message was encrypted by the receiver's public key, it can only be decrypted by the receiver's private key. It is impossible to use the sender's private key because it is supposed to be private. If the message is encrypted using the sender's private key, it can only be decrypted by the sender's public key and not the receiver's public key. This is usually the technique used for a digital signature, not for encryption, because the public key is available to everyone. In asymmetric encryption, one does not use the same key for both encryption and decryption; that technique would be used for symmetric encryption.

An IT executive of an insurance company asked an external auditor to evaluate the user IDs for emergency access (fire call ID). The IS auditor found that fire call accounts are granted without a predefined expiration date. What should the IS auditor recommend? Select an answer: A. Review of the access control privilege authorization process B. Implementation of an identity management system (IMS) C. Enhancement of procedures to audit changes made to sensitive customer data D. Granting of fire call accounts only to managers

You are correct, the answer is A. In this case, the IS auditor should recommend reviewing the process of access control management. Emergency system administration-level access should only be granted on an as-needed basis and configured to a predefined expiration date. Accounts with temporary privileges require strong controls to limit the lifetime of the privileges and use of these accounts should be closely monitored. Choice B is not correct because, while implementing an IMS may solve the problem, it would be most cost-efficient to first review access privileges. Enhancing procedures to audit changes made to sensitive customer data (choice C) does not prevent the misuse of these accounts and should be performed after reviewing the process. It is not realistic to grant fire call accounts only to managers (choice D).

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should: Select an answer: A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings. B. not include the finding in the final report, because the audit report should include only unresolved findings. C. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit. D. include the finding in the closing meeting for discussion purposes only.

You are correct, the answer is A. Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation, as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.

As an outcome of information security governance, strategic alignment provides: Select an answer: A. security requirements driven by enterprise requirements. B. baseline security following best practices. C. institutionalized and commoditized solutions. D. an understanding of risk exposure.

You are correct, the answer is A. Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements. Value delivery provides a standard set of security practices, i.e., baseline security following best practices or institutionalized and commoditized solutions. Risk management provides an understanding of risk exposure.

Which of the following is an example of a passive attack initiated through the Internet? Select an answer: A. Traffic analysis B. Masquerading C. Denial of service D. Email spoofing

You are correct, the answer is A. Internet security threats/vulnerabilities are divided into passive and active attacks. Examples of passive attacks include network analysis, eavesdropping and traffic analysis. Active attacks include brute force attacks, masquerading, packet replay, message modification, unauthorized access through the Internet or web-based services, denial-of-service attacks, dial-in penetration attacks, email bombing and spamming, and email spoofing.

The phases and deliverables of a system development life cycle (SDLC) project should be determined: Select an answer: A. during the initial planning stages of the project. B. after early planning has been completed, but before work has begun. C. throughout the work stages, based on risk and exposures. D. only after all risk and exposures have been identified and the IS auditor has recommended appropriate controls.

You are correct, the answer is A. It is extremely important that the project be planned properly and that the specific phases and deliverables be identified during the early stages of the project.

Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be: Select an answer: A. physically separated from the data center and not subject to the same risk. B. given the same level of protection as that of the computer data center. C. outsourced to a reliable third party. D. equipped with surveillance capabilities.

You are correct, the answer is A. It is important that there be an offsite storage location for IS files and that it be in a location not subject to the same risk as the primary data center. The other choices are all issues that must be considered when establishing the offsite location, but they are not as critical as the location selection.

A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in: Select an answer: A. with their named account to make the changes. B. with the shared DBA account to make the changes. C. to the server administrative account to make the changes. D. to the user's account to make the changes.

You are correct, the answer is A. Logging in using the named user account before using the DBA account provides accountability by noting the person making the changes. The DBA account is typically a shared user account. The shared account makes it difficult to establish the identity of the support user who is performing the database update. The server administrative accounts are shared and may be used by multiple support users. In addition, the server privilege accounts may not have the ability to perform database changes. The use of a normal user account would not have sufficient privileges to make changes on the database.

A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in: Select an answer: A. with their named account to make the changes. B. with the shared DBA account to make the changes. C. to the server administrative account to make the changes. D. to the user's account to make the changes.

You are correct, the answer is A. Logging in using the named user account before using the DBA account provides accountability by noting the person making the changes. The DBA account is typically a shared user account. The shared account makes it difficult to establish the identity of the support user who is performing the database update. The server administrative accounts are shared and may be used by multiple support users. In addition, the server privilege accounts may not have the ability to perform database changes. The use of a normal user account would not have sufficient privileges to make changes on the database.

Network Data Management Protocol (NDMP) technology should be used for backup if: A. a network attached storage (NAS) appliance is required. B. the use of TCP/IP must be avoided. C. file permissions that cannot be handled by legacy backup systems must be backed up. D. backup consistency over several related data volumes must be ensured.

You are correct, the answer is A. NDMP defines three kind of services: 1. A data service that interfaces with the primary storage to be backed up or restored 2. A tape service that interfaces with the secondary storage (primarily a tape device) 3. A translator service performing translations including multiplexing multiple data streams into one data stream and vice versa NDMP services interact with each other. The result of this interaction is the establishment of an NDMP control session if the session is being used to achieve control for the backup or restore operation. It would result in an NDMP data session if the session is being used to transfer actual file system or volume data (including metadata). Control sessions are always TCP/IP-based, but data streams can be TCP/IP-based or storage area network (SAN)-based. NDMP is more or less network attached storage-centric (NAS-centric) and defines a way to back up and restore data from a device, such as a NAS appliance, on which it is difficult to install a backup software agent. In the absence of NDMP, these data must be backed up as a shared drive on the local area network (LAN), which is accessed via network file protocols such as Common Internet File System (CIFS) or Network File System (NFS), degrading backup performance. NDMP works on a block level for transferring payload data (file content) but metadata and traditional file system information needs to be handled by legacy backup systems that initiate NDMP data movement. NDMP does not know about nor take care of consistency issues regarding related volumes (e.g., a volume to store database files, a volume to store application server data and a volume to store web server data). NDMP can be used to do backups in such an environment (e.g., SAP), but the logic required must be either put into a dedicated piece of software or must be scripted into the legacy backup software.

The use of object-oriented design and development techniques would MOST likely: Select an answer: A. facilitate the ability to reuse modules. B. improve system performance. C. enhance control effectiveness. D. speed up the system development life cycle.

You are correct, the answer is A. One of the major benefits of object-oriented design and development is the ability to reuse modules. The other options do not normally benefit from the object-oriented technique.

The use of object-oriented design and development techniques would MOST likely: Select an answer: A. facilitate the ability to reuse modules. B. improve system performance. C. enhance control effectiveness. D. speed up the system development life cycle.

You are correct, the answer is A. One of the major benefits of object-oriented design and development is the ability to reuse modules. The other options do not normally benefit from the object-oriented technique.

A benefit of open system architecture is that it: Select an answer: A. facilitates interoperability. B. facilitates the integration of proprietary components. C. will be a basis for volume discounts from equipment vendors. D. allows for the achievement of more economies of scale for equipment.

You are correct, the answer is A. Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface with existing systems. Choices C and D are not correct.

Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process? Select an answer: A. Participating in the design of the risk management framework B. Advising on different implementation techniques C. Facilitating risk awareness training D. Performing due diligence of the risk management processes

You are correct, the answer is A. Participating in the design of the risk management framework involves designing controls, which will compromise the independence of the IS auditor to audit the risk management process. Advising on different implementation techniques will not compromise the auditor's independence because the IS auditor will not be involved in the decision-making process. Facilitating awareness training will not hamper the IS auditor's independence because the auditor will not be involved in the decision-making process. Due diligence reviews are a type of audit.

During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful: Select an answer: A. buffer overflow. B. brute force attack. C. distributed denial-of-service attack (DDoS). D. war dialing attack.

You are correct, the answer is A. Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques. A brute force attack is used to crack passwords. A DDoS attack floods its target with numerous packets, to prevent it from responding to legitimate requests. War dialing uses modem-scanning tools to hack private branch exchanges (PBXs).

Which of the following disaster recovery testing techniques is the MOST efficient way to determine the effectiveness of the plan? Select an answer: A. Preparedness tests B. Paper tests C. Full operational tests D. Actual service disruption

You are correct, the answer is A. Preparedness tests involve simulation of the entire environment (in phases) and help the team to better understand and prepare for the actual test scenario. Choices B, C and D are not cost-effective methods to obtain evidence. Paper tests in a walk-through test the entire plan, but there is no simulation and less is learned. It also is difficult to obtain evidence that the team has understood the test plan. Choice D is not recommended in most cases, and choice C would require approval from management, is not easy nor practical to test in most scenarios, and may itself trigger a disaster.

Which of the following situations would increase the likelihood of fraud? Select an answer: A. Application programmers are implementing changes to production programs. B. Application programmers are implementing changes to test programs. C. Operations support staff are implementing changes to batch schedules. D. Database administrators are implementing changes to data structures.

You are correct, the answer is A. Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data. Application programmers are required to implement changes to test programs. These are used only in development and do not directly impact the live processing of data. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database.

When installing an intrusion detection system (IDS), which of the following is MOST important? Select an answer: A. Properly locating it in the network architecture B. Preventing denial-of-service (DoS) attacks C. Identifying messages that need to be quarantined D. Minimizing the rejection errors

You are correct, the answer is A. Proper location of an IDS in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. Choices B, C and D are concerns during the configuration of an IDS, but if the IDS is not placed correctly, none of them would be adequately addressed.

Which of the following is the most important element in the design of a data warehouse? Select an answer: A. Quality of the metadata B. Speed of the transactions C. Volatility of the data D. Vulnerability of the system

You are correct, the answer is A. Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata aim to provide a table of contents to the information stored in the data warehouse. Companies that have built warehouses believe that metadata are the most important component of the warehouse.

A rapid application development (RAD) methodology has been selected to implement a new enterprise resource planning (ERP) system. All of the project activities have been assigned to the contracted consulting company because internal employees are not available. What is the IS auditor's FIRST step to compensate for the lack of resources? Select an answer: A. Review the project plan and approach. B. Ask the vendor to provide additional external staff. C. Recommend that the company hire more people. D. Stop the project until all human resources (HR) are available.

You are correct, the answer is A. Rapid methodologies require available resources with good expertise and a fast decision-making process because the plan duration is usually short. Reviewing the project plan and approach is the best recommendation to make the appropriate changes to compensate for the missing end users. Adding external people to the project will not resolve the problem because they will not be able to decide on behalf of the internal employees who are usually end users from the business side. Hiring new people will take time and does not guarantee the readiness of new hires to make appropriate decisions in this project. Stopping the project could be a good option, but reviewing the project and considering all of the aspects should be done first.

A rapid application development (RAD) methodology has been selected to implement a new enterprise resource planning (ERP) system. All of the project activities have been assigned to the contracted consulting company because internal employees are not available. What is the IS auditor's FIRST step to compensate for the lack of resources? Select an answer: A. Review the project plan and approach. B. Ask the vendor to provide additional external staff. C. Recommend that the company hire more people. D. Stop the project until all human resources (HR) are available.

You are correct, the answer is A. Rapid methodologies require available resources with good expertise and a fast decision-making process because the plan duration is usually short. Reviewing the project plan and approach is the best recommendation to make the appropriate changes to compensate for the missing end users. Adding external people to the project will not resolve the problem because they will not be able to decide on behalf of the internal employees who are usually end users from the business side. Hiring new people will take time and does not guarantee the readiness of new hires to make appropriate decisions in this project. Stopping the project could be a good option, but reviewing the project and considering all of the aspects should be done first.

For a health care organization, which one of the following reasons would MOST likely indicate that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation? Select an answer: A. There are regulations regarding data privacy. B. Member service representative training cost will be much higher. C. It is harder to monitor remote databases. D. Time zone differences could impede customer service.

You are correct, the answer is A. Regulations prohibiting the cross-border flow of personally identifiable information (PII) may make it impossible to locate a data warehouse containing customer/member information in another county. Training cost, remote database monitoring and time zone difference issues are common and manageable regardless of where the data warehouse resides.

The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through: Select an answer: A. symmetric encryption. B. message authentication code. C. hash function. D. digital signature certificates.

You are correct, the answer is A. SSL uses a symmetric key for message encryption. A message authentication code is used for ensuring data integrity. Hash function is used for generating a message digest; it does not use public key encryption for message encryption. Digital signature certificates are used by SSL for server authentication.

Which of the following activities performed by a database administrator (DBA) should be performed by a different person? Select an answer: A. Deleting database activity logs B. Implementing database optimization tools C. Monitoring database usage D. Defining backup and recovery procedures

You are correct, the answer is A. Since database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than the DBA. This is a compensating control to aid in ensuring an appropriate segregation of duties and is associated with the DBA's role. A DBA should perform the other activities as part of the normal operations.

When reviewing an organization's approved software product list, which of the following is the MOST important thing to verify? Select an answer: A. The risk associated with the use of the products is periodically assessed. B. The latest version of software is listed for each product. C. Due to licensing issues, the list does not contain open source software. D. After-hours support is offered.

You are correct, the answer is A. Since the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This may be BEST incorporated into the IT risk management process. Choices B, C and D are possible considerations but would not be the most important.

The FIRST step in a successful attack to a system would be: Select an answer: A. gathering information. B. gaining access. C. denying services. D. evading detection.

You are correct, the answer is A. Successful attacks start by gathering information about the target system. This is done in advance so that the attacker gets to know the target systems and their vulnerabilities. All of the other choices are based on the information gathered.

An IS audit department is planning to minimize its dependency on key individuals. Activities that contribute to this objective are documented procedures, knowledge sharing, cross-training, and: Select an answer: A. succession planning. B. staff job evaluation. C. responsibilities definition. D. employee award programs.

You are correct, the answer is A. Succession planning ensures that internal personnel with the potential to fill key positions in the company are identified and developed. Job evaluation is the process of determining the worth of one job in relation to that of the other jobs in a company so that a fair and equitable wage and salary system can be established. Staff responsibilities definition provides for well-defined roles and responsibilities, and employee award programs provide motivation; however, they do not minimize dependency on key individuals.

With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the: Select an answer: A. clarity and simplicity of the business continuity plans. B. adequacy of the business continuity plans. C. effectiveness of the business continuity plans. D. ability of IS and end-user personnel to respond effectively in emergencies.

You are correct, the answer is A. The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple. To evaluate adequacy, the IS auditor should review the plans and compare them to appropriate standards. To evaluate effectiveness, the IS auditor should review the results from previous tests. This is the best determination for the evaluation of effectiveness. An understanding of roles and responsibilities by key stakeholders will assist in ensuring the business continuity plan is effective. To evaluate the response, the IS auditor should review results of continuity tests. This will provide the IS auditor with assurance that target and recovery times are met. Emergency procedures and employee training need to be reviewed to determine whether the organization had implemented plans to allow for the effective response.

During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend? Select an answer: A. Implement a properly documented process for application role change requests. B. Hire additional staff to provide a segregation of duties (SoD) for application role changes. C. Implement an automated process for changing application roles. D. Document the current procedure in detail, and make it available on the enterprise intranet.

You are correct, the answer is A. The IS auditor should recommend implementation of processes that could prevent improper changes from being made to the major application roles. The application role change request process should start and be approved by the business owner; then, the IS director can make the changes to the application. While it is preferred that a strict SoD be adhered to and that additional staff be recruited according to choice B, this practice is not always possible in small enterprises. The IS auditor must look at recommended alternative processes. Choices C and D may not be practical to prevent improper changes being made by the IS director, who also has the most privileged access to the application.

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system? Select an answer: A. Three users with the ability to capture and verify their own messages B. Five users with the ability to capture and send their own messages C. Five users with the ability to verify other users and to send their own messages D. Three users with the ability to capture and verify the messages of other users and to send their own messages

You are correct, the answer is A. The ability of one individual to capture and verify messages represents an inadequate segregation, since messages can be taken as correct and as if they had already been verified.

An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing? Select an answer: A. A clause providing a "right to audit" service provider B. A clause defining penalty payments for poor performance C. Predefined service level report templates D. A clause regarding supplier limitation of liability

You are correct, the answer is A. The absence of a "right to audit" clause would potentially prevent the auditor from investigating any aspect of supplier performance moving forward, including control deficiencies, poor performance and adherence to legal requirements. This would be a major concern for the auditor since it would be difficult for the organization to assess whether the appropriate controls had been put in place. While a clear definition of penalty payment terms is desirable, not all contracts require the payment of penalties for poor performance and, when performance penalties are required, these penalties are often subject to negotiation on a case-by-case basis. As such, the absence of this information would not be as significant as choice A. Choice C is not correct because, while the inclusion of service level report templates would be desirable, as long as the requirement for service level reporting is included in the contract, the absence of predefined templates for reporting is not a significant concern. The absence of a limitation of liability clause for the service provider would, theoretically, expose the provider to unlimited liability. This would be to the advantage of the company so, while the IS auditor might highlight the absence of such a clause, it would not constitute a major concern.

Which of the following is an advantage of the top-down approach to software testing? Select an answer: A. Interface errors are identified early. B. Testing can be started before all programs are complete. C. It is more effective than other testing approaches. D. Errors in critical modules are detected sooner.

You are correct, the answer is A. The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the environment being tested. Choices B and D are advantages of the bottom-up approach to system testing.

Which of the following is an advantage of the top-down approach to software testing? Select an answer: A. Interface errors are identified early. B. Testing can be started before all programs are complete. C. It is more effective than other testing approaches. D. Errors in critical modules are detected sooner.

You are correct, the answer is A. The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the environment being tested. Choices B and D are advantages of the bottom-up approach to system testing.

Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster? Select an answer: A. The alternate facility will be available until the original information processing facility is restored. B. User management is involved in the identification of critical systems and their associated critical recovery times. C. Copies of the plan are kept at the homes of key decision-making personnel. D. Feedback is provided to management assuring them that the business continuity plans are indeed workable and that the procedures are current.

You are correct, the answer is A. The alternate facility should be made available until the original site is restored to provide the greatest assurance of recovery after a disaster. Without this assurance, the plan will not be successful. All other choices ensure prioritization or the execution of the plan.

The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed? Select an answer: A. Reliability and quality of service (QoS) B. Means of authentication C. Privacy of voice transmissions D. Confidentiality of data transmissions

You are correct, the answer is A. The company currently has a VPN; issues such as authentication and confidentiality have been implemented by the VPN using tunneling. Privacy of voice transmissions is provided by the VPN protocol. Reliability and QoS are, therefore, the primary considerations to be addressed.

What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks? Select an answer: A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized. B. The contingency plan for the organization cannot effectively test controlled access practices. C. Access cards, keys and pads can be easily duplicated allowing easy compromise of the control. D. Removing access for those who are no longer authorized is complex.

You are correct, the answer is A. The concept of piggybacking compromises all physical control established. Choice B would be of minimal concern in a disaster recovery environment. Items in choice C are not easily duplicated. Regarding choice D, while technology is constantly changing, card keys have existed for some time and appear to be a viable option for the foreseeable future.

An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a: Select an answer: A. transition clause from the old supplier to a new supplier in the case of expiration or termination. B. late payment clause between the customer and the supplier. C. contractual commitment for service improvement. D. dispute resolution procedure between the contracting parties.

You are correct, the answer is A. The delivery of IT services for a specific customer always implies a close linkage between the client and the supplier of the service. If there are no contract terms to specify how the transition to a new supplier may be performed, there is the risk that the old supplier may simply "pull the plug" if the contract expires or is terminated. This would be the greatest risk to the organization. Contractual issues regarding payment, service improvement and dispute resolution are important, but not as critical as ensuring that service disruption, data loss or other significant events occur in the event that the organization switches to a new firm providing outsourced services.

Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation? Select an answer: A. Assess the impact of patches prior to installation. B. Ask the vendors for a new software version with all fixes included. C. Install the security patch immediately. D. Decline to deal with these vendors in the future.

You are correct, the answer is A. The effect of installing the patch should be immediately evaluated and installation should occur based on the results of the evaluation. To install the patch without knowing what it might affect could easily cause problems. New software versions with all fixes included are not always available and a full installation could be time consuming. Declining to deal with vendors does not take care of the flaw.

A financial institution has recently developed and installed a new deposit system which interfaces with their customer web site and their automated teller machines (ATMs). During the project, the development team and the business continuity team maintained good communication and the business continuity plan (BCP) has been updated to include the new system. A suitable BCP test to perform at this point in time would be: Select an answer: A. using actual resources to simulate a system crash. B. a detailed paper walk-through of the plan. C. a penetration test for the web site interface application. D. performing a failover of the system at the designated secondary site.

You are correct, the answer is A. The expectation is that the basic mechanics of recovery for the new system are understood and the recovery infrastructure has been put into place. An appropriate test now would be to involve actual resources in a simulated recovery exercise. This exercise would test the new recovery infrastructure under controlled conditions. Assuming that recovery options have been actively considered during development (as they would need to be for a mission-critical system), a paper walk-through would be of limited value. A security assessment or penetration test is vital for any application exposed to the Internet, but should have been performed much earlier in the process. Choice D is not correct because performing a failover test is not adequate to assess the degree to which the organization is prepared to recover from a wider range of problems.

A financial institution has recently developed and installed a new deposit system which interfaces with their customer web site and their automated teller machines (ATMs). During the project, the development team and the business continuity team maintained good communication and the business continuity plan (BCP) has been updated to include the new system. A suitable BCP test to perform at this point in time would be: Select an answer: A. using actual resources to simulate a system crash. B. a detailed paper walk-through of the plan. C. a penetration test for the web site interface application. D. performing a failover of the system at the designated secondary site.

You are correct, the answer is A. The expectation is that the basic mechanics of recovery for the new system are understood and the recovery infrastructure has been put into place. An appropriate test now would be to involve actual resources in a simulated recovery exercise. This exercise would test the new recovery infrastructure under controlled conditions. Assuming that recovery options have been actively considered during development (as they would need to be for a mission-critical system), a paper walk-through would be of limited value. A security assessment or penetration test is vital for any application exposed to the Internet, but should have been performed much earlier in the process. Choice D is not correct because performing a failover test is not adequate to assess the degree to which the organization is prepared to recover from a wider range of problems.

When assessing the design of network monitoring controls, an IS auditor should FIRST review network: Select an answer: A. topology diagrams. B. bandwidth usage. C. traffic analysis reports. D. bottleneck locations.

You are correct, the answer is A. The first step in assessing network monitoring controls should be the review of the adequacy of network documentation, specifically topology diagrams. If this information is not up to date, then monitoring processes and the ability to diagnose problems will not be effective.

Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? Select an answer: A. Rank requirements and test in terms of importance and frequency of use. B. Test coverage should be restricted to functional requirements. C. Automate tests should be performed through the use of scripting. D. The number of required test runs should be reduced by retesting only defect fixes.

You are correct, the answer is A. The idea is to maximize the usefulness of testing by concentrating on the most important aspects of the system and, therefore, on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements because complexity tends to increase the likelihood of defects. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress, i.e., introduced errors in parts of the system that were previously working correctly. For this reason, it is a best practice to undertake formal regression testing after defect fixes have been implemented.

An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem utilizing global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corporate virtual private network (VPN) when the CIO travels outside of the office. The IS auditor should: Select an answer: A. do nothing since the inherent security features of GSM technology are appropriate. B. recommend that the CIO stop using the laptop computer until encryption is enabled. C. ensure that media access control (MAC) address filtering is enabled on the network so unauthorized wireless users cannot connect. D. suggest that two-factor authentication be used over the wireless link to prevent unauthorized communications.

You are correct, the answer is A. The inherent security features of GSM technology combined with the use of a VPN are appropriate. Choice A would be the correct answer since the confidentiality of the communication on the GSM radio link is ensured by the use of encryption and the use of a VPN signifies that an encrypted session is established between the laptop and the corporate network. GSM is a global standard for cellular telecommunications that can be used for both voice and data. Currently deployed commercial GSM technology has multiple overlapping security features which prevent eavesdropping, session hijacking or unauthorized use of the GSM carrier network. While other wireless technologies such as 802.11b wireless local area network (LAN) technologies have been designed to allow the user to adjust or even disable security settings, GSM does not allow any devices to connect to the system unless all relevant security features are active and enabled. Choice B would not be correct because, as stated above, encryption is a part of the defined GSM technology and is already in use. Choices C and D may apply to a wireless LAN, but they do not apply to a GSM network device.

An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem utilizing global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corporate virtual private network (VPN) when the CIO travels outside of the office. The IS auditor should: Select an answer: A. do nothing since the inherent security features of GSM technology are appropriate. B. recommend that the CIO stop using the laptop computer until encryption is enabled. C. ensure that media access control (MAC) address filtering is enabled on the network so unauthorized wireless users cannot connect. D. suggest that two-factor authentication be used over the wireless link to prevent unauthorized communications.

You are correct, the answer is A. The inherent security features of GSM technology combined with the use of a VPN are appropriate. Choice A would be the correct answer since the confidentiality of the communication on the GSM radio link is ensured by the use of encryption and the use of a VPN signifies that an encrypted session is established between the laptop and the corporate network. GSM is a global standard for cellular telecommunications that can be used for both voice and data. Currently deployed commercial GSM technology has multiple overlapping security features which prevent eavesdropping, session hijacking or unauthorized use of the GSM carrier network. While other wireless technologies such as 802.11b wireless local area network (LAN) technologies have been designed to allow the user to adjust or even disable security settings, GSM does not allow any devices to connect to the system unless all relevant security features are active and enabled. Choice B would not be correct because, as stated above, encryption is a part of the defined GSM technology and is already in use. Choices C and D may apply to a wireless LAN, but they do not apply to a GSM network device.

In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether: Select an answer: A. there is an integration of IS and business personnel within projects. B. there is a clear definition of the IS mission and vision. C. a strategic information technology planning methodology is in place. D. the plan correlates business objectives to IS goals and objectives.

You are correct, the answer is A. The integration of IS and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan. Choices B, C and D are areas covered by a strategic plan.

Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption? Select an answer: A. Computation speed B. Ability to support digital signatures C. Simpler key distribution D. Greater strength for a given key length

You are correct, the answer is A. The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was first independently suggested by Neal Koblitz and Victor S. Miller. Both encryption methods support digital signatures and are used for public key encryption and distribution. However, a stronger key per se does not necessarily guarantee better performance, but rather the actual algorithm employed.

An IS auditor should be concerned when a telecommunication analyst: Select an answer: A. monitors systems performance and tracks problems resulting from program changes. B. reviews network load requirements in terms of current and future transaction volumes. C. assesses the impact of the network load on terminal response times and network data transfer rates. D. recommends network balancing procedures and improvements.

You are correct, the answer is A. The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes (choice B), assessing the impact of network load or terminal response times and network data transfer rates (choice C), and recommending network balancing procedures and improvements (choice D). Monitoring systems performance and tracking problems as a result of program changes (choice A) would put the analyst in a self-monitoring role.

Which of the following would have the HIGHEST priority in a business continuity plan (BCP)? Select an answer: A. Resuming critical processes B. Recovering sensitive processes C. Restoring the site D. Relocating operations to an alternative site

You are correct, the answer is A. The resumption of critical processes has the highest priority as it enables business processes to begin immediately after the interruption and not later than the declared mean time between failure (MTBF). Recovery of sensitive processes refers to recovering the vital and sensitive processes that can be performed manually at a tolerable cost for an extended period of time and those that are not marked as high priority. Repairing and restoring the site to original status and resuming the business operations are time consuming operations and are not the highest priority. Relocating operations to an alternative site, either temporarily or permanently depending on the interruption, is a time consuming process; moreover, relocation may not be required.

When evaluating IT outsourcing strategies, an IS auditor should be MOST concerned if which of the following elements is part of the strategy? Select an answer: A. Transfer of legal compliance responsibility B. Promoting long-term contracts rather than short-term contracts C. Use of only subsidiary companies for outsourcing D. Not forming a cross-functional contract management team

You are correct, the answer is A. The ultimate responsibility to comply with all applicable laws and regulations lies with the company that is outsourcing or contracting the service, not with the external service provider. Therefore, transferring such responsibility is neither feasible nor in the best interest of the company. While each of the choices may be an issue, an IS auditor should be most concerned if the strategy is to transfer an organization's legal compliance responsibility.

When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining which of the following network documentation? Select an answer: A. Wiring and schematic diagram B. Users' lists and responsibilities C. Application lists and their details D. Backup and recovery procedures

You are correct, the answer is A. The wiring and schematic diagram of the network is necessary to carry out a network audit. A network audit may not be feasible if a network wiring and schematic diagram is not available. All other documents are important but not necessary.

Sharing risk is a key factor in which of the following methods of managing risk? Select an answer: A. Transferring risk B. Tolerating risk C. Terminating risk D. Treating risk

You are correct, the answer is A. Transferring risk (e.g., by taking an insurance policy) is a way to share risk. Tolerating risk means that the risk is accepted, but not shared. Terminating risk is unlikely to involve sharing the risk because some risk will remain. Treating or controlling the risk may involve sharing the risk, but it is not a key feature.

An IS auditor is reviewing the expansion plans for an organization which is opening a new office about 80 meters away from their existing facility. The plan is to implement fiber-optic cabling within the new facility and it has been determined that a 100-meter, Category 5 (Cat 5), unshielded twisted-pair (UTP) cable can be installed to provide the connectivity between both buildings. What is the PRIMARY risk that the IS auditor should identify with this expansion plan? Select an answer: A. The link between buildings may not meet the long-term business requirements. B. The fiber-optic cabling will be expensive to install and maintain. C. The implementation plan may not be achievable. D. The new building is too close to the existing facility (a single disaster could destroy both sites).

You are correct, the answer is A. Using Cat 5 UTP cabling for the link between the two buildings may meet short-term bandwidth requirements but, over time, additional new requirements may drive the need for more bandwidth that may not be delivered over UTP. The Cat 5 UTP can deliver an effective bandwidth of 100 Mbs within a 100-meter range. Fiber-optic cable would be the best choice for this solution. Fiber-optic cable is difficult and expensive to install; however, the cost incurred by using fiber-optic cable does not present as significant a risk compared with the use of UTP cable for the link between buildings. Based on the scenario given, there is no issue with respect to the plan being achievable. The new building is very close to the old one and the risk that a disaster could destroy both buildings is real, and potentially significant, but not very likely.

An IS auditor is reviewing the expansion plans for an organization which is opening a new office about 80 meters away from their existing facility. The plan is to implement fiber-optic cabling within the new facility and it has been determined that a 100-meter, Category 5 (Cat 5), unshielded twisted-pair (UTP) cable can be installed to provide the connectivity between both buildings. What is the PRIMARY risk that the IS auditor should identify with this expansion plan? Select an answer: A. The link between buildings may not meet the long-term business requirements. B. The fiber-optic cabling will be expensive to install and maintain. C. The implementation plan may not be achievable. D. The new building is too close to the existing facility (a single disaster could destroy both sites).

You are correct, the answer is A. Using Cat 5 UTP cabling for the link between the two buildings may meet short-term bandwidth requirements but, over time, additional new requirements may drive the need for more bandwidth that may not be delivered over UTP. The Cat 5 UTP can deliver an effective bandwidth of 100 Mbs within a 100-meter range. Fiber-optic cable would be the best choice for this solution. Fiber-optic cable is difficult and expensive to install; however, the cost incurred by using fiber-optic cable does not present as significant a risk compared with the use of UTP cable for the link between buildings. Based on the scenario given, there is no issue with respect to the plan being achievable. The new building is very close to the old one and the risk that a disaster could destroy both buildings is real, and potentially significant, but not very likely.

A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the corresponding products are produced? Select an answer: A. Verifying production to customer orders B. Logging all customer orders in the ERP system C. Using hash totals in the order transmitting process D. Approving (production supervisor) orders prior to production

You are correct, the answer is A. Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processing centrally. Production supervisory approval is a time consuming, manual process that does not guarantee proper control.

An IS auditor observes that one of the servers on the perimeter network is running a vulnerable operating system. What is the MOST likely implication due to the existence of a system vulnerability? Select an answer: A. The server is susceptible to an attack. B. An attack will occur. C. A control must be designed as a countermeasure. D. The likelihood of threats will increase.

You are correct, the answer is A. Vulnerabilities, if not addressed, leave the server at a risk of being attacked. The existence of a vulnerability does not automatically imply that an attack will occur. A control may be designed only if it would be cost-effective. The existence of a vulnerability does not increase the likelihood of threats to a system.

During maintenance of a relational database, several values of the foreign key in a transaction table have been corrupted. The consequence is that: Select an answer: A. the detail of involved transactions may no longer be associated with master data, causing errors when these transactions are processed. B. there is no way of reconstructing the lost information, except by deleting the dangling tuples and reentering the transactions. C. the database will immediately stop execution and lose more information. D. the database will no longer accept input data.

You are correct, the answer is A. When the external key of a transaction is corrupted or lost, the application system will normally be incapable of directly attaching the master data to the transaction data. This will normally cause the system to undertake a sequential search and slow down the processing. If the concerned files are big, this slowdown will be unacceptable. Choice B is incorrect since a system can recover the corrupted external key by reindexing the table. Choices C and D would not result from a corrupted foreign key.

Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration? Select an answer: A. Function point analysis B. Program evaluation review technique (PERT) chart C. Rapid application development D. Object-oriented system development

You are correct, the answer is B. A PERT chart will help determine project duration once all the activities and the work involved with those activities are known. Function point analysis is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries, logical internal files, etc. While this will help determine the size of individual activities, it will not assist in determining project duration since there are many overlapping tasks. Rapid application development is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality, while object-oriented system development is the process of solution specification and modeling.

During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next? Select an answer: A. Recommend redesigning the change management process. B. Gain more assurance on the findings through root cause analysis. C. Recommend that program migration be stopped until the change process is documented. D. Document the finding and present it to management.

You are correct, the answer is B. A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management.

Which of the following data validation edits is effective in detecting transposition and transcription errors? Select an answer: A. Range check B. Check digit C. Validity check D. Duplicate check

You are correct, the answer is B. A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered, e.g., an incorrect, but valid, value substituted for the original. This control is effective in detecting transposition and transcription errors. A range check is checking data that matches a predetermined range of values. A validity check is programmed checking of the data validity in accordance with predetermined criteria. In a duplicate check, new or fresh transactions are matched to those previously entered to ensure that they are not already in the system.

Before implementing an IT balanced scorecard (BSC), an organization must: Select an answer: A. deliver effective and efficient services. B. define key performance indicators. C. provide business value to IT projects. D. control IT expenses.

You are correct, the answer is B. A definition of key performance indicators is required before implementing an IT BSC. Choices A, C and D are objectives.

Two-factor authentication can be circumvented through which of the following attacks? A. Denial-of-service B. Man-in-the-middle C. Key logging D. Brute force

You are correct, the answer is B. A man-in-the-middle attack is similar to piggybacking, in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions after authentication has been accepted. A denial-of-service attack does not have a relationship to authentication. Key logging and brute force could circumvent a normal authentication but not a two-factor authentication.

A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment? Select an answer: A. Reviewing logs frequently B. Testing and validating the rules C. Training a local administrator at the new location D. Sharing firewall administrative duties

You are correct, the answer is B. A mistake in the rule set can render a firewall insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment. A regular review of log files would not start until the deployment has been completed. Training a local administrator may not be necessary if the firewalls are managed from a central location. Having multiple administrators is a good idea, but not the most important.

An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan? Select an answer: A. Full operational test B. Preparedness test C. Paper test D. Regression test

You are correct, the answer is B. A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for disaster recovery. A paper test is a structured walk-through of the disaster recovery plan and should be conducted before a preparedness test. A full operational test is conducted after the paper and preparedness test. A regression test is not a disaster recovery plan test and is used in software maintenance.

A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern? Select an answer: A. Acceptance testing is to be managed by users. B. A quality plan is not part of the contracted deliverables. C. Not all business functions will be available on initial implementation. D. Prototyping is being used to confirm that the system meets business requirements.

You are correct, the answer is B. A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and include which business functions will be included and when. Acceptance is normally managed by the user area, since they must be satisfied that the new system will meet their requirements. If the system is large, a phased-in approach to implementing the application is a reasonable approach. Prototyping is a valid method of ensuring that the system will meet business requirements.

For a mission-critical application with a low recovery time objective (RTO), the IS auditor would recommend the use of which of the following recovery strategies? A. Mobile site B. Redundant site C. Hot site D. Reciprocal agreements

You are correct, the answer is B. A redundant site contains either duplicate mirror facilities that are online at all times or computing facilities of a reduced capacity that can process at the acceptable service delivery objective (SDO) requirement. The data are live—there are no delays waiting for files to be restored. This site is in full operation and able to take over processing within seconds or minutes. The mobile site is usually a trailer, configured so that it is equivalent to the level of a hot or warm site, which means that its recovery time is between hours and days. A hot site is similar to a redundant site except that it is offline when not in use. Data files will take several hours to load from backup tapes before the system can go live. A hot site is, therefore, capable of being in operation within hours. Reciprocal agreements are traditionally both unenforceable and unrealistic, and because of this, the time of recovery is not very fast, if possible at all.

Which of the following BEST describes the purpose of performing a risk assessment in the planning phase of an IS audit? Select an answer: A. To establish adequate staffing requirements to complete the IS audit B. To provide reasonable assurance that all material items will be addressed C. To determine the knowledge required to perform the IS audit D. To develop the audit program and procedures to perform the IS audit

You are correct, the answer is B. A. A risk assessment does not directly influence staffing requirements. B. A risk assessment helps focus the audit procedures on the highest risk areas included in the scope of the audit. The concept of reasonable assurance is important as well. C. A risk assessment does not identify the knowledge required to perform an IS audit. D. A risk assessment does not result in the development of the audit program and procedures.

The goal of IT risk analysis is to: Select an answer: A. enable the alignment of IT risk management with enterprise risk management (ERM). B. enable the prioritization of risk responses. C. satisfy legal and regulatory compliance requirements. D. identify known threats and vulnerabilities to information assets.

You are correct, the answer is B. A. Aligning IT risk management with ERM is important to ensure the cost-effectiveness of the overall risk management process. However, risk analysis does not enable such an alignment. B. Risk analysis is a process by which the likelihood and magnitude of IT risk scenarios are estimated. Risk analysis is conducted to ensure that the information assets with the greatest risk likelihood and impact are managed before addressing risk with a lower likelihood and impact. Prioritization of IT risk helps maximize return on investment for risk responses. C. Risk analysis evaluates risk on the basis of likelihood and impact and includes financial, environmental, regulatory and other risk. It looks at regulatory risk as one type of risk that the organization faces, but is not specifically designed to satisfy legal and regulatory compliance requirements. D. Risk analysis occurs after risk identification and evaluation. Risk identification determines known threats and vulnerabilities. Risk evaluation assesses the risk and creates valid risk scenarios. Risk analysis quantifies risk along the vectors of likelihood and impact to facilitate the prioritization of risk responses.

Which of the following BEST mitigates the risk of backup media containing irreplaceable information being lost or stolen while in transit? Select an answer: A. Ensure that media are encrypted. B. Maintain a duplicate copy. C. Maintain chain of custody. D. Ensure that personnel are bonded.

You are correct, the answer is B. A. Although strong encryption protects against disclosure, it will not mitigate the loss of irreplaceable data. B. Sensitive data should always be fully backed up before being transmitted or moved. Backups of sensitive information should be treated with the same control considerations as the actual data. C. Chain of custody is an important control, but it will not mitigate a loss if a locked area is broken into and media removed or if media are lost while in an individual's custody. D. Bonded security, although good for preventing theft, will not protect against accidental loss or destruction.

Which of the following recovery strategies is MOST appropriate if the recovery time objective (RTO) is high? Select an answer: A. Warm site B. Cold site C. Hot site D. Mobile site

You are correct, the answer is B. A. If the RTO is high, it is financially reckless to use a warm site. B. If the RTO is high, then the acceptable downtime is high. A cold site will be appropriate in such situations. C. If the RTO is high a hot site is not suitable. It should be used only when the RTO is low. D. A mobile site is more expensive than a cold site. Choosing a mobile site when the RTO is high does not reflect good financial sense.

An e-commerce organization with a complex technological environment has numerous concurrent projects. This often results in production system changes. What is the MOST suitable approach to managing system changes so that system outages are minimized? Select an answer: A. Prioritize changes with a low technical risk. B. Coordinate release management across projects and systems. C. Automate migration of code from test to production libraries. D. Defer changes to customer systems to quieter trading periods.

You are correct, the answer is B. A. This is acceptable as a short-term strategy. However, more complex changes cannot be deferred indefinitely and need to be managed effectively, particularly if being introduced by multiple development initiatives. Care also needs to be taken that individual projects do not manipulate risk assessments to suit their own development timetable. B. Coordinated release management across projects and systems is a suitable strategy to employ in a complicated, dynamic system environment. Under this option, changes are packaged into releases that are implemented according to a predetermined schedule. Determining what changes are included in a release can be done in accordance with business and technical priorities. With release management, the emphasis is on coordinating changes stemming from multiple sources that impact multiple interconnected systems. This approach should lower technical risk and reduce the potential for system outage. C. Automating code movement is good practice. However, it does not address the fundamental issue of coordinating concurrent changes from multiple sources that impact multiple systems. D. Deferring changes to customer systems is not as comprehensive an approach as coordinated release management. The external usage environment could be a consideration when packaging changes into a release and scheduling release implementation. While there may be reasons to implement changes during quieter business periods (or at least to avoid known high-stress periods such as holidays), at other times there may be business imperatives for implementing customer system changes as quickly as possible.

The MOST effective method to permanently remove sensitive data from magnetic media is: Select an answer: A. reformatting. B. degaussing. C. deleting data. D. overwriting.

You are correct, the answer is B. A. Unless it is low-level formatting repeated a number of times, it is not certain that all traces of data are destroyed. This method is inefficient. B. Degaussing is the application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media. It is a standard approach for removing data from magnetic material quickly and is efficient, but may render the media unusable. C. Deleting data in most file structures merely marks the file header as available and does not destroy the data. D. Overwriting a number of times may successfully destroy the data, but there may still be sensitive information in the slack space. This method suffers the same inefficiency as low-level formatting.

An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor? Select an answer: A. A login screen is not displayed for guest users. B. The guest network is not segregated from the production network. C. Guest users who are logged in are not isolated from each other. D. A single factor authentication technique is used to grant access.

You are correct, the answer is B. A. Using a web captive portal, which displays a login screen in the user's web browser, is a best practice to authenticate guests. However, if the guest network is not segregated from the production network, users could introduce malware and potentially gain inappropriate access to systems and information. B. The implication of this is that guests have access to the organization's network. Allowing untrusted users to connect to the organization's network could introduce malware and potentially allow these individuals inappropriate access to systems and information. C. There are certain platforms in which it is allowable for guests to interact with one another. Also, guests could be warned to use only secured systems and a policy covering interaction among guests could be created. D. Although a multifactor authentication technique is preferred, a single-factor authentication method should be adequate if properly implemented.

An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor? Select an answer: A. A login screen is not displayed for guest users. B. The guest network is not segregated from the production network. C. Guest users who are logged in are not isolated from each other. D. A single factor authentication technique is used to grant access.

You are correct, the answer is B. A. Using a web captive portal, which displays a login screen in the user's web browser, is a best practice to authenticate guests. However, if the guest network is not segregated from the production network, users could introduce malware and potentially gain inappropriate access to systems and information. B. The implication of this is that guests have access to the organization's network. Allowing untrusted users to connect to the organization's network could introduce malware and potentially allow these individuals inappropriate access to systems and information. C. There are certain platforms in which it is allowable for guests to interact with one another. Also, guests could be warned to use only secured systems and a policy covering interaction among guests could be created. D. Although a multifactor authentication technique is preferred, a single-factor authentication method should be adequate if properly implemented.

Which of the following BEST indicates that a business continuity plan (BCP) will function as intended in the event of a disaster? Select an answer: A. Enforced procedures for regular plan updates B. A tabletop exercise with disaster scenarios C. A comprehensive reciprocal agreement D. Long-haul diversity and last-mile redundancy

You are correct, the answer is B. A. While recovery plans should be kept current, the use of a tabletop exercise to test the plan is a better option because it involves people and processes. B. A tabletop exercise is used to test the effectiveness of a BCP without the interruption of a full-scale drill. The test team walks through a simulated disaster to determine whether the plan will work as designed. Of the options given, a tabletop exercise is the best way to ensure that the BCP will function as intended without live testing to reveal plan deficiencies. C. Reciprocal agreements will specify the conditions among counterparties for sharing facilities in case of disaster, but provide no assurance plans that the BCPs will work. D. Long-haul diversity and last-mile redundancy are important considerations for business continuity planning, but by themselves are insufficient to ensure that the plans will work.

Which of the following BEST indicates that a business continuity plan (BCP) will function as intended in the event of a disaster? Select an answer: A. Enforced procedures for regular plan updates B. A tabletop exercise with disaster scenarios C. A comprehensive reciprocal agreement D. Long-haul diversity and last-mile redundancy

You are correct, the answer is B. A. While recovery plans should be kept current, the use of a tabletop exercise to test the plan is a better option because it involves people and processes. B. A tabletop exercise is used to test the effectiveness of a BCP without the interruption of a full-scale drill. The test team walks through a simulated disaster to determine whether the plan will work as designed. Of the options given, a tabletop exercise is the best way to ensure that the BCP will function as intended without live testing to reveal plan deficiencies. C. Reciprocal agreements will specify the conditions among counterparties for sharing facilities in case of disaster, but provide no assurance plans that the BCPs will work. D. Long-haul diversity and last-mile redundancy are important considerations for business continuity planning, but by themselves are insufficient to ensure that the plans will work.

Which of the following is MOST important when an operating system (OS) patch is to be applied to a production environment? Select an answer: A. Successful regression testing by the developer B. Approval from the information asset owner C. Approval from the security officer D. Patch installation at alternate sites

You are correct, the answer is B. A. While testing is important for any patch, in this case it should be assumed that the OS vendor tested the patch before releasing it. Before this OS patch is put into production, the organization should do system testing to ensure that no issues will occur. B. It is most important that information owners approve any changes to production systems in order to ensure that no serious business disruption takes place as the result of the patch release. C. The security officer does not normally need to approve every OS patch. D. Security patches need to be deployed consistently across the organization, including alternate sites. However, approval from the information asset owner is still the most important consideration.

An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should: Select an answer: A. apply the patch according to the patch's release notes. B. ensure that a good change management process is in place. C. thoroughly test the patch before sending it to production. D. approve the patch after doing a risk assessment.

You are correct, the answer is B. An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good change management process but are not an IS auditor's responsibility.

An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should: Select an answer: A. apply the patch according to the patch's release notes. B. ensure that a good change management process is in place. C. thoroughly test the patch before sending it to production. D. approve the patch after doing a risk assessment.

You are correct, the answer is B. An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good change management process but are not an IS auditor's responsibility.

Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of: Select an answer: A. pre-BPR process flowcharts. B. post-BPR process flowcharts. C. BPR project plans. D. continuous improvement and monitoring plans.

You are correct, the answer is B. An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process. Choice A is incorrect because an IS auditor must review the process as it is today, not as it was in the past. Choices C and D are incorrect because they are steps within a BPR project.

Which of the following is an advantage of an integrated test facility (ITF)? Select an answer: A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction. B. Periodic testing does not require separate test processes. C. It validates application systems and tests the ongoing operation of the system. D. The need to prepare test data is eliminated.

You are correct, the answer is B. An ITF creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.

An IS auditor at a bank is performing compliance testing and has discovered that one of the branches has virus signatures that have not been updated in over six months. In this case, the IS auditor should recommend: Select an answer: A. security awareness and education regarding the importance of updating antivirus software. B. an automated process initiated from the main office to update antivirus software at each branch. C. reconfiguration of the firewall to a most-restrictive policy and implementation of an intrusion prevention system (IPS). D. that the branch recertify the machines after the updates are installed.

You are correct, the answer is B. An automated process is a holistic solution across the branches. While security awareness and education are important, they would not resolve the issue of the outdated signatures. Reconfiguration of the firewall and implementation of an IPS are good security practices; however, they do not relate to finding outdated virus signatures. Recertifying the machines at the branch with the outdated signatures is an appropriate first step, but it is not a holistic solution.

An IS auditor at a bank is performing compliance testing and has discovered that one of the branches has virus signatures that have not been updated in over six months. In this case, the IS auditor should recommend: Select an answer: A. security awareness and education regarding the importance of updating antivirus software. B. an automated process initiated from the main office to update antivirus software at each branch. C. reconfiguration of the firewall to a most-restrictive policy and implementation of an intrusion prevention system (IPS). D. that the branch recertify the machines after the updates are installed.

You are correct, the answer is B. An automated process is a holistic solution across the branches. While security awareness and education are important, they would not resolve the issue of the outdated signatures. Reconfiguration of the firewall and implementation of an IPS are good security practices; however, they do not relate to finding outdated virus signatures. Recertifying the machines at the branch with the outdated signatures is an appropriate first step, but it is not a holistic solution.

An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site are transferred to both the delivery and accounting systems? Select an answer: A. Transaction totals are recorded on a daily basis in the sales systems. Daily sales system totals are aggregated and totaled. B. Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for. C. Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected. D. System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp.

You are correct, the answer is B. Automatic numerical sequencing is the only option that accounts for completeness of transactions because any missing transactions would be identified by a gap. Totaling transactions on the sales system does not address the transfer of data from the online systems to the accounting system, but rather considers only the accounting system. Checking for duplicates is a valid control; however, it does not address whether the sales transactions processed are complete (ensuring that all transactions are recorded). A date/time stamp does not help account for transactions that are missing or incomplete by the accounting and delivery department.

Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card? Select an answer: A. Intrusion detection systems B. Data mining techniques C. Firewalls D. Packet filtering routers

You are correct, the answer is B. Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card.

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as: Select an answer: A. rules. B. decision trees. C. semantic nets. D. dataflow diagrams.

You are correct, the answer is B. Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as: Select an answer: A. rules. B. decision trees. C. semantic nets. D. dataflow diagrams.

You are correct, the answer is B. Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.

When developing a security architecture, which of the following steps should be executed FIRST? Select an answer: A. Developing security procedures B. Defining a security policy C. Specifying an access control methodology D. Defining roles and responsibilities

You are correct, the answer is B. Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. The other choices should be executed only after defining a security policy.

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk? Select an answer: A. Inherent B. Detection C. Control D. Business

You are correct, the answer is B. Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Inherent risk is not usually affected by an IS auditor. Control risk can be mitigated by the actions of the company's management. Business risk is usually not directly affected by an IS auditor.

Digital signatures require the: Select an answer: A. signer to have a public key and the receiver to have a private key. B. signer to have a private key and the receiver to have a public key. C. signer and receiver to have a public key. D. signer and receiver to have a private key.

You are correct, the answer is B. Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The digital signature standard is a public key algorithm. This requires the signer to have a private key and the receiver to have a public key.

During which of the following phases in system development would user acceptance test plans normally be prepared? Select an answer: A. Feasibility study B. Requirements definition C. Implementation planning D. Postimplementation review

You are correct, the answer is B. During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure it meets their stated needs. The feasibility study is too early for such detailed user involvement, and the implementation planning and postimplementation review phases are too late. An IS auditor should know at what point user testing should be planned to ensure it is most effective and efficient.

During which of the following phases in system development would user acceptance test plans normally be prepared? Select an answer: A. Feasibility study B. Requirements definition C. Implementation planning D. Postimplementation review

You are correct, the answer is B. During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure it meets their stated needs. The feasibility study is too early for such detailed user involvement, and the implementation planning and postimplementation review phases are too late. An IS auditor should know at what point user testing should be planned to ensure it is most effective and efficient.

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)? Select an answer: A. Function point analysis (FPA) B. Earned value analysis (EVA) C. Cost budget D. Program Evaluation and Review Technique (PERT)

You are correct, the answer is B. EVA is an industry standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed to determine if the cost, schedule and work accomplished are progressing in accordance with the plan. EVA works most effectively if a well-formed work breakdown structure exists. FPA is an indirect measure of software size and complexity and, therefore, does not address the elements of time and budget. Cost budgets do not address time. PERT aids in time and deliverables management, but lacks projections for EACs and overall financial management.

The MAIN purpose of a transaction audit trail is to: Select an answer: A. reduce the use of storage media. B. determine accountability and responsibility for processed transactions. C. help an IS auditor trace transactions. D. provide useful information for capacity planning.

You are correct, the answer is B. Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. Enabling audit trails increases the use of disk space. A transaction log file would be used to trace transactions, but would not aid in determining accountability and responsibility. The objective of capacity planning is the efficient and effective use of IT resources and requires information such as CPU utilization, bandwidth, number of users, etc.

An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings? Select an answer: A. System configuration values imported to a spreadsheet by the system administrator B. Standard report with configuration values spooled from the system by the IS auditor C. Dated screenshot of the system configuration settings made available by the system administrator D. Annual review of approved system configuration values by the business owner

You are correct, the answer is B. Evidence obtained directly from the source by an IS auditor is more reliable than information provided by a system administrator or a business owner because the IS auditor does not have a vested interest in the outcome of the audit. Evidence provided that is not system-generated information could be modified before it is presented to an IS auditor, and therefore it may not be as reliable as evidence obtained by the IS auditor. For example, a system administrator could change the settings or modify the graphic image before taking a screenshot. The annual review provided by a business owner may not reflect current information.

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that: Select an answer: A. assessment of the situation may be delayed. B. execution of the disaster recovery plan could be impacted. C. notification of the teams might not occur. D. potential crisis recognition might be ineffective.

You are correct, the answer is B. Execution of the business continuity plan would be impacted if the organization does not know when to declare a crisis. Choices A, C and D are steps that must be performed to know whether to declare a crisis. Problem and severity assessment would provide information necessary in declaring a disaster. Once a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying this step until a disaster has been declared would negate the effect of having response teams. Potential crisis recognition is the first step in responding to a disaster.

Which of the following insurance types provide for a loss arising from fraudulent acts by employees? Select an answer: A. Business interruption B. Fidelity coverage C. Errors and omissions D. Extra expense

You are correct, the answer is B. Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees. Business interruption insurance covers the loss of profit due to the disruption in the operations of an organization. Errors and omissions insurance provides legal liability protection in the event that the professional practitioner commits an act that results in financial loss to a client. Extra expense insurance is designed to cover the extra costs of continuing operations following a disaster/disruption within an organization.

The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation? Select an answer: A. Test data B. Generalized audit software C. Integrated test facility D. Embedded audit module

You are correct, the answer is B. Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made. Test data would test for the existence of controls that might prevent overpayments, but it would not detect specific, previous miscalculations. Neither an integrated test facility nor an embedded audit module would detect errors for a previous period.

The MOST likely explanation for a successful social engineering attack is: Select an answer: A. that computers make logic errors. B. that people make judgment errors. C. the computer knowledge of the attackers. D. the technological sophistication of the attack method.

You are correct, the answer is B. Humans make errors in judging others; they may trust someone when, in fact, the person is untrustworthy. Driven by logic, computers make the same error every time they execute the erroneous logic; however, this is not the basic argument in designing a social engineering attack. Generally, social engineering attacks do not require technological expertise; often, the attacker is not proficient in information technology or systems. Social engineering attacks are human-based and generally do not involve complicated technology.

An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation? Select an answer: A. Log all table update transactions. B. Implement integrity constraints in the database. C. Implement before and after image reporting. D. Use tracing and tagging.

You are correct, the answer is B. Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, which prevents any undefined data from being entered. Logging all table update transactions provides audit trails and is a detective control. Before and after image reporting makes it possible to trace the impact that transactions have on computer records and is a detective control. Tracing and tagging is used to test application systems and controls, but is not a preventive control that can avoid out-of-range data.

An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST: Select an answer: A. expand the scope of the IS audit to include the devices that are not on the network diagram. B. evaluate the impact of the undocumented devices on the audit scope. C. note a control deficiency because the network diagram has not been updated. D. plan follow-up audits of the undocumented devices.

You are correct, the answer is B. In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated—for example, the network layer, cross connections, etc. It is important that the IS auditor does not immediately assume that everything on the network diagram provides information about the risk affecting a network/system. There is a process in place for documenting and updating the network diagram. In this case, there is simply a mismatch in timing between the completion of the approval process and when the IS audit began. There is no control deficiency to be reported. Planning for follow-up audits of the undocumented devices is contingent on the risk that the undocumented devices have on the ability of the entity to meet the audit scope.

Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects? Select an answer: A. Increase the time allocated for system testing. B. Implement formal software inspections. C. Increase the development staff. D. Require the sign-off of all project deliverables.

You are correct, the answer is B. Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction as less rework is involved. Allowing more time for testing may discover more defects; however, little is revealed as to why the quality problems are occurring and the cost of the extra testing, and the cost of rectifying the defects found will be greater than if they had been discovered earlier in the development process. The ability of the development staff can have a bearing on the quality of what is produced; however, replacing staff can be expensive and disruptive, and the presence of a competent staff cannot guarantee quality in the absence of effective quality management processes. Sign-off of deliverables may help detect defects if signatories are diligent about reviewing deliverable content; however, this is difficult to enforce. Deliverable reviews normally do not go down to the same level of detail as software inspections.

In auditing a database environment, an IS auditor will be MOST concerned if the database administrator (DBA) is performing which of the following functions? Select an answer: A. Performing database changes according to change management procedures B. Installing patches or upgrades to the operating system C. Sizing table space and consulting on table join limitations D. Performing backup and recovery procedures

You are correct, the answer is B. Installing patches or upgrades to the operating system is a function that should be performed by a systems administrator, not by a DBA. If a DBA were performing this function, there would be a risk based on inappropriate segregation of duties. The other options are the normal duties of the DBA and would not be a cause for concern.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server? Select an answer: A. Manually copy files to accomplish replication. B. Review changes in the software version control system. C. Ensure that developers do not have access to the backup server. D. Review the access control log of the backup server.

You are correct, the answer is B. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Even if replication may be conducted manually with due care, there still remains a risk to copying unauthorized software from one server to another. If unauthorized code were introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.

An IS auditor finds that a database administrator (DBA) has read and write access to production data. The IS auditor should: Select an answer: A. accept the DBA access as a common practice. B. assess the controls relevant to the DBA function. C. recommend the immediate revocation of the DBA access to production data. D. review user access authorizations approved by the DBA.

You are correct, the answer is B. It is good practice when finding a potential exposure to look for the best controls. Although granting access to production data to the DBA may be a common practice, the IS auditor should evaluate the relevant controls. The DBA should have access based on a need-to-know and need-to-do basis; therefore, revocation may remove the access required. The DBA, typically, may need to have access to some production data. Granting user authorizations is the responsibility of the data owner and not the DBA.

Which of the following is the MOST important requirement for the successful testing of a disaster recovery plan (DRP)? Select an answer: A. Participation by all of the identified resources B. Management approval of the testing scenario C. Advance notice for all of the impacted employees D. IT management approval of the testing scenario

You are correct, the answer is B. Management approval of the testing scenario would help to ensure both that the test exercise was relevant and in alignment with business requirements. Obtaining management buy-in for the testing is critical to the success of the disaster recovery testing. Choice A is not correct because a DRP should be flexible enough to adapt to use of whatever personnel are available. Choice C is not correct because advance notice for the impacted employees is not necessarily required if the testing exercise is not expected to create service disruptions or other issues. Choice D is not correct because a testing scenario approved by business management approval is more likely to reflect the needs of the business. IT management may select a testing scenario more focused on IT priorities, which may be less effective.

Naming conventions for system resources are important for access control because they: Select an answer: A. ensure that resource names are not ambiguous. B. reduce the number of rules required to adequately protect resources. C. ensure that user access to resources is clearly and uniquely identified. D. ensure that internationally recognized names are used to protect resources.

You are correct, the answer is B. Naming conventions for system resources are important for the efficient administration of security controls. The conventions can be structured, so resources beginning with the same high-level qualifier can be governed by one or more generic rules. This reduces the number of rules required to adequately protect resources, which in turn facilitates security administration and maintenance efforts. Reducing the number of rules required to protect resources allows for the grouping of resources and files by application, which makes it easier to provide access. Ensuring that resource names are not ambiguous cannot be achieved through the use of naming conventions. Ensuring the clear and unique identification of user access to resources is handled by access control rules, not naming conventions. Internationally recognized names are not required to control access to resources. Naming conventions tend to be based on how each organization wants to identify its resources.

Which of the following message services provides the STRONGEST evidence that a specific action has occurred? Select an answer: A. Proof of delivery B. Nonrepudiation C. Proof of submission D. Message origin authentication

You are correct, the answer is B. Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation services are similar to their weaker proof counterparts, i.e., proof of submission, proof of delivery and message origin authentication. However, nonrepudiation provides stronger evidence because the proof can be demonstrated to a third party. Digital signatures are used to provide nonrepudiation. Message origination authentication will only confirm the source of the message and does not confirm the specific action that has been completed.

An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following would be the GREATEST concern? Select an answer: A. System administrators use shared accounts which never expire at the hot site. B. Disk space utilization data is not kept current. C. Physical security controls at the hot site are less robust than at the main site. D. Servers at the hot site do not have the same specifications as at the main site.

You are correct, the answer is B. Not knowing how much disk space is in use and therefore how much is needed at the disaster recovery site could create major issues in the case of a disaster. While it is not a best practice for security administrators to share accounts that do not expire, the greater risk in this scenario would be running out of disk space. Physical security controls are important and this would be a concern, but the more important concern would be running out of disk space. The particular physical characteristic of the disaster recovery site may call for different controls that may appear to be less robust than the main site; however, such a risk could be addressed through policy and procedures or by adding additional personnel if needed. As long as the servers at the hot site are capable of running the programs that are required in a disaster recovery situation, the precise capabilities of the servers at the hot site is not a major risk. It is necessary to ensure that software configuration and settings match the servers at the main site, but it is not unusual for newer and more powerful servers to exist at the main site for everyday production use while the standby servers are less powerful.

An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE? Select an answer: A. Controls the proliferation of multiple versions of programs B. Expands the programming resources and aids available C. Increases program and processing integrity D. Prevents valid changes from being overwritten by other changes

You are correct, the answer is B. One of the recognized strengths of an IDE is that it expands the programming resources and the aids that are available by maintaining all development tools centrally on the server along with the environment. IDE, in itself, does not control, but may actually facilitate, the existence of multiple versions of programs; IDE has no effect on integrity nor does it manage program changes.

An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE? Select an answer: A. Controls the proliferation of multiple versions of programs B. Expands the programming resources and aids available C. Increases program and processing integrity D. Prevents valid changes from being overwritten by other changes

You are correct, the answer is B. One of the recognized strengths of an IDE is that it expands the programming resources and the aids that are available by maintaining all development tools centrally on the server along with the environment. IDE, in itself, does not control, but may actually facilitate, the existence of multiple versions of programs; IDE has no effect on integrity nor does it manage program changes.

Which of the following wide area network (WAN) transmission techniques offers the BEST error and flow control procedures while transmitting data? Select an answer: A. Message switching B. Packet switching C. Circuit switching D. Virtual circuits

You are correct, the answer is B. Packet switching is a sophisticated means of maximizing the transmission capacity of networks. Messages are broken down into packets and routed independently through the network, depending on the availability of a channel in a network. The transmission cost is by packet and not by message, route or distance. Sophisticated error and flow control procedures are applied to each link by the network. This helps in identifying errors in transmission. All of the other options do not offer error and flow control procedures.

What is the BEST method to facilitate successful user testing and acceptance of a new enterprise resource planning (ERP) payroll system that is replacing an existing legacy system? Select an answer: A. Multiple testing B. Parallel testing C. Integration testing D. Prototype testing

You are correct, the answer is B. Parallel testing is the best method for testing data results and system behavior because it allows the users to compare obtained results with both systems before decommission of the legacy system. Parallel testing also results in better user adoption of the new system. Multiple testing will not compare results from the old and new systems. Integration testing refers to how the system interacts with other systems, and it is not performed by end users. Prototype testing will not compare results from the old and new systems.

Which of the following is the MOST important aspect of effective business continuity management? Select an answer: A. The recovery site is secure and located an appropriate distance from the primary site. B. The recovery plans are periodically tested. C. Fully tested backup hardware is available at the recovery site. D. Network links are available from multiple service providers.

You are correct, the answer is B. Periodic testing of the recovery plan is critical to ensure that whatever has been planned and documented is feasible. The other options are more tactical considerations that are secondary to the need for testing. If a disaster occurs, choices A, C and D would be more important.

An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business value. Which of the following would be MOST relevant? Select an answer: A. A capability maturity model (CMM) B. Portfolio management C. Configuration management D. Project management body of knowledge (PMBOK)

You are correct, the answer is B. Portfolio management is designed to assist in the definition, prioritization, approval and running of a set of projects within a given organization. These tools offer data capture, workflow and scenario planning functionality, which can help identify the optimum set of projects (from the full set of ideas) to take forward within a given budget. A CMM would not help determine the optimum portfolio of capital projects since it is a means of assessing the relative maturity of the IT processes within an organization: running from Level 0 (Incomplete—Processes are not implemented or fail to achieve their purpose) to Level 5 (Optimizing—Metrics are defined and measured, and continuous improvement techniques are in place). A configuration management database (which stores the configuration details for an organization's IT systems) is an important tool for IT service delivery and, in particular, change management. It may provide information that would influence the prioritization of projects, but is not designed for that purpose. PMBOK is a methodology for the management and delivery of projects. It offers no specific guidance or assistance in optimizing a project portfolio.

Over the long term, which of the following has the greatest potential to improve the security incident response process? Select an answer: A. A walk-through review of incident response procedures B. Postevent reviews by the incident response team C. Ongoing security training for users D. Documenting responses to an incident

You are correct, the answer is B. Postevent reviews to find the gaps and shortcomings in the actual incident response processes will help to improve the process over time. Choices A, C and D are desirable actions, but postevent reviews are the most reliable mechanism for improving security incident response processes.

The BEST method for assessing the effectiveness of a business continuity plan is to review the: Select an answer: A. plans and compare them to appropriate standards. B. results from previous tests. C. emergency procedures and employee training. D. offsite storage and environmental controls.

You are correct, the answer is B. Previous test results will provide evidence of the effectiveness of the business continuity plan. Comparisons to standards will give some assurance that the plan addresses the critical aspects of a business continuity plan but will not reveal anything about its effectiveness. Reviewing emergency procedures, offsite storage and environmental controls would provide insight into some aspects of the plan but would fall short of providing assurance of the plan's overall effectiveness.

A lower recovery time objective (RTO) results in: Select an answer: A. higher disaster tolerance. B. higher cost. C. wider interruption windows. D. more permissive data loss.

You are correct, the answer is B. RTO is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies. The lower the disaster tolerance, the narrower the interruption windows, and the lesser the permissive data loss.

A new business application has been designed in a large, complex organization and the business owner has requested that the various reports be viewed on a "need to know" basis. Which of the following access control methods would be the BEST method to achieve this requirement? Select an answer: A. Mandatory B. Role-based C. Discretionary D. Single sign-on (SSO)

You are correct, the answer is B. Role-based access control would be the best method to allow users to view reports on a need-to-know basis. While the other options could achieve the same goal, they would most likely be more difficult to implement and maintain. SSO is a technology and not an access control method.

Which of the following is MOST critical when creating data for testing the logic in a new or modified application system? Select an answer: A. A sufficient quantity of data for each test case B. Data representing conditions that are expected in actual processing C. Completing the test on schedule D. A random sample of actual data

You are correct, the answer is B. Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity. It is more important to have adequate test data than to complete the testing on schedule. It is unlikely that a random sample of actual data would cover all test conditions and provide a reasonable representation of actual data.

Establishing the level of acceptable risk is the responsibility of: Select an answer: A. quality assurance management. B. senior business management. C. the chief information officer. D. the chief security officer.

You are correct, the answer is B. Senior management should establish the acceptable risk level, since they have the ultimate or final responsibility for the effective and efficient operation of the organization. Choices A, C and D should act as advisors to senior management in determining an acceptable risk level.

An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement (SLA)? Select an answer: A. Overall number of users supported B. Percentage of incidents solved in the first call C. Number of incidents reported to the help desk D. Number of agents answering the phones

You are correct, the answer is B. Since it is about service level (performance) indicators, the percentage of incidents solved on the first call is the only option that is relevant. Choices A, C and D are not quality measures of the help desk service.

During an IS audit, the IS auditor discovers that a wireless network is used within the enterprise's headquarters. What is the FIRST thing that the auditor should check? Select an answer: A. The signal strength outside of the building B. The configuration settings C. The number of clients connected D. The IP address allocation mechanism

You are correct, the answer is B. The IS auditor should first check the configuration settings for the current network layout and connectivity and then, based on this, decide whether the security requirements are adequate. The signal strength outside of the building would not be of concern if proper encryption and security settings are in effect. The number of clients connected is not usually a major concern, from a security perspective. The IP address allocation mechanism is not a security risk.

An IS auditor reviewing an organization's IT strategic plan should FIRST review: Select an answer: A. the existing IT environment. B. the business plan. C. the present IT budget. D. current technology trends.

You are correct, the answer is B. The IT strategic plan exists to support the organization's business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize themselves with the business plan.

Which of the following functions should be performed by the application owners to ensure an adequate segregation of duties between IS and end users? Select an answer: A. System analysis B. Authorization of access to data C. Application programming D. Data administration

You are correct, the answer is B. The application owner is responsible for authorizing access to data. Application development and programming are functions of the IS department. Similarly, system analysis should be performed by qualified persons in IS who have knowledge of IS and user requirements. Data administration is a specialized function related to database management systems and should be performed by qualified database administrators.

An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the: Select an answer: A. maintenance of access logs of usage of various system resources. B. authorization and authentication of the user prior to granting access to system resources. C. adequate protection of stored data on servers by encryption or other means. D. accountability system and the ability to identify any terminal accessing system resources.

You are correct, the answer is B. The authorization and authentication of users is the most significant aspect in a telecommunications access control review, as it is a preventive control. Weak controls at this level can affect all other aspects. The maintenance of access logs of usage of system resources is a detective control. The adequate protection of data being transmitted to and from servers by encryption or other means is a method of protecting information during transmission and is not an access issue. The accountability system and the ability to identify any terminal accessing system resources deal with controlling access through the identification of a terminal.

Which of the following is the BEST reason to implement a policy which addresses secondary employment for IT employees? Select an answer: A. To ensure that employees are not misusing corporate resources B. To prevent conflicts of interest C. To prevent employee performance issues D. To prevent theft of IT assets

You are correct, the answer is B. The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Conflicts of interest could result in serious risk such as fraud, theft of intellectual property or other improprieties. The other options are not correct because issues such as the misuse of corporate resources, poor performance and theft of IT assets are not as severe as the possible ramifications of a conflict of interest.

During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that: Select an answer: A. only systems administrators perform the patch process. B. the client's change management process is adequate. C. patches are validated using parallel testing in production. D. an approval process of the patch, including a risk assessment, is developed.

You are correct, the answer is B. The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly. While system administrators would normally install patches and patches would normally undergo testing, it is more important that changes be made during nonproduction times; furthermore, parallel testing is not appropriate for security patches because some servers would still be vulnerable. An approval process could not directly prevent this type of incident from happening.

Which of the following tasks should be performed FIRST when preparing a disaster recovery plan? Select an answer: A. Develop a recovery strategy. B. Perform a business impact analysis (BIA). C. Map software systems, hardware and network components. D. Appoint recovery teams with defined personnel, roles and hierarchy.

You are correct, the answer is B. The first step in any disaster recovery plan is to perform a BIA. All other tasks come afterwards.

Which of the following would contribute MOST to an effective business continuity plan (BCP)? Select an answer: A. The document is circulated to all interested parties. B. Planning involves all user departments. C. The plan is approved by senior management. D. An audit is performed by an external IS auditor.

You are correct, the answer is B. The involvement of user departments in the BCP is crucial for the identification of the business processing priorities. The BCP circulation will ensure that the BCP document is received by all users. Although essential, this does not contribute significantly to the success of the BCP. A BCP approved by senior management would not ensure the quality of the BCP, nor would an audit necessarily improve the quality of the BCP.

Which of the following is the MOST effective control when granting temporary access to vendors? Select an answer: A. Vendor access corresponds to the service level agreement (SLA). B. User accounts are created with expiration dates and are based on services provided. C. Administrator access is provided for a limited period. D. User IDs are deleted when the work is completed.

You are correct, the answer is B. The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (automated is best) associated with each ID. The use of an identity management system enforces temporary and permanent access for users, at the same time ensuring proper accounting of their activities. The SLA may have a provision for providing access, but this is not a control; it would merely define the need for access. Vendors require access for a limited period during the time of service. However, it is important to ensure that the access during this period is monitored. Deleting these user IDs after the work is completed is necessary, but if not automated, the deletion could be overlooked.

Which of the following types of risk is MOST likely encountered in a Software as a Service (SaaS) environment? Select an answer: A. Noncompliance with software license agreements B. Performance issues due to Internet delivery method C. Higher cost due to software licensing requirements D. Higher cost due to the need to update to compatible hardware

You are correct, the answer is B. The risk that could be most likely encountered in an SaaS environment is speed and availability issues, due to the fact that SaaS relies on the Internet for connectivity. SaaS is provisioned on a usage basis, not a license basis; therefore, there should be no risk of noncompliance with software license agreements or licensing fees. Additionally, the open design and Internet connectivity allow most SaaS to run on virtually no hardware.

Which of the following types of risk is MOST likely encountered in a Software as a Service (SaaS) environment? Select an answer: A. Noncompliance with software license agreements B. Performance issues due to Internet delivery method C. Higher cost due to software licensing requirements D. Higher cost due to the need to update to compatible hardware

You are correct, the answer is B. The risk that could be most likely encountered in an SaaS environment is speed and availability issues, due to the fact that SaaS relies on the Internet for connectivity. SaaS is provisioned on a usage basis, not a license basis; therefore, there should be no risk of noncompliance with software license agreements or licensing fees. Additionally, the open design and Internet connectivity allow most SaaS to run on virtually no hardware.

Which of the following should be included in an organization's information security policy? Select an answer: A. A list of key IT resources to be secured B. The basis for control access authorization C. Identity of sensitive security features D. Relevant software security features

You are correct, the answer is B. The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. Choices A, C and D are more detailed than that which should be included in a policy.

Which of the following would help to ensure the portability of an application connected to a database? Select an answer: A. Verification of database import and export procedures B. Usage of a structured query language (SQL) C. Analysis of stored procedures/triggers D. Synchronization of the entity-relation model with the database physical schema

You are correct, the answer is B. The use of SQL facilitates portability. Verification of import and export procedures with other systems ensures better interfacing with other systems, analyzing stored procedures/triggers ensures proper access/performance, and reviewing the design entity-relation model will be helpful, but none of these contribute to the portability of an application connecting to a database.

Which of the following would help to ensure the portability of an application connected to a database? Select an answer: A. Verification of database import and export procedures B. Usage of a structured query language (SQL) C. Analysis of stored procedures/triggers D. Synchronization of the entity-relation model with the database physical schema

You are correct, the answer is B. The use of SQL facilitates portability. Verification of import and export procedures with other systems ensures better interfacing with other systems, analyzing stored procedures/triggers ensures proper access/performance, and reviewing the design entity-relation model will be helpful, but none of these contribute to the portability of an application connecting to a database.

To support an organization's goals, an IS department should have: Select an answer: A. a low-cost philosophy. B. long- and short-range plans. C. leading-edge technology. D. plans to acquire new hardware and software.

You are correct, the answer is B. To ensure its contribution to the realization of an organization's overall goals, the IS department should have long- and short-range plans that are consistent with the organization's broader plans for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate how each of the objectives would be achieved. Choice D could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals.

An IS auditor discovers that URLs for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks? Select an answer: A. IP spoofing B. Phishing C. Structured query language (SQL) injection D. Denial of service (DoS)

You are correct, the answer is B. URL shortening services have been adopted by hackers to fool users and spread malware, i.e., phishing. IP spoofing is used to change the source IP address in a Transmission Control Protocol/Internet Protocol (TCP/IP) packet, not in the HTTP protocol. Although URL shortening services can be used to perform SQL injections, their primary purpose is for phishing. DoS attacks are not affected by URL shortening services.

An IS auditor's PRIMARY concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that: Select an answer: A. users may prefer to use contrived data for testing. B. unauthorized access to sensitive data may result. C. error handling and credibility checks may not be fully proven. D. the full functionality of the new process may not necessarily be tested.

You are correct, the answer is B. Unless the data are sanitized, there is a risk of disclosing sensitive data.

A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization's data? Select an answer: A. Introduce a secondary authentication method such as card swipe. B. Apply role-based permissions within the application system. C. Have users input the ID and password for each database transaction. D. Set an expiration period for the database password embedded in the program.

You are correct, the answer is B. When a single ID and password are embedded in a program, the best compensating control would be a sound access control over the application layer and procedures to ensure access to data is granted based on a user's role. The issue is user permissions, not authentication, therefore adding a stronger authentication does not improve the situation. Having a user input the ID and password for access would provide a better control because a database log would identify the initiator of the activity. However, this may not be efficient because each transaction would require a separate authentication process. It is a good practice to set an expiration date for a password. However, this might not be practical for an ID automatically logged in from the program. Often, this type of password is set not to expire.

Which of the following will BEST ensure the successful offshore development of business applications? Select an answer: A. Stringent contract management practices B. Detailed and correctly applied specifications C. Awareness of cultural and political differences D. Postimplementation reviews

You are correct, the answer is B. When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Contract management practices, cultural and political differences, and postimplementation reviews, although important, are not as pivotal to the success of the project.

An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for: Select an answer: A. documentation of staff background checks. B. independent audit reports or full audit access. C. reporting the year-to-year incremental cost reductions. D. reporting staff turnover, development or training.

You are correct, the answer is B. When the functions of an IS department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. Although it is necessary to document the fact that background checks are performed, this is not as important as provisions for audits. Financial measures such as year-to-year incremental cost reductions are desirable to have in an SLA; however, cost reductions are not as important as the availability of independent audit reports or full audit access. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but this is not as important as the requirements for independent reports or full audit access by the outsourcing organization.

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should: Select an answer: A. include the statement of management in the audit report. B. identify whether such software is, indeed, being used by the organization. C. reconfirm with management the usage of the software. D. discuss the issue with senior management since reporting this could have a negative impact on the organization.

You are correct, the answer is B. When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With respect to this matter, representations obtained from management cannot be independently verified. If the organization is using software that is not licensed, the IS auditor, to maintain objectivity and independence, must include this in the report.

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should: Select an answer: A. include the statement of management in the audit report. B. identify whether such software is, indeed, being used by the organization. C. reconfirm with management the usage of the software. D. discuss the issue with senior management since reporting this could have a negative impact on the organization.

You are correct, the answer is B. When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With respect to this matter, representations obtained from management cannot be independently verified. If the organization is using software that is not licensed, the IS auditor, to maintain objectivity and independence, must include this in the report.

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should: Select an answer: A. include the statement of management in the audit report. B. identify whether such software is, indeed, being used by the organization. C. reconfirm with management the usage of the software. D. discuss the issue with senior management since reporting this could have a negative impact on the organization.

You are correct, the answer is B. When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With respect to this matter, representations obtained from management cannot be independently verified. If the organization is using software that is not licensed, the IS auditor, to maintain objectivity and independence, must include this in the report.

An IS auditor is evaluating data mining and auditing software to be used in future IS audits. What is the PRIMARY requirement that the software tool should meet? The software tool should: Select an answer: A. interface with various types of enterprise resource planning (ERP) software and databases. B. preserve data integrity and not modify source data in any way. C. introduce audit hooks into the company's financial systems to support continuous auditing. D. be customizable and support inclusion of custom programming to aid in investigative analysis.

You are correct, the answer is B. While all of the options above are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool does not compromise data integrity or make changes to the systems being audited.

Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects? Select an answer: A. Project database B. Policy documents C. Project portfolio database D. Program organization

You are correct, the answer is C. A project portfolio database is the basis for project portfolio management. It includes project data, such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. A project database may contain the above for one specific project and updates to various parameters pertaining to the current status of that single project. Policy documents on project management set direction for the design, development, implementation and monitoring of the project. Program organization is the team required (steering committee, quality assurance, systems personnel, analyst, programmer, hardware support, etc.) to meet the delivery objective of the project.

Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects? Select an answer: A. Project database B. Policy documents C. Project portfolio database D. Program organization

You are correct, the answer is C. A project portfolio database is the basis for project portfolio management. It includes project data, such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. A project database may contain the above for one specific project and updates to various parameters pertaining to the current status of that single project. Policy documents on project management set direction for the design, development, implementation and monitoring of the project. Program organization is the team required (steering committee, quality assurance, systems personnel, analyst, programmer, hardware support, etc.) to meet the delivery objective of the project.

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? Select an answer: A. Project sponsor B. System development project team C. Project steering committee D. User project team

You are correct, the answer is C. A project steering committee that provides an overall direction for the ERP implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project. A system development project team completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The system development project team is not responsible for reviewing the progress of the project. A user project team completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A user project team is not responsible for reviewing the progress of the project.

Which of the following controls helps prevent duplication of vouchers during data entry? Select an answer: A. A range check B. Transposition and substitution C. A sequence check D. A cyclic redundancy check (CRC)

You are correct, the answer is C. A sequence check involves increasing the order of numbering and would validate whether the vouchers are in sequence and, thus, prevent duplicate vouchers. A range check works over a range of numbers. Even if the same voucher number reappears, it will satisfy the range and, therefore, not be useful. Transposition and substitution are used in encoding, but will not help in establishing unique voucher numbers. A CRC is used for completeness of data received over the network, but is not useful in application code level validations.

The MOST likely effect of the lack of senior management commitment to IT strategic planning is: Select an answer: A. a lack of investment in technology. B. a lack of a methodology for systems development. C. technology not aligning with the organization's objectives. D. an absence of control over technology contracts.

You are correct, the answer is C. A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee or a committee not composed of senior managers would be an indication of a lack of top-level management commitment. This condition would increase the risk that IT would not be aligned with the organization's strategy.

In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on? Select an answer: A. A size check B. A hash total C. A validity check D. A field check

You are correct, the answer is C. A validity check would be the most useful for the verification of passwords because it would verify that the required format has been used—for example, not using a dictionary word, including non-alphabetical characters, etc. An effective password must have several different types of characters: alphabetical, numeric and special. The implementation of a field check would eliminate this important requirement and would be the least useful control for passwords. Passwords can, and should, be the same length. This check is useful because passwords should have a minimum length, but it is not as strong of a control as validity. Passwords are not typically entered in a batch mode, so a hash total would not be effective. More importantly, a system should not accept incorrect values of a password, so a hash total as a control will not find any errors or omissions.

It is MOST appropriate to implement an incremental backup scheme when: Select an answer: A. there is limited recovery time for critical data. B. online disk-based media are preferred. C. there is limited media capacity. D. a random selection of backup sets is required.

You are correct, the answer is C. A. A full backup or differential backup is preferred in this situation. B. Incremental backup could be used irrespective of the media adopted. C. In an incremental backup, after the full backup, only the files that have changed are backed up, thus minimizing media storage. D. A random selection of backup sets may not be possible with an incremental backup scheme because only fragments of the data are backed up on a daily basis.

Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment? Select an answer: A. Alpha testing B. Regression testing C. Beta testing D. White box testing

You are correct, the answer is C. A. Alpha testing is often performed only by users within the organization developing the software. Alpha testing generally involves a software version that does not contain all the features of the final product and may be a simulated test. B. Regression testing is used to determine whether system changes have introduced new errors to existing functionality. C. Beta testing follows alpha testing and involves real-world exposure with external user involvement. Beta testing is the last stage of testing, and involves sending the beta version of the product to independent beta test sites or offering it free to interested users. D. White box testing is used to assess the effectiveness of program logic.

Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment? Select an answer: A. Alpha testing B. Regression testing C. Beta testing D. White box testing

You are correct, the answer is C. A. Alpha testing is often performed only by users within the organization developing the software. Alpha testing generally involves a software version that does not contain all the features of the final product and may be a simulated test. B. Regression testing is used to determine whether system changes have introduced new errors to existing functionality. C. Beta testing follows alpha testing and involves real-world exposure with external user involvement. Beta testing is the last stage of testing, and involves sending the beta version of the product to independent beta test sites or offering it free to interested users. D. White box testing is used to assess the effectiveness of program logic.

Which of the following is the GREATEST concern to an IS auditor reviewing an organization's use of third-party-provided cloud services to store health care billing information? Select an answer: A. Disparate backup requirements B. Availability of infrastructure C. Segregation of client data D. Integrity of data

You are correct, the answer is C. A. Although disparate backup requirements may present a challenge, the primary concern is maintaining segregation of client data. B. Availability of infrastructure is an inherent benefit of cloud services, and as such is not a primary concern. C. In a shared services infrastructure, several clients access the same set of services. Therefore, the primary concern is maintaining segregation of client data. D. Although integrity of data is important, maintaining confidentiality of the data through segregation is a greater concern.

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit? Select an answer: A. Contingency planning B. IS management resource allocation C. Project management D. Knowledge of internal controls

You are correct, the answer is C. A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques. B. IS managers are responsible for resource management of their departments. IS auditors do not manage IS resources. C. Audits often involve resource management and deadlines similar to project management best practices. D. Knowledge of internal controls is fundamental to IS auditors. Professional competence is an auditing standard.

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit? Select an answer: A. Contingency planning B. IS management resource allocation C. Project management D. Knowledge of internal controls

You are correct, the answer is C. A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques. B. IS managers are responsible for resource management of their departments. IS auditors do not manage IS resources. C. Audits often involve resource management and deadlines similar to project management best practices. D. Knowledge of internal controls is fundamental to IS auditors. Professional competence is an auditing standard.

An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may affect? Select an answer: A. Control risk B. Compliance risk C. Inherent risk D. Residual risk

You are correct, the answer is C. A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested, and would not be due to the number of users or business areas affected. B. Compliance risk is the penalty applied to current and future earnings for nonconformance to laws and regulations, and may not be impacted by the number of users and business areas affected. C. Inherent risk is normally high due to the number of users and business areas that may be affected. Inherent risk is the risk level or exposure without taking into account the actions that management has taken or might take. D. Residual risk is the remaining risk after management has implemented a risk response, and is not based on the number of user or business areas affected.

A company's development team does not follow generally accepted system development life cycle (SDLC) practices. Which of the following is MOST likely to cause problems for software development projects? Select an answer: A. Functional verification of the prototypes is assigned to end users. B. The project is implemented while minor issues are open from user acceptance testing (UAT). C. Project responsibilities are not formally defined at the beginning of a project. D. Program documentation is inadequate.

You are correct, the answer is C. A. Prototypes are verified by users. B. UAT is seldom completely successful. If errors are not critical, they may be corrected after implementation without seriously affecting usage. C. Errors or lack of attention in the initial phases of a project may cause costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project. D. Lack of adequate program documentation, while a concern, is not as big a risk as the lack of assigned responsibilities during the initial stages of the project.

Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity? Select an answer: A. Draft and publish a clear practice for enterprise-level incident response. B. Establish a cross-departmental working group to share perspectives. C. Develop a scenario and perform a structured walk-through. D. Develop a project plan for end-to-end testing of disaster recovery.

You are correct, the answer is C. A. Publishing an enterprise-level incident response plan is effective only if business continuity aligned itself to incident response. Incident response supports business continuity, not the other way around. B. Sharing perspectives is valuable, but a working group does not necessarily lead to ensuring that the interface between plans is workable. C. A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans. D. A project plan developed for disaster recovery will not necessarily address deficiencies in business continuity or incident response.

Which of the following is the MOST likely reason an organization implements an emergency change to an application using the emergency change control process? Select an answer: A. The application owner requested new functionality. B. Changes are developed using an agile methodology. C. There is a high probability of a significant impact on operations. D. The operating system (OS) vendor has released a security patch.

You are correct, the answer is C. A. Requests for new functionality by the application owner generally follow normal change control procedures, unless they have an impact on the business function. B. The agile system development methodology breaks down projects into short time-boxed iterations. Each iteration focuses on developing end-to-end functionality from user interface to data storage for the intended architecture. However, the release does not need to follow emergency release procedures unless there is a significant impact on operations. C. Emergency releases to an application are fixes that require implementation as quickly as possible to prevent significant user downtime. Emergency release procedures are followed in such situations. D. OS security patches are applied after testing, and therefore there is not a need for an emergency release.

An IS auditor is reviewing the change management process for an enterprise resource planning (ERP) application. Which of the following is the BEST method for testing program changes? Select an answer: A. Select a sample of change tickets and review them for authorization. B. Perform a walk-through by tracing a program change from start to finish. C. Trace a sample of modified programs to supporting change tickets. D. Use query software to analyze all change tickets for missing fields.

You are correct, the answer is C. A. Selecting a sample of change tickets and reviewing them for authorization helps test for authorization controls; however, it does not identify program changes that were made without supporting change tickets. B. Performing a walk-through assists the IS auditor in understanding the process, but does not ensure that all changes adhere to the normal process. C. Tracing a sample of modified programs to supporting change tickets is the best way to test change management controls. This method is most likely to identify instances in which a change was made without supporting documentation. D. Using query software to analyze all change tickets for missing fields does not identify program changes that were made without supporting change tickets.

An IS auditor is reviewing a large financial institution's process of remotely managing network devices over the Internet. The IS auditor should be MOST concerned if: Select an answer: A. shared credentials are used. B. no login banner is displayed. C. Telnet access is enabled. D. device logs are not captured.

You are correct, the answer is C. A. Shared credentials for network devices do not allow for accountability. However, the use of Telnet is a greater risk. B. Normally a login banner should indicate to unauthorized personnel that access is forbidden. Lack of a banner is a concern. However, the use of Telnet is a greater risk. C. Using Telnet over the Internet is not secure because it is not encrypted and is prone to intrusion. A more secure method, such as secure shell (SSH), should be used. D. Device logs should be captured and reviewed as a security control. However, the use of Telnet is a greater risk.

An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by: Select an answer: A. the project manager B. systems development management. C. business unit management. D. the quality assurance (QA) team.

You are correct, the answer is C. A. The project manager provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction. B. Systems development management provides technical support for hardware and software environments. C. Business unit management assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software. D. The QA team ensures the quality of the project by measuring adherence to the organization's system development life cycle (SDLC).

An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by: Select an answer: A. the project manager. B. systems development management. C. business unit management. D. the quality assurance (QA) team.

You are correct, the answer is C. A. The project manager provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction. B. Systems development management provides technical support for hardware and software environments. C. Business unit management assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software. D. The QA team ensures the quality of the project by measuring adherence to the organization's system development life cycle (SDLC).

An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by: Select an answer: A. the project manager. B. systems development management. C. business unit management. D. the quality assurance (QA) team.

You are correct, the answer is C. A. The project manager provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction. B. Systems development management provides technical support for hardware and software environments. C. Business unit management assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software. D. The QA team ensures the quality of the project by measuring adherence to the organization's system development life cycle (SDLC).

Which of the following technologies is the BEST defense against a distributed denial-of-service (DDoS) attack? Select an answer: A. Stateful inspection firewall B. Cloud computing C. Load balancing D. Multiple Internet service provider (ISP) connections

You are correct, the answer is C. A. While a stateful packet inspection firewall can help defend against certain types of network attacks, neither the firewall nor the web server itself can differentiate DDoS attack traffic from normal web traffic. Therefore, a firewall does not help for this type of attack. B. While cloud computing providers typically have the ability to provide increased computing and processing power on demand, if the organization has only one server instance at a cloud service provider, this may not provide protection against a DDoS attack. Load balancing is used by cloud service providers as well to defend against DDoS attacks. C. A DDoS attack involves the use of a large number of geographically diverse hosts sending unwanted network traffic at a web server. A load balancer has the capability of processing a greater amount of network traffic while also detecting and blocking what are known as half-open connections, which can cause a web server to get overloaded so it cannot handle legitimate requests. D. Having multiple ISP connections may provide more bandwidth and/or redundancy for a web site, but cannot specifically defend against a DDoS attack.

An IS auditor is reviewing an organization's business continuity plan (BCP) to determine the impact of a disruption in an industry where regulatory requirements demand high availability. Which of the following findings should be of MOST concern to the auditor? Select an answer: A. The organization does not have an original copy of the agreement for the alternate processing site. B. The backup tapes are not encrypted for offsite storage. C. Data restoration tests for the backups of production data are not performed. D. Backup tapes that exceed their lifetime usage are not disposed of securely.

You are correct, the answer is C. A. While an original copy of the agreement is important, many third parties will send a duplicate original copy of an agreement so that each party has an original. B. Encrypted backups are important to ensure the confidentiality of information; however, if they are not encrypted, it does not impact the organization's ability to continue operations. C. Backup tapes should be periodically tested to ensure that data are available when needed and to minimize the impact of a disruption. If the backups are not tested, there could be a delay because the production data may not be available or must be moved to the alternate processing site. In addition, there could be a delay if manual processing is needed. D. Secure disposal of backup tapes is important to ensure the confidentiality of information; however, it does not impact the organization's ability to continue operations.

An IT auditor is reviewing an organization's information security policy, which requires encryption of all data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption algorithm be used. Which of the following algorithms would provide the greatest assurance that data placed on USB drives is protected from unauthorized disclosure? Select an answer: A. Data Encryption Standard (DES) B. Message digest 5 (MD5) C. Advanced Encryption Standard (AES) D. Secure Shell (SSH)

You are correct, the answer is C. AES provides the strongest encryption of all of the choices listed and would provide the greatest assurance that data are protected. Recovering data encrypted with AES is considered computationally infeasible and so AES is the best choice for encrypting sensitive data. DES is susceptible to brute-force attacks and has been publicly broken, and therefore does not provide assurance that data encrypted using DES will be protected from unauthorized disclosure. MD5 is an algorithm used to generate a one-way hash of data (a fixed length value) in order to test and verify data integrity. MD5 does not encrypt data, but instead puts the data through a mathematical process which cannot be reversed. As a result, MD5 could not be used to encrypt data on a USB drive. SSH is a protocol that is used to establish a secure, encrypted, command-line shell session, typically for remote logon. Although SSH encrypts data transmitted during a session, SSH cannot encrypt data at rest, including data on USB drives. As a result, SSH is not appropriate for this scenario.

The GREATEST risk from an improperly implemented intrusion prevention system (IPS) is: Select an answer: A. that there will be too many alerts for system administrators to verify. B. decreased network performance due to IPS traffic. C. the blocking of critical systems or services due to false triggers. D. reliance on specialized expertise within the IT organization.

You are correct, the answer is C. An IPS prevents a connection or service based on how it is programmed to react to specific incidents. If the packets are coming from a spoofed address and the IPS is triggered based on previously defined behavior, it may block the service or connection of a critical internal system. The other choices are types of risk that are not as severe as blocking critical systems or services due to false triggers.

An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task? Select an answer: A. Immediately report the risk to the chief information officer (CIO) and chief executive officer (CEO). B. Examine the e-business application in development. C. Identify threats and the likelihood of occurrence. D. Check the budget available for risk management.

You are correct, the answer is C. An IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to the CEO. The report should include the findings along with priorities and costs.

Which of the following audit techniques would BEST help an IS auditor in determining whether there have been unauthorized program changes since the last authorized program update? Select an answer: A. Test data run B. Code review C. Automated code comparison D. Review of code migration procedures

You are correct, the answer is C. An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure. Test data runs permit the auditor to verify the processing of preselected transactions, but provide no evidence about unexercised portions of a program. Code review is the process of reading program source code listings to determine whether the code contains potential errors or inefficient statements. A code review can be used as a means of code comparison but it is inefficient. The review of code migration procedures would not detect program changes.

In determining the acceptable time period for the resumption of critical business processes: Select an answer: A. only downtime costs need to be considered. B. recovery operations should be analyzed. C. both downtime costs and recovery costs need to be evaluated. D. indirect downtime costs should be ignored.

You are correct, the answer is C. Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis (BIA) should be a recovery strategy that represents the optimal balance. Downtime costs cannot be looked at in isolation. The quicker information assets can be restored and business processing resumed, the smaller the downtime costs. However, the expenditure needed to have the redundant capability required to recover information resources might be prohibitive for nonessential business processes. Recovery operations do not determine the acceptable time period for the resumption of critical business processes, and indirect downtime costs should be considered in addition to the direct cash outflows incurred due to business disruption. The indirect costs of a serious disruption to normal business activity, e.g., loss of customer and supplier goodwill and loss of market share, may actually be more significant than direct costs over time, thus reaching the point where business viability is threatened.

When performance issues are discovered during an assessment of the organization's network, the MOST efficient way for the IS auditor to proceed is to examine the: Select an answer: A. antivirus controls that have been put in place. B. protocols used on the network. C. network topology. D. configuration of network devices.

You are correct, the answer is C. By reviewing the network topology, the IS auditor can quickly gain a high-level perspective of potential points of failure or bottlenecks. The IS auditor will be directed to specific areas of the network which may require more detailed analysis. The other choices require more time to assess and are secondary to understanding the overall architecture of the network.

While reviewing the IT infrastructure, an IS auditor notices that storage resources are continuously being added. The IS auditor should: Select an answer: A. recommend the use of disk mirroring. B. review the adequacy of offsite storage. C. review the capacity management process. D. recommend the use of a compression algorithm.

You are correct, the answer is C. Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively. Business criticality must be considered before recommending a disk mirroring solution and offsite storage is unrelated to the problem. Though data compression may save disk space, it could affect system performance.

When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software: Select an answer: A. was installed, but not documented in the IT department records. B. was installed and the license has expired. C. is not listed in the approved software standards document. D. license will expire in the next 15 days.

You are correct, the answer is C. Choice C implies which software is not allowed by policy. Any software that is allowed should be part of a standard software list. This is the first thing to review since this would also indicate compliance with policies; noncompliance would result in IT and legal risk. The other options are important issues, but not as critical as unapproved software being installed on organization PCs.

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of: Select an answer: A. dependency on a single person. B. inadequate succession planning. C. one person knowing all parts of a system. D. a disruption of operations.

You are correct, the answer is C. Cross-training is a process of training more than one individual to perform a specific job or procedure. This practice helps decrease the dependence on a single person and assists in succession planning. This provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the related potential exposures. Cross-training reduces the risk addressed in choices A, B and D.

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of: Select an answer: A. dependency on a single person. B. inadequate succession planning. C. one person knowing all parts of a system. D. a disruption of operations.

You are correct, the answer is C. Cross-training is a process of training more than one individual to perform a specific job or procedure. This practice helps decrease the dependence on a single person and assists in succession planning. This provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the related potential exposures. Cross-training reduces the risk addressed in choices A, B and D.

Data flow diagrams are used by IS auditors to: Select an answer: A. order data hierarchically. B. highlight high-level data definitions. C. graphically summarize data paths and storage. D. portray step-by-step details of data generation.

You are correct, the answer is C. Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.

Which of the following physical access controls effectively reduces the risk of piggybacking? Select an answer: A. Biometric door locks B. Combination door locks C. Deadman doors D. Bolting door locks

You are correct, the answer is C. Deadman doors use a pair of doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This effectively reduces the risk of piggybacking. An individual's unique body features such as voice, retina, fingerprint or signature activate biometric door locks; however, they do not prevent or reduce the risk of piggybacking. Combination door locks, also known as cipher locks, use a numeric key pad or dial to gain entry. They do not prevent or reduce the risk of piggybacking since unauthorized individuals may still gain access to the processing center. Bolting door locks require the traditional metal key to gain entry. Unauthorized individuals could still gain access to the processing center along with an authorized individual.

Which of the following physical access controls effectively reduces the risk of piggybacking? Select an answer: A. Biometric door locks B. Combination door locks C. Deadman doors D. Bolting door locks

You are correct, the answer is C. Deadman doors use a pair of doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This effectively reduces the risk of piggybacking. An individual's unique body features such as voice, retina, fingerprint or signature activate biometric door locks; however, they do not prevent or reduce the risk of piggybacking. Combination door locks, also known as cipher locks, use a numeric key pad or dial to gain entry. They do not prevent or reduce the risk of piggybacking since unauthorized individuals may still gain access to the processing center. Bolting door locks require the traditional metal key to gain entry. Unauthorized individuals could still gain access to the processing center along with an authorized individual.

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date? Select an answer: A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables C. Extrapolation of the overall end date based on completed work packages and current resources D. Calculation of the expected end date based on current resources and remaining available project budget

You are correct, the answer is C. Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (80:20 rule). The calculation based on remaining budget does not take into account the speed at which the project has been progressing.

Many organizations require employees to take a mandatory one-week (or two-week) vacation each year PRIMARILY because the organization wants to ensure that: Select an answer: A. adequate cross-training exists between all functions of the organization. B. employee morale and satisfaction is maintained to help ensure an effective internal control environment. C. potential irregularities in processing are identified by temporarily replacing an employee in the job function. D. employee satisfaction is maintained to reduce the risk of processing errors.

You are correct, the answer is C. Employees who perform critical and sensitive functions within an organization should be required to take some time off in order to help ensure that irregularities and fraud are detected. Cross-training is a good practice to follow, but can be achieved without the requirement for mandatory vacation. Good employee morale and high levels of employee satisfaction are worthwhile objectives, but they should not be considered a means to achieve an effective internal control system. Although high levels of employee satisfaction could contribute to fewer processing errors, this is not typically a reason to require a mandatory vacation policy.

Which of the following should be included in a feasibility study for a project to implement an electronic data interchange (EDI) process? Select an answer: A. The encryption algorithm format B. The detailed internal control procedures C. The necessary communication protocols D. The proposed trusted third-party agreement

You are correct, the answer is C. Encryption algorithms, third-party agreements and internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. The communications protocols must be included, as there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization.

Which of the following fire suppression systems is MOST appropriate to use in a data center environment? Select an answer: A. Wet-pipe sprinkler system B. Dry-pipe sprinkler system C. FM-200 system D. Carbon dioxide-based fire extinguishers

You are correct, the answer is C. FM-200 is safer to use than carbon dioxide. It is considered a clean agent for use in gaseous fire suppression applications. A water-based fire extinguisher is suitable when sensitive computer equipment could be damaged before the fire department personnel arrive at the site. Manual firefighting (fire extinguishers) may not provide fast enough protection for sensitive equipment (e.g., network servers).

An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess: Select an answer: A. problem management procedures. B. software development procedures. C. fallback procedures. D. incident management procedures.

You are correct, the answer is C. Fallback procedures are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process—a process which specifies what procedures should be followed when software is being upgraded.

Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget? Select an answer: A. A hot site maintained by the business B. A commercial cold site C. A reciprocal arrangement between its offices D. A third-party hot site

You are correct, the answer is C. For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate. Each office could be designated as a recovery site for some other office. This would be the least expensive approach to providing an acceptable level of confidence. A hot site maintained by the business would be a costly solution but would provide a high degree of confidence. Multiple cold sites leased for the multiple offices would lead to a costly solution with a high degree of confidence. A third-party facility for recovery is provided by a traditional hot site. This would be a costly approach providing a high degree of confidence.

While downloading software, a hash may be provided to: Select an answer: A. ensure that the software comes from a genuine source. B. ensure that the software is the correct revision number. C. ensure that the software has not been modified. D. serve as a license key for paid users of the software.

You are correct, the answer is C. Hash values are used as a means to ensure file integrity. The computed hash value for a file will be different if even a single bit within the file has been modified. It is common practice for the hash value to be displayed on the software publisher's web site so that those downloading the application can be certain that the software has not been modified. Choice A is not correct because the hash value of a file would be the same whether or not it was copied from a genuine source. Software download sites often are "mirrored" to third-party sites, which can create a greater risk that the code has been modified because those sites are not controlled by the software publisher. Choice B is not correct because the hash value has no relation to the revision number of the software, nor is the hash value used for this purpose. The hash value can be verified by using a software utility that calculates the hash of the downloaded file, which then can be compared to the value displayed on the web site. If these two values match, then the downloaded file is intact and has not been modified. Choice D is not correct because the hash value is not used as a license key.

An IS auditor is reviewing a new web-based order entry system the week before it goes live. The auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card information. The IS auditor should FIRST: Select an answer: A. determine whether system developers have proper training on adequate security measures. B. determine whether system administrators have disabled security controls for any reason. C. verify that security requirements have been properly specified in the project plan. D. validate whether security controls are based on requirements which are no longer valid.

You are correct, the answer is C. If there are significant security issues identified by an IS auditor, the first question is whether the security requirements were correct in the project plan. While it is important for programmers to understand security, it is more important that the security requirements were properly stated in the project plan. System administrators may have made changes to the controls, but it is assumed that the auditor is reviewing the system as designed—meaning that the deployed system meets the requirements that were specified. It is possible that security requirements will change over time based on new threats or vulnerabilities, but if critical controls are missing, this points toward a faulty design that was based on incomplete requirements.

An organization is using symmetric encryption. Which of the following would be a valid reason for moving to asymmetric encryption? Symmetric encryption: Select an answer: A. provides authenticity. B. is faster than asymmetric encryption. C. can cause key management to be difficult. D. requires a relatively simple algorithm.

You are correct, the answer is C. In a symmetric algorithm, each pair of users needs a unique pair of keys, so the number of keys grows and key management can become overwhelming. Symmetric algorithms do not provide authenticity, and symmetric encryption is faster than asymmetric encryption. Symmetric algorithms require mathematical calculations, but they are not as complex as asymmetric algorithms.

A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action? Select an answer: A. Set up an exit interview with human resources (HR). B. Initiate the handover process to ensure continuity of the project. C. Terminate the developer's logical access to IT resources. D. Ensure that management signs off on the termination paperwork.

You are correct, the answer is C. In order to protect IT assets, terminating logical access to IT resources is the first and most important action to take once management has confirmed the employee's clear intention to leave the enterprise. The interview with HR is also an important process if it is conducted by the last date of employment, but it is of secondary importance. As long as the handover process to a designated employee is conducted by the last date of employment, there should be no problems. Ensuring that management signs off on termination paperwork is important, but not as critical as terminating access to the IT systems.

A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use: Select an answer: A. eavesdropping. B. spoofing. C. traffic analysis. D. masquerading.

You are correct, the answer is C. In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and through an analysis of session length, frequency and message length, and the intruder is able to guess the type of communication taking place. This typically is used when messages are encrypted and eavesdropping would not yield any meaningful results. In eavesdropping, which also is a passive attack, the intruder gathers the information flowing through the network with the intent of acquiring and releasing message contents for personal analysis or for third parties. Spoofing and masquerading are active attacks. In spoofing, a user receives an email that appears to have originated from one source when it actually was sent from another source. In masquerading, the intruder presents an identity other than the original identity.

A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use: Select an answer: A. eavesdropping. B. spoofing. C. traffic analysis. D. masquerading.

You are correct, the answer is C. In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and through an analysis of session length, frequency and message length, and the intruder is able to guess the type of communication taking place. This typically is used when messages are encrypted and eavesdropping would not yield any meaningful results. In eavesdropping, which also is a passive attack, the intruder gathers the information flowing through the network with the intent of acquiring and releasing message contents for personal analysis or for third parties. Spoofing and masquerading are active attacks. In spoofing, a user receives an email that appears to have originated from one source when it actually was sent from another source. In masquerading, the intruder presents an identity other than the original identity.

Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)? Select an answer: A. A service adjustment resulting from an exception report took a day to implement. B. The complexity of application logs used for service monitoring made the review difficult. C. Performance measures were not included in the SLA. D. The document is updated on an annual basis.

You are correct, the answer is C. Lack of performance measures will make it difficult to gauge the efficiency and effectiveness of IT services. Delays related to exception reports and the complexity of application logs are operational issues which are not related to the SLA. While it is important that the document be current, it may not be necessary to change the document annually.

An IS auditor is conducting a compliance audit of a health care organization operating an online system that contains sensitive health care information. Which of the following should an IS auditor FIRST review? Select an answer: A. Network diagram and firewall rules surrounding the online system B. IT infrastructure and IS department organizational chart C. Legal and regulatory requirements regarding data privacy D. Adherence to organizational policies and procedures

You are correct, the answer is C. Legal and regulatory requirements will define the audit criteria and should therefore be reviewed first. The other choices support the organization's approach to adhering to the requirements.

Which of the following is of GREATEST concern to an IS auditor when performing an audit of a client relationship management (CRM) system migration project? Select an answer: A. The technical migration is planned for a Friday preceding a long weekend, and the time window is too short for completing all tasks. B. Employees pilot-testing the system are concerned that the data representation in the new system is completely different from the old system. C. A single implementation is planned, immediately decommissioning the legacy system. D. Five weeks prior to the target date, there are still numerous defects in the printing functionality of the new system's software.

You are correct, the answer is C. Major system migrations should include a phase of parallel operation or a phased cut-over to reduce implementation risk. Decommissioning or disposing of the old hardware would complicate any fallback strategy, should the new system not operate correctly. A weekend can be used as a time buffer so that the new system will have a better chance of being up and running after the weekend. A different data representation does not mean different data presentation at the front end. Even when this is the case, this issue can be solved by adequate training and user support. The printing functionality is commonly one of the last functions to be tested in a new system because it is usually the last step performed in any business event. Thus, meaningful testing and the respective error fixing are only possible after all other parts of the software have been successfully tested.

Accountability for the maintenance of appropriate security measures over information assets resides with the: Select an answer: A. security administrator. B. systems administrator. C. data and systems owners. D. systems operations group.

You are correct, the answer is C. Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery/operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.

To ensure that audit resources deliver the best value to the organization, the FIRST step would be to: Select an answer: A. schedule the audits and monitor the time spent on each audit. B. train the IS audit staff on current technology used in the company. C. develop the audit plan on the basis of a detailed risk assessment. D. monitor progress of audits and initiate cost control measures.

You are correct, the answer is C. Monitoring the time (choice A) and audit programs (choice D), as well as adequate training (choice B), will improve the IS audit staff's productivity (efficiency and performance), but that which delivers value to the organization are the resources and efforts being dedicated to, and focused on, the higher-risk areas.

The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the: Select an answer: A. IT budget. B. existing IT environment. C. business plan. D. investment plan.

You are correct, the answer is C. One of the most important reasons for which projects get funded is how well a project meets an organization's strategic objectives. Portfolio management takes a holistic view of a company's overall IT strategy. IT strategy should be aligned with the business strategy and, hence, reviewing the business plan should be the major consideration. Choices A, B and D are important but secondary to the importance of reviewing the business plan.

Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another? Select an answer: A. Compare the hash total before and after the migration. B. Verify that the number of records is the same for both databases. C. Perform sample testing of the migrated account balances. D. Compare the control totals of all of the transactions.

You are correct, the answer is C. Performing sample testing of the migrated account balances will involve the comparison of a selection of individual transactions from the database before the migration. The hash total will only validate the data integrity at a batch level rather than at a transaction level. Databases are composed of records that can contain multiple fields. The number of records will not allow an IS auditor to ascertain whether some of these fields have been successfully migrated. Comparing the control totals does not imply that the records are complete.

The BEST method of confirming the accuracy of a system tax calculation is by: Select an answer: A. detailed visual review and analysis of the source code of the calculation programs. B. recreating program logic using generalized audit software to calculate monthly totals. C. preparing simulated transactions for processing and comparing the results to predetermined results. D. automatic flowcharting and analysis of the source code of the calculation programs.

You are correct, the answer is C. Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation. Detailed visual review, flowcharting and analysis of source code are not effective methods, and monthly totals would not address the accuracy of individual tax calculations.

When using public key encryption to secure data being transmitted across a network: Select an answer: A. both the key used to encrypt and decrypt the data are public. B. the key used to encrypt is private, but the key used to decrypt the data is public. C. the key used to encrypt is public, but the key used to decrypt the data is private. D. both the key used to encrypt and decrypt the data are private.

You are correct, the answer is C. Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.

When using public key encryption to secure data being transmitted across a network: Select an answer: A. both the key used to encrypt and decrypt the data are public. B. the key used to encrypt is private, but the key used to decrypt the data is public. C. the key used to encrypt is public, but the key used to decrypt the data is private. D. both the key used to encrypt and decrypt the data are private.

You are correct, the answer is C. Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.

Among the following controls, what is the BEST method to prevent inappropriate access to private and sensitive information through a business application? Select an answer: A. Two-factor authentication access control B. Encryption of authentication data C. Role-based access control (RBAC) D. Effective segregation of duties (SoD)

You are correct, the answer is C. RBAC is an approach to restrict access rights and privileges on a need-to-know basis. Roles or profiles are designed and approved according to what is required for the job and assigned tasks. While two-factor authentication and encryption are valid security measures, they do not eliminate the risk that authorized users can view or modify data that are not appropriate for their job role. SoD is a requirement in any access control scenario, but RBAC provides more fine-grained control over resources than SoD.

To address an organization's disaster recovery requirements, backup intervals should not exceed the: Select an answer: A. service level objective (SLO). B. recovery time objective (RTO). C. recovery point objective (RPO). D. maximum acceptable outage (MAO).

You are correct, the answer is C. RPO defines the point in time to which data must be restored after a disaster so as to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time frame. If service levels are not met, the usual consequences are penalty payments, not cessation of business. Organizations will try to set SLOs so as to meet established targets. The resulting time for the service level agreement (SLA) will usually be longer than the RPO. RTO defines the time period after the disaster in which normal business functionality needs to be restored. MAO is the maximum amount of system downtime that is tolerable. It can be used as a synonym for RTO. However, the RTO denotes an objective/target, while the MAO constitutes a vital necessity for an organization's survival.

Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective (RPO)? Select an answer: A. Virtual tape libraries B. Disk-based snapshots C. Continuous data backup D. Disk-to-tape backup

You are correct, the answer is C. RPO is based on the acceptable data loss in the case of a disruption. In this scenario the organization needs a short RPO. Virtual tape libraries, disk-based snapshots and disk-to-tape backup would require time to complete the backup, while continuous data backup happens online (in real time).

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system? Select an answer: A. Dumping the memory content to a file B. Generating disk images of the compromised system C. Rebooting the system D. Removing the system from the network

You are correct, the answer is C. Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory. The other choices are appropriate actions for preserving evidence.

Which of the following biometrics has the HIGHEST reliability and lowest false-acceptance rate (FAR)? Select an answer: A. Palm scan B. Face recognition C. Retina scan D. Hand geometry

You are correct, the answer is C. Retina scan uses optical technology to map the capillary pattern of an eye's retina. This is highly reliable and has the lowest FAR among the current biometric methods. Use of palm scanning entails placing a hand on a scanner where a palm's physical characteristics are captured. Hand geometry, one of the oldest techniques, measures the physical characteristics of the user's hands and fingers from a three dimensional perspective. The palm and hand biometric techniques lack uniqueness in the geometry data. In face biometrics, a reader analyzes the images captured for general facial characteristics. Though considered a natural and friendly biometric, the main disadvantage of face recognition is the lack of uniqueness, which means that people looking alike can fool the device.

Which of the following would be the MOST appropriate recovery strategy for a sensitive system with a high recovery time objective (RTO)? Select an answer: A. Warm site B. Hot site C. Cold site D. Mobile recovery site

You are correct, the answer is C. Sensitive systems having a high RTO can be performed manually at a tolerable cost for an extended period of time. The cold site would be the most cost-effective solution for such a system. While a warm site may be a good solution, it would not be the most appropriate because it is more expensive than a cold site. A hot site is used for those systems classified as critical that have a low RTO. A mobile recovery site would not be as cost-effective as a cold site and would not be appropriate for systems with high RTOs.

Which of the following would be the MOST appropriate recovery strategy for a sensitive system with a high recovery time objective (RTO)? Select an answer: A. Warm site B. Hot site C. Cold site D. Mobile recovery site

You are correct, the answer is C. Sensitive systems having a high RTO can be performed manually at a tolerable cost for an extended period of time. The cold site would be the most cost-effective solution for such a system. While a warm site may be a good solution, it would not be the most appropriate because it is more expensive than a cold site. A hot site is used for those systems classified as critical that have a low RTO. A mobile recovery site would not be as cost-effective as a cold site and would not be appropriate for systems with high RTOs.

To verify that the correct version of a data file was used for a production run, an IS auditor should review: Select an answer: A. operator problem reports. B. operator work schedules. C. system logs. D. output distribution reports.

You are correct, the answer is C. System logs are automated reports which identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The auditor can then carry out tests to ensure that the correct file version was used for a production run. Operator problem reports are used by operators to log computer operation problems. Operator work schedules are maintained to assist in human resources planning. Output distribution reports identify all application reports generated and their distribution.

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan: Select an answer: A. incorporates state of the art technology. B. addresses the required operational controls. C. articulates the IT mission and vision. D. specifies project management practices.

You are correct, the answer is C. The IT strategic plan must include a clear articulation of the IT mission and vision. The plan need not address the technology, operational controls or project management practices.

Which of the following would BEST help to prioritize project activities and determine the timeline for a project? Select an answer: A. A Gantt chart B. Earned value analysis (EVA) C. Program evaluation review technique (PERT) D. Function point analysis (FPA)

You are correct, the answer is C. The PERT method works on the principle of obtaining project timelines based on project events for three likely scenarios (worst, best, normal). The timeline is calculated by a predefined formula and identifies the critical path, which identifies the key activities that must be prioritized. EVA is a technique to track project cost versus project deliverables, but does not assist in prioritizing tasks. A Gantt chart is a simple project management tool and would help with the prioritization requirement, but it is not as effective as PERT. FPA measures the complexity of input and output, and does not help to prioritize project activities.

An IS auditor is reviewing changes to a company's disaster recovery (DR) strategy. The IS auditor notices that the recovery point objective (RPO) has been shortened for the company's mission-critical application. What is the MOST significant risk of this change? Select an answer: A. The existing DR plan is not updated to achieve the new RPO. B. The DR team has not been trained on the new RPO. C. Backups are not done frequently enough to achieve the new RPO. D. The plan has not been tested with the new RPO.

You are correct, the answer is C. The RPO is defined in the glossary of the CISA Review Manual as "the earliest point in time to which it is acceptable to recover the data." If backups are not performed frequently enough to meet the new RPO, a risk is created that the company will not have adequate backup data in the event of a disaster. This is the most significant risk because, without data, all other DR considerations are not useful. If the plan is not updated to reflect the new strategic goals of recovery time objective (RTO) and RPO, then the plan may not achieve those new goals. This is a less significant problem than not having the appropriate data available. The lack of training on the new DR strategy, as well as the lack of testing of the revised plan, both create risk in the team's ability to execute the plan; but, again, this risk is not as significant as not having data available due to the frequency of backups.

An IS auditor is reviewing changes to a company's disaster recovery (DR) strategy. The IS auditor notices that the recovery point objective (RPO) has been shortened for the company's mission-critical application. What is the MOST significant risk of this change? Select an answer: A. The existing DR plan is not updated to achieve the new RPO. B. The DR team has not been trained on the new RPO. C. Backups are not done frequently enough to achieve the new RPO. D. The plan has not been tested with the new RPO.

You are correct, the answer is C. The RPO is defined in the glossary of the CISA Review Manual as "the earliest point in time to which it is acceptable to recover the data." If backups are not performed frequently enough to meet the new RPO, a risk is created that the company will not have adequate backup data in the event of a disaster. This is the most significant risk because, without data, all other DR considerations are not useful. If the plan is not updated to reflect the new strategic goals of recovery time objective (RTO) and RPO, then the plan may not achieve those new goals. This is a less significant problem than not having the appropriate data available. The lack of training on the new DR strategy, as well as the lack of testing of the revised plan, both create risk in the team's ability to execute the plan; but, again, this risk is not as significant as not having data available due to the frequency of backups.

An IS auditor is testing employee access to a large financial system. The IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing? Select an answer: A. A spreadsheet provided by the system administrator B. Human resources (HR) documents signed by employees' managers C. A list of accounts with access levels generated by the system D. Observations performed onsite in the presence of a system administrator

You are correct, the answer is C. The access list generated by the system is the most reliable because it is the most objective evidence to perform a comparison against the samples selected. The evidence is objective because it was generated by the system rather than by an individual. A verbal statement itself is not adequate evidence for substantive tests. In most cases, documentary evidence should be collected to support the auditee's verbal statements. The HR documents signed by managers are good evidence; however, they are not as objective as the system-generated access list. The observations are good evidence to understand the internal control structure; however, observations are not efficient for a large number of users. Observations are not objective enough for substantive tests.

An IS auditor is testing employee access to a large financial system. The IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing? Select an answer: A. A spreadsheet provided by the system administrator B. Human resources (HR) documents signed by employees' managers C. A list of accounts with access levels generated by the system D. Observations performed onsite in the presence of a system administrator

You are correct, the answer is C. The access list generated by the system is the most reliable because it is the most objective evidence to perform a comparison against the samples selected. The evidence is objective because it was generated by the system rather than by an individual. A verbal statement itself is not adequate evidence for substantive tests. In most cases, documentary evidence should be collected to support the auditee's verbal statements. The HR documents signed by managers are good evidence; however, they are not as objective as the system-generated access list. The observations are good evidence to understand the internal control structure; however, observations are not efficient for a large number of users. Observations are not objective enough for substantive tests.

An IS auditor is testing employee access to a large financial system. The IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing? Select an answer: A. A spreadsheet provided by the system administrator B. Human resources (HR) documents signed by employees' managers C. A list of accounts with access levels generated by the system D. Observations performed onsite in the presence of a system administrator

You are correct, the answer is C. The access list generated by the system is the most reliable because it is the most objective evidence to perform a comparison against the samples selected. The evidence is objective because it was generated by the system rather than by an individual. A verbal statement itself is not adequate evidence for substantive tests. In most cases, documentary evidence should be collected to support the auditee's verbal statements. The HR documents signed by managers are good evidence; however, they are not as objective as the system-generated access list. The observations are good evidence to understand the internal control structure; however, observations are not efficient for a large number of users. Observations are not objective enough for substantive tests.

The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during: Select an answer: A. the internal lab testing phase. B. testing and prior to user acceptance. C. the requirements gathering process. D. the feasibility phase.

You are correct, the answer is C. The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of applications software. This provides maximum opportunity for review of the vendors and their products. Later engagement (such as during testing or acceptance phases) may result in resource constraints which could prevent complete assessment. Early engagement of an IS auditor also minimizes the potential of a business commitment to a given solution which might be more difficult to overcome as the process continues. However, assessing controls at the feasibility phase may be premature.

An advantage in using a bottom-up vs. a top-down approach to software testing is that: Select an answer: A. interface errors are detected earlier. B. confidence in the system is achieved earlier. C. errors in critical modules are detected earlier. D. major functions and processing are tested earlier.

You are correct, the answer is C. The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantages of using a bottom-up approach to software testing are the fact that there is no need for stubs or drivers and errors in critical modules are found earlier. The other choices in this question all refer to advantages of a top-down approach, which follows the opposite path, either in depth-first or breadth-first search order.

An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important? Select an answer: A. The tools used to conduct the test B. Certifications held by the IS auditor C. Permission from the data owner of the server D. An intrusion detection system (IDS) is enabled

You are correct, the answer is C. The data owner should be informed of the risk associated with a penetration test, what types of tests are to be conducted and other relevant details. All other choices are not as important as the data owner's responsibility for the security of the data assets.

An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important? Select an answer: A. The tools used to conduct the test B. Certifications held by the IS auditor C. Permission from the data owner of the server D. An intrusion detection system (IDS) is enabled

You are correct, the answer is C. The data owner should be informed of the risk associated with a penetration test, what types of tests are to be conducted and other relevant details. All other choices are not as important as the data owner's responsibility for the security of the data assets.

Which of the following is the BEST factor for determining the extent of data collection during the planning phase of an IS compliance audit? Select an answer: A. Complexity of the organization's operation B. Findings and issues noted from the prior year C. Purpose, objective and scope of the audit D. Auditor's familiarity with the organization

You are correct, the answer is C. The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. The complexity of the organization's operation, prior issues and an auditor's familiarity with the organization are factors in the planning of an audit, but do not directly affect the determination of how much data to collect.

Which of the following is the BEST factor for determining the extent of data collection during the planning phase of an IS compliance audit? Select an answer: A. Complexity of the organization's operation B. Findings and issues noted from the prior year C. Purpose, objective and scope of the audit D. Auditor's familiarity with the organization

You are correct, the answer is C. The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. The complexity of the organization's operation, prior issues and an auditor's familiarity with the organization are factors in the planning of an audit, but do not directly affect the determination of how much data to collect.

Which of the following is the BEST factor for determining the extent of data collection during the planning phase of an IS compliance audit? Select an answer: A. Complexity of the organization's operation B. Findings and issues noted from the prior year C. Purpose, objective and scope of the audit D. Auditor's familiarity with the organization

You are correct, the answer is C. The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. The complexity of the organization's operation, prior issues and an auditor's familiarity with the organization are factors in the planning of an audit, but do not directly affect the determination of how much data to collect.

A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident? Select an answer: A. Dump the volatile storage data to a disk. B. Run the server in a fail-safe mode. C. Disconnect the web server from the network. D. Shut down the web server.

You are correct, the answer is C. The first action is to disconnect the web server from the network to contain the damage and prevent more actions by the attacker. Dumping the volatile storage data to a disk may be used at the investigation stage but does not contain an attack in progress. To run the server in a fail-safe mode, the server needs to be shut down. Shutting down the server could potentially erase information that might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.

When reviewing the configuration of network devices, an IS auditor should FIRST identify: Select an answer: A. the best practices for the type of network devices deployed. B. whether components of the network are missing. C. the importance of the network devices in the topology. D. whether subcomponents of the network are being used appropriately.

You are correct, the answer is C. The first step is to understand the importance and role of the network device within the organization's network topology. After understanding the devices in the network, the best practice for using the device should be reviewed to ensure that there are no anomalies within the configuration. Identification of which component or subcomponent is missing or being used inappropriately can only be known upon reviewing and understanding the topology and the best practice for deployment of the device in the network.

While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's next step? Select an answer: A. Observe the response mechanism. B. Clear the virus from the network. C. Inform appropriate personnel immediately. D. Ensure deletion of the virus.

You are correct, the answer is C. The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response. Choice A should be taken after choice C. This will enable an IS auditor to examine the actual workability and effectiveness of the response system. An IS auditor should not make changes to the system being audited, and ensuring the deletion of the virus is a management responsibility.

For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be: Select an answer: A. stored in a secure, offsite facility. B. approved by senior management C. communicated to appropriate personnel. D. made available through the enterprise's intranet.

You are correct, the answer is C. The implementation of a BCP will be effective only if appropriate personnel are informed and aware of all the aspects of the BCP. The BCP, if kept in a safe place, will not reach the users; users will never implement the BCP and, thus, the BCP will be ineffective. Senior management approval is a prerequisite for designing the BCP. Making a BCP available on an enterprise's intranet does not guarantee that personnel will read or understand it.

Which of the following is an implementation risk within the process of decision support systems (DSSs)? Select an answer: A. Management control B. Semistructured dimensions C. Inability to specify purpose and usage patterns D. Changes in decision processes

You are correct, the answer is C. The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a DSS. Choices A, B and D are not types of risk, but characteristics of a DSS.

An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk? Select an answer: A. The policy has not been updated in more than one year. B. The policy includes no revision history. C. The policy is approved by the security administrator. D. The company does not have an information security policy committee.

You are correct, the answer is C. The information security policy should have an owner who has approved management responsibility for the development, review and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore would not have the authority to approve the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues. While the information security policy should be updated on a regular basis, the specific time period may vary based on the organization. Although reviewing policies annually is a best practice, the policy could be updated less frequently and still be relevant and effective. An outdated policy is still enforceable, whereas a policy without proper approval is not enforceable. The lack of a revision history with respect to the IS policy document is an issue, but not as significant as not having it approved by management. An IS policy committee is not required to develop and enforce a good information security policy. The policy could be written by one person, as long as the person who approves the policy has the proper authority and knowledge to review and approve the policy. Although a policy committee drawn from across the company is a best practice and may help write better policies, a good policy can be written by a single person, and the lack of a committee is not a problem by itself.

An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk? Select an answer: A. The policy has not been updated in more than one year. B. The policy includes no revision history. C. The policy is approved by the security administrator. D. The company does not have an information security policy committee.

You are correct, the answer is C. The information security policy should have an owner who has approved management responsibility for the development, review and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore would not have the authority to approve the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues. While the information security policy should be updated on a regular basis, the specific time period may vary based on the organization. Although reviewing policies annually is a best practice, the policy could be updated less frequently and still be relevant and effective. An outdated policy is still enforceable, whereas a policy without proper approval is not enforceable. The lack of a revision history with respect to the IS policy document is an issue, but not as significant as not having it approved by management. An IS policy committee is not required to develop and enforce a good information security policy. The policy could be written by one person, as long as the person who approves the policy has the proper authority and knowledge to review and approve the policy. Although a policy committee drawn from across the company is a best practice and may help write better policies, a good policy can be written by a single person, and the lack of a committee is not a problem by itself.

An IS auditor is evaluating the effectiveness of the organization's change management process. What is the MOST important control that the IS auditor should look for to ensure system availability? Select an answer: A. That changes are authorized by IT managers at all times B. That user acceptance testing (UAT) is performed and properly documented C. That test plans and procedures exist and are closely followed D. That capacity planning is performed as part of each development project

You are correct, the answer is C. The most important control for ensuring system availability is to implement a sound testing plan and procedures which are consistently followed. The other options can be important considerations, but are not as important as the consistency and reliability of and testing before migration and "going live." The quality of the testing process is critical to ensure system availability.

Which of the following is the MOST important action in recovering from a cyberattack? Select an answer: A. Creating an incident response team B. Using cyberforensic investigators C. Executing a business continuity plan D. Filing an insurance claim

You are correct, the answer is C. The most important key step in recovering from cyberattacks is the execution of a business continuity plan to quickly and cost-effectively recover critical systems, processes and data. The incident response team should exist prior to a cyberattack. When a cyberattack is suspected, cyberforensics investigators should be used to set up alarms, catch intruders within the network, and track and trace them over the Internet. After taking the above steps, an organization may have a residual risk that needs to be insured and claimed for traditional and electronic exposures.

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor? Select an answer: A. There are a growing number of emergency changes. B. There were instances when some jobs were not completed on time. C. There were instances when some jobs were overridden by computer operators. D. Evidence shows that only scheduled jobs were run.

You are correct, the answer is C. The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical. The other options are not as critical because issues such as processing delays, errors or even emergency changes are acceptable as long as they are properly documented as part of the process.

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor? Select an answer: A. There are a growing number of emergency changes. B. There were instances when some jobs were not completed on time. C. There were instances when some jobs were overridden by computer operators. D. Evidence shows that only scheduled jobs were run.

You are correct, the answer is C. The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical. The other options are not as critical because issues such as processing delays, errors or even emergency changes are acceptable as long as they are properly documented as part of the process.

Applying a digital signature to data traveling in a network provides: Select an answer: A. confidentiality and integrity. B. security and nonrepudiation. C. integrity and nonrepudiation. D. confidentiality and nonrepudiation.

You are correct, the answer is C. The process of applying a mathematical algorithm to the data that travel in the network and placing the results of this operation with the hash data is used for controlling data integrity, since any unauthorized modification to this data would result in a different hash. The application of a digital signature would accomplish the nonrepudiation of the delivery of the message. The term security is a broad concept and not a specific one. In addition to a hash and a digital signature, confidentiality is applied when an encryption process exists.

Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible? Select an answer: A. Bottom up B. Sociability testing C. Top-down D. System test

You are correct, the answer is C. The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place. Sociability testing and system tests take place at a later stage in the development process.

An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls? Select an answer: A. Allow changes to be made only with the database administrator (DBA) user account. B. Make changes to the database after granting access to a normal user account. C. Use the DBA user account to make changes, log the changes and review the change log the following day. D. Use the normal user account to make changes, log the changes and review the change log the following day.

You are correct, the answer is C. The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. The use of the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained. The use of a normal user account with no restrictions would allow uncontrolled changes to any of the databases. Logging would only provide information on changes made, but would not limit changes to only those that were authorized. Hence, logging coupled with review form an appropriate set of compensating controls.

An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls? Select an answer: A. Allow changes to be made only with the database administrator (DBA) user account. B. Make changes to the database after granting access to a normal user account. C. Use the DBA user account to make changes, log the changes and review the change log the following day. D. Use the normal user account to make changes, log the changes and review the change log the following day.

You are correct, the answer is C. The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. The use of the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained. The use of a normal user account with no restrictions would allow uncontrolled changes to any of the databases. Logging would only provide information on changes made, but would not limit changes to only those that were authorized. Hence, logging coupled with review form an appropriate set of compensating controls.

During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that: Select an answer: A. an unauthorized user may use the ID to gain access. B. user access management is time consuming. C. user accountability is not established. D. passwords are easily guessed.

You are correct, the answer is C. The use of a single user ID by more than one individual precludes knowing who, in fact, used that ID to access a system; therefore, it is more difficult to hold anyone accountable. The risk of an unauthorized user accessing the system with a shared ID is no greater than an unauthorized user accessing the system with a unique user ID. Access management would not be any different with shared IDs, and shared user IDs do not necessarily have easily guessed passwords.

The PRIMARY advantage of a continuous audit approach is that it: Select an answer: A. does not require an IS auditor to collect evidence on system reliability while processing is taking place. B. requires the IS auditor to review and follow up immediately on all information collected. C. can improve system security when used in time-sharing environments that process a large number of transactions. D. does not depend on the complexity of an organization's computer systems.

You are correct, the answer is C. The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques depends on the complexity of an organization's computer systems.

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take? Select an answer: A. Delete all copies of the unauthorized software. B. Inform the auditee of the unauthorized software, and follow up to confirm deletion. C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management. D. Warn the end users about the risk of using illegal software.

You are correct, the answer is C. The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results in exposure and can result in severe fines. An IS auditor must convince the user and user management of the risk and the need to eliminate the risk. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing or deleting the unauthorized software.

After implementation of a disaster recovery plan, predisaster and postdisaster operational costs for an organization will: Select an answer: A. decrease. B. not change (remain the same). C. increase. D. increase or decrease depending upon the nature of the business.

You are correct, the answer is C. There are costs associated with all activities and a disaster recovery plan is not an exception. Although there are costs associated with a disaster recovery plan, there are unknown costs that are incurred if a disaster recovery plan is not implemented.

Which of the following ensures a sender's authenticity and an email's confidentiality? Select an answer: A. Encrypting the hash of the message with the sender's private key and thereafter encrypting the hash of the message with the receiver's public key B. The sender digitally signing the message and thereafter encrypting the hash of the message with the sender's private key C. Encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key D. Encrypting the message with the sender's private key and encrypting the message hash with the receiver's public key

You are correct, the answer is C. To ensure authenticity and confidentiality, a message must be encrypted twice: first with the sender's private key, and then with the receiver's public key. The receiver can decrypt the message, thus ensuring confidentiality of the message. Thereafter, the decrypted message can be decrypted with the public key of the sender, ensuring authenticity of the message. Encrypting the message with the sender's private key enables anyone to decrypt it.

To optimize an organization's business contingency plan (BCP), an IS auditor should recommend a business impact analysis (BIA) in order to determine: Select an answer: A. the business processes that generate the most financial value for the organization and, therefore, must be recovered first. B. the priorities and order for recovery to ensure alignment with the organization's business strategy. C. the business processes that must be recovered following a disaster to ensure the organization's survival. D. the priorities and order of recovery which will recover the greatest number of systems in the shortest time frame.

You are correct, the answer is C. To ensure the organization's survival following a disaster, it is important to recover the most critical business processes first. It is a common mistake to overemphasize value (A) rather than urgency. For example, while the processing of incoming mortgage loan payments is important from a financial perspective, it could be delayed for a few days in the event of a disaster. On the other hand, wiring funds to close on a loan, while not generating direct revenue, is far more critical because of the possibility of regulatory problems, customer complaints and reputation issues. Choices B and D are not correct because neither the long-term business strategy nor the mere number of recovered systems has a direct impact at this point in time.

When reviewing the implementation of a local area network (LAN), an IS auditor should FIRST review the: Select an answer: A. node list. B. acceptance test report. C. network diagram. D. user's list.

You are correct, the answer is C. To properly review a LAN implementation, an IS auditor should first verify the network diagram and confirm the approval. Verification of nodes from the node list and the network diagram would be next, followed by a review of the acceptance test report and then the user's list.

An IS auditor is reviewing an IT security risk management program. Measures of security risk should: Select an answer: A. address all of the network risk. B. be tracked over time against the IT strategic plan. C. take into account the entire IT environment. D. result in the identification of vulnerability tolerances.

You are correct, the answer is C. When assessing IT security risk, it is important to take into account the entire IT environment. Measures of security risk should focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. IT strategic plans are not granular enough to provide appropriate measures. Objective metrics must be tracked over time against measurable goals, thus the management of risk is enhanced by comparing today's results against last week, last month, last quarter. Risk measures will profile assets on a network to objectively measure vulnerability risk. They do not identify tolerances.

An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review? Select an answer: A. References from other clients for the service provider B. The physical security of the service provider site C. The draft service level agreement (SLA) with the service provider D. Background checks of the service provider's employees

You are correct, the answer is C. When contracting with a service provider, it is a best practice to enter into an SLA with the provider. An SLA is a guarantee that the provider will deliver the services according to the contract. Due diligence activities such as reviewing references from other clients, reviewing physical security controls or the use of background checks for the service provider's employees are all good practices, but the SLA would be most critical since it would specify what specific levels of availability would be required and make the provider contractually obligated to deliver what was promised.

An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review? Select an answer: A. References from other clients for the service provider B. The physical security of the service provider site C. The draft service level agreement (SLA) with the service provider D. Background checks of the service provider's employees

You are correct, the answer is C. When contracting with a service provider, it is a best practice to enter into an SLA with the provider. An SLA is a guarantee that the provider will deliver the services according to the contract. Due diligence activities such as reviewing references from other clients, reviewing physical security controls or the use of background checks for the service provider's employees are all good practices, but the SLA would be most critical since it would specify what specific levels of availability would be required and make the provider contractually obligated to deliver what was promised.

Which of the following is a risk of cross-training? Select an answer: A. Increases the dependence on one employee B. Does not assist in succession planning C. One employee may know all parts of a system D. Does not help in achieving a continuity of operations

You are correct, the answer is C. When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.

Which of the following is a risk of cross-training? Select an answer: A. Increases the dependence on one employee B. Does not assist in succession planning C. One employee may know all parts of a system D. Does not help in achieving a continuity of operations

You are correct, the answer is C. When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? Select an answer: A. User management coordination does not exist. B. Specific user accountability cannot be established. C. Unauthorized users may have access to originate, modify or delete data. D. Audit recommendations may not be implemented.

You are correct, the answer is C. Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that one could gain (be given) system access when they should not have authorization. By assigning authority to grant access to specific users, there is a better chance that business objectives will be properly supported.

Which of the following is the BEST method for determining the criticality of each application system in the production environment? Select an answer: A. Interview the application programmers. B. Perform a gap analysis. C. Review the most recent application audits. D. Perform a business impact analysis (BIA).

You are correct, the answer is D. A BIA will give the impact of the loss of each application. Interviews with the application programmers will provide limited information related to the criticality of the systems. A gap analysis is only relevant to systems development and project management. The audits may not contain the required information or may not have been done recently.

An online stock trading firm is in the process of implementing a system to provide secure email exchange with its customers. What is the BEST option to ensure confidentiality, integrity and nonrepudiation? Select an answer: A. Symmetric key encryption B. Digital signatures C. Message digest algorithms D. Digital certificates

You are correct, the answer is D. A digital certificate contains the public key and identifying information about the owner of the public key. The associated private key pair is kept secret with the owner. These certificates are generally verified by a trusting authority, with the purpose of associating a person's identity with the public key. Email confidentiality and integrity are obtained by following the public key-private key encryption. With the digital certificate verified by the trusted third party, nonrepudiation of the sender is obtained. Symmetric key encryption uses a single-pass phrase to encrypt and decrypt the message. While this type of encryption is strong, it suffers from the inherent problem of needing to share the pass phrase in a secure manner. Digital signatures provide message integrity and nonrepudiation; however, because the message is decrypted in digital signatures by using the sender's public key, confidentiality is not maintained. Message digest algorithms are a way to design hashing functions to verify the integrity of the message/data. Message digest algorithms do not provide confidentiality or nonrepudiation.

Which of the following would effectively verify the originator of a transaction? Select an answer: A. Using a secret password between the originator and the receiver B. Encrypting the transaction with the receiver's public key C. Using a portable document format (PDF) to encapsulate transaction content D. Digitally signing the transaction with the source's private key

You are correct, the answer is D. A digital signature is an electronic identification of a person, created by using a public key algorithm, to verify to a recipient the identity of the source of a transaction and the integrity of its content. Since they are a "shared secret" between the user and the system itself, passwords are considered a weaker means of authentication. Encrypting the transaction with the recipient's public key will provide confidentiality for the information, while using a PDF will probe the integrity of the content but not necessarily authorship.

An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find? Select an answer: A. Use of a capability maturity model (CMM) B. Regular monitoring of task-level progress against schedule C. Extensive use of software development tools to maximize team productivity D. Postiteration reviews that identify lessons learned for future use in the project

You are correct, the answer is D. A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that the team considers and documents what worked well and what could have worked better at the end of each iteration and identifies improvements to be implemented in subsequent iterations. CMM places heavy emphasis on predefined formal processes and formal project management and software development deliverables, while agile software development projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from 4 to 8 weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant. Agile projects make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance.

An organization has terminated a database administrator (DBA). The organization immediately removes all of the DBA's access to all company systems. The DBA threatens that the database will be deleted in two months unless he/she is paid a large sum of money. Which of the following would the former DBA MOST likely use to delete the database? Select an answer: A. Virus infection B. Worm infection C. Denial-of-service (DoS) attack D. Logic bomb attack

You are correct, the answer is D. A logic bomb is hidden code that will activate when certain conditions are met; in this example, after a certain period of time. A virus is another type of malicious code, but it does not typically operate on a time delay. A worm also is a type of malicious code that does not use a time delay, but is designed to spread as quickly as possible. A DoS attack would not delete the database, but could make the service unavailable.

IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks? Select an answer: A. Port scanning B. Back door C. Man-in-the-middle D. War driving

You are correct, the answer is D. A war driving attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside. Port scanning will often target the external firewall of the organization. A back door is an opening left in software that enables an unknown entry into a system. Man-in-the-middle attacks intercept a message and either replace or modify it.

IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks? Select an answer: A. Port scanning B. Back door C. Man-in-the-middle D. War driving

You are correct, the answer is D. A war driving attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside. Port scanning will often target the external firewall of the organization. A back door is an opening left in software that enables an unknown entry into a system. Man-in-the-middle attacks intercept a message and either replace or modify it.

The PRIMARY outcome of a business impact analysis (BIA) is: Select an answer: A. a plan for resuming operations after a disaster. B. a commitment of the organization to physical and logical security. C. a framework for an effective disaster recovery plan (DRP). D. an understanding of the cost of an interruption.

You are correct, the answer is D. A. A BIA does establish a starting point for planning how to resume operations after a disaster. This is, however, not the primary purpose of a BIA. B. The public's perception of an organization's physical and logical security is not the primary objective of a BIA. C. The BIA provides an important input into business continuity planning, but not a framework for effective disaster recovery planning (DRP). D. A BIA helps one understand the cost of an interruption and identify which applications and processes are most critical to the continued functioning of the organization.

The PRIMARY outcome of a business impact analysis (BIA) is: Select an answer: A. a plan for resuming operations after a disaster. B. a commitment of the organization to physical and logical security. C. a framework for an effective disaster recovery plan (DRP). D. an understanding of the cost of an interruption.

You are correct, the answer is D. A. A BIA does establish a starting point for planning how to resume operations after a disaster. This is, however, not the primary purpose of a BIA. B. The public's perception of an organization's physical and logical security is not the primary objective of a BIA. C. The BIA provides an important input into business continuity planning, but not a framework for effective disaster recovery planning (DRP). D. A BIA helps one understand the cost of an interruption and identify which applications and processes are most critical to the continued functioning of the organization.

An organization allows employees to connect company laptops to company-controlled wireless access points. To prevent unauthorized access to the organization's internal network, the BEST preventive control is to: Select an answer: A. enable media access control (MAC) filtering. B. disable wireless ID broadcast. C. employ strong encryption. D. disallow autoconnect.

You are correct, the answer is D. A. Enabling MAC filtering does not prevent mobile devices from connecting to unauthorized access points. MAC filters prevent unauthorized systems from connecting to the company's wireless access point. They do not prevent capturing login credentials that could be used to gain unauthorized access to the network. B. Disabling the broadcast does not prevent devices from connecting to unauthorized access points and capturing login credentials. C. Encryption enables confidentiality only and does not prevent laptops from connecting to unauthorized access points used to collect login credentials. D. Disallowing autoconnect will prevent users from connecting to unauthorized hotspots. With autoconnect enabled, devices send beacons searching for the preferred hotspot. An attacker could intercept these beacons, impersonate the hotspot and host fake web sites with the intention of capturing login credentials that could allow access to the organization's network.

Which of the following carries the LOWEST risk when managing failures while transitioning from legacy applications to new applications? Select an answer: A. Phased changeover B. Abrupt changeover C. Rollback procedure D. Parallel changeover

You are correct, the answer is D. A. Phased changeover involves the changeover from the old system to the new system in a phased manner. Therefore, at no time will the old system and the new system both be fully operational as one integrated system. B. In abrupt changeover, the new system is changed from the old system on a cutoff date and time, and the old system is discontinued after changeover to the new system takes place. Therefore, the old system is not available as a backup if there are problems when the new system is implemented. C. Rollback procedures involve restoring all systems to their previous working state; however, parallel changeover is the better strategy. D. Parallel changeover involves first running the old system, then running both the old and new systems in parallel, and finally fully changing to the new system after gaining confidence in the functionality of the new system.

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt? Select an answer: A. Process narrative B. Inquiry C. Reperformance D. Walk-through

You are correct, the answer is D. A. Process narratives may not be current or complete and may not reflect the actual process in operation. B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of evidence. C. Reperformance is used to evaluate the operating effectiveness of the control rather than the design of the control. D. Walk-throughs involve a combination of inquiry and inspection of evidence with respect to business process controls. This is the most effective basis for evaluation of the design of the control as it actually exists.

Which of the following should an IS auditor be MOST concerned about in a financial application? Select an answer: A. Programmers have access to application source code. B. Secondary controls are documented for identified role conflicts. C. The information security officer does not authorize all application changes. D. Programmers have access to the production database.

You are correct, the answer is D. A. Programmers who have access to application source code are not of concern to the IS auditor because programmers need access to source code to do their job. B. When segregation of duties conflicts are identified, secondary controls should be in place to mitigate risk. While the IS auditor reviews secondary controls, in this case the greater concern is programmers having access to the production database. C. The information security officer is not likely to authorize all application changes, therefore this is not a concern for an IS auditor. D. Programmers who have access to the production database are considered a segregation of duties conflict and should be of concern to an IS auditor.

An IS auditor is reviewing the IT governance practices. Which of the following BEST helps the IS auditor evaluate the quality of alignment between IT and the business? Select an answer: A. Security policies B. Operational procedures C. Project portfolio D. IT balanced scorecard (IT BSC)

You are correct, the answer is D. A. Security policies are important; however, they are not designed to align IT to the business. B. Operational procedures do not provide the IS auditor assurance of the alignment between IT and the business. C. The project portfolio is the set of projects owned by the organization. The portfolio provides a status quo, but is not a good basis to assess alignment of IT with the business. D. The IT BSC represents the translation of the business objectives into what IT needs to do to achieve these objectives.

Which of the following is the MOST efficient way to test the design effectiveness of a change control process? Select an answer: A. Test a sample population of change requests B. Test a sample of authorized changes C. Interview personnel in charge of the change control process D. Perform an end-to-end walk-through of the process

You are correct, the answer is D. A. Testing a sample population of changes is a test of operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design. B. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization. C. Interviewing personnel in charge of the change control process is not as effective as a walk-through of the change control process. D. Observation is the best and most effective method to test changes to ensure that the process is effectively designed.

Which of the following BEST helps an IS auditor evaluate the quality of programming activities related to future maintenance capabilities? Select an answer: A. The programming language B. The development environment C. A version control system D. Program coding standards

You are correct, the answer is D. A. The programming language may be a concern if it is not a commonly used language; however, program coding standards are more important. B. The development environment may be relevant to evaluate the efficiency of the program development process, but not future maintenance of the program. C. A version control system helps manage software code revisions; however, it does not ensure that coding standards are consistently applied. D. Program coding standards are required for efficient program maintenance and modifications. To enhance the quality of programming activities and future maintenance capabilities, program coding standards should be applied. Program coding standards are essential to writing, reading and understanding code, simply and clearly, without having to refer back to design specifications.

The ability to recognize a potential security incident is: Select an answer: A. the primary responsibility of security personnel. B. not important because many types of incidents could involve security. C. supported by detailed policies. D. required of all personnel.

You are correct, the answer is D. A. The skill of recognizing potential security incidents should NOT be limited to security staff. While security staff may be more proficient in determining whether an incident is a problem, all employees should have the basic skills to identify potential security incidents and be aware of the process to alert the security team in a timely manner. B. Not all incidents are security incidents or need to involve security personnel. C. Corporate standards should provide clear criteria of what constitutes a security incident. Policies do not provide such detail. D. What constitutes a security incident must be defined in severity criteria documents and must be understood by all personnel.

When performing a postimplementation review of a software development project for a highly secure application, it is MOST important to confirm that: Select an answer: A. vulnerability testing was performed. B. the project was formally closed. C. the project schedule and budget were met. D. business requirements were met.

You are correct, the answer is D. A. Vulnerability testing may be incorporated into the system development process; however, it is most important that business requirements were met. B. Formally closing the project is important, but the primary goal of meeting business requirements is most important. C. Although meeting the designated project time line and budget is an important goal, the overall purpose of the project is to fulfill a business need. Therefore, validating that the project met the business requirements is the most important task for the IS auditor. D. Established procedures for postimplementation review should primarily ensure that business requirements were met.

The reliability of an application system's audit trail may be questionable if: Select an answer: A. user IDs are recorded in the audit trail. B. the security administrator has read-only rights to the audit file. C. date and time stamps are recorded when an action occurs. D. users can amend audit trail records when correcting system errors.

You are correct, the answer is D. An audit trail is not effective if the details in it can be amended.

Which of the following security measures BEST ensures the integrity of information stored in a data warehouse? Select an answer: A. Validated daily backups B. Change management procedures C. Data dictionary maintenance D. A read-only restriction

You are correct, the answer is D. Applying read-only restrictions to historical information prevents data manipulation. Backups address availability, not integrity. Adequate change management and data dictionary maintenance procedures provide the integrity of historical information stored in a data warehouse; however, read-only restriction provides the most secure measure for integrity.

An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violated? Select an answer: A. Consistency B. Isolation C. Durability D. Atomicity

You are correct, the answer is D. Atomicity guarantees that either the entire transaction is processed or none of it is. Consistency ensures that the database is in a legal state when the transaction begins and ends. Isolation means that, while in an intermediate state, the transaction data are invisible to external operations. Durability guarantees that a successful transaction will persist, and cannot be undone.

An organization's disaster recovery plan should address early recovery of: Select an answer: A. all information systems processes. B. all financial processing applications. C. only those applications designated by the IS manager. D. processing in priority order, as defined by business management.

You are correct, the answer is D. Business management should know which systems are critical and when they need to process well in advance of a disaster. It is management's responsibility to develop and maintain the plan. Adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service organizations that exist for the purpose of assisting the general user management in successfully performing their jobs.

An IS auditor reviewing a proposed application software acquisition should ensure that the: Select an answer: A. operating system (OS) being used is compatible with the existing hardware platform. B. planned OS updates have been scheduled to minimize negative impacts on company needs. C. OS has the latest versions and updates. D. product is compatible with the current or planned OS.

You are correct, the answer is D. Choices A, B and C are incorrect because none of them are related to the area being audited. In reviewing the proposed application, the auditor should ensure that the products to be purchased are compatible with the current or planned OS. Regarding choice A, if the OS is currently being used, it is compatible with the existing hardware platform; if it were incompatible, it would not operate properly. In choice B, the planned OS updates should be scheduled to minimize negative impacts on the organization. For choice C, the installed OS should be equipped with the most recent versions and updates (with sufficient history and stability).

Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database? Select an answer: A. Authentication controls B. Data normalization controls C. Read/write access log controls D. Commitment and rollback controls

You are correct, the answer is D. Commitment and rollback controls are directly relevant to integrity. These controls ensure that database operations that form a logical transaction unit will complete in its entirety or not at all; i.e., if, for some reason, a transaction cannot be fully completed, then incomplete inserts/updates/deletes are rolled back so that the database returns to its pretransaction state. All other choices would not address transaction integrity.

Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by: Select an answer: A. database integrity checks. B. validation checks. C. input controls. D. database commits and rollbacks.

You are correct, the answer is D. Database commits ensure the data are saved to disk, while the transaction processing is underway or complete. Rollback ensures that the already completed processing is reversed back, and the data already processed are not saved to the disk in the event of the failure of the completion of the transaction processing. All other options do not ensure integrity while processing is underway.

Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by: Select an answer: A. database integrity checks. B. validation checks. C. input controls. D. database commits and rollbacks.

You are correct, the answer is D. Database commits ensure the data are saved to disk, while the transaction processing is underway or complete. Rollback ensures that the already completed processing is reversed back, and the data already processed are not saved to the disk in the event of the failure of the completion of the transaction processing. All other options do not ensure integrity while processing is underway.

Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized? Select an answer: A. Release-to-release source and object comparison reports B. Library control software restricting changes to source code C. Restricted access to source code and object code D. Date and time-stamp reviews of source and object code

You are correct, the answer is D. Date and time-stamp reviews of source and object code would ensure that source code, which has been compiled, matches the production object code. This is the most effective way to ensure that the approved production source code is compiled and is the one being used.

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live? Select an answer: A. IS auditor B. Database administrator C. Project manager D. Data owner

You are correct, the answer is D. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted data. However, an IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project. A database administrator's primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data. A project manager provides day-to-day management and leadership of the project, but is not responsible for the accuracy and integrity of the data.

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live? Select an answer: A. IS auditor B. Database administrator C. Project manager D. Data owner

You are correct, the answer is D. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted data. However, an IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project. A database administrator's primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data. A project manager provides day-to-day management and leadership of the project, but is not responsible for the accuracy and integrity of the data.

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live? Select an answer: A. IS auditor B. Database administrator C. Project manager D. Data owner

You are correct, the answer is D. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted data. However, an IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project. A database administrator's primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data. A project manager provides day-to-day management and leadership of the project, but is not responsible for the accuracy and integrity of the data.

Effective IT governance requires organizational structures and processes to ensure that: Select an answer: A. the organization's strategies and objectives extend the IT strategy. B. the business strategy is derived from an IT strategy. C. IT governance is separate and distinct from the overall governance. D. the IT strategy extends the organization's strategies and objectives.

You are correct, the answer is D. Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives, and that the strategy is aligned with business strategy. Choice A is incorrect because it is the IT strategy that extends the organizational objectives, not the opposite. IT governance is not an isolated discipline; it must become an integral part of the overall enterprise governance.

Electromagnetic emissions from a terminal represent an exposure because they: Select an answer: A. affect noise pollution. B. disrupt processor functions. C. produce dangerous levels of electric current. D. can be detected and displayed.

You are correct, the answer is D. Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. They should not cause disruption of CPUs or effect noise pollution. TEMPEST is a term referring to the investigation and study of compromising emanations of unintentional intelligence-bearing signals that, if intercepted and analyzed, may reveal their contents.

Electromagnetic emissions from a terminal represent an exposure because they: Select an answer: A. affect noise pollution. B. disrupt processor functions. C. produce dangerous levels of electric current. D. can be detected and displayed.

You are correct, the answer is D. Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. They should not cause disruption of CPUs or effect noise pollution. TEMPEST is a term referring to the investigation and study of compromising emanations of unintentional intelligence-bearing signals that, if intercepted and analyzed, may reveal their contents.

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the: Select an answer: A. audit trail of the versioning of the work papers. B. approval of the audit phases. C. access rights to the work papers. D. confidentiality of the work papers.

You are correct, the answer is D. Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for requiring encryption.

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the: Select an answer: A. audit trail of the versioning of the work papers. B. approval of the audit phases. C. access rights to the work papers. D. confidentiality of the work papers.

You are correct, the answer is D. Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for requiring encryption.

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation? Select an answer: A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts. B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle. C. No recommendation is necessary since the current approach is appropriate for a medium-sized organization. D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization's risk management.

You are correct, the answer is D. Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risk is usually manageable enough so that external help would not be needed. While common risk may be covered by common industry standards, they cannot address the specific situation of an organization. Individual types of risk will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient.

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers? Select an answer: A. Minimizing costs for the services provided B. Prohibiting the provider from subcontracting services C. Evaluating the process for transferring knowledge to the IT department D. Determining if the services were provided as contracted

You are correct, the answer is D. From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements. Minimizing costs, if applicable and achievable (depending on the customer's need) is traditionally not part of an IS auditor's job. This would normally be done by a line management function within the IT department. Furthermore, during an audit, it is too late to minimize the costs for existing provider arrangements. Subcontracting providers could be a concern, but it would not be the primary concern. Transferring knowledge to the internal IT department might be desirable under certain circumstances, but should not be the primary concern of an IS auditor when auditing IT service providers and the management thereof.

Which of the following is the MOST reasonable option for recovering a noncritical system? Select an answer: A. Warm site B. Mobile site C. Hot site D. Cold site

You are correct, the answer is D. Generally a cold site is contracted for a longer period at a lower cost. Since it requires more time to make a cold site operational, it is generally used for noncritical applications. A warm site is generally available at a medium cost, requires less time to become operational and is suitable for sensitive operations. A mobile site is a vehicle ready with all necessary computer equipment that can be moved to any cold or warm site depending upon the need. The need for a mobile site depends upon the scale of operations. A hot site is contracted for a shorter time period at a higher cost and is better suited for recovery of vital and critical applications.

Which of the following is the MOST reasonable option for recovering a noncritical system? Select an answer: A. Warm site B. Mobile site C. Hot site D. Cold site

You are correct, the answer is D. Generally a cold site is contracted for a longer period at a lower cost. Since it requires more time to make a cold site operational, it is generally used for noncritical applications. A warm site is generally available at a medium cost, requires less time to become operational and is suitable for sensitive operations. A mobile site is a vehicle ready with all necessary computer equipment that can be moved to any cold or warm site depending upon the need. The need for a mobile site depends upon the scale of operations. A hot site is contracted for a shorter time period at a higher cost and is better suited for recovery of vital and critical applications.

Which of the following is the MOST reasonable option for recovering a noncritical system? Select an answer: A. Warm site B. Mobile site C. Hot site D. Cold site

You are correct, the answer is D. Generally a cold site is contracted for a longer period at a lower cost. Since it requires more time to make a cold site operational, it is generally used for noncritical applications. A warm site is generally available at a medium cost, requires less time to become operational and is suitable for sensitive operations. A mobile site is a vehicle ready with all necessary computer equipment that can be moved to any cold or warm site depending upon the need. The need for a mobile site depends upon the scale of operations. A hot site is contracted for a shorter time period at a higher cost and is better suited for recovery of vital and critical applications.

A company is implementing a dynamic host configuration protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern? Select an answer: A. Most employees use laptops. B. A packet filtering firewall is used. C. The IP address space is smaller than the number of PCs. D. Access to a network port is not restricted.

You are correct, the answer is D. Given physical access to a port, anyone can connect to the internal network. The other choices do not present the exposure that access to a port does. DHCP provides convenience (an advantage) to the laptop users. Sharing IP addresses and the existence of a firewall can be security measures.

A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor? Select an answer: A. Offsite storage of daily backups B. Alternative standby processor onsite C. Installation of duplex communication links D. Alternative standby processor at another network node

You are correct, the answer is D. Having an alternative standby processor at another network node would be the best solution. The unavailability of the central communications processor would disrupt all access to the banking network, resulting in the disruption of operations for all of the shops. This could be caused by failure of equipment, power or communications. Offsite storage of backups would not help, since EFT tends to be an online process and offsite storage will not replace the dysfunctional processor. The provision of an alternate processor onsite would be fine if it were an equipment problem, but would not help in the case of a power outage. Installation of duplex communication links would be most appropriate if it were only the communication link that failed.

When preparing an audit report the IS auditor should ensure that the results are supported by: Select an answer: A. statements from IS management. B. work papers of other auditors. C. an organizational control self-assessment. D. sufficient and appropriate audit evidence.

You are correct, the answer is D. ISACA's IT audit and assurance standard on reporting requires that the IS auditor have sufficient and appropriate audit evidence to support the reported results. Statements from IS management provide a basis for obtaining concurrence on matters that cannot be verified with empirical evidence. The report should be based on evidence collected during the course of the review even though the IS auditor may have access to the work papers of other auditors. The results of an organizational control self-assessment (CSA) could supplement the audit findings. Choices A, B and C may be referenced during an audit but, of themselves, would not be considered a sufficient basis for issuing a report.

Users are issued security tokens to be used in combination with a personalized identification number (PIN) to access the corporate virtual private network (VPN). Regarding the PIN, what is the MOST important rule to be included in a security policy? Select an answer: A. Users should not leave tokens where they could be stolen. B. Users must never keep the token in the same bag as their laptop computer. C. Users should select a PIN that is completely random, with no repeating digits. D. Users should never write down their PIN.

You are correct, the answer is D. If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. A token and the PIN is a two-factor authentication method. Access to the token is of no value without the PIN; one cannot work without the other. The PIN does not need to be random as long as it is secret.

The cryptographic hash sum of a message is recalculated by the receiver. This is to ensure: Select an answer: A. the confidentiality of the message. B. nonrepudiation by the sender. C. the authenticity of the message. D. the integrity of data transmitted by the sender.

You are correct, the answer is D. If the hash sum is different from what is expected, it implies that the message has been altered. This is an integrity test. Signing the message with the public key of the receiver ensures confidentiality. Signing the message with the private key of the sender ensures nonrepudiation and authenticity.

Which of the following penetration tests would MOST effectively evaluate incident handling and response capabilities of an organization? Select an answer: A. Targeted testing B. External testing C. Internal testing D. Double-blind testing

You are correct, the answer is D. In a double-blind test, the administrator and security staff are not aware of the test, which will result in an assessment of the incident handling and response capability in an organization. In targeted, external, and internal testing, the system administrator and security staff are aware of the tests since they are informed before the start of the tests.

Which of the following is the MOST important function to be performed by IS management when a service has been outsourced? Select an answer: A. Ensuring that invoices are paid to the provider B. Participating in systems design with the provider C. Renegotiating the provider's fees D. Monitoring the outsourcing provider's performance

You are correct, the answer is D. In an outsourcing environment, the company is dependent on the performance of the service provider. Therefore, it is critical the outsourcing provider's performance be monitored to ensure that services are delivered to the company as required. Payment of invoices is a finance function, which would be completed per contractual requirements. Participating in systems design is a byproduct of monitoring the outsourcing provider's performance, while renegotiating fees is usually a one-time activity.

An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have legitimate business reasons for also accessing customer information. Which of the following represents the BEST control to ensure separation of the two networks? Select an answer: A. Establish two physically separate networks. B. Implement virtual local area network (VLAN) segmentation. C. Install a dedicated router between the two networks. D. Install a firewall between the networks.

You are correct, the answer is D. In this case, a firewall could be used as a strong control to allow authorized users on the wireless network to access the wired network. While having two physically separate networks would ensure the security of customer data, it would make it impossible for authorized wireless users to access that data. While a VLAN would provide separation of the two networks, it is possible, with sufficient knowledge, for an attacker to gain access to one VLAN from the other. Similarly, a dedicated router between the two networks would separate them; however, this would be less secure than a firewall.

An IS auditor is planning an audit of a bank wire transfer system in the context of a regulation that requires banks to accurately report transactions. Which of the following represents the PRIMARY focus of the audit scope? Select an answer: A. Data availability B. Data confidentiality C. Currency of data D. Data integrity

You are correct, the answer is D. Integrity represents accuracy of data and confidentiality represents availability of data to the customers or persons authorized by customers. Although choices A, B and C are important, they are not as important in this case as accuracy.

An IS auditor is planning an audit of a bank wire transfer system in the context of a regulation that requires banks to accurately report transactions. Which of the following represents the PRIMARY focus of the audit scope? Select an answer: A. Data availability B. Data confidentiality C. Currency of data D. Data integrity

You are correct, the answer is D. Integrity represents accuracy of data and confidentiality represents availability of data to the customers or persons authorized by customers. Although choices A, B and C are important, they are not as important in this case as accuracy.

Which of the following would be the MOST significant audit finding when reviewing a point-of-sale (POS) system? Select an answer: A. Invoices recorded on the POS system are manually entered into an accounting application. B. An optical scanner is not used to read bar codes for the generation of sales invoices. C. Frequent power outages occur, resulting in the manual preparation of invoices. D. Customer credit card information is stored unencrypted on the local POS system.

You are correct, the answer is D. It is important for the IS auditor to determine if any credit card information is stored on the local POS system. Any such information, if stored, should be encrypted or protected by other means to avoid the possibility of unauthorized disclosure. Manually inputting sale invoices into the accounting application is an operational issue. If the POS system were to be interfaced with the financial accounting application, the overall efficiency could be improved. The nonavailability of optical scanners to read bar codes of the products and power outages are operational issues.

The editing/validation of data entered at a remote site would be performed MOST effectively at the: Select an answer: A. central processing site after running the application system. B. central processing site during the running of the application system. C. remote processing site after transmission of the data to the central processing site. D. remote processing site prior to transmission of the data to the central processing site.

You are correct, the answer is D. It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.

The editing/validation of data entered at a remote site would be performed MOST effectively at the: Select an answer: A. central processing site after running the application system. B. central processing site during the running of the application system. C. remote processing site after transmission of the data to the central processing site. D. remote processing site prior to transmission of the data to the central processing site.

You are correct, the answer is D. It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.

The most common reason for the failure of information systems to meet the needs of users is that: Select an answer: A. user needs are constantly changing. B. the growth of user requirements was forecast inaccurately. C. the hardware system limits the number of concurrent users. D. user participation in defining the system's requirements was inadequate.

You are correct, the answer is D. Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are, and therefore what the system should accomplish.

Event log entries related to failed local administrator logon attempts are observed by the IS auditor. Which of the following is the MOST likely cause of multiple failed login attempts? Select an answer: A. SYN flood attacks B. Social engineering C. Buffer overflow attacks D. Malicious code attacks

You are correct, the answer is D. Malicious code and Trojans commonly attempt to log on to administrator accounts. A SYN attack is a denial-of-service (DoS) attack on a particular network service and does not log on to administrator accounts. Social engineering will help in discovering passwords, but it is separate from brute-force attacks. A buffer overflow attack will not directly result in multiple logon failures.

Event log entries related to failed local administrator logon attempts are observed by the IS auditor. Which of the following is the MOST likely cause of multiple failed login attempts? Select an answer: A. SYN flood attacks B. Social engineering C. Buffer overflow attacks D. Malicious code attacks

You are correct, the answer is D. Malicious code and Trojans commonly attempt to log on to administrator accounts. A SYN attack is a denial-of-service (DoS) attack on a particular network service and does not log on to administrator accounts. Social engineering will help in discovering passwords, but it is separate from brute-force attacks. A buffer overflow attack will not directly result in multiple logon failures.

Which of the following testing techniques would the IS auditor use to identify specific program logic that has not been tested? Select an answer: A. A snapshot B. Tracing and tagging C. Logging D. Mapping

You are correct, the answer is D. Mapping identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed. A snapshot records the flow of designated transactions through logic paths within programs. Tracing and tagging shows the trail of instructions executed during an application. Logging is the activity of recording specific tasks for future review.

A database administrator has detected a performance problem with some tables which could be solved through denormalization. This situation will increase the risk of: Select an answer: A. concurrent access. B. deadlocks. C. unauthorized access to data. D. a loss of data integrity.

You are correct, the answer is D. Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with the consequent loss of data integrity. Deadlocks are not caused by denormalization. Access to data is controlled by defining user rights to information, and is not affected by denormalization.

Which of the following is the MOST critical step to perform when planning an IS audit? Select an answer: A. Review findings from prior audits. B. Develop plans to conduct a physical security review of the data center facility. C. Review IS security policies and procedures. D. Perform a risk assessment.

You are correct, the answer is D. Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IT Audit and Assurance Standard S11 (Use of Risk Assessment in Audit Planning). In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee systems or operations may not be identified for evaluation. Detection risk (the risk that a material error is not detected by the IS auditor) is increased for the IS auditor if a risk assessment is not conducted. The review of findings from prior audits is a necessary part of the engagement, but this step is not as critical as conducting a risk assessment. A physical security review of the data center facility is important, but not as critical as performing a risk assessment. Reviewing IS security policies and procedures would normally be conducted during fieldwork, not planning.

During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should: Select an answer: A. create the procedures document. B. terminate the audit. C. conduct compliance testing. D. identify and evaluate existing practices.

You are correct, the answer is D. One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. IS auditors should not prepare documentation since doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risk. Since there are no documented procedures, there is no basis against which to test compliance.

The MOST effective control for reducing the risk related to phishing is: Select an answer: A. centralized monitoring of systems. B. including signatures for phishing in antivirus software. C. publishing the policy on antiphishing on the intranet. D. security training for all users.

You are correct, the answer is D. Phishing is a type of email attack that attempts to convince a user that the originator is genuine, with the intention of obtaining information. Phishing is an example of a social engineering attack. Any social engineering type of attack can best be controlled through security and awareness training.

A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it? Select an answer: A. Rewrite the hard disk with random 0s and 1s. B. Low-level format the hard disk. C. Demagnetize the hard disk. D. Physically destroy the hard disk.

You are correct, the answer is D. Physically destroying the hard disk is the most economical and practical way to ensure that the data cannot be recovered. Rewriting data and low-level formatting are impractical, because the hard disk is damaged. Demagnetizing is an inefficient procedure, because it requires specialized and expensive equipment to be fully effective.

The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it: Select an answer: A. does not exceed the existing IT budget. B. is aligned with the investment strategy. C. has been approved by the IT steering committee. D. is aligned with the business plan.

You are correct, the answer is D. Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor. Not every enterprise has an IT steering committee.

Which of the following will prevent dangling tuples in a database? Select an answer: A. Cyclic integrity B. Domain integrity C. Relational integrity D. Referential integrity

You are correct, the answer is D. Referential integrity ensures that a foreign key in one table will equal null or the value of a primary in the other table. For every tuple in a table having a referenced/foreign key, there should be a corresponding tuple in another table, i.e., for existence of all foreign keys in the original tables. If this condition is not satisfied, then it results in a dangling tuple. Cyclical checking is the control technique for the regular checking of accumulated data on a file against authorized source documentation. There is no cyclical integrity testing. Domain integrity testing ensures that a data item has a legitimate value in the correct range or set. Relational integrity is performed at the record level and is ensured by calculating and verifying specific fields.

During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed? Select an answer: A. Field definition B. Master table definition C. Composite keys D. Foreign key structure

You are correct, the answer is D. Referential integrity in a relational database refers to consistency between coupled tables. Referential integrity is usually enforced by the combination of a primary key or candidate key (alternate key) and a foreign key. For referential integrity to hold, any field in a table that is declared a foreign key should contain only values from a parent table's primary key or a candidate key. Field definition, master table definition and composite keys are elements of the database, but are not directly related to referential integrity.

Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)? Select an answer: A. Analyzer B. Administration console C. User interface D. Sensor

You are correct, the answer is D. Sensors are responsible for collecting data. Analyzers receive input from sensors and determine intrusive activity. An administration console and a user interface are components of an IDS.

The PRIMARY objective of business continuity and disaster recovery plans should be to: Select an answer: A. safeguard critical IS assets. B. provide for continuity of operations. C. minimize the loss to an organization. D. protect human life.

You are correct, the answer is D. Since human life is invaluable, the main priority of any business continuity and disaster recovery plan should be to protect people. All other priorities are important but are secondary objectives of a business continuity and disaster recovery plan.

The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open-source software? Select an answer: A. Rewrite the patches and apply them. B. Review the code and application of available patches. C. Develop in-house patches. D. Identify and test suitable patches before applying them.

You are correct, the answer is D. Suitable patches from the existing developers should be selected and tested before applying them. Rewriting the patches and applying them is not a correct answer because it would require skilled resources and time to rewrite the patches. Code review could be possible but tests need to be performed before applying the patches. Since the system was developed outside the organization, the IT department may not have the necessary skills and resources to develop patches.

The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open-source software? Select an answer: A. Rewrite the patches and apply them. B. Review the code and application of available patches. C. Develop in-house patches. D. Identify and test suitable patches before applying them.

You are correct, the answer is D. Suitable patches from the existing developers should be selected and tested before applying them. Rewriting the patches and applying them is not a correct answer because it would require skilled resources and time to rewrite the patches. Code review could be possible but tests need to be performed before applying the patches. Since the system was developed outside the organization, the IT department may not have the necessary skills and resources to develop patches.

An advantage of using sanitized live transactions in test data is that: Select an answer: A. all transaction types will be included. B. every error condition is likely to be tested. C. no special routines are required to assess the results. D. test transactions are representative of live processing.

You are correct, the answer is D. Test data will be representative of live processing; however, it is unlikely that all transaction types or error conditions will be tested in this way.

An advantage of using sanitized live transactions in test data is that: Select an answer: A. all transaction types will be included. B. every error condition is likely to be tested. C. no special routines are required to assess the results. D. test transactions are representative of live processing.

You are correct, the answer is D. Test data will be representative of live processing; however, it is unlikely that all transaction types or error conditions will be tested in this way.

An IS auditor discovers that, in many cases, a username and password are the same, which is contrary to policy. What is the BEST recommendation? Select an answer: A. Modify the enterprise's security policy. B. Educate users about the risk of weak passwords. C. Require a periodic review of matching user IDs and passwords for detection and correction. D. Change the system configuration to enforce strong passwords.

You are correct, the answer is D. The best control is a preventive control through validation at the time the password is created or changed. Changing the enterprise's security policy and educating users about the risk of weak passwords provide only information to users, but do little to enforce this control. Requiring a periodic review of matching user IDs and passwords for detection and ensuring correction is a detective control.

The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it: Select an answer: A. facilitates user involvement. B. allows early testing of technical features. C. facilitates conversion to the new system. D. shortens the development time frame.

You are correct, the answer is D. The greatest advantage of RAD is the shorter time frame for the development of a system. Choices A and B are true, but they are also true for the traditional systems development life cycle. Choice C is not necessarily always true.

The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it: Select an answer: A. facilitates user involvement. B. allows early testing of technical features. C. facilitates conversion to the new system. D. shortens the development time frame.

You are correct, the answer is D. The greatest advantage of RAD is the shorter time frame for the development of a system. Choices A and B are true, but they are also true for the traditional systems development life cycle. Choice C is not necessarily always true.

Due to a recent economic downturn, an IT organization has terminated several administrators and consolidated all IT administration at its central headquarters. During an IT audit, the auditor determines that the organization has implemented remote administration connectivity to each site using low-cost digital subscriber line (DSL) connections and an automated simple network management protocol (SNMP)-based monitoring system. What would be the GREATEST concern? Select an answer: A. The authentication methods used for remote administration may be inadequate. B. Physical security at remote sites may not be adequate. C. Terminated employees may retain access to systems at remote sites. D. The connection to remote sites is not using a VPN for connectivity.

You are correct, the answer is D. The greatest concern is whether the network is being managed using a conventional unencrypted Internet connection. Choice A is not correct because, while the authentication methods should be reviewed, the use of an unencrypted link is a much greater risk because it can expose the network to unauthorized monitoring or configuration changes. The most common version of SNMP is version two (SNMP v2), which is not encrypted. Even if the authentication methods are adequate, the use of an unencrypted network connection and an unencrypted protocol can allow an attacker to view and possibly modify network device configurations at the remote sites. Choice B is not correct because, while the physical security of the remote sites is important, a network connection with inadequate security controls is a much greater risk. Choice C is not correct because it is assumed that the access rights of terminated employees were revoked immediately when they left the company. While this would be an issue if this condition were discovered, the greater concern would be if the security of the network connection was inadequate.

An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture? Select an answer: A. A Secure Sockets Layer (SSL) has been implemented for user authentication and remote administration of the firewall. B. Firewall policies are updated on the basis of changing requirements. C. Inbound traffic is blocked unless the traffic type and connections have been specifically permitted. D. The firewall is placed on top of the commercial operating system with all installation options.

You are correct, the answer is D. The greatest concern when implementing firewalls on top of commercial operating systems is the potential presence of vulnerabilities that could undermine the security posture of the firewall platform itself. In most circumstances, when commercial firewalls are breached that breach is facilitated by vulnerabilities in the underlying operating system. Keeping all installation options available on the system further increases the risk of vulnerabilities and exploits. Using SSL for firewall administration (choice A) is important, because changes in user and supply chain partners' roles and profiles will be dynamic. Therefore, it is appropriate to maintain the firewall policies daily (choice B), and prudent to block all inbound traffic unless permitted (choice C).

An organization is disposing of a number of laptop computers. Which of the following data destruction methods would be the MOST effective? Select an answer: A. Run a low-level data wipe utility on all hard drives. B. Erase all data file directories. C. Format all hard drives. D. Physical destruction of the hard drive.

You are correct, the answer is D. The most effective method is physical destruction. Running a low-level data wipe utility may leave some residual data that could be recovered; erasing data directories and formatting hard drives are easily reversed, exposing all data on the drive to unauthorized individuals.

Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application? Select an answer: A. User registration and password policies B. User security awareness C. Use of intrusion detection/intrusion prevention systems (IDSs/IPSs) D. Domain name system (DNS) server security hardening

You are correct, the answer is D. The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. In order to avoid this kind of attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning. Older versions of DNS software are vulnerable to this kind of attack and should be patched. User registration, password policies, awareness and the use of IDSs/IPSs cannot mitigate pharming attacks because they do not prevent manipulation of DNS records.

When developing a disaster recovery plan, the criteria for determining the acceptable downtime should be the: Select an answer: A. annualized loss expectancy (ALE). B. service delivery objective. C. quantity of orphan data. D. maximum tolerable outage.

You are correct, the answer is D. The recovery time objective (RTO) is determined based on the acceptable downtime in case of a disruption of operations. It indicates the maximum tolerable outage that an organization considers to be acceptable before a system or process must resume following a disaster. Choice A is not correct because the acceptable downtime would not be determined by the ALE. Choices B and C are relevant to business continuity, but they are not determined by acceptable downtime.

A sender of an email message applies a digital signature to the digest of the message. This action provides assurance of the: Select an answer: A. date and time stamp of the message. B. identity of the originating computer. C. confidentiality of the message's content. D. authenticity of the sender.

You are correct, the answer is D. The signature on the digest can be used to authenticate the sender. It does not provide assurance of the date and time stamp or the identity of the originating computer. Digitally signing an email message does not prevent access to its content and, therefore, does not assure confidentiality.

A sender of an email message applies a digital signature to the digest of the message. This action provides assurance of the: Select an answer: A. date and time stamp of the message. B. identity of the originating computer. C. confidentiality of the message's content. D. authenticity of the sender.

You are correct, the answer is D. The signature on the digest can be used to authenticate the sender. It does not provide assurance of the date and time stamp or the identity of the originating computer. Digitally signing an email message does not prevent access to its content and, therefore, does not assure confidentiality.

An enterprise's risk appetite is BEST established by: Select an answer: A. the chief legal officer. B. security management. C. the audit committee. D. the steering committee.

You are correct, the answer is D. The steering committee is best suited to determine the enterprise's risk appetite because the committee draws its representation from senior management. Although chief legal officers can give guidance regarding legal issues on the policy, they cannot determine the risk appetite. The security management team is concerned with managing the security posture, but not with determining the posture. The audit committee is not responsible for setting the risk tolerance or appetite of the enterprise.

A disaster recovery plan for an organization's financial system specifies that the recovery point objective (RPO) is zero and the recovery time objective (RTO) is 72 hours. Which of the following is the MOST cost-effective solution? Select an answer: A. A hot site that can be operational in eight hours with asynchronous backup of the transaction logs B. Distributed database systems in multiple locations updated asynchronously C. Synchronous updates of the data and standby active systems in a hot site D. Synchronous remote copy of the data in a warm site that can be operational in 48 hours

You are correct, the answer is D. The synchronous copy of the storage achieves the RPO, and a warm site operational in 48 hours meets the required RTO. Asynchronous updates of the database in distributed locations do not meet the RPO. Synchronous updates of the data and standby active systems in a hot site meet the RPO and RTO requirements but are more costly than a warm site solution.

During a fieldwork observation of system administrative functions, an IS auditor discovered that changes made to the database after normal working hours required only an abbreviated number of steps compared to those made during normal working hours. Which of the following would be considered an adequate set of compensating controls? Select an answer: A. Use the privileged administrative account, log the changes and review the change log on the following day. B. Use the normal user account to make changes, log the changes and review the change log on the following day. C. Allow changes to be made only after granting access to a normal user account, and review the change log on the following day. D. Use the database administrator (DBA) user account to make changes, log the changes and review the change log on the following day.

You are correct, the answer is D. The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal working hours. The use of a log allows changes to be reviewed. The privileged accounts can be used by multiple users, and the use of a normal user account with no restrictions would allow uncontrolled changes to the databases. The use of the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained.

When an employee is terminated from service, the MOST important action is to: Select an answer: A. hand over all of the employee's files to another designated employee. B. complete a backup of the employee's work. C. notify other employees of the termination. D. disable the employee's logical access.

You are correct, the answer is D. There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important action to take. All the work of the terminated employee needs to be handed over to a designated employee; however, this should be performed after implementing choice D. All the work of the terminated employee needs to be backed up and the employees need to be notified of the termination of the employee, but this should not precede the action in choice D.

When an employee is terminated from service, the MOST important action is to: Select an answer: A. hand over all of the employee's files to another designated employee. B. complete a backup of the employee's work. C. notify other employees of the termination. D. disable the employee's logical access.

You are correct, the answer is D. There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important action to take. All the work of the terminated employee needs to be handed over to a designated employee; however, this should be performed after implementing choice D. All the work of the terminated employee needs to be backed up and the employees need to be notified of the termination of the employee, but this should not precede the action in choice D.

An accuracy measure for a biometric system is: Select an answer: A. system response time. B. registration time. C. input file size. D. false-acceptance rate (FAR).

You are correct, the answer is D. Three main accuracy measures are used for a biometric solution: false-rejection rate (FRR), cross-error rate (CER) and FAR. FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often invalid individuals are accepted. CER is a measure of when the false-rejection rate equals the false-acceptance rate. Choices A and B are performance measures.

The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program? Select an answer: A. Utilizing of intrusion detection system to report incidents B. Mandating the use of passwords to access all software C. Installing an efficient user log system to track the actions of each user D. Training provided on a regular basis to all current and new employees

You are correct, the answer is D. Training is the only choice that is directed at security awareness. Utilizing an intrusion detection system to report on incidents that occur is an implementation of a security program and is not effective in establishing a security awareness program. Choices B and C do not address awareness.

An IS auditor evaluating logical access controls should FIRST: Select an answer: A. document the controls applied to the potential access paths to the system. B. test controls over the access paths to determine if they are functional. C. evaluate the security environment in relation to written policies and practices. D. obtain an understanding of the security risk to information processing.

You are correct, the answer is D. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and by conducting a risk assessment. Documentation and evaluation is the second step in assessing the adequacy, efficiency and effectiveness, thus identifying deficiencies or redundancy in controls. The third step is to test the access paths—to determine if the controls are functioning. Lastly, the IS auditor evaluates the security environment to assess its adequacy by reviewing the written policies, observing practices and comparing them to appropriate security best practices.

When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated? Select an answer: A. Using a cryptographic hashing algorithm B. Enciphering the message digest C. Deciphering the message digest D. Using a sequence number and time stamp

You are correct, the answer is D. When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection, and could be used to verify that a payment instruction was not duplicated. Use of a cryptographic hashing algorithm against the entire message helps achieve data integrity. Enciphering the message digest using the sender's private key, which signs the sender's digital signature to the document, helps in authenticating the transaction. When the message is deciphered by the receiver using the sender's public key, it ensures that the message could only have come from the sender. This process of sender authentication achieves nonrepudiation.

An IS auditor performing a review of a major software development project finds that it is on schedule and under budget due to unplanned overtime by software developers. The IS auditor should: Select an answer: A. conclude that the project is progressing as planned since dates are being met. B. question the project manager further to identify whether overtime costs are being tracked accurately. C. conclude that the programmers are intentionally working slowly to earn extra overtime pay. D. investigate further to determine whether the project plan may not be accurate.

You are correct, the answer is D. While the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project plan is based on a certain number of hours, and requiring programmers to work considerable overtime is not a best practice. While overtime costs may be an indicator that something is wrong with the plan, in many organizations the programming staff may be salaried, so overtime costs may not be directly recorded. It is possible that the programmers are trying to take advantage of the time system, but if they are not paid extra for overtime, they may not want to work the extra hours.

It is MOST appropriate to implement an incremental backup scheme when: Select an answer: A. there is limited recovery time for critical data. B. online disk-based media are preferred. C. there is limited media capacity. D. a random selection of backup sets is required.

the answer is C. A. A full backup or differential backup is preferred in this situation. B. Incremental backup could be used irrespective of the media adopted. C. In an incremental backup, after the full backup, only the files that have changed are backed up, thus minimizing media storage. D. A random selection of backup sets may not be possible with an incremental backup scheme because only fragments of the data are backed up on a daily basis.

Which of the following is an appropriate test method to apply to a business continuity plan (BCP)? Select an answer: A. Pilot B. Paper C. Unit D. System

№ 10; не знаю правильный ответ. точно не A. Pilot


Kaugnay na mga set ng pag-aaral

Foundations of Project Management

View Set

Software Engineering Test Questions

View Set

Mgmt Theory Midterm (Chapters 1, 2, and 3)

View Set

Chapter 3: Cell Structure and Function (biology)

View Set

OT Survey - Review Questions for Final

View Set

Cultural Anthropology FINAL Part 2

View Set

A&P 1 Exam 4: Chapter 10, 11, and 12

View Set

N128 Week 3 - Lewis Adaptive Quizzing #1

View Set