CISA Questions 201 - 300

Which of the following would BEST help to prioritize project activities and determine the time line for a project? A. A Gantt chart B. Earned value analysis (EVA) C. Program evaluation review technique (PERT) D. Function point analysis (FPA)

You answered A. The correct answer is C. A. A Gantt chart is a simple project management tool and would help with the prioritization requirement, but it is not as effective as program evaluation review technique (PERT). B. Earned value analysis (EVA) is a technique to track project cost versus project deliverables but does not assist in prioritizing tasks. C. The PERT method works on the principle of obtaining project time lines based on project events for three likely scenarios (worst, best, normal). The time line is calculated by a predefined formula and identifies the critical path, which identifies the key activities that must be prioritized. D. Function point analysis (FPA) measures the complexity of input and output and does not help to prioritize project activities.

Depending on the complexity of an organization's business continuity plan (BCP), it may be developed as a set of plans to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that: Select an answer: A. each plan is consistent with one another. B. all plans are integrated into a single plan. C. each plan is dependent on one another. D. the sequence for implementation of all plans is defined.

You answered B. The correct answer is A. A. Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery, but the plans must be consistent to be effective. B. The plans do not necessarily have to be integrated into one single plan. C. Although each plan may be independent, each plan has to be consistent with other plans to have a viable business continuity planning strategy. D. It may not be possible to define a sequence in which plans have to be implemented because it may be dependent on the nature of disaster, criticality, recovery time, etc.

Which of the following is MOST important to ensure that effective application controls are maintained? Select an answer: A. Exception reporting B. Manager involvement C. Control self-assessment (CSA) D. Peer review

You are correct, the answer is C. A. Exception reporting only looks at errors or problems, but will not ensure that controls are still working. B. Manager involvement is important, but may not be a consistent or well-defined process compared to control self-assessment (CSA). C. CSA is the review of business objectives and internal controls in a formal and documented collaborative process. It includes testing the design of automated application controls. D. Peer review lacks the direct involvement of audit specialists and management.

Integrating the business continuity plan (BCP) into IT project management aids in: Select an answer: A. the testing of the business continuity requirements. B. the development of a more comprehensive set of requirements. C. the development of a transaction flowchart. D. ensuring the application meets the user's needs.

You answered A. The correct answer is B. A. Testing the business continuity plan's (BCP) requirements is not related to IT project management. B. Integrating the BCP into the development process ensures complete coverage of the requirements through each phase of the project. C. A transaction flowchart aids in analyzing an application's controls, but does not affect business continuity. D. A BCP will not directly address the detailed processing needs of the users.

Which of the following would contribute MOST to an effective business continuity plan (BCP)? Select an answer: A. The document is circulated to all interested parties. B. Planning involves all user departments. C. The plan is approved by senior management. D. An audit is performed by an external IS auditor.

You answered A. The correct answer is B. A. The BCP circulation will ensure that the BCP document is received by all users. Although essential, this does not contribute significantly to the success of the BCP. B. The involvement of user departments in the BCP is crucial for the identification of the business processing priorities and the development of an effective plan. C. A BCP approved by senior management would not necessarily ensure the effectiveness of the BCP. D. An audit would not necessarily improve the quality of the BCP.

An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? Select an answer: A. An audit clause is present in all contracts. B. The service level agreement (SLA) of each contract is substantiated by appropriate key performance indicators (KPIs). C. The contractual warranties of the providers support the business needs of the organization. D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.

You answered A. The correct answer is C. A. All other choices are important, but the first step is to ensure that the contracts support the business—only then can an audit process be valuable. B. All service level agreements (SLAs) should be measureable and reinforced through key performance indicators (KPIs)—but the first step is to ensure that the SLAs are aligned with business requirements. C. The primary requirement is for the services provided by the outsource supplier to meet the needs of the business. D. Having appropriate controls in place for contract termination are important, but first the IS auditor must be focused on the requirement of the supplier to meet business needs.

The output of the risk management process is an input for making: Select an answer: A. business plans. B. audit charters. C. security policy decisions. D. software design decisions.

You answered B. The correct answer is C. A. Making a business plan is not the ultimate goal of the risk management process. B. Risk management can help create the audit plan, but not the audit charter. C. The risk management process is about making specific, security-related decisions such as the level of acceptable risk. D. Risk management will drive the design of security controls in software, but influencing security policy is more important.

Which of the following is an appropriate test method to apply to a business continuity plan (BCP)? Select an answer: A. Pilot B. Paper C. Unit D. System

You answered A. The correct answer is B. A. A pilot test is used for implementing a new process or technology and is not appropriate for a business continuity plan (BCP). B. A paper test (sometimes called a deskcheck) is appropriate for testing a BCP. It is a walk-through of the entire BCP, or part of the BCP, involving major players in the BCP's execution who reason out what may happen in a particular disaster. C. A unit test is used to test new software components and is not appropriate for a BCP. D. A system test is an integrated test used to test a new IT system but is not appropriate for a BCP.

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk? Select an answer: A. Risk reduction B. Risk transfer C. Risk avoidance D. Risk mitigation

You answered A. The correct answer is B. A. Risk reduction is a term synonymous with risk mitigation. Risk reduction lowers risk to a level commensurate with the organization's risk appetite. Risk reduction treats the risk, while risk transfer does not always address compliance risk. B. Risk transfer typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist. C. Risk avoidance does not expose the organization to compliance risk because the business practice that caused the inherent risk to exist is no longer being pursued. D. Mitigating risk will still expose the organization to a certain amount of risk. Risk mitigation lowers risk to a level commensurate with the organization's risk appetite. However, risk transference is the best answer because risk mitigation treats the risk, while risk transfer does not necessarily address compliance risk.

Which of the following is the PRIMARY objective of the business continuity plan (BCP) process? Select an answer:A. To provide assurance to stakeholders that business operations will continue in the event of disaster B. To establish an alternate site for IT services to meet predefined recovery time objectives (RTOs) C. To manage risk while recovering from an event that adversely affected operations D. To meet the regulatory compliance requirements in the event of natural disaster

You answered A. The correct answer is C. A. The business continuity plan (BCP) in itself does not provide assurance of continuing operations; however, it helps the organization to respond to disruptions to critical business processes. B. Establishment of an alternate site is more relevant to disaster recovery than the BCP. C. The BCP process primarily focuses on managing and mitigating risk during recovery of operations due to an event that affected operations. D. The regulatory compliance requirements may help establish the recovery time objective (RTO) requirements

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation? Select an answer: A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts. B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle. C. No recommendation is necessary because the current approach is appropriate for a medium-sized organization. D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization's risk management.

You answered A. The correct answer is D. A. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risk is usually manageable enough so that external help would not be needed. B. While common risk may be covered by industry standards, they cannot address the specific situation of an organization. Individual types of risk will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient to manage IT risk. C. The auditor should recommend a formal IT risk management effort because the failure to demonstrate responsible IT risk management may be a liability for the organization. D. Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk register and mitigation plans up to date.

Which of the following should be of MOST concern to an IS auditor reviewing the business continuity plan (BCP)? Select an answer: A. The disaster levels are based on scopes of damaged functions but not on duration. B. The difference between low-level disaster and software incidents is not clear. C. The overall BCP is documented, but detailed recovery steps are not specified. D. The responsibility for declaring a disaster is not identified.

You answered A. The correct answer is D. A. Although failure to consider duration could be a problem, it is not as significant as scope, and neither is as critical as the need to identify someone with the authority to invoke the business continuity plan (BCP). B. The difference between incidents and low-level disasters is always unclear and frequently revolves around the amount of time required to correct the damage. C. The lack of detailed steps should be documented, but their absence does not mean a lack of recovery if, in fact, someone has invoked the BCP. D. If nobody declares the disaster, the BCP would not be invoked, making all other concerns less important.

The PRIMARY objective of testing a business continuity plan is to: Select an answer: A. familiarize employees with the business continuity plan. B. ensure that all residual risk is addressed. C. exercise all possible disaster scenarios. D. identify limitations of the business continuity plan.

You answered A. The correct answer is D. A. Familiarizing employees with the business continuity plan is a secondary benefit of a test. B. It is not cost-effective to address all residual risk in a business continuity plan. C. It is not practical to test all possible disaster scenarios. D. Testing the business continuity plan provides the best evidence of any limitations that may exist.

Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan (BCP)? Select an answer: A. The plan is approved by the chief information officer (CIO). B. The plan contact lists have not been updated. C. Test results are not adequately documented. D. The training schedule for recovery personnel is not included.

You answered B. The correct answer is C. A. Ideally, the board of directors should approve the plan to ensure acceptability, but it is possible to delegate approval authority to the chief information officer (CIO). Pragmatically, lack of documenting test results could have more significant consequences. B. The contact lists are an important part of the business continuity plan (BCP); however, they are not as important as documenting the test results. C. The effectiveness of a BCP can best be determined through tests. If results of tests are not documented, then there is no basis for feedback, updates, etc. D. If test results are documented, a need for training will be identified and the BCP will be updated.

To optimize an organization's business continuity plan (BCP), an IS auditor should recommend a business impact analysis (BIA) to determine: Select an answer: A. the business processes that generate the most financial value for the organization and, therefore, must be recovered first. B. the priorities and order for recovery to ensure alignment with the organization's business strategy. C. the business processes that must be recovered following a disaster to ensure the organization's survival. D. the priorities and order of recovery, which will recover the greatest number of systems in the shortest time frame.

You answered B. The correct answer is C. A. It is a common mistake to overemphasize financial value rather than urgency. For example, while the processing of incoming mortgage loan payments is important from a financial perspective, it could be delayed for a few days in the event of a disaster. On the other hand, wiring funds to close on a loan, while not generating direct revenue, is far more critical because of the possibility of regulatory problems, customer complaints and reputation issues. B. The business strategy (which is often a long-term view) does not have a direct impact at this point in time. C. To ensure the organization's survival following a disaster, it is important to recover the most critical business processes first. D. The mere number of recovered systems does not have a direct impact at this point in time. The importance is to recover systems that would impact business survival.

An IS auditor is reviewing an IT security risk management program. Measures of security risk should: Select an answer: A. address all of the network risk. B. be tracked over time against the IT strategic plan. C. take into account the entire IT environment. D. result in the identification of vulnerability tolerances.

You answered B. The correct answer is C. A. Measures of security risk should not be limited to network risk, but rather focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. B. IT strategic plans are not granular enough to provide appropriate measures. Objective metrics must be tracked over time against measurable goals; thus, the management of risk is enhanced by comparing today's results against last week, last month, last quarter. Risk measures will profile assets on a network to objectively measure vulnerability risk. C. When assessing IT security risk, it is important to take into account the entire IT environment. D. Measures of security risk do not identify tolerances.

As part of the business continuity planning (BCP) process, which of the following should be identified FIRST in the business impact analysis (BIA)? Select an answer: A. Risk such as single point-of-failure and infrastructure risk B. Threats to critical business processes C. Critical business processes for ascertaining the priority for recovery D. Resources required for resumption of business

You answered B. The correct answer is C. A. Risk should be identified after the critical business processes have been identified. B. The identification of threats to critical business processes can only be determined after the critical business processes have been identified. C. The identification of critical business processes should be addressed first so that the priorities and time lines for recovery can be documented. D. Identification of resources required for business resumption will occur after the identification of critical business processes.

The PRIMARY objective of business continuity and disaster recovery plans should be to: Select an answer: A. safeguard critical IS assets. B. provide for continuity of operations. C. minimize the loss to an organization. D. protect human life.

You answered B. The correct answer is D. A. Safeguarding critical IS assets is a secondary objective of a business continuity and disaster recovery plan. The first priority is always life safety. B. Providing continuity of operations is a secondary objective of a business continuity and disaster recovery plan. The first priority is always life safety. C. Minimizing the loss to an organization is a secondary objective of a business continuity and disaster recovery plan. The first priority is always life safety. D. Because human life is invaluable, the main priority of any business continuity and disaster recovery plan should be to protect people.

A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP? Select an answer: A. Full-scale test with relocation of all departments, including IT, to the contingency site B. Walk-through test of a series of predefined scenarios with all critical personnel involved C. IT disaster recovery test with business departments involved in testing the critical applications D. Functional test of a scenario with limited IT involvement

You answered B. The correct answer is D. A. A full-scale test in the situation described might fail because it would be the first time that the plan is actually exercised, and a number of resources (including IT) and time would be wasted. B. The walk-through test is a basic type of testing. Its intention is to make key staff familiar with the plan and discuss critical plan elements, rather than verifying its adequacy. C. The recovery of applications should always be verified and approved by the business instead of being purely IT-driven. The IT plan has been tested repeatedly so a disaster recovery test would not help in verifying the administrative and organizational parts of the BCP, which are not IT-related. D. After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Because the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the BCP before actually involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule.

With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor? Select an answer: A. Core activities that provide a differentiated advantage to the organization have been outsourced. B. Periodic renegotiation is not specified in the outsourcing contract. C. The outsourcing contract fails to cover every action required by the business. D. Similar activities are outsourced to more than one vendor.

You answered C. The correct answer is A. A. An organization's core activities generally should not be outsourced because they are what the organization does best; an IS auditor observing that should be concerned. B. An IS auditor should not be concerned about periodic renegotiation in the outsourcing contract because that is dependent on the term of the contract. C. Outsourcing contracts cannot be expected to cover every action and detail expected of the parties involved, but should cover business requirements. D. Multisourcing is an acceptable way to reduce risk associated with a single point of failure.

An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan? Select an answer: A. Full operational test B. Preparedness test C. Paper test D. Regression test

You answered C. The correct answer is B. A. A full operational test is conducted after the paper and preparedness test and is quite expensive. B. A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for disaster recovery. C. A paper test is a structured walk-through of the disaster recovery plan and should be conducted before a preparedness test, but a paper test (deskcheck) is not sufficient to test the viability of the plan. D. A regression test is not a disaster recovery plan test and is used in software development and maintenance.

To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the: Select an answer: A. enterprise data model. B. IT balanced scorecard (BSC). C. IT organizational structure. D. historical financial statements.

You answered C. The correct answer is B. A. An enterprise data model is a document defining the data structure of an organization and how data interrelate. It is useful, but it does not provide information on investments in IT assets. B. The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. In this way the auditor can measure the success of the IT investment and strategy. C. The IT organizational structure provides an overview of the functional and reporting relationships in an IT entity, but does not ensure effectiveness of IT investment. D. Historical financial statements do not provide information about planning and lack sufficient detail to enable one to fully understand management's activities regarding IT assets. Past costs do not necessarily reflect value, and assets such as data are not represented on the books of accounts.

Which of the following tasks should be performed FIRST when preparing a disaster recovery plan (DRP)? Select an answer: A. Develop a recovery strategy. B. Perform a business impact analysis (BIA). C. Map software systems, hardware and network components. D. Appoint recovery teams with defined personnel, roles and hierarchy.

You answered C. The correct answer is B. A. Developing a recovery strategy will come after performing a business impact analysis (BIA). B. The first step in any disaster recovery plan (DRP) is to perform a BIA. C. The BIA will identify critical business processes and the systems that support those processes. Mapping software systems, hardware and network components will come after performing a BIA. D. Appointing recovery teams with defined personnel, roles and hierarchy will come after performing a BIA.

An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following: The existing DRP was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department. The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting their attention. The DRP has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for its area in the event of a disruptive incident. The IS auditor's report should recommend that: A. the deputy CEO be censured for failure to approve the plan. B. a board of senior managers is set up to review the existing plan. C. the existing plan is approved and circulated to all key management and staff. D. a manager coordinates the creation of a new or revised plan within a defined time limit.

You answered C. The correct answer is D. A. Censuring the deputy chief executive officer (CEO) will not improve the current situation and is generally not within the scope of an IS auditor to recommend. B. Establishing a board to review the disaster recover plan (DRP), which is two years out of date, may achieve an updated DRP but is not likely to be a speedy operation; issuing the existing DRP would be folly without first ensuring that it is workable. C. The current DRP may be unacceptable or ineffective and recommending the approval of the DRP may be unwise. The best way to develop a DRP in a short time is to make an experienced manager responsible for coordinating the knowledge of other managers into a single, formal document within a defined time limit. D. The primary concern is to establish a workable DRP, which reflects current processing volumes to protect the organization from any disruptive incident.

An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review? Select an answer: A. Controls are implemented based on cost-benefit analysis. B. The risk management framework is based on global standards. C. The approval process for risk response is in place. D. IT risk is presented in business terms.

You answered C. The correct answer is D. A. Controls to mitigate risk must be implemented based on cost-benefit analysis; however, the cost-benefit analysis is effective only if risk is presented in business terms. B. A risk management framework based on global standards helps in ensuring completeness; however, organizations must adapt it to suit specific business requirements. C. Approvals for risk response come later in the process. D. In order for risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms.

Which of the following is the PRIMARY objective of an IT performance measurement process? Select an answer: A. Minimize errors. B. Gather performance data. C. Establish performance baselines. D. Optimize performance.

You answered C. The correct answer is D. A. Minimizing errors is an aspect of performance but not the primary objective of performance management. B. Gathering performance data is necessary to measure IT performance but is not the objective of the process. C. The performance measurement process compares actual performance with baselines but that is not the objective of the process. D. An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions.

After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways, and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented? Select an answer: A. A cost-benefit analysis B. An annual loss expectancy (ALE) calculation C. A comparison of the cost of the IPS and firewall and the cost of the business systems D. A business impact analysis (BIA)

You answered D. The correct answer is A. A. In a cost-benefit analysis, the total expected purchase and operational/support costs and a qualitative value for all actions are weighted against the total expected benefits to choose the best technical, most profitable, least expensive or acceptable risk option. B. The annual loss expectancy (ALE) is the expected monetary loss that is estimated for an asset over a one-year period. It is a useful calculation that should be included in determining the necessity of controls but is not sufficient alone. C. The cost of the hardware assets should be compared to the total value of the information that the asset protects, including the cost of the systems where the data reside and across which data are transmitted. D. Potential business impact is only one part of the cost-benefit analysis.

With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the: Select an answer: A. clarity and simplicity of the business continuity plans. B. adequacy of the business continuity plans. C. effectiveness of the business continuity plans. D. ability of IS and end-user personnel to respond effectively in emergencies.

You answered D. The correct answer is A. A. The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple. B. To evaluate adequacy, the IS auditor should review the plans and compare them to appropriate standards and the results of tests of the plan. C. To evaluate effectiveness, the IS auditor should review the results from previous tests or incidents. This is the best determination for the evaluation of effectiveness. An understanding of roles and responsibilities by key stakeholders will assist in ensuring the business continuity plan is effective. D. To evaluate the response, the IS auditor should review results of continuity tests. This will provide the IS auditor with assurance that target and recovery times are met. Emergency procedures and employee training need to be reviewed to determine whether the organization has implemented plans to allow for an effective response.

Which of the following is an attribute of the control self-assessment (CSA) approach? Select an answer: A. Broad stakeholder involvement B. Auditors are the primary control analysts C. Limited employee participation D. Policy driven

You answered D. The correct answer is A. A. The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training—all of which are representations of broad stakeholder involvement. B. IS auditors are the primary control analysts in a traditional audit approach. CSA involves many stakeholders, not just auditors. C. Limited employee participation is an attribute of a traditional audit approach. D. Policy-driven is an attribute of a traditional audit approach.

Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application? Select an answer:A. User management B. Project steering committee C. Senior management D. Quality assurance staff

You answered D. The correct answer is A. A. User management assumes ownership of the project and resulting system, allocates qualified representatives to the team and actively participates in system requirements definition, acceptance testing and user training. User management should review and approve system deliverables as they are defined and accomplished or implemented. B. A project steering committee provides overall direction, ensures appropriate representation of the major stakeholders in the project's outcome, reviews project progress regularly and holds emergency meetings when required. A project steering committee is ultimately responsible for all deliverables, project costs and schedules. C. Senior management demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those who are needed to complete the project. D. Quality assurance staff review results and deliverables within each phase, and at the end of each phase confirm compliance with standards and requirements. The timing of reviews depends on the system development life cycle, the impact of potential deviation methodology used, the structure and magnitude of the system and the impact of potential deviation. Question #: 287 CISA Job Practice Task Statement: 3.5

Change control for business application systems being developed using prototyping could be complicated by the: A. iterative nature of prototyping. B. rapid pace of modifications in requirements and design. C. emphasis on reports and screens. D. lack of integrated tools.

You answered D. The correct answer is B. A. A characteristic of prototyping is its iterative nature, but it does not have an adverse effect on change control. B. Changes in requirements and design happen so quickly that they are seldom documented or approved. C. A characteristic of prototyping is its emphasis on reports and screens, but it does not have an adverse effect on change control. D. Lack of integrated tools is a characteristic of prototyping, but it does not have an adverse effect on change control.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: Select an answer: A. claims to meet or exceed industry security standards. B. agrees to be subject to external security reviews. C. has a good market reputation for service and experience. D. complies with security policies of the organization.

You answered D. The correct answer is B. A. Compliance with security standards is important, but there is no way to verify or prove that is the case without an independent review. B. It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. C. Though long experience in business and good reputation is an important factor to assess service quality, the business cannot outsource to a provider whose security control is weak. D. Compliance with organizational security policies is important, but there is no way to verify or prove that that is the case without an independent review.

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that: Select an answer: A. assessment of the situation may be delayed. B. execution of the disaster recovery plan could be impacted. C. notification of the teams might not occur. D. potential crisis recognition might be delayed.

You answered D. The correct answer is B. A. Problem and severity assessment would provide information necessary in declaring a disaster, but the lack of a crisis declaration point would not delay the assessment. B. Execution of the business continuity and disaster recovery plans would be impacted if the organization does not know when to declare a crisis. C. After a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying the declaration of a disaster would impact or negate the effect of having response teams, but this is only one part of the larger impact. D. Potential crisis recognition is the first step in recognizing or responding to a disaster and would occur prior to the declaration of a disaster.

Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects? A. Project database B. Policy documents C. Project portfolio database Incorrect D. Program organization

You answered D. The correct answer is C. A. A project database may contain the information about control effectiveness for one specific project and updates to various parameters pertaining to the current status of that single project. B. Policy documents on project management set direction for the design, development, implementation and monitoring of the project. C. A project portfolio database is the basis for project portfolio management. It includes project data such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. D. Program organization is the team required (steering committee, quality assurance, systems personnel, analyst, programmer, hardware support, etc.) to meet the delivery objectives of the projects.

When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied? A. Transfer B. Mitigation C. Avoidance D. Acceptance

You answered D. The correct answer is C. A. Business continuity self-audit is a tool for evaluating the adequacy of the business continuity plan (BCP) but not for gaining an understanding of the business. B. Resource recovery analysis is a tool for identifying the components necessary for a business resumption strategy but not for gaining an understanding of the business. C. Risk assessment and business impact assessment are tools for understanding the business as a part of BCP. D. The role gap analysis can play in BCP is to identify deficiencies in a plan but not for gaining an understanding of the business.

When developing a business continuity plan (BCP), which of the following tools should be used to gain an understanding of the organization's business processes? Select an answer: A. Business continuity self-audit B. Resource recovery analysis C. Risk assessment D. Gap analysis

You answered D. The correct answer is C. A. Business continuity self-audit is a tool for evaluating the adequacy of the business continuity plan (BCP) but not for gaining an understanding of the business. B. Resource recovery analysis is a tool for identifying the components necessary for a business resumption strategy but not for gaining an understanding of the business. C. Risk assessment and business impact assessment are tools for understanding the business as a part of BCP. D. The role gap analysis can play in BCP is to identify deficiencies in a plan but not for gaining an understanding of the business.

Which of the following must exist to ensure the viability of a duplicate information processing facility? Select an answer: A. The site is near the primary site to ensure quick and efficient recovery. B. The site contains the most advanced hardware available. C. The workload of the primary site is monitored to ensure adequate backup is available. D. The hardware is tested when it is installed to ensure it is working properly.

You answered D. The correct answer is C. A. The site chosen should not be subject to the same natural disaster as the primary site. Being close may be a risk or an advantage, depending on the type of expected disaster. B. A reasonable compatibility of hardware/software must exist to serve as a basis for backup. The latest or newest hardware may not adequately serve this need. C. Resource availability must be assured. The workload of the primary site must be monitored to ensure that availability at the alternate site for emergency backup use is sufficient. D. Testing the hardware when the site is established is essential, but regular testing of the actual backup data is necessary to ensure that the operation will continue to perform as planned.

Documentation of a business case used in an IT development project should be retained until: Select an answer:A. the end of the system's life cycle. B. the project is approved. C. user acceptance of the system. D. the system is in production.

You are correct, the answer is A. A. A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates versus actuals. Questions such as "Why do we do that?", "What was the original intent?" and "How did we perform against the plan?" can be answered, and lessons for developing future business cases can be learned. During the development phase of a project, one should always validate the business case because it is a good management instrument. After finishing a project and entering production, the business case and all the completed research are valuable sources of information that should be kept for further reference. B. The business case should be retained even after project approval to provide ability to review and validate the business case once the project is implemented. C. The business case will be retained throughout the system development life cycle (SDLC) for later reference and validation. D. Once the system is in production, the business case can be validated to ensure that the promised costs and benefits were correct.

An organization completed a business impact analysis (BIA) as part of business continuity planning. The NEXT step in the process is to develop: Select an answer: A. a business continuity strategy. B. a test and exercise plan. C. a user training program. D. the business continuity plan (BCP).

You are correct, the answer is A. A. A business continuity strategy is the next phase because it identifies the best way to recover. The criticality of the business process, the cost, the time required to recover and security must be considered during this phase. B. The recovery strategy and plan development precede the test plan. C. Training can only be developed once the business continuity plan (BCP) is in place. D. A strategy must be determined before the BCP is developed.

Which of the following business continuity plan (BCP) tests involves participation of relevant members of the crisis management/response team to practice proper coordination? Select an answer: A. Tabletop B. Functional C. Full-scale D. Deskcheck

You are correct, the answer is A. A. The primary purpose of tabletop testing is to practice proper coordination because it involves all or some of the crisis team members and is focused more on coordination and communication issues than on technical process details. B. Functional testing involves mobilization of personnel and resources at various geographic sites. This is a more in-depth functional test and not primarily focused on coordination and communication. C. Full-scale testing involves enterprisewide participation and full involvement of external organizations. D. Deskcheck testing requires the least effort of the options given. Its aim is to ensure the plan is up to date and promote familiarity of the BCP to critical personnel from all areas.

Which of the following is the MOST likely benefit of implementing a standardized infrastructure? Select an answer:A. Improved cost-effectiveness of IT service delivery and operational support B. Increased security of the IT service delivery center C. Reduced level of investment in the IT infrastructure D. Reduced need for testing future application changes

You are correct, the answer is A. A. A standardized IT infrastructure provides a consistent set of platforms and operating systems across the organization. This standardization reduces the time and effort required to manage a set of disparate platforms and operating systems. In addition, the implementation of enhanced operational support tools (e.g., password management tools, patch management tools and auto provisioning of user access) is simplified. These tools can help the organization reduce the cost of IT service delivery and operational support. B. A standardized infrastructure results in a more homogeneous environment, which is more prone to attacks. C. While standardization can reduce support costs, the transition to a standardized kit can be expensive; therefore, the overall level of IT infrastructure investment is not likely to be reduced. D. A standardized infrastructure may simplify testing of changes, but it does not reduce the need for such testing. Question #: 289 CISA Job Practice Task Statement: 3.1

Which of the following is the BEST method to ensure that the business continuity plan (BCP) remains up to date? Select an answer: A. The group walks through the different scenarios of the plan from beginning to end. B. The group ensures that specific systems can actually perform adequately at the alternate offsite facility. C. The group is aware of full-interruption test procedures. D. Interdepartmental communication is promoted to better respond in the case of a disaster.

You are correct, the answer is A. A. A structured walk-through test gathers representatives from each department who will review the plan and identify weaknesses. B. The ability of the group to ensure that specific systems can actually perform adequately at the alternate offsite facility is a parallel test and does not involve group meetings. C. Group awareness of full-interruption test procedures is the most intrusive test to regular operations and the business. D. While improving communication is important, it is not the most valued method to ensure that the plan is up to date.

When auditing a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that it does not cover all of the systems. Which of the following is the MOST appropriate action for the IS auditor? Select an answer: A. Alert management and evaluate the impact of not covering all systems. B. Cancel the audit. C. Complete the audit of the systems covered by the existing disaster recovery plan (DRP). D. Postpone the audit until the systems are added to the DRP.

You are correct, the answer is A. A. An IS auditor should make management aware that some systems are omitted from the disaster recovery plan (DRP). An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the DRP. B. Cancelling the audit is an inappropriate action. C. Ignoring the fact that some systems are not covered would violate audit standards that require reporting all material findings and is an inappropriate action. D. Postponing the audit is an inappropriate action. The audit should be completed according to the initial scope with identification to management of the risk of systems not being covered.

An IS auditor is told by IS management that the organization has recently reached the highest level of the software capability maturity model (CMM). The software quality process MOST recently added by the organization is: Select an answer:A. continuous improvement. B. quantitative quality goals. C. a documented process. D. a process tailored to specific projects

You are correct, the answer is A. A. An organization would have reached the highest level of the software capability maturity model (CMM) at level 5, optimizing. B. Quantitative quality goals can be reached at level 4 and below. C. A documented process is executed at level 3 and below. D. A process tailored to specific projects can be achieved at level 2 or below

Disaster recovery planning (DRP) addresses the: Select an answer: A. technological aspect of business continuity planning (BCP). B. operational part of business continuity planning. C. functional aspect of business continuity planning. D. overall coordination of business continuity planning.

You are correct, the answer is A. A. Disaster recovery planning (DRP) is the technological aspect of business continuity plan (BCP) that focuses on IT systems and operations. B. Business resumption planning addresses the operational part of BCP. C. Disaster recovery addresses the technical components of business recovery. D. The overall coordination of BCP is accomplished through business continuity management and strategic plans. DRP addresses technical aspects of BCP.

The waterfall life cycle model of software development is most appropriately used when: Select an answer: A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate. B. requirements are well understood and the project is subject to time pressures. C. the project intends to apply an object-oriented design and programming approach. D. the project will involve the use of new technology.

You are correct, the answer is A. A. Historically, the waterfall model has been best suited to stable conditions and well-defined requirements. B. When the degree of uncertainty of the system to be delivered and the conditions in which it will be used rises, the waterfall model has not been successful. In these circumstances, the various forms of iterative development life cycle gives the advantage of breaking down the scope of the overall system to be delivered, making the requirements gathering and design activities more manageable. The ability to deliver working software earlier also acts to alleviate uncertainty and may allow an earlier realization of benefits. C. The choice of a design and programming approach is not, itself, a determining factor of the type of software development life cycle that is appropriate. D. The use of new technology in a project introduces a significant element of risk. An iterative form of development, particularly one of the agile or exploratory methods that focuses on early development of actual working software, is likely to be the better option to manage this uncertainty.

Which of the following should be considered FIRST when implementing a risk management program? A. An understanding of the organization's threat, vulnerability and risk profile B. An understanding of the risk exposures and the potential consequences of compromise C. A determination of risk management priorities based on potential consequences D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level

You are correct, the answer is A. A. Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization's threat, vulnerability and risk profile as a first step. B. An understanding of risk exposure and potential consequences of compromise could be determined only after there is an understanding the organization's threat, vulnerability and risk profile. C. Risk management priorities based on potential consequences could only be developed after the organization's threat, vulnerability and risk profile is determined. D. Risk mitigation priorities are based on the risk profile, risk acceptance levels and potential mitigating controls. These elements provide a basis for the formulation of strategies for risk mitigation sufficient to keep the consequences from risk at an acceptable level.

While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Because the work involves confidential information, the IS auditor's PRIMARY concern should be that the: A. requirement for protecting confidentiality of information could be compromised. B. contract may be terminated because prior permission from the outsourcer was not obtained. C. other service provider to whom work has been outsourced is not subject to audit. D. outsourcer will approach the other service provider directly for further work.

You are correct, the answer is A. A. Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. When a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised. B. Terminating the contract for a violation of the terms of the contract could be a concern but is not related to ensuring the confidentiality of information. C. The outsourcer not being subject to an audit could be a concern but is not related to ensuring the confidentiality of information. D. There is no reason why an IS auditor should be concerned with the outsourcer approaching the other service providers directly for further work.

Overall quantitative business risk for a particular threat can be expressed as: Select an answer: A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability. B. the magnitude of the impact should a threat source successfully exploit the vulnerability. C. the likelihood of a given threat source exploiting a given vulnerability. D. the collective judgment of the risk assessment team.

You are correct, the answer is A. A. Overall business risk takes into consideration the likelihood and magnitude of the impact when a threat exploits a vulnerability and provides the best measure of the risk to an asset. B. The calculation of risk must consider impact and likelihood of a threat (not a threat source) exploiting a vulnerability. C. Considering only the likelihood of an exploit and not the impact or damage caused is not sufficient to determine the overall risk. D. The collective judgment of the risk assessment team is a part of qualitative risk assessment, but must be combined with calculations of the impact on the business to determine overall risk.

As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through: Select an answer: A. performance measurement. B. strategic alignment. C. value delivery. D. resource management.

You are correct, the answer is A. A. Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives. B. Strategic alignment primarily focuses on ensuring linkage of business and IT plans, not on transparency. C. Value delivery is about executing the value proposition throughout the delivery cycle. Value delivery ensures that IT investments deliver on promised values, but does not ensure transparency of investment. D. Resource management is about the optimal investment in and proper management of critical IT resources, but does not ensure transparency of IT investments.

During an audit of a business continuity plan (BCP), an IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following areas should be reconciled FIRST? Select an answer: A. Evacuation plan B. Recovery priorities C. Backup storages D. Call tree

You are correct, the answer is A. A. Protecting human resources during a disaster-related event should be addressed first. Having separate business continuity plans (BCPs) could result in conflicting evacuation plans, thus jeopardizing the safety of staff and clients. B. Recovery priorities may be unique to each department and could be addressed separately, but still should be reviewed for possible conflicts and/or the possibility of cost reduction, but only after the issue of human safety has been analyzed. C. Backup strategies are not critical to the integration of the plans for the various departments. Life safety is always the first priority. D. Communication during a crisis is always a challenge, but the call tree is not as important as ensuring life safety first.

Assessing IT risk is BEST achieved by: Select an answer: A. evaluating threats and vulnerabilities associated with existing IT assets and IT projects. B. using the firm's past actual loss experience to determine current exposure. C. reviewing published loss statistics from comparable organizations. D. reviewing IT control weaknesses identified in audit reports.

You are correct, the answer is A. A. To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. B. Basing an assessment on past losses will not adequately reflect new threats or inevitable changes to the firm's IT assets, projects, controls and strategic environment. There are also likely to be problems with the scope and quality of the loss data available to be assessed. C. Comparable organizations will have differences in their IT assets, control environment and strategic circumstances. Therefore, their loss experience cannot be used to directly assess organizational IT risk. D. Control weaknesses identified during audits will be relevant in assessing threat exposure and further analysis may be needed to assess threat probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have recently been audited, and there may not be a sufficient assessment of strategic IT risk.

When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and business unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain successful results and avoid future conflicts? Select an answer: A. Ensure that the IT security risk assessment has a clearly defined scope. B. Require the IT security officer to approve each risk rating during the workshop. C. Suggest that the IT security officer accept the business unit risk and rating. D. Select only commonly accepted risk with the highest submitted rating.

You are correct, the answer is A. A. The IT risk assessment should have a clearly defined scope to be efficient and meet the objectives of risk identification. The IT risk assessment should include relationships with risk assessments in other areas, if appropriate. B. It is most likely that the IT security officer is not in a position to approve risk ratings, and the results of the workshop may need to be compiled and analyzed following the workshop, making approval during the workshop improbable. C. The facilitator of the workshop should encourage input from all parties without causing embarrassment or intimidation. However, the IT security officer is not expected to accept risk—that is a senior management function. D. The purpose of a workshop is to brainstorm and draw out the input of all participants, not just to address commonly accepted risk.

An organization has just completed its annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization? Select an answer: A. Review and evaluate the business continuity plan for adequacy B. Perform a full simulation of the business continuity plan C. Train and educate employees regarding the business continuity plan D. Notify critical contacts in the business continuity plan

You are correct, the answer is A. A. The business continuity plan should be reviewed every time a risk assessment is completed for the organization. B. Performing a simulation should be completed after the business continuity plan has been deemed adequate for the organization. C. Training of the employees should be performed after the business continuity plan has been deemed adequate for the organization. D. There is no reason to notify the business continuity plan contacts at this time.

When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST ensure that: Select an answer:A. a clear business case has been approved by management. B. corporate security standards will be met. C. users will be involved in the implementation plan. D. the new system will meet all required user functionality

You are correct, the answer is A. A. The first concern of an IS auditor should be to ensure that the proposal meets the needs of the business, and this should be established by a clear business case. B. Compliance with security standards is essential, but it is too early in the procurement process for this to be an IS auditor's first concern. C. Having users involved in the implementation process is essential, but it is too early in the procurement process for this to be an IS auditor's first concern. D. Meeting the needs of the users is essential, and this should be included in the business case presented to management for approval

The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the: Select an answer: A. duration of the outage. B. type of outage. C. probability of the outage. D. cause of the outage.

You are correct, the answer is A. A. The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives. B. The type of outage is not as important to the activation of the plan as the length or duration of the outage. C. The probability of the outage would be relevant to the frequency of incidents, not the need to activate the plan. The plan is designed to be activated after an event of a certain duration occurs. D. The cause of the outage may affect the response plan to be activated, but not the decision to activate the plan. The plan will be activated any time an event of a predetermined duration occurs.

Which of the following is the key benefit of a control self-assessment (CSA)? Select an answer: A. Management ownership of the internal controls supporting business objectives is reinforced. B. Audit expenses are reduced when the assessment results are an input to external audit work. C. Fraud detection will be improved because internal business staff are engaged in testing controls. D. Internal auditors can shift to a consultative approach by using the results of the assessment.

You are correct, the answer is A. A. The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance. B. Reducing audit expenses is not a key benefit of CSA. C. Improved fraud detection is important, but not as important as control ownership, and is not a principal objective of CSA. D. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

The success of control self-assessment (CSA) depends highly on: Select an answer: A. having line managers assume a portion of the responsibility for control monitoring. B. assigning staff managers the responsibility for building, but not monitoring, controls. C. the implementation of a stringent control policy and rule-driven controls. D. the implementation of supervision and the monitoring of controls of assigned duties.

You are correct, the answer is A. A. The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly. B. CSA requires managers to participate in the monitoring of controls. C. The implementation of stringent controls will not ensure that the controls are working correctly. D. Better supervision is a compensating and detective control and may assist in ensuring control effectiveness, but would work best when used in a formal process such as CSA.

A poor choice of passwords and unencrypted data transmissions over unprotected communications lines are examples of: Select an answer: A. vulnerabilities. B. threats. C. probabilities. D. impacts.

You are correct, the answer is A. A. Vulnerabilities represent weaknesses of information resources that may be exploited by a threat. Because these are weaknesses that could be addressed by the security specialist, they are examples of vulnerabilities. B. Threats are circumstances or events with the potential to cause harm to information resources. Threats are usually outside the control of the security specialist. C. Probabilities represent the likelihood of the occurrence of a threat. D. Impacts represent the outcome or result of a threat exploiting a vulnerability.

Before implementing an IT balanced scorecard (BSC), an organization must: Select an answer: A. deliver effective and efficient services. B. define key performance indicators. C. provide business value to IT projects. D. control IT expenses.

You are correct, the answer is B. A. A balanced scorecard (BSC) is a method of specifying and measuring the attainment of strategic results. It will measure the delivery of effective and efficient services, but an organization may not have those in place prior to using a BSC. B. Because a BSC is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC. C. A BSC will measure the value of IT to business, not the other way around. D. A BSC will measure the performance of IT, but the control over IT expenses is not a key requirement for implementing a BSC.

An IS auditor can verify that an organization's business continuity plan (BCP) is effective by reviewing the: Select an answer: A. alignment of the BCP with industry good practices. B. results of business continuity tests performed by IS and end-user personnel. C. offsite facility, its contents, security and environmental controls. D. annual financial cost of the BCP activities versus the expected benefit of the implementation of the plan.

You are correct, the answer is B. A. Alignment of the business continuity plan (BCP) with industry good practices does not provide the assurance of the effectiveness of the BCP. B. The effectiveness of the BCP can best be evaluated by reviewing the results from previous business continuity tests for thoroughness and accuracy in accomplishing their stated objectives. C. The offsite facility, its contents, security and environmental controls do not provide the assurance of the effectiveness of the BCP. Only testing will provide an accurate assessment of the effectiveness of the BCP. D. The annual financial cost of the BCP activities versus the expected benefit of implementation of the plan does not provide the assurance of the effectiveness of the BCP. Only testing will provide an accurate assessment of the effectiveness of the BCP.

An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for: Select an answer: A. documentation of staff background checks. B. independent audit reports or full audit access. C. reporting the year-to-year incremental cost reductions. D. reporting staff turnover, development or training.

You are correct, the answer is B. A. Although it is necessary to document the fact that background checks are performed, this is only one of the provisions that should be in place for audits. B. When the functions of an IT department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. C. Financial measures such as year-to-year incremental cost reductions are desirable to have in a service level agreement (SLA); however, cost reductions are not as important as the availability of independent audit reports or full audit access. D. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but this is not as important as the requirements for independent reports or full audit access by the outsourcing organization.

Which of the following insurance types provide for a loss arising from fraudulent acts by employees? Select an answer: A. Business interruption B. Fidelity coverage C. Errors and omissions D. Extra expense

You are correct, the answer is B. A. Business interruption insurance covers the loss of profit due to the disruption in the operations of an organization. B. Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees. C. Errors and omissions insurance provides legal liability protection in the event that the professional practitioner commits an act that results in financial loss to a client. D. Extra expense insurance is designed to cover the extra costs of continuing operations following a disaster/disruption within an organization.

The BEST method for assessing the effectiveness of a business continuity plan is to review the: Select an answer: A. plans and compare them to appropriate standards. B. results from previous tests. C. emergency procedures and employee training. D. offsite storage and environmental controls.

You are correct, the answer is B. A. Comparisons to standards will give some assurance that the plan addresses the critical aspects of a business continuity plan but will not reveal anything about its effectiveness. B. Previous test results will provide evidence of the effectiveness of the business continuity plan. C. Reviewing emergency procedures would provide insight into some aspects of the plan but would fall short of providing assurance of the plan's overall effectiveness. D. Reviewing offsite storage and environmental controls would provide insight into some aspects of the plan but would fall short of providing assurance of the plan's overall effectiveness.

Which of the following statements is valid while drafting a disaster recovery plan (DRP)? Select an answer: A. Downtime costs decrease as the recovery point objective (RPO) increases. B. Downtime costs increase with time. C. Recovery costs are independent of time. D. Recovery costs can only be controlled on a short-term basis.

You are correct, the answer is B. A. Downtime costs are not related to the recovery point objective (RPO). The RPO defines the data backup strategy, which is related to recovery costs rather than to downtime costs. B. Downtime costs—such as loss of sales, idle resources, salaries—increase with time. A disaster recovery plan (DRP) should be drawn to achieve the lowest downtime costs possible. C. Recovery costs decrease with the time allowed for recovery. For example, recovery costs to recover business operations within two days will be higher than the cost to recover business within seven days. The essence of an effective DRP is to minimize uncertainty and increase predictability. D. With good planning, recovery costs can be predicted and contained.

For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be: Select an answer: A. stored in a secure, offsite facility. B. approved by senior management C. communicated to appropriate personnel. D. made available through the enterprise's intranet.

You are correct, the answer is C. A. The business continuity plan (BCP), if kept in a safe place, will not reach the users; users will never implement the BCP and, thus, the BCP will be ineffective. B. Senior management approval is a prerequisite for designing and approving the BCP but is less important than making sure that the plan is available to all key personnel to ensure that the plan will be effective. C. The implementation of a BCP will be effective only if appropriate personnel are informed and aware of all the aspects of the BCP. D. Making a BCP available on an enterprise's intranet does not guarantee that personnel will be able to access, read or understand it.

Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration? Select an answer: A. Function point analysis (FPA) B. Program evaluation review technique (PERT) chart C. Rapid application development D. Object-oriented system development

You are correct, the answer is B. A. Function point analysis (FPA) is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal files. While this will help determine the size of individual activities, it will not assist in determining project duration because there are many overlapping tasks. B. A program evaluation review technique (PERT) chart will help determine project duration once all the activities and the work involved with those activities are known. C. Rapid application development is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality. D. Object-oriented system development is the process of solution specification and modeling but will not assist in calculating project duration.

When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST? A. The project budget B. The critical path for the project C. The length of the remaining tasks D. The personnel assigned to other tasks

You are correct, the answer is B. A. Given that there may be slack time available on some of the other tasks not on the critical path, the resource allocation should be based on the project segments that affect delivery dates. B. Because adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will, in fact, shorten the project duration. C. Given that there may be slack time available on some of the other tasks not on the critical path, a factor such as the length of other tasks may or may not be affected. D. Depending on the skill level of the resources required or available, the addition of resources may not, in fact, shorten the time line. Therefore, the first step is to examine what resources are required to address the times on the critical path.

An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider's employees adhere to the security policies? Select an answer: A. Sign-off is required on the enterprise's security policies for all users. B. An indemnity clause is included in the contract with the service provider. C. Mandatory security awareness training is implemented for all users. D. Security policies should be modified to address compliance by third-party users.

You are correct, the answer is B. A. Having users sign off on policies is a good practice; however, this only puts the onus of compliance on the individual user, not on the organization. B. Having the service provider sign an indemnity clause will ensure compliance to the enterprise's security policies because any violations discovered would lead to a financial liability for the service provider. This will also prompt the enterprise to monitor security violations closely. C. Awareness training is an excellent control but will not ensure that the service provider's employees adhere to policy. D. Modification of security policy does not ensure compliance by users unless the policies are appropriately communicated to users and enforced, and awareness training is provided.

Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement (SLA) with an external IT service provider? Select an answer: A. Payment terms B. Uptime guarantee C. Indemnification clause D. Default resolution

You are correct, the answer is B. A. Payment terms are typically included in the master agreement rather than in the service level agreement (SLA). B. The most important element of an SLA is the measurable terms of performance, such as uptime agreements. C. The indemnification clause is typically included in the master agreement rather than in the SLA. D. The default resolution would only apply in case of a default of the SLA; therefore, it is more important to review the performance conditions of the SLA.

Establishing the level of acceptable risk is the responsibility of: Select an answer: A. quality assurance (QA) management. B. senior business management. C. the chief information officer (CIO). D. the chief security officer (CSO).

You are correct, the answer is B. A. Quality assurance (QA) is concerned with reliability and consistency of processes. The QA team is not responsible for determining an acceptable risk level. B. Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization. C. The establishment of acceptable risk levels is a senior management responsibility. The chief information officer (CIO) is the most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. The CIO is rarely the person that determines acceptable risk levels because this could be a conflict of interest. D. The establishment of acceptable risk levels is a senior management responsibility. The chief security officer (CSO) is responsible for enforcing the decisions of the senior management team.

he PRIMARY benefit of implementing a security program as part of a security governance framework is the: A. alignment of the IT activities with IS audit recommendations. B. enforcement of the management of security risk. C. implementation of the chief information security officer's (CISO's) recommendations. D. reduction of the cost for IT security.

You are correct, the answer is B. A. Recommendations, visions and objectives of the IS auditor are usually addressed within a security program, but they would not be the major benefit. B. The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level, and monitoring of the residual risk. C. Recommendations, visions and objectives of the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit. D. The cost of IT security may or may not be reduced.

The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor? Select an answer: A. The right to audit clause was not included in the contract. B. The business case was not established. C. There was no source code escrow agreement. D. The contract does not cover change management procedures.

You are correct, the answer is B. A. The lack of the right to audit clause presents a risk to the organization; however, the risk is not as consequential as the lack of a business case. B. Because the business case was not established, it is likely that the business rationale, risk and risk mitigation strategies for outsourcing the application development were not fully evaluated and the appropriate information was not provided to senior management for formal approval. This situation presents the biggest risk to the organization. C. If the source code is held by the provider and not provided to the organization, the lack of source code escrow presents a risk to the organization; however, the risk is not as consequential as the lack of a business case. D. The lack of change management procedures presents a risk to the organization, especially with the possibility of extraordinary charges for any required changes; however, the risk is not as consequential as the lack of a business case.

An organization has purchased a third-party application and made significant modifications. While auditing the development process for this critical, customer-facing application, the IS auditor noted that the vendor has been in business for only one year. Which of the following would help mitigate the risk relating to continued application support? Select an answer:A. A viability study on the vendor B. A software escrow agreement C. Financial evaluation of the vendor D. A contractual agreement for future enhancements

You are correct, the answer is B. A. While a viability study on the vendor may provide some assurance on the long-term availability of the vendor's services to the entity, in this case, it is more important that the company has the rights to the source code. B. Considering that the vendor has been in the business for only one year, the biggest concern is financial stability or viability of the vendor and the risk of the vendor going out of business. The best way that this risk can be addressed is to have a software escrow agreement for the source code of the application, which provides the entity access to the source code in the event of the vendor going out of business. C. Considering that the vendor has been in business for only one year, financial evaluation of the vendor would not be of much value and cannot provide assurance on the long-term availability of the vendor's services to the entity. In this case, it is more important that the company has rights to the source code. D. A contractual agreement, while binding, is not enforceable or only has limited value in the event of bankruptcy

After completing the business impact analysis (BIA), what is the NEXT step in the business continuity planning (BCP) process? Select an answer: A. Test and maintain the plan. B. Develop a specific plan. C. Develop recovery strategies. D. Implement the plan.

You are correct, the answer is C. A. After selecting a strategy, a specific business continuity planning (BCP) can be developed, tested and implemented. B. After selecting a strategy, a specific BCP can be developed, tested and implemented. C. Once the business impact analysis (BIA) is completed, the next phase in the BCP development is to identify the various recovery strategies and select the most appropriate strategy for recovering from a disaster that will meet the time lines and priorities defined through the BIA. D. After selecting a strategy, a specific BCP can be developed, tested and implemented.

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should: Select an answer: A. compute the amortization of the related assets. B. calculate a return on investment (ROI). C. apply a qualitative approach. D. spend the time needed to define the loss amount exactly.

You are correct, the answer is C. A. Amortization is used in a profit and loss statement, not in computing potential losses. B. A return on investment (ROI) is computed when there is predictable savings or revenues that can be compared to the investment needed to realize the revenues. C. The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). D. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change and, at the end of the day, the result will be a not well-supported evaluation.

When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of: Select an answer:A. excessive transaction turnaround time. B. application interface failure. C. improper transaction authorization. D. nonvalidated batch totals.

You are correct, the answer is C. A. An excessive turnaround time is an inconvenience, but not a serious risk. B. The failure of the application interface is a risk, but not the most serious issue. Usually such a problem is temporary and easily fixed. C. Foremost among the risk associated with electronic data interchange (EDI) is improper transaction authorization. Because the interaction with the parties is electronic, there is no inherent authentication. Improper authentication would pose a serious risk of financial loss. D. The integrity of EDI transactions is important, but not as significant as the risk of unauthorized transactions

The GREATEST advantage of using web services for the exchange of information between two systems is: A. secure communication. B. improved performance. C. efficient interfacing. D. enhanced documentation

You are correct, the answer is C. A. Communication is not necessarily more secure using web services. B. The use of web services will not necessarily increase performance. C. Web services facilitate the interoperable exchange of information between two systems regardless of the operating system or programming language used. D. There is no documentation benefit in using web services.

In determining the acceptable time period for the resumption of critical business processes: Select an answer: A. only downtime costs need to be considered. B. recovery operations should be analyzed. C. both downtime costs and recovery costs need to be evaluated. D. indirect downtime costs should be ignored.

You are correct, the answer is C. A. Downtime costs cannot be looked at in isolation. The quicker information assets can be restored and business processing resumed, the smaller the downtime costs. However, the expenditure needed to have the redundant capability required to rapidly recover information resources might be prohibitive for nonessential business processes. B. Recovery operations alone do not determine the acceptable time period for the resumption of critical business processes, and indirect downtime costs should be considered in addition to the direct cash outflows incurred due to business disruption. C. Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis (BIA) should be a recovery strategy that represents the optimal balance. D. The indirect costs of a serious disruption to normal business activity (e.g., loss of customer and supplier goodwill, and loss of market share) may actually be more significant than direct costs over time, thus reaching the point where business viability is threatened.

While reviewing the IT governance processes of an organization, an IS auditor discovers that the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation? Select an answer: A. Key performance indicators (KPIs) are not reported to management and management cannot determine the effectiveness of the BSC. B. IT projects could suffer from cost overruns. C. Misleading indications of IT performance may be presented to management. D. IT service level agreements (SLAs) may not be accurate.

You are correct, the answer is C. A. If the performance indicators are not objectively measurable, the most significant risk would be the presentation of misleading performance results to management. This could result in a false sense of assurance and, as a result, IT resources may be misallocated or strategic decisions may be based on incorrect information. Whether or not the performance indicators are correctly defined, the results would be reported to management. B. Although project management issues could arise from performance indicators that were not correctly defined, the presentation of misleading performance to management is a much more significant risk. C. The IT balanced scorecard (BSC) is designed to measure IT performance. To measure performance, a sufficient number of "performance drivers" or key performance indicators (KPIs) must be defined and measured over time. Failure to have objective KPIs may result in arbitrary, subjective measures that may be misleading. D. Although performance management issues related to service level agreements (SLAs) could arise from performance indicators that were not correctly defined, the presentation of misleading performance to management is a much more significant risk.

An IS auditor is performing an audit in the data center when the fire alarm begins sounding. The audit scope includes disaster recovery, so the auditor observes the data center staff response to the alarm. Which of the following is the MOST important action for the data center staff to complete in this scenario? Select an answer: A. Notify the local fire department of the alarm condition. B. Prepare to activate the fire suppression system. C. Ensure that all persons in the data center are evacuated. D. Remove all backup tapes from the data center.

You are correct, the answer is C. A. Life safety is always the first priority, and notifying the fire department of the alarm is not typically necessary because most data center alarms are configured to automatically report to the local authorities. B. Fire suppression systems are designed to operate automatically, and activating the system when staff are not yet evacuated could create confusion and panic, leading to injuries or even fatalities. Manual triggering of the system could be necessary under certain conditions, but only after all other data center personnel are safely evacuated. C. In an emergency, safety of life is always the first priority; therefore, the complete and orderly evacuation of the facility staff would be the most important activity. D. Removal of backup tapes from the data center is not an appropriate action because it could delay the evacuation of personnel. Most companies would have copies of backup tapes in offsite storage to mitigate the risk of data loss for this type of disaster.

Which of the following would be MOST important for an IS auditor to verify while conducting a business continuity audit? Select an answer: A. Data backups are performed on a timely basis. B. A recovery site is contracted for and available as needed. C. Human safety procedures are in place. D. Insurance coverage is adequate and premiums are current.

You are correct, the answer is C. A. Performing data backups is necessary for a business continuity plan, but the IS auditor will always be most concerned with human safety. B. A recovery site is important for business continuity, but life safety is always the first priority. C. The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan. D. Insurance coverage is not as important as life safety.

To address the risk of operations staff's failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk: Select an answer: A. avoidance. B. transfer. C. mitigation. D. acceptance.

You are correct, the answer is C. A. Risk avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk. B. Risk transfer is the strategy that provides for sharing risk with partners or purchasing insurance coverage. C. Risk mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. By requiring the system's administrator to sign off on the completion of the backups, this is an administrative control that can be validated for compliance. D. Risk acceptance is a strategy that provides for formal acknowledgment of the existence of a risk but not taking any action to reduce the risk, and the monitoring of that risk.

When developing a risk management program, what is the FIRST activity to be performed? Select an answer: A. Threat assessment B. Classification of data C. Inventory of assets D. Criticality analysis

You are correct, the answer is C. A. The assets need to be identified first. A listing of the threats that can affect the assets is a later step in the process. B. Data classification is required for defining access controls and in criticality analysis, but the assets (including data) need be identified before doing classification. C. Identification of the assets to be protected is the first step in the development of a risk management program. D. Criticality analysis is a later step in the process after the assets have been identified.

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: Select an answer: A. hardware configuration. B. access control software. C. ownership of intellectual property. D. application development methodology.

You are correct, the answer is C. A. The hardware configuration is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. B. The access control software is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. C. The contract must specify who owns the intellectual property (i.e., information being processed, application programs). Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract. D. The development methodology should be of no real concern in an outsourcing contract.

During the design of a business continuity plan, the business impact analysis (BIA) identifies critical processes and supporting applications. This will PRIMARILY influence the: Select an answer: A. responsibility for maintaining the business continuity plan. B. criteria for selecting a recovery site provider. C. recovery strategy. D. responsibilities of key personnel.

You are correct, the answer is C. A. The responsibility for maintaining the business continuity plan is decided after the selection or design of the appropriate recovery strategy and development of the plan. B. The criteria for selecting a recovery site provider are decided after the selection or design of the appropriate recovery strategy. C. The most appropriate strategy is selected based on the relative risk level, time lines and criticality identified in the business impact analysis (BIA). D. The responsibilities of key personnel are decided after the selection or design of the appropriate recovery strategy during the plan development phase.

An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task? Select an answer: A. Immediately report the risk to the chief information officer (CIO) and chief executive officer (CEO). B. Examine the e-business application in development. C. Identify threats and the likelihood of occurrence. D. Check the budget available for risk management.

You are correct, the answer is C. A. The risk can only be determined after the threats, likelihood and vulnerabilities are all documented. B. The first step is to identify the risk levels to existing applications and then to apply those to applications in development. Risk can only be identified after the threats and likelihood have also been determined. C. To determine the risk associated with e-business, an IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. D. The budget available for risk management is not relevant at this point because the risk has not yet been determined.

While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructure damage. The BEST recommendation the IS auditor can provide to the organization is to ensure: Select an answer: A. the salvage team is trained to use the notification system. B. the notification system provides for the recovery of the backup. C. redundancies are built into the notification system. D. the notification systems are stored in a vault.

You are correct, the answer is C. A. The salvage team would not be able to use a severely damaged notification system, even if they are trained to use it. B. The recovery of the backups has no bearing on the notification system. C. If the notification system has been severely impacted by the damage, redundancy would be the best control. D. Storing the notification system in a vault would be of little value if the building is damaged.

The reason for establishing a stop or freezing point on the design of a new system is to: Select an answer: A. prevent further changes to a project in process. B. indicate the point at which the design is to be completed. C. require that changes after that point be evaluated for cost-effectiveness. D. provide the project management team with more control over the project design.

You are correct, the answer is C. A. The stop point is intended to provide greater control over changes but not to prevent them. B. The stop point is used for project control but not to create an artificial fixed point that requires the design of the project to cease. C. Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost-benefits and the payback period. D. A stop point is used to control requirements, not systems design.

An IS auditor performing an audit of the risk assessment process should FIRST confirm that: Select an answer: A. reasonable threats to the information assets are identified. B. technical and organizational vulnerabilities have been analyzed. C. assets have been identified and ranked. D. the effects of potential security breaches have been evaluated.

You are correct, the answer is C. A. The threats facing each of the organization's assets should be analyzed according to their value to the organization. This would occur after identifying and ranking assets. B. Analyzing how these weaknesses, in the absence of mitigating controls, would impact the organization's information assets would occur after the assets and weaknesses have been identified. C. Identification and ranking of information assets (e.g., data criticality, sensitivity, locations of assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset. D. The effect of security breaches is dependent on the value of the assets and the threats, vulnerabilities and effectiveness of mitigating controls. The impact of an attack against a weakness should be identified so that controls can be evaluated to determine if they effectively mitigate the weaknesses.

Which of the following is a characteristic of timebox management? Select an answer: A. Not suitable for prototyping or rapid application development (RAD) B. Eliminates the need for a quality process C. Prevents cost overruns and delivery delays D. Separates system and user acceptance testing

You are correct, the answer is C. A. Timebox management is very suitable for prototyping and rapid application development (RAD). B. Timebox management does not eliminate the need for a quality process. C. Timebox management, by its nature, sets specific time and cost boundaries. It is effective in controlling costs and delivery time lines by ensuring that each segment of the project is divided into small controllable time frames. D. Timebox management integrates system and user acceptance testing.

An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise's investment in software is protected, which of the following should be recommended by the IS auditor? A. Due diligence should be performed on the software vendor. B. A quarterly audit of the vendor facilities should be performed. C. There should be a source code escrow agreement in place. D. A high penalty clause should be included in the contract.

You are correct, the answer is C. A. While due diligence is a good practice, it does not ensure availability of the source code in the event of vendor failure. B. While a quarterly audit of vendor facilities is a good practice, it does not ensure availability of the source code in the event of failure of the start-up vendor. C. A source code escrow agreement is primarily recommended to help protect the enterprise's investment in software because the source code will be available through a trusted third party and can be retrieved if the start-up vendor goes out of business. D. While a penalty clause is a good practice, it does not provide protection or ensure availability of the source code in the event of vendor bankruptcy.

Which of the following does a lack of adequate security controls represent? Select an answer: A. Threat B. Asset C. Impact D. Vulnerability

You are correct, the answer is D. A. A threat is anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. A threat exists regardless of controls or a lack of controls. B. An asset is something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation. The asset value is not affected by a lack of controls. C. Impact represents the outcome or result of a threat exploiting a vulnerability. A lack of controls would lead to a higher impact, but the lack of controls is defined as a vulnerability, not an impact. D. The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information and lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the "potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets." The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability.

The most common reason for the failure of information systems to meet the needs of users is that: A. user needs are constantly changing. B. the growth of user requirements was forecast inaccurately. C. the hardware system limits the number of concurrent users. D. user participation in defining the system's requirements was inadequate.

You are correct, the answer is D. A. Although changing user needs has an effect on the success or failure of many projects, the core problem is usually a lack of getting the initial requirements correct at the beginning of the project. B. Projects may fail as the needs of the users increase; however, this can be mitigated through better change control procedures. C. Rarely do hardware limitations affect the usability of the project as long as the requirements were correctly documented at the beginning of the project. D. Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are and, therefore, what the system should accomplish.

By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that: Select an answer: A. reliable products are guaranteed. B. programmers' efficiency is improved. C. security requirements are designed. D. predictable software processes are followed.

You are correct, the answer is D. A. Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product. B. The capability maturity model (CMM) does not evaluate technical processes such as programming efficiency. C. The CMM does not evaluate security requirements or other application controls. D. By evaluating the organization's development projects against the CMM, an IS auditor determines whether the development organization follows a stable, predictable software development process.

Which of the following distinguishes a business impact analysis (BIA) from a risk assessment? Select an answer: A. An inventory of critical assets B. An identification of vulnerabilities C. A listing of threats D. A determination of acceptable downtime

You are correct, the answer is D. A. An inventory of critical assets is completed in both a risk assessment and a business impact analysis (BIA). B. An identification of vulnerabilities is relevant in both a risk assessment and a BIA. C. A listing of threats is relevant both in a risk assessment and a BIA. D. A determination of acceptable downtime is made only in a BIA.

While conducting an IS audit of a service provider for a government program involving confidential information, an IS auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met? Select an answer: A. Monthly committee meetings include the subcontractor's IS manager B. Management reviews weekly reports from the subcontractor C. Permission is obtained from the government agent regarding the contract D. Periodic independent audit of the work delegated to the subcontractor

You are correct, the answer is D. A. Regular committee meetings are a good monitoring tool for delegated operations; however, independent reviews provide better assurance. B. Management should not only rely on self-reported information from the subcontractor. C. Obtaining permission from the government agent is not related to ensuring the confidentiality of information. D. Periodic independent audits provide reasonable assurance that the requirements for protecting confidentiality of information are not compromised.

An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered: Select an answer: A. can deliver on the immediate contract. B. is of similar financial standing as the organization. C. has significant financial obligations that can impose liability to the organization. D. can support the organization in the long term.

You are correct, the answer is D. A. The capability of the organization to support the enterprise should extend beyond the time of execution of the immediate contract. The objective of financial evaluation should not be confined to the immediate contract but should be to provide assurance of sustainability over a longer time frame. B. Whether the vendor is of similar financial standing as the purchaser is irrelevant to this review. C. The vendor should not have financial obligations that could impose a liability to the purchaser; the financial obligations are usually from the purchaser to the vendor. D. The long-term financial viability of a vendor is essential for deriving maximum value for the organization—it is more likely that a financially sound vendor would be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product.

An IS auditor is reviewing an organization's recovery from a disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined? Select an answer: A. The interruption window B. The recovery time objective (RTO) C. The service delivery objective (SDO) D. The recovery point objective (RPO)

You are correct, the answer is D. A. The interruption window is defined as the amount of time during which the organization is unable to maintain operations from the point of failure to the time that the critical services/applications are restored. B. The recovery time objective (RTO) is determined based on the acceptable downtime in the case of a disruption of operations. C. The service delivery objective (SDO) is directly related to the business needs. SDO is the level of services to be reached during the alternate process mode until the normal situation is restored. D. The recovery point objective (RPO) is determined based on the acceptable data loss in the case of a disruption of operations. RPO defines the point in time from which it is necessary to recover the data and quantifies, in terms of time, the permissible amount of data loss in the case of interruption.

Which of the following should be a concern for an IS auditor reviewing an organization's cloud computing strategy which is based on a software as a service (SaaS) model with an external provider? Select an answer:A. Workstation upgrades must be performed. B. Long-term software acquisition costs are higher. C. Contract with the provider does not include onsite technical support. D. Incident handling procedures with the provider are not well defined

You are correct, the answer is D. A. Unless organization workstations are obsolete, upgrading should not be an issue with a software as a service (SaaS) model because most applications running as SaaS use common technologies that allow a user to run the software on different devices. B. The reduction of software acquisition costs is one of the benefits of SaaS. C. A SaaS provider does not normally have onsite support for the organization. D. A SaaS provider does not normally have onsite support for the organization. Therefore, incident handling procedures between the organization and its provider are critical for the detection, communication and resolution of incidents, including effective lines of communication and escalation processes.