IT Audit Exam 1
Which one of the following is not one of the seven domains of a typical IT infrastructure? A. User Domain B. Workstation Domain C. LAN-to-LAN Domain D. WAN Domain E. Remote Access Domain
LAN-to-LAN Domain
Which of the following provides a framework for assessing the adequacy of implemented controls? A. NIST 800-53 B. NIST 800 C. NIST 800-53A D. NIST 800A
NIST 800-53A
Which of the following uses "engagements" to report on the evaluation of controls of third-party service businesses that host or process data on behalf of customers?
SOC
National Institute of Standards and Technology (NIST) security controls are classified as being preventive, detective, or __
corrective
PCI DSS is a legislative act enacted by Congress to ensure that merchants meet baseline security requirements for how they store, process, and transmit payment card data. A. True B. False
False
The decision to apply or not apply controls is based on risk.
true
To comply with the Red Flags Rule, financial institutions and creditors must do which of the following? A. Identify red flags for covered accounts. B. Detect red flags. C. Respond to detected red flags. D. Update the program periodically. E. All of the above F. Answers B and C only
All of the above
Which of the following is an example of why an ongoing IT compliance program is important? A. Organizations are dynamic, growing environments. B. Threats evolve. C. Laws and regulations evolve. D. All of the above
All of the above
Which of the following is not one of the titles within Sarbanes-Oxley? A. Corporate Responsibility B. Enhanced Financial Disclosures C. Analyst Conflicts of Interest D. Studies and Reports E. Auditor Conflicts of Interest
Auditor conflicts of interest
If a baseline security control cannot be implemented, which of the following should be considered? A. Compensating control B. Baseline security standard revision C. Policy revision D. None of the above
Compensating control
An unauthorized user has gained access to data and viewed it. What has been lost?
Confidentiality
Which of the following companies engaged in fraudulent activity and subsequently filed for bankruptcy? A. WorldCom B. Enron C. TJX D. All of the above E. A and B only
WorldCom and Enron
RMF provides for the authorization of the operation of an information system based on an acceptable level of ________.
Risk
Which one of the following is true with regard to audits and assessments? A. Assessments typically result in a pass or fail grade, whereas audits result in a list of recommendations to improve controls. B. Assessments are attributive and audits are not. C. An audit is typically a precursor to an assessment. D. An audit may be conducted independently of an organization, whereas internal IT staff always conducts an IT security assessment. E. Audits can result in blame being placed upon an individual.
audits can result in blame being placed upon an individual
The process of selecting security controls is considered within the context of risk management. A. True B. False
True
Which one of the following is not an example of a level of depth required to assess a control? A. Comprehensive B. Generalized C. Focused D. Detailed
comprehensive
Providing access for application developers to the test environment...
creates a segregation of duties weakness in the configuration management process
A configuration ________ database provides a central repository of configuration items.
management
The COSO framework is targeted to which of the following groups within a company? A. Executive management B. First-line management C. Security analysts D. Application developers
executive management
Organizations may be audited for both ISO/IEC 27001 and ISO/IEC 27002 and receive a formal certification for each.
false
A _______ is a conceptual set of rules and ideas that provide structure to a complex and challenging situation.
framework
Policies, standards, and guidelines are part of the policy ________.
framework
Responding to business requirements in alignment with the business strategy is an example of an IT ________.
goal
Which one of the following is not an example of a review technique? A. Password cracking B. File integrity checking C. Log review D. Network sniffing
Password cracking
A ________ is an assessment method that uses methods similar to what a real-world attacker might use.
penetration testing
Some regulations are subject to ________, which means even if there wasn't intent of noncompliance, an organization can still incur large fines.
strict liability
The IT security controls covered by the National Institute of Standards and Technology (NIST) include management, operational, and ___
technical
Frameworks differ from each other in that they might offer varying levels of depth and breadth. A. True B. False
true
Whereas only qualified auditors perform security audits, anyone may do security assessments.
true
While the Family Educational Rights and Privacy Act prohibits the use of Social Security numbers as directory information, the act does permit the use of the last four digits of a SSN. A. True B. False
False
Noncompliance with regulatory standards may result in which of the following? A. Brand damage B. Fines C. Imprisonment D. All of the above E. B and C only
all of the above
Which of the following are examples of information provided by audit logs? A. Failed authentication attempts B. Account changes C. Privileged use D. All of the above
all of the above
What PCAOB standard states that the auditor should assess the amount of IT involvement in the financial reporting process? A. Auditing Standard No. 1 B. Auditing Standard No. 11 C. Auditing Standard No. 55 D. Auditing Standard No. 5
Auditing Standard No. 5
COSO is the acronym for which of the following? A. Compliance Objectives Standards Organization B. Committee of Sponsoring Organizations C. Compliance Organization Standard Operation D. Committee on Standard Objectives
committee of sponsoring organizations
What is generally not tracked in configuration management?
cost of software
Which of the following is a common system management environment that requires review during an audit?
development environment, test environment, production environment
Which of the following benefits does an automated security information and event management log solution provide? A. Diagnosing and preventing operational problems B. Assigning appropriate responsibilities to security operations C. Management of a configuration change control board D. All of the above
diagnosing and preventing operational problems
Which one of the following is not part of the change management process? A. Identify and request B. Evaluate change request C. Decision response D. Implement unapproved change E. Monitor change
implement unapproved changes
Which one of the following is not considered a principal part of the Gramm-Leach-Bliley Act? A. Financial Privacy Rule B. Pretexting provisions C. Safeguards Rule D. Information Security Rule
information security rule
Production environments...
should only contain fully tested and authorized applications
If required, an auditor is justified in the use of security assessment techniques such as penetration testing and vulnerability analysis and may consider using the work of other experts.
true
Mitigating a risk from an IT security perspective is about eliminating the risk to zero.
False
Regarding the seven domains of IT infrastructure, the Workstation Domain includes which of the following? (Select three.) A. Desktop computers B. Laptop computers C. Remote access systems D. E-mail servers E. Handheld devices
desktop computers, laptop computers, handheld devices
Which of the following best describes a prescriptive IT control?
helps standardize IT operations and tasks
An IT infrastructure audit __ is the system in a known acceptable state, with the applied minimum controls relative to the accepted risk.
baseline
At all levels of an organization, compliance is closely related to which of the following? A. Governance B. Risk management C. Government D. Risk assessment E. Both A and B F. Both C and D
governance and risk management
Adequate controls over privacy data help prevent ________ theft.
identity
Which one of the following is not one of the four domains of COBIT? A. Plan and Organize B. Implement and Support C. Acquire and Implement D. Deliver and Support E. Monitor and Evaluate
implement and support
Which one of the following is not true of COBIT? A. It is business-focused. B. It is security-centered. C. It is process-oriented. D. It is controls-based. E. It is measurement-driven.
it is security centered
ISO/IEC 27002 is a code of ________ for information security management.
practice
Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a ________.
risk-based approach
Preventing a user who approves a configuration change from being the person who implements the change is an example of which of the following? A. Rotation of duties B. Least privilege C. Segregation of duties D. Dual control
segregation of duties
Which of the following should organizations do when selecting a standard? (Select three.) A. Select a standard that can be followed. B. Employ the selected standard. C. Select a flexible standard. D. Select a standard that other organizations in the same geographic location are using.
select a standard that can be followed, employ the selected standard, select a flexible standard
Which of the following is not an important step for conducting effective IT audit interviews?
setting organizational goals during the interview.
Which of the following best describes documents such as policies, procedures, plans, and architectural designs? A. Specification objects B. Mechanism objects C. Activity objects D. Configuration objects
specification objects
An organization creates policies and a framework for the application of controls. The organization then maps existing controls to each regulation to which it must comply. Thereafter, the organization performs a __ to identify anything that is missing.
Gap analysis
Which of the following is an examination of the current state of controls against the desired state of controls? A. Control objective B. Gap analysis C. Baseline analysis D. Log review
Gap analysis
Which regulatory department is responsible for the enforcement of HIPAA laws? A. HHS B. FDA C. U.S. Department of Agriculture D. U.S. EPA E. FTC
HHS
An IT security audit is an ________ assessment of an organization's internal policies, controls, and activities.
Independent
Which of the following organizations was tasked to develop and prescribe standards and guidelines that apply to federal information systems? A. NIST B. FISMA C. Congress D. PCI SSC E. U.S. Department of the Navy
NIST
Which of the following requires organizations to have an annual assessment by a Qualified Security Assessor (QSA)?
Payment Card Industry Data Security Standard (PCI DSS)
Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker? A. Policy review B. Penetration test C. Standards review D. Controls audit E. Vulnerability scan
Penetration testing
Which of the following best describes the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information? A. Security management B. Compliance management C. Privacy management D. Personal management E. Collection management
Privacy management
Avoiding the need for audits is one reason organizations develop clearly documented policies, standards, and procedures. A. True B. False
false
SSAE 16 Type 1 includes everything in an SSAE 16 Type 2 report, but it adds detailed testing of the controls over a specific time frame.
false
The purpose of a network scan is to identify as many vulnerabilities as possible.
false
NIST has three IT security control categories. The following are controls in one of the categories: 1. Identification and authorization 2. Logical access control 3. Audit trail 4. Cryptography. The above controls are examples of which control category?
technical
Which of the following best describes security configuration management?
The process and techniques around managing security-related configuration items that directly relate to controls or settings.
An acceptable use policy (AUP) is part of the ___ domain
user domain
In an IT infrastructure, the end users' operating environment is called the ___
workstation domain
Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations? A. IT audit B. Operational audit C. Compliance audit D. Financial audit E. Investigative audit
Compliance audit
NIST 800-53A provides ________.
A guide for assessing security controls
What can be done to manage risk? (Select three.) A. Accept B. Transfer C. Avoid D. Migrate
Accept, transfer, avoid
After mapping existing controls to new regulations, an organization needs to conduct a ________ analysis.
Gap
Assurance against unauthorized modification or destruction of data is the definition of:
Integrity
Which of the following best describes a descriptive IT control?
Aligns IT with business goals
What term describes the identification, control, logging, and auditing of all changes made across the infrastructure?
Configuration and change management
Regarding privacy, what is a common characteristic of "personal information"?
It can be used to identify a person
The internal audit function may be outsourced to an external consulting firm.
True
Which of the following best describes Control Objectives for Information and Related Technology (COBIT)?
a framework providing best practices for IT governance and control
Which one of the following best describes an assessment objective for a control? A. A high-level statement to determine the effectiveness of a control B. A detailed statement on what activities need to occur to implement a control C. A definition of responsibilities to be assigned to security operations for the management of a control D. A statement about the required depth or coverage required to test a control
a high-level statement to determine the effectiveness of a control
What does CAATT stand for? A. Computer Assisted Audit Tools and Techniques B. Computer Aided Assessment Tools and Techniques C. Compliance Auditing Assisted Tactical Techniques D. Compliance Assisted Audit Tactical Tools
computer assisted audit tools and techniques
A security assessment is a method for proving the strength of security systems.
False
Sarbanes-Oxley explicitly addresses the IT security controls required to ensure accurate financial reporting. A. True B. False
False
Which one of the following is the best example of avoiding risk? A. The IT department decides to install an antivirus device at its network border. B. The IT department outsources its vulnerability management program to a third party. C. The IT department disables the ability for end users to use portable storage devices. D. The IT department installs data loss prevention software on all end users' workstations.
the IT department disables the ability for end users to use portable storage devices
Which of the following policies would apply to the User Domain concerning the seven domains of a typical IT infrastructure? A. Acceptable use policy B. Internet access policy C. Security incident policy D. Firewall policy E. Answers A and B F. Answers B and D
Acceptable use policy and internet access policy
Account management and separation of duties are examples of what type of controls? A. Audit and accountability B. Access control C. Security assessment and authorization D. Personal security
Access control
Which of the following best describes the Gramm-Leach-Bliley Act (GLBA)?
An act of Congress that prohibits banks from offering investment, commercial banking, and insurance services all under one umbrella
Which of the following acknowledges the importance of sound information security practices and controls in the interest of national security? A. FISMA B. GLBA C. HIPAA D. FACTA E. FERPA
FISMA
What organization was tasked to develop standards to apply to federal information systems using a risk-based approach? A. Public Entity Risk Institute B. International Organization for Standardization C. National Institute of Standards and Technology D. International Standards Organization E. American National Standards Institute
National Institute of Standards and Technology
Which one of the following is not one of the safeguards provided within the HIPAA Security Rule? A. Administrative B. Operational C. Technical D. Physical
Operational
Which of the following was established to have oversight of public accounting firms and is responsible for defining the process of SOX compliance audits? A. COSO B. Enron C. PCAOB D. Sarbanes-Oxley E. None of the above
PCAOB
Which one of the following is not a method used for conducting an assessment of security controls? A. Examine B. Interview C. Test D. Remediate
Remediate
A large financial organization wants to outsource its payroll function. Which of the following should the financial organization ensure the payroll company has?
SOC report
Which act, consisting of 11 titles, mandated many reforms to enhance corporate responsibility, enhance financial disclosures, and prevent fraud?
Sarbanes-Oxley Act
What section of Sarbanes-Oxley requires management and the external auditor to report on the accuracy of internal controls over financial reporting? A. Section 301 B. Section 404 C. Section 802 D. Section 1107
Section 404
In accordance with the Children's Internet Protection Act, who determines what is considered inappropriate material? A. FCC B. U.S. Department of Education C. The local communities D. U.S. Department of the Interior Library E. State governments
The local communities
Compliance initiatives typically are efforts around all except which one of the following? A. To adhere to internal policies and standards B. To adhere to regulatory requirements C. To adhere to industry standards and best practices D. To adhere to an auditor's recommendation
To adhere to an auditor's recommendation