Practice Test 3 Unknown Questions


Which of the following BEST ensures that business requirements are met prior to implementation?
A. Feasibility study
B. User acceptance testing (UAT)
C. Postimplementation review
D. Implementation plan

You answered A. The correct answer is B.
A. A feasibility study describes the key alternative courses of action that will satisfy the business and functional requirements of a project, including an evaluation of the technological and economic feasibility. A feasibility study is conducted at the commencement of the project. However, the final user acceptance testing (UAT) happens after the feasibility study and therefore is of greater value.
B. UAT ensures that business process owners and IT stakeholders evaluate the outcome of the testing process to ensure that business requirements are met.
C. The postimplementation review occurs after the implementation.
D. The implementation plan formally defines expectations and performance measurement, and the effective recovery in the event of implementation failure. It does not ensure that business requirements are met.

While reviewing a quality management system (QMS), the IS auditor should PRIMARILY focus on collecting evidence to show that:
A. quality management systems (QMSs) comply with best practices.
B. continuous improvement targets are being monitored.
C. standard operating procedures of IT are updated annually.
D. key performance indicators (KPIs) are defined.

You answered A. The correct answer is B.
A. Generally, best practices are adopted according to business requirements and, therefore, conforming to best practices may or may not be a requirement of the business.
B. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS).
C. Updating operating procedures is part of implementing the QMS; however, it must be part of change management and not an annual activity.
D. Key performance indicators (KPIs) may be defined in a QMS, but they are of little value if they are not being monitored.

Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?
A. A sufficient quantity of data for each test case
B. Data representing conditions that are expected in actual processing
C. Completing the test on schedule
D. A random sample of actual data

You answered A. The correct answer is B.
A. The quantity of data for each test case is not as important as having test cases that will address all types of operating conditions.
B. Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity.
C. It is more important to have adequate test data than to complete the testing on schedule.
D. It is unlikely that a random sample of actual data would cover all test conditions and provide a reasonable representation of actual data.

Which of the following is the MOST effective type of antivirus software to detect an infected application?
A. Scanners
B. Active monitors
C. Integrity checkers
D. Vaccines

You answered A. The correct answer is C.
A. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executable files and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective.
B. Active monitors interpret disk operating system (DOS) and read-only memory (ROM) basic input-output system (BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. As a result, users are asked to confirm actions such as formatting a disk or deleting a file or set of files.
C. Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclic redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus.
D. Vaccines are known to be good antivirus software. However, they need to be updated periodically to remain effective.

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
A. User management coordination does not exist.
B. Specific user accountability cannot be established.
C. Unauthorized users may have access to originate, modify or delete data.
D. Audit recommendations may not be implemented.

You answered A. The correct answer is C.
A. The greatest risk is from unauthorized users being able to modify data. User management is important but not the greatest risk.
B. User accountability is important, but not as great a risk as the actions of unauthorized users.
C. Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that individuals could gain (be given) system access when they should not have authorization. The risk of unauthorized users being able to modify data is greater than the risk of authorized user accounts not being controlled properly.
D. The failure to implement audit recommendations is a management problem, but not as serious as the ability of unauthorized users to make modifications.

An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have legitimate business reasons for also accessing customer information. Which of the following represents the BEST control to ensure separation of the two networks?
A. Establish two physically separate networks.
B. Implement virtual local area network (VLAN) segmentation.
C. Install a dedicated router between the two networks.
D. Install a firewall between the networks.

You answered A. The correct answer is D.
A. While having two physically separate networks would ensure the security of customer data, it would make it impossible for authorized wireless users to access that data.
B. While a VLAN would provide separation of the two networks, it is possible, with sufficient knowledge, for an attacker to gain access to one VLAN from the other.
C. A dedicated router between the two networks would separate them; however, this would be less secure than a firewall.
D. In this case, a firewall could be used as a strong control to allow authorized users on the wireless network to access the wired network.

Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis (BIA)?
A. Business process owners
B. IT management
C. Senior business management
D. Industry experts

You answered B. The correct answer is A.
A. Business process owners have the most relevant information to contribute because the business impact analysis (BIA) is designed to evaluate criticality and recovery timelines, based on business needs.
B. While IT management must be involved, they may not be fully aware of the business processes that need to be protected.
C. While senior management must be involved, they may not be fully aware of the criticality of applications that need to be protected.
D. The BIA is dependent on the unique business needs of the organization, and the advice of industry experts is of limited value.

Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
A. Developments may result in hardware and software incompatibility.
B. Resources may not be available when needed.
C. The recovery plan cannot be tested.
D. The security infrastructures in each company may be different.

You answered B. The correct answer is A.
A. If one organization updates its hardware and software configuration, it may mean that it is no longer compatible with the systems of the other party in the agreement. This may mean that each company is unable to use the facilities at the other company to recover its processing following a disaster.
B. Resources being unavailable when needed is an intrinsic risk in any reciprocal agreement, but this is a contractual matter and is not the greatest risk.
C. The plan can be tested by paper-based walk-throughs, and possibly by agreement between the companies.
D. The difference in security infrastructures, while a risk, is not insurmountable.

What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?
A. Malicious code could be spread across the network.
B. The VPN logon could be spoofed.
C. Traffic could be sniffed and decrypted.
D. The VPN gateway could be compromised.

You answered B. The correct answer is A.
A. Virtual private network (VPN) is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization's network. One problem is when the VPN terminates inside the network and the encrypted VPN traffic goes through the firewall. This means that the firewall cannot adequately examine the traffic.
B. A secure VPN solution would use two-factor authentication to prevent spoofing.
C. VPN traffic should be encrypted, making the sniffing of traffic unimportant.
D. A misconfigured or poorly implemented VPN gateway could be subject to attack, but if it is located in a secure subnet then the risk is reduced.

Which of the following will MOST successfully identify overlapping key controls in business application systems?
A. Reviewing system functionalities that are attached to complex business processes
B. Submitting test transactions through an integrated test facility (ITF)
C. Replacing manual monitoring with an automated auditing solution
D. Testing controls to validate that they are effective

You answered B. The correct answer is C.
A. In general, highly complex business processes may have more key controls than business areas with less complexity; however, finding, with certainty, unnecessary controls in complex areas is not always possible. If a well-thought-out key control structure has been established from the beginning, finding any overlap in key controls will not be possible.
B. An integrated test facility (ITF) is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls.
C. As part of the effort to realize continuous audit management (CAM), there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts have the opportunity to come across unnecessary or overlapping key controls in existing systems.
D. By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.

An IS auditor notes that patches for the operating system used by an organization are deployed by the IT department as advised by the vendor. The MOST significant concern an IS auditor should have with this practice is that IT has NOT considered:
A. the training needs for users after applying the patch.
B. any beneficial impact of the patch on the operational systems.
C. delaying deployment until testing the impact of the patch.
D. the necessity of advising end users of new patches.

You answered B. The correct answer is C.
A. Normally, there is no need for training users when a new operating system patch has been installed.
B. Any beneficial impact is less important than the risk of unavailability, which could be avoided with proper testing.
C. Deploying patches without testing exposes an organization to the risk of system disruption or failure.
D. Normally, there is no need for advising users when a new operating system patch has been installed except to ensure that the patch is applied at a time that will have minimal impact on operations.

An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by:
A. the project manager.
B. systems development management.
C. business unit management.
D. the quality assurance (QA) team.

You answered B. The correct answer is C.
A. The project manager provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction. The project manager cannot sign off on project requirements; that would be a violation of separation of duties.
B. Systems development management provides technical support for hardware and software environments.
C. Business unit management assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software.
D. The quality assurance (QA) team ensures the quality of the project by measuring adherence to the organization's system development life cycle (SDLC). They will conduct testing but not sign off on the project requirements.

After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend?
A. Stress
B. Black box
C. Interface
D. System

You answered B. The correct answer is D.
A. Stress testing relates to capacity and availability and does not apply in these circumstances.
B. Black box testing would be performed on the individual modules, but the entire system should be tested because more than one module was changed.
C. Interface testing would test the interaction with external systems, but would not validate the performance of the changed system.
D. Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. System testing will test all the functionality and interfaces between modules.

An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A. the controls already in place.
B. the effectiveness of the controls in place.
C. the mechanism for monitoring the risk related to the assets.
D. the threats/vulnerabilities affecting the assets.

You answered B. The correct answer is D.
A. The controls are irrelevant until the IS auditor knows the threats and risk that the controls are intended to address.
B. The effectiveness of the controls must be measured in relation to the risk (based on assets, threats and vulnerabilities) that the controls are intended to address.
C. The first step must be to determine the risk that is being managed before reviewing the mechanism of monitoring risk.
D. One of the key factors to be considered while assessing the information systems risk is the value of the systems (the assets) and the threats and vulnerabilities affecting the assets. The risk related to the use of information assets should be evaluated in isolation from the installed controls.

Which of the following would BEST maintain the integrity of a firewall log?
A. Granting access to log information only to administrators
B. Capturing log events in the operating system layer
C. Writing dual logs onto separate storage media
D. Sending log information to a dedicated third-party log server

You answered B. The correct answer is D.
A. To enforce segregation of duties, administrators should not have access to log files. This primarily contributes to the assurance of confidentiality rather than integrity.
B. There are many ways to capture log information: through the application layer, network layer, operating system layer, etc.; however, there is no log integrity advantage in capturing events in the operating system layer.
C. If it is a highly mission-critical information system, it may be worthwhile to run the system in a dual log mode. Having logs on two different storage devices will primarily contribute to the assurance of the availability of log information, rather than to maintaining its integrity.
D. Establishing a dedicated third-party log server and logging events on it is the best procedure for maintaining the integrity of a firewall log. When access control to the log server is adequately maintained, the risk of unauthorized log modification will be mitigated, therefore improving the integrity of log information.

An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?
A. An application-level gateway
B. A remote access server
C. A proxy server
D. Port scanning

You answered C. The correct answer is A.
A. An application-level gateway is the best way to protect against hacking because it can be configured with detailed rules that describe the type of user or connection that is or is not permitted. It analyzes each packet in detail, not only at layers one through four of the Open Systems Interconnection (OSI) model but also at layers five through seven, which means that it reviews the commands of each higher-level protocol (Hypertext Transfer Protocol [HTTP], File Transfer Protocol [FTP], Simple Network Management Protocol [SNMP], etc.).
B. With a remote access server, there is a device (server) that asks for a username and password before allowing entry to the network. This is good when accessing private networks, but it can be mapped or scanned from the Internet, creating a security exposure.
C. Proxy servers can provide excellent protection, but depending on the type of proxy, they may not be able to examine traffic as effectively as an application gateway. Configuring a proxy server correctly requires someone with detailed knowledge of the task, and applications can use different ports for the different sections of the program.
D. Port scanning is used to detect vulnerabilities or open ports on a network, but not when trying to control what comes from the Internet, or when all the ports available need to be controlled. For example, the port for Ping (echo request) could be blocked and the IP addresses would be available for the application and browsing, but would not respond to Ping.

An IS auditor is performing a review of a network, and users report that the network is slow and web pages periodically time out. The IS auditor confirms the users' feedback and reports the findings to the network manager. The most appropriate action for the network management team should be to FIRST:
A. use a protocol analyzer to perform network analysis and review error logs of local area network (LAN) equipment.
B. take steps to increase the bandwidth of the connection to the Internet.
C. create a baseline using a protocol analyzer and implement quality of service (QoS) to ensure that critical business applications work as intended.
D. implement virtual LANs (VLANs) to segment the network and ensure performance.

You answered C. The correct answer is A.
A. In this case, the first step is to identify the problem through review and analysis of network traffic. Using a protocol analyzer and reviewing the log files of the related switches or routers will determine whether there is a configuration issue or hardware malfunction.
B. While increasing Internet bandwidth may be required, this may not be needed if the performance issue is due to a different problem or error condition.
C. While creating a baseline and implementing quality of service (QoS) will ensure that critical applications have the appropriate bandwidth, in this case the performance issue could be related to misconfiguration or equipment malfunction.
D. While implementing virtual local area networks (VLANs) may be a best practice for ensuring adequate performance, in this case the issue could be related to misconfigurations or equipment malfunction.

Which of the following is the MOST critical element of an effective disaster recovery plan (DRP)?
A. Offsite storage of backup data
B. Up-to-date list of key disaster recovery contacts
C. Availability of a replacement data center
D. Clearly defined recovery time objective (RTO)

You answered C. The correct answer is A.
A. Remote storage of backups is the most critical disaster recovery plan (DRP) element of the items listed because access to backup data is required to restore systems.
B. Having a list of key contacts is important, but not as important as having adequate data backup.
C. A DRP may use a replacement data center or some other solution such as a mobile site, reciprocal agreement or outsourcing agreement.
D. Having a clearly defined recovery time objective (RTO) is especially important for business continuity planning (BCP), but the core element of disaster recovery (the recovery of IT infrastructure and capability) is data backup.

A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the:
A. system and the IT operations team can sustain operations in the emergency environment.
B. resources and the environment could sustain the transaction load.
C. connectivity to the applications at the remote site meets response time requirements.
D. workflow of actual business operations can use the emergency system in case of a disaster.

You answered C. The correct answer is A.
A. The applications have been operated intensively, but the capability of the system and the IT operations team to sustain and support this environment (ancillary operations, batch closing, error corrections, output distribution, etc.) is only partially tested.
B. Because the test involved intensive usage, the backup would seem to be able to handle the transaction load.
C. Because users were able to connect to and use the system, the response time must have been satisfactory.
D. The intensive tests by the business indicated that the workflow systems worked correctly. Changes to the environment could pose a problem in the future, but it is working correctly now.

An IS auditor who is auditing the software acquisition process will ensure that the:
A. contract is reviewed and approved by the legal counsel before it is signed.
B. requirements cannot be met with the systems already in place.
C. requirements are found to be critical for the business.
D. user participation is adequate in the process.

You answered C. The correct answer is A.
A. The process to review and approve the contract is one of the most important steps in the software acquisition process. An IS auditor should verify that legal counsel reviewed and approved the contract before management signs the contract.
B. Existing systems may meet the requirements, but management may choose to acquire software for other reasons.
C. Not all of the requirements in the contract need to support critical business needs; some requirements may be there for ease of use or other purposes.
D. User participation is not necessarily required in the software acquisition process. Instead, users would most likely participate in requirements definition and user acceptance testing (UAT).

A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately and the corresponding products are produced?
A. Verifying production to customer orders
B. Logging all customer orders in the ERP system
C. Using hash totals in the order transmitting process
D. Approving (production supervisor) orders prior to production

You answered C. The correct answer is A.
A. Verification will ensure that produced products match the orders in the customer order system.
B. Logging can be used to detect inaccuracies but does not, in itself, guarantee accurate processing.
C. Hash totals will ensure accurate order transmission, but not accurate processing centrally.
D. Production supervisory approval is a time-consuming, manual process that does not guarantee proper control.

Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an application traffic matrix showing protection methods

You answered C. The correct answer is B.
A. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step.
B. The applications to be accessed across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications.
C. Having identified the externally accessed applications, the second step is to identify vulnerabilities (weaknesses) associated with the network applications.
D. The fourth step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

Which of the following will prevent dangling tuples in a database?
A. Cyclic integrity
B. Domain integrity
C. Relational integrity
D. Referential integrity

You answered C. The correct answer is D.
A. Cyclical checking is the control technique for the regular checking of accumulated data on a file against authorized source documentation. There is no cyclical integrity testing.
B. Domain integrity testing ensures that a data item has a legitimate value in the correct range or set.
C. Relational integrity is performed at the record level and is ensured by calculating and verifying specific fields.
D. Referential integrity ensures that a foreign key in one table is either null or equal to the value of a primary key in the other table. For every tuple in a table that holds a foreign key, there should be a corresponding tuple in the referenced table, i.e., every foreign key value must exist in the table it refers to. If this condition is not satisfied, the result is a dangling tuple.

Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application?
A. User registration and password policies
B. User security awareness
C. Use of intrusion detection/intrusion prevention systems (IDSs/IPSs)
D. Domain name system (DNS) server security hardening

You answered C. The correct answer is D.
A. User registration and password policies cannot mitigate pharming attacks because they do not prevent manipulation of domain name system (DNS) records.
B. User security awareness cannot mitigate pharming attacks because it does not prevent manipulation of DNS records.
C. The use of intrusion detection/intrusion prevention systems (IDSs/IPSs) cannot mitigate pharming attacks because they do not prevent manipulation of DNS records.
D. The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. To avoid this kind of attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning. Older versions of DNS software are vulnerable to this kind of attack and should be patched.

Which of the following choices would be the BEST source of information when developing a risk-based audit plan?
A. Process owners identify key controls.
B. System custodians identify vulnerabilities.
C. Peer auditors understand previous audit results.
D. Senior management identify key business processes.

You answered C. The correct answer is D.
A. While process owners should be consulted to identify key controls, senior management would be a better source to identify business processes, which are more important.
B. System custodians would be a good source to better understand the risk and controls as they apply to specific applications; however, senior management would be a better source to identify business processes, which are more important.
C. The review of previous audit results is one input into the audit planning process; however, if previous audits focused on a limited or restricted scope, or if the key business processes have changed and/or new business processes have been introduced, then this would not contribute to the development of a risk-based audit plan.
D. Developing a risk-based audit plan must start with the identification of key business processes, which will determine and identify the risk that needs to be addressed.

During a feasibility study regarding outsourcing IT processing, the relevance for the IS auditor of reviewing the vendor's business continuity plan (BCP) is to:
A. evaluate the adequacy of the service levels that the vendor can provide in a contingency.
B. evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. review the experience of the vendor's staff.
D. test the BCP.

You answered D. The correct answer is A.
A. A key factor in a successful outsourcing environment is the capability of the vendor to face a contingency and continue to support the organization's processing requirements.
B. Financial stability is not related to the vendor's BCP.
C. Experience of the vendor's staff is not related to the vendor's BCP.
D. The review of the vendor's BCP during a feasibility study is not a way to test the vendor's BCP.

Use of asymmetric encryption in an Internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the:
A. customer over the authenticity of the hosting organization.
B. hosting organization over the authenticity of the customer.
C. customer over the confidentiality of messages from the hosting organization.
D. hosting organization over the confidentiality of messages passed to the customer.

You answered D. The correct answer is A.
A. Any false site will not be able to encrypt using the private key of the real site, so the customer would not be able to decrypt the message using the public key.
B. Many customers have access to the same public key, so the host cannot use this mechanism to ensure the authenticity of the customer.
C. The customer cannot be assured of the confidentiality of messages from the host because many people have access to the public key and can decrypt the messages from the host.
D. The host cannot be assured of the confidentiality of messages sent out, because many people have access to the public key and can decrypt them.

An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is the MOST likely cause of this issue?
A. Project scope management
B. Project time management
C. Project risk management
D. Project procurement management

You answered D. The correct answer is A.
A. Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processes required to ensure that the project includes all of the required work, and only the required work, to complete the project.
B. Project time management is defined as the processes required to ensure timely completion of the project. The issue noted in the question does not mention whether projects were completed on time, so this is not the most likely cause.
C. Project risk management is defined as the processes concerned with identifying, analyzing and responding to project risk. Although the budget overruns mentioned above represent one form of project risk, they appear to be caused by implementing too much functionality, which relates more directly to project scope.
D. Project procurement management is defined as the processes required to acquire goods and services from outside the performing organization. Although purchasing goods and services that are too expensive can cause budget overruns, in this case the key to the question is that implemented functionality is greater than what was required, which is more likely related to project scope.

An IS auditor reviewing the operating system integrity of a server would PRIMARILY: A. verify that privileged programs or services cannot be invoked by user programs. B. determine whether administrator accounts have proper password controls. C. ensure that file permissions are correct on configuration files. Incorrect D. verify that programs or services running on the server are from valid sources.

You answered D. The correct answer is A. A. If user-level programs can interfere with privileged programs or services, then changes to system parameters and operating system (OS) integrity issues could result. A privilege escalation attack occurs when a user with limited authority is able to perform actions beyond what he/she has been authorized to do. For example, consider a program scheduling utility that often can run with "system level" authority and allows the user to run a program that his/her security profile ordinarily would not allow. Configuration features of the OS, such as file permissions for critical files, must be set correctly to ensure that privilege escalation attacks are less likely to occur. B. Password controls on administrator accounts are very important, but ensuring that programs operate within their defined security limits is much more critical. C. While file permissions are important, this is only part of the process of ensuring OS integrity. D. The risk associated with privileged programs or services is more severe than risk related to software that has been compromised or obtained from sources that are not valid.

In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether: A. there is an integration of IT and business personnel within projects. B. there is a clear definition of the IT mission and vision. C. a strategic information technology planning scorecard is in place. Incorrect D. the plan correlates business objectives to IT goals and objectives.

You answered D. The correct answer is A. A. The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IT short-range plan. B. A clear definition of the IT mission and vision would be covered by a strategic plan. C. A strategic information technology planning scorecard would be covered by a strategic plan. D. Business objectives correlating to IT goals and objectives would be covered by a strategic plan.

Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects? A. Increase the time allocated for system testing. B. Implement formal software inspections. C. Increase the development staff. Incorrect D. Require the sign-off of all project deliverables.

You answered D. The correct answer is B. A. Allowing more time for testing may discover more defects; however, little is revealed as to why the quality problems are occurring, and the cost of the extra testing and the cost of rectifying the defects found will be greater than if they had been discovered earlier in the development process. B. Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction because less rework is involved. C. The ability of the development staff can have a bearing on the quality of what is produced; however, replacing staff can be expensive and disruptive, and the presence of a competent staff cannot guarantee quality in the absence of effective quality management processes. D. Sign-off of deliverables may help detect defects if signatories are diligent about reviewing deliverable content; however, this is difficult to enforce and may occur too late in the process to be cost-effective. Deliverable reviews normally do not go down to the same level of detail as software inspections.

Receiving an electronic data interchange (EDI) transaction and passing it through the communication's interface stage usually requires: A. translating and unbundling transactions. B. routing verification procedures. C. passing data to the appropriate application system. Incorrect D. creating a point of receipt audit log.

You answered D. The correct answer is B. A. Electronic data interchange (EDI) or ANSI X12 is a standard that must be interpreted by an application for transactions to be processed and then to be invoiced, paid and sent, whether they are for merchandise or services. B. The communication's interface stage requires routing verification procedures. C. There is no point in sending and receiving EDI transactions if they cannot be processed by an internal system. D. Unpacking transactions and recording audit logs are important elements that help follow business rules and establish controls, but are not part of the communication's interface stage.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server? A. Manually copy files to accomplish replication. B. Review changes in the software version control system. C. Ensure that developers do not have access to the backup server. Incorrect D. Review the access control log of the backup server.

You answered D. The correct answer is B. A. Even if replication is conducted manually with due care, there still remains a risk of copying unauthorized software from one server to another. B. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Only moving the versions held in the version control system (VCS) will prevent the transfer of development or earlier versions. C. If unauthorized code was introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk. D. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk? A. Inherent B. Detection C. Control Incorrect D. Business

You answered D. The correct answer is B. A. Inherent risk is the risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error. Inherent risk is not usually affected by an IS auditor. B. Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue. C. Control risk is the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. Control risk can be mitigated by the actions of the company's management. D. Business risk is a probable situation with uncertain frequency and magnitude of loss (or gain). Business risk is usually not directly affected by an IS auditor.

Inadequate programming and coding practices introduce the risk of: A. phishing. B. buffer overflow exploitation. C. synchronize (SYN) flood. Incorrect D. brute force attacks.

You answered D. The correct answer is B. A. Phishing is a social engineering attack that attempts to gather sensitive information from a customer—often via email. This is not a programming or coding problem. B. Buffer overflow exploitation may occur when programs do not check the length of the data that are input into a program. An attacker can send data that exceed the length of a buffer and override part of the program with malicious code. The countermeasure is proper programming and good coding practices. C. A synchronize (SYN) flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system. A SYN flood is not related to programming and coding practices. D. Brute force attacks are used against passwords and are not related to programming and coding practices.

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key? A. Certificate revocation list (CRL) B. Certification practice statement (CPS) C. Certificate policy (CP) Incorrect D. PKI disclosure statement (PDS)

You answered D. The correct answer is B. A. The certificate revocation list (CRL) is a list of certificates that have been revoked before their scheduled expiration date. B. The certification practice statement (CPS) is the how-to document used in policy-based public key infrastructure (PKI). C. The certificate policy (CP) sets the requirements that are subsequently implemented by the CPS. D. The PKI disclosure statement (PDS) covers critical items such as the warranties, limitations and obligations that legally bind each party.

An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: A. check to ensure that the type of transaction is valid for the card type. B. verify the format of the number entered, then locate it on the database. C. ensure that the transaction entered is within the cardholder's credit limit. Incorrect D. confirm that the card is not shown as lost or stolen on the master file.

You answered D. The correct answer is B. A. The initial validation would not be used to check the transaction type—just the validity of the card number. B. The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number (PIN) entered by the user. Based on this initial validation, all other validations will proceed. A validation control in data capture will ensure that the data entered are valid (i.e., can be processed by the system). If the data captured in the initial validation are not valid (if the card number or PIN do not match with the database), then the card will be rejected or captured per the controls in place. Once initial validation is completed, other validations specific to the card and cardholder would be performed. C. The initial validation is to prove the card number entered is valid—only then can the transaction amount be checked for approval from the bank. D. The verification that the card has not been reported as lost or stolen is only done after the card number has been validated as correctly entered.

Upon receipt of the initial signed digital certificate the user will decrypt the certificate with the public key of the: A. registration authority (RA). B. certificate authority (CA). C. certificate repository. Incorrect D. receiver.

You answered D. The correct answer is B. A. The registration authority (RA) authenticates applicants for a certificate but does not issue or validate the certificates. B. A certificate authority (CA) is a trusted authority that issues and manages security credentials and public keys for message encryption. As a part of the public key infrastructure, a CA checks with an RA to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can issue a certificate. The CA signs the certificate with its private key for distribution to the user. Upon receipt, the user will decrypt the certificate with the CA's public key. C. The certificate repository is a commonly available directory of all the public keys issued by a CA. D. The digital certificate is signed using the private key of the CA; therefore, the CA's public key is the only key that will validate the certificate.

An organization has implemented an online customer help desk application using a Software as a Service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide? A. Ask the SaaS vendor to provide a weekly report on application uptime. B. Implement an online polling tool to monitor the application and record outages. C. Log all application outages reported by users and aggregate the outage time weekly. Incorrect D. Contract an independent third party to provide weekly reports on application uptime.

You answered D. The correct answer is B. A. Weekly application availability reports are useful, but these reports represent only the vendor's perspective. While monitoring these reports, the organization can raise concerns of inaccuracy; however, without internal monitoring, such concerns cannot be substantiated. B. Implementing an online polling tool to monitor and record application outages is the best option for an organization to monitor application availability. Comparing internal reports with the vendor's service level agreement (SLA) reports would ensure that the vendor's monitoring of the SLA is accurate and that all conflicts are appropriately resolved. C. Logging the outage times reported by users is helpful, but does not give a true picture of all outages of the online application. Some outages may go unreported, especially if the outages are intermittent. D. Contracting a third party to implement availability monitoring is not a cost-effective option. Additionally, this results in a shift from monitoring the SaaS vendor to monitoring the third party.

The FIRST step in the execution of a problem management mechanism should be: A. issue analysis. B. exception ranking. C. exception reporting. Incorrect D. root cause analysis.

You answered D. The correct answer is C. A. Analysis and resolution are performed after logging and triage have been performed. B. Exception ranking can only be performed once the exceptions have been reported. C. The reporting of operational issues is normally the first step in tracking problems. D. Root cause analysis is performed once the exceptions have been identified and is not normally the first part of problem management.

A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident? A. Dump the volatile storage data to a disk. B. Run the server in a fail-safe mode. C. Disconnect the web server from the network. Incorrect D. Shut down the web server.

You answered D. The correct answer is C. A. Dumping the volatile storage data to a disk may be used at the investigation stage, but does not contain an attack in progress. B. To run the server in a fail-safe mode, the server needs to be shut down. C. The first action is to disconnect the web server from the network to secure the device for investigation, contain the damage and prevent more actions by the attacker. D. Shutting down the server could potentially erase information that might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.

An IS auditor is reviewing changes to a company's disaster recovery (DR) strategy. The IS auditor notices that the recovery point objective (RPO) has been shortened for the company's mission-critical application. What is the MOST significant risk of this change? A. The existing DR plan is not updated to achieve the new RPO. B. The DR team has not been trained on the new RPO. C. Backups are not done frequently enough to achieve the new RPO. Incorrect D. The plan has not been tested with the new RPO.

You answered D. The correct answer is C. A. If the plan is not updated to reflect the new strategic goals of recovery time objective (RTO) and recovery point objective (RPO), then the plan may not achieve those new goals. This is a less significant problem than not having the appropriate data available. B. The lack of training on the new disaster recovery (DR) strategy creates risk in the team's ability to execute the plan, but this risk is not as significant as not having data available due to the frequency of backups. C. The RPO is defined in the ISACA glossary as "the earliest point in time to which it is acceptable to recover the data." If backups are not performed frequently enough to meet the new RPO, a risk is created that the company will not have adequate backup data in the event of a disaster. This is the most significant risk because, without availability of the necessary data, all other DR considerations are not useful. D. The lack of testing of the revised plan creates risk in the team's ability to execute the plan, but this risk is not as significant as not having data available due to the frequency of backups.

Which of the following specifically addresses how to detect cyberattacks against an organization's IT systems and how to recover from an attack? Correct A. An incident response plan (IRP) B. An IT contingency plan C. A business continuity plan (BCP) D. A continuity of operations plan (COOP)

You are correct, the answer is A. A. The incident response plan (IRP) determines the information security responses to incidents such as cyberattacks on systems and/or networks. This plan establishes procedures to enable security personnel to identify, mitigate and recover from malicious computer incidents such as unauthorized access to a system or data, denial of service (DoS) or unauthorized changes to system hardware or software. B. The IT contingency plan addresses IT system disruptions and establishes procedures for recovering from a major application or general support system failure. The contingency plan deals with ways to recover from an unexpected failure, but it does not address the identification or prevention of cyberattacks. C. The business continuity plan (BCP) addresses business processes and provides procedures for sustaining essential business operations while recovering from a significant disruption. While a cyberattack could be severe enough to require use of the BCP, the IRP would be used to determine which actions should be taken—both to stop the attack as well as to resume normal operations after the attack. D. The continuity of operations plan (COOP) addresses the subset of an organization's missions that are deemed most critical and contains procedures to sustain these functions at an alternate site for a short time period.

Which of the following BEST describes the purpose of performing a risk assessment in the planning phase of an IS audit? A. To establish adequate staffing requirements to complete the IS audit Correct B. To provide reasonable assurance that all material items will be addressed C. To determine the knowledge required to perform the IS audit D. To develop the audit program and procedures to perform the IS audit

You are correct, the answer is B. A. A risk assessment does not directly influence staffing requirements. B. A risk assessment helps focus the audit procedures on the highest risk areas included in the scope of the audit. The concept of reasonable assurance is important as well. C. A risk assessment does not identify the knowledge required to perform an IS audit. D. A risk assessment is not used in the development of the audit program and procedures.

When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those: A. whose sum of activity time is the shortest. Correct B. that have zero slack time. C. that give the longest possible completion time. D. whose sum of slack time is the shortest.

You are correct, the answer is B. A. Attention should focus on the tasks within the critical path that have no slack time. B. A critical path's activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing, i.e., for reduction in their time by payment of a premium for early completion. Activities on the critical path have zero slack time and conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs vs. time can be obtained. C. The critical path is the longest time length of the activities, but is not based on the longest time of any individual activity. D. A task on the critical path has no slack time.

An IS auditor finds that database administrators (DBAs) have access to the log location on the database server and the ability to purge logs from the system. What is the BEST audit recommendation to ensure that DBA activity is effectively monitored? A. Change permissions to prevent DBAs from purging logs. Correct B. Forward database logs to a centralized log server. C. Require that critical changes to the database are formally approved. D. Back up database logs to tape.

You are correct, the answer is B. A. Changing the database administrator (DBA) permissions to prevent DBAs from purging logs may not be feasible and does not adequately protect the availability and integrity of the database logs. B. To protect the availability and integrity of the database logs, it is most feasible to forward the database logs to a centralized log server to which the DBAs do not have access. C. Requiring that critical changes to the database are formally approved does not adequately protect the availability and integrity of the database logs. D. Backing up database logs to tape does not adequately protect the availability and integrity of the database logs.

Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration? A. Function point analysis (FPA) Correct B. Program evaluation review technique (PERT) chart C. Rapid application development D. Object-oriented system development

You are correct, the answer is B. A. Function point analysis (FPA) is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal files. While this will help determine the size of individual activities, it will not assist in determining project duration because there are many overlapping tasks. B. A program evaluation review technique (PERT) chart will help determine project duration once all the activities and the work involved with those activities are known. C. Rapid application development is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality. D. Object-oriented system development is the process of solution specification and modeling but will not assist in calculating project duration.

When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST? A. The project budget Correct B. The critical path for the project C. The length of the remaining tasks D. The personnel assigned to other tasks

You are correct, the answer is B. A. Given that there may be slack time available on some of the other tasks not on the critical path, the resource allocation should be based on the project segments that affect delivery dates. B. Because adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will, in fact, shorten the project duration. C. Given that there may be slack time available on some of the other tasks not on the critical path, a factor such as the length of other tasks may or may not be affected. D. Depending on the skill level of the resources required or available, the addition of resources may not, in fact, shorten the time line. Therefore, the first step is to examine what resources are required to address the times on the critical path.

An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend? A. User acceptance testing (UAT) occur for all reports before release into production Correct B. Organizational data governance practices be put in place C. Standard software tools be used for report development D. Management sign-off on requirements for new reports

You are correct, the answer is B. A. Recommending that user acceptance testing (UAT) occur for all reports before release into production does not address the root cause of the problem described. B. This choice directly addresses the problem. An organizationwide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative. C. Recommending standard software tools be used for report development does not address the root cause of the problem described. D. Recommending that management sign off on requirements for new reports does not address the root cause of the problem described.

Which of the following BEST limits the impact of server failures in a distributed environment? A. Redundant pathways Correct B. Clustering C. Dial backup lines D. Standby power

You are correct, the answer is B. A. Redundant pathways will minimize the impact of channel communications failures, but will not address the problem of server failure. B. Clustering allows two or more servers to work as a unit so that when one of them fails, the other takes over. C. Dial backup lines will minimize the impact of channel communications failures, but not a server failure. D. Standby power provides an alternative power source in the event of an energy failure, but does not address the problem of a server failure.

Which control is the BEST way to ensure that the data in a file have not been changed during transmission? A. Reasonableness check B. Parity bits Correct C. Hash values D. Check digits

You are correct, the answer is C. A. A reasonableness check is used to ensure that input data is within expected values, not to ensure integrity of data transmission. B. Parity bits are a weak form of data integrity checks used to detect errors in transmission, but they are not as good as using a hash. C. Hash values are calculated on the file and are very sensitive to any changes in the data values in the file. D. Check digits are used to detect an error in an account number—usually related to a transposition or transcribing error.

Which of the following is a MAJOR concern during a review of help desk activities? A. Certain calls could not be resolved by the help desk team. B. A dedicated line is not assigned to the help desk team. Correct C. Resolved incidents are closed without reference to users. D. The help desk instant messaging has been down for over six months.

You are correct, the answer is C. A. Although this is of concern, it should be expected. A problem escalation procedure should be developed to handle such scenarios. B. Ideally, a help desk team should have dedicated lines, but this exception is not as serious as the technical team unilaterally closing an incident. C. The help desk function is a service-oriented unit. The users must sign off before an incident can be regarded as closed. D. Instant messaging is an add-on to improve the effectiveness of the help desk team. Its absence cannot be seen as a major concern as long as calls can still be made.

The BEST method of confirming the accuracy of a system tax calculation is by: A. detailed visual review and analysis of the source code of the calculation programs. B. recreating program logic using generalized audit software to calculate monthly totals. Correct C. preparing simulated transactions for processing and comparing the results to predetermined results. D. automatic flowcharting and analysis of the source code of the calculation programs.

You are correct, the answer is C. A. Detailed visual review of source code is not an effective method of ensuring that the calculation is being computed correctly. B. Recreating program logic may lead to errors, and monthly totals are not accurate enough to ensure correct computations. C. Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation. D. Flowcharting and analysis of source code are not effective methods to address the accuracy of individual tax calculations.

Which of the following is the MOST important security consideration to an organization that wants to reduce its IS infrastructure by using servers provided by a Platform as a Service (PaaS) vendor? A. Require users of the new application to adopt specific, minimum-length passwords. B. Implement a firewall that monitors incoming traffic using the organization's standard settings. Correct C. Review the need for encryption of stored and transmitted application data. D. Make the service vendor responsible for application security through contractual terms.

You are correct, the answer is C. A. Requiring application users to maintain another password may not be popular. A more fundamental reason is that many cloud service providers expose their services via application programming interfaces (APIs). These APIs are designed to accept tokens, not passwords. Ideally, they use an open standard such as Security Assertion Markup Language (SAML) or WS-Federation for exchanging authentication and authorization information. An authentication scheme needs to take into account the type of application users—organization employees, employees of partner organizations, customers or a combination of user types. Additionally, the increasing trend is for web applications to be accessible by multiple device types. Therefore, the organization may need to employ a "bring your own identity" scheme of authentication. An appropriate mechanism (such as a security token, smart card, one-time password via short message service [SMS] or telephone) based on assessed risk should be used to confirm user identity. B. In a Platform as a Service (PaaS) cloud computing model, network security remains the responsibility of the cloud service provider. Because multiple tenants use the cloud service provider's infrastructure, insisting on a specific firewall configuration is not practical, although it may be possible to agree to some arrangements when negotiating the service contract. The "deperimeterized" nature of cloud computing enhances the need for strong application security controls to be designed, tested and implemented. C. With cloud computing, an application does not run on an organization's trusted environment. Instead, it runs on infrastructure shared by other tenants and administered by people not employed by the organization. Therefore, depending on the nature of the data, there may be a greater need to rely on encryption to protect privacy. This may apply not just to data when they are stored in the cloud, but also during transmission. However, careful consideration must be given to the nature of the data to understand what degree of protection is needed. Using encryption can increase complexity and have performance implications. The possibility of using compensating controls, e.g., protecting stored data through database access controls, should also be considered. D. In a PaaS cloud computing model, the service provider supplies the computing infrastructure and development frameworks. While requirements for basic infrastructure security can be discussed and possibly included as contract terms, responsibility for building a secure application rests with the customer organization. Given that cloud computing enhances some threats present with traditional in-house hosted systems as well as introducing some new threats, it is particularly important that application security controls be given strong focus during application development.

Accountability for the maintenance of appropriate security measures over information assets resides with the: A. security administrator. B. systems administrator. Correct C. data and systems owners. D. systems operations group.

You are correct, the answer is C. A. System owners are accountable for systems security, but they typically delegate day-to-day security responsibilities to a security administrator. B. The systems administrator is responsible for operating the system according to the conditions set by the system owner. C. Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. Even though they delegate much of the operational responsibility, owners remain accountable for the maintenance of appropriate security measures. D. System owners typically delegate day-to-day custodianship to the system's delivery/operations group.

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date? A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables Correct C. Extrapolation of the overall end date based on completed work packages and current resources D. Calculation of the expected end date based on current resources and remaining available project budget

You are correct, the answer is C. A. The IS auditor cannot count on the accuracy of data in status reports for reasonable assurance. B. Interviews are a valuable source of information, but will not necessarily identify any project challenges because the people being interviewed are involved in the project. C. Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (80:20 rule). D. The calculation based on remaining budget does not take into account the speed at which the project has been progressing.

Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases? A. Change management B. Backup and recovery C. Incident management Correct D. Configuration management

You are correct, the answer is D. A. Change management is important to control changes to the configuration, but the baseline itself refers to a standard configuration. B. Backup and recovery of the configuration are important, but not used to create the baseline. C. Incident management will determine how to respond to an adverse event, but is not related to recording baseline configurations. D. The configuration management process may include automated tools that will provide an automated recording of software release baselines. Should the new release fail, the baseline will provide a point to which to return.
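The answer explanation says a configuration management tool records the release baseline and gives a known point to return to. The following added example, which is not part of the practice test and not any particular product's code, shows the minimum such a recording involves: a manifest of every file in the release tree with its SHA-256, stored outside the tree, and a drift report that compares the current tree against that manifest. The directory layout, file names and contents are constructed for the walk-through.

```python
"""Recording and verifying a software release baseline (constructed example)."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def record_baseline(root: Path) -> dict[str, str]:
    """Map every file under `root` (relative POSIX path) to its SHA-256 digest."""
    baseline: dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def save_baseline(baseline: dict[str, str], manifest: Path) -> None:
    """Persist the manifest; in practice it lives in the CM repository, not on the host."""
    manifest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest: Path) -> dict[str, str]:
    return json.loads(manifest.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Drift report: files added, removed, or changed since the baseline was recorded."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def demo() -> dict[str, list[str]]:
    """Build a throwaway release tree, baseline it, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        release = root / "release"
        (release / "bin").mkdir(parents=True)
        (release / "bin" / "app").write_bytes(b"release 1.0 binary")  # constructed content
        (release / "app.conf").write_text("debug=false\n")
        (release / "VERSION").write_text("1.0\n")

        manifest = root / "baseline-1.0.json"  # kept outside the release tree
        save_baseline(record_baseline(release), manifest)

        # Undocumented changes after go-live: a config edit, a hotfix library, a deleted file.
        (release / "app.conf").write_text("debug=true\n")
        (release / "hotfix.so").write_bytes(b"\x7fELF")
        (release / "VERSION").unlink()

        return compare(load_baseline(manifest), record_baseline(release))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The drift report is what an auditor would ask to see after a failed release: it tells you exactly which files differ from the recorded baseline, so a rollback can be verified rather than assumed. Keeping the manifest outside the release tree (and ideally signed) matters, because a manifest stored beside the files it describes can be altered along with them.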

Which of the following BEST helps ensure that deviations from the project plan are identified? A. A project management framework B. A project management approach C. A project resource plan Correct D. Project performance criteria

You are correct, the answer is D. A. Establishment of a project management framework identifies the scope and boundaries of managing projects and the consistent method to be applied when initiating a project, but does not define the criteria used to measure project success. B. A project management approach defines guidelines for project management processes and deliverables, but does not define the criteria used to measure project success. C. A project resource plan defines the responsibilities, relationships, authorities and performance criteria of project team members, but does not wholly define the criteria used to measure project success. D. To identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success.

Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions? A. Parity check B. Echo check C. Block sum check Correct D. Cyclic redundancy check (CRC)

You are correct, the answer is D. A. A parity check (also known as a vertical redundancy check) adds one bit (the parity bit) to each character during transmission. Because it can only detect an odd number of flipped bits in a character, it catches a burst of errors (e.g., impulse noise during high-speed transmission) only about 50 percent of the time. At higher transmission rates this limitation is significant. B. Echo checks detect line errors by retransmitting data to the sending device for comparison with the original transmission. C. A block sum check is a form of parity checking applied across a block of characters and has a low level of reliability. D. The cyclic redundancy check (CRC) checks a whole block of transmitted data. The sending workstation generates the CRC and transmits it with the data; the receiving workstation computes its own CRC and compares it to the transmitted one. If the two are equal, the block is assumed to be error free. Unlike a parity or echo check, a CRC detects multiple errors in a block: in general it detects all single-bit and double-bit errors, and any burst of errors no longer than the width of the CRC.
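To make the difference concrete, here is an added example (not part of the practice test) that implements the three checks from the explanation and runs them against a constructed frame with a burst error injected. The burst flips the same two adjacent bits in two consecutive bytes: each byte keeps its parity, and the two flips cancel in the XOR block sum, so neither of those checks notices, while the 16-bit CRC does. The frame contents, the burst pattern and the CRC parameters (CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF) are choices made for this example.

```python
"""Parity vs. block sum vs. CRC on a burst error (constructed example)."""
from __future__ import annotations


def even_parity_bit(byte: int) -> int:
    """Parity bit that makes the total number of 1 bits in (byte, bit) even."""
    return bin(byte & 0xFF).count("1") & 1


def parity_ok(received: bytes, sent_parity: list[int]) -> bool:
    """Per-character (vertical redundancy) check against the sender's parity bits."""
    return all(even_parity_bit(b) == p for b, p in zip(received, sent_parity))


def block_sum(data: bytes) -> int:
    """Longitudinal (block sum) check: XOR of every byte in the block."""
    total = 0
    for b in data:
        total ^= b
    return total


def crc(data: bytes, poly: int = 0x1021, width: int = 16, init: int = 0xFFFF) -> int:
    """Bitwise CRC, MSB first, no reflection. Defaults give CRC-16/CCITT-FALSE."""
    top = 1 << (width - 1)
    mask = (1 << width) - 1
    reg = init
    for byte in data:
        reg ^= byte << (width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ poly) & mask if reg & top else (reg << 1) & mask
    return reg


def inject_burst(data: bytes, start: int, masks: list[int]) -> bytes:
    """Simulate line noise: XOR consecutive bytes from `start` with the given masks."""
    out = bytearray(data)
    for i, m in enumerate(masks):
        out[start + i] ^= m
    return bytes(out)


def detect(sent: bytes, received: bytes) -> dict[str, bool]:
    """For each scheme, True if the receiver would notice the corruption."""
    return {
        "parity": not parity_ok(received, [even_parity_bit(b) for b in sent]),
        "block_sum": block_sum(received) != block_sum(sent),
        "crc16": crc(received) != crc(sent),
    }


if __name__ == "__main__":
    frame = b"NETWORK BLOCK 01"  # constructed sample frame
    # Burst: the same two adjacent bits flipped in two consecutive bytes.
    # Each byte keeps its parity, and the two XORs cancel in the block sum.
    burst = inject_burst(frame, 3, [0b0000_0110, 0b0000_0110])
    print("burst  :", detect(frame, burst))
    single = inject_burst(frame, 5, [0b0001_0000])
    print("single :", detect(frame, single))
```

A single flipped bit is caught by all three checks; the burst is caught only by the CRC. The CRC guarantee comes from the generator polynomial: any burst no longer than the CRC width leaves a nonzero remainder, which is why CRC is the right answer for the question's "bursts of errors" wording rather than any parity scheme.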

Which of the following is the BEST method to ensure that critical IT system failures do not recur? A. Invest in redundant systems. B. Conduct a follow-up audit. C. Monitor system performance. Correct D. Perform root cause analysis.

You are correct, the answer is D. A. Redundancy may be a solution; however, a root cause analysis enables an educated decision to address the origin of the problem instead of simply assuming that system redundancy is the solution. B. While an audit may discover the root cause of the problem, an audit is not a solution to an operational problem. Identifying the origins of operational failures needs to be part of day-to-day IT processes and owned by the IT department. C. Use of monitoring tools is a means to gather data and can contribute to root cause analysis, but it does not by itself help prevent an existing problem from recurring. D. Root cause analysis determines the key reason an incident has occurred and allows for appropriate corrections that will help prevent the incident from recurring.

The ability to recognize a potential security incident is: A. the primary responsibility of security personnel. B. not important because many types of incidents could involve security. C. supported by detailed policies. Correct D. required of all personnel.

You are correct, the answer is D. A. The skill of recognizing potential security incidents should NOT be limited to security staff. While security staff may be more proficient in determining whether an incident is a problem, all employees should have the basic skills to identify potential security incidents and be aware of the process to alert the security team in a timely manner. B. Not all incidents are security incidents or need to involve security personnel. C. Corporate standards should provide clear criteria of what constitutes a security incident. Policies do not provide such detail. D. What constitutes a security incident must be defined in severity criteria documents and must be understood by all personnel.

A new business application has been designed in a large, complex organization and the business owner has requested that the various reports be viewed on a "need to know" basis. Which of the following access control methods would be the BEST method to achieve this requirement? A. Mandatory Correct B. Role-based C. Discretionary D. Single sign-on (SSO)

You are correct, the answer is B. A. An access control system based on mandatory access control (MAC) would be expensive, unnecessary and difficult to implement and maintain. B. Role-based access control limits access according to job roles and responsibilities and would be the best method to allow only authorized users to view reports on a need-to-know basis. C. Discretionary access control (DAC) is where the owner of the resources decides who should have access to that resource. Most access control systems are an implementation of DAC. This answer is not specific enough for this question. D. Single sign-on (SSO) is an access control technology used to manage access to multiple systems, networks and applications. This answer is not specific enough for this question.
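The explanation says role-based access control is what makes need-to-know manageable in a large organization. The following added example (not part of the practice test, and not any product's implementation) shows why: reports are granted to roles, users are only ever given roles, every check is default-deny, roles can inherit from other roles, and pairs of roles can be declared mutually exclusive so that separation of duties is enforced at assignment time. The role names, report names and users are hypothetical.

```python
"""Need-to-know report access with role-based access control (constructed example)."""
from __future__ import annotations

from collections import defaultdict


class RbacPolicy:
    """Reports are granted to roles, never to individuals; users are given roles.

    Checks are default-deny, roles may inherit other roles, and pairs of roles
    can be declared mutually exclusive (separation of duties).
    """

    def __init__(self) -> None:
        self.role_reports: dict[str, set[str]] = defaultdict(set)
        self.parent_roles: dict[str, set[str]] = defaultdict(set)
        self.user_roles: dict[str, set[str]] = defaultdict(set)
        self.exclusive: set[frozenset[str]] = set()

    # --- administration (decided by the business owner, applied by the security administrator) ---
    def grant(self, role: str, report: str) -> None:
        self.role_reports[role].add(report)

    def inherits(self, child: str, parent: str) -> None:
        """`child` can see everything `parent` can see (role hierarchy)."""
        self.parent_roles[child].add(parent)

    def forbid_together(self, role_a: str, role_b: str) -> None:
        self.exclusive.add(frozenset((role_a, role_b)))

    def conflicts(self, user: str, role: str) -> bool:
        """True if giving `role` to `user` would violate a separation-of-duties rule."""
        return any(frozenset((held, role)) in self.exclusive for held in self.user_roles.get(user, ()))

    def assign(self, user: str, role: str) -> None:
        if self.conflicts(user, role):
            raise ValueError(f"{user}: role {role!r} conflicts with an existing role")
        self.user_roles[user].add(role)

    def revoke(self, user: str, role: str) -> None:
        """Dropping one role removes access to every report that role (or its parents) carried."""
        self.user_roles[user].discard(role)

    # --- enforcement (called by the application before it renders a report) ---
    def effective_roles(self, user: str) -> set[str]:
        seen: set[str] = set()
        stack = list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.parent_roles.get(role, ()))
        return seen

    def can_view(self, user: str, report: str) -> bool:
        """Default-deny: True only if some effective role has been granted the report."""
        return any(report in self.role_reports.get(r, ()) for r in self.effective_roles(user))

    def viewers(self, report: str) -> set[str]:
        """Who can see a report today: the list an owner reviews to confirm need-to-know."""
        return {u for u in self.user_roles if self.can_view(u, report)}


def build_demo_policy() -> RbacPolicy:
    """Hypothetical roles, reports and users for the walk-through."""
    p = RbacPolicy()
    p.grant("hr_analyst", "headcount_report")
    p.grant("payroll_clerk", "payroll_register")
    p.grant("finance_manager", "budget_variance")
    p.inherits("finance_manager", "payroll_clerk")          # managers also see the register
    p.forbid_together("payroll_clerk", "payroll_approver")  # nobody both prepares and approves payroll
    p.assign("alice", "hr_analyst")
    p.assign("bob", "finance_manager")
    p.assign("carol", "payroll_clerk")
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(r for r in ("headcount_report", "payroll_register", "budget_variance")
                           if policy.can_view(user, r)))
```

Contrast this with the discretionary model in option C: there, each report owner hands out per-user permissions, and after a few reorganizations nobody can say who should still have access. With roles, a job change is a single revoke/assign, and `viewers()` gives the owner a reviewable answer to "who can see this report?".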
