Section 2: Quiz 18 - IT Resource Management


Which of the following is the primary consideration when reviewing the IT priorities and co-ordination? A. Alignment of the project with business objectives B. Management of project risk C. Cost of project controls D. IT project escalation process

A. Alignment of the project with the business objectives Explanation: The main goal of IT projects is to add value to business processes. An IS auditor should first focus on ensuring that IT initiatives are aligned with business objectives. The other answers are not as critical as option A.

The integrity of new staff can be determined by which of the following? A. Conducting background verification B. Analyzing their family background C. Analyzing prior experience D. Reviewing the qualifications listed on a resume

A. Conducting background verification Explanation: A background verification process is the main tool to ensure the integrity of a prospective employee. This may include criminal history checks, financial status checks, verification of education, and so on.

The most important consideration when reviewing an approved software product list is which of the following? A. Whether the risk associated with each product is reviewed periodically B. Whether the latest versions of products are listed C. Whether the list is approved every year D. Whether the list contains vendor support details

A. The risk associated with the use of the products is periodically assessed Explanation: IT products should be assessed on a periodic basis to ensure that any new and emerging risks are appropriately addressed. This should be incorporated as a part of the IT risk management process.

The rate of change in technology increases the importance of which of the following? A. Outsourcing IT functions B. Implementing and enforcing sound processes C. Hiring qualified personnel D. Meeting user requirements

B. Implementing and enforcing sound processes Explanation: It is essential to implement sound IT processes and policies to cope with frequent and rapid IT changes.

The prime objective of mandatory holidays for employees is which of the following? A. Improve the productivity of the employee B. Reduce the opportunity for fraud or illegal acts C. Provide training to other staff D. Test the business continuity

B. It reduces the opportunity for fraud or illegal acts Explanation: Mandatory holidays aim to hand over the processes that the employee was responsible for to another employee, thereby unearthing any fraud or process lapses committed by the employee on holiday. The other answers are secondary advantages.

The best compensatory control for a lack of segregation of duties between IT staff and end users is which of the following? A. Restricting physical access to computing equipment B. Reviewing transaction and application logs C. Conducting background checks before hiring IT staff D. Locking user sessions after a stated duration of inactivity

B. Reviewing transaction and application logs Explanation: When it is not possible to implement SoD, an appropriate compensating control should be in place. Monitoring and reviewing logs acts as the best compensating control in this scenario. This will act as both a preventive and detective control as employees will be deterred from misuse of power as they are aware of the possibility of being caught.

Which of the following roles, taken together, should not be entrusted to a single individual? A. Network administrator and quality assurance B. System administrator and application developer C. Security administrator and end user D. System analyst and database administrator

B. System administrator and application developer Explanation: Ideally, all of the roles listed as answer options should be segregated, but the major concern is about the system administrator and application developer. This person can do almost anything, including creating the back door. System administration and developer roles should therefore be segregated.

Which of the following dual roles is an area of major concern? A. Quality assurance and network administrators B. System administrators and application programmer C. End users as security administrators for critical applications D. Database managers as system analysts

B. System administrators and application programmers Explanation: It is extremely important to ensure SoD for functions that are prone to risk if a single individual is handling them both. The roles of system administrator and application programmer need to be split between different individuals. A single employee with both roles can misuse their privileges and do almost anything on a system, including creating a back door. The other options are not as critical as the same individual handling administration as well as programming.

Which of the following risks should be assessed by an IS auditor reviewing an organization that uses cross-training practices? A. Dependence on a single person B. Inadequate succession planning C. All parts of a system being known to one person D. Disruption to operations

C. All parts of a system are known to one person Explanation: In cross-training, individuals are trained on other aspects of the job in addition to their routine function. It is important to ensure that cross-training does not lead to potential exposures related to abuse of privilege. If an individual knows all parts of the system, they may abuse their knowledge and privilege.

The primary control objective of job rotations is to achieve which of the following? A. To provide cross-training B. To motivate employees C. To detect improper or illegal employee acts D. To improve efficiency and productivity

C. Detect improper or illegal employee acts Explanation: Job rotation is a well-planned practice to reduce the chances of irregularities and fraud by an employee who has handled a given function for a long time and is well versed in all the processes and in ways to bypass control mechanisms.

Which of the following should be done as a priority when an employee with access to highly confidential information resigns? A. Conducting a debriefing interview with the employee B. Ensuring succession plans are in place C. Revoking the employee's access to all systems D. Reviewing the employee's job history

C. Revoke the employee's access to all systems Explanation: If an employee has dealt with highly classified information, the first step is to remove their access to all systems to prevent the exfiltration of data and restrict access to sensitive information.

A software escrow agreement is intended primarily to address which of the following? A. Disaster recovery B. System upgradation C. The risk of business closure of a vendor of custom-written software D. The requirements of the IS audit

C. The risk of business closure of a vendor of custom-written software Explanation: An escrow agreement is entered into between a service provider and a client to ensure the permanent availability of the client's source code. The source code is held by a third party. In the event of the vendor going out of business, the client can claim the source code from the third party.

The primary control objective of implementing a vacation policy is which of the following? A. To improve employee productivity B. To increase the motivation level of employees C. To identify potential errors or inconsistencies in business processes D. To comply with regulatory requirements

C. To identify potential errors or inconsistencies in business processes Explanation: Mandatory vacation policies require employees to take time away from their job. These policies help to reduce fraud and uncover malicious activities by employees. These policies help to prevent employees from continuing with fraudulent activities.

The most important consideration when planning to implement a new technology is which of the following? A. A cost analysis B. The security risks of the current technology C. Compatibility with existing systems D. A risk analysis

D. A risk analysis Explanation: Before introducing new technologies, an organization will carry out a risk evaluation, which is then submitted for review and acceptance to the business management unit.

