CISA EXAM - 1
Q121) Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment? A) Beta testing B) Alpha testing C) White box testing D) Regression testing
A) Beta testing is correct. This follows alpha testing and involves real-world exposure with external user involvement. Beta testing is the last stage of testing and involves sending the beta version of the product to independent beta test sites or offering it free to interested users. B) Alpha testing is incorrect. This is often performed only by users within the organization developing the software. Alpha testing generally involves a software version that does not contain all the features of the final product and may be a simulated test. D) Regression testing is incorrect. This is used to determine whether system changes have introduced new errors to existing functionality. C) White box testing is incorrect. This is used to assess the effectiveness of program logic.
Q113) A batch transaction job failed in production; however, the same job returned no issues during user acceptance testing (UAT). Analysis of the production batch job indicates that it was altered after UAT. Which of the following ways would be the BEST to mitigate this risk in the future? A) Ensure that developers do not have access to code after testing. B) Improve regression test cases. C) Conduct an application user access review. D) Activate audit trails for a limited period after release.
A) Ensure that developers do not have access to code after testing is correct. To ensure proper segregation of duties, developers should be restricted to the development environment only. If code needs to be modified after user acceptance testing, the process must be restarted in development. B) Improve regression test cases is incorrect. Improving the quality of the testing would not be applicable in this case because the more important issue is that developers have access to the production environment. D) Activate audit trails for a limited period after release is incorrect. Activating audit trails or performing additional logging may be useful; however, the more important issue is that developers have access to the production environment. C) Conduct an application user access review is incorrect. This would not identify developers' access to code because they would not be included in this review.
Q132) An IS auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel? A) Production access is granted to the individual support ID when needed. B) Developers use a firefighter ID to promote code to production. C) A dedicated user promotes emergency changes to production. D) Emergency changes are authorized prior to promotion.
A) Production access is granted to the individual support ID when needed is correct. Production access should be controlled and monitored to ensure segregation of duties. During an emergency change, a user who normally does not have access to production may require access. The best process to ensure accountability within the production system is to have the information security team create a production support group and add the user ID to that group to promote the change. When the change is complete the ID can be removed from the group. This process ensures that activity in production is linked to the specific ID that was used to make the change. B)Developers use a firefighter ID to promote code to production is incorrect. Some organizations may use a firefighter ID, which is a generic/shared ID, to promote changes to production. When needed, the developer can use this ID to access production. It may still be difficult to determine who made the change; therefore, although this process is commonly used, the use of a production support ID is a better choice. A dedicated user promotes emergency changes to production is incorrect. C) Having a dedicated user who promotes changes to production in an emergency is ideal but is generally not cost-effective and may not be realistic for emergency changes. D) Emergency changes are authorized prior to promotion is incorrect. Emergency changes are, by definition, unauthorized changes. Approvals usually are obtained following promotion of the change to production. All changes should be auditable, and that can best be accomplished by having a user ID added/removed to the production support group as needed.
Q131) Which of the following should the IS auditor review to ensure that servers are optimally configured to support processing requirements? A) Server utilization data B) Server logs C) Benchmark test results D) Downtime reports
A) Server utilization data is correct. Monitoring server utilization identifies underutilized servers and monitors overall server utilization. Underutilized servers do not provide the business with optimal cost-effectiveness. By monitoring server usage, IT management can take appropriate measures to raise the utilization ratio and provide the most effective return on investment. C) Benchmark test results is incorrect. Benchmark tests are designed to compare system performance using standardized criteria; however, benchmark testing does not provide the best data to ensure the optimal configuration of servers in an organization. B) Server logs is incorrect. A server log contains data showing activities performed on the server but does not contain the utilization data required to ensure the optimal configuration of servers. D) Downtime reports is incorrect. A downtime report identifies the elapsed time when a computer is not operating correctly because of machine failure but is not useful in determining optimal server configurations.
Q120) Over the long term, which of the following has the greatest potential to improve the security incident response process? A) Simulation exercises performed by incident response team B) Ongoing security training for users C) Documenting responses to an incident D) A walk-through review of incident response procedures
A) Simulation exercises performed by incident response team is correct. Simulation exercises to find the gaps and shortcomings in the actual incident response processes will help improve the process over time. D) A walk-through review of incident response procedures is incorrect. A walk-through is a good first step to evaluate the incident response plan, but the lessons learned from incidents will provide more meaningful long-term benefits. B) Ongoing security training for users is incorrect. Training the users and members of the incident response team will improve the effectiveness of the team but learning from the lessons of previous incidents will generate the greatest benefit. C) Documenting responses to an incident is incorrect. Documenting all incidents is important to allow later analysis and review but is not as important as the results of the analysis.
Q111) An IS auditor reviewing the application change management process for a large multinational company should be MOST concerned when: A) the configuration management database is not maintained. B) the test environment is installed on the production server. C) change management records are paper based. D) test systems run different configurations than do production systems.
A) The configuration management database is not maintained is correct. The configuration management database (CMDB) is used to track configuration items (CIs) and the dependencies between them. An out-of-date CMDB in a large multinational company could result in incorrect approvals being obtained or leave out critical dependencies during the test phase. D) Test systems run different configurations than do production systems is incorrect. While, ideally, production and test systems should be configured identically, there may be reasons why this does not occur. The more significant concern is whether the configuration management database was not maintained. C) Change management records are paper based is incorrect. Paper-based change management records are inefficient to maintain and not easy to review in large volumes; however, they do not present a concern from a control point of view as long as they are properly and diligently maintained. B) The test environment is installed on the production server is incorrect. While it is not ideal to have the test environment installed on the production server, it is not a control-related concern. As long as the test and production environments are kept separate, they can be installed on the same physical server(s).
Q130) Which of the following is the BEST reason to implement a policy that places conditions on secondary employment for IT employees? A) To prevent conflicts of interest B) To prevent theft of IT assets C) To prevent employee performance issues D) To prevent the misuse of corporate resources
A) To prevent conflicts of interest is correct. The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Policies should be in place to control IT employees seeking secondary employment from releasing sensitive information or working for a competing organization. Conflicts of interest can result in serious risk such as fraud, theft of intellectual property or other improprieties. D) To prevent the misuse of corporate resources is incorrect. The misuse of corporate resources is an issue that must be addressed but is not necessarily related to secondary employment. C) To prevent employee performance issues is incorrect. Employee performance can certainly be an issue if an employee is overworked or has insufficient time off, but that should be dealt with as a management function and not the primary reason to have a policy on secondary employment. B) To prevent theft of IT assets is incorrect. Theft of assets is a problem but not necessarily related to secondary employment.
Q119) A new business application requires deviation from the standard configuration of the operating system (OS). What activity should the IS auditor recommend to the security manager as a FIRST response? A) Revision of the OS baseline configuration B) Assessment of the risk and identification of compensating controls C) Approval of the exception to policy to meet business needs D) Initial rejection of the request because it is against the security policy
B) Assessment of the risk and identification of compensating controls is correct. Before approving any exception, the security manager should first check for compensating controls and assess the possible risk due to deviation. D) Initial rejection of the request because it is against the security policy is incorrect. The security policy may be waived with management approval to meet business requirements; it is not up to the security manager to refuse the deviation. C) Approval of the exception to policy to meet business needs is incorrect. The security manager may make a case for deviation from the policy, but this should be based on a risk assessment and compensating controls. The deviation itself should be approved in accordance with a defined exception handling process. A) Revision of the OS baseline configuration is incorrect. Updating or revising the baseline configuration is not associated with requests for deviations.
Q114) An IS auditor is reviewing security incident management procedures for the company. Which of the following choices is the MOST important consideration? A) System breach notification procedures B) Chain of custody of electronic evidence C) Escalation procedures to external agencies D) Procedures to recover lost data
B) Chain of custody of electronic evidence is correct. The preservation of evidence is the most important consideration in regard to security incident management. If data and evidence are not collected properly, valuable information could be lost and would not be admissible in a court of law should the company decide to pursue litigation. A) System breach notification procedures is incorrect. System breach notification is an important aspect and, in many cases, may even be required by laws and regulations; however, the security incident may not be a breach and the notification procedure might not apply. C) Escalation procedures to external agencies is incorrect. Escalation procedures to external agencies such as the local police or special agencies dealing in cybercrime are important. However, without proper chain of custody procedures, vital evidence may be lost and would not be admissible in a court of law should the company decide to pursue litigation. D) Procedures to recover lost data is incorrect. While having procedures in place to recover lost data is important, it is critical to ensure that evidence is protected to ensure follow-up and investigation.
Q115) The PRIMARY purpose of installing data leak prevention software is to: A) detect attempts to destroy sensitive data in an internal network. B) control confidential documents leaving the internal network. C) block external systems from accessing internal resources. D) restrict user access to confidential files stored on servers.
B) Control confidential documents leaving the internal network is correct. A server running a DLP software application uses predefined criteria to check whether any confidential documents or data are leaving the internal network. D) Restrict user access to confidential files stored on servers is incorrect. Access privileges to confidential files stored on the server will be controlled through digital rights management (DRM) software. A) Detect attempts to destroy sensitive data in an internal network is incorrect. Potential attacks to systems on the internal network would normally be controlled through an intrusion detection system (IDS) and intrusion prevention system (IPS) as well as by security controls of the systems themselves. Data leak prevention (DLP) systems focus on data leaving the enterprise. C) Block external systems from accessing internal resources is incorrect. Controlling what external systems can access internal resources is the function of a firewall rather than a DLP system.
Q122) When reviewing the IT strategy, an IS auditor can BEST assess whether the strategy supports the organizations' business objectives by determining whether IT - A) has all the personnel and equipment it needs. B) plans are consistent with management strategy. C) uses its equipment and personnel efficiently and effectively. D) has sufficient excess capacity to respond to changing directions.
B) Plans are consistent with management strategy is correct. The only way to know if IT strategy will meet business objectives is to determine if the IT plan is consistent with management strategy and that it relates IT planning to business plans. A) Has all the personnel and equipment it needs is incorrect. Having personnel and equipment is an important requirement to meet the IT strategy but will not ensure that the IT strategy supports business objectives. C) Uses its equipment and personnel efficiently and effectively is incorrect. Using equipment and personnel efficiently and effectively is an effective method for determining the proper management of the IT function but does not ensure that the IT strategy is aligned with business objectives. D) Has sufficient excess capacity to respond to changing directions is incorrect. This important to show flexibility to meet organizational changes but is not in itself a way to ensure that IT is aligned with business goals.
Q129) Which of the following BEST helps ensure that deviations from the project plan are identified? A) A project resource plan B) Project performance criteria C) A project management approach D) A project management framework
B) Project performance criteria is correct. To identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success. D) A project management framework is incorrect. Establishment of a project management framework identifies the scope and boundaries of managing projects and the consistent method to be applied when initiating a project but does not define the criteria used to measure project success. C)A project management approach is incorrect. This defines guidelines for project management processes and deliverables but does not define the criteria used to measure project success. A) A project resource plan is incorrect. This defines the responsibilities, relationships, authorities and performance criteria of project team members but does not wholly define the criteria used to measure project success.
Q102) The internal audit department of an organization has written some scripts that are used for continuous auditing of some information systems. The IT department of that organization has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function? A) Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence. B) Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts. C) Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring. D) Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.
B) Sharing the scripts is permissible if IT recognizes that audits may still be conducted in areas not covered in the script is the correct answer. IS audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts, but they can still audit the systems. D) Sharing the scripts is not permitted because it gives IT the ability to pre-audit systems and avoid an accurate, comprehensive audit is incorrect. The ability of IT to continuously monitor and address any issues on IT systems does not affect the ability of IS audit to perform a comprehensive audit. A) Sharing the scripts is required because IT must have the ability to review all programs and software that run on IS systems regardless of audit independence is incorrect. Sharing the scripts may be required by policy for quality assurance and configuration management, but that does not impair the ability to audit. C) Sharing the scripts is not permitted because the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring is incorrect. An audit of an IS system encompasses more than just the controls covered in the scripts.
Q112) What is the PRIMARY purpose of an IT forensic audit? A) to preserve evidence of criminal activity. B) the systematic collection and analysis of evidence after a system irregularity. C) to participate in investigations related to corporate fraud. D) to assess the correctness of an organization's financial statements.
B) The systematic collection and analysis of evidence after a system irregularity is correct. This best describes a forensic audit. The evidence collected can then be analyzed and used in judicial proceedings. C) To participate in investigations related to corporate fraud is incorrect. Forensic audits are not limited to corporate fraud. D) To assess the correctness of an organization's financial statements is incorrect. Assessing the correctness of an organization's financial statements is not the primary purpose of most forensic audits. A) To preserve evidence of criminal activity is incorrect. Forensics is the investigation of evidence related to a crime or misbehavior. Preserving evidence is the forensic process, but not the primary purpose.
Q109) Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems? A) To reduce requirements for periodic internal audits B) To collect evidence while transactions are processed C) To increase efficiency of the audit function D) To identify and report fraudulent transactions
B) To collect evidence while transactions are processed is correct. Embedding a module for continuous auditing within an application processing a large number of transactions provides timely collection of audit evidence during processing and is the primary objective. The continuous auditing approach allows the IS auditor to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer. A) To reduce requirements for periodic internal audits is incorrect. An embedded audit module enhances the effectiveness of internal audit by ensuring timely availability of required evidence. It may not reduce the requirements for periodic internal audits, but it will increase their efficiency. Also, the question pertains to the development process for new application systems, and not to subsequent internal audits. D) To identify and report fraudulent transactions is incorrect. An audit module collects data on transactions that may help identify fraudulent transactions, but it does not identify fraudulent transactions inherently. C) To increase efficiency of the audit function is incorrect. Although increased efficiency may be an added benefit of an embedded audit module, it is not the primary objective.
Q126) Applying a retention date on a file will ensure that: A) data cannot be read until the date is set. B) datasets having the same name are differentiated. C) data will not be deleted before that date. D) backup copies are not retained after that date.
C) Data will not be deleted before that date is correct. A retention date will ensure that a file cannot be overwritten or deleted before that date has passed. A) Data cannot be read until the date is set is incorrect. The retention date will not affect the ability to read the file. D) Backup copies are not retained after that date is incorrect. Backup copies would be expected to have a different retention date and, therefore, may be retained after the file has been overwritten. B) Datasets having the same name are differentiated is incorrect. The creation date, not the retention date, will differentiate files with the same name.
Q128) An online stock trading firm is in the process of implementing a system to provide secure email exchange with its customers. What is the BEST option to ensure confidentiality, integrity and nonrepudiation? A) Message digest algorithms B) Digital signatures C) Digital certificates D) Symmetric key encryption
C) Digital certificates is correct. A digital certificate contains the public key and identifying information about the owner of the public key. The associated private key pair is kept secret with the owner. These certificates are generally verified by a trusted authority, with the purpose of associating a person's identity with the public key. Email confidentiality and integrity are obtained by following the public key-private key encryption. With the digital certificate verified by the trusted third party, nonrepudiation of the sender is obtained. D) Symmetric key encryption is incorrect. This uses a single pass phrase to encrypt and decrypt the message. While this type of encryption is strong, it suffers from the inherent problem of needing to share the pass phrase in a secure manner and does not address integrity and nonrepudiation. B) Digital signatures is incorrect. These provide message integrity and nonrepudiation; however, confidentiality is not provided. A) Message digest algorithms is incorrect. These are a way to design hashing functions to verify the integrity of the message/data. Message digest algorithms do not provide confidentiality or nonrepudiation.
Q106) As an IS auditor, you have identified that reports on product profitability produced by an organization's finance and marketing departments give different results. Your further investigation reveals that the product definition being used by the two departments is different. As an IS auditor, what should you recommend? A) Management signs-off on requirements for new reports B) Standard software tools are used for report development C) Organizational data governance practices are put in place D) User acceptance testing occurs for all reports before release into production
C) Organizational data governance practices are put in place is correct. This choice directly addresses the problem. An organization-wide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative. D) User acceptance testing occurs for all reports before release into production is incorrect. Recommending that user acceptance testing occur for all reports before release into production does not address the root cause of the problem described. B) Standard software tools are used for report development is incorrect. Recommending standard software tools be used for report development does not address the root cause of the problem described. Management signs off on requirements for new reports is incorrect. A) Recommending that management sign off on requirements for new reports does not address the root cause of the problem described.
Q103) As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through: A) strategic alignment. B) resource management. C) performance measurement. D) value delivery.
C) Performance measurement is correct. This includes setting and monitoring measurable objectives of that which the IT processes need to deliver (process outcome), and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement, because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives. A) Strategic alignment is incorrect. This primarily focuses on ensuring linkage of business and IT plans, not on transparency. D) Value delivery is incorrect. This is about executing the value proposition throughout the delivery cycle. Value delivery ensures that IT investments deliver on promised values but does not ensure transparency of investment. B) Resource management is incorrect. This is about the optimal investment in and proper management of critical IT resources but does not ensure transparency of IT investments.
Q110) Which of the following is the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? A) Automated tests should be performed through the use of scripting. B) Test coverage should be restricted to functional requirements. C) Requirements should be tested in terms of importance and frequency of use. D) The number of required test runs should be reduced by retesting only defect fixes.
C) Requirements should be tested in terms of importance and frequency of use is correct. Maximize the usefulness of testing by concentrating on the most important aspects of the system and on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements, because complexity tends to increase the likelihood of defects. B) Test coverage should be restricted to functional requirements is incorrect. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored. A) Automated tests should be performed through the use of scripting is incorrect. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative. D) The number of required test runs should be reduced by retesting only defect fixes is incorrect. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress (i.e., introduced errors in parts of the system that were previously working correctly). For this reason, it is a good practice to undertake formal regression testing after defect fixes have been implemented.
Q105) As an outcome of information security governance, strategic alignment provides - A) baseline security following good practices. B) institutionalized and commoditized solutions. C) security requirements driven by enterprise requirements. D) an understanding of risk exposure.
C) Security requirements driven by enterprise requirements is correct. Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements. A) Baseline security following good practices is incorrect. Strategic alignment ensures that security aligns with business goals. Providing a standard set of security practices (i.e., baseline security following good practices or institutionalized and commoditized solutions) is a part of value delivery. B) Institutionalized and commoditized solutions is incorrect. Value delivery addresses the effectiveness and efficiency of solutions but is not a result of strategic alignment. D) An understanding of risk exposure is incorrect. Risk management is a primary goal of IT governance, but strategic alignment is not focused on understanding risk exposure.
Q101) Which of the following groups would create MOST concern to an IS auditor if they have full access to the production database? A) Business users B) System administrators C) Information security team D) Application developers
D) Application developers is correct. This bears the highest risk. Due to their focus on delivery of changes, they tend to bypass quality assurance controls installing deficient changes into production environment. B) System administrators is incorrect. These individuals may require full production access to conduct their administration duties; however, they should be monitored for unauthorized activity. A) Business users is incorrect. These individuals might not need a full access to database. Such set up might result in negatives scenarios (fraud), however developers having a direct access to production environment is a higher concern. C) Information security team is incorrect. The data recovery team will need full access to make sure the complete database is recoverable.
Q123) An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make? A) Implement a source code version control tool. B) Schedule user testing to occur at a given time each day. C) Only retest high-priority defects. D) Consider the feasibility of a separate user acceptance environment.
D) Consider the feasibility of a separate user acceptance environment is correct. A separate environment or environments is normally necessary for testing to be efficient and effective and to ensure the integrity of production code. It is important that the development and test code bases be separate. When defects are identified they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production. This enforces a separation between development and production code. The logistics of setting up and refreshing customized test data is easier if a separate environment is maintained. B) Schedule user testing to occur at a given time each day is incorrect. If developers and testers are sharing the same environment, they have to work effectively at separate times of the day. It is unlikely that this would provide optimum productivity. A) Implement a source code version control tool is incorrect. Use of a source code control tool is a good practice, but it does not properly mitigate the lack of an appropriate test environment. C) Only retest high-priority defects is incorrect. Even low priority fixes run the risk of introducing unintended results when combined with the rest of the system code. To prevent this, regular regression testing covering all code changes should occur. A separate test environment makes the logistics of regression testing easier to manage.
Q104) When developing a formal enterprise security program, the MOST critical success factor is the - A) selection of a security process owner. B) creation of a security unit. C) establishment of a review board. D) effective support of an executive sponsor.
D) Effective support of an executive sponsor is correct. The executive sponsor is in charge of supporting the organization's strategic security program and aids in directing the organization's overall security management activities. Therefore, support by the executive level of management is the most critical success factor. C) Establishment of a review board is incorrect. This is not effective without visible sponsorship of top management. B) Creation of a security unit is incorrect. This is not effective without visible sponsorship of top management. A) Selection of a security process owner is incorrect. This is not effective without visible sponsorship of top management.
Q108) An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should: A) approve the patch after doing a risk assessment. B) apply the patch according to the patch's release notes. C) thoroughly test the patch before sending it to production. D) ensure that a good change management process is in place.
D) Ensure that a good change management process is in place is correct. An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. B) Apply the patch according to the patch's release notes is incorrect. The IS auditor should not apply the patch. That is an administrator responsibility. C) Thoroughly test the patch before sending it to production is incorrect. The testing of the patch is the responsibility of the development or production support team, not the auditor. A) Approve the patch after doing a risk assessment is incorrect. The IS auditor is not authorized to approve a patch. That is a responsibility of a steering committee.
Q117) After identifying the findings, the IS auditor should FIRST: A) determine mitigation measures for the findings. B) obtain remediation deadlines to close the findings. C) inform senior management of the findings. D) gain agreement on the findings.
D) Gain agreement on the findings is correct. If findings are not agreed upon and confirmed by both parties, then there may be an issue during sign-off on the final audit report or while discussing findings with management. When agreement is obtained with the auditee, it implies the finding is understood and a clear plan of action can be determined. A) Determine mitigation measures for the findings is incorrect. Although the auditor may recommend mitigation measures, the organization ultimately decides and implements the mitigation strategies as a function of risk management. C) Inform senior management of the findings is incorrect. Before senior management is informed, it is imperative that the auditor informs the auditee and gains agreement on the audit findings to correctly communicate the risk. B) Obtaining remediation deadlines to close the findings is incorrect and is not the first step in communicating the audit findings.
Q125) An IS auditor is performing a post-implementation review of an organization's system and identifies output errors within an accounting application. The IS auditor determined this was caused by input errors. Which of the following controls should the IS auditor recommend to management? A) Run-to-run totals B) Reconciliations C) Recalculations D) Limit checks
D) Limit checks is correct. Processing controls should be implemented as close as possible to the point of data entry. Limit checks are one type of input validation check that provides a preventive control to ensure that invalid data cannot be entered because values must fall within a predetermined limit. C) Recalculations is incorrect. A sample of transactions may be recalculated manually to ensure that processing is accomplishing the anticipated task. Recalculations are performed after the output phase. A) Run-to-run totals is incorrect. These provide the ability to verify data values through the stages of application processing. Run-to-run total verification ensures that data read into the computer were accepted and then applied to the updating process. Run-to-run totals are performed after the output phase. B) Reconciliations is incorrect. Reconciliation of file totals should be performed on a routine basis. Reconciliations may be performed through the use of a manually maintained account, a file control record or an independent control file. Reconciliations are performed after the output phase.
Q116) Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience? A) Internal quality requirements B) The audit guidelines C) The audit methodology D) Professional standards
D) Professional standards is correct. Professional standards from ISACA, The Institute of Internal Auditors and the International Federation of Accountants require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more. A) Internal quality requirements is incorrect. They may exist but are superseded by the requirement of supervision to comply with professional standards. B) Audit guidelines is incorrect. These exist to provide guidance on how to achieve compliance with professional standards. For example, they may provide insights on the purpose of supervision and examples of how supervisory duties are to be performed to achieve compliance with professional standards. C) The audit methodology is incorrect. This is a well-configured process/procedure to achieve audit objectives. While an audit methodology is a meaningful tool, supervision is generally driven by compliance with professional standards.
Q118) Code erroneously excluded from a production release was subsequently moved into the production environment, bypassing normal change procedures. Which of the following choices is of MOST concern to the IS auditor performing a postimplementation review? A) The code was missed during the initial implementation. B) The error was discovered during the postimplementation review. C) The release team used the same change order number. D) The change did not have change management approval.
D) The change did not have change management approval is correct. Change management approval of changes mitigates the risk of unauthorized changes being introduced to the production environment. Unauthorized changes might result in disruption of systems or fraud. It is, therefore, imperative to ensure that each change has appropriate change management approval. A) The code was missed during the initial implementation is incorrect. Although missing a component of a release is indicative of a process deficiency, it is of more concern that the missed change was promoted into the production environment without management approval. B) The error was discovered during the post-implementation review is incorrect. Most release/change control errors are discovered during post-implementation review. It is of greater concern that the change was promoted without management approval after it was discovered. C) The release team used the same change order number is incorrect. Using the same change order number is not a relevant concern.
Q107) An IS auditor is evaluating a virtual machine (VM)-based architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production? A) The VM server is included in the disaster recovery plan. B) Allocated physical resources are available. C) System administrators are trained to use the VM architecture. D) Server configuration has been hardened appropriately.
D) Server configuration has been hardened appropriately is correct. The most important control to test in this configuration is the server configuration hardening. It is important to patch known vulnerabilities and to disable all non-required functions before production, especially when production architecture is different from development and testing architecture. B) Allocated physical resources are available is incorrect. The greatest risk is associated with the difference between the testing and production environments. Ensuring that physical resources are available is a relatively low risk and easily addressed. C) System administrators are trained to use the virtual machine (VM) architecture is incorrect. VMs are often used for optimizing programming and testing infrastructure. In this scenario, the development environment (VM architecture) is different from the production infrastructure (physical three-tier). Because the VMs are not related to the web application in production, there is no real requirement for the system administrators to be familiar with a virtual environment. A) The VM server is included in the disaster recovery plan is incorrect. Because the VMs are only used in a development environment and not in production, it may not be necessary to include VMs in the disaster recovery plan.
Q127) When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk? A) Subscribers report key compromises to the certificate authority. B) There is no registration authority for reporting key compromises. C) Digital certificates contain a public key that is used to encrypt messages and verify digital signatures. D) The certificate revocation list is not current.
D) The certificate revocation list is not current is correct. If the certificate revocation list is not current, there could be a digital certificate that is not revoked that could be used for unauthorized or fraudulent activities. B) There is no registration authority for reporting key compromises is incorrect. The certificate authority (CA) can assume the responsibility if there is no registration authority. C) Digital certificates contain a public key that is used to encrypt messages and verify digital signatures is incorrect as this is not a risk. A) Subscribers reporting key compromises to the CA is incorrect. This is not a risk because reporting this to the CA enables the CA to take appropriate action.
Q124) A cyclic redundancy check is commonly used to determine the: A)integrity of a downloaded program. B) adequacy of encryption. C) accuracy of data input. D) validity of data transfer.
D) Validity of data transfer is correct. The accuracy of blocks of data transfers, such as data transfer from hard disks, is validated by a cyclic redundancy check. C) Accuracy of data input is incorrect. This can be enforced by data validation controls, such as picklists, cross checks, reasonableness checks, control totals and allowed character checks. A) Integrity of a downloaded program is incorrect. A checksum or digital signature is commonly used to validate the integrity of a downloaded program or other transferred data. B) Adequacy of encryption is incorrect. Encryption adequacy is driven by the sensitivity of the data to be protected and algorithms that determine how long it will take to break a specific encryption method.
Q89) Which of the following is the MOST reliable form of single factor personal identification? A) Iris scan B) Smart card C) Password D) Photo identification
A) Iris scan is correct. Because no two irises are alike, identification and verification can be done with confidence. B) Smart card is incorrect. There is no guarantee that a smart card is being used by the correct person because it can be shared, stolen, or lost and found. C) Password is incorrect. These can be shared and, if written down, carry the risk of discovery. D) Photo identification is incorrect. This can be forged or falsified.
Q90) Authorizing access to application data is the responsibility of the: A) data owner. B) data custodian. C) security administrator. D) application administrator.
A) Data owner is correct. These individuals have authority to grant or withhold access to the data and applications for which they are responsible. B) Data custodian is incorrect. These individuals are responsible only for storing and safeguarding the data according to the direction provided by the data owner. D) Application administrator is incorrect. This person is responsible for managing the application itself, not determining who is authorized to access the data that it contains. C) Security administrator is incorrect. This individual may lead investigations and is responsible for implementing and maintaining information security policy, but not for authorizing data access.
Q74) The GREATEST risk from an improperly implemented intrusion prevention system is: A) blocking of critical systems or services due to false triggers. B) too many alerts for system administrators to verify. C) decreased network performance due to additional traffic. D) reliance on specialized expertise within the IT organization.
A) Blocking of critical systems or services due to false triggers is correct. An intrusion prevention system (IPS) prevents a connection or service based on how it is programmed to react to specific incidents. If the IPS is triggered based on incorrectly defined or nonstandard behavior, it may block the service or connection of a critical internal system. B) Too many alerts for system administrators to verify is incorrect. A number of false positives may cause excessive administrator workload, but this is a relatively minor risk. C) Decreased network performance due to additional traffic is incorrect. The IPS will not generate any traffic that would impact network performance. D) Reliance on specialized expertise within the IT organization is incorrect. Configuring an IPS can take months of learning what is and what is not acceptable behavior, but this does not require specialized expertise.
Q27) An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered - A) can support the organization in the long term. B) can deliver on the immediate contract. C) has significant financial obligations that can impose liability to the organization. D) is of similar financial standing as the organization.
A) Can support the organization in the long term is correct. The long-term financial viability of a vendor is essential for deriving maximum value for the organization—it is more likely that a financially sound vendor would be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product. B) Can deliver on the immediate contract is incorrect. The capability of the organization to support the enterprise should extend beyond the time of execution of the immediate contract. The objective of financial evaluation should not be confined to the immediate contract but should be to provide assurance of sustainability over a longer time frame. Is of similar financial standing as the organization is incorrect. D) Whether the vendor is of similar financial standing as the purchaser is irrelevant to this review. C) Has significant financial obligations that can impose liability to the organization is incorrect. The vendor should not have financial obligations that could impose a liability to the purchaser; the financial obligations are usually from the purchaser to the vendor.
Q37) Which of the following would be BEST prevented by a raised floor in the computer machine room? A) Damage of wires around computers and servers B) Shocks from earthquakes C) Water flood damage D) A power failure from static electricity
A) Damage of wires around computers and servers is correct. The primary reason for having a raised floor is to enable ventilation systems, power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risk posed when cables are placed in a spaghetti-like fashion on an open floor. D) A power failure from static electricity is incorrect. Static electricity should be avoided in the machine room; therefore, measures such as specially manufactured carpet or shoes would be more appropriate for static prevention than a raised floor. B) Shocks from earthquakes is incorrect. Raised floors do not address shocks from earthquakes. To address earthquakes, anti-seismic architecture would be required to establish a quake-resistant structural framework. C) Water flood damage is incorrect. Computer equipment needs to be protected against water. However, a raised floor would not prevent damage to the machines in the event of overhead water pipe leakage.
Q44) The responsibility for authorizing access to a business application system belongs to the: A) data owner. B) security administrator. C) IT security manager. D) requestor's immediate supervisor.
A) Data owner is correct. When a business application is developed, a good practice is to assign an information or data owner to the application. The information owner should be responsible for authorizing access to the application itself or to back-end databases for queries. B) Security administrator is incorrect. This individual normally does not have responsibility for authorizing access to business applications. C) IT security manager is incorrect. This individual normally does not have responsibility for authorizing access to business applications. D) Requestor's immediate supervisor is incorrect. This individual may share the responsibility for approving user access to a business application system; however, the final responsibility should go to the information owner.
Q10) Which of the following would MOST likely be considered a conflict of interest for an IS auditor who is reviewing a cybersecurity implementation? A) Designing the cybersecurity controls B) Conducting the vulnerability assessment C) Delivering cybersecurity awareness training D) Advising on the cybersecurity framework Explanation
A) Designing the cybersecurity controls is correct. If an auditor designs the controls, a conflict of interest arises in the neutrality of the auditor to address deficiencies during an audit. This is in violation of the ISACA Code of Ethics. C) Delivering cybersecurity awareness training is incorrect. This is typically an operational responsibility, but it is not nearly as strong as a conflict of interest as the auditor designing controls and then reviewing them. D) Advising on the cybersecurity framework is incorrect. Part of the role of an IS auditor can be to advise on a cybersecurity framework, provided that such advice does not rise to the level of designing specific controls that the auditor would later review. B) Conducting the vulnerability assessment is incorrect. This can be the responsibility of the IS auditor and does not present a conflict of interest.
Q42) Which of the following is MOST important to ensure before communicating the audit findings to top management during the closing meeting? A) Findings are clearly tracked back to evidence. B) Recommendations address root causes of findings. C) Remediation plans are provided by responsible parties. D) Risk statement includes an explanation of a business impact.
A) Findings are clearly tracked back to evidence is correct. Without adequate evidence, the findings hold no ground; therefore, this must be verified before communicating the findings. D) Risk statement includes an explanation of a business impact is incorrect. It is important to have a well-elaborated risk statement; however, it might not be relevant if findings are not accurate. B) Recommendations address root causes of findings is incorrect. It is important to address the root causes of findings, and it may be not included in the report. However, it might not be relevant if findings are not accurate. C) Remediation plans are provided by responsible parties is incorrect. In some cases, top-management might expect to see remediation plans during debriefing of the findings; however, the accuracy of findings should be proved first.
Q59) When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of: A) improper transaction authorization. B) application interface failure. C) excessive transaction turnaround time. D) nonvalidated batch totals.
A) Improper transaction authorization is correct. Foremost among the risk associated with electronic data interchange (EDI) is improper transaction authorization. Because the interaction with the parties is electronic, there is no inherent authentication. Improper authentication poses a serious risk of financial loss. C) Excessive transaction turnaround time is incorrect. An excessive turnaround time is an inconvenience, but not a serious risk. B) Application interface failure is incorrect. The failure of the application interface is a risk, but not the most serious issue. Usually such a problem is temporary and easily fixed. D) Nonvalidated batch totals is incorrect. The integrity of EDI transactions is important, but not as significant as the risk of unauthorized transactions
Q96) While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's NEXT step? A) Inform appropriate personnel immediately. B) Observe the response mechanism. C) Ensure deletion of the virus. D) Clear the virus from the network.
A) Inform appropriate personnel immediately is correct. The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response. B) Observe the response mechanism is incorrect. This should be done after informing appropriate personnel. This will enable an IS auditor to examine the actual workability and effectiveness of the response system. D) Clear the virus from the network is incorrect. The IS auditor is neither authorized nor capable in most cases of removing the virus from the network. C) Ensure deletion of the virus is incorrect. An IS auditor should not make changes to the system being audited; ensuring the deletion of the virus is a management responsibility.
Q43) Which of the following considerations is the MOST important while evaluating a business case for the acquisition of a new accounting application? A) Return on investment to the company B) Total cost of ownership of the application C) The resources required for implementation D) The cost and complexity of security requirements
A) Return on investment (ROI) to the company is correct. The proposed ROI benefits, along with targets or metrics that can be measured, are the most important aspects of a business case. While reviewing the business case, it should be verified that the proposed ROI is achievable, does not make unreasonable assumptions and can be measured for success. (Benefits realization should look beyond project cycles to longer-term cycles that consider the total benefits and total costs throughout the life of the new system.) B) Total cost of ownership of the application is incorrect. This is important to understand the resource and budget requirements in the short and long term; however, decisions should be based on benefits realization from this investment. Therefore, ROI is the most important consideration. C) The resources required for implementation is incorrect. These are an important consideration; however, decisions should be based on benefits realization from this investment. Therefore, ROI should be carefully considered. D) The cost and complexity of security requirements is incorrect. These are important considerations, but they need to be weighed against the proposed benefits of the application. Therefore, ROI is more important.
Q70) An organization implemented a distributed accounting system, and the IS auditor is conducting a postimplementation review to provide assurance of the data integrity controls. Which of the following choices should the auditor perform FIRST? A) Review the data flow diagram. B) Evaluate the change request process. C) Evaluate the reconciliation controls. D) Review user access.
A) Review the data flow diagram is correct. The IS auditor should review the application data flow diagram to understand the flow of data within the application and to other systems. This will enable the IS auditor to evaluate the design and effectiveness of the data integrity controls. D) Review user access is incorrect. The review of user access would be important; however, in terms of data integrity it would be better to review the data flow diagram. B) Evaluate the change request process is incorrect. The lack of an adequate change control process could impact the integrity of the data; however, the system should be documented first to determine whether the transactions flow to other systems. C) Evaluating the reconciliation controls is incorrect. This would help to ensure data integrity; however, it is more important to understand the data flows of the application to ensure that the reconciliation controls are located in the correct place.
Q92) Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)? A) Service measures were not included in the SLA. B) A service adjustment resulting from an exception report took a day to implement. C) The complexity of application logs used for service monitoring made the review difficult. D) The document is updated on an annual basis.
A) Service measures were not included in the service level agreement (SLA) is correct. Lack of service measures will make it difficult to gauge the efficiency and effectiveness of the IT services being provided. B) A service adjustment resulting from an exception report took a day to implement is incorrect. Resolving issues related to exception reports is an operational issue that should be addressed in the SLA; however, a response time of one day may be acceptable depending on the terms of the SLA. C) The complexity of application logs used for service monitoring made the review difficult is incorrect. The complexity of application logs is an operational issue, which is not related to the SLA. D) The document is updated on an annual basis is incorrect. While it is important that the document be current, depending on the term of the agreement, it may not be necessary to change the document more frequently than annually.
Q76) In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure: A) sufficiency. B) compliance. C) documentation. D) implementation.
A) Sufficiency is correct. An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of the control baseline to meet security requirements. D) Implementation is incorrect. The first step is to review the baseline to ensure that it is adequate or sufficient to meet the security requirements of the organization. Then the IS auditor will ensure that it is implemented and measure compliance. B) Compliance is incorrect. This cannot be measured until the baseline has been implemented, but the IS auditor must first ensure that the correct baseline is being implemented. C) Documentation is incorrect. After the baseline has been defined, it must be documented, and the IS auditor will check that the baseline is appropriate before checking for implementation.
Q73) When two or more systems are integrated, the IS auditor must review input/output controls in the: A) systems sending and receiving data. B) systems sending output to other systems. C) systems receiving the output of other systems. D) interfaces between the two systems.
A) Systems sending and receiving data is correct. Both of the systems must be reviewed for input/output controls because the output for one system is the input for the other. C) Systems receiving the output of other systems is incorrect. A responsible control is to protect downstream systems from contamination from an upstream system. This requires a system that sends data to review its output and the receiving system to review its input. B) Systems sending output to other systems is incorrect. Systems sending data to other systems should ensure that the data they send are correct, but that would not protect the receiving system from transmission errors. D) Interfaces between the two systems is incorrect. The interfaces must be set up correctly and provide error controls, but good practice is to review the data before sending and after receipt.
Q22) An IS audit group has been involved in the integration of an automated audit tool kit with an existing enterprise resource planning system. Due to performance issues, the audit tool kit is not permitted to go live. What should the IS auditor's BEST recommendation be? A) Review the results of stress tests during user acceptance testing. B) Request vendor technical support to resolve performance issues. C) Request additional IS audit resources. D) Review the implementation of selected integrated controls. .
A) The appropriate recommendation is to review the results of stress tests during user acceptance testing that demonstrated the performance issues. D) Reviewing the implementation of selected integrated controls is incorrect. This validates the technical design and the control objective, but integrated controls over transactional tables consume large resources. They should be reviewed carefully to determine whether they are mandatory or can be implemented and integrated for only specific transactions over the enterprise resource planning application. C) Request additional IS audit resources is incorrect. The inability to implement the automated tool may necessitate additional audit resources because many audits will require more manual effort; however, the first step should be to try to resolve the performance issues. B) Request vendor technical support to resolve performance issues is incorrect. This is a good option, but not the first recommendation
Q75) The MOST effective biometric control system is the one with: A) the lowest equal-error rate. B) a false-rejection rate equal to the failure-to-enroll rate. C) the highest equal-error rate. D) false-rejection rate equal to the false-acceptance rate.
A) The lowest equal-error rate is correct. The EER of a biometric system denotes the percent at which the false-acceptance rate (FAR) is equal to the false-rejection rate (FRR). The biometric that has the lowest EER is the most effective. C) The highest equal-error rate (EER) is incorrect. The biometric that has the highest EER is the most ineffective. D) A false-rejection rate equal to the false-acceptance rate is incorrect. For any biometric, there will be a measure at which the FRR will be equal to the FAR. This is the EER. B) A false-rejection rate equal to the failure-to-enroll (FER) rate is incorrect. FER is an aggregate measure of FRR.
Q67) What is the PRIMARY reason that an IS auditor would verify that the process of post-implementation review of an application was completed after a release? A) To check that the project meets expectations B) To make sure that users are appropriately trained C) To determine whether proper controls were implemented D) To verify that the project was within budget
A) To check that the project meets expectations is correct. The objective of a post-implementation review is to reveal whether the implementation of a system has achieved planned objectives (i.e., meets business objectives and risk acceptance criteria). B) To make sure that users are appropriately trained is incorrect. Post-implementation review does not target verifying user training needs. D) To verify that the project was within budget is incorrect. Project costs are monitored during development and are not the primary reason for a post-implementation review. C) To determine whether proper controls were implemented is incorrect. While an IS auditor would be interested in ensuring that proper controls were implemented, the most important consideration would be that the project meets expectations.
Q9) An internal audit function is reviewing an internally developed common gateway interface script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern? A) Unauthorized access B) System unavailability C) Exposure to malware D) System integrity
A) Unauthorized access is correct. Untested common gateway interfaces (CGIs) can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers. B) System unavailability is incorrect. While untested CGIs can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users. C) Exposure to malware is incorrect. Untested CGI scripts do not inherently lead to malware exposures. D) System integrity is incorrect. While untested CGIs can cause the end-user web application to be compromised, this is not likely to significantly impact system integrity.
Q19) From a control perspective, the key element in job descriptions is that they - A) are current, documented and readily available to the employee. B) establish responsibility and accountability for the employee's actions. C) provide instructions on how to do the job and define authority. D) communicate management's specific job performance expectations.
B) Establish responsibility and accountability for the employee's actions is correct. From a control perspective, a job description should establish responsibility and accountability. This aids in ensuring that users are given system access in accordance with their defined job responsibilities and are accountable for how they use that access. C) Provide instructions on how to do the job and defining authority is incorrect. This addresses the managerial and procedural aspects of the job and is a management responsibility. Job descriptions, which are a human resources (HR)-related function, are primarily used to establish job requirements and accountability. A) Are current, documented and readily available to the employee is incorrect. It is important that job descriptions are current, documented and readily available to the employee, but this, in itself, is not the key element of the job description. Job descriptions, which are an HR-related function, are primarily used to establish job requirements and accountability. D) Communicate management's specific job performance expectations is incorrect. Communication of management's specific expectations for job performance would not necessarily be included in job descriptions.
Q30) Which of the following is a form of two-factor user authentication? A) An iris scan and a fingerprint scan B) A smart card and personal identification number C) A unique user ID and complex, non-dictionary password D) A magnetic strip card and a proximity badge
B) A smart card and personal identification number is correct. A smart card is something that a user has, while a personal identification number paired with the card is something the user knows. This is an example of two-factor authentication. C) A unique user ID and complex, non-dictionary password is incorrect. Both an ID and a password are something the user knows, so this pairing provides single-factor user authentication regardless of complexity. A) An iris scan and a fingerprint scan is incorrect. Both an iris scan and a fingerprint scan are something the user is, so this pairing is not a basis for two-factor user authentication. D) A magnetic-strip card and a proximity badge is incorrect. Both a magnetic card and a proximity badge are examples of something a user has, so these are not adequate for two-factor authentication.
Q94) Neural networks are effective in detecting fraud because they can: A) discover new trends because they are inherently linear. B) address problems that require consideration of a large number of input variables. C) solve problems where large and general sets of training data are not obtainable. D) make assumptions about the shape of any curve relating variables to the output.
B) Address problems that require consideration of a large number of input variables is correct. Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover new trends. A) Discover new trends because they are inherently linear is incorrect. Neural networks are inherently nonlinear. C) Solve problems where large and general sets of training data are not obtainable is incorrect. Neural networks will not work well at solving problems for which sufficiently large and general sets of training data are not obtainable. D) Make assumptions about the shape of any curve relating variables to the output is incorrect. Neural networks make no assumption about the shape of any curve relating variables to the output.
Q84) Which of the following is MOST directly affected by network performance monitoring tools? A) Confidentiality B) Availability C) Integrity D) Completeness
B) Availability is correct. Network monitoring tools allow observation of network performance and problems. This allows the administrator to take corrective action when network problems are observed. Therefore, the characteristic that is most directly affected by network monitoring is availability. C) Integrity is incorrect. Network monitoring tools can be used to detect errors that are propagating through a network, but their primary focus is on network reliability so that the network is available when required. D) Completeness is incorrect. Network monitoring tools will not measure completeness of the communication. This is measured by the end points in the communication. A) Confidentiality is incorrect. A network monitoring tool can violate confidentiality by allowing a network administrator to observe non-encrypted traffic. This requires careful protection and policies regarding the use of network monitoring tools.
Q80) Inadequate programming and coding practices increase the risk of: A) synchronize flood. B) buffer overflow exploitation. C) brute force attacks. D) social engineering.
B) Buffer overflow exploitation is correct. This may occur when programs do not check the length of the data that are input into a program. An attacker can send data that exceed the length of a buffer and overwrite part of the program with arbitrary code, which will then be executed with the privileges of the program. The countermeasure is proper programming and good coding practices. D) Social engineering is incorrect. This attempts to gather sensitive information from people and primarily relies on human behavior. This is not a programming or coding problem. A) A Synchronize (SYN) flood is incorrect. This is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system. A SYN flood is not related to programming and coding practices. C) Brute force attacks is incorrect. These are used against passwords and are not related to programming and coding practices.
Q68) During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced, and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful: A) brute force attack. B) buffer overflow. C) war dialing attack. D) distributed denial-of-service attack.
B) Buffer overflow is correct. Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques. A) A brute force attack is incorrect. This is used to crack passwords, but this is not related to coding standards. D) A distributed denial-of-service attack is incorrect. This floods its target with numerous packets, to prevent it from responding to legitimate requests. This is not related to coding standards. C) War dialing attack is incorrect. This uses modem-scanning tools to hack private branch exchanges or other telecommunications services.
Q82) Which of the following conditions should be of GREATEST concern to an IS auditor regarding the outsourcing of IT services? A) Periodic renegotiation is not specified in the outsourcing contract. B) Core activities that provide a differentiated advantage to the organization have been outsourced. C) The outsourcing contract fails to cover every action required by the business. D) Similar activities are outsourced to more than one vendor.
B) Core activities that provide a differentiated advantage to the organization have been outsourced is correct. An organization's core activities generally should not be outsourced because they are what the organization does best; an IS auditor observing that condition should be concerned. A) Periodic renegotiation is not specified in the outsourcing contract is incorrect. An IS auditor should not be concerned about periodic renegotiation in the outsourcing contract because that is dependent on the term of the contract. C) The outsourcing contract fails to cover every action required by the business is incorrect. Outsourcing contracts cannot be expected to cover every action and detail expected of the parties involved but should cover business requirements. D) Similar activities are outsourced to more than one vendor is incorrect. Multi-sourcing is an acceptable way to reduce risk associated with a single point of failure.
Q52) When preparing a business case to support the need of an electronic data warehouse solution, which of the following choices is the MOST important to assist management in the decision-making process? A) Discuss a single solution. B) Demonstrate feasibility. C) Consider security controls. D) Consult the audit department.
B) Demonstrate feasibility is correct. The business case should demonstrate feasibility for any potential project. By including a feasibility study in the business case along with a cost-benefit analysis, management can make an informed decision. A) Discuss a single solution is incorrect. A business case should discuss all possible solutions to a given problem, which would enable management to select the best option. This may include the option not to undertake the project. C) Consider security controls is incorrect. It may be important to include security considerations in the business case if security is important to the solution and will address the problem; however, the feasibility study is more important and is necessary regardless of the type of problem. D) Consult the audit department is incorrect. While the person preparing the business case may consult with the organization's audit department, this would be situational and is not necessary to include in the business case.
Q51) An IS auditor performing an audit has determined that developers have been granted administrative access to the virtual machine management console to manage their own servers used for software development and testing. Which of the following choices would be of MOST concern for the IS auditor? A) Developers could gain elevated access to production servers. B) Developers have the ability to create or de-provision servers. C) Developers can affect the performance of production servers with their applications. D) Developers could install unapproved applications to any servers.
B) Developers have the ability to create or de-provision servers is correct. Virtualization offers the ability to create or destroy virtual machines (VMs) through the administrative interface with administrative access. While a developer would be unlikely to de-provision a production server, the administrative console would grant him/her the ability to do this, which would be a significant risk. A) Developers could gain elevated access to production servers is incorrect. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest operating system (OS) to access the server. In this case, while the developers could potentially start, stop or even de-provision a production VM, they could not gain elevated access to the OS of the guest through the administrative interface. C) Developers can affect the performance of production servers with their applications is incorrect. While there could be instances where a software development team might use resource-intensive applications that could cause performance issues for the virtual host, the greater risk would be the ability to de-provision VMs. D) Developers could install unapproved applications to any servers is incorrect. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest OS to access the server; therefore, the concern that unauthorized software could be installed is not valid.
Q12) The internal audit division of an organization is planning a general IS audit as part of their internal IS audit function. Which of the following activities takes place during the FIRST step of the planning phase? A) Identification of key information owners B) Development of a risk assessment C) Define the audit scope D) Development of an audit program
B) Development of a risk assessment is correct. A risk assessment should be performed to determine how internal audit resources should be allocated to ensure that all material items will be addressed. D) Development of an audit program is incorrect. The results of the risk assessment are used for the input for the audit program. C) Define the audit scope is incorrect. The output of the risk assessment helps define the scope. A) Identification of key information owners is incorrect. A risk assessment must be performed prior to identifying key information owners. Key information owners are generally not directly involved during the planning process of an audit.
Q62) The FIRST step in the execution of a problem management mechanism should be: A) root cause analysis. B) exception reporting. C) exception ranking. D) issue analysis.
B) Exception reporting is correct. The reporting of operational issues is normally the first step in tracking problems. D) Issue analysis is incorrect. Analysis and resolution are performed after logging and triage have been performed. C) Exception ranking is incorrect. This can only be performed once the exceptions have been reported. A) Root cause analysis is incorrect. This is performed once the exceptions have been identified and is not normally the first part of problem management.
Q60) The IS auditor is reviewing findings from a prior IT audit of a hospital. One finding indicates that the organization was using email to communicate sensitive patient issues. The IT manager indicates that to address this finding, the organization has implemented digital signatures for all email users. What should the IS auditor's response be? A) The IS auditor should gather more information about the specific implementation. B) Digital signatures are not adequate to protect confidentiality. C) The IS auditor should recommend implementation of digital watermarking for secure email. D) Digital signatures are adequate to protect confidentiality.
B) Digital signatures are not adequate to protect confidentiality is correct. Digital signatures are designed to provide authentication and nonrepudiation for email and other transmissions but are not adequate for confidentiality. This implementation is not adequate to address the prior-year's finding. D) Digital signatures are adequate to protect confidentiality is incorrect. Digital signatures do not encrypt message contents, which means that an attacker who intercepts a message can read the message because the data are in plaintext. A) The IS auditor should gather more information about the specific implementation is incorrect. Although gathering additional information is always a good step before drawing a conclusion on a finding, in this case the implemented solution simply does not provide confidentiality. C) The IS auditor should recommend implementation of digital watermarking for secure email is incorrect. Digital watermarking is used to protect intellectual property rights for documents rather than to protect the confidentiality of email.
Q16) An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT auditor to take? A) Retest the control to confirm the finding. B) Discuss the finding with the IT auditor's manager. C) Elevate the risk associated with the control. D) Discuss the finding with the auditee's manager.
B) Discuss the finding with the IT auditor's manager is correct. Discussing the disagreement with the auditor's manager is the best course of action because other actions can weaken relationships with the auditee and auditor A) Retest the control to confirm the finding is incorrect. This may unnecessarily expend human and time resources. The audit manager should determine if controls need to be retested. C) Elevate the risk associated with the control is incorrect. Elevating the risk will not address the disagreement. D) Discuss the finding with the auditee's manager is incorrect. It is usually best to consult the audit manager prior to escalating the issue the auditee's manager. This could prove to be an adversarial action.
Q46) Assignment of process ownership is essential in system development projects because it: A) enables the tracking of the development completion percentage. B) ensures that system design is based on business needs. C) minimizes the gaps between requirements and functionalities. D) optimizes the design cost of user acceptance test cases.
B) Ensures that system design is based on business needs is correct. The involvement of process owners will ensure that the system will be designed according to the needs of the business processes that depend on system functionality. A sign-off on the design by the process owners is crucial before development begins. A) Enables the tracking of the development completion percentage is incorrect. Process ownership assignment does not have a feature to track the completion percentage of deliverables. D) Optimizes the design cost of user acceptance test cases is incorrect. Whether the design cost of test cases will be optimized is not determined from the assignment of process ownership. It may help to some extent; however, there are many other factors involved in the design of test cases. C) Minimizes the gaps between requirements and functionalities is incorrect. For gap minimization, a specific requirements analysis framework should be in place and then applied; however, a gap may be found between the design and the as-built system that could lead to system functionality not meeting requirements. This will be identified during user acceptance testing. Process ownership alone does not have the capability to minimize requirement gaps.
Q87) During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation? A) No recommendation is necessary because the current approach is appropriate for a medium-sized organization. B) Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management. C) Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts. D) Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle.
B) Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management is correct. Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk register and mitigation plans up to date. C) Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts is incorrect. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risk is usually manageable enough so that external help would not be needed. D) Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle is incorrect. While common risk may be covered by industry standards, they cannot address the specific situation of an organization. Individual types of risk will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient to manage IT risk. A) No recommendation is necessary because the current approach is appropriate for a medium-sized organization is incorrect. The auditor should recommend a formal IT risk management effort because the failure to demonstrate responsible IT risk management may be a liability for the organization.
Q1) When installing an intrusion detection system, which of the following is MOST important? A) Identifying messages that need to be quarantined B) Properly locating it in the network architecture C) Preventing denial-of-service attacks D) Minimizing the rejection errors
B) Properly locating it in the network architecture is correct. Proper location of an intrusion detection system (IDS) in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. C) Preventing denial-of-service attacks is incorrect. A network IDS will monitor network traffic and a host-based IDS will monitor activity on the host, but it has no capability of preventing a denial-of-service (DoS) attack. A) Identifying messages that need to be quarantined is incorrect. Configuring an IDS can be a challenge because it may require the IDS to "learn" what normal activity is, but the most important part of the installation is to install it in the right places. D) Minimizing the rejection errors is incorrect. An IDS is only a monitoring device and does not reject traffic. Rejection errors would apply to a biometric device.
Q97) Results of a post-implementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application? A) Volume testing B) Load testing C) Stress testing D) Recovery resting
B) Load testing is correct. This evaluates the performance of the software under normal and peak conditions. Because this application is not supporting normal numbers of concurrent users, the load testing must not have been adequate. C) Stress testing is incorrect. This determines the capacity of the software to cope with an abnormal number of users or simultaneous operations. Because the number of concurrent users in this question is within normal limits, the answer is load testing, not stress testing. D) Recovery testing is incorrect. This evaluates the ability of a system to recover after a failure. A) Volume testing is incorrect. This evaluates the impact of incremental volume of records (not users) on a system.
Q23) An IS auditor reviewing an organization that uses cross-training practices should assess the risk of - A) dependency on a single person. B) one person knowing all parts of a system. C) inadequate succession planning. D) a disruption of operations.
B) One person knowing all parts of a system is correct. Cross-training is a process of training more than one individual to perform a specific job or procedure. However, before using this approach, it is prudent to assess the risk of any person knowing all parts of a system and the related potential exposures related to abuse of privilege. A) Dependency on a single person is incorrect. Cross-training helps decrease dependence on a single person. C) Inadequate succession planning is incorrect. Cross-training assists in succession planning. D) A disruption of operations is incorrect. Cross-training provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations.
Q26) Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of: A) continuous improvement and monitoring plans. B) post-BPR process flowcharts. C) pre-BPR process flowcharts. D) BPR project plans.
B) Post-BPR process flowcharts is correct. An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process. C) Pre-BPR process flowcharts is incorrect. An IS auditor must review the process as it is today, not as it was in the past. D) BPR project plans is incorrect. Business process reengineering (BPR) project plans are a step within a BPR project. A) Continuous improvement and monitoring plans is incorrect. These are steps within a BPR project.
Q65) An organization recently deployed a customer relationship management application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed? A) Project risk assessment B) Post-implementation review C) User acceptance testing D) Management approval of the system
B) Post-implementation review is correct. The purpose of a post-implementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The post-implementation review also evaluates how effective the project management practices were in keeping the project on track. C) User acceptance testing (UAT) is incorrect. This verifies that the system functionality has been deemed acceptable by the end users of the system; however, a review of UAT will not validate whether the system is performing as designed because UAT would be performed on a subset of system functionality. The UAT review is a part of the post-implementation review. A) Project risk assessment is incorrect. While a risk assessment would highlight the risk of the system, it would not include an analysis to verify that the system is operating as designed. D) Management approval of the system is incorrect. This could be based on reduced functionality and does not verify that the system is operating as designed. Management approval is a part of post-implementation review.
Q86) The project steering committee is ultimately responsible for: A) ensuring that system controls are in place. B) project deliverables, costs and timetables. C) allocating the funding for the project. D) day-to-day management and leadership of the project.
B) Project deliverables, costs and timetables is correct. The project steering committee provides overall direction; ensures appropriate representation of the major stakeholders in the project's outcome; and takes ultimate responsibility for the deliverables, costs and timetables. D) Day-to-day management and leadership of the project is incorrect. This is the function of the project manager. C) Providing the funding for the project is incorrect. This is the function of the project sponsor. A) Ensuring that system controls are in place is incorrect. This is the function of the project security officer.
Q50) During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system? A) Generating disk images of the compromised system B) Rebooting the system C) Removing the system from the network D) Dumping the memory content to a file
B) Rebooting the system is correct. This may result in a change in the system state and the loss of files and important evidence stored in memory. D) Dumping the memory content to a file is incorrect. Copying the memory contents is a normal forensics procedure where possible. Done carefully, it will not corrupt the evidence. A) Generating disk images of the compromised system is incorrect. Proper forensics procedures require creating two copies of the images of the system for analysis. Hash values ensure that the copies are accurate. C) Removing the system from the network is incorrect. When investigating a system, it is recommended to disconnect it from the network to minimize external infection or access.
Q83) When conducting a penetration test of an IT system, an organization should be MOST concerned with: A) logging changes made to production system. B) restoring systems to the original state. C) the confidentiality of the report. D) finding all weaknesses on the system.
B) Restoring systems to the original state is correct. After the test is completed, the systems must be restored to their original state. In performing the test, changes may have been made to firewall rules, user IDs created, or false files uploaded. These must all be cleaned up before the test is completed. C) The confidentiality of the report is incorrect. A penetration test report is a sensitive document because it lists the vulnerabilities of the target system. However, the main requirement for the penetration test team is to restore the system to its original condition. D) Finding all weaknesses on the system is incorrect. Finding all possible weaknesses is not possible in complex information systems. A) Logging changes made to production systems is incorrect. All changes made should be recorded, but the most important concern is to ensure that the changes are reversed at the end of the test.
Q53) The IS auditor observes that the latest security-related software patches for a mission-critical system were released two months ago, but IT personnel have not yet installed the patches. The IS auditor should: A) take no action, because the IT processes related to patch management appear to be adequate. B) review the patch management policy and determine the risk associated with this condition. C) recommend that IT systems personnel test and then install the patches immediately. D) recommend that patches be applied every month or immediately upon release.
B) Review the patch management policy and determine the risk associated with this condition is correct. Reviewing the patch management policy and determining whether the IT department is compliant with the policies will detect whether the policies are appropriate and what risk is associated with current practices. C) Recommend that IT systems personnel test and then install the patches immediately is incorrect. While there may be instances in which the patch is an urgent fix for a serious security issue, IT may have made the determination that the risk to system stability is greater than the risk identified by the software vendor who issued the patch. Therefore, the time frame selected by IT may be appropriate. D) Recommend that patches be applied every month or immediately upon release is incorrect. While keeping critical systems properly patched helps to ensure that they are secure, the requirement for a precise timetable to patch systems may create other issues if patches are improperly tested prior to implementation. Therefore, this is not the correct answer. A) Take no action, because the IT processes related to patch management appear to be adequate is incorrect. Even if the IS auditor concludes that the patch management process is adequate, the observation related to the time delay in applying patches should be reported.
Q100) Which of the following would MOST effectively reduce social engineering incidents? A) Email monitoring policy B) Security awareness training C) Increased physical security measures D) Intrusion detection systems
B) Security awareness training is correct. Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents. C) Increased physical security measures is incorrect. In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore, increased physical security measures would not prevent the incident. A) Email monitoring policy is incorrect. An email monitoring policy informs users that all email in the organization is subject to monitoring; it does not protect the users from potential security incidents and intruders. D) Intrusion detection systems is incorrect. These are used to detect irregular or abnormal traffic patterns.
Q63) Which of the following is an effective preventive control to ensure that a database administrator complies with the custodianship of the enterprise's data? A) Review of access logs and activities B) Segregation of duties C) Management supervision D) Exception reports
B) Segregation of duties is correct. Adequate segregation of duties (SoD) is a preventative control that can restrict the activities of the DBA to those that have been authorized by the data owners. SoD can restrict what a DBA can do by requiring more than one person to participate to complete a task. D) Exception reports is incorrect. These are detective controls used to indicate when the activities of the database administrator (DBA) were performed without authorization. A) Review of access logs and activities is incorrect. Reviews of access logs are used to detect the activities performed by the DBA. C) Management supervision is incorrect. Management supervision of DBA activities is used to detect which DBA activities were not authorized.
Q4) To protect a Voice-over Internet Protocol infrastructure against a denial-of-service attack, it is MOST important to secure the: A) intrusion detection system. B) session border controllers. C) backbone gateways. D) access control servers
B) Session border controllers is correct. These enhance the security in the access network and in the core. In the access network, they hide a user's real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and denial-of-service (DoS) attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall's effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users' real addresses. They can also monitor bandwidth and quality of service. D) Access control servers is incorrect. Securing the access control server may prevent account alteration or lockout but is not the primary protection against DoS attacks. C) Backbone gateways is incorrect. These are isolated and not readily accessible to hackers, so this is not a location of DoS attacks. A) Intrusion detection system is incorrect. This monitors traffic, but does not protect against DoS attacks.
Q34) To prevent Internet Protocol (IP) spoofing attacks, a firewall should be configured to drop a packet for which the sender of a packet: A) allows use of dynamic routing instead of static routing (Open Shortest Path First protocol is enabled). B) specifies the route that a packet should take through the network (the source routing field is enabled). C) puts multiple destination hosts (the destination field has a broadcast address in the destination field). D) indicates that the computer should immediately stop using the TCP connection (a reset flag is turned on).
B) Specifies the route that a packet should take through the network (the source routing field is enabled) is correct. Internet Protocol (IP) spoofing takes advantage of the source-routing option in the IP. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing. C) Puts multiple destination hosts (the destination field has a broadcast address) is incorrect. If a packet has a broadcast destination address, it is definitely suspicious and if allowed to pass will be sent to all addresses in the subnet. This is not related to IP spoofing. D) Indicates that the computer should immediately stop using the TCP connection (a reset flag is turned on) is incorrect. Turning on the reset flag is part of the normal procedure to end a Transmission Control Protocol connection. A) Allows use of dynamic routing instead of static routing (Open Shortest Path First protocol is enabled) is incorrect. The use of dynamic or static routing will not represent a spoofing attack.
Q15) The Secure Sockets Layer protocol ensures the confidentiality of a message by using: A) message authentication codes. B) symmetric encryption. C) hash function. D) digital signature certificates.
B) Symmetric encryption is correct. Secure Sockets Layer (SSL) uses a symmetric key for message encryption. A) Message authentication codes is incorrect. These are used for ensuring data integrity. C) Hash function is incorrect. This is used for generating a message digest which can provide message integrity; it is not used for message encryption. D) Digital signature certificates is incorrect. These are used by SSL for server authentication.
Q17) The computer security incident response team of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may: A) implement individual solutions. B) use this information to launch attacks. C) fail to understand the threat. D)forward the security alert.
B) Use this information to launch attacks is correct. An organization's computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risk arising from security failures and to prevent additional security incidents resulting from the same threat. D) Forward the security alert is incorrect. This is not harmful to the organization. A) Implement individual solutions is incorrect. This is unlikely and inefficient, but not a serious risk. C) Fail to understand the threat is incorrect. This would not be a serious concern.
Q36) In what capacity would an IS auditor MOST likely see a hash function applied? A) Authorization B) Identification C) Authentication D) Encryption
C) Authentication is correct. The purpose of a hash function is to produce a "fingerprint" of data that can be used to ensure integrity and authentication. A hash of a password also provides for authentication of a user or process attempting to access resources. B) Identification is incorrect. Hash functions are not used for identification. They are used to validate the authenticity of the identity. A) Authorization is incorrect. Hash functions are not typically used to provide authorization. Authorization is provided after the authentication has been established. D) Encryption is incorrect. Hash functions do not encrypt data.
Q49) An IS auditor is reviewing the software development capabilities of an organization that has adopted the agile methodology. The IS auditor would be the MOST concerned if: A) software development teams continually re-plan each step of their major projects. B) application features and development processes are not extensively documented. C) certain project iterations produce proof-of-concept deliverables and unfinished code. D) project managers do not manage project resources, leaving that to project team members.
C) Certain project iterations produce proof-of-concept deliverables and unfinished code is correct. The agile software development methodology is an iterative process where each iteration or "sprint" produces functional code. If a development team was producing code for demonstration purposes, this would be an issue because the following iterations of the project build on the code developed in the prior sprint. B) Application features and development processes are not extensively documented is incorrect. One focus of agile methodology is to rely more on team knowledge and produce functional code quickly. These characteristics would result in less extensive documentation or documentation embedded in the code itself. A) Software development teams continually re-plan each step of their major projects is incorrect. After each iteration or "sprint," agile development teams re-plan the project so that unfinished tasks are performed, and resources can be reallocated as needed. The continual re-planning is a key component of agile development methodology. D) Project managers do not manage project resources, leaving that to project team members is incorrect. The management of agile software development is different from conventional development approaches in that leaders act as facilitators and allow team members to determine how to manage their own resources to get each sprint completed. Because the team members are performing the work, they are in a good position to understand how much time/effort is required to complete a sprint.
Q20) What is the PRIMARY control purpose of required vacations or job rotations? A) allow cross-training for development. B) provide a competitive employee benefit. C) detect improper or illegal employee acts. D) help preserve employee morale.
C) Detect improper or illegal employee acts is correct. The practice of having another individual perform a job function is a control used to detect possible irregularities or fraud. A) Allow cross-training for development is incorrect. Although cross-training is a good practice for business continuity, it is not achieved through mandatory vacations. D) Help preserve employee morale is incorrect. It is a good practice to maintain good employee morale, but this is not a primary reason to have a required vacation policy. B) Provide a competitive employee benefit is incorrect. Vacation time is a competitive benefit, but that is not a control.
Q35) Which of the following is the MOST reliable method to ensure identity of sender for messages transferred across Internet? A) Asymmetric cryptography B) Message authentication code C) Digital certificates D) Digital signatures
C) Digital certificates is correct. These are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository. D) Digital signatures is incorrect. These are used for both authentication and integrity, but the identity of the sender would still be confirmed by the digital certificate. A) Asymmetric cryptography is incorrect. This appears to authenticate the sender but is vulnerable to a man-in-the-middle attack. B) Message authentication code is incorrect. This is used for message integrity verification.
Q25) Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application? A) User security awareness B) Use of intrusion detection/intrusion prevention systems C) Domain name system server security hardening D) User registration and password policies
C) Domain name system (DNS) server security hardening is correct. The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. To avoid this kind of attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning. Older versions of DNS software are vulnerable to this kind of attack and should be patched. D) User registration and password policies is incorrect. These cannot mitigate pharming attacks because they do not prevent manipulation of DNS records. A) User security awareness is incorrect. This cannot mitigate pharming attacks because it does not prevent manipulation of DNS records. B) Use of intrusion detection/intrusion prevention systems is incorrect. This cannot mitigate pharming attacks because they do not prevent manipulation of DNS records.
Q78) Which of the following is the BEST method of controlling scope creep in a system development project? A) Adopting a matrix project management structure B) Identifying the critical path of the project C) Establishing a software baseline D) Defining penalties for changes in requirements
C) Establishing a software baseline is correct. Software baselining, the cutoff point in the design phase, occurs after a rigorous review of user requirements. Any changes thereafter will undergo strict formal change control and approval procedures. Scope creep refers to uncontrolled change within a project resulting from improperly managed requirements. D) Defining penalties for changes in requirements is incorrect. While this may help to prevent scope creep, software baselining is a better way to accomplish this goal. A) Adopting a matrix project management structure is incorrect. In a matrix project organization, management authority is shared between the project manager and the department heads. Adopting a matrix project management structure will not address the problem of scope creep. B) Identifying the critical path of the project is incorrect. Although the critical path is important, it will change over time and will not control scope creep.
Q77) Question 77: Correct Assessing IT risk is BEST achieved by - A) reviewing IT control weaknesses identified in audit reports. B) using the organization's past actual loss experience to determine current exposure. C) evaluating threats and vulnerabilities associated with existing IT assets and IT projects. D) reviewing published loss statistics from comparable organizations.
C) Evaluating threats and vulnerabilities associated with existing IT assets and IT projects is correct. To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. B) Using the organization's past actual loss experience to determine current exposure is incorrect. Basing an assessment on past losses will not adequately reflect new threats or inevitable changes to the firm's IT assets, projects, controls and strategic environment. There are also likely to be problems with the scope and quality of the loss data available to be assessed. D) Reviewing published loss statistics from comparable organizations is incorrect. Comparable organizations will have differences in their IT assets, control environment and strategic circumstances. Therefore, their loss experience cannot be used to directly assess organizational IT risk. A) Reviewing it control weaknesses identified in audit reports is incorrect. Control weaknesses identified during audits will be relevant in assessing threat exposure and further analysis may be needed to assess threat probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have recently been audited, and there may not be a sufficient assessment of strategic IT risk.
Q45) Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network? A) Routers B) Virtual local area networks C) Firewalls D) Layer 2 switches
C) Firewalls is correct. Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls. A) Routers is incorrect. These can filter packets based on parameters, such as source address but are not primarily a security tool. D) Layer 2 switches is incorrect. Based on Media Access Control addresses, layer 2 switches separate traffic without determining whether it is authorized or unauthorized traffic. B) Virtual local area networks is incorrect. A virtual local area network is a functionality of some switches that allows them to control traffic between different ports even though they are in the same physical local access network. Nevertheless, they do not effectively deal with authorized versus unauthorized traffic.
Q14) Which of the following is the initial step in creating a firewall policy? A) A cost-benefit analysis of methods for securing the applications B) Identification of vulnerabilities associated with network applications to be externally accessed C) Identification of network applications to be externally accessed D) Creation of an application traffic matrix showing protection methods Explanation
C) Identification of network applications to be externally accessed is correct. Identification of the applications required across the network should be the initial step. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. A) A cost-benefit analysis of methods for securing the applications is incorrect. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step. B) Identification of vulnerabilities associated with network applications to be externally is incorrect. Having identified the externally accessed applications, the second step is to identify vulnerabilities (weaknesses) associated with the network applications. D) Creation of an application traffic matrix showing protection methods is incorrect. The fourth step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.
Q13) The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called: A) authentication. B) data integrity. C) nonrepudiation. D) replay protection.
C) Nonrepudiation is correct. Integrity, authentication, nonrepudiation and replay protection are all features of a digital signature. Nonrepudiation ensures that the claimed sender cannot later deny generating and sending the message. B) Data integrity is incorrect. This refers to changes in the plaintext message that would result in the recipient failing to compute the same message hash. A) Authentication is incorrect. Because only the claimed sender has the private key used to create the digital signature, authentication ensures that the message has been sent by the claimed sender. D) Replay protection is incorrect. This is a method that a recipient can use to check that the message was not intercepted and re-sent (replayed).
Q55) While performing a risk analysis, an IS auditor identifies threats and potential impacts. What would the IS auditor should do NEXT? A) identify information assets and the underlying systems. B) disclose the threats and impacts to management. C) identify and evaluate the existing controls. D) ensure the risk assessment is aligned to management's risk assessment process.
C) Identify and evaluate the existing controls is correct. It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified. D) Ensure the risk assessment is aligned to management's risk assessment process is incorrect. An audit risk assessment is conducted for purposes that are different from management's risk assessment process purposes. A) Identify information assets and the underlying systems is incorrect. It is impossible to determine impact without first identifying the assets affected; therefore, this must already have been completed. B) Disclose the threats and impacts to management is incorrect. Upon completion of a risk assessment, an IS auditor should describe and discuss with management the threats and potential impacts on the assets, and recommendations for addressing the risk. However, this action cannot be done until the controls are identified and the likelihood of the threat is calculated.
Q88) A company is planning to install a network-based intrusion detection system to protect the web site that it hosts. Where should the device be installed? A) Outside the firewall B) On the server that hosts the web site C) In the demilitarized zone D) On the local network
C) In the demilitarized zone (DMZ) is correct. Network-based intrusion detection systems (IDSs) detect attack attempts by monitoring network traffic. A public web server is typically placed on the protected network segment known as the DMZ. An IDS installed in the DMZ detects and reports on malicious activity originating from the Internet as well as the internal network, thus allowing the administrator to act. D) On the local network is incorrect. While an IDS can be installed on the local network to ensure that systems are not subject to internal attacks, a company's public web server would not normally be installed on the local network, but rather in the DMZ. A) Outside the firewall is incorrect. It is not unusual to place a network IDS outside of the firewall just to watch the traffic that is reaching the firewall, but this would not be used to specifically protect the web application. B) On the server that hosts the web site is incorrect. A host-based IDS would be installed on the web server, but a network-based IDS would not.
Q98) Which of the following is the key benefit of a control self-assessment? A) Fraud detection will be improved because internal business staff are engaged in testing controls. B) Internal auditors can shift to a consultative approach by using the results of the assessment. C) Management ownership of the internal controls supporting business objectives is reinforced. D) Audit expenses are reduced when the assessment results are an input to external audit work.
C) Management ownership of the internal controls supporting business objectives is reinforced is correct. The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance. D) Audit expenses are reduced when the assessment results are an input to external audit work is incorrect and is not a key benefit of CSA. A) Fraud detection is improved because internal business staff are engaged in testing controls is incorrect. Improved fraud detection is important but not as important as control ownership. It is not a principal objective of CSA. B) Internal auditors can shift to a consultative approach by using the results of the assessment is incorrect. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.
Q3) During the review of an in-house developed application, the GREATEST concern to an IS auditor is if a: A) manager approves a change request and then reviews it in production. B) programmer codes a change in the development environment and tests it in the test environment. C) manager initiates a change request and subsequently approves it. D) user raises a change request and tests it in the test environment.
C) Manager initiates a change request and subsequently approves it is correct. Initiating and subsequently approving a change request violates the principle of segregation of duties. D) A person should not be able to approve their own requests. User raises a change request and tests it in the test environment is incorrect. Having a user involved in testing changes is common practice. B) Programmer codes a change in the development environment and tests it in the test environment is incorrect. Having a programmer code a change in development and then separately test the change in a test environment is a good practice and preferable over testing in production. A) Manager approves a change request and then reviews it in production is incorrect. C) Having a manager review a change to make sure it was done correctly is an acceptable practice.
Q64) An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that: A) card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards. B) the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure. C) non-personalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity. D) access cards are not labeled with the organization's name and address to facilitate easy return of a lost card.
C) Non-personalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity is correct. Physical security is meant to control who is entering a secured area, so identification of all individuals is of utmost importance. It is not adequate to trust unknown external people by allowing them to write down their alleged name without proof (e.g., identity card, driver's license). D) Access cards are not labeled with the organization's name and address to facilitate easy return of a lost card is incorrect. Having the name and address of the organization on the card may be a concern because a malicious finder could use a lost or stolen card to enter the organization's premises. A) Card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards is incorrect. Separating card issuance from technical rights management is a method to ensure the proper segregation of duties so that no single person can produce a functioning card for a restricted area within the organization's premises. The long lead time is an inconvenience but not a serious audit risk. B) The computer system used for programming the cards can only be replaced after three weeks in the event of a system failure is incorrect. System failure of the card programming device would normally not mean that the readers do not function anymore. It simply means that no new cards can be issued, so this option is minor compared to the threat of improper identification.
Q72) Two months after a major application implementation, management, who assume that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to: A) review subsequent program change requests. B) assess whether the planned cost benefits are being measured, analyzed and reported. C) review controls built into the system to assure that they are operating as designed. D) determine user feedback on the system has been documented.
C) Review controls built into the system to assure that they are operating as designed is correct. Because management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed. D) Determine whether user feedback on the system has been documented is incorrect. The IS auditor should check whether user feedback has been provided, but this is not the most important area for audit. B) Assess whether the planned cost benefits are being measured, analyzed and reported is incorrect. It is important to assess the effectiveness of the project; however, assuring that the production environment is adequately controlled after the implementation is of primary concern. A) Review subsequent program change requests is incorrect. Reviewing change requests may be a good idea, but this is more important if the application is perceived to have a problem.
Q71) When reviewing the configuration of network devices, an IS auditor should FIRST identify: A) whether components of the network are missing. B) the good practices for the type of network devices deployed. C) the importance of the network devices in the topology. D) whether subcomponents of the network are being used appropriately.
C) The importance of the network devices in the topology is correct. The first step is to understand the importance and role of the network device within the organization's network topology. B) The good practices for the type of network devices deployed is incorrect. After understanding the devices in the network, a good practice for using the device should be reviewed to ensure that there are no anomalies within the configuration. A) Whether components of the network are missing is incorrect. Identification of which component is missing can only be known after reviewing and understanding the topology and a good practice for deployment of the device in the network. D) Whether subcomponents of the network are being used appropriately is incorrect. Identification of which subcomponent is being used inappropriately can only be known after reviewing and understanding the topology and a good practice for deployment of the device in the network.
Q58) An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that: A) the environmental impact of the data center has not been considered. B) it has not been determined how the project fits into the overall project portfolio. C) the organizational impact of the project has not been assessed. D) not all IT stakeholders have been given an opportunity to provide input.
C) The organizational impact of the project has not been assessed is correct. The feasibility study determines the strategic benefits of the project. Therefore, the result of the feasibility study determines the organizational impact—a comparison report of costs, benefits, risk, etc. The project portfolio is a part of measuring the organizational strategy. B) It has not been determined how the project fits into the overall project portfolio is incorrect. While projects must be assigned a priority and managed as a portfolio, this most likely occurs after the feasibility study determines that the project is viable. D) Not all IT stakeholders have been given an opportunity to provide input is incorrect. A feasibility study is ordinarily conducted by those with the knowledge to make the decision because the involvement of the entire IT organization is not needed. A) The environmental impact of the data center has not been considered is incorrect. The environmental impact should be part of the feasibility study however the organizational impact is more important.
Q5) An IS auditor is reviewing the change management process for an enterprise resource planning application. Which of the following is the BEST method for testing program changes? A) Select a sample of change tickets and review them for authorization. B) Use query software to analyze all change tickets for missing fields. C) Trace a sample of modified programs to supporting change tickets. D) Perform a walk-through by tracing a program change from start to finish.
C) Trace a sample of modified programs to supporting change tickets is correct. This is the best way to test change management controls. This method is most likely to identify instances in which a change was made without supporting documentation. A) Select a sample of change tickets and reviewing them for authorization is incorrect. This helps test for authorization controls; however, it does not identify program changes that were made without supporting change tickets. D) Perform a walk-through by tracing a program change from start to finish is incorrect. This assists the IS auditor in understanding the process but does not ensure that all changes adhere to the normal process. B) Use query software to analyze all change tickets for missing fields is incorrect. This does not identify program changes that were made without supporting change tickets.
Q18) Which of the following is the BEST indicator that a newly developed system will be used after it is in production? A) Regression testing B) Sociability testing C) User acceptance testing D) Parallel testing
C) User acceptance testing is correct. This is undertaken to provide confidence that a system or system component operates as intended, to provide a basis for evaluating the implementation of the requirements or to demonstrate the effectiveness or efficiency of the system or component. If the results of the testing are poor, then the system is unlikely to be adopted by the users. A) Regression testing is incorrect. These results do not assist with the user experience and are primarily concerned with new functionality or processes and whether those changes altered or broke previous functionality. B) Sociability testing is incorrect. These results indicate how the application works with other components within the environment and is not indicative of the user experience. D) Parallel testing is incorrect. This is performed when the comparison of two applications is needed but will not provide feedback on user satisfaction.
Q85) In a small organization, the function of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario? A) Preventing the release manager from making program modifications B) Hiring additional staff to provide segregation of duties C) Verifying that only approved program changes are implemented D) Logging of changes to development libraries
C) Verifying that only approved program changes are implemented is correct. Compensating controls are used to mitigate risk when proper controls are not feasible or practical. In a small organization, it may not be feasible to hire new staff, which is why a compensating control may be necessary. Verifying program changes has roughly the same effect as intended by full segregation of duties. B) Hiring additional staff to provide segregation of duties is incorrect. Establishing segregation of duties is not a compensating control; it is a preventive control. In a small organization, it may not be feasible to hire new staff, which is why a compensating control may be necessary. A) Preventing the release manager from making program modifications is incorrect Since the release manager is performing dual roles, preventing them from making program modifications is not feasible, and, in a small organization, segregation of duties may not be possible. D) Logging of changes to development libraries is incorrect. Logging changes to development libraries does not detect changes to production libraries.
Q91) An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy? A) Stateful inspection firewall B) Proxy server C) Web content filter D) Web cache server
C) Web content filter is correct. This accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, organizations and vendors have made available uniform resource locator blacklists and classifications for millions of web sites. A) Stateful inspection firewall is incorrect. This is of little help in filtering web traffic because it does not review the content of the web site, nor does it take into consideration the site's classification. D) Web cache server is incorrect. This is designed to improve the speed of retrieving the most common or recently visited web pages. B) Proxy server is incorrect. A proxy server services the request of its clients by forwarding requests to other servers. Many people incorrectly use proxy server as a synonym of web proxy server even though not all web proxy servers have content filtering capabilities.
Q8) An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system application is to: A) encrypt electronic orders. B) perform reasonableness checks on quantities ordered before filling orders. C) acknowledge receipt of electronic orders with a confirmation message. D) verify the identity of senders and determine if orders correspond to contract terms.
D Verify the identity of senders and determine if orders correspond to contract terms is correct. An electronic data interchange system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern. C) Acknowledging the receipt of electronic orders with a confirming message is incorrect. This is good practice but will not authenticate orders from customers. B) Performing reasonableness checks on quantities ordered before filling orders is incorrect. This is a control for ensuring the correctness of the organization's orders, not the authenticity of its customers' orders. A) Encrypt electronic orders is incorrect. This is an appropriate step but does not prove authenticity of messages received.
Q7) A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and - A) age, because training in audit techniques may be impractical. B) length of service, because this will help ensure technical competence. C) IT knowledge, because this will bring enhanced credibility to the audit function. D) ability, as an IS auditor, to be independent of existing IT relationships.
D) Ability, as an IS auditor, to be independent of existing IT relationships is correct. Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities. B) Length of service is incorrect and does not ensure technical competency. A) Evaluating an individual's qualifications based on the age of the individual is incorrect and is illegal in many parts of the world. C) IT knowledge is incorrect. The fact that the employee has worked in IT for many years may not ensure credibility. The IS audit department's needs should be defined, and any candidate should be evaluated against those requirements.
Q32) During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to - A) collect sufficient evidence. B) minimize audit resources. C) specify appropriate tests. D) address audit objectives.
D) Address audit objectives is correct. ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives. The activities described in the other options are all undertaken to address audit objectives and, thus, are secondary. A) Collect sufficient evidence is incorrect. The IS auditor does not collect evidence in the planning stage of an audit. C) Specify appropriate tests is incorrect. This is not the primary goal of audit planning. B) Minimize audit resources is incorrect. Effective use of audit resources is a goal of audit planning, not minimizing audit resources.
Q38) An IS auditor has discovered that a new patch is available for an application, but the IT department has decided that the patch is not needed because other security controls are in place. What should the IS auditor recommend? A) Modify the firewall rules to further protect the application server. B) Implement a host-based intrusion detection system. C) Apply the patch only after it has been thoroughly tested. D) Assess the overall risk, then recommend whether to deploy the patch.
D) Assess the overall risk, then recommend whether to deploy the patch is correct. While it is important to ensure that systems are properly patched, a risk assessment needs to be performed to determine the likelihood and probability of the vulnerability being exploited. Therefore, the patch would be applied only if the risk of circumventing the existing security controls is great enough to warrant it. C) Apply the patch only after it has been thoroughly tested is incorrect. Applying a patch without first performing a risk assessment might be a waste of resources if it is determined that the application is not mission critical. B) Implement a host-based intrusion detection system is incorrect. This would be a valid control; however, it may not address vulnerabilities within the application. A) Modify the firewall rules to further protect the application server is incorrect. This may help to mitigate the risk of a security incident; however, first the risk related to the patch would need to be determined.
Q40) Which of the following is the responsibility of information asset owners? A) Implementation of access rules to data and programs B) Implementation of information security within applications C) Provision of physical and logical security for data D) Assignment of criticality levels to data
D) Assignment of criticality levels to data is correct. It is the responsibility of owners to define the criticality (and sensitivity) levels of information assets. B) Implementation of information security within applications incorrect. This is the responsibility of the data custodians based on the requirements set by the data owner. A) Implementation of access rules to data and programs is incorrect. This is a responsibility of data custodians based on the requirements set by the data owner. C) Provision of physical and logical security for data is incorrect. This is the responsibility of the security administrator.
Q24) When testing for compliance, which of the following sampling methods is MOST useful? A) Difference estimation sampling B) Variable sampling C) Stratified mean per unit sampling D) Attribute sampling
D) Attribute sampling is correct. It is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain predefined dollar amount for proper approvals. B) Variable sampling is incorrect. It is based on the calculation of a mean from a sample extracted from the entire population and using that to estimate the characteristics of the entire population. For example, a sample of 10 items shows an average price of US $10 per item. For the entire population of 1,000 items, the total value is estimated to be US $10,000. This is not a good way to measure compliance with a process. C) Stratified mean-per-unit sampling is incorrect. This attempts to ensure that the entire population is represented in the sample. This is not an effective way to measure compliance. A) Difference estimation sampling is incorrect. This examines measure deviations and extraordinary items and is not a good way to measure compliance.
Q33) Electromagnetic emissions from a terminal represent a risk because they: A) could damage or erase nearby storage media. B) could have adverse health effects on personnel. C) can disrupt processor functions. D) can be detected and displayed.
D) Can be detected and displayed is correct. Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. TEMPEST is a term referring to the investigation and study of compromising emanations of unintentional intelligence-bearing signals that, if intercepted and analyzed, may reveal their contents. A) Could damage or erase nearby storage media is incorrect. While a strong magnetic field can erase certain storage media, normally terminals are designed to limit these emissions; therefore, this is not normally a concern. C) Can disrupt processor functions is incorrect. Electromagnetic emissions should not cause disruption of central processing units. B) Could have adverse health effects on personnel is incorrect. Most electromagnetic emissions are low level and do not pose a significant health risk.
Q81) Which of the following BEST limits the impact of server failures in a distributed environment? A) Redundant pathways B) Standby power C) Dial backup lines D) Clustering
D) Clustering is correct. This allows two or more servers to work as a unit so that when one of them fails, the other takes over. A) Redundant pathways is incorrect. These will minimize the impact of channel communications failures but will not address the problem of server failure. C) Dial backup lines is incorrect. These will minimize the impact of channel communications failures but not a server failure. B) Standby power is incorrect. This provides an alternative power source in the event of an energy failure but does not address the problem of a server failure.
Q66) An IS auditor was asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed? A) Have periodic meetings with the client IT manager. B) Require the vendor to provide monthly status reports. C) Require that performance parameters be stated within the contract. D) Conduct periodic audit reviews of the vendor.
D) Conduct periodic audit reviews of the vendor is correct. Conducting periodic reviews of the vendor ensures that the agreements within the contract are completed in a satisfactory manner. Without future audit reviews after the contract is signed, service level agreements and the client's requirements for security controls may become less of a focus for the vendor, and the results may slip. Periodic audit reviews allow the client to take a look at the vendor's current state to ensure that the vendor is one with which they want to continue to work. B) Require the vendor to provide monthly status reports is incorrect. Although providing monthly status reports may show that the vendor is meeting contract terms, without independent verification these data may not be reliable. A) Have periodic meetings with the client IT manager is incorrect. Having periodic meetings with the client IT manager will assist with understanding the current relationship with the vendor, but meetings may not include vendor audit reports, status reports and other information that a periodic audit review would take into consideration. C) Require that performance parameters be stated within the contract is incorrect. Requiring that performance parameters be stated within the contract is important, but only if periodic reviews are performed to determine that performance parameters are met.
Q39) A substantive test to verify that tape library inventory records are accurate is - A) checking whether receipts and issues of tapes are accurately recorded. B) determining whether the movement of tapes is authorized. C) determining whether bar code readers are installed. D) conducting a physical count of the tape inventory
D) Conducting a physical count of the tape inventory is correct. A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy and validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test. C) Determining whether bar code readers are installed is incorrect. This is a compliance test. B) Determining whether the movement of tapes is authorized is incorrect. This is a compliance test. A) Checking whether receipts and issues of tapes are accurately recorded is incorrect. This is a compliance test.
Q47) Which of the following presents an inherent risk with no distinct identifiable preventive controls? A) Unauthorized application shutdown B) Viruses C) Piggybacking D) Data diddling
D) Data diddling is correct. This involves changing data before they are entered into the computer. It is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling. C) Piggybacking is incorrect. This is the act of following an authorized person through a secured door and can be prevented by the use of deadman doors. Logical piggybacking is an attempt to gain access through someone who has the rights (e.g., electronically attaching to an authorized telecommunication link to possibly intercept transmissions). This could be prevented by encrypting the message. B) Viruses is incorrect. These are malicious program code inserted into another executable code that can self-replicate and spread from computer to computer via sharing of computer disks, transfer of logic over telecommunication lines or direct contact with an infected machine. Antivirus software can be used to protect the computer against viruses. A) Unauthorized application shutdown is incorrect. The shutdown of an application can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up line) to the computer. Only individuals knowing the high-level logon ID and password can initiate the shutdown process, which is effective if there are proper access controls.
Q41) An IS auditor is reviewing the network infrastructure of a call center and determines that the internal telephone system is based on Voice-over Internet Protocol technology. Which of the following is the GREATEST concern? A) Voice communication uses the same equipment that is used for data communication. B) The team that supports the data network also is responsible for the telephone system. C) Voice communication is not encrypted on the local network. D) Ethernet switches are not protected by uninterrupted power supply units.
D) Ethernet switches are not protected by uninterrupted power supply units is correct. Voice-over Internet Protocol (VoIP) telephone systems use the local area network (LAN) infrastructure of a company for communication, typically using Ethernet connectivity to connect individual phones to the system. Most companies have a backup power supply for the main servers and systems, but typically do not have uninterrupted power supply units for the LAN switches. In the case of even a brief power outage, not having backup power on all network devices makes it impossible to send or receive phone calls, which is a concern, particularly in a call center. A) Voice communication uses the same equipment that is used for data communication is incorrect. VoIP telephone systems use the LAN infrastructure of a company for communication, which can save on wiring cost and simplify both the installation and support of the telephone system. This use of shared infrastructure is a benefit of VoIP and therefore is not a concern. C) Voice communication is not encrypted on the local network is incorrect. VoIP devices do not normally encrypt the voice traffic on the local network, so this is not a concern. Typically, a VoIP phone system connects to a telephone company voice circuit, which would not normally be encrypted. If the system uses the Internet for connectivity, then encryption is required. B) The team that supports the data network also is responsible for the telephone system is incorrect. VoIP telephone systems use the LAN infrastructure of a company for communication, so the personnel who support and maintain that infrastructure are now responsible for both the data and voice network by default. Therefore, this would not be a concern.
Q54) This question refers to the following diagram. To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system between the: A) web server and the firewall. B) Internet and the firewall. C) Internet and the web server. D) firewall and the organization's network.
D) Firewall and the organization's network is correct. Attack attempts that could not be recognized by the firewall will be detected if a network-based intrusion detection system (IDS) is placed between the firewall and the organization's network. B) Internet and the firewall is incorrect. A network-based IDS placed between the Internet and the firewall will detect attack attempts, whether they are or are not noticed by the firewall. C) Internet and the web server is incorrect. Placing an IDS outside of the web server will identify attacks directed at the web server but will not detect attacks missed by the firewall. A) Web server and the firewall is incorrect. Placing the IDS after the web server would identify attacks that have made it past the web server but will not indicate whether the firewall would have been able to detect the attacks.
Q95) Which of the following provides the MOST relevant information for proactively strengthening security settings? A) Intrusion prevention system B) Intrusion detection system C) Bastion host D) Honeypot
D) Honeypot is correct. The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's methods and strategies, and the resources required to address such attacks. A honeypot allows the attack to continue, so as to obtain information about the hacker's strategy and methods. C) Bastion host is incorrect. This is a hardened system used to host services. It does not provide information about an attack. B) Intrusion detection system is incorrect. These are designed to detect and address an attack in progress and stop it as soon as possible. A) Intrusion prevention system is incorrect. These are designed to detect and address an attack in progress and stop it as soon as possible.
Q56) An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have legitimate business reasons for also accessing customer information. Which of the following represents the BEST control to ensure separation of the two networks? A) Install a dedicated router between the two networks. B) Establish two physically separate networks. C) Implement virtual local area network segmentation. D) Install a firewall between the networks.
D) Install a firewall between the networks is correct. In this case, a firewall could be used as a strong control to allow authorized users on the wireless network to access the wired network. B) Establish two physically separate networks is incorrect. While having two physically separate networks would ensure the security of customer data, it would make it impossible for authorized wireless users to access that data. C) Implement virtual local area network (VLAN) segmentation is incorrect. While a VLAN would provide separation of the two networks, it is possible, with sufficient knowledge, for an attacker to gain access to one VLAN from the other. A) Install a dedicated router between the two networks is incorrect. A dedicated router between the two networks would separate them; however, this would be less secure than a firewall.
Q61) The PRIMARY reason for using digital signatures is to ensure data: A) availability. B) correctness. C) confidentiality. D) integrity.
D) Integrity is correct. Digital signatures provide integrity because the digital signature of a signed message (file, mail, document, etc.) changes every time a single bit of the document changes; thus, a signed document cannot be altered. A digital signature provides for message integrity, nonrepudiation and proof of origin. C) Confidentiality is incorrect. A digital signature does not, in itself, address message confidentiality. A) Availability is incorrect. This is not related to digital signatures. B) Correctness is incorrect. In general, correctness is not related to digital signatures. A digital signature guarantee data integrity, however cannot ensure correctness of signed data.
Q99) A top-down approach to the development of operational policies helps to ensure - A) that they are implemented as a part of risk assessment. B) that they are reviewed periodically. C) compliance with all policies. D) that they are consistent across the organization.
D) That they are consistent across the organization is correct. Deriving lower-level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. A) That they are implemented as a part of risk assessment is incorrect. Policies should be influenced by risk assessment, but the primary reason for a top-down approach is to ensure that the policies are consistent across the organization. C) Compliance with all policies is incorrect. A top-down approach, of itself, does not ensure compliance. B) That they are reviewed periodically is incorrect. A top-down approach, of itself, does not ensure that policies are reviewed.
Q2) An organization is proposing to establish a wireless local area network (WLAN). Management asks the IS auditor to recommend security controls for the WLAN. Which of the following would be the MOST appropriate recommendation? A) Implement the Simple Network Management Protocol to allow active monitoring. B) Use service set identifiers that clearly identify the organization. C) Encrypt traffic using the Wired Equivalent Privacy mechanism. D) Physically secure wireless access points to prevent tampering.
D) Physically secure wireless access points to prevent tampering is correct. Physically securing access points such as wireless routers, as well as preventing theft, addresses the risk of malicious parties tampering with device settings. If access points can be physically reached, it is often a simple matter to restore weak default passwords and encryption keys, or to totally remove authentication and encryption from the network. B) Use service set identifiers that clearly identify the organization is incorrect. Service set identifiers should not be used to identify the organization because hackers can associate the wireless local area network with a known organization, and this increases both their motivation to attack and, potentially, the information available to do so. C) Encrypt traffic using the Wired Equivalent Privacy mechanism is incorrect. The original Wired Equivalent Privacy security mechanism has been demonstrated to have a number of exploitable weaknesses. The more recently developed Wi-Fi Protected Access and Wi-Fi Protected Access 2 standards represent considerably more secure means of authentication and encryption. A) Implement the Simple Network Management Protocol to allow active monitoring is incorrect. Installing Simple Network Management Protocol on wireless access points can actually open up security vulnerabilities. If SNMP is required at all, then SNMP v3, which has stronger authentication mechanisms than earlier versions, should be deployed.
Q31) Which of the following BEST helps an IS auditor assess and measure the value of a newly implemented system? A) Review of business requirements B) System accreditation C) System certification D) Post-implementation review
D) Post-implementation review is correct. One key objective of a post-implementation review is to evaluate the projected cost-benefits or the return on investment measurements. A) Review of business requirements is incorrect. While reviewing the business requirements is important, only a post-implementation review provides evidence that the project met the business requirements. C) System certification is incorrect. This involves performing a comprehensive assessment against a standard of management, operational and technical controls in an information system to examine the level of compliance in meeting certain requirements such as standards, policies, processes, procedures, work instructions and guidelines. D) System accreditation is incorrect. This is an official management decision to authorize operation of an information system and to explicitly accept the risk to the organization's operations, assets or individuals based on the implementation of an agreed-on set of requirements and security controls.
Q80) Which of the following BEST ensures the effectiveness of controls related to interest calculation for an accounting system? A) Process walk-through B) Observation C) Documentation review D) Re-performance
D) Re-performance is correct. To ensure the effectiveness of controls, it is most effective to conduct re-performance. When the same result is obtained after the performance by an independent person, this provides the strongest assurance. A) Process walk-through is incorrect. This may help the auditor understand the controls better; however, it may not be as useful as conducting re-performance for a sample of transactions. B) Observation is incorrect. This is a valid audit method to verify that operators are using the system appropriately; however, conducting re-performance is a better method. C) Documentation review is incorrect. This may be of some value for understanding the control environment; however, conducting re-performance is a better method.
Q28) Which of the following is a control that can be implemented to reduce risk of internal fraud if application programmers are allowed to move programs into the production environment in a small organization? A) Post-implementation functional testing B) User acceptance testing C) Validation of user requirements D) Registration and review of changes
D) Registration and review of changes is correct. An independent review of the changes to the program in production could identify potential unauthorized changes, versions or functionality that the programmer had put into production. A) Post-implementation functional testing is incorrect. This would not be as effective because the system could be accepted by the end user without detecting the undocumented functionality. C) Validation of user requirements is incorrect. This would not be as effective because the system could meet user requirements and still include undocumented functionalities. B) User acceptance testing is incorrect. This would not be as effective because the system could be accepted by the end users, and the undocumented functionalities could remain undetected.
Q11) An IS auditor suspects an incident is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST? A) Request that the system be shut down to preserve evidence. B) Ask for immediate suspension of the suspect accounts. C) Investigate the source and nature of the incident. D) Report the incident to management.
D) Report the suspected incident to management is correct. This will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor's role to respond to incidents during an audit. A) Request that the system be shut down to preserve evidence is incorrect. The IS auditor should follow the incident response process of the organization. The auditor is not authorized to shut the system down. B) Ask for immediate suspension of the suspect accounts is incorrect. The IS auditor is not authorized to lead the investigation or to suspend user accounts. The auditor should report the incident to management. C) Investigate the source and nature of the incident is incorrect. Management is responsible to set up and follow an incident management plan; that is not the responsibility of the IS auditor.
Q48) Confidentiality of transmitted data can best be delivered by encrypting the: A) session key with the sender's public key. B) messages with the receiver's private key. C) message digest with the sender's private key. D) session key with the receiver's public key.
D) Session key with the receiver's public key is correct. This will ensure that the session key can only be obtained using the receiver's private key, retained by the receiver. C) Message digest with the sender's private key is incorrect. This will ensure authentication and nonrepudiation. A) Session key with the sender's public key is incorrect. This will make the message accessible to only the sender. B) Messages with the receiver's private key is incorrect. A message encrypted with a receiver's private key could be decrypted by anyone using the receiver's public key.
Q29) The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation, and is the only user with administrative rights to the system. What should the IS auditor's initial determination be? A) Disabling of unused ports presents a potential risk. B) Soft zoning presents a potential risk. C) There is no significant potential risk. D) The SAN administrator presents a potential risk.
D) The SAN administrator presents a potential risk is correct. The potential risk in this scenario is posed by the SAN administrator. One concern is having a "single point of failure." Because only one administrator has the knowledge and access required to administer the system, the organization is susceptible to risk. For example, if the SAN administrator decided to quit unexpectedly, or was otherwise unavailable, the company may not be able to adequately administer the SAN. In addition, having a single administrator for a large, complex system such as a SAN also presents a segregation of duties risk. The organization currently relies entirely on the SAN administrator to implement, maintain, and validate all security controls; this means that the SAN administrator could modify or remove those controls without detection. C) There is no significant potential risk is incorrect. While the storage area network (SAN) may have been implemented with good controls, there is risk created by the combination of roles held by the SAN administrator. B) Soft zoning presents a potential risk is incorrect. Hard zoning is more secure than soft zoning. A) Disabling of unused ports presents a potential risk is incorrect. Unused ports should generally be disabled to increase security.
Q57) An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor? A) Guest users who are logged in are not isolated from each other. B) A login screen is not displayed for guest users. C) A single factor authentication technique is used to grant access. D) The guest network is not segregated from the production network.
D) The guest network is not segregated from the production network is correct. The implication of this is that guests have access to the organization's network. Allowing untrusted users to connect to the organization's network could introduce malware and potentially allow these individuals inappropriate access to systems and information. B) A login screen is not displayed for guest users is incorrect. Using a web captive portal, which displays a login screen in the user's web browser, is a good practice to authenticate guests. However, if the guest network is not segregated from the production network, users could introduce malware and potentially gain inappropriate access to systems and information. A) Guest users who are logged in are not isolated from each other is incorrect. There are certain platforms in which it is allowable for guests to interact with one another. Also, guests could be warned to use only secured systems and a policy covering interaction among guests could be created. C) A single factor authentication technique is used to grant access is incorrect. Although a multifactor authentication technique is preferred, a single-factor authentication method should be adequate if properly implemented.
Q21) An IS auditor performing an audit of the newly installed Voice-over Internet Protocol system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern? A) Network cabling is disorganized and not properly labeled. B) The telephones are using the same cable used for LAN connections. C) wiring closet also contains power lines and breaker panels. D) The local area network (LAN) switches are not connected to uninterruptible power supply units.
D) The local area network (LAN) switches are not connected to uninterruptible power supply units is correct. Voice-over Internet Protocol (VoIP) telephone systems use standard network cabling and typically each telephone gets power over the network cable (power over Ethernet) from the wiring closet where the network switch is installed. If the local area network switches do not have backup power, the phones will lose power if there is a utility interruption and potentially not be able to make emergency calls. A) Network cabling is disorganized and not properly labeled is incorrect. While improper cabling can create reliability issues, the more critical issue in this case would be the lack of power protection. B) The telephones are using the same cable used for LAN connections is incorrect. An advantage of VoIP telephone systems is that they use the same cable types and even network switches as standard PC network connections. Therefore, this would not be a concern. C) The wiring closet also contains power lines and breaker panels is incorrect. As long as the power and telephone equipment are separated, this would not be a significant risk.
Q69) Which of the following criteria are MOST needed to ensure that log information is admissible in court? Ensure that data have been: A) independently time stamped. B) encrypted by the most secure algorithm. C) recorded by multiple logging systems. D) verified to ensure log integrity.
D) Verified to ensure log integrity is correct. It is important to assure that log information existed at a certain point of time and it has not been altered. Therefore, evidential credibility of log information is enhanced when there is proof that no one has tampered with this information, something typically accomplished by maintaining a documented chain of custody. A) Independently time stamped is incorrect. This is a key requirement in logging. This is one method of ensuring log integrity; however, this does not prevent information from being modified. C) Recorded by multiple logging systems is incorrect. Having multiple logging resources may work to ensure redundancy; however, increased redundancy may not effectively add value to the credibility of log information. B) Encrypted by the most secure algorithm is incorrect. The strength of the encryption algorithm may improve data confidentiality; however, this does not necessarily prevent data from being modified.
Q93) In a public key infrastructure, a registration authority: A) digitally signs a message to achieve nonrepudiation of the signed message. B) issues the certificate after the required attributes are verified and the keys are generated. C) registers signed messages to protect them from future repudiation. D) verifies information supplied by the subject requesting a certificate.
D) Verifies information supplied by the subject requesting a certificate is correct. A registration authority is responsible for verifying information supplied by the subject requesting a certificate and verifies the requestor's right to request a certificate on behalf of themselves or their organization. B) Issues the certificate after the required attributes are verified and the keys are generated is incorrect. Certification authorities, not registration authorities, actually issue certificates once verification of the information has been completed. A) Digitally signs a message to achieve nonrepudiation of the signed message is incorrect. The sender who has control of his/her private key signs the message, not the registration authority. C) Registers signed messages to protect them from future repudiation is incorrect. This is not a task performed by registration authorities.
Q6) Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would BEST provide assurance that transmission of information is secure while the production support team at ABC is providing support to XYZ? A) Hash functions B) Secret key encryption C) Dynamic Internet protocol address and port D) Virtual private network tunnel
D) Virtual private network tunnel is correct. As ABC and XYZ are communicating over the Internet, which is an untrusted network, establishing an encrypted virtual private network tunnel would best ensure that the transmission of information was secure. B) Secret key encryption is incorrect. This would require sharing of the same key at the source and destination and involve an additional step for encrypting and decrypting data at each end. This is not a feasible solution given the scenario. C) Dynamic Internet Protocol address and port is incorrect. This is not an effective control because an attacker could easily find the new address using the domain name system. A) Hash functions is incorrect. While the use of a cryptographic hash function may be helpful to validate the integrity of data files, in this case it would not be useful for a production support team connecting remotely.