CISA Questions (901-1000)
An organization is considering making a major investment in upgrading technology. Which of the following choices is the MOST important to consider? Select an answer: A. A cost analysis B. The security risk of the current technology C. Compatibility with existing systems D. A risk analysis
You answered C. The correct answer is D. A. The information system solution should be cost-effective, but this is not the most important aspect. B. The security risk of the current technology is one of the components of the risk analysis, and alone is not the most important factor. C. Compatibility with existing systems is one consideration; however, the new system may be a major upgrade that is not compatible with existing systems, so this is not the most important consideration. D. Prior to implementing new technology, an organization should perform a risk assessment, which would then be presented to business unit management for review and acceptance.
Segmenting a highly sensitive database results in: Select an answer: A. reduced exposure. B. reduced threat. C. less criticality. D. less sensitivity.
You are correct, the answer is A. A. Segmenting data reduces the quantity of data exposed as a result of a particular event. B. The threat may remain constant, but each segment may represent a different vector against which it must be directed. C. Criticality (availability) of data is not affected by the manner in which it is segmented. D. Sensitivity of data is not affected by the manner in which it is segmented.
A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions more than a certain amount. What type of audit control is this? Select an answer: A. Detective B. Preventive C. Corrective D. Directive
You are correct, the answer is B. A. Detective controls identify events after they have happened. In this case, the action of the branch manager would prevent an event from occurring. B. Having a manager approve transactions more than a certain amount is considered a preventive control. C. A corrective control serves to remedy problems discovered by detective controls. In this case, the action of the branch manager is a preventive control. D. A directive control is a manual control that typically consists of a policy or procedure that specifies what actions are to be performed. In this case, there is an automated control that prevents an event from occurring.
An IS auditor is conducting a review of the disaster recovery (DR) procedures for a data center. Which of the following indicators is the BEST to show that the procedures meet the requirements? Select an answer: A. Documented procedures were approved by management. B. Procedures were reviewed and compared with industry good practices. C. A tabletop exercise using the procedures was conducted. D. Recovery teams and their responsibilities are documented.
You are correct, the answer is C. A. Even though documented procedures were approved by management, this does not ensure that there is nothing missing. B. While it is useful to compare the procedures with documented industry good practices, a paper test would be a better indicator that the procedures meet requirements. C. If IT conducted a paper-based test of the procedures with all responsible members, this would help to ensure that the procedures meet requirements so that they are useful and practical at the time of a real disaster. D. The documentation of recovery teams and their responsibilities would be part of the procedures and not necessarily validate that the procedures meet requirements.
What is the PRIMARY reason that an IS auditor would verify that the process of postimplementation review of an application was completed after a release? Select an answer: A. To make sure that users are appropriately trained B. To verify that the project was within budget C. To check that the project meets expectations D. To determine whether proper controls were implemented
You are correct, the answer is C. A. Postimplementation review does not target verifying user training needs. B. Project costs are monitored during development and are not the primary reason for a postimplementation review. C. The objective of a postimplementation review is to reveal whether the implementation of a system has achieved planned objectives (i.e., meets business objectives and risk acceptance criteria). D. While an IS auditor would be interested in ensuring that proper controls were implemented, the most important consideration would be that the project meets expectations.
Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would BEST provide assurance that transmission of information is secure while the production support team at ABC is providing support to XYZ? Select an answer: A. Secret key encryption B. Dynamic Internet protocol (IP) address and port C. Hash functions D. Virtual private network (VPN) tunnel
You are correct, the answer is D. A. Secret key encryption would require sharing of the same key at the source and destination and involve an additional step for encrypting and decrypting data at each end. This is not a feasible solution given the scenario. B. Using a dynamic Internet protocol (IP) address and port is not an effective control because an attacker could easily find the new address using the domain name system (DNS). C. While the use of a cryptographic hash function may be helpful to validate the integrity of data files, in this case it would not be useful for a production support team connecting remotely. D. As ABC and XYZ are communicating over the Internet, which is an untrusted network, establishing an encrypted virtual private network (VPN) tunnel would best ensure that the transmission of information was secure.
An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. Which of the following observations is the GREATEST concern to the auditor? Select an answer: A. Administrative access to the biometric scanners or the access control system is permitted over a virtual private network (VPN). B. Biometric scanners are not installed in restricted areas. C. Data transmitted between the biometric scanners and the access control system do not use a securely encrypted tunnel. D. Biometric system risk analysis was last conducted three years ago.
Which of the following criteria are MOST needed to ensure that log information is admissible in court? Ensure that data have been: Select an answer: A. independently time stamped. B. recorded by multiple logging systems. C. encrypted by the most secure algorithm. D. verified to ensure log integrity.
You are correct, the answer is D. A. Independent time stamps are a key requirement in logging. This is one method of ensuring log integrity; however, this does not prevent information from being modified. B. Having multiple logging resources may work to ensure redundancy; however, increased redundancy may not effectively add value to the credibility of log information. C. The strength of the encryption algorithm may improve data confidentiality; however, this does not necessarily prevent data from being modified. D. It is important to assure that log information existed at a certain point of time and it has not been altered. Therefore, evidential credibility of log information is enhanced when there is proof that no one has tampered with this information.
A new business requirement required changing database vendors. Which of the following areas should the IS auditor PRIMARILY examine in relation to this implementation? Select an answer: A. Integrity of the data B. Timing of the cutover C. Authorization level of users D. Normalization of the data
You are correct, the answer is A. A. A critical issue when migrating data from one database to another is the integrity of the data and ensuring that the data are migrated completely and correctly. B. The timing of the cutover is important, but because the data are being migrated to a new database, duplication should not be an issue. C. The authorization of the users is not as relevant as the authorization of the application because the users will interface with the database through an application, and the users will not directly interface with the database. D. Normalization is used to design the database and is not necessarily related to database migration.
An IS auditor is reviewing Secure Sockets Layer (SSL) enabled web sites for the company. Which of the following choices would be the HIGHEST risk? Select an answer: A. Expired digital certificates B. Self-signed digital certificates C. Using the same digital certificate for multiple web sites D. Using 56-bit digital certificates
You answered A. The correct answer is B. A. An expired certificate leads to blocked access to the web site leading to unwanted downtime. However, there is no loss of data. Therefore, the comparative risk is lower. B. Self-signed digital certificates are not signed by a certificate authority (CA) and can be created by anyone. Thus, they can be used by attackers to impersonate a web site, which may lead to data theft or perpetrate a man-in-the-middle attack. C. Using the same digital certificate is not a significant risk. Wildcard digital certificates may be used for multiple subdomain web sites. D. 56-bit digital certificates may be needed to connect with older versions of operating systems (OSs) or browsers. While they have a lower strength than 128-bit or 256-bit digital certificates, the comparative risk of a self-signed certificate is higher.
An IS auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information (PHI). Which of the following contractual terms would be the GREATEST risk to the customer organization? Select an answer: A. Data ownership is retained by the customer organization. B. The third-party provider reserves the right to access data to perform certain operations. C. Bulk data withdrawal mechanisms are undefined. D. The customer organization is responsible for backup, archive and restore.
You answered A. The correct answer is B. A. The customer organization would want to retain data ownership and, therefore, this would not be a risk. B. Some service providers reserve the right to access customer information (third-party access) to perform certain transactions and provide certain services. In the case of protected health information (PHI), regulations may restrict certain access. Organizations must review the regulatory environment in which the cloud provider operates because it may have requirements or restrictions of its own. Organizations must then determine whether the cloud provider provides appropriate controls to ensure that data are appropriately secure. C. An organization may eventually wish to discontinue its service with a third-party cloud-based provider. The organization would then want to remove its data from the system and ensure that the service provider clears the system (including any backups) of its data. Some providers do not offer automated or bulk data withdrawal mechanisms, which the organization needs to migrate its data. These aspects should be clarified prior to using a third-party provider. D. An organization may need to plan its own data recovery processes and procedures if the service provider does not make this available or the organization has doubts about the service provider's processes. This would only be a risk if the customer organization was unable to perform these activities itself.
While reviewing the process for continuous monitoring of the capacity and performance of IT resources, an IS auditor should PRIMARILY ensure that the process is focused on: Select an answer: A. adequately monitoring service levels of IT resources and services. B. providing data to enable timely planning for capacity and performance requirements. C. providing accurate feedback on IT resource availability. D. properly forecasting performance, capacity and throughput of IT resources.
You answered A. The correct answer is C. A. Continuous monitoring helps to ensure that service level agreements (SLAs) are met, but this would not be the primary focus of monitoring. It is possible that even if a system were offline, it would meet the requirements of an SLA. Therefore, accurate availability monitoring is more important. B. While data gained from capacity and performance monitoring would be an input to the planning process, the primary focus would be to monitor availability. C. Accurate availability monitoring of IT resources would be the most critical element of a continuous monitoring process. D. While continuous monitoring would help management to predict likely IT resource capabilities, the more critical issue would be that availability monitoring is accurate.
An organization recently deployed a customer relationship management (CRM) application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed? Select an answer: A. User acceptance testing (UAT) B. Project risk assessment C. Postimplementation review D. Management approval of the system
You answered A. The correct answer is C. A. User acceptance testing (UAT) verifies that the system functionality has been deemed acceptable by the end users of the system; however, a review of UAT will not validate whether the system is performing as designed because UAT could be performed on a subset of system functionality. The UAT review is a part of the postimplementation review. B. While a risk assessment would highlight the risk of the system, it would not include an analysis to verify that the system is operating as designed. C. The purpose of a postimplementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The postimplementation review also evaluates how effective the project management practices were in keeping the project on track. D. Management approval of the system could be based on reduced functionality and does not verify that the system is operating as designed. Review of management approval is a part of postimplementation review.
An IS auditor is reviewing an organization's network operations center (NOC). Which of the following choices is of the GREATEST concern? The use of: Select an answer: A. a wet pipe-based fire suppression system. B. a rented rack space in the NOC. C. a carbon dioxide-based fire suppression system. D. an uninterrupted power supply (UPS) with 10 minutes of backup power.
You answered A. The correct answer is C. A. Wet pipe systems may damage computer equipment, but they are safe for humans and not as damaging as carbon dioxide (CO2) systems. B. Rented rack space is not a concern as long as security controls are maintained. Most organizations rent server rack space. C. CO2 systems are a danger to people and should not be used because they cause suffocation in the event of a fire. Controls should consider personnel safety first. D. Depending on the system, a few minutes might be all that is needed for a graceful shutdown. However, a CO2 system is dangerous for personnel.
An IS auditor reviewing the application change management process for a large multinational company should be MOST concerned when: Select an answer: A. test systems run different configurations than do production systems. B. change management records are paper based. C. the configuration management database is not maintained. D. the test environment is installed on the production server.
You answered A. The correct answer is C. A. While, ideally, production and test systems should be configured identically, there may be reasons why this does not occur. The more significant concern is whether the configuration management database was not maintained. B. Paper-based change management records are inefficient to maintain and not easy to review in large volumes; however, they do not present a concern from a control point of view as long as they are properly and diligently maintained. C. The configuration management database (CMDB) is used to track configuration items (CIs) and the dependencies between them. An out-of-date CMDB in a large multinational company could result in incorrect approvals being obtained, or leave out critical dependencies during the test phase. D. While it is not ideal to have the test environment installed on the production server, it is not a control-related concern. As long as the test and production environments are kept separate, they can be installed on the same physical server(s).
An IS auditor is evaluating network performance for an organization that is considering increasing its Internet bandwidth due to a performance degradation during business hours. Which of the following is MOST likely the cause of the performance degradation? Select an answer: A. Malware on servers B. Firewall misconfiguration C. Increased spam received by the email server D. Unauthorized network activities
You answered A. The correct answer is D. A. The existence of malware on the organization's server could contribute to network performance issues, but the degraded performance would not likely be restricted to business hours. B. Firewall misconfiguration could contribute to network performance issues, but the degraded performance would not likely be restricted to business hours. C. The existence of spam on the organization's email server could contribute to network performance issues, but the degraded performance would not likely be restricted to business hours. D. Unauthorized network activities—such as employee use of file or music sharing sites or online gambling or personal email containing large files or photos—could contribute to network performance issues. Because the IS auditor found the degraded performance during business hours, this is the most likely cause.
Which of the following choices would be the BEST source of information when developing a risk-based audit plan? Select an answer: A. Process owners identify key controls. B. System custodians identify vulnerabilities. C. Peer auditors understand previous audit results. D. Senior management identify key business processes.
You answered A. The correct answer is D. A. While process owners should be consulted to identify key controls, senior management would be a better source to identify business processes, which are more important. B. System custodians would be a good source to better understand the risk and controls as they apply to specific applications; however, senior management would be a better source to identify business processes, which are more important. C. The review of previous audit results is one input into the audit planning process; however, if previous audits focused on a limited or a restricted scope or if the key business processes have changed and/or new business processes have been introduced, then this would not contribute to the development of a risk-based audit plan. D. Developing a risk-based audit plan must start with the identification of key business processes, which will determine and identify the risk that needs to be addressed.
An IS auditor is reviewing a manufacturing company and finds that mainframe users at a remote site connect to the mainframe at headquarters over the Internet via Telnet. Which of the following is the BEST recommendation to ensure proper security controls? Select an answer: A. Use of a point-to-point leased line B. Use of a firewall rule to allow only the Internet Protocol (IP) address of the remote site C. Use of two-factor authentication D. Use of a nonstandard port for Telnet
You answered B. The correct answer is A. A. A leased line will effectively extend the local area network (LAN) of the headquarters to the remote site, and the mainframe Telnet connection would travel over the private line, which would be less of a security risk when using an insecure protocol such as Telnet. B. A firewall rule at the headquarters network to only allow Telnet connections from the Internet Protocol (IP) address assigned to the remote site would make the connection more secure; however, there is the possibility that the source address could be spoofed by an attacker, and therefore, a dedicated leased line would be more secure. C. While two-factor authentication would enhance the login security, it would not secure the transmission channel against eavesdropping, and, therefore, a leased line would be a better option. D. Attacks on network services start with the assumption that network services use the standard Transmission Control Protocol (TCP)/IP port number assigned for the service, which is port 23 for Telnet. By reconfiguring the host and client, a different port can be used. Assigning a nonstandard port for services is a good general security practice because it makes it more difficult to determine what service is using the port; however, in this case, creating a leased-line connection to the remote site would be a better solution.
An IS auditor is reviewing the software development capabilities of an organization that has adopted the agile methodology. The IS auditor would be the MOST concerned if: Select an answer: A. certain project iterations produce proof-of-concept deliverables and unfinished code. B. application features and development processes are not extensively documented. C. software development teams continually re-plan each step of their major projects. D. project managers do not manage project resources, leaving that to project team members.
You answered B. The correct answer is A. A. The agile software development methodology is an iterative process where each iteration or "sprint" produces functional code. If a development team was producing code for demonstration purposes, this would be an issue because the following iterations of the project build on the code developed in the prior sprint. B. One focus of agile methodology is to rely more on team knowledge and produce functional code quickly. These characteristics would result in less extensive documentation or documentation embedded in the code itself. C. After each iteration or "sprint," agile development teams re-plan the project so that unfinished tasks are performed and resources can be reallocated as needed. The continual re-planning is a key component of agile development methodology. D. The management of agile software development is different from conventional development approaches in that leaders act as facilitators and allow team members to determine how to manage their own resources to get each sprint completed. Because the team members are performing the work, they are in a good position to understand how much time/effort is required to complete a sprint.
An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors would the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation? Select an answer: A. Existing IT mechanisms that enable compliance B. Alignment of the policy to the business strategy C. Current and future technology initiatives D. Regulatory compliance objectives that are defined in the policy
You answered B. The correct answer is A. A. The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy. B. Policies should be aligned with the business strategy, but this does not affect an organization's ability to comply with the policy upon implementation. C. Current and future technology initiatives should be driven by the needs of the business and would not affect an organization's ability to comply with the policy. D. Regulatory compliance objectives may be defined in the IT policy, but that would not facilitate compliance with the policy. Defining objectives would only result in the organization knowing the desired state, and would not aid in achieving compliance.
An IS auditor is reviewing security incident management procedures for the company. Which of the following choices is the MOST important consideration? Select an answer: A. Chain of custody of electronic evidence B. System breach notification procedures C. Escalation procedures to external agencies D. Procedures to recover lost data
You answered B. The correct answer is A. A. The preservation of evidence is the most important consideration in regard to security incident management. If data and evidence are not collected properly, valuable information could be lost and would not be admissible in a court of law should the company decide to pursue litigation. B. System breach notification is an important aspect and in many cases may even be required by laws and regulations; however, the security incident may not be a breach and the notification procedure might not apply. C. Escalation procedures to external agencies such as the local police or special agencies dealing in cybercrime are important. However, without proper chain of custody procedures, vital evidence may be lost and would not be admissible in a court of law should the company decide to pursue litigation. D. While having procedures in place to recover lost data is important, it is critical to ensure that evidence is protected to ensure follow-up and investigation.
Where would an IS auditor MOST likely see a hash function applied? Select an answer: A. Authentication B. Identification C. Authorization D. Encryption
You answered B. The correct answer is A. A. The purpose of a hash function is to produce a "fingerprint" of data that can be used to ensure integrity and authentication. A hash of a password also provides for authentication of a user or process attempting to access resources. B. Hash functions are not used for identification. They are used to validate the authenticity of the identity. C. Hash functions are not typically used to provide authorization. Authorization is provided after the authentication has been established. D. Hash functions are algorithms that map or translate one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input. It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm or to find two different messages that produce the same hash result using the same algorithm. Hash functions do not encrypt data.
An IS auditor performing an audit has determined that developers have been granted administrative access to the virtual machine (VM) management console to manage their own servers used for software development and testing. Which of the following choices would be of MOST concern for the IS auditor? Select an answer: A. Developers have the ability to create or de-provision servers. B. Developers could gain elevated access to production servers. C. Developers can affect the performance of production servers with their applications. D. Developers could install unapproved applications to any servers.
You answered B. The correct answer is A. A. Virtualization offers the ability to create or destroy virtual machines (VMs) through the administrative interface with administrative access. While a developer would be unlikely to de-provision a production server, the administrative console would grant him/her the ability to do this, which would be a significant risk. B. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest operating system (OS) to access the server. In this case, while the developers could potentially start, stop or even de-provision a production VM, they could not gain elevated access to the OS of the guest through the administrative interface. C. While there could be instances where a software development team might use resource-intensive applications that could cause performance issues for the virtual host, the greater risk would be the ability to de-provision VMs. D. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest OS to access the server; therefore, the concern that unauthorized software could be installed is not valid.
An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access is not consistent with company policy yet is required for smooth functioning of business operations. Which of the following controls would the IS auditor MOST likely recommend for long-term resolution? Select an answer: A. Redesign the controls related to data authorization. B. Implement additional segregation of duties controls. C. Review policy to see if a formal exception process is required. D. Implement additional logging controls.
You answered B. The correct answer is C. A. Data authorization controls should be driven by the policy. While there may be some technical controls that could be adjusted, if the data changes happen infrequently, then an exception process would be the better choice. B. While adequate segregation of duties is important, it is simpler to fix the policy versus adding additional controls to enforce segregation of duties. C. If the users are granted access to change data in support of the business requirements, but the policy forbids this, then perhaps the policy needs some adjustment to allow for policy exceptions to occur. D. Audit trails are needed, but this is not the best long-term solution to address this issue. Additional resources would be required to review logs.
Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity? Select an answer: A. Draft and publish a clear practice for enterprise-level incident response. B. Establish a cross-departmental working group to share perspectives. C. Develop a scenario and perform a structured walk-through. D. Develop a project plan for end-to-end testing of disaster recovery.
You answered B. The correct answer is C. A. Publishing an enterprise-level incident response plan is effective only if business continuity aligned itself to incident response. Incident response supports business continuity, not the other way around. B. Sharing perspectives is valuable, but a working group does not necessarily lead to ensuring that the interface between plans is workable. C. A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans. D. A project plan developed for disaster recovery will not necessarily address deficiencies in business continuity or incident response.
An IS auditor has found that employees are emailing sensitive company information to public web-based email domains. Which of the following is the BEST remediation option for the IS auditor to recommend? Select an answer: A. Encrypted mail accounts B. Training and awareness C. Activity monitoring D. Data loss prevention (DLP)
You answered B. The correct answer is D. A. Encrypted email accounts will secure the information being sent but will not prevent an employee from sending the information to an unauthorized person. B. Training and awareness, while important for shaping employee behavior, are not as strong as an automated preventive control. C. Activity monitoring is a detective control and will not prevent data from leaving the network. D. Data loss prevention (DLP) is an automated preventive tool that can block sensitive information from leaving the network while at the same time logging the offenders.
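To make the distinction between the options concrete, the following is an added example (not part of the question bank and not any vendor's product) of the kind of rule a DLP gateway applies to outbound mail: it is the preventive control of option D because it blocks the message and logs the sender, whereas pure activity monitoring (option C) would only record it. The internal domains, classification markings and messages are constructed sample values.

```python
"""Outbound e-mail screening in the style of a data loss prevention rule.

Added example, not from the question bank. A message is blocked when it is
addressed to a domain outside the organization and its body carries
sensitive content: a classification marking, or a number that passes the
Luhn check used by payment card numbers. Every block is logged with the
sender so offenders can be followed up. Domains, markings and messages are
constructed sample values.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}    # constructed
CLASSIFICATION_MARKS = ("CONFIDENTIAL", "INTERNAL ONLY")   # constructed
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")     # 13-19 digits, optional separators

@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str

@dataclass
class Decision:
    action: str                          # "allow" or "block"
    reasons: list[str] = field(default_factory=list)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs (phone numbers, IDs)."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:               # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def external_recipients(msg: Message) -> list[str]:
    """Recipients whose domain is not one of the organization's own."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def sensitive_findings(text: str) -> list[str]:
    """Classification markings and Luhn-valid card-like numbers in the text."""
    found = []
    upper = text.upper()
    found += [f"classification mark '{m}'" for m in CLASSIFICATION_MARKS if m in upper]
    for cand in CARD_CANDIDATE.findall(text):
        digits = re.sub(r"\D", "", cand)
        if luhn_ok(digits):
            found.append(f"card-like number ending {digits[-4:]}")
    return found

def evaluate(msg: Message, audit_log: list[str]) -> Decision:
    """Block only when sensitive content is headed outside the organization."""
    ext = external_recipients(msg)
    if not ext:
        return Decision("allow")
    findings = sensitive_findings(msg.subject + "\n" + msg.body)
    if not findings:
        return Decision("allow")
    audit_log.append(f"BLOCK sender={msg.sender} to={','.join(ext)} reasons={findings}")
    return Decision("block", findings)

# Constructed sample messages
SAMPLES = [
    Message("alice@example.com", ["bob@example.com"], "Q3 numbers",
            "CONFIDENTIAL draft attached"),                       # internal: allowed
    Message("alice@example.com", ["alice.p@webmail.invalid"], "fyi",
            "Forwarding the CONFIDENTIAL board pack"),            # external + marking
    Message("carol@example.com", ["dan@webmail.invalid"], "order",
            "card 4539 1488 0343 6467 exp 12/26"),                # Luhn-valid test number
    Message("carol@example.com", ["dan@webmail.invalid"], "call me",
            "my desk line is 5551 2345 6789 0123"),               # fails Luhn: allowed
]

def run_samples():
    """Screen the constructed messages; returns (decisions, audit log)."""
    log = []
    decisions = [evaluate(m, log) for m in SAMPLES]
    return decisions, log

if __name__ == "__main__":
    decisions, log = run_samples()
    for m, d in zip(SAMPLES, decisions):
        print(m.sender, "->", m.recipients, d.action, d.reasons)
    print("\n".join(log))
```

The Luhn check is what keeps a rule like this usable: a bare "16 digits" pattern would block phone numbers and order IDs and push users toward workarounds, which is the usability cost that a detective control avoids and a preventive control has to manage.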
While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should: Select an answer: A. report the issue to IT management. B. discuss the issue with the service provider. C. perform a risk assessment. D. perform an access review.
You answered C. The correct answer is A. A. During the course of an audit, if there are material issues that are of concern, they need to be reported immediately. B. The IS auditor may discuss the issue with the service provider to clarify it; however, the appropriate response is to report the issue to IT management. C. This issue can serve as an input for a future risk assessment, but the issue of noncompliance should be reported to management regardless of whether the IS auditor believes that there is a significant risk. D. The IS auditor should not perform an access review on behalf of the third-party IT service provider. The control may be re-performed to determine any actual violations resulting from the lack of review.
During an assessment of software development practices, an IS auditor finds that open source software components were used in an application designed for a client. What is the GREATEST concern the auditor would have about the use of open source software? Select an answer: A. The client did not pay for the open source software components. B. The organization and client must comply with open source software license terms. C. Open source software has security vulnerabilities. D. Open source software is unreliable for commercial use.
You answered C. The correct answer is B. A. A major benefit of using open source software is that it is free. The client is not required to pay for the open source software components; however, both the developing organization and the client should be concerned about the licensing terms and conditions of the open source software components that are being used. B. There are many types of open source software licenses and each has different terms and conditions. Some open source software licensing allows use of the open source software component freely, but requires that the completed software product must also allow the same rights. This is known as viral licensing, and if the development organization is not careful, its products could violate licensing terms by selling the product for profit. The IS auditor should be most concerned with open source software licensing compliance to avoid unintended intellectual property risk or legal consequences. C. Open source software, just like any software code, should be tested for security flaws and should be part of the normal system development life cycle (SDLC) process. This is not more of a concern than licensing compliance. D. Open source software does not inherently lack quality. Like any software code, it should be tested for reliability and should be part of the normal SDLC process. This is not more of a concern than licensing compliance.
The GREATEST benefit of having well-defined data classification policies and procedures is: Select an answer: A. a more accurate inventory of information assets. B. a decreased cost of controls. C. a reduced risk of inappropriate system access. D. an improved regulatory compliance.
You answered C. The correct answer is B. A. A more accurate inventory of information assets is a benefit but would not be the greatest benefit of the choices listed. B. An important benefit of a well-defined data classification process would be to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data. Without a proper classification framework, some security controls may be greater and, therefore, more costly than is required based on the data classification. C. Classifying the data may assist in reducing the risk of inappropriate system access, but that would not be the greatest benefit. D. Improved regulatory compliance would be a benefit; however, achieving a cost reduction would be a greater benefit.
An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data? Select an answer: A. Data retention, backup and recovery B. Return or destruction of information C. Network and intrusion detection D. A patch management process
You answered C. The correct answer is B. A. Data retention, backup and recovery are important controls; however, they do not guarantee data privacy. B. When reviewing a third-party agreement, the most important consideration with regard to the privacy of the data is the clause concerning the return or secure destruction of information at the end of the contract. C. Network and intrusion detection are helpful when securing the data, but on their own they do not guarantee the privacy of data stored at a third-party provider. D. A patch management process helps secure servers and may help prevent unauthorized disclosure of data; however, it does not address the privacy of the data.
A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a: Select an answer: A. directive control. B. corrective control. C. compensating control. D. detective control.
You answered C. The correct answer is B. A. Directive controls, such as IT policies and procedures, would not apply in this case because this is an automated control. B. Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions, when they are detected. This provides a mechanism to detect when malicious events have happened and correct the situation. C. A compensating control is used where other controls are not sufficient to protect the system. In this case, the corrective control in place will effectively protect the system from access via an unpatched device. D. Detective controls exist to detect and report when errors, omissions and unauthorized uses or entries occur.
Which of the following preventive controls BEST helps secure a web application? Select an answer: A. Password masking B. Developer training C. Encryption D. Vulnerability testing
You answered C. The correct answer is B. A. Password masking is a necessary preventive control but is not the best way to secure an application. B. Of the given choices, teaching developers to write secure code is the best way to secure a web application. C. Encryption will protect data but is not sufficient to secure an application because other flaws in coding could compromise the application and data. Ensuring that applications are designed in a secure way is the best way to secure an application. This is accomplished by ensuring that developers are adequately educated on secure coding practices. D. Vulnerability testing can help to ensure the security of web applications; however, the best preventive control is developer education because building secure applications from the start is more effective.
An organization is reviewing its contract with a cloud computing provider. For which of the following reasons would the organization want to remove a lock-in clause from the contract? Select an answer: A. Availability B. Portability C. Agility D. Scalability
You answered C. The correct answer is B. A. Removing the customer lock-in clause will not secure availability of the system resources stored in a cloud computing environment. B. When drawing up a contract with a cloud service provider, the ideal practice is to remove the customer lock-in clause. It may be important for the client to secure portability of their system assets (i.e., the right to transfer from one vendor to another). C. Agility refers to efficiency of solutions enabling organizations to respond to business needs faster. This is a desirable quality of cloud computing. D. Scalability is the strength of cloud computing through the ability to adjust service levels according to changing business circumstances. Therefore, this is not the best option.
Which of the following ways is the BEST for an IS auditor to verify that critical production servers are running the latest security updates released by the vendor? Select an answer: A. Ensure that automatic updates are enabled on critical production servers. B. Verify manually that the patches are applied on a sample of production servers. C. Review the change management log for critical production servers. D. Run an automated tool to verify the security patches on production servers.
You answered C. The correct answer is D. A. Ensuring that automatic updates are enabled on production servers may be a valid way to manage the patching process; however, this would not provide assurance that all servers are being patched appropriately. B. Verifying patches manually on a sample of production servers will be less effective than automated testing and introduces a significant audit risk. Manual testing is also difficult and time consuming. C. The change management log may not be updated on time and may not accurately reflect the patch update status on servers. A better testing strategy is to test the server for patches, rather than examining the change management log. D. An automated tool can immediately provide a report on which patches have been applied and which are missing.
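As an added illustration of option D (this is example code written for this page, not an ISACA tool or any vendor's scanner), the script below does what the explanation describes: it takes the package versions reported by each server, compares them against the minimum fixed versions named in an advisory, and produces a per-server report of what is missing. The inventory and advisory are constructed sample data; a real run would read them from the patch-scanning agent and the vendor bulletin.

```python
"""Automated patch-status check across a server inventory.

Added example: compares the package versions reported by each server
against the minimum versions named in a vendor advisory and reports every
server/package pair that is behind. The inventory and advisory below are
constructed sample data, not real output.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed advisory: package -> minimum fixed version (hypothetical values)
ADVISORY_MIN_VERSIONS = {
    "openssl": "3.0.13",
    "httpd": "2.4.58",
    "kernel": "5.15.150",
}

# Constructed inventory, in the shape a patch-scanning agent might report
INVENTORY = {
    "web01": {"openssl": "3.0.13", "httpd": "2.4.58", "kernel": "5.15.150"},
    "web02": {"openssl": "3.0.9", "httpd": "2.4.58", "kernel": "5.15.150"},
    "db01":  {"openssl": "3.0.13", "kernel": "5.15.99"},    # httpd not installed
    "app01": {"openssl": "3.0.13", "httpd": "2.4.7", "kernel": "5.15.150"},
}

@dataclass(frozen=True)
class Finding:
    server: str
    package: str
    installed: str
    required: str

def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted version into integers so that 2.4.58 > 2.4.7.
    String comparison would get this wrong; non-numeric suffixes
    such as '-generic' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_patched(installed: str, required: str) -> bool:
    return parse_version(installed) >= parse_version(required)

def missing_patches(inventory, advisory) -> list[Finding]:
    """Every server/package pair whose installed version is older than the
    advisory minimum. Packages absent from a server are skipped: a package
    that is not installed does not need its patch."""
    findings = []
    for server, packages in sorted(inventory.items()):
        for pkg, required in advisory.items():
            installed = packages.get(pkg)
            if installed is None:
                continue
            if not is_patched(installed, required):
                findings.append(Finding(server, pkg, installed, required))
    return findings

def compliance_report(inventory, advisory) -> dict[str, bool]:
    """Map each server to True when it is fully patched per the advisory."""
    behind = {f.server for f in missing_patches(inventory, advisory)}
    return {server: server not in behind for server in inventory}

if __name__ == "__main__":
    for f in missing_patches(INVENTORY, ADVISORY_MIN_VERSIONS):
        print(f"{f.server}: {f.package} {f.installed} < required {f.required}")
    print(compliance_report(INVENTORY, ADVISORY_MIN_VERSIONS))
```

The point the explanation makes about option C shows up here: the report is derived from what each server actually has installed, not from a change log, so a patch that was logged but never applied (or applied but never logged) is caught either way.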
Assignment of process ownership is essential in system development projects because it: Select an answer: A. enables the tracking of the development completion percentage. B. optimizes the design cost of user acceptance test (UAT) cases. C. minimizes the gaps between requirements and functionalities. D. ensures that system design is based on business needs.
You answered C. The correct answer is D. A. Process ownership assignment does not have a feature to track the completion percentage of deliverables. B. Whether the design cost of test cases will be optimized is not determined from the assignment of process ownership. It may help to some extent; however, there are many other factors involved in the design of test cases. C. For gap minimization, a specific requirements analysis framework should be in place and then applied; however, a gap may be found between the design and the as-built system that could lead to system functionality not meeting requirements. This will be identified during user acceptance testing (UAT). Process ownership alone does not have the capability to minimize requirement gaps. D. The involvement of process owners will ensure that the system will be designed according to the needs of the business processes that depend on system functionality. A sign-off on the design by the process owners is crucial before development begins.
Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process? Select an answer: A. The maturity of the project management process B. The regulatory environment C. Past audit findings D. The IT project portfolio analysis
You answered C. The correct answer is D. A. The maturity of the project management process is more important with respect to managing the day-to-day operations of IT versus performing strategic planning. B. Regulatory requirements may drive investment in certain technologies and initiatives; however, having to meet regulatory requirements is not typically the main focus of the IT and business strategy. C. Past audit findings may drive investment in certain technologies and initiatives; however, having to remediate past audit findings is not the main focus of the IT and business strategy. D. Portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the IT portfolio would provide comparative information on planned initiatives, projects and ongoing IT services, which allows the IT strategy to be aligned with the business strategy.
Which of the following choices BEST ensures the effectiveness of controls related to interest calculation inside an accounting system? Select an answer: A. Re-performance B. Process walk-through C. Observation D. Documentation review
You answered D. The correct answer is A. A. To ensure the effectiveness of controls, it is most effective to conduct re-performance. When the same result is obtained after the performance by an independent person, this provides the strongest assurance. B. Process walk-through may help the auditor to understand the controls better; however, it may not be as useful as conducting re-performance for a sample of transactions. C. Observation is a valid audit method to verify that operators are using the system appropriately; however, conducting re-performance is a better method. D. Documentation review may be of some value for understanding the control environment; however, conducting re-performance is a better method.
While reviewing a quality management system (QMS) the IS auditor should PRIMARILY focus on collecting evidence to show that: Select an answer: A. quality management systems (QMSs) comply with good practices. B. continuous improvement targets are being monitored. C. standard operating procedures of IT are updated annually. D. key performance indicators (KPIs) are defined.
You answered D. The correct answer is B. A. Generally, good practices are adopted according to business requirements, and therefore, conforming to good practices may or may not be a requirement of the business. B. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS). C. Updating operating procedures is part of implementing the QMS; however, it must be part of change management and not an annual activity. D. Key performance indicators (KPIs) may be defined in a QMS, but they are of little value if they are not being monitored.
Which of the following choices BEST helps information owners to properly classify data? Select an answer: A. Understanding of technical controls that protect data B. Training on organizational policies and standards C. Use of an automated data leak prevention (DLP) tool D. Understanding which people need to access the data
You answered D. The correct answer is B. A. While understanding how the data are protected is important, these controls might not be applied properly if the data classification schema is not well understood. B. While implementing data classification, it is most essential that organizational policies and standards, including the data classification schema, are understood by the owner or custodian of the data so they can be properly classified. C. While an automated data leak prevention (DLP) tool may enhance productivity, the users of the application would still need to understand what classification schema was in place. D. In terms of protecting the data, the data requirements of end users are critical, but if the data owner does not understand what data classification schema is in place, it would be likely that inappropriate access to sensitive data might be granted by the data owner.
An IS auditor has been asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed? Select an answer: A. Require the vendor to provide monthly status reports. B. Have periodic meetings with the client IT manager. C. Conduct periodic audit reviews of the vendor. D. Require that performance parameters be stated within the contract.
You answered D. The correct answer is C. A. Although providing monthly status reports may show that the vendor is meeting contract terms, without independent verification these data may not be reliable. B. Having periodic meetings with the client IT manager will assist with understanding the current relationship with the vendor, but meetings may not include vendor audit reports, status reports and other information that a periodic audit review would take into consideration. C. Conducting periodic reviews of the vendor will ensure that the agreements within the contract are completed in a satisfactory manner. Without future audit reviews after the contract is signed, service level agreements (SLAs) as well as the client's requirements for security controls may become less of a focus for the vendor and the results may slip. Periodic audit reviews allow the client to take a look at the vendor's current state to ensure that the vendor is one with whom they wish to continue to work. D. Requiring that performance parameters be stated within the contract is important, but only if periodic reviews are performed to determine that performance parameters are met.
A small company cannot segregate duties between its development processes and its change control function. What is the BEST way to ensure that the tested code that is moved into production is the same? Select an answer: A. Release management software B. Manual code comparison C. Regression testing in preproduction D. Management approval of changes
You are correct, the answer is A. A. Automated release management software can prevent unauthorized changes by moving code into production without any manual intervention. B. Manual code comparison can detect whether the wrong code has been moved into production; however, code comparison does not prevent the code from being migrated and is not as good a control as using release management software. In addition, manual code comparison is not always efficient and requires highly skilled personnel. C. Regression testing ensures that changes do not break the current system functionality or unwittingly overwrite previous changes. Regression testing does not prevent untested code from moving into production. D. Although management should approve every change to production, approvals do not prevent untested code from being migrated into the production environment.
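The explanation contrasts release management software (which moves the tested artifact without manual intervention) with manual code comparison (which only detects a mismatch after the fact). The added example below, written for this page rather than taken from any release tool, shows the comparison step that both approaches depend on: a hash manifest taken from the tested build, checked against the production tree, reporting files that were modified, are missing, or appear only in production. The two directory trees are constructed in a temporary directory so the script runs stand-alone.

```python
"""Verify that the code in production is byte-for-byte the code that was tested.

Added example, not from the question bank: a SHA-256 manifest is taken from the
tested build, and the production tree is checked against it. Any file that
differs, is missing, or appears only in production is reported. The sample
trees are constructed in a temporary directory.
"""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_to_manifest(manifest: dict[str, str], deployed: Path) -> dict[str, list[str]]:
    """Compare a deployed tree against the manifest of the tested build."""
    actual = build_manifest(deployed)
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }

def deployment_matches(manifest: dict[str, str], deployed: Path) -> bool:
    """True only when no file differs, is missing, or is unexpected."""
    return not any(compare_to_manifest(manifest, deployed).values())

def make_sample_trees() -> tuple[Path, Path]:
    """Constructed sample: production differs from the tested build in two ways."""
    base = Path(tempfile.mkdtemp(prefix="release-check-"))
    tested, prod = base / "tested", base / "prod"
    for root in (tested, prod):
        (root / "lib").mkdir(parents=True)
        (root / "app.py").write_text("print('release 1.4')\n")
        (root / "lib" / "util.py").write_text("def f(): return 1\n")
    # Production drift: util.py edited by hand, and an extra script left behind
    (prod / "lib" / "util.py").write_text("def f(): return 2\n")
    (prod / "hotfix.sh").write_text("#!/bin/sh\necho patched\n")
    return tested, prod

if __name__ == "__main__":
    tested, prod = make_sample_trees()
    manifest = build_manifest(tested)
    print(compare_to_manifest(manifest, prod))
    print("match:", deployment_matches(manifest, prod))
```

Used by a release pipeline, the manifest is produced at the end of testing and the comparison runs after promotion, so an artifact that was altered between the two steps fails the gate; used by hand, the same comparison is the detective check that option B describes.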
A company determined that its web site was compromised and a rootkit was installed on the server hosting the application. Which of the following choices would have MOST likely prevented the incident? Select an answer: A. A host-based intrusion prevention system (IPS) B. A network-based intrusion detection system (IDS) C. A firewall D. Operating system (OS) patching
You are correct, the answer is A. A. A host-based intrusion prevention system (IPS) prevents unauthorized changes to the host. If a malware attack attempted to install a rootkit, the IPS would refuse to permit the installation without the consent of an administrator. B. A network-based intrusion detection system (IDS) relies on attack signatures based on known exploits and attack patterns. If the IDS is not kept up to date with the latest signatures, or the attacker is able to create or gain access to an exploit unknown to the IDS, it will go undetected. A web server exploit performed through the web application itself, such as a structured query language (SQL) injection attack, would not appear to be an attack to the network-based IDS. C. A firewall by itself does not protect a web server because the ports required for users to access the web server must be open in the firewall. Web server attacks are typically performed over the same ports that are open for normal web traffic. Therefore, a firewall does not protect the web server. D. Operating system (OS) patching will make exploitation of the server more difficult for the attacker and less likely. However, attacks on the web application and server OS may succeed based on issues unrelated to any unpatched server vulnerabilities, and the host-based IPS should detect any attempts to change files on the server, regardless of how access was obtained.
When performing a review of a business process reengineering (BPR) effort, which of the following choices would be the PRIMARY concern? Select an answer: A. Controls are eliminated as part of the BPR effort. B. Resources are not adequate to support the BPR process. C. The audit department is not involved in the BPR effort. D. The BPR effort includes employees with limited knowledge of the process area.
You are correct, the answer is A. A. A primary risk of business process reengineering (BPR) is that controls are eliminated as part of the reengineering effort. This would be the primary concern. B. The BPR process can be a resource-intensive initiative; however, the more important issue is whether critical controls are eliminated as a result of the BPR effort. C. While BPR efforts often involve many different business functions, it would not be a significant concern if audit were not involved, and, in most cases, it would not be appropriate for audit to be involved in such an effort. D. A recommended good practice for BPR is to include individuals from all parts of the enterprise, even those with limited knowledge of the process area. Therefore, this would not be a concern.
Which of the following controls would be MOST effective to reduce the risk of loss due to fraudulent online payment requests? Select an answer: A. Transaction monitoring B. Protecting web sessions using Secure Sockets Layer (SSL) C. Enforcing password complexity for authentication D. Input validation checks on web forms
You are correct, the answer is A. A. An electronic payment system could be the target of fraudulent activities. An unauthorized user could potentially enter false transactions. By monitoring transactions, the payment processor could identify potentially fraudulent transactions based on the typical usage patterns, monetary amounts, physical location of purchases, and other data that are part of the transaction process. B. Using Secure Sockets Layer (SSL) would help to ensure the secure transmission of data to and from the user's web browser and help to ensure that the end user has reached the correct web site, but this would not prevent fraudulent transactions. C. Online transactions are not necessarily protected by passwords; for example, credit card transactions are not necessarily protected. The use of strong authentication would help to protect users of the system from fraud by attackers guessing passwords, but transaction monitoring would be the better control. D. Input validation checks on web forms are important to ensure that attackers do not compromise the web site, but transaction monitoring would be the best control.
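The explanation for option A lists the signals a transaction monitor uses: usage patterns, monetary amounts and physical location. The following is an added example (written for this page, not drawn from any payment processor's system) of a rule-based monitor that scores each incoming payment request against the account's history on exactly those three signals. The thresholds and all transactions are constructed sample values; a production system would tune the thresholds per portfolio and typically add a scoring model on top.

```python
"""Rule-based transaction monitoring for an online payment flow.

Added example, not from the question bank. Each incoming request is checked
against the account's usual behaviour: amount far above the account's
baseline, a purchase from a country the account has not used before, and a
burst of payment requests in a short window. All data are constructed.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: float
    country: str
    at: datetime

# Constructed history establishing each account's normal pattern
HISTORY = [
    Txn("h1", "acct-1", 40.0, "US", datetime(2024, 3, 1, 9, 0)),
    Txn("h2", "acct-1", 55.0, "US", datetime(2024, 3, 2, 12, 30)),
    Txn("h3", "acct-1", 35.0, "US", datetime(2024, 3, 3, 18, 45)),
    Txn("h4", "acct-2", 800.0, "DE", datetime(2024, 3, 1, 10, 0)),
    Txn("h5", "acct-2", 950.0, "DE", datetime(2024, 3, 5, 11, 0)),
]

# Constructed new payment requests to be screened
INCOMING = [
    Txn("t1", "acct-1", 48.0, "US", datetime(2024, 3, 10, 9, 30)),     # normal
    Txn("t2", "acct-1", 1200.0, "BR", datetime(2024, 3, 10, 10, 5)),   # amount + country
    Txn("t3", "acct-1", 20.0, "US", datetime(2024, 3, 10, 10, 6)),
    Txn("t4", "acct-1", 25.0, "US", datetime(2024, 3, 10, 10, 7)),
    Txn("t5", "acct-1", 30.0, "US", datetime(2024, 3, 10, 10, 8)),     # fourth request in 10 min
    Txn("t6", "acct-2", 900.0, "DE", datetime(2024, 3, 10, 15, 0)),    # normal
]

AMOUNT_MULTIPLIER = 3.0                   # flag when amount > 3x the account's mean
VELOCITY_LIMIT = 3                        # more than 3 requests ...
VELOCITY_WINDOW = timedelta(minutes=10)   # ... within 10 minutes

def build_profiles(history):
    """Per-account baseline: (mean amount, set of countries seen)."""
    amounts, countries = defaultdict(list), defaultdict(set)
    for t in history:
        amounts[t.account].append(t.amount)
        countries[t.account].add(t.country)
    return {a: (mean(v), countries[a]) for a, v in amounts.items()}

def screen(incoming, history):
    """Return {txn_id: [reasons]} for every incoming transaction that trips a rule.
    Requests are processed in time order so velocity counts include earlier
    incoming requests, not just the history."""
    profiles = build_profiles(history)
    recent = defaultdict(list)            # account -> timestamps inside the window
    flagged = {}
    for t in sorted(incoming, key=lambda x: x.at):
        reasons = []
        base_mean, seen_countries = profiles.get(t.account, (None, set()))
        if base_mean is not None and t.amount > AMOUNT_MULTIPLIER * base_mean:
            reasons.append(f"amount {t.amount:.2f} exceeds {AMOUNT_MULTIPLIER}x baseline {base_mean:.2f}")
        if t.country not in seen_countries:
            reasons.append(f"first purchase from {t.country}")
        window = [ts for ts in recent[t.account] if t.at - ts <= VELOCITY_WINDOW]
        window.append(t.at)
        recent[t.account] = window
        if len(window) > VELOCITY_LIMIT:
            reasons.append(f"{len(window)} requests within {VELOCITY_WINDOW}")
        if reasons:
            flagged[t.txn_id] = reasons
    return flagged

if __name__ == "__main__":
    for txn_id, reasons in screen(INCOMING, HISTORY).items():
        print(txn_id, "->", "; ".join(reasons))
```

An account with no history is treated as unknown territory (every country is "first"), which is deliberate: new accounts are where fraudulent requests most often appear, and a monitor that stays silent for lack of a baseline would miss them.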
Which of the following groups would create MOST concern to an IS auditor if they have direct full access to the production database? Select an answer: A. Application testers B. System administrators C. The database owner D. The data recovery team
You are correct, the answer is A. A. Application testers should be restricted to the nonproduction environment and, if they have full access to the production database, the confidentiality and integrity of data become questionable. B. System administrators may require full production access to conduct their administration duties; however, they should be monitored for unauthorized activity. C. Database owners can have full access to the production database because they are owners and accountable for the database. D. The data recovery team will need full access to make sure the complete database is recoverable.
A vendor has released several critical security patches over the past few months and this has put a strain on the ability of the administrators to keep the patches tested and deployed in a timely manner. The administrators have asked if they could reduce the testing of the patches. What approach should the organization take? Select an answer: A. Continue the current process of testing and applying patches. B. Reduce testing and ensure that an adequate backout plan is in place. C. Delay patching until resources for testing are available. D. Rely on the vendor's testing of the patches.
You are correct, the answer is A. A. Applying security software patches promptly is critical to maintain the security of the servers; further, testing the patches is important because the patches may affect other systems and business operations. Because the vendor has recently released several critical patches in a short time, it can be hoped that this is a temporary problem and does not need a revision to policy or procedures. B. Reduced testing increases the risk of business operation disruption due to a faulty or incompatible patch. While a backout plan does help mitigate this risk, a thorough testing up front would be the more appropriate option. C. Applying security software patches promptly is critical to maintain the security of the servers. Delaying patching would increase the risk of a security breach due to system vulnerability. D. The testing done by the vendor may not be applicable to the systems and environment of the organization that needs to deploy the patches.
Which of the following choices BEST ensures accountability when updating data directly in a production database? Select an answer: A. Before and after screen images B. Approved implementation plans C. Approved validation plan D. Data file security
You are correct, the answer is A. A. Creating before and after images is the best way to ensure that the appropriate data have been updated in a direct data change. The screen shots would include the data prior to and after the change. B. Having approved implementation plans would verify that the change was approved to be implemented but will not ensure that the appropriate change was made. C. Having an approved validation plan will ensure that the data change had a validation plan designed prior to the data change but will not ensure that the data change was appropriate and correct. D. Data file security would only ensure that the user making the data change was appropriate. It would not ensure that the data change was correct.
During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of segregation of duties within an IT department? Select an answer: A. Discuss it with the IT managers. B. Review the job descriptions of the IT functions. C. Research past IS audit reports. D. Evaluate the organizational structure.
You are correct, the answer is A. A. Discussing the implementation of segregation of duties with the IT managers is the best way to determine how responsibilities are assigned within the department. B. Job descriptions may not be the best source of information because they could be outdated or what is documented in the job descriptions may be different from what is actually performed. C. Past IS audit reports are not the best source of information because they may not accurately describe how IT responsibilities are assigned. D. Evaluating the organizational structure may give a limited view on the allocation of IT responsibilities. The responsibilities also may have changed over time.
Which of the following stakeholders is the MOST important in terms of developing a business continuity plan (BCP)? Select an answer: A. Process owners B. Application owners C. The board of directors D. IT management
You are correct, the answer is A. A. Process owners are essential in identifying the critical business functions, recovery times and resources needed. B. A business continuity plan (BCP) is concerned with the continuity of business processes, while applications may or may not support critical business processes. C. The board of directors might approve the plan, but they are typically not involved in the details of developing the BCP. D. IT management will identify the IT resources, servers and infrastructure needed to support the critical business functions as defined by the business process owners.
An IS auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel? Select an answer: A. Production access is granted to the individual support ID when needed. B. Developers use a firefighter ID to promote code to production. C. A dedicated user promotes emergency changes to production. D. Emergency changes are authorized prior to promotion.
You are correct, the answer is A. A. Production access should be controlled and monitored to ensure segregation of duties. During an emergency change, a user who normally does not have access to production may require access. The best process to ensure accountability within the production system is to have the information security team create a production support group and add the user ID to that group to promote the change. When the change is complete the ID can be removed from the group. This process ensures that activity in production is linked to the specific ID that was used to make the change. B. Some organizations may use a firefighter ID, which is a generic/shared ID, to promote changes to production. When needed, the developer can use this ID to access production. It may still be difficult to determine who made the change; therefore, although this process is commonly used, the use of a production support ID is a better choice. C. Having a dedicated user who promotes changes to production in an emergency is ideal but is generally not cost-effective and may not be realistic for emergency changes. D. Emergency changes are, by definition, unauthorized changes. Approvals usually are obtained following promotion of the change to production. All changes should be auditable, and that can best be accomplished by having a user ID added to or removed from the production support group as needed.
Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production? Select an answer: A. Provide and monitor separate login IDs that the developer will use for programming and for production support. B. Capture activities of the developer in the production environment by enabling audit trails. C. Back up all affected records before allowing the developer to make production changes. D. Ensure that all changes are approved by the change manager.
You are correct, the answer is A. A. Providing separate login IDs that would only allow a developer privileged access when required is a good compensating control, but it must also be backed up with monitoring and supervision of the activity of the developer. B. While capturing activities of the developer via audit trails or logs would be a good practice, the control would not be effective unless these audit trails are reviewed on a periodic basis. C. Creating a backup of affected records before making the change would allow for rollback in case of an error, but would not prevent or detect unauthorized changes. D. Even though changes are approved by the change manager, a developer with full access can easily circumvent this control.
Which of the following factors should an IS auditor PRIMARILY focus on when determining the appropriate level of protection for an information asset? Select an answer: A. Results of a risk assessment B. Relative value to the business C. Results of a vulnerability assessment D. Cost of security controls
You are correct, the answer is A. A. The appropriate level of protection for an asset is determined based on the risk associated with the asset. The results of the risk assessment are, therefore, the primary information that the IS auditor should review. B. The relative value of an asset to the business is one element considered in the risk assessment; this alone does not determine the level of protection required. C. The results of a vulnerability assessment would be useful when creating the risk assessment; however, this would not be the primary focus. D. The cost of security controls is not a primary factor to consider because the expenditures on these controls are determined by the value of the information assets being protected.
The PRIMARY benefit of an enterprise architecture (EA) initiative would be to: Select an answer: A. enable the organization to invest in the most appropriate technology. B. ensure that security controls are implemented on critical platforms. C. allow development teams to be more responsive to business requirements. D. provide business units with greater autonomy to select IT solutions that fit their needs.
You are correct, the answer is A. A. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective. B. Ensuring that security controls are implemented on critical platforms is important, but this is not the function of the EA. The EA may be concerned with the design of security controls; however, the EA would not help to ensure that they were implemented. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. C. While the EA process may enable development teams to be more efficient, because they are creating solutions based on standard platforms using standard programming languages and methods, the more critical benefit of the EA is to provide guidance for IT investments of all types, which encompasses much more than software development. D. A primary focus of the EA is to define standard platforms, databases and interfaces. Business units that invest in technology would need to select IT solutions that meet their business needs and are compatible with the EA of the enterprise. There may be instances when a proposed solution works better for a business unit but is not at all consistent with the EA of the enterprise, so there would be a need to compromise to ensure that the application can be supported by IT. Overall, the EA would restrict the ability of business units in terms of the potential IT systems that they may wish to implement. The support requirements would not be affected in this case.
What is the PRIMARY consideration for an IS auditor while reviewing the prioritization and coordination of IT projects and program management? Select an answer: A. Projects are aligned with the organization's strategy. B. Identified project risk is monitored and mitigated. C. Controls related to project planning and budgeting are appropriate. D. IT project metrics are reported accurately.
You are correct, the answer is A. A. The primary goal of IT projects is to add value to the business, so they must be aligned with the business strategy to achieve the intended results. Therefore, the IS auditor should first focus on ensuring this alignment. B. An adequate process for monitoring and mitigating identified project risk is important; however, strategic alignment helps in assessing identified risk in business terms. C. Completion of projects within a predefined time and budget is important; however, the focus of project management should be on achieving the desired outcome of the project, which is aligned with the business strategy. D. Adequate reporting of project status is important but may or may not help in providing the strategic perspective of project deliverables.
The PRIMARY objective of the audit initiation meeting with an IS audit client is to: Select an answer: A. discuss the scope of the audit. B. identify resource requirements of the audit. C. select the methodology of the audit. D. review requested evidence provided by the audit client.
You are correct, the answer is A. A. The primary objective of the initiation meeting with an audit client is to help define the scope of the audit. B. Determining the resource requirements of the IS audit is typically done by IS audit management during the early planning phase of the project rather than at the initiation meeting. C. Selecting the methodology of the audit is not normally an objective of the initiation meeting. D. For most audits, the audit evidence would be provided during the course of the engagement, and would not normally be reviewed at the initiation meeting.
Which of the following inputs would PRIMARILY help in designing the data backup strategy in case of potential natural disasters? Select an answer: A. Recovery point objective (RPO) B. Volume of data to be backed up C. Data backup technologies D. Recovery time objective (RTO)
You are correct, the answer is A. A. The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in the case of interruption. Based on this, one can design the data backup strategy for potential disasters using various technologies. B. While the amount of data to be stored is critical in terms of planning for adequate capacity, the speed of recovery required by the business is the more important factor. C. While a solid understanding of the capabilities of all types of advanced data backup technologies is necessary, without the knowledge of the RPO one cannot design a backup strategy using these technologies. D. The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. This will help in designing disaster site options, but not the data backup strategy in the case of impacting disasters.
An IS auditor performing an audit of the newly installed Voice-over Internet Protocol (VoIP) system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern? Select an answer: A. The local area network (LAN) switches are not connected to uninterruptible power supply (UPS) units. B. Network cabling is disorganized and not properly labeled. C. The telephones are using the same cable used for LAN connections. D. The wiring closet also contains power lines and breaker panels.
You are correct, the answer is A. A. Voice-over Internet Protocol (VoIP) telephone systems use standard network cabling and typically each telephone gets power over the network cable (power over Ethernet [POE]) from the wiring closet where the network switch is installed. If the local area network (LAN) switches do not have backup power, the phones will lose power if there is a utility interruption and potentially not be able to make emergency calls. B. While improper cabling can create reliability issues, the more critical issue in this case would be the lack of power protection. C. An advantage of VoIP telephone systems is that they use the same cable types and even network switches as standard PC network connections. Therefore, this would not be a concern. D. As long as the power and telephone equipment are separated, this would not be a significant risk.
Which of the following factors is the MOST critical when evaluating the effectiveness of an IT governance implementation? Select an answer: A. Ensure that assurance objectives are defined. B. Determine stakeholder requirements and involvement. C. Identify the relevant risk and related opportunities. D. Determine the relevant enablers and their applicability.
You are correct, the answer is B. A. The stakeholder's needs and their involvement form the basis for scoping the IT governance implementation. This will be used to define assurance objectives. B. The most critical factor to be considered in auditing an IT governance implementation is to determine stakeholder requirements and involvement. This will drive the success of the project. Based on this, the assurance scope and objectives would be determined. C. The relevant risk and related opportunities are identified and driven by the assurance objectives. D. The relevant enablers and their applicability for the IT governance implementation would be considered based on assurance objectives.
An IS auditor reviewing a network log discovers that an employee ran elevated commands on his/her PC by invoking the task scheduler to launch restricted applications. This is an example of what type of attack? Select an answer: A. A race condition B. A privilege escalation C. A buffer overflow D. An impersonation
You are correct, the answer is B. A. A race condition exploit involves the timing of two events and an action that causes one event to happen later than expected. The scenario given is not an example of a race condition exploit. B. A privilege escalation is a type of attack where higher-level system authority is obtained by various methods. In this example, the task scheduler service runs with administrator permissions, and a security flaw allows programs launched by the scheduler to run at the same permission level. C. Buffer overflows involve applications or actions that take advantage of a defect in the way an application or system uses memory. By overloading the memory storage mechanism, the system will perform in unexpected ways. The scenario given is not an example of a buffer overflow exploit. D. Impersonation attacks involve an error in the identification of a privileged user. The scenario given is not an example of this exploit.
An IS auditor is performing a postimplementation review of an organization's system and identifies output errors within an accounting application. The IS auditor determined this was caused by input errors. Which of the following controls should the IS auditor recommend to management? Select an answer: A. Recalculations B. Limit checks C. Run-to-run totals D. Reconciliations
You are correct, the answer is B. A. A sample of transactions may be recalculated manually to ensure that processing is accomplishing the anticipated task. Recalculations are performed after the output phase. B. Processing controls should be implemented as close as possible to the point of data entry. Limit checks are one type of input validation check that provides a preventive control to ensure that invalid data cannot be entered because values must fall within a predetermined limit. C. Run-to-run totals provide the ability to verify data values through the stages of application processing. Run-to-run total verification ensures that data read into the computer were accepted and then applied to the updating process. Run-to-run totals are performed after the output phase. D. Reconciliation of file totals should be performed on a routine basis. Reconciliations may be performed through the use of a manually maintained account, a file control record or an independent control file. Reconciliations are performed after the output phase.
Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment? Select an answer: A. To conduct a feasibility study to demonstrate IT value B. To ensure that investments are made according to business requirements C. To ensure that proper security controls are enforced D. To ensure that a standard development methodology is implemented
You are correct, the answer is B. A. A steering committee may use a feasibility study in its reviews; however, it is not responsible for performing/conducting the study. B. A steering committee consists of representatives from the business and IT and ensures that IT investment is based on business objectives rather than on IT priorities. C. The steering committee is not responsible for enforcing security controls. D. The steering committee is not responsible for implementing development methodologies.
An IS auditor is reviewing the most recent disaster recovery plan (DRP) of an organization. Which approval is the MOST important when determining the availability of system resources required for the plan? Select an answer: A. Executive management B. IT management C. Board of directors D. Steering committee
You are correct, the answer is B. A. Although executive management's approval is essential, the IT department is responsible for managing system resources and their availability as related to disaster recovery (DR). B. Because a disaster recovery plan (DRP) is based on the recovery and provisioning of IT services, IT management's approval would be most important to verify that the system resources will be available in the event that a disaster event is triggered. C. The board of directors may review and approve the DRP, but the IT department is responsible for managing system resources and their availability as related to DR. D. The steering committee would determine the requirements for disaster recovery (recovery time objective [RTO] and recovery point objective [RPO]); however, the IT department is responsible for managing system resources and their availability as related to DR.
Code erroneously excluded from a production release was subsequently moved into the production environment, bypassing normal change procedures. Which of the following choices is of MOST concern to the IS auditor performing a postimplementation review? Select an answer: A. The code was missed during the initial implementation. B. The change did not have management approval. C. The error was discovered during the postimplementation review. D. The release team used the same change order number.
You are correct, the answer is B. A. Although missing a component of a release is indicative of a process deficiency, it is of more concern that the missed change was promoted into the production environment without management approval. B. Management approval of changes mitigates the risk of unauthorized changes being introduced to the production environment. Unauthorized changes might result in disruption of systems or fraud. It is, therefore, imperative to ensure that each change has appropriate management approval. C. Most release/change control errors are discovered during postimplementation review. It is of greater concern that the change was promoted without management approval after it was discovered. D. Using the same change order number is not a relevant concern.
An IS auditor discovers that the disaster recovery plan (DRP) for a company does not include a critical application that is hosted in the cloud. Management's response states that the cloud vendor is responsible for disaster recovery (DR) and DR-related testing. What is the NEXT course of action for the IS auditor to pursue? Select an answer: A. Plan an audit of the cloud vendor. B. Review the vendor contract to determine its DR capabilities. C. Review an independent auditor's report of the cloud vendor. D. Request a copy of the DRP from the cloud vendor.
You are correct, the answer is B. A. Auditing the cloud vendor would be useful; however, this would only be useful if the vendor is contractually required to provide disaster recovery (DR) services. B. DR services can only be expected from the vendor when explicitly listed in the contract with well-defined recovery time objectives (RTOs) and recovery point objectives (RPOs). Without the contractual language, the vendor is not required to provide DR services. C. An independent auditor's report, such as Statements on Standards for Attestation Engagements (SSAE) 16, on DR capabilities can be reviewed to ascertain the vendor's DR capabilities; however, this will only be fruitful if the vendor is contractually required to provide DR services. D. A copy of DR policies can be requested to review their adequacy; however, this will only be useful if the vendor is contractually required to provide DR services.
An IS auditor finds that database administrators (DBAs) have access to the log location on the database server and the ability to purge logs from the system. What is the BEST audit recommendation to ensure that DBA activity is effectively monitored? Select an answer: A. Change permissions to prevent DBAs from purging logs. B. Forward database logs to a centralized log server. C. Require that critical changes to the database are formally approved. D. Back up database logs to tape.
You are correct, the answer is B. A. Changing the database administrator (DBA) permissions to prevent DBAs from purging logs may not be feasible and does not adequately protect the availability and integrity of the database logs. B. To protect the availability and integrity of the database logs, it is most feasible to forward the database logs to a centralized log server to which the DBAs do not have access. C. Requiring that critical changes to the database are formally approved does not adequately protect the availability and integrity of the database logs. D. Backing up database logs to tape does not adequately protect the availability and integrity of the database logs.
Which of the following choices would MOST likely ensure that a disaster recovery (DR) effort is successful? Select an answer: A. The tabletop test was performed. B. Data restoration was completed. C. Recovery procedures are approved. D. Appropriate staff resources are committed.
You are correct, the answer is B. A. Performing a tabletop test is extremely helpful, but does not ensure that the recovery process is working properly. B. The most reliable method to determine whether a backup is valid would be to restore it to a system. A data restore test should be performed at least annually to verify that the process is working properly. C. Approved recovery procedures will not ensure that data can be successfully restored. D. While having appropriate staff resources is appropriate, without data the recovery would not be successful.
Which of the following is the PRIMARY requirement in reporting results of an IS audit? The report is: Select an answer: A. prepared according to a predefined and standard template. B. backed by sufficient and appropriate audit evidence. C. comprehensive in coverage of enterprise processes. D. reviewed and approved by audit management.
You are correct, the answer is B. A. Preparation of the IS audit report according to a predefined and standard template may be useful in ensuring that all key aspects are provided in a uniform structure, but this does not demonstrate that audit findings are based on evidence that can be proven, if required. B. ISACA IS audit standards require that reports should be backed by sufficient and appropriate audit evidence so that they demonstrate the application of the minimum standard of performance and the findings and recommendations can be validated, if required. C. The scope and coverage of IS audit is defined by a risk assessment process, which may not always provide comprehensive coverage of processes of the enterprise. D. While from an operational standpoint an audit report should be reviewed and approved by audit management, the more critical consideration is that all conclusions are backed by sufficient and appropriate audit evidence.
In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional: Select an answer: A. stop-or-go sampling. B. substantive testing. C. compliance testing. D. discovery sampling.
You are correct, the answer is B. A. Stop-or-go sampling is used when an IS auditor believes few errors will be found in the population, and thus would not be the best type of testing to perform in this case. B. Because both the inherent and control risk are high in this case, additional testing would be required. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. C. Compliance testing is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. While performing compliance testing is important, performing additional substantive testing would be more appropriate in this case. D. Discovery sampling is a form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population, typically used to test for fraud or other irregularities. In this case, additional substantive testing would be the better option.
A new application has been purchased from a vendor and is about to be implemented. Which of the following choices is a key consideration when implementing the application? Select an answer: A. Preventing the compromise of the source code during the implementation process B. Ensuring that vendor default accounts and passwords have been disabled C. Removing the old copies of the program from escrow to avoid confusion D. Verifying that the vendor is meeting support and maintenance agreements
You are correct, the answer is B. A. The source code may not even be available to the purchasing organization, and it is the executable or object code that must be protected during implementation. B. Disabling vendor default accounts and passwords is a critical part of implementing a new application. C. Because this is a new application, there should not be any problem with older versions in escrow. D. It is not possible to ensure that the vendor is meeting support and maintenance requirements until the system is operating.
During the requirements definition stage of a proposed enterprise resource planning (ERP) system, the project sponsor requests that the procurement and accounts payable modules be linked. Which of the following test methods would be the BEST to perform? Select an answer: A. Unit testing B. Integration testing C. Sociability testing D. Quality assurance (QA) testing
You are correct, the answer is B. A. Unit testing is a technique that is used to test program logic within a particular program or module and does not specifically address the linkage between software modules. Integration testing is the best answer. B. Integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by design. C. Sociability testing confirms that the new or modified system can operate in its target environment without adversely impacting existing systems, and does not specifically address the linkage between software modules. Integration testing is the best answer. D. Quality assurance (QA) testing is primarily used to ensure that the logic of the application is correct and does not specifically address the linkage between software modules. Integration testing is the best answer.
An IS auditor is reviewing the network infrastructure of a call center and determines that the internal telephone system is based on Voice-over Internet Protocol (VoIP) technology. Which of the following is the GREATEST concern? Select an answer: A. Voice communication uses the same equipment that is used for data communication. B. Ethernet switches are not protected by uninterrupted power supply (UPS) units. C. Voice communication is not encrypted on the local network. D. The team that supports the data network also is responsible for the telephone system.
You are correct, the answer is B. A. Voice-over Internet Protocol (VoIP) telephone systems use the local area network (LAN) infrastructure of a company for communication, which can save on wiring cost and simplify both the installation and support of the telephone system. This use of shared infrastructure is a benefit of VoIP and therefore is not a concern. B. VoIP telephone systems use the LAN infrastructure of a company for communication, typically using Ethernet connectivity to connect individual phones to the system. Most companies have a backup power supply for the main servers and systems, but typically do not have uninterrupted power supply (UPS) units for the LAN switches. In the case of even a brief power outage, not having backup power on all network devices makes it impossible to send or receive phone calls, which is a concern, particularly in a call center. C. VoIP devices do not normally encrypt the voice traffic on the local network, so this is not a concern. Typically, a VoIP phone system connects to a telephone company voice circuit, which would not normally be encrypted. If the system uses the Internet for connectivity, then encryption is required. D. VoIP telephone systems use the LAN infrastructure of a company for communication, so the personnel who support and maintain that infrastructure are now responsible for both the data and voice network by default. Therefore, this would not be a concern.
When preparing a business case to support the need of an electronic data warehouse solution, which of the following choices is the MOST important to assist management in the decision-making process? Select an answer: A. Discuss a single solution. B. Consider security controls. C. Demonstrate feasibility. D. Consult the audit department.
You are correct, the answer is C. A. A business case should discuss all possible solutions to a given problem, which would enable management to select the best option. This may include the option not to undertake the project. B. It may be important to include security considerations in the business case if security is important to the solution and will address the problem; however, the feasibility study is more important and is necessary regardless of the type of problem. C. The business case should demonstrate feasibility for any potential project. By including a feasibility study in the business case along with a cost-benefit analysis, management can make an informed decision. D. While the person preparing the business case may consult with the organization's audit department, this would be situational and is not necessary to include in the business case.
Which technique would BEST test for the existence of dual control when auditing the wire transfer systems of a bank? Select an answer: A. Analysis of transaction logs B. Re-performance C. Observation D. Interviewing personnel
You are correct, the answer is C. A. Analysis of transaction logs would help to show that dual control is in place but does not necessarily guarantee that this process is being followed consistently. Therefore, observation would be the better test technique. B. While re-performance could provide assurance that dual control was in effect, re-performing wire transfers at a bank would not be an option for an IS auditor. C. Dual control requires that two people carry out an operation. The observation technique would help to ascertain whether two individuals do indeed get involved in execution of the operation and an element of oversight exists. It would also be obvious if one individual is masquerading and filling in the role of the second person. D. Interviewing personnel would be useful to determine the level of awareness and understanding of the personnel carrying out the operations. However, it would not provide direct evidence confirming the existence of dual control because the information provided may not accurately reflect the process being performed.
Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would provide the BEST assurance that only authorized users of ABC connect over the Internet for production support to XYZ? Select an answer: A. Single sign-on authentication B. Password complexity requirements C. Two-factor authentication D. Internet protocol (IP) address restrictions
You are correct, the answer is C. A. Single sign-on authentication provides a single access point to system resources. It would not be best in this situation. B. While password complexity requirements would help prevent unauthorized access, two-factor authentication is a more effective control for this scenario. C. Two-factor authentication is the best method to provide a secure connection because it uses two factors, typically "what you have" (for example, a device to generate one-time-passwords), "what you are" (for example, biometric characteristics) or "what you know" (for example, a personal identification number [PIN] or password). Using a password in and of itself without the use of one or more of the other factors mentioned is not the best for this scenario. D. Internet protocol (IP) addresses can always change or be spoofed and, therefore, are not the best form of authentication for the scenario mentioned.
Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is MOST acceptable? Select an answer: A. Test the adequacy of the control design. B. Test the operational effectiveness of controls. C. Focus on auditing high-risk areas. D. Rely on management testing of controls.
You are correct, the answer is C. A. Testing the adequacy of control design is not the best course of action because this does not ensure that controls operate effectively as designed. B. Testing control operating effectiveness will not ensure that the audit plan is focused on areas of greatest risk. C. Reducing the scope and focusing on auditing high-risk areas is the best course of action. D. The reliance on management testing of controls will not provide an objective verification of the control environment.
From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy: Select an answer: A. is cost-effective. B. is future thinking and innovative. C. is aligned with the business strategy. D. has the appropriate priority level assigned.
You are correct, the answer is C. A. The IT strategy should be cost-effective, but it must align with the business strategy for the strategy to be effective. B. The IT strategy should be forward thinking and innovative, but it must align with the business strategy to be effective. C. The board of directors is responsible for ensuring that the IT strategy is aligned with the business strategy. D. The IT strategy should be appropriately prioritized; however, it must align with the business strategy first and then it will be prioritized.
Which of the following is MOST important to determine the recovery point objective (RPO) for a critical process in an enterprise? Select an answer: A. Number of hours of acceptable downtime B. Total cost of recovering critical systems C. Extent of data loss that is acceptable D. Acceptable reduction in the level of service
You are correct, the answer is C. A. The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster. B. The determination of the recovery point objective (RPO) already takes cost into consideration. C. The RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. D. The service delivery objective (SDO) is directly related to the business needs. The SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.
Which of the following considerations is the MOST important while evaluating a business case for the acquisition of a new accounting application? Select an answer: A. Total cost of ownership (TCO) of the application B. The resources required for implementation C. Return on investment (ROI) to the company D. The cost and complexity of security requirements
You are correct, the answer is C. A. Total cost of ownership (TCO) of the application is important to understand the resource and budget requirements in the short and long term; however, decisions should be based on benefits realization from this investment. Therefore, return on investment (ROI) is the most important consideration. B. The resources required for implementation of the application are an important consideration; however, decisions should be based on benefits realization from this investment. Therefore, ROI should be carefully considered. C. The proposed ROI benefits, along with targets or metrics that can be measured, are the most important aspects of a business case. While reviewing the business case, it should be verified that the proposed ROI is achievable, does not make unreasonable assumptions and can be measured for success. (Benefits realization should look beyond project cycles to longer-term cycles that consider the total benefits and total costs throughout the life of the new system.) D. The cost and complexity of security requirements are important considerations, but they need to be weighed against the proposed benefits of the application. Therefore, ROI is more important.
Which of the following choices is the MOST effective control that should be implemented to ensure accountability for application users accessing sensitive data in the human resource management system (HRMS) and among interfacing applications to the HRMS? Select an answer: A. Two-factor authentication B. A digital certificate C. Audit trails D. Single sign-on authentication
You are correct, the answer is C. A. Two-factor authentication would enhance security while logging into the human resource management system (HRMS) application; however, it will not establish accountability for actions taken subsequent to login. B. A digital certificate will also enhance login security to conclusively authenticate users logging into the application. However, it will not establish accountability because user ID and transaction details will not be captured without an audit trail. C. Audit trails capture which user, at what time, and date, along with other details, has performed the transaction and this helps in establishing accountability among application users. D. Single sign-on authentication allows users to log in seamlessly to the application, thus easing the authentication process. However, this would also not establish accountability.
Which of the following choices is MOST important for an IS auditor to understand when auditing an e-commerce environment? Select an answer: A. The technology architecture of the e-commerce environment B. The policies, procedures and practices that form the internal control environment C. The nature and criticality of the business process supported by the application D. Continuous monitoring of control measures for system availability and reliability
You are correct, the answer is C. A. Understanding the technology architecture of the e-commerce environment is important; however, it is vital that the nature and criticality of the business process supported by the e-commerce application are well understood. B. While the policies, procedures and practices that form the internal control environment need to be in alignment with the e-commerce environment, this is not the most important element that the IS auditor needs to understand. C. The e-commerce application enables the execution of business transactions. Therefore, it is important to understand the nature and criticality of the business process supported by the e-commerce application to identify specific controls to review. D. The availability of the e-commerce environment is important, but this is only one of the aspects to be considered with respect to business processes that are supported by the e-commerce application.
A company is planning to install a network-based intrusion detection system (IDS) to protect the web site that it hosts. Where should the device be installed? Select an answer: A. On the local network B. Outside the firewall C. In the demilitarized zone (DMZ) D. On the server that hosts the web site
You are correct, the answer is C. A. While an intrusion detection system (IDS) can be installed on the local network to ensure that systems are not subject to internal attacks, a company's public web server would not normally be installed on the local network, but rather in the demilitarized zone (DMZ). B. It is not unusual to place a network IDS outside of the firewall just to watch the traffic that is reaching the firewall, but this would not be used to specifically protect the web application. C. Network-based IDSs detect attack attempts by monitoring network traffic. A public web server is typically placed on the protected network segment known as the demilitarized zone (DMZ). An IDS installed in the DMZ detects and reports on malicious activity originating from the Internet as well as the internal network, thus allowing the administrator to take action. D. A host-based IDS would be installed on the web server, but a network-based IDS would not.
A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that: Select an answer: A. the security controls of the application may not meet requirements. B. the application may not meet the requirements of the business users. C. the application technology may be inconsistent with the enterprise architecture (EA). D. the application may create unanticipated support issues for IT.
You are correct, the answer is C. A. While security controls should be a requirement for any application, the primary focus of the enterprise architecture (EA) is to ensure that new applications are consistent with enterprise standards. While the use of standard supported technology may be more secure, this is not the primary benefit of the EA. B. When selecting an application, the business requirements as well as the suitability of the application for the IT environment must be considered. If the business units selected their application without IT involvement, they would be more likely to choose a solution that fit their business process the best, with less emphasis on how compatible and supportable the solution would be in the enterprise; therefore, the application failing to meet business user requirements would not be the primary concern. C. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system (OS) that is not part of the EA for the business, this would increase the cost and complexity of the solution and ultimately deliver less value to the business. D. While any new software implementation may create support issues, the primary benefit of the EA is ensuring that the IT solutions deliver value to the business. Decreased support costs may be a benefit of the EA, but the lack of IT involvement in this case would not affect the support requirements.
An internal audit function is reviewing an internally developed common gateway interface (CGI) script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern? Select an answer: A. System unavailability B. Exposure to malware C. Unauthorized access D. System integrity
You are correct, the answer is C. A. While untested common gateway interfaces (CGIs) can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users. B. Untested CGI scripts do not inherently lead to malware exposures. C. Untested CGIs can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers. D. While untested CGIs can cause the end-user web application to be compromised, this is not likely to significantly impact system integrity.
An IS auditor is auditing an IT disaster recovery plan (DRP). The IS auditor should PRIMARILY ensure that the plan covers: Select an answer: A. a resilient IT infrastructure. B. alternate site information. C. documented disaster recovery (DR) test results. D. analysis and prioritization of business functions.
You are correct, the answer is D. A. A resilient IT infrastructure is typically required to minimize interruptions to IT services; however, if a critical business function does not require high availability of IT, this may not be required for all disaster recovery plan (DRP) elements. B. While the selection of an alternate site is important, the more critical issue is the prioritization of resources based on impact and recovery time objectives (RTOs) of business functions. C. Documented DRP test results are helpful when maintaining the DRP; however, the DRP must first and foremost be aligned with business requirements. D. The DRP must primarily focus on recovering critical business functions in the event of disaster within predefined RTOs; thus, it is necessary to align the recovery of IT services based on the criticality of business functions.
The PRIMARY purpose of installing data leak prevention (DLP) software is to control which of the following choices? Select an answer: A. Access privileges to confidential files stored on servers B. Attempts to destroy critical data on the internal network C. Which external systems can access internal resources D. Confidential documents leaving the internal network
You are correct, the answer is D. A. Access privileges to confidential files stored on the server will be controlled through digital rights management (DRM) software. B. Potential attacks to systems on the internal network would normally be controlled through an intrusion detection system (IDS) and intrusion prevention system (IPS) as well as by security controls of the systems themselves. Data leak prevention (DLP) systems focus on data leaving the enterprise. C. Controlling what external systems can access internal resources is the function of a firewall rather than a DLP system. D. A server running a DLP software application uses predefined criteria to check whether any confidential documents or data are leaving the internal network.
A company with a limited budget has a recovery time objective (RTO) of 72 hours and a recovery point objective (RPO) of 24 hours. Which of the following would BEST meet the requirements of the business? Select an answer: A. A hot site B. A cold site C. A mirrored site D. A warm site
You are correct, the answer is D. A. Although a hot site enables the business to meet its recovery point objective (RPO) and recovery time objective (RTO), the cost to maintain a hot site is more than the cost to maintain a warm site, which could also meet the objectives. B. A cold site, although providing basic infrastructure, lacks the required hardware to meet the business objectives. C. A mirrored site provides fully redundant facilities with real-time data replication. It can meet the business objectives, but it is not as cost-effective a solution as a warm site. D. A warm site is the most appropriate solution because it provides basic infrastructure and most of the required IT equipment to affordably meet the business requirements. The remainder of the equipment needed can be provided through vendor agreements within a few days. The RTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. The RPO is determined based on the acceptable data loss in case of a disruption of operations. The RPO indicates the earliest point in time that is acceptable to recover the data, and it effectively quantifies the permissible amount of data loss in case of interruption.
An IS auditor has discovered that a new patch is available for an application, but the IT department has decided that the patch is not needed because other security controls are in place. What should the IS auditor recommend? Select an answer: A. Apply the patch anyway, after it can be tested. B. Implement a host-based intrusion detection system (IDS). C. Implement firewall rules to further protect the application server. D. Assess the overall risk, then decide whether to deploy the patch.
You are correct, the answer is D. A. Applying a patch without first performing a risk assessment could create other issues and, therefore, would not be the best choice. B. Implementing a host-based intrusion detection system (IDS) would be a valid control; however, it may not address the vulnerability in the application. C. Implementing firewall rules may help to mitigate the risk of a security incident; however, the risk related to the patch would first need to be determined. D. While it is important to ensure that systems are properly patched, a risk assessment needs to be performed to determine the likelihood of the vulnerability being exploited. Therefore, the patch would be applied only if the risk of circumventing the existing security controls is great enough to warrant it.
An IS auditor is reviewing an organization to ensure that evidence related to a data breach case is preserved. Which of the following choices would be of MOST concern to the IS auditor? Select an answer: A. End users are not aware of incident reporting procedures. B. Log servers are not on a separate network. C. Backups are not performed consistently. D. There is no chain of custody policy.
You are correct, the answer is D. A. End users should be made aware of incident reporting procedures, but this is not likely to affect data integrity related to the breach. The IS auditor would be more concerned that the organization's policy exists and provides for proper evidence handling. B. Having log servers segregated on a separate network might be a good idea because ensuring the integrity of log server data is important. However, it is more critical to ensure that the chain of custody policy is in place. C. While not having valid backups would be a concern, the more important concern would be a lack of a chain of custody policy. Data breach evidence is not normally retrieved from backups. D. Organizations should have a policy in place that directs employees to follow certain procedures when collecting evidence that may be used in a court of law. Chain of custody involves documentation of how digital evidence is acquired, processed, handled, stored and protected, and who handled the evidence and why. If there is no policy in place, it is unlikely that employees will ensure that the chain of custody is maintained during any data breach investigation.
During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to: Select an answer: A. include a review of the database controls in the scope. B. document for future review. C. work with database administrators to correct the issue. D. report the weaknesses as observed.
You are correct, the answer is D. A. Executing audits and reviews outside the scope is not advisable. In this case, the weakness identified is considered to be a minor issue, and it is sufficient to report the issue and address it at a later time. B. In this case, the weakness identified is considered to be a minor issue. The IS auditor should formally report the weaknesses as an observation rather than documenting it to address during a future audit. C. It is not appropriate for the IS auditor to work with database administrators to correct the issue. D. Any weakness noticed should be reported, even if it is outside the scope of the current audit. Weaknesses identified during the course of an application software review need to be reported to management.
An IS auditor discovers that several IT-based projects were implemented that were not approved by the steering committee. What is the GREATEST concern for the IS auditor? Select an answer: A. IT projects will not be adequately funded. B. IT projects are not following the system development life cycle (SDLC) process. C. IT projects are not consistently formally approved. D. The IT department may not be working toward a common goal.
You are correct, the answer is D. A. Funding for the projects may be addressed through various budgets and may not require steering committee approval. The primary concern would be to ensure that the project is working toward meeting the goals of the company. B. Although requiring steering committee approval may be part of the system development life cycle (SDLC) process, the greater concern would be whether the projects are working toward the corporate goals. Without steering committee approval, it would be difficult to determine whether these projects are following the direction of the corporate goals. C. Although having a formal approval process is important, the greatest concern would be for the steering committee to provide corporate direction for the projects. D. The steering committee provides direction and control over projects to ensure that the company is making appropriate investments. Without approval, the project may or may not be working toward the company's goals.
A batch transaction job failed in production; however, the same job returned no issues during user acceptance testing (UAT). Analysis of the production batch job indicates that it was altered after UAT. Which of the following ways would be the BEST to mitigate this risk in the future? Select an answer: A. Improve regression test cases. B. Activate audit trails for a limited period after release. C. Conduct an application user access review. D. Ensure that developers do not have access to code after testing.
You are correct, the answer is D. A. Improving the quality of the testing would not be applicable in this case because the more important issue is that developers have access to the production environment. B. Activating audit trails or performing additional logging may be useful; however, the more important issue is that developers have access to the production environment. C. Conducting an application user access review would not identify developers' access to code because they would not be included in this review. D. To ensure proper segregation of duties, developers should be restricted to the development environment only. If code needs to be modified after user acceptance testing (UAT), the process must be restarted in development.
During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern? Select an answer: A. Maximum acceptable downtime metrics have not been defined in the contract. B. The IT department does not manage the relationship with the cloud vendor. C. The help desk call center is in a different country, with different privacy requirements. D. Company-defined security policies are not applied to the cloud application.
You are correct, the answer is D. A. Maximum acceptable downtime is a good metric to have in the contract to ensure application availability; however, human resources (HR) applications are usually not mission-critical, and therefore, maximum acceptable downtime is not the most significant concern in this scenario. B. The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team; however, it is not essential that the individual or team belong to the IT department. C. Access by help desk personnel to personnel data would be covered under a company-defined security policy; the more critical issue is therefore that the application complies with the security policy. D. Cloud applications should adhere to the company-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.
Which of the following should an IS auditor be MOST concerned about in a financial application? Select an answer: A. Programmers have access to application source code. B. Secondary controls are documented for identified role conflicts. C. The information security officer does not authorize all application changes. D. Programmers have access to the production database.
You are correct, the answer is D. A. Programmers who have access to application source code are not of concern to the IS auditor because programmers need access to source code to do their jobs. B. When segregation of duties conflicts are identified, secondary controls should be in place to mitigate risk. While the IS auditor reviews secondary controls, in this case the greater concern is programmers having access to the production database. C. The information security officer is not likely to authorize all application changes; therefore, this is not a concern for an IS auditor. D. Programmers who have access to the production database are considered a segregation of duties conflict and should be of concern to an IS auditor.
The PRIMARY purpose of the IS audit charter is to: Select an answer: A. establish the organizational structure of the audit department. B. illustrate the reporting responsibilities of the IS audit function. C. detail the audit processes and procedures performed by the IS audit department. D. outline the responsibility and authority of the IS audit function.
You are correct, the answer is D. A. The IS audit charter does not set forth the organizational structure of the IS audit department. The charter serves as a directive to create the IS audit function. B. The IS audit charter does not dictate the reporting requirements of the IS audit department. The charter sets forth the purpose, responsibility, authority and accountability of the information systems audit function. C. IS audit processes and procedures are not detailed within the IS audit charter. Procedures are part of the IS audit plan and processes are determined by audit management. D. The primary purpose of the IS audit charter is to set forth the purpose, responsibility, authority and accountability of the IS audit function. The charter document grants authority to the audit function on behalf of the board of directors and company stakeholders.
While conducting an audit on the customer relationship management (CRM) application, the IS auditor observes that it takes a significantly long time for users to log on to the system during peak business hours as compared with other times of the day. Once logged on, the average response time for the system is within acceptable limits. Which of the following choices should the IS auditor recommend? Select an answer: A. The IS auditor should recommend nothing because the system is compliant with current business requirements. B. IT should increase the network bandwidth to improve performance. C. Users should be provided with detailed manuals to use the system properly. D. The IS auditor should recommend establishing performance measurement criteria for the authentication servers.
You are correct, the answer is D. A. The IS auditor recommending nothing is not the right choice because a delayed login process has a negative impact on employee productivity. B. Network bandwidth may or may not be the root cause of this issue. Performance measurement criteria may help determine the cause, which can then be remediated. C. Because the problem is related to logging on and not to processing, additional training for users would not be effective in this case. D. Performance criteria for the authentication servers would help to quantify acceptable thresholds for system performance, which can be measured and remediated.
An IS auditor is reviewing the physical security controls of a data center and notices several areas for concern. Which of the following areas is the MOST important? Select an answer: A. The emergency power off button cover is missing. B. Scheduled maintenance of the fire suppression system was not performed. C. There are no security cameras inside the data center. D. The emergency exit door is blocked.
You are correct, the answer is D. A. The emergency power off button issue is a significant concern, but life safety is the highest priority. B. The primary purpose of the fire suppression system is to protect the equipment and building. The lack of scheduled maintenance is a concern; however, this does not indicate that the system would not function as required. The more critical issue is the emergency exit because life safety is the highest priority. C. The lack of security cameras inside the data center may be a significant concern; however, the more significant issue is the emergency exit door being blocked. D. Life safety is always the highest priority; therefore, the blocking of the emergency exit is the most serious problem.
An organization implemented a distributed accounting system, and the IS auditor is conducting a postimplementation review to provide assurance of the data integrity controls. Which of the following choices should the auditor perform FIRST? Select an answer: A. Review user access. B. Evaluate the change request process. C. Evaluate the reconciliation controls. D. Review the data flow diagram.
You are correct, the answer is D. A. The review of user access would be important; however, in terms of data integrity it would be better to review the data flow diagram. B. The lack of an adequate change control process could impact the integrity of the data; however, the system should be documented first to determine whether the transactions flow to other systems. C. Evaluating the reconciliation controls would help to ensure data integrity; however, it is more important to understand the data flows of the application to ensure that the reconciliation controls are located in the correct place. D. The IS auditor should review the application data flow diagram to understand the flow of data within the application and to other systems. This will enable the IS auditor to evaluate the design and effectiveness of the data integrity controls.
During an implementation review of a recent application deployment, it was determined that several incidents were assigned incorrect priorities and, because of this, failed to meet the business service level agreement (SLA). What is the GREATEST concern? Select an answer: A. The support model was not approved by senior management. B. The incident resolution time specified in the SLA is not realistic. C. There are inadequate resources to support the applications. D. The support model was not properly developed and implemented.
You are correct, the answer is D. A. While senior management involvement is important, the more critical issue is that the support model was not properly developed and implemented. B. While the incident resolution time specified in the service level agreement (SLA) may not always be attainable, the more critical issue is that the support model was not properly developed and implemented. C. While adequate support resources are important, the more critical issue is that the support model was not properly developed and implemented. D. The greatest concern for the IS auditor is that the support model was not developed and implemented correctly to prevent or react to potential outages. Incidents could cost the business a significant amount of money, and a support model should be implemented with the project. This should be a step within the system development life cycle (SDLC) and its procedures; if it is missed on one project, it may be a symptom of an overall breakdown in process.