CISA Study Guide Questions
Which of the following is an objective of a control self-assessment program? a. concentration on areas of high risk b. conducting training and workshops c. to increase risk awareness d. to replace the risk management programme
a. concentration on areas of high risk
Test data should be designed as what for accurate test results?
As per live workload for accurate test results
What is the difference between attribute sampling and variable sampling?
Attribute sampling is used for compliance testing whereas variable sampling is used for substantive testing
An organization is conducting system testing for newly developed software. The primary purpose of a system test is to: a. test the efficiency of security controls built into the system b. determine appropriate documentation of system functionality c. evaluate the system functionality d. identify and document the benefits of the new system
c. evaluate the system functionality
An IS auditor is evaluating how the project manager has monitored the progress of the project. Which of the following is MOST relevant in this context? a. Critical Path Methodology b. PERT c. Gantt chart d. Function point analysis (FPA)
c. Gantt chart
The prime objective of the audit charter is to govern the: a. IS function b. external auditor c. internal audit function d. finance function
c. internal audit function
Which control would you use to identify data transmission errors (completeness and integrity)?
CRC and checksum
Which control would you use to identify transcription and transposition errors (accuracy)?
Check digit
Which sampling techniques are best suited for compliance and substantive testing?
Compliance testing -> attribute sampling; substantive testing -> variable sampling
What is the difference between compliance testing and substantive testing?
Compliance testing involves verification of process whereas substantive testing involves verification of transactions or data
By examining the IP address, which of the following devices can make intelligent decisions to direct packets to their destination? a. hub b. layer-2 switch c. bridge d. router
d. router
Management of an organization is evaluating automated audit tools for its critical business processes. Which of the following audit tools is MOST useful when an audit trail is required? a. integrated test facility (ITF) b. continuous and intermittent simulation (CIS) c. audit hooks d. snapshots
d. snapshots
Statistical sampling minimizes what?
Detection risk
What are the responsibilities of the IT strategy committee?
Determining the exposure of IT and advising the board on strategic direction
What is the best sampling technique where fraud is being suspected?
Discovery sampling
What are the clauses that are a must in any outsourcing contract from an IS auditor's point of view?
- clause with respect to 'right to audit'
- clause with respect to ownership of intellectual property rights
- clause with respect to data confidentiality and privacy
- clause with respect to BCP and DRP
Both RTO and RPO are based on _______ parameters. The lower the time requirements, the ________ the cost of recovery strategies.
1. Time parameters
2. Higher
What are the two main advantages of outsourcing, in order of preference?
1. Expert service can be obtained from outside (so the organization can concentrate on its core business)
2. Cost saving
What are the best practices for wireless (Wi-Fi) security?
- Enable MAC address filtering
- Enable encryption to protect data in transit
- Disable SSID broadcasting
- Disable DHCP
Which control would you use to correct data transmission errors?
Forward error control (FEC)
When is the confidentiality of data transmitted in a wireless LAN BEST protected?
If the session is encrypted using dynamic keys
What is the role of an IS auditor in a control self-assessment (CSA)?
In any given scenario, the role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.
What's SCARF?
Inbuilt audit software used when regular processing cannot be interrupted
What is the most important success factor for CSA?
Involvement of line management
What is the purpose of CSA?
To enhance audit responsibilities (and not to replace the audit)
What is the difference between the IT strategy committee and the IT steering committee?
The IT strategy committee advises the board on various IT strategies and initiatives, whereas the IT steering committee focuses on the implementation part.
What is the MAJOR risk associated with agile development?
Lack of documentation
A higher confidence coefficient will result in the use of a ________ sample size.
Larger. A higher sample size gives a higher confidence coefficient.
A lower RTO/RPO indicates that disaster tolerance is _______.
Low
When internal controls are strong, confidence coefficient/ sample size may be _____________.
Lowered
What will be the main concern of an IS auditor if the service provider is in another country?
The main concern will be legal jurisdiction.
What is recommended for a low RTO?
A mirrored site or hot site is recommended.
What do an RTO of 2 hours and an RPO of 2 hours indicate?
RTO of 2 hrs: the organization needs to ensure that system downtime does not exceed 2 hours. RPO of 2 hrs: the organization needs to ensure that data loss does not exceed 2 hours of captured data.
What is the difference between reengineering and reverse engineering?
Reengineering refers to the process of making major changes in a system, whereas reverse engineering refers to studying and analyzing software to see how it functions and using that information to develop a similar system.
Determine the difference between regression, sociability and integration testing.
- Regression: a test to check again that changes/modifications have not introduced any new errors
- Sociability: a test to determine the adaptability of the new system to the existing environment
- Integration: a test to ensure that the flow of information between two or more systems is correct and accurate
What are the responsibilities of the steering committee?
Setting priorities and milestones, monitoring and approving funds and efficient use of IT resources.
What is the MAJOR advantage of a component-based development approach?
Support of multiple development environments.
What is a snapshot and when is it used?
Takes pictures (snapshots). Used when an audit trail is required.
What is a MAJOR benefit of object-oriented development?
The ability to reuse objects
True or false? No organization can outsource or transfer its accountability; even if a process has been outsourced, final accountability lies with the organization.
True
When is statistical sampling used?
Used when the probability of error must be objectively quantified
What is CIS and when is it used?
Used with a DBMS. CIS simulates the application system processing. As highly complex criteria can be set in CIS, it is the best technique to identify transactions as per pre-defined criteria.
What is the strongest encryption standard for wireless connections?
WPA-2
When is the waterfall approach most suitable?
When requirements are well defined and understood. The waterfall approach is not successful when requirements are changing frequently.
What is ITF?
Dummy entities are created in the live production environment.
A message and the message hash are encrypted by the sender's private key. This will ensure: a. authenticity and integrity b. authenticity and confidentiality c. integrity and privacy d. confidentiality and non-repudiation
a. authenticity and integrity
A hot site should be implemented as a recovery strategy when the: a. disaster tolerance is low b. RPO is high c. RTO is high d. disaster tolerance is high
a. disaster tolerance is low
While determining the appropriate level of protection for an information asset, an IS auditor should primarily focus on: a. criticality of information assets b. cost of information assets c. owner of the information asset d. result of vulnerability assessment
a. criticality of information assets
Which of the following is a characteristic of a decision support system (DSS)? a. DSS allows flexibility in the decision-making approach of users b. DSS supports only structured decision-making tasks c. DSS is aimed at solving highly structured problems d. DSS uses techniques with non-traditional data access and retrieval functions
a. DSS allows flexibility in the decision-making approach of users
An organization is considering implementing biometric access control for one of its critical systems. The auditor should be MOST concerned with which of the following? a. False acceptance rate (FAR) b. False rejection rate (FRR) c. Equal error rate (EER) d. Number of staff enrolled for biometrics
a. False acceptance rate (FAR)
An IS auditor is reviewing the general IT controls of an organization. Which of the following should concern him? a. LAN connections are easily available in the facility to connect laptops to the network b. two-factor authentication is mandatory for access to critical applications c. stand-alone terminals with password protection are located in insecure locations d. terminals are located within the facility in small clusters under the supervision of an administrator
a. LAN connections are easily available in the facility to connect laptops to the network
An IS auditor is evaluating general operating system access control functions. Which of the following access control functions will be in his scope? a. logging user activities b. logging data communication access activities c. verifying user authorization at the field level d. changing data files
a. logging user activities
A packet filtering firewall operates at which layer of the OSI model? a. network layer b. application layer c. transport layer d. session layer
a. network layer
A hot site should be implemented as a recovery strategy when the: a. RTO is low b. RPO is high c. RTO is high d. disaster tolerance is high
a. RTO is low
Overall business risk for a particular threat can be expressed as: a. a product of the probability and impact b. probability of occurrence c. magnitude of impact d. assumption of the risk assessment team
a. a product of the probability and impact
Which of the following is an advantage of using the object-oriented development technique? a. ability to reuse modules b. improvement in system performance c. increase in control effectiveness d. rapid system development process
a. ability to reuse modules
An organization has outsourced the design of its IT security policy. Which of the following functions cannot be outsourced? a. accountability for the IT security policy b. benchmarking the security policy with other organizations in the industry c. implementing the IT security policy d. user awareness for the IT security policy
a. accountability for the IT security policy
An organization is introducing a single sign-on (SSO) system. Under the SSO system, users will be required to enter only one user ID and password for access to all application systems. A major risk of using single sign-on (SSO) is that it: a. acts as a single authentication point for multiple applications b. acts as a single point of failure c. acts as a bottleneck for smooth administration d. leads to a lockout of valid users in case of authentication failure.
a. acts as a single authentication point for multiple applications
The most important factor while evaluating controls is to ensure that the controls: a. address the risk b. do not reduce productivity c. are less costly than the risk d. are automated
a. address the risk
The prime objective of the review of information systems by the IT steering committee should be to assess: a. alignment of IT processes as per business requirements b. alignment of business processes as per IT requirements c. the capacity of existing software d. the capacity of installed technology
a. alignment of IT processes as per business requirements
An IT steering committee should review the IT process to determine: a. alignment of IT processes with business requirements b. capacity management c. functionality of existing software d. stability of installed technology
a. alignment of IT processes with business requirements
The most robust access control policy is the default deny access control policy. This policy: a. allows selected traffic and denies all other traffic b. denies selected traffic and allows all other traffic c. is frequently used for granting access from a trusted network to an external system d. allows traffic at the discretion of the application owner
a. allows selected traffic and denies all other traffic
Which of the following is the BEST logical control mechanism to ensure that users are allowed access to only those functions needed to perform their duties? a. application-level access control b. data encryption c. HTTPS protocol d. network monitoring device
a. application-level access control
Which of the following would be the IS auditor's main concern while reviewing the business process reengineering process? a. appropriate key controls are in place to protect assets and information resources b. requirements of the new system are appropriately documented c. time and resource budget is adhered to d. roles and responsibilities are assigned for the new process
a. appropriate key controls are in place to protect assets and information resources
An audit charter should state management's objectives for and delegation of authority to IS audit and MUST be: a. approved by top management b. approved by the Chief Audit Officer c. approved by the IS department d. approved by the IT steering committee
a. approved by top management
Discretionary access controls will be more effective if they: a. are placed in accordance with mandatory access controls b. are placed independently of mandatory access controls c. allow users to bypass mandatory access controls as and when required d. are allowed by the security policy
a. are placed in accordance with mandatory access controls
In planning an audit, the MOST critical step is the identification of the: a. areas of high risk b. skill sets of the audit staff c. test steps in the audit d. time allotted for the audit
a. areas of high risk
The principle of data integrity that a transaction is either completed in its entirety or not at all is known as: a. atomicity b. consistency c. isolation d. durability
a. atomicity
An IS auditor is reviewing the internal controls of application software. The sampling method that will be MOST useful when testing for compliance is: a. attribute sampling b. variable sampling c. random sampling d. judgmental sampling
a. attribute sampling
An IS auditor is reviewing the internal controls of application software. The sampling method that will be MOST useful when testing for compliance is: a. attribute sampling b. variable sampling c. discovery sampling d. stop-or-go sampling
a. attribute sampling
A digital signature will address which of the following concerns about an electronic message: a. authentication and integrity of data b. authentication and confidentiality of data c. confidentiality and integrity of data d. authentication and availability of data
a. authentication and integrity of data
Mr. A has sent a message along with the hash of the message encrypted by A's private key to Mr. B. This will ensure: a. authenticity and integrity b. authenticity and confidentiality c. integrity and privacy d. privacy and non-repudiation
a. authenticity and integrity
As a part of effective IT governance, the IT plan should be consistent with the organization's: a. business plan b. information security plan c. business continuity plan d. risk management plan
a. business plan
The basic difference between hashing and encryption is that hashing: a. cannot be reversed b. can be reversed c. is concerned with integrity and security d. creates output of greater length than the original message
a. cannot be reversed
The authority that manages the certificate life cycle is the: a. certificate authority (CA) b. certificate revocation list (CRL) c. certification practice statement (CPS) d. registration authority (RA)
a. certificate authority (CA)
An IS auditor is reviewing the access control policy of an organization. Which of the following is the BEST basis for determining the appropriate level of information resource protection? a. classification of information assets b. data owner c. threat assessment d. cost of information assets
a. classification of information assets
An alternate recovery site with space and basic infrastructure like electrical wiring, air-conditioning and flooring, but no computer or communications equipment, is a: a. cold site b. warm site c. hot site d. mirrored site
a. cold site
For recovering a non-critical system, which of the following is the appropriate option? a. cold site b. mirrored site c. hot site d. warm site
a. cold site
In which of the following recovery processing sites is only the arrangement for electricity and HVAC available? a. cold site b. mirrored site c. hot site d. warm site
a. cold site
When an IS auditor performs a test to ensure that only active users have access to a critical system, the IS auditor is performing a: a. compliance test b. substantive test c. statistical sample d. judgment sampling
a. compliance test
The objective of compliance tests is to ensure: a. controls are implemented as prescribed b. documentation is complete c. access to users is provided as specified d. Data validation procedures are provided
a. controls are implemented as prescribed
A 'bridge' operates at which of the following OSI layers? a. data link layer b. physical layer c. network layer d. transport layer
a. data link layer
A 'layer-2 switch' operates at which of the following OSI layers? a. data link layer b. physical layer c. network layer d. transport layer
a. data link layer
In co-ordination with the database administrator, granting access to data is the responsibility of: a. data owners b. system engineer c. security officer d. librarians
a. data owners
The business information system which provides answers to semi-structured problems and for validation of business decisions is: a. decision support system b. structured information system c. transaction processing system d. executive support system
a. decision support system
Which transmission method would provide the best security? a. dedicated lines b. wireless network c. dial-up d. broadband network
a. dedicated lines
The authority, scope, and responsibility of the information systems audit function is: a. defined by the audit charter approved by senior management/the Board b. defined by the IT Head of the organization, as the expert in the matter c. defined by the various functional divisions, depending upon criticality d. generated by the audit division of the organization
a. defined by the audit charter approved by senior management/the Board
An organization is implementing a business process reengineering (BPR) project for its critical system. Which of the following is the FIRST step? a. defining the scope and areas to be reviewed b. designing a project plan c. analyzing the process under review d. reengineering the process under review
a. defining the scope and areas to be reviewed
The first step in installing a firewall in a large organization is: a. developing a security policy b. reviewing firewall settings c. preparing an access control list d. configuring the firewall
a. developing a security policy
Which of the following is used to address the risk of a hash being compromised? a. digital signatures b. message encryption c. email password d. disabling SSID broadcast
a. digital signatures
An organization is routinely routing traffic through a split-cable or duplicate-cable facility. What is this arrangement called? a. diverse routing b. alternate routing c. gateway d. bridge
a. diverse routing
An organization has implemented a CSA programme. What is the advantage of CSA over a traditional audit? a. early identification of risk b. reduction in audit workload c. increase in cost of control d. reduction in audit resources
a. early identification of risk
Which of the following should an IS auditor review to understand project progress in terms of time, budget, and deliverables and for projecting estimates at completion (EACs)? a. earned value analysis (EVA) b. PERT c. Gantt chart d. function point analysis (FPA)
a. earned value analysis (EVA)
Which of the following is the most important benefit of single sign-on? a. easier administration of password management b. it can avoid a potential single point of failure issue c. maintaining SSO is easy as it is not prone to human errors d. it protects network traffic
a. easier administration of password management
An organization is sharing critical information with vendors through email. The organization can ensure that the recipients of the e-mails (i.e. vendors) can authenticate the identity of the sender (i.e. employees) by: a. employees digitally signing their email messages b. employees encrypting their email messages c. employees compressing their email messages d. password protecting all e-mail messages.
a. employees digitally signing their email messages
Which of the following ensures a sender's authenticity? a. encrypting the hash of the message with the sender's private key b. encrypting the message with the receiver's public key c. encrypting the hash of the message with the sender's public key d. encrypting the message with the receiver's private key
a. encrypting the hash of the message with the sender's private key
A stock broking firm sends invoices to clients through email and wants reasonable assurance that no one has modified the invoices. This objective can be achieved by: a. encrypting the hash of the invoice using the firm's private key b. encrypting the hash of the invoice using the firm's public key c. encrypting the invoice using the firm's private key d. encrypting the invoice using the firm's public key
a. encrypting the hash of the invoice using the firm's private key
Which of the following ensures confidentiality of the message and also authenticity of the sender of the message? a. encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key b. encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's private key c. encrypting the hash of the message with the receiver's public key and thereafter encrypting the message with the sender's private key d. encrypting the hash of the message with the receiver's public key and thereafter encrypting the message with the sender's public key
a. encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key
A digital signature contains a hash value (message digest) to: a. ensure message integrity b. define the encryption algorithm c. confirm the identity of the originator d. compress the message
a. ensure message integrity
Information security governance requires strategic alignment in terms of: a. enterprise requirements are the basis for security requirements b. security requirements are the basis for enterprise requirements c. current technology trends d. benchmarking with industry standards
a. enterprise requirements are the basis for security requirements
An IS auditor is reviewing the physical controls for a data centre. For visitor access to the data centre, the most effective control to recommend is: a. escort policy for every visitor b. issuance of visitor badges c. proper sign-in procedure for visitors d. security check procedure for every visitor
a. escort policy for every visitor
An organization is evaluating the effectiveness of biometric systems for its extremely high security requirements. Which of the following performance indicators is MOST important? a. false acceptance rate (FAR) b. equal error rate (EER) c. false rejection rate (FRR) d. failure to enrol rate (FER)
a. false acceptance rate (FAR)
The purpose of the IT balanced scorecard is to evaluate and monitor performance indicators other than: a. financial results b. customer satisfaction c. internal processes d. innovation capacity
a. financial results
Evaluation of IT risks can be done by: a. finding threats/vulnerabilities associated with current IT assets b. trend analysis on the basis of past years' losses c. industry benchmarks d. reviewing IT control weaknesses identified in audit reports
a. finding threats/vulnerabilities associated with current IT assets
The best method to remove confidential data from computer storage is: a. the hard disk should be demagnetized b. the hard disk should be formatted c. data on the hard disk should be deleted d. data on the hard disk should be defragmented
a. the hard disk should be demagnetized
In public key encryption (asymmetric encryption), to authenticate the sender of the message: a. the hash of the message is encrypted by the sender's private key and decryption is done by the sender's public key b. the hash of the message is encrypted by the sender's public key and decryption is done by the sender's private key c. the hash of the message is encrypted by the receiver's private key and decryption is done by the receiver's public key d. the hash of the message is encrypted by the receiver's public key and decryption is done by the receiver's private key
a. the hash of the message is encrypted by the sender's private key and decryption is done by the sender's public key
In public key encryption (asymmetric encryption), to ensure the integrity of the message: a. the hash of the message is encrypted by the sender's private key and decryption is done by the sender's public key b. the hash of the message is encrypted by the sender's public key and decryption is done by the sender's private key c. the hash of the message is encrypted by the receiver's private key and decryption is done by the receiver's public key d. the hash of the message is encrypted by the receiver's public key and decryption is done by the receiver's private key
a. the hash of the message is encrypted by the sender's private key and decryption is done by the sender's public key
A digital signature helps to: a. detect spam b. provide confidentiality c. add to the workload of gateway servers d. decrease available bandwidth
a. detect spam
If the RPO is close to zero, what will the overall cost of maintaining the environment for recovery be? a. high b. low c. medium d. there is no relation between RPO and cost
a. high
The FIRST step in data classification is to: a. identify data owners b. perform a criticality analysis c. define access rules d. define firewall rules
a. identify data owners
Risk can be mitigated by: a. implementing controls b. insurance c. audit and certification d. contracts and service level agreements (SLAs)
a. implementing controls (security and control practices)
The backup scheme wherein a backup is taken only of data changed/modified since the previous full backup or incremental backup is known as: a. incremental backup b. differential backup c. grandfather-father-son rotation d. full backup
a. incremental backup
The susceptibility of a business or process to make an error that is material in nature, assuming there were no internal controls, is: a. inherent risk b. control risk c. detection risk d. correction risk
a. inherent risk
In a risk-based audit approach, an IS auditor should FIRST complete a(n): a. inherent risk assessment b. control risk assessment c. test of control assessment d. substantive test assessment
a. inherent risk assessment
An organization is developing one of its applications using an agile approach. Which of the following would be a risk in the agile development process? a. insufficient documentation b. insufficient testing c. poor requirements definition d. insufficient user involvement
a. insufficient documentation
A PRIMARY advantage of control self-assessment (CSA) techniques is that: a. it ascertains high-risk areas that might need a detailed review later b. risk can be assessed independently by IS auditors c. it replaces audit activities d. it allows management to delegate responsibility for control
a. it ascertains high-risk areas that might need a detailed review later
The use of redundant combinations (local carrier lines, microwaves, and/or coaxial) to access the local communication loop is known as: a. last-mile circuit protection b. long-haul network diversity c. diverse routing d. alternative routing
a. last-mile circuit protection
An organization has outsourced IT support services to a provider in another country. Which of the following should be the main concern of the IS auditor? a. legal jurisdiction can be questioned b. increase in overall cost c. delay in providing service due to time difference d. difficulty monitoring the performance of the outsourced vendor due to geographical distance
a. legal jurisdiction can be questioned
In which of the following attacks does the attacker reproduce characteristics similar to those of the enrolled user? a. mimic b. brute-force c. cryptographic d. replay
a. mimic
Which of the following is a function of an intrusion detection system (IDS)? a. obtain evidence on intrusive activity b. control access on the basis of defined rules c. blocking access to websites for unauthorized users d. preventing access to servers for unauthorized users.
a. obtain evidence on intrusive activity
The IS department is in the process of floating a request for proposal (RFP) for the acquisition of an application system. Who would MOST likely approve the content of the RFP? a. project steering committee b. project sponsor c. project manager d. IS strategy committee
a. project steering committee
An organization has outsourced IT support services. A probable advantage of outsourcing is that: a. reliance can be placed on the expertise of outsourcing vendors b. more control can be exercised over IT processing c. the organization can transfer its accountability in terms of privacy laws d. employee satisfaction may increase
a. reliance can be placed on the expertise of outsourcing vendors
In which of the following scenarios is the waterfall life cycle approach for system development most likely to be used: a. requirements are well defined and no changes are expected b. requirements are well defined and the project is subject to time pressures c. requirements are not finalized and subject to frequent changes d. the project will involve the use of new technology
a. requirements are well defined and no changes are expected
An IS auditor observes that default printing options are enabled for all users. In this situation, the IS auditor is MOST likely to conclude that: a. the risk to data confidentiality increases b. the risk to data integrity increases c. it improves the productivity of employees d. it ensures a smooth flow of information among users
a. the risk to data confidentiality increases
An organization is conducting regression testing for rectified bugs in the system. What data should be used for regression testing? a. the same data as used in the previous test b. random data c. different data from that used in the previous test d. data produced by a test data generator
a. the same data as used in the previous test
An organization wants to protect a network from Internet attacks. Which of the following firewall structures would BEST ensure the protection? a. screened subnet firewall b. screened host firewall c. packet filtering router d. circuit-level gateway
a. screened subnet firewall
An IS auditor reviewing system controls should be most concerned that: a. security and performance requirements are considered b. changes are recorded in a log c. a process for change authorization is in place d. restricted access for system parameters is in place
a. security and performance requirements are considered
Message authenticity and confidentiality are BEST achieved by encrypting the hash of the message using the: a. sender's private key and encrypting the message using the receiver's public key b. sender's public key and encrypting the message using the receiver's private key c. receiver's private key and encrypting the message using the sender's public key d. receiver's public key and encrypting the message using the sender's private key
a. sender's private key and encrypting the message using the receiver's public key
The component of an IDS that collects the data is: a. sensor b. analyzer c. user interface d. administration console
a. sensor
To minimize the risk of data corruption, which of the following options can be effective? a. separate conduits for electrical and data cables b. encryption c. check-digits d. hashing
a. separate conduits for electrical and data cables
An RPO will be deemed critical if it is: a. small b. large c. medium d. larger than industry standards
a. small
Even for normal activity, which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms? a. statistical-based b. signature-based c. neural network d. host-based
a. statistical-based
Senior management's involvement is vital in the development of: a. strategic plans b. IS security guidelines c. IS security procedures d. IS functions
a. strategic plans
The risk assessment process is: a. subjective b. objective c. mathematical d. statistical
a. subjective
An IS auditor is using a statistical sample to inventory the tape library. What type of test would this be considered? a. substantive b. compliance c. integrated d. continuous audit
a. substantive
Evidence gathering to evaluate the integrity of individual transactions, data, or other information is typical of which of the following? a. substantive testing b. compliance testing c. detection testing d. control testing
a. substantive testing
Which of the following BEST describes an integrated test facility? a. technique to verify system processing b. technique to verify system integration c. technique to generate test data d. technique to validate the ongoing operation of the system
a. technique to verify system processing
In a risk-based audit approach, an IS auditor, in addition to risk, would be influenced PRIMARILY by: a. the audit charter b. management's representation c. organizational structure d. number of outsourcing contracts
a. the audit charter
What is the recovery time objective (RTO)? a. the extent of acceptable system downtime b. the time period the crisis is expected to last c. the extent of acceptable data loss d. the time required for the crisis management team to respond
a. the extent of acceptable system downtime
What is the GREATEST concern when implementing a warm site as a recovery site? a. timely availability of hardware b. availability of heat, humidity and air conditioning equipment c. adequacy of electrical power connections d. space arrangements
a. timely availability of hardware
Which of the following concerns would be addressed by a firewall? a. unauthorized access from external network b. unauthorized access from internal network c. a delay in internet connectivity d. a delay in system processing
a. unauthorized access from external network
Which of the following should take ownership of a project for system development? a. user management b. project strategy committee c. project steering committee d. systems development management
a. user management
Who assumes ownership of a systems-development project and the resulting system? a. user management b. project steering committee c. IT management d. system developers
a. user management
When the objective is to ensure message integrity, confidentiality and non-repudiation, the MOST effective method would be to create a message digest and encrypt the message digest: a. using the sender's private key, encrypting the message with a symmetric key and encrypting the symmetric key by using the receiver's public key b. using the sender's private key, encrypting the message with a symmetric key and encrypting the symmetric key by using the receiver's private key c. using the sender's private key, encrypting the message with a symmetric key and encrypting the symmetric key by using the sender's private key d. using the sender's private key, encrypting the message with a symmetric key and encrypting the symmetric key by using the sender's public key
a. using the sender's private key, encrypting the message with a symmetric key and encrypting the symmetric key by using the receiver's public key
While implementing a firewall, the most likely error to occur is: a. wrong configuration of the access lists b. compromise of the password due to shoulder surfing c. inadequate user training about firewall rules d. inadequate anti-virus updates
a. wrong configuration of the access lists
Which control would you use to ensure that a transaction must either fully happen or not happen at all?
atomicity
An IS auditor reviewing the system development approach should be concerned about which of the following? a. UAT is managed by the user group b. A quality plan is not part of the contracted deliverables c. Modules are released in phases instead of full implementation d. Prototyping is used to ensure that the system is aligned with business objectives
b. A quality plan is not part of the contracted deliverables
Which of the following is the role of the IT steering committee? a. advise board on IT strategy b. Approve and monitor funds for IT strategy c. scheduling meetings d. monitoring of outsourcing agreements
b. Approve and monitor funds for IT strategy
Which of the following online auditing tools should best identify transactions as per predefined criteria? a. Systems control audit review file and embedded audit modules (SCARF/EAM) b. Continuous and Intermittent Simulation (CIS) c. Integrated Test Facilities (ITF) d. Audit Hooks
b. Continuous and Intermittent Simulation (CIS)
The decisions and actions of an IS auditor are MOST likely to affect which of the following risks? a. Inherent b. Detection c. Control d. Business
b. Detection
The best way to determine whether IS functions support the organization's business objectives is to ensure that: a. IS has the latest available equipment b. IS plans are designed as per business objectives c. all resources are utilized effectively and efficiently d. IS has proper control over outsourcing partners
b. IS plans are designed as per business objectives
An IS auditor is evaluating an organization's IT security policy. The PRIMARY objective is to ensure that: a. the IT security policy is available to all the users b. the IT security policy supports business and IT objectives c. the IT security policy is considered on the basis of the latest technology available in the market d. the IT security policy is approved by top management
b. the IT security policy supports business and IT objectives
Which of the following authorities is responsible for monitoring the overall project, achievement of milestones and alignment of the project with business requirements? a. user management b. IT steering committee c. IT strategy committee d. system development management
b. IT steering committee
Integrated test facility (ITF) has an advantage over other automated audit tools because of the following characteristic: a. creation of dummy/fictitious entities is not required as testing is done on actual master files b. ITF does not require setting up separate test environments/test processes c. ITF is a continuous audit tool and validates the ongoing operation of the system d. ITF eliminates the need to prepare test data
b. ITF does not require setting up separate test environments/test processes
In several instances, system interface failures have occurred when corrections to previously detected errors are resubmitted. This would indicate the absence of which of the following types of testing? a. pilot testing b. Integration testing c. Parallel testing d. Unit testing
b. Integration testing
An organization is considering implementing access control for one of its critical systems. Among the following control measures, the MOST effective control is: a. token-based PIN b. Iris scan c. Photo identification d. password
b. Iris scan
Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration? a. function point analysis b. PERT c. Critical Path Methodology (CPM) d. Object-oriented system development
b. PERT
Which of the following would BEST help to determine the timeline for a project and prioritize project activities? a. CPM b. PERT C. Gantt Chart d. FPA (Function Point Analysis)
b. PERT
Which of the following uses a prototype that can be updated continually to meet changing user or business requirements? a. critical path methodology (CPM) b. RAD c. FPA d. EVM
b. RAD
An organisation considering development of a system should use which of the following methodologies to develop the system faster, reduce development costs, and still maintain high quality? a. CPM b. Rapid application development (RAD) c. PERT d. Function Point Analysis
b. Rapid application development (RAD)
Which of the following should be a concern to an IS auditor reviewing a wireless network? a. system hardening of all wireless clients b. SSID (service set identifier) broadcasting has been enabled c. WPA-2 (wi-fi protected access protocol) encryption is enabled d. DHCP (dynamic host configuration protocol) is disabled at all wireless access points
b. SSID (service set identifier) broadcasting has been enabled
An auditor is reviewing the wireless network security of the organization. Which of the following should be a concern to an IS auditor? a. 128-bit static-key WEP encryption is enabled b. SSID broadcasting has been enabled c. Antivirus software has been installed on all wireless clients d. MAC access control filtering has been deployed
b. SSID broadcasting has been enabled
An organization wants to evaluate whether a new or modified system can operate in its target environment without adversely impacting other existing systems. Which of the following tests would be relevant? a. regression testing b. Sociability testing c. Interface/integration testing d. pilot testing
b. Sociability testing
An IS auditor has been asked to recommend an effective control for providing temporary access rights to outsourced vendors. Which of the following is the MOST effective control? a. penalty clause in the service level agreement (SLA) b. User accounts are created as per defined role (least privilege) with expiration dates c. full access is provided for a limited period d. vendor management is given the right to delete IDs when work is completed
b. User accounts are created as per defined role (least privilege) with expiration dates
What level of RTO will a critical monitoring system have? a. Very high RTO b. Very low RTO, close to zero c. Close to a year d. Medium level of RTO, close to 50%
b. Very low RTO, close to zero
Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same? a. a substantive test of program library controls b. a compliance test of program library controls c. a compliance test of the program compiler controls d. a substantive test of the program compiler controls
b. a compliance test of program library controls
Which of the following is the greatest concern when reviewing a system development approach? a. user manages acceptance testing b. a quality plan is not part of the contracted deliverables c. application will be rolled out in 3 phases d. compliance with business requirements is verified through prototyping
b. a quality plan is not part of the contracted deliverables
For effective access control, proper naming conventions for system resources are essential because they: a. ensure that resource names reflect their utility b. allow access rules to be structured and better managed c. ensure that user access to resources is clearly identified d. ensure that an international standard for naming is maintained
b. allow access rules to be structured and better managed
When identifying an earlier project completion time, the activities that should be selected for early completion and more concentration are those: a. activities with the shortest completion time b. activities with zero slack time c. activities with the longest completion time including slack time d. activities with the highest slack time
b. activities with zero slack time
When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that: a. segregation of duties to mitigate risks is in place b. all the relevant vulnerabilities and threats are identified c. regulatory compliance is adhered to d. the business is profitable
b. all the relevant vulnerabilities and threats are identified
The method of routing information via an alternative medium, such as copper cable or fiber optics, is called: a. diverse routing b. alternate routing c. gateway d. bridge
b. alternate routing
An IS auditor is evaluating the access control policy of an organization. The implementation of access controls FIRST requires: a. creation of an access control list b. an inventory of IS resources c. performing an impact analysis d. labeling of IS resources
b. an inventory of IS resources
An organisation with the objective of preventing the download of files through FTP (File Transfer Protocol) should configure which of the following firewall types? a. stateful inspection b. application gateway c. packet filter d. circuit gateway
b. application gateway
Which of the following transmission errors can occur in wired as well as wireless communication? a. cross-talk b. attenuation c. sags, spikes, and surges d. multipath interference
b. attenuation
Which of the following sampling methods would be the most effective to determine whether access rights to staff have been authorized as per the authorization matrix? a. stratified mean per unit b. attribute sampling c. discovery sampling d. stop-and-go sampling
b. attribute sampling
The document used by the top management of organizations to delegate authority to the IS audit function is the: a. audit calendar b. audit charter c. risk register d. audit compendium
b. audit charter
Audit charter should include: a. yearly audit resource planning b. audit function's reporting structure c. audit report drafting guidelines d. yearly audit calendar
b. audit function's reporting structure
A commercial website uses asymmetric encryption where there is one private key for the server and the corresponding public key is made available to the customers. This ensures: a. authenticity of the customer b. authenticity of the website c. confidentiality of messages from the website hosting organization to the customer d. non-repudiation from the customer
b. authenticity of the website
An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the: a. regular updating of log files on the usage of various system resources b. authorization and authentication mechanism for allowing access only to authorized users c. encryption mechanism for data protection d. mechanism to control remote access
b. authorization and authentication mechanism for allowing access only to authorized users
For appropriate data classification, the MOST important requirement is: a. knowledge of technical controls for protection of data b. awareness and training about organizational policies and standards c. use of automatic data control tools d. understanding the requirements of data user
b. awareness and training about organizational policies and standards
Who is primarily responsible for IT governance? a. IT strategy committee b. board of directors c. IT steering committee d. audit committee
b. board of directors
Which of the following devices has the capacity to store frames and act as a store-and-forward device? a. hub b. bridge c. repeater d. router
b. bridge
Which of the following attacks involves sending numerous different biometric samples to a biometric device? a. mimic b. brute-force c. cryptographic d. replay
b. brute-force
Which of the following is an advantage of the program evaluation review technique (PERT) over other techniques? PERT: a. considers a single scenario for planning and controlling projects b. considers different scenarios for planning and controlling projects c. defines functionalities of the software under development d. allows the user to define program and system parameters
b. considers different scenarios for planning and controlling projects
The risk that the controls put in place will not prevent, correct, or detect errors on a timely basis is: a. inherent risk b. control risk c. detection risk d. correction risk
b. control risk
The major difference between compliance testing and substantive testing is that compliance testing tests: a. details, while substantive testing tests controls b. controls, while substantive testing tests details c. financial statements, while substantive testing tests items in the trial balance d. internal requirements, while substantive testing tests internal controls
b. controls, while substantive testing tests details
An organization is planning to add personnel to activities imposing time constraints on the duration of a project. Which of the following should be revalidated FIRST? a. budget of the project b. critical path of the project c. duration of the remaining tasks d. resource availability for the project
b. critical path of the project
The MOST important benefit of having a data classification policy is: a. data classification ensures an accurate inventory of information assets b. data classification helps to decrease cost of controls c. data classification helps in vulnerability assessment d. data classification helps in appropriate alignment with data owners
b. data classification helps to decrease cost of controls
The main reason for implementing parity bits as a control is to validate: a. data source b. data completeness c. data availability d. data accuracy
b. data completeness
When creating data for testing the logic in a new system, which of the following is MOST critical? a. quantity of the data b. data designed as per expected live processing c. sample of actual data d. completing the test as per schedule
b. data designed as per expected live processing
An IS auditor is reviewing the access control policy of an organization. Which of the following is responsible for authorizing access rights to production data and systems? a. process owner b. data owner c. data custodian d. security administrator
b. data owner
An expert system's knowledge base that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as: a. diagram trees b. decision trees c. semantic nets d. network trees
b. decision trees
Questionnaires to lead the user through a series of choices to reach a conclusion are used by: a. network trees b. decision trees c. logic trees d. logic algorithms
b. decision trees
Dynamic Host Configuration Protocol (DHCP) is disabled at all wireless access points. Which of the following statements is true when DHCP is disabled for wireless networks? a. increases the risk of unauthorized access to the network b. decreases the risk of unauthorized access to the network c. automatically provides an IP address to anyone d. it disables SSID (service set identifier)
b. decreases the risk of unauthorized access to the network
Which of the following is a prerequisite before implementing an IT balanced scorecard? a. existence of effective and efficient IT services b. define key performance indicators c. IT projects should add value to the business d. IT expenses within the allotted budget
b. define key performance indicators
The Allow All access control policy: a. allows selected traffic and denies all other traffic b. denies selected traffic and allows all other traffic c. is frequently used for granting access from an untrusted network to an external system d. allows traffic at the discretion of the application owner
b. denies selected traffic and allows all other traffic
The most robust configuration in a firewall rule base is: a. allow all traffic and deny the specified traffic b. deny all traffic and allow the specified traffic c. dynamically decide based on traffic d. control traffic at the discretion of the network administrator
b. deny all traffic and allow the specified traffic
An IS auditor reviewing an EDI application observes that the validation edit 'Check Digit' has been implemented for financial transactions. The purpose of 'Check Digit' is to: a. detect only data-transcription errors b. detect data-transposition and transcription errors c. detect data-transmission errors d. detect only data-transposition errors
b. detect data-transposition and transcription errors
Statistical sampling reduces which of the following risks? a. audit risk b. detection risk c. inherent risk d. sampling risk
b. detection risk
An IS auditor is performing a data centre security review. Which of the following steps would an IS auditor normally perform FIRST? a. evaluate physical access controls b. determine the risks/threats to the data centre site c. review the screening process for hiring security staff d. evaluate logical access controls
b. determine the risks/threats to the data centre site
A backup scheme wherein backup is taken only of data changed after the full backup (incremental backups are ignored) is known as: a. incremental backup b. differential backup c. grandfather-father-son rotation d. full backup
b. differential backup
Which of the following is the BEST time to perform a control self-assessment involving all concerned parties? a. post issuance of the audit report b. during the preliminary survey c. during the compliance test d. preparation of the audit report
b. during preliminary survey
In public key encryption (asymmetric encryption), to secure message confidentiality: a. encryption is done by private key and decryption is done by public key b. encryption is done by public key and decryption is done by private key c. both the keys used to encrypt and decrypt the data are public d. both the keys used to encrypt and decrypt the data are private
b. encryption is done by public key and decryption is done by private key
An IS auditor has been asked to facilitate a control self-assessment (CSA) program. Which of the following is an objective of a CSA program? a. replacement of audit responsibilities b. enhancement of audit responsibilities c. to evaluate risk management program d. to provide audit training
b. enhancement of audit responsibilities
An IS auditor is evaluating the effectiveness of biometric systems for an extremely highly secured environment. Which of the following stages should be reviewed first? a. storage b. enrollment c. identification d. termination
b. enrollment
The IS auditor reviews logical access control with a primary objective to: a. ensure access control software is working properly b. ensure access is granted as per the approved structure c. protect computer software d. protect computer hardware
b. ensures access is granted as per the approved structure
Which of the following is the MOST important objective of data protection? a. current technology trend b. ensuring the confidentiality and integrity of information c. denying or authorizing access to the IS system d. internal processing efficiency
b. ensuring the confidentiality and integrity of information
Which of the following is the MOST important objective of data protection? a. creation of an access control list b. ensuring the integrity of information c. reduction in costs of control d. to comply with risk management policy
b. ensuring the integrity of information
An organisation has established a steering committee to oversee its application development program. Which of the following is a function of the steering committee? a. documentation of requirements b. escalation of project issues c. design of interface controls d. specification of reports
b. escalation of project issues
An IS auditor is evaluating the data classification policy of an organization. The FIRST step in data classification is to: a. label IS resources b. establish ownership c. perform an impact analysis d. define access control rules
b. establish ownership
The chairperson for a steering committee who can have a significant impact on a business area would be the: a. board member b. executive level officer c. chief information officer (CIO) d. business analyst
b. executive level officer
An organization is considering implementing access control for one of its critical systems. Among the following control measures, the MOST effective control is: a. cipher lock b. fingerprint scanner c. photo identification d. electronic door lock
b. fingerprint scanner
An organization wants to detect attack attempts that the firewall is unable to recognize. A network intrusion detection system (IDS) should be placed between the: a. internet and firewall b. firewall and the organization's internal network c. internet and the IDS d. IDS and internal network
b. firewall and organization's internal network
Which of the following clauses in an outsourcing contract helps MOST to improve service level and minimize costs? a. use of the latest O/S and hardware b. gain-sharing performance bonuses c. penalties for noncompliance d. training for outsourced staff
b. gain-sharing performance bonuses
To identify excess inventory for the previous year, which online auditing technique can be used? a. test data b. generalized audit software c. integrated test facility d. Embedded audit modules
b. generalized audit software
In risk-based audit planning, an IS auditor's first step is to identify: a. responsibilities of stakeholders b. high-risk areas within the organization c. cost centres d. profit centres
b. high-risk areas within the organization
With regard to the confidence coefficient, it can be said that: a. a small sample size will give a high confidence coefficient b. if an auditor knows internal controls are strong, the confidence coefficient may be lowered c. a small confidence coefficient will result in a high sample size d. if an auditor knows internal controls are strong, the confidence coefficient may be increased
b. if an auditor knows internal controls are strong, the confidence coefficient may be lowered
The MAIN reason for using digital signatures is to ensure data: a. privacy b. integrity c. availability d. confidentiality
b. integrity
Which of the following represents a typical prototype of an interactive application? a. program logic and screens b. interactive edits and screens c. interactive edits, program logic and sample reports d. screens, interactive edits, program logic and sample reports
b. interactive edits and screens
Testing the network of two or more systems for accurate flow of information between them is: a. unit testing b. interface testing c. sociability testing d. regression testing
b. interface testing
Intrusion attempts and penetration threats to a network can be detected, by analyzing the behavior of the system, by which of the following? a. router b. intrusion detection system (IDS) c. stateful inspection d. packet inspection
b. intrusion detection system (IDS)
A project has a budget of 16 hours (over 2 days). While reviewing, the IS auditor notes that the development team has spent eight hours on the activity by the end of the first day. The projected time to complete the remainder of the activity is 12 hours. The IS auditor should report that the project: a. is ahead of schedule b. is behind schedule c. is on schedule d. is to be evaluated only after the activity is completed
b. is behind schedule
The benefit of developing organizational policies by a bottom-up approach is that they: a. cover the whole organization b. are derived as a result of risk assessment c. will be in line with overall corporate policy d. ensure consistency across the organization
b. are derived as a result of risk assessment
An IS auditor is reviewing a project controlled through timebox management. Which of the following is a characteristic of timebox management? a. not suitable for prototyping or rapid application development where projects need to be completed within a timeframe b. it prevents project cost overruns and delays from scheduled delivery c. it requires separate system testing and user acceptance testing d. performance can be evaluated only after the activity is completed
b. it prevents project cost overruns and delays from scheduled delivery
An IS auditor reviewing a decision support system should be MOST concerned with the: a. quality of input data b. level of experience and skills contained in the knowledge base c. logical access control of the system d. processing controls implemented in the system
b. level of experience and skills contained in the knowledge base
Read Only option is always recommended for: a. access control matrix/rule b. log files for suspected transactions c. logging rules d. user profiles
b. log files for suspected transactions
Who among the following is responsible for internal control in the organization? a. accounting department b. management c. the external auditor d. IS auditor
b. management
A hash function will address which of the following concerns about an electronic message? a. message confidentiality b. message integrity c. message availability d. message compression
b. message integrity
An organization has outsourced IT support services to an independent service provider. Which of the following clauses would be the best to define in the SLA to control the performance of the service provider? a. total number of users to be supported b. minimum percentage of incidents solved in the first call c. minimum percentage of incidents reported to the help desk d. minimum percentage of agents answering the phones
b. minimum percentage of incidents solved in the first call
Which of the following is a PRIME role of an IT steering committee? a. IT support to user management b. monitoring IT priorities and milestones c. monitoring IT vendors d. advising board members about new projects
b. monitoring IT priorities and milestones
The appropriateness of router settings is to be reviewed during a: a. physical access review b. network security review c. data centre security review d. data back-up review
b. network security review
Which of the following message services provides the strongest evidence that a specific action has occurred? a. proof of delivery b. non-repudiation c. proof of submission d. authorization
b. non-repudiation
An IS auditor is reviewing an organization's logical access security. He should be most concerned if: a. passwords are shared b. password files are not protected c. resigned employees' logon IDs are not deleted immediately d. logon IDs are issued centrally
b. password files are not protected
'Hub' operates at which of the following OSI layer? a. data link layer b. physical layer c. Network layer d. transport layer
b. physical layer
Requirement specifications are ultimately the responsibility of the: a. top management b. project sponsor c. system analyst d. steering committee
b. project sponsor
Who of the following is ultimately responsible for providing requirement specifications to the software development project team? a. team leader b. project sponsor c. system analyst d. steering committee
b. project sponsor
Which of the following teams should assume overall responsibility for system development projects? a. audit committee b. project steering committee c. user management d. system development management
b. project steering committee
Which of the following is an advantage of prototyping? a. prototyping ensures strong internal controls b. prototyping ensures significant time and cost savings c. prototyping ensures strong change controls d. prototyping ensures that extra functions are not added to the intended system
b. prototyping ensures significant time and costs savings
An organization is developing one of its applications using a prototyping approach. Change control can be impacted by the: a. involvement of users in prototyping b. rapid pace of modification in requirements and design c. trial-and-error approach in prototyping d. absence of integrated tools
b. rapid pace of modification in requirements and design
Proper classification and labeling of system resources is important for access control because they: a. help to avoid ambiguous resource names b. reduce the number of rules required to adequately protect resources c. serve as stringent access control d. ensure that internationally recognized names are used to protect resources
b. reduce the number of rules required to adequately protect resources
An organization is considering implementing access control for all PCs that access critical data. This will: a. completely eliminate the risk of false acceptance, i.e., unauthorized access will be eliminated completely b. require enrollment of all users that access the critical data c. require the fingerprint reader to be controlled by a separate password d. provide assurance that unauthorized access will be impossible
b. require enrollment of all users that access the critical data
An organization is considering implementing a biometric access control for one of its critical systems. Among the below mentioned biometrics, which has the highest reliability and lowest false-acceptance rate (FAR)? a. fingerprints b. retina scan c. face recognition d. voice recognition
b. retina scan
Which of the following techniques is used to study an application or software to see how it functions and to use that information to develop a similar system? a. object oriented b. reverse engineering c. software reengineering d. agile development
b. reverse engineering
Which of the following would be the MOST secure firewall system implementation? a. screened-host firewall b. screened-subnet firewall c. dual-homed firewall d. stateful-inspection firewall
b. screened-subnet firewall
Managing the risk up to an acceptable level is the responsibility of: a. risk management team b. senior business management c. the chief information officer d. the chief security officer
b. senior business management
Which of the following documents will serve the purpose for a vendor performance review by an IS auditor? a. market feedback of the vendor b. service level agreement (SLA) c. penalty levied reports d. performance report submitted by vendor
b. service level agreement (SLA)
Digital signatures require the: a. signer to have a public key of the sender and the receiver to have a private key of the sender b. signer to have a private key of the sender and the receiver to have a public key of the sender c. signer and receiver to have a public key d. signer and receiver to have a private key
b. signer to have a private key of the sender and the receiver to have a public key of the sender
The firewall that allows traffic from outside only if it is in response to traffic from internal hosts is: a. application level gateway firewall b. stateful inspection firewall c. packet filtering router d. circuit level gateway
b. stateful inspection firewall
An IS auditor is reviewing the installation of an intrusion detection system (IDS). Which of the following is the GREATEST concern? a. number of non-alarming events identified as alarming b. system not able to identify the alarming attacks c. automated tool is used for analysis of reports/logs d. traffic from known source is blocked by IDS
b. system not able to identify the alarming attacks
An IS auditor is reviewing an organization's IT strategic plan. He should FIRST review: a. alignment of IT processes as per business requirement b. the business plan c. the capacity of installed technology d. latest technology trends
b. the business plan
Greatest assurance about e-mail authenticity can be ensured by which of the following? a. the prehash code is encrypted using sender's public key b. the prehash code is encrypted using sender's private key c. the prehash code is encrypted using receiver's public key d. the prehash code is encrypted using receiver's private key
b. the prehash code is encrypted using sender's private key
The major risk for lack of an authorization process for users of an application would be: a. many users can claim to be a specific user b. there is no way to limit role based access c. sharing of user accounts d. principle of least privilege can be assured
b. there is no way to limit role based access
Which of the following options increases the cost of cryptography? a. use of symmetric technique rather than asymmetric b. use of long asymmetric key rather than short c. only hash is encrypted rather than full message d. use of short asymmetric key rather than long
b. use of long asymmetric key rather than short
An IS auditor has been asked to recommend an effective control for providing temporary access rights to outsourced vendors. Which of the following is the MOST effective control? a. penalty clause in service level agreement (SLA) b. user accounts are created as per defined role (least privilege) with expiration dates c. full access is provided for a limited period d. vendor management to be given right to delete IDs when work is completed
b. user accounts are created as per defined role (least privilege) with expiration dates
In a public key infrastructure, the role of a certificate authority is to: a. ensure secured communication and secured network services based on certificates b. validate the identity and authenticity of the entity owning the certificate and integrity of the certificate issued by that CA c. ensure secured communication infrastructure between parties d. host a private key of subscribers in public domain
b. validate the identity and authenticity of the entity owning the certificate and integrity of the certificate issued by that CA
In a public key infrastructure, a registration authority: a. issues the certificate b. verifies information supplied by the subject requesting a certificate c. signs the certificate to achieve authentication and non-repudiation d. manages the certificate throughout its life cycle
b. verifies information supplied by the subject requesting a certificate
Which of the following characteristics of white box testing differentiates between white box testing and black box testing? a. white-box testing involves IS auditor b. white-box testing involves testing of program's logical structure c. white-box testing involves bottom-up approach d. white-box testing does not involve testing of program's logical structure
b. white-box testing involves testing of program's logical structure
An organization is introducing a single sign-on (SSO) system. In SSO, unauthorized access: a. will have minor impact b. will have major impact c. is not possible d. is highly possible
b. will have major impact
An organization is considering implementing a biometric access control for one of its critical systems. Among the below mentioned biometrics, the MOST effective biometric control system is the one: a. with highest equal-error rate (EER) b. with lowest equal-error rate (EER) c. with highest cross error rate (CER) d. which covers all the systems in the organization
b. with lowest equal-error rate (EER)
An organization states that digital signatures are used when receiving communications from customers. This is done by: a. a hash of the data that is transmitted and encrypted with the organization's private key b. a hash of the data that is transmitted and encrypted with the customer's private key c. a hash of the data that is transmitted and encrypted with the customer's public key d. a hash of the data that is transmitted and encrypted with the organization's public key
b. a hash of the data that is transmitted and encrypted with the customer's private key
An IS auditor observed lack of senior management's involvement in IT strategy planning. The MOST likely risk is: a. lack of investment in technology b. absence of structured methodology for IT security c. absence of IT alignment with business objectives d. an absence of control over outsourced vendors
c. Absence of IT alignment with business objectives
Which of the following transmission errors can be caused by the length of cable if UTP is more than 100 meters long? a. electromagnetic interference (EMI) b. cross-talk c. attenuation d. sags, spikes, and surges
c. Attenuation
Which of the following observations is the GREATEST concern to the auditor reviewing biometrics control for a critical system? a. access to biometric scanner is provided through virtual private network (VPN) b. biometric devices are not installed in restricted area c. data transferred between biometric device and access control system is not encrypted d. risk analysis for biometric control was conducted 2 years ago
c. Data transferred between biometric device and access control system is not encrypted
The risk of an IS auditor certifying existence of proper systems and procedures while using an inadequate test procedure is an example of: a. inherent risk b. control risk c. detection risk d. audit risk
c. Detection risk
The best overall quantitative performance indicator for biometric system is: a. False - Acceptance Rate (FAR) b. False- Rejection Rate (FRR) c. Equal Error Rate (EER) d. Number of staff enrolled for biometrics
c. Equal Error Rate (EER)
A system under development has multiple linked modules which will handle several million queries and transactions a year. Which of these techniques could the IS auditor use to estimate the size of the development effort? a. critical path methodology (CPM) b. counting source lines of code (SLOC) c. function point analysis d. program evaluation review technique (PERT)
c. Function point analysis
An IS auditor reviewing the implementation of IDS should be most concerned if: a. high instances of false alarm by statistical based IDS b. IDS is placed between firewall and internal network c. IDS is used to detect encrypted traffic d. signature based IDS is not able to identify new threats
c. IDS is used to detect encrypted traffic
Of all three IDS types (i. signature, ii. statistics, and iii. neural network), neural network is more effective in detecting fraud because: a. intrusion is identified on the basis of known types of attacks b. any activity which falls outside the scope of normal behavior is flagged as intrusion c. IDS monitors the general pattern of activities and creates a database and attacks problems that require consideration of a large number of input variables d. IDS solves the problem where a large database is not required
c. IDS monitors the general pattern of activities and creates a database and attacks problems that require consideration of a large number of input variables
'Router' operates at which of the following OSI layers? a. data link layer b. physical layer c. network layer d. transport layer
c. Network layer
An IS auditor should recommend which of the following checks (controls) for completeness of data transmission? a. check digits b. one-for-one checking c. parity bits d. atomicity
c. Parity bits
Characteristic that BEST describes an integrated test facility: a. actual transactions are validated on ongoing basis b. enables the IS auditors to generate test data c. pre-determined results are compared with processing output to ascertain correctness of system processing d. enables the IS auditors to analyze large range of information
c. Pre-determined results are compared with processing output to ascertain correctness of system processing
Which of the following technologies or approaches will facilitate the speedy delivery of information systems to the business user community? a. BPR b. CASE c. RAD d. Waterfall approach
c. RAD
For a man-in-the-middle attack, which of the following encryption techniques will BEST protect a wireless network? a. wired equivalent privacy (WEP) b. MAC-based pre-shared key (PSK) c. randomly generated pre-shared key (PSK) d. service set identifier (SSID)
c. Randomly generated pre-shared key (PSK)
Unit testing indicates that individual modules are operating correctly. The IS auditor should: a. Conclude that system as a whole can produce the desired results b. Document the test result as a proof for system functionality c. Review the findings of integrated tests d. conduct the test again to confirm the findings
c. Review the findings of integrated tests
A major vulnerability was observed in an application by the IS team. To mitigate risk, a patch was applied to a significant number of modules. Which of the following tests should an IS auditor recommend? a. security testing b. load testing c. system testing d. interface testing
c. System testing
Best approach for conducting stress testing is: a. using test data and in test environment b. using live data and in production environment c. Using live data and in test environment d. Using test data and in production environment
c. Using live data and in test environment
To detect intrusion, the BEST control would be: a. controlled procedure for granting user access b. inactive system to be automatically logged off after time limit c. actively monitoring unsuccessful login attempts d. deactivate the user ID after specified unsuccessful login attempts
c. actively monitoring unsuccessful login attempts
Which of the following types of firewalls provides the MOST secure environment? a. stateful inspection b. packet filter c. application gateway d. circuit gateway
c. application gateway
An organization wants to connect a critical server to the internet. Which of the following would provide the BEST protection against hacking? a. Stateful inspection b. a remote access server c. application-level gateway d. port scanning
c. application-level gateway
A risk assessment approach is more suitable when determining the appropriate level of protection for an information asset because it ensures: a. all information assets are protected b. a basic level of protection is applied regardless of asset's value c. appropriate levels of protection are applied to information assets d. only most sensitive information assets are protected
c. appropriate levels of protection are applied to information assets
Which of the following is a function of an IS steering committee? a. monitoring change management and control testing b. monitoring role conflict assessment c. approving and monitoring major projects, the status of IS plans and budgets d. monitoring service level agreements with third party vendors
c. approving and monitoring major projects, the status of IS plans and budgets
Which of the following is a function of an IS steering committee? a. managing outsourced vendors for IS services b. proper segregation of duties for IS processes c. approving and monitoring major projects, the status of IS plans and budgets d. implementing IS security procedures
c. approving and monitoring major projects, the status of IS plans and budgets
Which of the following PKI elements controls and manages the digital certificate life cycle to ensure proper security exists in digital signature applications? a. certificate revocation list b. registration authority (RA) c. certificate authority (CA) d. certification practice statement
c. certificate authority (CA)
Detailed description for dealing with a compromised private key is provided in which of the following public key infrastructure (PKI) elements? a. certificate policy (CP) b. certificate revocation list (CRL) c. certification practice statement (CPS) d. PKI disclosure statement (PDS)
c. certification practice statement (CPS)
An IS auditor should suggest which of the following data validation edits for banks to avoid transposition and transcription errors and thereby ensure the correctness of bank account numbers assigned to customers? a. parity check b. checksum c. check digit d. existence check
c. check digit
Test to determine whether last 50 new user requisitions were correctly processed is an example of: a. discovery sampling b. substantive testing c. compliance testing d. stop-or-go sampling
c. compliance testing
Which of the following attacks targets the algorithm or the encrypted data transmitted between biometric device and access control system? a. mimic b. brute-force c. cryptographic d. replay
c. cryptographic
Responsibility for the maintenance of proper control measures over information resources resides with the: a. database administrator b. security administrator c. data and systems owners d. systems operation groups
c. data and systems owners
From a control perspective, access to application data should be given by: a. database administrator b. data custodian c. data owner d. security administrator
c. data owner
The result of risk management process is used for: a. forecasting profit b. post implementation review c. designing controls d. user acceptance testing
c. designing controls
Which of the following is the MOST critical function of a firewall? a. to act as a special router that connects different networks b. device for preventing authorized users from accessing the LAN c. device used to connect authorized user to trusted network resources d. proxy server to increase the speed of access to authorized user
c. device used to connect authorized user to trusted network resources
An IS auditor reviewing a critical financial application is concerned about fraud. Which of the following sampling methods would BEST assist the auditor? a. attribute sampling b. variable sampling c. discovery sampling d. stop-or-go sampling
c. discovery sampling
A decision support system (DSS): a. concentrates on highly structured problems b. supports the requirements of only top management c. emphasizes flexibility in the decision making approach of users d. fails to survive in changing environments
c. emphasizes flexibility in the decision making approach of users
Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data? a. inheritance b. dynamic warehousing c. encapsulation d. polymorphism
c. encapsulation
An IS auditor observed that outsourcing vendors have been appointed without formal written agreements. The IS auditor should recommend that management: a. obtains independent assurance of the third-party service providers b. sets up a process for monitoring the service delivery of the third party c. ensures that formal contracts are in place d. revokes the appointment of outsourcing vendors
c. ensures that formal contracts are in place
An organization is implementing a bottom-up approach for software testing. An advantage in using a bottom-up against a top-down approach is that: a. errors in critical modules can be found early b. test can be performed online once all programs are complete c. errors in interface can be found early d. confidence in the system is achieved earlier
c. errors in interface can be found early
An IS auditor is reviewing the data classification policy of an organization. From a control perspective, the PRIMARY objective of classifying information assets is to: a. ensure that all assets are insured against losses b. assist in risk assessment c. establish appropriate access control guidelines d. ensure all information assets have access controls
c. establish appropriate access control guidelines
Which of the following processes can be delegated by a certificate authority (CA)? a. issuance of digital certificates b. managing the certificate throughout its life cycle c. establishing a link between the requesting entity and its public key d. maintaining a list of revoked certificates
c. establishing a link between the requesting entity and its public key
An IS auditor is evaluating database-level access control functions. Which of the following access control functions will not be in his scope? a. creating database profiles for monitoring b. authorizing users at a field level c. establishing individual accountability d. logging database access activities for monitoring access violations
c. establishing individual accountability
An IS auditor has been asked to participate in implementation of a control self-assessment program. The auditor should participate primarily as: a. team leader b. the auditor should not participate as it would create a potential conflict of interest c. facilitator d. project controller
c. facilitator
An organization is considering a type of transmission media which provides the best security against unauthorized access. Which of the following provides the best security? a. unshielded twisted pair b. shielded twisted pair c. fiber-optic cables d. coaxial cables
c. fiber-optic cables
Most effective transmission media in terms of security against unauthorized access is: a. copper wire b. twisted pair c. fiber-optic cables d. coaxial cables
c. fiber-optic cables
To ensure detection and correction of errors, redundant information is transmitted with each character or frame. This control is known as: a. parity bits b. block sum checks c. forward error control d. cyclic redundancy check
c. forward error control
For successful control self-assessment (CSA) program, it is essential to: a. design stringent control policy b. have auditors take responsibility for control monitoring c. have line managers take responsibility for control monitoring d. implement stringent control policy
c. have line managers take responsibility for control monitoring
An organization has made provision for a hot site as an alternate arrangement. An advantage of the use of hot sites as a backup alternative is that: a. cost of maintaining the environment is low b. hot sites can be arranged in or near the primary site c. hot sites can be made ready for operation within a short period of time d. system compatibility is not a requirement in case of hot sites
c. hot sites can be made ready for operation within a short period of time
An IS auditor is developing a risk management program. The FIRST activity to be performed is a(n): a. vulnerability assessment b. evaluation of control c. identification of assets d. gap analysis
c. identification of assets
An IS auditor is reviewing a payroll application. He identified some vulnerabilities in the system. What would be the next task? a. report the vulnerabilities to the management immediately b. examine application development process c. identify threats and likelihood of occurrence d. recommend a new application
c. identify threats and likelihood of occurrence
An organization is introducing an SSO system. Under the SSO system, users will be required to enter only one user ID and password for access to all application systems. To prevent unauthorized access, the MOST important action is to: a. monitor all failed attempts b. regularly review log files c. implement a strong password policy d. deactivate all unused accounts
c. implement a strong password policy
The major risk of implementing a decision support system is: a. not able to specify purpose and usage requirements b. decision making is of semi-structured dimensions c. inability to specify purpose and usage patterns d. frequent changes in decision processes
c. inability to specify purpose and usage patterns
A digital signature is created by the sender to prove message integrity by: a. encrypting the message with the sender's private key. Upon receiving the data, the recipient can decrypt the data using the sender's public key b. encrypting the message with the recipient's public key. Upon receiving the data, the recipient can decrypt the data using the recipient's public key c. initially using a hashing algorithm to produce a hash value or message digest from the entire message contents. Upon receiving the data, the recipient can independently create it d. encrypting the message with the sender's public key. Upon receiving the data, the recipient can decrypt the data using the recipient's private key
c. initially using a hashing algorithm to produce a hash value or message digest from the entire message contents. Upon receiving the data, the recipient can independently create it
Which of the following is the most important routine problem in implementation of intrusion detection system (IDS)? a. instances of false rejection rate b. instances of false acceptance rate c. instances of false positives d. denial of service attacks
c. instances of false positives
In final acceptance testing, QAT and UAT were combined. The MAJOR concern will be: a. increase in cost of testing b. inadequate documentation c. insufficient functional testing d. delays in test results
c. insufficient functional testing
An IS auditor is reviewing an EDI application and observed that the validation edit 'checksum' has been implemented for communication of financial transactions. The purpose of 'checksum' is to ensure: a. source validation b. authenticity c. integrity d. non-repudiation
c. integrity
A digital signature provides which of the following? a. non-repudiation, confidentiality and integrity b. integrity, privacy and non-repudiation c. integrity, authentication and non-repudiation d. confidentiality, privacy and non-repudiation
c. integrity, authentication and non-repudiation
An IS steering committee should consist of: a. board members b. user management c. key executives and representatives from user management d. members from IT dept.
c. key executives and representatives from user management
Digital signatures ensure that the sender cannot later deny generating and sending the message. This is known as: a. integrity b. authentication c. non-repudiation d. security
c. non-repudiation
An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: a. types of hardware b. software configuration c. ownership of intellectual property d. employee training policy
c. ownership of intellectual property
Which of the following is the role of an IT steering committee? a. issuance of purchase order (PO) to empaneled vendor b. providing hardware support c. prioritization of IT projects as per business requirement d. advises board on IT strategy
c. prioritization of IT projects as per business requirement
An organization has outsourced data operations service to a provider in another country. Which of the following conclusions should be the main concern of the IS auditor? a. communication issues due to geographical differences b. scope creep due to cross-border differences in project implementation c. privacy laws could prevent cross-border flow of information d. dissatisfaction of in-house IT team
c. privacy laws could prevent cross-border flow of information
Best method to ensure confidentiality of the data transmitted in a wireless LAN is to: a. restrict access to predefined MAC addresses b. protect the session by encrypting with use of static keys c. protect the session by encrypting with use of dynamic keys d. initiate the session by encrypted device
c. protect the session by encrypting with use of dynamic keys
In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy? a. disaster tolerance is high b. recovery time objective is high c. recovery point objective is low d. recovery point objective is high
c. recovery point objective is low
An organization is developing one of its applications using a prototyping approach. Which of the following would be an advantage of using prototyping for systems development? a. sufficient controls will be built in the system b. sufficient audit trail will be built in the system c. reduction in deployment time d. sufficient change control will be built in the system
c. reduction in deployment time
Which of the following controls BEST detects transmission errors by appending extra bits onto the end of each segment? a. checksum b. parity check c. redundancy check d. check digits
c. redundancy check
The mechanism that checks whether each request by a subject to access and use an object is as per security policy is known as: a. address resolution protocol b. access control analyzer c. reference monitor d. reverse address resolution protocol
c. reference monitor
An IS auditor is reviewing a request for proposal (RFP) floated by the IT department to procure services from an independent service provider. Inclusion of which of the below clauses is MOST important while floating such an RFP? a. details about maintenance plan b. details about proof of concept (POC) c. references from other customers d. details about BCP
c. references from other customers
Accountability for maintenance of appropriate security measures over information assets resides with the: a. security administrator b. database administrator c. resource owners d. IT group
c. resource owners
Which of the following factors should an IS auditor primarily consider when determining the acceptable level of risk? a. risk acceptance is the responsibility of senior management b. all risks do not need to be eliminated for a business to be profitable c. risks must be identified and documented in order to perform proper analysis on them d. line management should be involved in the risk analysis because management sees risks daily that others would not recognize
c. risks must be identified and documented in order to perform proper analysis on them
The result of risk management process is used for making: a. business strategy plans b. audit charters c. security policy decisions d. decisions related to outsourcing
c. security policy decisions
Which of the following techniques is used to enhance the system by extracting and reusing design and program components? a. object oriented b. reverse engineering c. software reengineering d. agile development
c. software reengineering
An IS auditor is reviewing security of a payroll application. Which of the following should concern him? a. role-based access to users b. hardening of systems where application runs c. the ability of users to access and modify the database directly d. two factor authentication for access
c. the ability of users to access and modify the database directly
An IS auditor should be most concerned about which of the following while reviewing a firewall? a. properly defined security policy b. use of latest firewall structure with most secure algorithm c. the effectiveness of the firewall in enforcing the security policy d. technical knowledge of user
c. the effectiveness of the firewall in enforcing the security policy
What is recovery point objective (RPO)? a. extent of acceptable system downtime b. the time period the crisis is expected to last c. the extent of acceptable data loss d. the date by which lost data can be recovered by recovery team
c. the extent of acceptable data loss
Use of statistical sampling will be more relevant as compared to judgement (non-statistical) sampling when: a. it is required to mitigate sampling risk b. auditor is inexperienced c. the probability of error must be objectively quantified d. it is required to mitigate audit risk
c. the probability of error must be objectively quantified
An organisation is implementing business process reengineering (BPR) project for its critical system. Which of the following is the impact of BPR? a. business processes will remain stable b. information technologies will not change c. the process will improve performance of product and services d. input from clients and customers will no longer be necessary
c. the process will improve performance of product and services
The purpose of function point analysis (FPA) is: a. to define functionalities of a software b. to identify risk in software development program c. to estimate efforts required to develop software d. to monitor the process of software development
c. to estimate efforts required to develop software
An IS auditor reviews an organization chart PRIMARILY for: a. getting information about data-flow b. assessing the number of employees in each department c. understanding the responsibilities and authority of individuals d. assessing the number of laptops/desktops in each department
c. understanding the responsibilities and authority of individuals
An IS auditor observed that even though the password policy requires passwords to be a combination of letters, numbers and special characters, users are not following the same rigorously. To ensure compliance with the security policy, the IS auditor should recommend: a. password policy to be simplified b. password policy to be sent to all users every month c. usage of automated password management tool d. monthly security awareness training to be delivered
c. usage of automated password management tool
Which of the following is a substantive test? a. reviewing compliance with firewall policy b. reviewing adherence to change management policy c. using a statistical sample to inventory the tape library d. reviewing password history reports
c. using a statistical sample to inventory the tape library
The most important step in risk analysis is to identify: a. competitors b. controls c. vulnerabilities d. liabilities
c. vulnerabilities
Which of the following techniques is more relevant to test the wireless (Wi-Fi) security of an organization? a. WPA-2 b. war dialling c. war driving d. social engineering
c. war driving
For a software development, an organization has planned the following tests. Failure in which stage can have the GREATEST adverse impact on cost and time budgets? a. Unit testing b. Integration testing c. System testing d. Acceptance testing
d. Acceptance testing
The major advantage of a risk-based approach to audit planning is: a. Audit planning can be communicated to the client in advance b. Audit activity can be completed within the allotted budget c. use of the latest technology for audit activities d. Appropriate utilisation of resources for high risk areas
d. Appropriate utilisation of resources for high risk areas
Management of an organization is evaluating automated audit tools for its critical business processes. Which of the following audit tools is MOST useful for the early detection of errors or irregularities? a. Embedded audit module b. integrated test facility c. Snapshots d. Audit hooks
d. Audit hooks
An IS auditor is reviewing the wireless network security policy of the organization. Which of the following actions would make the wireless network more secure? a. disabling MAC address filtering b. disabling WPA c. Enabling SSID broadcasting d. Disabling SSID broadcasting
d. Disabling SSID broadcasting
In an e-commerce application, which of the following should be relied on to prove that the transactions were actually made? a. proof of delivery b. authentication c. Encryption d. Non-repudiation
d. Non-repudiation
Which of the following techniques uses a prototype that can be updated regularly to meet ever-changing user or business requirements? a. reverse engineering b. object-oriented system development (OOD) c. Software reengineering (BPR) d. Rapid application development (RAD)
d. Rapid application development (RAD)
Which of the following should be disabled to increase the security of a wireless network against unauthorized access? a. MAC (media access control) address filtering b. encryption c. WPA-2 (Wi-Fi protected access protocol) d. SSID (service set identifier) broadcasting
d. SSID (service set identifier) broadcasting
Which of the following is the MOST cost-effective solution? a. a hot site that can be operational in two hours with data backup every 2 hours b. a reciprocal agreement for an alternate site with data backup every 2 hours c. Synchronous backup of the data and standby active systems in a hot site d. Synchronous backup of the data in a warm site that can be operational in 48 hours
d. Synchronous backup of the data in a warm site that can be operational in 48 hours
IT governance, to be effective, requires that: a. the business strategies and objectives support the IT strategy b. the business strategy is derived from an IT strategy c. IT governance is cost-effective d. The IT strategy supports the business strategies and objectives
d. The IT strategy supports the business strategies and objectives
An organization is developing one of its applications using a prototyping approach. Which of the following testing methods is MOST effective during the initial phases of prototyping? a. bottom-up b. Parallel c. Volume d. Top-down
d. Top-down
A system is in the development phase. Which of the following tests is MOST likely to be conducted? a. User acceptance test b. Stress test c. Regression Test d. Unit Test
d. Unit Test
An IS auditor is reviewing the software development process. Which of the following is the best way to ensure that business requirements are met during software development? a. proper training for developers b. Programmers with good business knowledge c. Adequate documentation d. User engagement in the development process
d. User engagement in development process
Which of the following approaches is applied during unit testing? a. top-down b. black box c. Bottom-up d. White box
d. White box
An IS auditor is reviewing an ERP system. To evaluate data integrity he should review atomicity to ensure that: a. hardware or software failure will not impact the database b. each transaction is isolated from other transactions c. database consistency is maintained d. a transaction is completed in its entirety.
d. a transaction is completed in its entirety.
Which of the following is the MAJOR advantage of component-based development? a. ability to manage multiple data types b. ability to model complex relationships c. ability to meet the demands of a changing environment d. ability to support multiple development environments
d. ability to support multiple development environments
A digital signature addresses which of the following concerns about an electronic message? a. unauthorized archiving b. confidentiality c. unauthorized copying d. alteration
d. alteration
Which of the following authorities is ultimately responsible for the development of an IS security policy? a. IS department b. security committee c. IS audit department d. board of directors
d. board of directors
The purpose of regression testing is to determine whether: a. a new or modified system can work without adversely impacting the existing system b. the flow of information between two or more systems is correct and accurate c. new requirements have been met d. changes have not introduced any new errors in the unchanged code.
d. changes have not introduced any new errors in the unchanged code.
An IS auditor is reviewing a process where the frequency of transposition and transcription errors in data entry is very high. Which of the following data validation edits will be effective in detecting such errors? a. parity check b. duplicate check c. validity check d. check digit
d. check digit
IS auditors are MOST likely to reduce substantive test procedures if, after compliance tests, they conclude that: a. substantive tests would be too costly b. the control environment is poor c. inherent risk is low d. control risks are within the acceptable limits.
d. control risks are within the acceptable limits.
Which of the following is the FIRST step in the implementation of an access control list? a. a categorization of IS resources b. the grouping of IS resources c. implementation of access control rules d. creating an inventory of available IS resources
d. creating an inventory of available IS resources
Detection of bursts of errors in network transmissions is BEST ensured by: a. parity check b. echo check c. checksum d. cyclic redundancy check
d. cyclic redundancy check
Which of the following situations is MOST suitable for implementation of a hot site as a recovery strategy? a. disaster tolerance is high b. RPO is high c. RTO is high d. disaster tolerance is low
d. disaster tolerance is low
An organization is in the process of entering into an agreement with an outsourced vendor. Which of the following should occur FIRST? a. deciding the periodicity of the contract b. approval from the compliance team c. deciding the level of penalties d. drafting the service level requirements
d. drafting the service level requirements
The main objective of a control self-assessment (CSA) program is to: a. substitute the audit program b. substitute the risk management program c. support regulatory requirements d. enhance audit responsibilities
d. enhance audit responsibilities
An IS auditor is reviewing the process of acquiring application software. Which of the following is the MOST important consideration? a. documented operating procedures to be available b. a backup server to be loaded with all the relevant software and data c. training for staff d. escrow arrangement for source code
d. escrow arrangement for source code
Which of the following is a measure of the accuracy of a biometric system? a. response time b. registration time c. verification time d. false-acceptance rate
d. false-acceptance rate
A backup scheme in which a backup of the full database is taken every time, irrespective of the availability of earlier backups, is known as: a. incremental backup b. differential backup c. grandfather-father-son rotation d. full backup
d. full backup
Which of the following backup schemes is more effective and faster for data restoration? a. incremental backup b. differential backup c. grandfather-father-son rotation d. full backup
d. full backup
Which of the following backup schemes requires more time and media capacity for backup storage? a. incremental backup b. differential backup c. grandfather-father-son rotation d. full backup
d. full backup
An IS auditor has identified certain threats and vulnerabilities in a business process. Next, the IS auditor should: a. identify stakeholders for that business process b. identify information assets and the underlying systems c. disclose the threats and impacts to management d. identify and evaluate the existing controls
d. identify and evaluate the existing controls
Which of the following is considered a limitation of the agile software development methodology? a. quality of the system may be impacted due to speed of development and limited budget b. absence of well-defined requirements may end up with more requirements than needed c. absence of a review mechanism to identify lessons learned for future use in the project d. incomplete documentation due to time management
d. incomplete documentation due to time management
An IS auditor is facilitating a CSA program. Which of the following is the MOST important requirement for a successful CSA? a. ability of the auditor to act as a workshop facilitator b. simplicity of the CSA programme c. frequency of the CSA programme d. involvement of line managers
d. involvement of line managers
To improve the IS alignment with business, which of the following is the best practice? a. outsourcing risks are managed b. use of the latest technology to operate the business c. a structured way of sharing business information d. involvement of top management to mediate between business and information systems
d. involvement of top management to mediate between business and information systems
An IS auditor is reviewing an organization's IS strategy. Which of the following is the most important criterion for such a review? a. it includes a mission statement b. it includes usage of the latest technology c. it includes best security practices d. it supports the business objectives
d. it supports the business objectives
The risk of unauthorized access can be best controlled by: a. before-image/after-image logging b. vitality detection c. multimodal biometrics d. Kerberos
d. Kerberos
Which of the following is the best technique for protecting critical data inside the server? a. security awareness b. regarding the security policy c. security committee d. logical access control
d. logical access control
An IS auditor is determining the appropriate sample size for testing the effectiveness of the change management process. No deviation was noted in the last two years' audit reviews, and management has assured that there was no deviation in the process for the period under review. The auditor can adopt a: a. higher confidence coefficient resulting in a smaller sample size b. lower confidence coefficient resulting in a higher sample size c. high confidence coefficient resulting in a higher sample size d. lower confidence coefficient resulting in a lower sample size
d. lower confidence coefficient resulting in a lower sample size
An organization has outsourced some of its IS processes. What is the MOST important function to be performed by IS management in such a scenario? a. ensuring that outsourcing charges are paid as per the SLA b. training the staff of outsourced vendors c. levying penalties for non-compliance d. monitoring the outsourcing provider's performance
d. monitoring the outsourcing provider's performance
An organization has installed an IDS which monitors general patterns of activity and creates a database. Which of the following intrusion detection systems (IDSs) has this feature? a. packet filtering b. signature-based c. statistical-based d. neural networks
d. neural networks
To prevent unauthorized entry to the database of a critical application, an IS auditor should recommend: a. online terminals are placed in restricted areas b. CCTV cameras to be placed above terminals c. ID cards are required to gain access to online terminals d. online access to be blocked after a specified number of unsuccessful attempts.
d. online access to be blocked after a specified number of unsuccessful attempts.
An IS auditor is evaluating an organization's IS strategy. Which of the following would be the MOST important consideration? a. the organization's IS strategy has been approved by the CIO b. the organization's IS strategy is defined as per the IS department's budget c. the organization's IS strategy is based on the latest technology available in the market d. the organization's IS strategy supports the business objectives of the organization
d. the organization's IS strategy supports the business objectives of the organization
The audit charter should be approved by the highest level of management and should: a. be updated often to keep pace with the changing nature of technology and the audit profession b. include the audit calendar along with resource allocation c. include a plan of action in case of disruption of business services d. outline the overall authority, scope, and responsibilities of the audit function
d. outline the overall authority, scope, and responsibilities of the audit function
An IS auditor has been asked by management to support its CSA program. The role of an IS auditor in a control self-assessment (CSA) should be that of: a. program in-charge b. program manager c. program partner d. program facilitator
d. program facilitator
Which of the following will have the lowest expenditure in terms of recovery arrangements? a. warm site facility b. cold site c. hot site d. reciprocal agreement
d. reciprocal agreement
In which of the following attacks is residual biometric information used to gain unauthorized access? a. mimic b. brute-force c. cryptographic d. replay
d. replay
Which of the following is the GREATEST concern when an organization's backup facility is at a hot site? a. timely availability of hardware b. availability of heat, humidity and air conditioning equipment c. adequacy of electrical power connections d. requirement of an updated database
d. requirement of an updated database
An IS auditor is reviewing the organization's firewall security. Which of the following is the BEST audit procedure to determine if a firewall is configured as per the security policy? a. review incident logs b. review the access control list c. review the actual procedures d. review the parameter settings
d. review the parameter settings
Which of the following is a substantive audit test? a. verifying that a management check has been performed regularly b. observing that user IDs and passwords are required to sign on to the computer c. reviewing reports listing short shipments of goods received d. reviewing an aged trial balance of accounts receivable
d. reviewing an aged trial balance of accounts receivable
Which of the following is a characteristic of the agile software development approach? a. systematic documentation b. more importance is placed on formal paper-based deliverables c. extensive use of software development tools to maximize team productivity d. reviews at the end of each iteration to identify lessons learned for future use in the project
d. reviews at the end of each iteration to identify lessons learned for future use in the project
Which of the following is the most intelligent device? a. hub b. switch c. bridge d. router
d. router
Which of the following is the main advantage of RAD over the traditional SDLC? a. engages users in system development b. prioritizes testing of technical features c. simplifies conversion to the new system d. shortens the development time frame
d. shortens the development time frame
A new system has been added to a client-server environment. Which of the following tests would confirm that modifications in the Windows registry will not impact the performance of the existing environment? a. regression testing b. parallel testing c. white box testing d. sociability testing
d. sociability testing
Encryption of which of the following can be considered an efficient use of PKI? a. sender's private key b. sender's public key c. entire message d. symmetric session key
d. symmetric session key
An IS auditor is reviewing the level of access available to different users. To determine this, which of the following should the IS auditor review? a. log files maintained for system access b. job descriptions of users c. logs maintained for access control violations d. system configuration files for the control options used
d. system configuration files for the control options used
Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture? a. secure sockets layer (SSL) has been implemented b. firewall policies are updated on the basis of changing requirements c. inbound traffic is blocked unless the traffic type and connections have been specifically permitted d. the firewall is placed on top of the commercial operating system with all installation options
d. the firewall is placed on top of the commercial operating system with all installation options
Which of the following is a major control weakness that can adversely affect a system development project? a. out of 10 recommendations from the IT strategy committee, the board has approved only 8 b. project deadlines have not been specified in the project approval plan c. the project manager has not been specified in the project approval plan d. the organization has decided that a project steering committee is not required.
d. the organization has decided that a project steering committee is not required.
In a public key infrastructure, which of the following would an IS auditor consider a weakness? a. certificate authorities are centrally located; however, customers are widely dispersed geographically b. transactions can be made from any computer or mobile device c. the certificate authority has multiple data processing centers to manage the certificates d. the organization is the owner of the certificate authority.
d. the organization is the owner of the certificate authority.
An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review: a. the controls already in place b. the effectiveness of the controls in place c. mechanism for monitoring the risks related to the assets d. the threats/vulnerabilities affecting the assets
d. the threats/vulnerabilities affecting the assets
An IS auditor is evaluating a control self-assessment program in an organization. What is the MAIN objective of implementing a control self-assessment (CSA) program? a. to replace audit responsibilities b. to enhance employees' capabilities c. to comply with regulatory requirements d. to concentrate on high-risk areas
d. to concentrate on high-risk areas
Which of the following is the PRIMARY objective of an IT performance measurement process? a. to reduce errors b. to obtain performance data c. to finalize the requirement baseline d. to improve performance
d. to improve performance
The primary purpose of an audit charter is to: a. describe audit procedures b. define resource requirements for the audit department c. prescribe the code of ethics used by the auditor d. prescribe the authority and responsibilities of the audit department
d. prescribe the authority and responsibilities of the audit department
An organization implementing a new system adopted parallel testing. Which of the following is the PRIMARY purpose for conducting parallel testing? a. to ensure cost is within the budget b. to document system functionality c. to highlight errors in the program logic d. to validate system functionality with user requirements
d. to validate system functionality with user requirements
An organization has adopted a prototyping approach for the development of a system. Which of the following methods is MOST effective during the initial phases of prototyping? a. Bottom-up b. parallel c. Volume d. top-down
d. top-down
An organization is introducing a single sign-on (SSO) system. Under the SSO system, users will be required to enter only one user ID and password for access to all application systems. A major risk of using SSO is that: a. it increases the security administrator's workload b. it reduces the administrator's ability to manage users' accounts c. it increases the time taken by users to log into multiple applications d. unauthorized password disclosure can have a greater impact.
d. unauthorized password disclosure can have a greater impact.
An IS auditor is reviewing the process of acceptance testing. What should be the IS auditor's major concern? a. test objectives not documented b. expected test results not documented by users c. test problem log not updated d. unsolved major issues
d. unsolved major issues
During a review of a critical application system, the IS auditor observes that user accounts are shared. The MAJOR risk resulting from this situation is that: a. passwords are changed frequently b. outsiders can gain access to the system c. passwords are easily guessed d. user accountability may not be established.
d. user accountability may not be established.
In a public key infrastructure, the role of a registration authority is to: a. issue certificates to subscribers b. manage certificates throughout their life cycle c. maintain the list of revoked certificates d. validate the information provided by the subscriber requesting a certificate
d. validate the information provided by the subscriber requesting a certificate
Absence of proper security measures represents a(n): a. threat b. asset c. impact d. vulnerability
d. vulnerability
Usage of wireless infrastructure for mobile devices within the organization increases the risk of which of the following attacks? a. port scanning b. social engineering c. piggybacking d. war driving
d. war driving
The development of substantive tests is often dependent on what?
The outcome of compliance tests
When is the top-down testing method MOST effective?
during initial phases of prototyping
When is an audit hook useful?
early detection of error or fraud is required
The lower the RTO/RPO, the __________ the cost of maintaining the environment
higher
What will be the main concern of an IS auditor if there is an absence of proper clarification on legal jurisdiction?
It can lead to compliance and legal issues
What is recommended for a low RPO?
Mirror imaging or real-time replication for data backup
If RPO is zero, a ________ backup strategy should be used
synchronous
What is the objective of control self-assessment?
The objective of control self-assessment is to concentrate on areas of high risk and to enhance control monitoring by functional staff
Why are reviews done in the agile approach?
to identify lessons for future use in the project
Describe RAD
RAD uses a prototype approach that can be updated continually to meet changing user or business requirements
What is the appropriate strategy for unit testing?
White box approach
For critical data, RPO is ________
zero or near zero
For critical systems, RTO is __________
zero or near zero