CISA Questions (101-200)

An enterprise's risk appetite is BEST established by: Select an answer: A. the chief legal officer. B. security management. C. the audit committee. D. the steering committee.

A. Although chief legal officers can give guidance regarding legal issues on the policy, they cannot determine the risk appetite. B. The security management team is concerned with managing the security posture but not with determining the posture. C. The audit committee is not responsible for setting the risk tolerance or appetite of the enterprise. CORRECT D. The steering committee is best suited to determine the enterprise's risk appetite because the committee draws its representation from senior management.

When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control? Select an answer: A. Restricting physical access to computing equipment B. Reviewing transaction and application logs C. Performing background checks prior to hiring IT staff D. Locking user sessions after a specified period of inactivity

A. IT support staff usually require physical access to computing equipment to perform their job functions. It would not be reasonable to take this away. CORRECT B. Reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse because people who may otherwise be tempted to exploit the situation are aware of the likelihood of being caught. C. Performing background checks is a useful control to ensure IT staff are trustworthy and competent but does not directly address the lack of an optimal segregation of duties. D. Locking user sessions after a specified period of inactivity acts to prevent unauthorized users from gaining system access, but the issue of a lack of segregation of duties is more the misuse (deliberately or inadvertently) of access privileges that have officially been granted.

Which of the following is the MOST important element for the successful implementation of IT governance? Select an answer: A. Implementing an IT scorecard B. Identifying organizational strategies C. Performing a risk assessment D. Creating a formal security policy

A. A scorecard is an excellent tool to implement a program based on good governance, but the most important factor in implementing governance is alignment with organizational strategies. CORRECT B. The key objective of an IT governance program is to support the business, thus the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices—even if implemented—would be ineffective. C. A risk assessment is important to ensure that the security program is based on areas of highest risk, but risk assessment must be based on organizational strategies. D. A policy is a key part of security program implementation, but even the policy must be based on organizational strategies.

When implementing an IT governance framework in an organization the MOST important objective is: Select an answer: A. IT alignment with the business. B. accountability. C. value realization with IT. D. enhancing the return on IT investments.

CORRECT A. The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business. To achieve alignment, all other choices need to be tied to business practices and strategies. B. Accountability is important, but the most important objective of IT governance is to ensure that IT investment and oversight is aligned with business requirements. C. IT must demonstrate value to the organization, but this value is dependent on the ability of IT to align with, and support, business requirements. D. Enhancing return is a requirement of the IT governance framework, but this requirement is only demonstrated through aligning IT with business requirements.

The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program? Select an answer: A. Utilizing of intrusion detection system to report incidents B. Mandating the use of passwords to access all software C. Installing an efficient user log system to track the actions of each user D. Training provided on a regular basis to all current and new employees

You are correct, the answer is D. A. Utilizing an intrusion detection system to report incidents that occur is an implementation of a security program and is not effective in establishing a security awareness program. B. Mandating the use of passwords is a policy decision, not an awareness issue. C. Installing an efficient user log system is not a part of an awareness program. D. Regular training is an important part of a security awareness program.

To support an organization's goals, an IT department should have: Select an answer: A. a low-cost philosophy. B. long- and short-range plans. C. leading-edge technology. D. plans to acquire new hardware and software.

A. A low-cost philosophy is one objective, but more important is the cost-benefit and the relation of IT investment cost to business strategy. CORRECT B. To ensure its contribution to the realization of an organization's overall goals, the IT department should have long- and short-range plans that are consistent with the organization's broader and strategic plans for attaining its goals. C. Leading-edge technology is an objective, but IT plans would be needed to ensure that those plans are aligned with organizational goals. D. Plans to acquire new hardware and software could be a part of the overall plan, but would be required only if hardware or software is needed to achieve the organizational goals.

When an employee is terminated from service, the MOST important action is to: Select an answer: A. hand over all of the employee's files to another designated employee. B. complete a backup of the employee's work. C. notify other employees of the termination. D. disable the employee's logical access.

A. All the work of the terminated employee needs to be handed over to a designated employee; however, this is not as critical as removing terminated employee access. B. All the work of the terminated employee needs to be backed up, but this is not as critical as removing terminated employee access. C. The employees need to be notified of the termination, but this is not as critical as removing terminated employee access. CORRECT D. There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important and immediate action to take.

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of: Select an answer: A. dependency on a single person. B. inadequate succession planning. C. one person knowing all parts of a system. D. a disruption of operations

A. Cross-training helps decrease dependence on a single person. B. Cross-training assists in succession planning. CORRECT C. Cross-training is a process of training more than one individual to perform a specific job or procedure. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the related potential exposures related to abuse of privilege. D. Cross-training provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations.

Many organizations require employees to take a mandatory vacation each year PRIMARILY because the organization wants to ensure that: Select an answer: A. adequate cross-training exists between all functions of the organization. B. employee morale is maintained to ensure an effective internal control environment. C. potential irregularities in processing are identified by temporarily replacing an employee in the job function. D. rotation of employees reduces the risk of processing errors.

A. Cross-training is a good practice to follow but can be achieved without the requirement for mandatory vacation. B. Good employee morale and high levels of employee satisfaction are worthwhile objectives, but they should not be considered a means to achieve an effective internal control system. CORRECT C. Employees who perform critical and sensitive functions within an organization should be required to take some time off to help ensure that irregularities and fraud are detected. D. Although rotating employees could contribute to fewer processing errors, this is not typically a reason to require a mandatory vacation policy.

When auditing a role-based access control system (RBAC), the IS auditor noticed that some IT security employees have system administrator privileges on some servers, which allows them to modify or delete transaction logs. Which would be the BEST recommendation that the IS auditor should make? Select an answer: A. Ensure that these employees are adequately supervised. B. Ensure that backups of the transaction logs are retained. C. Implement controls to detect the changes. D. Ensure that transaction logs are written in real time to Write Once and Read Many (WORM) drives.

A. IT security employees cannot be supervised in the traditional sense unless the supervisor were to monitor each keystroke entered on a workstation, which is obviously not a realistic option. B. Retaining backups of the transaction logs does not prevent the files from unauthorized modification prior to backup. C. The log files themselves are the main evidence that an unauthorized change was made, which is a sufficient detective control. Protecting the log files from modification requires preventive controls such as securely writing the logs. CORRECT D. Allowing IT security employees access to transaction logs is often unavoidable because having system administrator privileges is required for them to do their job. The best control in this case, to avoid unauthorized modifications of transaction logs, is to write the transaction logs to WORM drive media in real time. It is important to note that simply backing up the transaction logs to tape is not adequate because data could be modified prior (typically at night) to the daily backup job execution.

An IS auditor of a large organization is reviewing the roles and responsibilities for the IT function and has found some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor? Select an answer: A. Network administrators are responsible for quality assurance. B. System administrators are application programmers. C. End users are security administrators for critical applications. D. Systems analysts are database administrators.

A. Ideally, network administrators should not be responsible for quality assurance because they could approve their own work. However, that is not as serious as the combination of security and programming, which would allow nearly unlimited abuse of privilege. CORRECT B. When individuals serve multiple roles this represents a separation of duties problem with associated risk. Security administrators should not be system programmers, due to the associated rights of both functions. A person with both security and programming rights could do almost anything on a system, including creating a back door. The other combinations of roles are valid from a separation of duties perspective. C. In some distributed environments, especially with small staffing levels, users may also manage security. D. While a database administrator is a very privileged position it would not be in conflict with the role of a systems analyst.

In a review of the human resources policies and procedures within an organization, an IS auditor would be MOST concerned with the absence of a: Select an answer: A. requirement for job rotation on a periodic basis. B. process for formalized exit interviews. C. termination checklist requiring that keys and company property be returned and all access permissions revoked upon termination. D. requirement for new employees to sign a nondisclosure agreement (NDA).

A. Job rotation is a valuable control to ensure continuity of operations, but not the most serious human resources policy risk. B. Holding an exit interview is desirable when possible to gain feedback, but is not a serious risk. CORRECT C. A termination checklist is critical to ensure the logical and physical security of an enterprise. In addition to preventing the loss of company property issued to the employee, there is the risk of unauthorized access, intellectual property theft and even sabotage by a disgruntled former employee. D. Signing a nondisclosure agreement (NDA) is a recommended human resources practice, but a lack of an NDA is not the most serious risk listed.

The MOST likely effect of the lack of senior management commitment to IT strategic planning is: Select an answer: A. a lack of investment in technology. B. a lack of a methodology for systems development. C. technology not aligning with organization objectives. D. an absence of control over technology contracts.

A. Lack of management commitment will almost certainly affect investment, but the primary loss will be the lack of alignment of IT strategy with the strategy of the business. B. Systems development methodology is a process-related function and not a key concern of management. CORRECT C. A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee or a committee not composed of senior managers would be an indication of a lack of top-level management commitment. This condition would increase the risk that IT would not be aligned with organization strategy. D. Approval for contracts is a business process and would be controlled through financial process controls. This is not applicable here.

A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and: Select an answer: A. length of service, because this will help ensure technical competence. B. age, because training in audit techniques may be impractical. C. IT knowledge, because this will bring enhanced credibility to the audit function. D. ability, as an IS auditor, to be independent of existing IT relationships.

A. Length of service will not ensure technical competency. B. Evaluating an individual's qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world. C. The fact that the employee has worked in IT for many years may not, in itself, ensure credibility. The IS audit department's needs should be defined, and any candidate should be evaluated against those requirements. CORRECT D. Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.

Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to: Select an answer: A. ensure the employee maintains a good quality of life, which will lead to greater productivity. B. reduce the opportunity for an employee to commit an improper or illegal act. C. provide proper cross-training for another employee. D. eliminate the potential disruption caused when an employee takes vacation one day at a time.

A. Maintaining a good quality of life is important, but the primary reason for a mandatory vacation is to catch fraud or errors. CORRECT B. Required vacations/holidays of a week or more in duration in which someone other than the regular employee performs the job function of the employee on vacation is often mandatory for sensitive positions because this reduces the opportunity to commit improper or illegal acts. During this time it may be possible to discover any fraudulent activity that was taking place. C. Providing cross-training is an important management function, but the primary reason for mandatory vacations is to detect fraud or errors. D. Enforcing a rule that all vacations must be taken a week at a time is a management decision but not related to a mandatory vacation policy. The primary reason for mandatory vacations is to detect fraud or errors.

An IT steering committee should: Select an answer: A. include a mix of members from different departments and staff levels. B. ensure that IS security policies and procedures have been executed properly. C. maintain minutes of its meetings and keep the board of directors informed. D. be briefed about new trends and products at each meeting by a vendor.

A. Only senior management or high-level staff members should be on this committee because of its strategic mission. B. Ensuring that information security policies and procedures have been executed properly is not a responsibility of this committee, but the responsibility of IT management and the security administrator. CORRECT C. It is important to keep detailed IT steering committee minutes to document the decisions and activities of the IT steering committee, and the board of directors should be informed about those decisions on a timely basis. D. A vendor should be invited to meetings only when appropriate.

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? Select an answer: A. Overlapping controls B. Boundary controls C. Access controls D. Compensating controls

A. Overlapping controls are two controls addressing the same control objective or exposure. Because primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls. B. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself and are individual-based, not role-based, controls. C. Access controls for resources are based on individuals and not on roles. A lack of segregation of duties would mean that the IS auditor would expect to find that a person has higher levels of access than would be ideal. This would mean the IS auditor wants to find compensating controls to address this risk. CORRECT D. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.

From a control perspective, the key element in job descriptions is that they: Select an answer: A. provide instructions on how to do the job and define authority. B. are current, documented and readily available to the employee. C. communicate management's specific job performance expectations. D. establish responsibility and accountability for the employee's actions.

A. Providing instructions on how to do the job and defining authority addresses the managerial and procedural aspects of the job and is a management responsibility. Job descriptions, which are an human resources (HR)-related function, are primarily used to establish job requirements and accountability. B. It is important that job descriptions are current, documented and readily available to the employee, but this, in itself, is not the key element of the job description. Job descriptions, which are an HR-related function, are primarily used to establish job requirements and accountability. C. Communication of management's specific expectations for job performance would not necessarily be included in job descriptions. CORRECT D. From a control perspective, a job description should establish responsibility and accountability. This will aid in ensuring that users are given system access in accordance with their defined job responsibilities and are accountable for how they use that access.

Which of the following represents an example of a preventive control with respect to IT personnel? Select an answer: A. Review of visitor logs for the data center B. A log server that tracks logon IP addresses of users C. Implementation of a badge entry system for the IT facility D. An accounting system that tracks employee telephone calls

A. Review of visitor logs is a detective control in most circumstances. B. Review of log servers is a detective control in most circumstances. CORRECT C. Preventive controls are used to reduce the probability of an adverse event occurring. A badge entry system would prevent unauthorized entry to the facility. D. Review of telephone call accounting systems is a detective control in most circumstances.

Effective IT governance requires organizational structures and processes to ensure that: Select an answer: A. risk is maintained at a level acceptable for IT management. B. the business strategy is derived from an IT strategy. C. IT governance is separate and distinct from the overall governance. D. the IT strategy extends the organization's strategies and objectives.

A. Risk acceptance levels are set by senior management, not by IT management. B. The business strategy drives the IT strategy, not the other way around. C. IT governance is not an isolated discipline; it must become an integral part of the overall enterprise governance. CORRECT D. Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives, and that the strategy is aligned with business strategy.

Which of the following is the BEST criterion for evaluating the adequacy of an organization's security awareness program? Select an answer: A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection. B. Job descriptions contain clear statements of accountability for information security. C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts. D. No actual incidents have occurred that have caused a loss or a public embarrassment.

A. Senior management's level of awareness and concern for information assets is a criterion for evaluating the importance that they attach to those assets and their protection, but it is not as meaningful as having job descriptions that require all staff to be responsible for information security. CORRECT B. The inclusion of security responsibilities in job descriptions is a key factor in demonstrating the maturity of the security program and helps ensure that staff and management are aware of their roles with respect to information security. C. Funding is important, but having funding does not ensure that the security program is effective or adequate. D. The number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program, but it is not a criterion for evaluating a security program.

Which of the following IT governance good practices improves strategic alignment? Select an answer: A. Supplier and partner risk is managed. B. A knowledge base on customers, products, markets and processes is in place. C. A structure is provided that facilitates the creation and sharing of business information. D. Top management mediates between the imperatives of business and technology.

A. Supplier and partner risk being managed is a risk management good practice but not a strategic function. B. A knowledge base on customers, products, markets and processes being in place is an IT value delivery good practice but does not ensure strategic alignment. C. An infrastructure being provided to facilitate the creation and sharing of business information is an IT value delivery and risk management good practice, but is not as effective as top management involvement in business and technology alignment. CORRECT D. Top management mediating between the imperatives of business and technology is an IT strategic alignment good practice.

An IS auditor reviewing the IT organization would be MOST concerned if the IT steering committee: Select an answer: A. is responsible for project approval and prioritization. B. is responsible for developing the long-term IT plan. C. reports the status of IT projects to the board of directors. D. is responsible for determining business goals.

A. The IT steering committee is responsible for project approval and prioritization. B. The IT steering committee is responsible for oversight of the development of the long-term IT plan. C. The IT steering committee advises the board of directors on the status of developments in IT. CORRECT D. Determining the business goals is the responsibility of senior management and not of the IT steering committee. IT should support business goals and be driven by the business—not the other way around

Responsibility for the governance of IT should rest with the: Select an answer: A. IT strategy committee. B. chief information officer (CIO). C. audit committee. D. board of directors.

A. The IT strategy committee plays a significant role in the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. B. The chief information officer (CIO) plays a significant role in the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. C. The audit committee plays a significant role in monitoring and overseeing the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. CORRECT D. Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly

IT governance is PRIMARILY the responsibility of the: Select an answer: A. chief executive officer (CEO). B. board of directors. C. IT steering committee. D. audit committee.

A. The chief executive officer (CEO) is instrumental in implementing IT governance according to the directions of the board of directors. CORRECT B. IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors). C. The IT steering committee monitors and facilitates deployment of IT resources for specific projects in support of business plans. The IT steering committee enforces governance on behalf of the board of directors. D. The audit committee reports to the board of directors and executes governance-related audits. The audit committee should monitor the implementation of audit recommendations.

A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action? Select an answer: A. Set up an exit interview with human resources (HR). B. Initiate the handover process to ensure continuity of the project. C. Terminate the developer's logical access to IT resources. D. Ensure that management signs off on the termination paperwork.

A. The interview with human resources (HR) is also an important process if it is conducted by the last date of employment, but it is of secondary importance compared to removing the developer's access to systems. B. As long as the handover process to a designated employee is conducted by the last date of employment, there should be no problems. CORRECT C. To protect IT assets, terminating logical access to IT resources is the first and most important action to take after management has confirmed the employee's clear intention to leave the enterprise. D. Ensuring that management signs off on termination paperwork is important, but not as critical as terminating access to the IT systems.

Which of the following is a function of an IT steering committee? Select an answer: A. Monitoring vendor-controlled change control and testing B. Ensuring a separation of duties within the information's processing environment C. Approving and monitoring major projects, such as the status of IT plans and budgets D. Liaising between the IT department and end users

A. Vendor change control is a sourcing issue and should be monitored by IT management. B. Ensuring a separation of duties within the information's processing environment is an IT management responsibility. CORRECT C. The IT steering committee typically serves as a general review board for major IT projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, such as the status of IT plans and budgets. D. Liaising between the IT department and end users is a function of the individual parties and not a committee responsibility.

A local area network (LAN) administrator normally would be restricted from: Select an answer: A. having end-user responsibilities. B. reporting to the end-user manager. C. having programming responsibilities. D. being responsible for LAN security administration.

A. While not ideal, a local area network (LAN) administrator may have end-user responsibilities. B. The LAN administrator may report to the director of the information processing facility (IPF) or, in a decentralized operation, to the end-user manager. CORRECT C. A LAN administrator should not have programming responsibilities because that could allow modification of production programs without proper separation of duties, but the LAN administrator may have end-user responsibilities. D. In small organizations, the LAN administrator may also be responsible for security administration over the LAN.

Which of the following would BEST provide assurance of the integrity of new staff? Select an answer: A. Background screening B. References C. Bonding D. Qualifications listed on a résumé

CORRECT A. A background screening is the primary method for assuring the integrity of a prospective staff member. This may include criminal history checks, driver's license abstracts, financial status checks, verification of education, etc. B. References are important and would need to be verified, but they are not as reliable as background screening because the references themselves may not be validated as trustworthy. C. Bonding is directed at due-diligence compliance and does not ensure integrity. D. Qualifications listed on a résumé may be used to demonstrate proficiency but will not indicate the integrity of the candidate employee.

A financial enterprise has had difficulties establishing clear responsibilities between its IT strategy committee and its IT steering committee. Which of the following responsibilities would MOST likely be assigned to its IT steering committee? Select an answer: A. Approving IT project plans and budgets B. Aligning IT to business objectives C. Advising on IT compliance risk D. Promoting IT governance practices

CORRECT A. An IT steering committee typically has a variety of responsibilities, including approving IT project plans and budgets. Issues related to business objectives, risk and governance are responsibilities that are generally assigned to an IT strategy committee because it provides insight and advice to the board. B. Aligning IT to business objectives is a task usually assigned to an IT strategy committee. The steering committee would be more involved in approval and monitoring of individual projects and budgets. C. Issues related to compliance are tasks usually assigned to an IT strategy committee. The steering committee would be more involved in approval and monitoring of individual projects and budgets. D. IT governance is a task usually assigned to an IT strategy committee. The steering committee would be more involved in approval and monitoring of individual projects and budgets.

Which of the following activities performed by a database administrator (DBA) should be performed by a different person? Select an answer: A. Deleting database activity logs B. Implementing database optimization tools C. Monitoring database usage D. Defining backup and recovery procedures

CORRECT A. Because database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than the DBA. This is a compensating control to aid in ensuring an appropriate segregation of duties and is associated with the DBA's role. B. Implementing database optimization tools is part of the DBA's normal job function. C. Monitoring database usage is part of the DBA's normal job function. D. Defining backup and recovery procedures is part of the DBA's normal job function.

An IS auditor is performing a review of an organization's governance model. Which of the following should be of MOST concern to the auditor? Select an answer: A. The organization's information security policy is not periodically reviewed by senior management. B. A policy to ensure that systems are patched in a timely manner does not exist. C. The audit committee did not review the global mission statement. D. An organizational policy related to malware protection does not exist.

CORRECT A. Data security policies should be reviewed/refreshed once every year to reflect changes in the organization's environment. Policies are fundamental to the organization's governance structure and therefore, this is the greatest concern. B. While it is a concern that there is no policy related to system patching, the greater concern is that the information security policy is not reviewed periodically by senior management. C. Mission statements tend to be long term because they are strategic in nature and are established by the board of directors and management. This is not the IS auditor's greatest concern because proper governance oversight could lead to meeting the objectives of the organization's mission statement. D. While it is a concern that there is no policy related to malware protection, the greater concern is that the security policy is not reviewed periodically by senior management.

The ultimate purpose of IT governance is to: Select an answer: A. encourage optimal use of IT. B. reduce IT costs. C. decentralize IT resources across the organization. D. centralize control of IT.

CORRECT A. IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. B. Reducing IT costs may not be the best IT governance outcome for an enterprise. C. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. D. Centralizing control of IT is not always desired. An example of where it might be desired is an enterprise desiring a single point of customer contact.

A financial services enterprise has a small IT department, and individuals perform more than one role. Which of the following practices represents the GREATEST risk? Select an answer: A. The developers promote code into the production environment. B. The business analyst writes the requirements and performs functional testing. C. The IT manager also performs systems administration. D. The database administrator (DBA) also performs data backups.

CORRECT A. If developers have access to the production environment, there is a risk that untested code can be migrated into the production environment. B. In situations in which there is no dedicated testing group, the business analyst is often the one to perform testing because the analyst has detailed knowledge of how the system must function as a result of writing the requirements. C. It is acceptable in a small team for the IT manager to perform system administration, as long as the manager does not also develop code. D. It may be part of the database administrator's duties to perform data backups.

As an outcome of information security governance, strategic alignment provides: Select an answer: A. security requirements driven by enterprise requirements. B. baseline security following good practices. C. institutionalized and commoditized solutions. D. an understanding of risk exposure.

CORRECT A. Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements. B. Strategic alignment ensures that security aligns with business goals. Providing a standard set of security practices (i.e., baseline security following best practices or institutionalized and commoditized solutions) is a part of value delivery. C. Value delivery addresses the effectiveness and efficiency of solutions, but is not a result of strategic alignment. D. Risk management is a primary goal of IT governance, but strategic alignment is not focused on understanding risk exposure.

Involvement of senior management is MOST important in the development of: Select an answer: A. strategic plans. B. IT policies. C. IT procedures. D. standards and guidelines.

CORRECT A. Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. B. IT policies are created and enforced by IT management and information security. They are structured to support the overall strategic plan. C. IT procedures are developed to support IT policies. Senior management is not involved in the development of procedures. D. Standards and guidelines are developed to support IT policies. Senior management is not involved in the development of standards, baselines and guidelines.

An IS audit department is planning to minimize its dependency on key individuals. Activities that contribute to this objective are documented procedures, knowledge sharing, cross-training and: Select an answer: A. succession planning. B. staff job evaluation. C. responsibilities definitions. D. employee award programs.

CORRECT A. Succession planning ensures that internal personnel with the potential to fill key positions in the company are identified and developed. B. Job evaluation is the process of determining the worth of one job in relation to that of the other jobs in a company so that a fair and equitable wage and salary system can be established. C. Staff responsibilities definitions provide for well-defined roles and responsibilities; however, they do not minimize dependency on key individuals. D. Employee award programs provide motivation; however, they do not minimize dependency on key individuals.

In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether: Select an answer: A. there is an integration of IT and business personnel within projects. B. there is a clear definition of the IT mission and vision. C. a strategic information technology planning scorecard is in place. D. the plan correlates business objectives to IT goals and objectives.

CORRECT A. The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IT short-range plan. B. A clear definition of the IT mission and vision would be covered by a strategic plan. C. A strategic information technology planning scorecard would be covered by a strategic plan. D. Business objectives correlating to IT goals and objectives would be covered by a strategic plan.

Which of the following is normally a responsibility of the chief information security officer (CISO)? Select an answer: A. Periodically reviewing and evaluating the security policy B. Executing user application and software testing and evaluation C. Granting and revoking user access to IT resources D. Approving access to data and applications

CORRECT A. The role of the chief information security officer (CSO) is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the company assets, including data, programs and equipment. B. User application and other software testing and evaluation normally are the responsibility of the staff assigned to development and maintenance. C. Granting and revoking access to IT resources is usually a function of system, network or database administrators. D. Approval of access to data and applications is the duty of the data or application owner.

An IS auditor is evaluating the IT governance framework of an organization. Which of the following would be the GREATEST concern? Select an answer: A. Senior management has limited involvement. B. Return on investment (ROI) is not measured. C. Chargeback of IT cost is not consistent. D. Risk appetite is not quantified.

CORRECT A. To ensure that the IT governance framework is effectively in place, senior management must be involved and aware of roles and responsibilities. Therefore, it is most essential to ensure the role of senior management when evaluating the soundness of IT governance. B. Ensuring revenue is a part of the objectives in the IT governance framework. Therefore, it is not effective in verifying the soundness of IT governance. C. Introduction of a cost allocation system is part of the objectives in an IT governance framework. Therefore, it is not effective in verifying the soundness of IT governance. D. Estimation of risk appetite is important; however, at the same time, management should ensure that controls are in place. Therefore, checking only on risk appetite does not verify soundness of IT governance.

Sharing risk is a key factor in which of the following methods of managing risk? Select an answer: A. Transferring risk B. Tolerating risk C. Terminating risk D. Treating risk

CORRECT A. Transferring risk (e.g., by taking an insurance policy) is a way to share risk. B. Tolerating risk means that the risk is accepted, but not shared. C. Terminating risk would not involve sharing the risk because the organization has chosen to terminate the process associated with the risk. D. There are several ways of treating or controlling the risk, which may involve reducing or sharing the risk, but this is not as precise an answer as transferring the risk.

Effective IT governance will ensure that the IT plan is consistent with the organization's: Select an answer: A. business plan. B. audit plan. C. security plan. D. investment plan.

You are correct, the answer is A. A. To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization's business plans. B. The audit plan is not part of the IT plan. C. The security plan is not a responsibility of IT and does not need to be consistent with the IT plan. D. The investment plan is not part of the IT plan.

Which of the following reasons BEST describes the purpose of a mandatory vacation policy? Select an answer: A. To ensure that employees are properly cross-trained in multiple functions B. To improve employee morale C. To identify potential errors or inconsistencies in business processes D. To be used as a cost-saving measure

Which of the following reasons BEST describes the purpose of a mandatory vacation policy? Select an answer: A. To ensure that employees are properly cross-trained in multiple functions B. To improve employee morale C. To identify potential errors or inconsistencies in business processes D. To be used as a cost-saving measure

When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies: Select an answer: A. are aligned with globally accepted industry good practices. B. are approved by the board of directors and senior management. C. strike a balance between business and security requirements. D. provide direction for implementing security procedures.

You answered A. The correct answer is C. A. An organization is not required to base its IT policies on industry good practices. Policies must be based on the culture and business requirements of the organization. B. It is essential that policies be approved; however, that is not the primary focus during the development of the policies. C. Information security policies must be first of all aligned with an organization's business and security objectives. D. Policies cannot provide direction if they are not aligned with business requirements.

When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the: Select an answer: A. establishment of a review board. B. creation of a security unit. C. effective support of an executive sponsor. D. selection of a security process owner.

You answered A. The correct answer is C. A. Establishment of a review board is not effective without visible sponsorship of top management. B. The creation of a security unit is not effective without visible sponsorship of top management. C. The executive sponsor would be in charge of supporting the organization's strategic security program and would aid in directing the organization's overall security management activities. Therefore, support by the executive level of management is the most critical success factor (CSF). D. The selection of a security process owner is not effective without visible sponsorship of top management.

Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities? Select an answer: A. Define a balanced scorecard (BSC) for measuring performance. B. Consider user satisfaction in the key performance indicators (KPIs). C. Select projects according to business benefits and risk. D. Modify the yearly process of defining the project portfolio.

You answered A. The correct answer is C. A. Measures such as a balanced scorecard (BSC) are helpful, but do not guarantee that the projects are aligned with business strategy. B. Key performance indicators (KPIs) are helpful to monitor and measure IT performance, but they do not guarantee that the projects are aligned with business strategy. C. Prioritization of projects on the basis of their expected benefit(s) to business, and the related risk, is the BEST measure for achieving alignment of the project portfolio to an organization's strategic priorities. D. Modifying the yearly process of the projects portfolio definition might improve the situation, but only if the portfolio definition process is closely tied to organizational strategies.

The risk associated with electronic evidence gathering would MOST likely be reduced by an email: Select an answer: A. destruction policy. B. security policy. C. archive policy. D. audit policy.

You answered A. The correct answer is C. A. The email retention policy would include the destruction or deletion of emails. This must be compliant with legal requirements to retain emails. B. A security policy is too high level and would not address the risk of inadequate retention of emails or the ability to provide access to emails when required. C. With a policy of well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible. D. An audit policy would not address the legal requirement to provide emails as electronic evidence.

Which of the following is MOST critical for the successful implementation and maintenance of a security policy? Select an answer: A. Assimilation of the framework and intent of a written security policy by all appropriate parties B. Management support and approval for the implementation and maintenance of a security policy C. Enforcement of security rules by providing punitive actions for any violation of security rules D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

You answered B. The correct answer is A. A. Assimilation of the framework and intent of a written security policy by all levels of management and users of the system is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective. B. Management support and commitment is, no doubt, important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount. C. Punitive actions are needed to enforce the policy but are not the key to successful implementation. D. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules is important, but it is dependent on the support and education of management and users on the importance of security.

The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a disaster recovery plan, will MOST likely: Select an answer: A. increase. B. decrease. C. remain the same. D. be unpredictable.

You answered B. The correct answer is A. A. Due to the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation (i.e., the cost of normal operations during a nondisaster period will be more than the cost of operations during a nondisaster period when no DRP was in place). B. The implementation of a DRP will always result in additional costs to the organization. C. The implementation of a DRP will always result in additional costs to the organization. D. The costs of a DRP are fairly predictable and consistent.

Corporate IT policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation? Select an answer: A. Have the current configuration approved by operations management. B. Ensure that there is an audit trail for all existing accounts. C. Implement individual user accounts for all staff. D. Amend the IT policy to allow shared accounts.

You answered B. The correct answer is C. A. Having the current configuration approved is a recommendation that is not in compliance with the enterprise's own policy and would violate good practice. B. Having an audit trail for existing shared accounts would not provide accountability or resolve the problem of noncompliance with policy. C. Individual user accounts allow for accountability of transactions and should be the most important recommendation, given the current scenario. D. Shared user IDs do not allow for accountability of transactions and would not reflect good practice.

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan: Select an answer: A. incorporates state of the art technology. B. addresses the required operational controls. C. articulates the IT mission and vision. D. specifies project management practices.

You answered B. The correct answer is C. A. The plan does not need to address state of the art technology; the decision to implement new technology is dependent on the approach to risk and management strategy. B. The plan does not need to address operational controls because those are too granular for strategic planning. C. The IT strategic plan must include a clear articulation of the IT mission and vision. D. The plan should be implemented with proper project management, but the plan does not need to address project management practices.

IS control objectives are useful to IS auditors because they provide the basis for understanding the: Select an answer: A. desired result or purpose of implementing specific control procedures. B. best IS security control practices relevant to a specific entity. C. techniques for securing information. D. security policy.

You are correct, the answer is A. A. An IS control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IS activity. B. Control objectives provide the actual objectives for implementing controls, and may or may not be based on good practices. C. Techniques are the means of achieving an objective, but it is more important to know the reason and objective for the control than to understand the technique itself. D. A security policy mandates the use of IS controls, but the controls are not used to understand policy.

An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk? Select an answer: A. The policy has not been updated in more than one year. B. The policy includes no revision history. C. The policy is approved by the security administrator. D. The company does not have an information security policy committee.

You answered B. The correct answer is C. A. While the information security policy should be updated on a regular basis, the specific time period may vary based on the organization. Although reviewing policies annually is a good practice, the policy could be updated less frequently and still be relevant and effective. An outdated policy is still enforceable, whereas a policy without proper approval is not enforceable. B. The lack of a revision history with respect to the IS policy document is an issue but not as significant as not having it approved by management. A new policy, for example, may not have been subject to any revisions yet. C. The information security policy should have an owner who has management responsibility for the development, review, approval and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore would not have the authority to approve the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues. D. Although a policy committee drawn from across the company is a best practice and may help write better policies, a good policy can be written by a single person, and the lack of a committee is not a problem by itself.

Which of the following goals would you expect to find in an organization's strategic plan? A. Test a new accounting package. B. Perform an evaluation of information technology needs. C. Implement a new project planning system within the next 12 months. D. Become the supplier of choice for the product offered.

You answered B. The correct answer is D. A. Testing a new accounting package is a tactical or short-term goal and would not be included in a strategic plan. B. Performing an evaluation of information technology needs is a way to identify needs and measure performance, but not a goal to be found in a strategic plan. C. Implementing a new project planning system within the next 12 months is project-oriented and is a method of implementing a goal but not the goal in itself. The goal would be to have better project management—the new system is how to achieve that goal. D. Becoming the supplier of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and would, thus, be a part of the organization's strategic plan.

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate? A. Review the strategic alignment of IT with the business. B. Implement accountability rules within the organization. C. Ensure that independent IT audits are conducted periodically. D. Create a chief risk officer (CRO) role in the organization.

You answered C. The correct answer is B. A. While the strategic alignment of IT with the business is important, it is not directly related to the gap identified in this scenario. B. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself. C. Performing more frequent IS audits is not helpful if the accountability rules are not clearly defined and implemented. D. Recommending the creation of a new role (CRO) is not helpful if the accountability rules are not clearly defined and implemented.

An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to: Select an answer: A. verify how the organization follows the standards. B. identify and report the controls currently in place. C. review the metrics for quality evaluation. D. request all standards that have been adopted by the organization.

You answered C. The correct answer is D. A. The auditor needs to know what standards the organization has adopted and then measure compliance with those standards. Determining how the organization follows the standards is secondary to knowing what the standards are. The other items listed—verifying how well standards are being followed, identifying relevant controls and reviewing the quality metrics—are secondary to the identification of standards. B. The first step is to know the standards and what policies and procedures are mandated for the organization, then to document the controls and measure compliance. C. The metrics cannot be reviewed until the auditor has a copy of the standards that describe or require the metrics. D. Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist.

In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure: Select an answer: A. implementation. B. compliance. C. documentation. D. sufficiency.

You answered C. The correct answer is D. A. The first step is to review the baseline to ensure that it is adequate or sufficient to meet the security requirements of the organization. Then the IS auditor will ensure that it is implemented and measure compliance. B. Compliance cannot be measured until the baseline has been implemented, but the IS auditor must first ensure that the correct baseline is being implemented. C. After the baseline has been defined, it must be documented, and the IS auditor will check that the baseline is appropriate before checking for implementation. D. An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of the control baseline to meet security requirements.

Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IT department? A. Allocating resources B. Keeping current with technology advances C. Conducting control self-assessment D. Evaluating hardware needs

You are correct, the answer is A. A. The IT department should specifically consider the manner in which resources are allocated in the short term. The IS auditor will ensure that the resources are being managed adequately. B. Investments in IT need to be aligned with top management strategies rather than be relevant to short-term planning and focus on technology for technology's sake. C. Conducting control self-assessments is not as critical as allocating resources during short-term planning for the IT department. D. Evaluating hardware needs is not as critical as allocating resources during short-term planning for the IT department.

Which of the following is MOST indicative of the effectiveness of an information security awareness program? Select an answer: A. Employees report more information regarding security incidents. B. All employees have signed the information security policy. C. Most employees have attended an awareness session. D. Information security responsibilities have been included in job descriptions.

You answered D. The correct answer is A. A. Although the promotion of security awareness is a preventive control, it can also be a detective measure because it encourages people to identify and report possible security violations. The reporting of incidents implies that employees are taking action as a consequence of the awareness program. B. The existence of evidence that all employees have signed the security policy does not ensure that security responsibilities have been understood and applied. C. One of the objectives of the security awareness program is to inform the employees of what is expected of them and what their responsibilities are, but this knowledge does not ensure that employees will perform their activities in a secure manner. D. The documentation of roles and responsibilities in job descriptions is not an indicator of the effectiveness of the awareness program.

Which of the following is the BEST way to ensure that organizational policies comply with legal requirements? Select an answer: A. Inclusion of a blanket legal statement in each policy B. Periodic review by subject matter experts C. Annual sign-off by senior management on organizational policies D. Policy alignment to the most restrictive regulations

You answered D. The correct answer is B. A. A blanket legal statement in each policy to adhere to all applicable laws and regulations is ineffective because the readers of the policy (internal personnel) will not know which statements are applicable or the specific nature of their requirements. As a result, personnel may lack the knowledge to perform the required activities for legal compliance. B. Periodic review of policies by personnel with specific knowledge of regulatory and legal requirements best ensures that organizational policies are aligned with legal requirements. C. Annual sign-off by senior management on an organization's policies helps set the tone at the top, but does not ensure that the policies comply with regulatory and legal requirements. D. Aligning policies to the most restrictive regulations may create an unacceptable financial burden for the organization. This could then lead to securing minimal risk systems to the same degree as those containing sensitive customer data and other information protected by legislation.

After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following would be the GREATEST risk? Select an answer: A. Project management and progress reporting is combined in a project management office which is driven by external consultants. B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems. D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

You answered D. The correct answer is B. A. In postmerger integration programs, it is common to form project management offices (often staffed with external experts) to ensure standardized and comparable information levels in the planning and reporting structures, and to centralize dependencies of project deliverables or resources. B. The efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications. C. The development of new integrated systems can require some knowledge of the legacy systems to gain an understanding of each business process. D. In most cases, mergers result in application changes and thus in training needs as organizations and processes change to leverage the intended synergy effects of the merger.

Which of the following BEST supports the prioritization of new IT projects? Select an answer: A. Internal control self-assessment (CSA) B. Information systems audit C. Investment portfolio analysis D. Business risk assessment

You answered D. The correct answer is C. A. Internal control self-assessment (CSA) may highlight noncompliance to the current policy, but may not necessarily be the best source for driving the prioritization of IT projects. B. Like internal CSA, IS audits are mostly a detective control and may provide only part of the picture for the prioritization of IT projects. C. It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy, but will provide the rationale for terminating nonperforming IT projects. D. Business risk analysis is part of the investment portfolio analysis but, by itself, is not the best method for prioritizing new IT projects.

During a feasibility study regarding outsourcing IT processing, the relevance for the IS auditor of reviewing the vendor's business continuity plan (BCP) is to: Select an answer: A. evaluate the adequacy of the service levels that the vendor can provide in a contingency. B. evaluate the financial stability of the service bureau and its ability to fulfill the contract. C. review the experience of the vendor's staff. D. test the BCP.

You are correct, the answer is A. A. A key factor in a successful outsourcing environment is the capability of the vendor to face a contingency and continue to support the organization's processing requirements. B. Financial stability is not related to the vendor's business continuity plan (BCP). C. Experience of the vendor's staff is not related to the vendor's BCP. D. The review of the vendor's BCP during a feasibility study is not a way to test the vendor's BCP.

An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: Select an answer: A. this lack of knowledge may lead to unintentional disclosure of sensitive information. B. information security is not critical to all functions. C. IS audit should provide security training to the employees. D. the audit finding will cause management to provide continuous training to staff.

You are correct, the answer is A. A. All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders. B. Information security is everybody's business, and all staff should be trained in how to handle information correctly. C. Providing security awareness training is not an IS audit function. D. Management may agree to or reject an audit finding. The IS auditor cannot be assured that management will act upon an audit finding unless they are aware of its impact; therefore, the auditor must report the risk associated with lack of security awareness.

When reviewing an organization's strategic IT plan, an IS auditor should expect to find: Select an answer: A. an assessment of the fit of the organization's application portfolio with business objectives. B. actions to reduce hardware procurement cost. C. a listing of approved suppliers of IT contract resources. D. a description of the technical architecture for the organization's network perimeter security.

You are correct, the answer is A. A. An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process. This drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc., can support the business objectives. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization's business objectives. B. Operational efficiency initiatives, including cost reduction of purchasing and maintenance activities of systems, belong to tactical planning, not strategic planning. C. A list of approved suppliers of IT contract resources is a tactical rather than a strategic concern. D. An IT strategic plan would not normally include detail of a specific technical architecture.

Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy: Select an answer: A. is driven by an IT department's objectives. B. is published, but users are not required to read the policy. C. does not include information security procedures. D. has not been updated in over a year.

You are correct, the answer is A. A. Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals. B. Policies should be written so that users can understand each policy, and employees should be able to easily access the policies. The fact that users have not read the policy is not the greatest concern because they still may be compliant with the policy. C. Policies should not contain procedures. Procedures are established to assist with policy implementation and compliance. D. Policies should be reviewed annually, but they might not necessarily be updated annually unless there are significant changes in the environment such as new laws, rules or regulations.

The PRIMARY objective of implementing corporate governance is to: Select an answer: A. provide strategic direction. B. control business operations. C. align IT with business. D. implement good practices.

You are correct, the answer is A. A. Corporate governance is a set of management practices to provide strategic direction to the organization as a whole, thereby ensuring that goals are achievable, risk is properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction. B. Business operations are directed and controlled based on the strategic direction. C. Corporate governance applies strategic planning, monitoring and accountability to the entire organization, not just to IT. D. Governance is applied through the use of good practices, but this is not the objective of corporate governance.

A top-down approach to the development of operational policies helps ensure: A. that they are consistent across the organization. B. that they are implemented as a part of risk assessment. C. compliance with all policies. D. that they are reviewed periodically.

You are correct, the answer is A. A. Deriving lower level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. B. Policies should be influenced by risk assessment, but the primary reason for a top-down approach is to ensure that the policies are consistent across the organization. C. A top-down approach, of itself, does not ensure compliance. D. A top-down approach, of itself, does not ensure that policies are reviewed.

In the context of effective information security governance, the primary objective of value delivery is to: Select an answer: A. optimize security investments in support of business objectives. B. implement a standard set of security practices. C. institute a standards-based solution. D. implement a continuous improvement culture.

You are correct, the answer is A. A. In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. B. The tools and techniques for implementing value delivery include implementation of a standard set of security practices; however, implementation of standards is a means to achieve the objective of supporting value delivery, not the objective itself. C. Value delivery may be supported through the use of standards-based solutions, but the use of standards-based solutions is not the goal of value delivery. D. Continuous improvement culture in relation to a security program is a process, not an objective.

A benefit of open system architecture is that it: Select an answer: A. facilitates interoperability. B. facilitates the integration of proprietary components. C. will be a basis for volume discounts from equipment vendors. D. allows for the achievement of more economies of scale for equipment.

You are correct, the answer is A. A. Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. B. Closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface with existing systems. C. The ability to obtain volume discounts is achieved through the use of bulk purchasing or a primary vendor, not through open system architecture. D. Open systems may be less expensive than proprietary systems depending on the supplier, but the primary benefit of open system architecture is its interoperability between vendors.

For a health care organization, which one of the following reasons would MOST likely indicate that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation? Select an answer: A. There are regulations regarding data privacy. B. Member service representative training cost will be much higher. C. It is harder to monitor remote databases. D. Time zone differences could impede customer service.

You are correct, the answer is A. A. Regulations prohibiting the cross-border flow of personally identifiable information (PII) may make it impossible to locate a data warehouse containing customer/member information in another country. B. Training cost is common and manageable regardless of where the data warehouse resides. C. Remote database monitoring is manageable regardless of where the data warehouse resides. D. Time zone difference issues are manageable through contract provisions regardless of where the data warehouse resides.

When auditing the archiving of the company's email communications, the IS auditor should pay the MOST attention to: Select an answer: A. the existence of a data retention policy. B. the storage capacity of the archiving solution. C. the level of user awareness concerning email use. D. the support and stability of the archiving solution manufacturer.

You are correct, the answer is A. A. Without a data retention policy that is aligned to the company's business and compliance requirements, the email archive may not preserve and reproduce the correct information when required. B. The storage capacity of the archiving solution would be irrelevant if the proper email messages have not been properly preserved and others have been deleted. C. The level of user awareness concerning email use would not directly affect the completeness and accuracy of the archived email. D. The support and stability of the archiving solution manufacturer is secondary to the need to ensure a retention policy. Vendor support would not directly affect the completeness and accuracy of the archived email.

An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business value. Which of the following would be MOST relevant? Select an answer: A. A capability maturity model (CMM) B. Portfolio management C. Configuration management D. Project management body of knowledge (PMBOK)

You are correct, the answer is B. A. A capability maturity model (CMM) would not help determine the optimal portfolio of capital projects because it is a means of assessing the relative maturity of the IT processes within an organization: running from Level 0 (Incomplete—Processes are not implemented or fail to achieve their purpose) to Level 5 (Optimizing—Metrics are defined and measured, and continuous improvement techniques are in place). B. Portfolio management is designed to assist in the definition, prioritization, approval and running of a set of projects within a given organization. These tools offer data capture, workflow and scenario planning functionality, which can help identify the optimum set of projects (from the full set of ideas) to take forward within a given budget. C. A configuration management database (which stores the configuration details for an organization's IT systems) is an important tool for IT service delivery and, in particular, change management. It may provide information that would influence the prioritization of projects, but is not designed for that purpose. D. PMBOK is a methodology for the management and delivery of projects. It offers no specific guidance or assistance in optimizing a project portfolio.

Which of the following should be included in an organization's information security policy? Select an answer: A. A list of key IT resources to be secured B. The basis for access control authorization C. Identity of sensitive security assets D. Relevant software security features

You are correct, the answer is B. A. A list of key IT resources to be secured is more detailed than that which should be included in a policy. B. The security policy provides the broad framework of security as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. C. The identity of sensitive security assets is more detailed than that which should be included in a policy. D. A list of the relevant software security features is more detailed than that which should be included in a policy.

A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and: Select an answer: A. recovery. B. retention. C. rebuilding. D. reuse.

You are correct, the answer is B. A. Email policy should address the business and legal requirements of email retention. Addressing the retention issue in the email policy would facilitate recovery. B. Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which email communication is held in the same regard as the official form of classic "paper" makes the retention policy of corporate email a necessity. All email generated on an organization's hardware is the property of the organization, and an email policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of emails after a specified time to protect the nature and confidentiality of the messages themselves. C. Email policy should address the business and legal requirements of email retention. Addressing the retention issue in the email policy would facilitate rebuilding. D. Email policy should address the business and legal requirements of email retention. Reuse of email is not a policy matter.

When reviewing the IT strategy, an IS auditor can BEST assess whether the strategy supports the organizations' business objectives by determining whether IT: Select an answer: A. has all the personnel and equipment it needs. B. plans are consistent with management strategy. C. uses its equipment and personnel efficiently and effectively. D. has sufficient excess capacity to respond to changing directions.

You are correct, the answer is B. A. Having personnel and equipment is an important requirement to meet the IT strategy but will not ensure that the IT strategy supports business objectives. B. The only way to know if IT strategy will meet business objectives is to determine if the IT plan is consistent with management strategy and that it relates IT planning to business plans. C. Using equipment and personnel efficiently and effectively is an effective method for determining the proper management of the IT function but does not ensure that the IT strategy is aligned with business objectives. D. Having sufficient excess capacity to respond to changing directions is important to show flexibility to meet organizational changes, but is not in itself a way to ensure that IT is aligned with business goals.

Which of the following is the initial step in creating a firewall policy? Select an answer: A. A cost-benefit analysis of methods for securing the applications B. Identification of network applications to be externally accessed C. Identification of vulnerabilities associated with network applications to be externally accessed D. Creation of an application traffic matrix showing protection methods

You are correct, the answer is B. A. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step. B. Identification of the applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. C. Having identified the externally accessed applications, the second step is to identify vulnerabilities (weaknesses) associated with the network applications. D. The fourth step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

Which of the following is the BEST enabler for strategic alignment between business and IT? Select an answer: A. A maturity model B. Goals and metrics C. Control objectives D. A responsible, accountable, consulted and informed (RACI) chart

You are correct, the answer is B. A. Maturity models enable assessment of current process capability and could be used for process improvement and measuring the maturity of the alignment process, but they do not directly enable strategic alignment. B. Goals and metrics ensure that IT goals are set based on business goals, and they are the best enablers of strategic alignment. C. Control objectives facilitate the implementation of controls in the related processes according to business requirements. D. RACI charts enable the assignment of responsibility to key functionaries but do not ensure strategic alignment.

The rate of change in technology increases the importance of: Select an answer: A. outsourcing the IT function. B. implementing and enforcing sound processes. C. hiring qualified personnel. D. meeting user requirements.

You are correct, the answer is B. A. Outsourcing the IT function is a business decision and not directly related to the rate of technological change, nor does the rate of change increase the importance of outsourcing. B. Change control requires that good change management processes be implemented and enforced. C. Personnel in a typical IT department can often be trained in new technologies to meet organizational requirements. D. Although meeting user requirements is important, it is not directly related to the rate of technological change in the IT environment.

When developing a security architecture, which of the following steps should be executed FIRST? A. Developing security procedures B. Defining a security policy C. Specifying an access control methodology D. Defining roles and responsibilities

You are correct, the answer is B. A. Policy is used to provide direction for procedures, standards and baselines. Therefore, developing security procedures should be executed only after defining a security policy. B. Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. C. Specifying an access control methodology is an implementation concern and should be executed only after defining a security policy. D. Defining roles and responsibilities should be executed only after defining a security policy.

An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend? A. User acceptance testing (UAT) occur for all reports before release into production B. Organizational data governance practices be put in place C. Standard software tools be used for report development D. Management sign-off on requirements for new reports

You are correct, the answer is B. A. Recommending that user acceptance testing (UAT) occur for all reports before release into production does not address the root cause of the problem described. B. This choice directly addresses the problem. An organizationwide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative. C. Recommending standard software tools be used for report development does not address the root cause of the problem described. D. Recommending that management sign off on requirements for new reports does not address the root cause of the problem described.

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should: Select an answer: A. recommend that this separate project be completed as soon as possible. B. report this issue as a finding in the audit report. C. recommend the adoption of the Zachmann framework. D. re-scope the audit to include the separate project as part of the current audit.

You are correct, the answer is B. A. The IS auditor would not ordinarily provide input on the timing of projects, but rather provide an assessment of the current environment. The most critical issue in this scenario is that the enterprise architecture (EA) is undergoing change, so the IS auditor should be most concerned with reporting this issue. B. It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding. C. The company is free to choose any EA framework, and the IS auditor should not recommend a specific framework. D. Changing the scope of an audit to include the secondary project is not required, although a follow-up audit may be desired.

Which of the following is the BEST reason to implement a policy which places conditions on secondary employment for IT employees? Select an answer: A. To prevent the misuse of corporate resources B. To prevent conflicts of interest C. To prevent employee performance issues D. To prevent theft of IT assets

You are correct, the answer is B. A. The misuse of corporate resources is an issue that must be addressed but is not necessarily related to secondary employment. B. The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Policies should be in place to control IT employees seeking secondary employment from releasing sensitive information or working for a competing company. Conflicts of interest could result in serious risk such as fraud, theft of intellectual property or other improprieties. C. Employee performance can certainly be an issue if an employee is overworked or has insufficient time off, but that should be dealt with as a management function and not the primary reason to have a policy on secondary employment. D. Theft of assets is a problem but not necessarily related to secondary employment.

An IS auditor reviewing an organization's IT strategic plan should FIRST review: Select an answer: A. the existing IT environment. B. the business plan. C. the present IT budget. D. current technology trends.

You are correct, the answer is B. A. The organization's strategic plan drives the IT strategic plan, and IT's strategic plan drives the IT environment. The plan is where we want to be, not where we are. B. The IT strategic plan exists to support the organization's business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize himself/herself with the business plan. C. The budget is mandated by the plan. It is first necessary to review the IT plan for consistency with organizational objectives—then to ensure that the budget is appropriate. D. Current trends are important to monitor and may affect strategic decisions, but it is more important to ensure that the strategy is aligned with the business than to ensure that it is aligned with emerging trends.

Which of the following situations is addressed by a software escrow agreement? Select an answer: A. The system administrator requires access to software to recover from a disaster. B. A user requests to have software reloaded onto a replacement hard drive. C. The vendor of custom-written software goes out of business. D. An IT auditor requires access to software code written by the organization.

You are correct, the answer is C. A. Access to software should be managed by an internally managed software library. Escrow refers to the storage of software with a third party—not the internal libraries. B. Providing the user with a backup copy of software is not escrow. Escrow requires that a copy be kept with a trusted third party. C. A software escrow is a legal agreement between a software vendor and a customer, to guarantee access to source code. The application source code is held by a trusted third party, according to the contract. This agreement is necessary in the event that the software vendor goes out of business, there is a contractual dispute with the customer or the software vendor fails to maintain an update of the software as promised in the software license agreement. D. Software escrow is used to protect the intellectual property of software developed by one organization and sold to another organization. This is not used for software being reviewed by an auditor of the organization that wrote the software.

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: Select an answer: A. control self-assessments. B. a business impact analysis (BIA). C. an IT balanced scorecard (BSC). D. business process reengineering (BPR).

You are correct, the answer is C. A. Control self-assessments (CSAs) are used to improve monitoring of security controls, but are not used to align IT with organizational objectives. B. A business impact analysis (BIA) is used to calculate the impact on the business in the event of an incident that affects business operations, but it is not used to align IT with organizational objectives. C. An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. D. Business process reengineering (BPR) is an excellent tool to review and improve business processes, but is not focused on aligning IT with organizational objectives.

Which of the following would impair the independence of a quality assurance team? Select an answer: A. Ensuring compliance with development methods B. Checking the test assumptions C. Correcting coding errors during the testing process D. Checking the code to ensure proper documentation

You are correct, the answer is C. A. Ensuring compliance with development methods is a valid quality assurance function. B. Checking the test assumptions is a valid quality assurance function. C. Correction of code should not be a responsibility of the quality assurance team because it would not ensure segregation of duties and would impair the team's independence. D. Checking the code to ensure proper documentation is a valid quality assurance function.

The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the: Select an answer: A. IT budget. B. existing IT environment. C. business plan. D. investment plan

You are correct, the answer is C. A. The IT budget is important to ensure that the resources are being used in the best manner, but this is secondary to the importance of reviewing the business plan. B. The existing IT environment is important and used to determine gap analysis but is secondary to the importance of reviewing the business plan. C. One of the most important reasons for which projects get funded is how well a project meets an organization's strategic objectives. Portfolio management takes a holistic view of a company's overall IT strategy. IT strategy should be aligned with the business strategy and, hence, reviewing the business plan should be the major consideration. D. The investment plan is important to set out project priorities, but secondary to the importance of reviewing the business plan.

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? Select an answer: A. User management coordination does not exist. B. Specific user accountability cannot be established. C. Unauthorized users may have access to originate, modify or delete data. D. Audit recommendations may not be implemented.

You are correct, the answer is C. A. The greatest risk is from unauthorized users being able to modify data. User management is important but not the greatest risk. B. User accountability is important but not as great a risk as the actions of unauthorized users. C. Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that individuals could gain (be given) system access when they should not have authorization. The ability of unauthorized users being able to modify data is greater than the risk of authorized user accounts not being controlled properly. D. The failure to implement audit recommendations is a management problem but not as serious as the ability of unauthorized users making modifications.

Which of the following should be the MOST important consideration when deciding on areas of priority for IT governance implementations? Select an answer: A. Process maturity B. Performance indicators C. Business risk D. Assurance reports

You are correct, the answer is C. A. The level of process maturity will evolve as the implementation of the IT governance program occurs and may feed into the decision-making process. Those areas that represent real risk to the business should be given priority. B. The level of process performance will demonstrate the effectiveness of the program but will not be the means to establish priorities for governance. Those areas that represent real risk to the business should be given priority. C. Priority should be given to those areas which represent a known risk to the enterprise's operations. D. Audit reports will provide assurance of the effectiveness of the implementation of governance but will not determine the priorities for program. Those areas that represent real risk to the business should be given priority.

The initial step in establishing an information security program is the: Select an answer: A. development and implementation of an information security standards manual. B. performance of a comprehensive security control review by the IS auditor. C. adoption of a corporate information security policy statement. D. purchase of security access control software.

You are correct, the answer is C. A. The security program is driven by policy and the standards are driven by the program. The initial step is to have a policy and ensure that the program is based on the policy. B. Audit and monitoring of controls related to the program can only come after the program is set up. C. A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program. D. Access control software is an important security control but only after the policy and program are defined.

Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation? Select an answer: A. Time zone differences could impede communications between IT teams. B. Telecommunications cost could be much higher in the first year. C. Privacy laws could prevent cross-border flow of information. D. Software development may require more detailed specifications.

You are correct, the answer is C. A. Time zone differences are usually manageable issues for outsourcing solutions. B. Higher telecommunications costs are a part of the cost-benefit analysis and not usually a reason to retain data in-house. C. Privacy laws prohibiting the cross-border flow of personally identifiable information would make it impossible to locate a data warehouse containing customer information in another country. D. Software development typically requires more detailed specifications when dealing with offshore operations, but that is not a factor that should prohibit the outsourcing solution.

To ensure that an organization is complying with privacy requirements, an IS auditor should FIRST review: Select an answer: A. the IT infrastructure. B. organizational policies, standards and procedures. C. legal and regulatory requirements. D. adherence to organizational policies, standards and procedures.

You are correct, the answer is C. A. To comply with requirements, the IS auditor must first know what the requirements are. They can vary from one jurisdiction to another. The IT infrastructure is related to the implementation of the requirements. B. The policies of the organization are subject to the legal requirements and should be checked for compliance after the legal requirements are reviewed. C. To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures. D. Checking for compliance is only done after the IS auditor is assured that the policies, standards and procedures are aligned with the legal requirements.

The PRIMARY control purpose of required vacations or job rotations is to: Select an answer: A. allow cross-training for development. B. help preserve employee morale. C. detect improper or illegal employee acts. D. provide a competitive employee benefit.

You are correct, the answer is C. A. While cross-training is a good practice for business continuity, it is not achieved through mandatory vacations. B. It is a good practice to maintain good employee morale, but this is not a primary reason to have a required vacation policy. C. The practice of having another individual perform a job function is a control used to detect possible irregularities or fraud. D. Vacation time is a competitive benefit, but that is not a control.

An organization's disaster recovery plan (DRP) should address early recovery of: Select an answer: A. all information systems processes. B. all financial processing applications. C. only those applications designated by the IS manager. D. processing in priority order, as defined by business management.

You are correct, the answer is D. A. A disaster recovery plan (DRP) will recover most critical systems first according to business priorities. B. Depending on business priorities, financial systems may or may not be the first to be recovered. C. The business manager, not the IS manager, will determine priorities for system recovery. D. Business management should know which systems are critical and what they need to process well in advance of a disaster. It is management's responsibility to develop and maintain the plan. Adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service organizations that exist for the purpose of assisting the general user management in successfully performing their jobs.

Which of the following would an IS auditor consider to be the MOST important when evaluating an organization's IT strategy? That it: Select an answer: A. has been approved by line management. B. does not vary from the IT department's preliminary budget. C. complies with procurement procedures. D. supports the business objectives of the organization.

You are correct, the answer is D. A. A strategic plan is a senior management responsibility and would receive input from line managers, but would not be approved by them. B. The budget should not vary from the plan. C. Procurement procedures are organizational controls, but not a part of strategic planning. D. Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals.

An IS auditor is verifying IT policies and found that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST? Select an answer: A. Ignore the absence of management approval because employees follow the policies. B. Recommend immediate management approval of the policies. C. Emphasize the importance of approval to management. D. Report the absence of documented approval.

You are correct, the answer is D. A. Absence of management approval is an important (material) finding and while it is not currently an issue with relation to compliance because the employees are following the policy without approval, it may be a problem at a later time and should be resolved. B. While the IS auditor would likely recommend that the policies should be approved as soon as possible, and may also remind management of the critical nature of this issue, the first step would be to report this issue to the relevant stakeholders. C. The first step is to report the finding and provide recommendations later. D. The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee were terminated as a result of violating a company policy and it was discovered that the policies had not been approved, the company could be faced with an expensive lawsuit.

The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it: Select an answer: A. does not exceed the existing IT budget. B. is aligned with the investment strategy. C. has been approved by the IT steering committee. D. is aligned with the business plan.

You are correct, the answer is D. A. It should be identified if the project portfolio exceeds the IT budget, but it is not as critical as ensuring that it is aligned with the business plan. B. The project portfolio should be aligned with the investment strategy, but it is most important that it is aligned with the business plan. C. Appropriate approval of the project portfolio should be granted. However, not every enterprise has an IT steering committee, and this is not as critical as ensuring that the projects are aligned with the business plan. D. Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.

Which of the following is the MOST important function to be performed by IT management when a service has been outsourced? Select an answer: A. Ensuring that invoices are paid to the provider B. Participating in systems design with the provider C. Renegotiating the provider's fees D. Monitoring the outsourcing provider's performance

You are correct, the answer is D. A. Payment of invoices is a finance function, which would be completed per contractual requirements. B. Participating in systems design is a by-product of monitoring the outsourcing provider's performance. C. Renegotiating fees is usually a one-time activity and is not as important as monitoring the vendor's performance. D. In an outsourcing environment, the company is dependent on the performance of the service provider. Therefore, it is critical the outsourcing provider's performance be monitored to ensure that services are delivered to the company as required.

Which of the following is responsible for the approval of an information security policy? Select an answer: A. The IT department B. The security committee C. The security administrator D. The board of directors

You are correct, the answer is D. A. The IT department is responsible for the execution of the policy, having no authority in framing the policy. B. The security committee also functions within the broad security policy framed by the board of directors. C. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized. D. Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors.