DB Qs

An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data? a) Data retention, backup and recovery b) Return or destruction of information c) Network and intrusion detection d) A patch management process

Return or destruction of information is correct. When reviewing a third-party agreement, the most important consideration with regard to the privacy of the data is the clause concerning the return or secure destruction of information at the end of the contract. Data retention, backup and recovery is incorrect. These are important controls; however, they do not guarantee data privacy. Network and intrusion detection is incorrect. These are helpful when securing the data, but on their own, they do not guarantee data privacy stored at a third-party provider. A patch management process is incorrect. This helps secure servers and may prohibit unauthorized disclosure of data; however, it does not affect the privacy of the data.

An organization completed a business impact analysis as part of business continuity planning. The NEXT step in the process is to develop: a) a business continuity strategy. b) a test and exercise plan. c) a user training program. d) the business continuity plan.

A business continuity strategy is correct. This is the next phase because it identifies the best way to recover. The criticality of the business process, the cost, the time required to recover, and security must be considered during this phase. A test and exercise plan is incorrect. The recovery strategy and plan development precede the test plan. A user training program is incorrect. Training can only be developed once the business continuity plan (BCP) is in place. The BCP is incorrect. A strategy must be determined before the BCP is developed.

Which of the following is the MOST reasonable option for recovering a non-critical system? Warm site Mobile site Hot site Cold site

A cold site is correct. Generally, a cold site is contracted for a longer period at a lower cost. Because it requires more time to make a cold site operational, it is generally used for noncritical applications. A warm site is incorrect. This is generally available at a medium cost, requires less time to become operational and is suitable for sensitive operations that should be recovered in a moderate amount of time. A mobile site is incorrect. This is a vehicle ready with all necessary computer equipment that can be moved to any location, depending upon the need. The need for a mobile site depends upon the scale of operations. A hot site is incorrect. This is contracted for a shorter time period at a higher cost, and it is better suited for recovery of vital and critical applications.

An organization is considering making a major investment in upgrading technology. Which of the following choices is the MOST important to consider? A cost analysis The security risk of the current technology Compatibility with existing systems A risk analysis

A risk analysis is correct. Prior to implementing new technology, an organization should perform a risk analysis, which is then presented to business unit management for review and acceptance. A cost analysis is incorrect. The information system solution should be cost-effective, but this is not the most important aspect. The security risk of the current technology is incorrect. This is one of the components of the risk analysis, and alone is not the most important factor. Compatibility with existing systems is incorrect. This is one consideration; however, the new system may be a major upgrade that is not compatible with existing systems, so this is not the most important consideration.

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control? a) Walk-through with the reviewer of the operation of the control b) System-generated exception reports for the review period with the reviewer's sign-off c) A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer d) Management's confirmation of the effectiveness of the control for the review period

A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer is correct. This represents the best possible evidence of the effective operation of the control, because there is documented evidence that the reviewer reviewed the exception report and took actions based on the exception report. Walk-through with the reviewer of the operation of the control is incorrect. A walk-through highlights how a control is designed to work, but it seldom highlights the effectiveness of the control, or exceptions or constraints in the process. System-generated exception reports for the review period with the reviewer's sign-off is incorrect. Reviewer sign-off does not demonstrate the effectiveness of the control if the reviewer does not note follow-up actions for the exceptions identified. Management's confirmation of the effectiveness of the control for the review period is incorrect and suffers from lack of independence—management might be biased toward the effectiveness of the controls put in place.

A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and: length of service, because this will help ensure technical competence. age, because training in audit techniques may be impractical. IT knowledge, because this will bring enhanced credibility to the audit function. ability, as an IS auditor, to be independent of existing IT relationships.

Ability, as an IS auditor, to be independent of existing IT relationships is correct. Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities. Length of service is incorrect and does not ensure technical competency. Evaluating an individual's qualifications based on the age of the individual is incorrect and is illegal in many parts of the world. IT knowledge is incorrect. The fact that the employee has worked in IT for many years may not ensure credibility. The IS audit department's needs should be defined, and any candidate should be evaluated against those requirements.

An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking? a) An application-level gateway b) A remote access server c) A proxy server d) Port scanning

An application-level gateway is correct. This is the best way to protect against hacking because it can be configured with detailed rules that describe the type of user or connection that is or is not permitted. It analyzes, in detail, each packet—not only in layers one through four of the Open System Interconnection model, but also layers five through seven, which means that it reviews the commands of each higher-level protocol (Hypertext Transfer Protocol, File Transfer Protocol, Simple Network Management Protocol, etc.).

An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider's employees adhere to the security policies? Sign-off is required on the enterprise's security policies for all users. An indemnity clause is included in the contract with the service provider. Mandatory security awareness training is implemented for all users. Security policies should be modified to address compliance by third-party users.

An indemnity clause is included in the contract with the service provider is correct. Having the service provider sign an indemnity clause will ensure compliance to the enterprise's security policies, because any violations discovered will lead to a financial liability for the service provider. This will also prompt the enterprise to monitor security violations closely. Sign-off is required on the enterprise's security policies for all users is incorrect. Having users sign off on policies is a good practice; however, this only puts the onus of compliance on the individual user, not on the organization. Mandatory security awareness training is implemented for all users is incorrect. Awareness training is an excellent control but will not ensure that the service provider's employees adhere to policy. Security policies should be modified to address compliance by third-party users is incorrect. Modification of security policy does not ensure compliance by users unless the policies are appropriately communicated to users and enforced, and awareness training is provided.

Which of the following groups would create MOST concern to an IS auditor if they have full access to the production database? Application developers System administrators Business users Information security team

Application developers is correct. This bears the highest risk. Due to their focus on delivery of changes, they tend to bypass quality assurance controls, installing deficient changes into the production environment. System administrators is incorrect. These individuals may require full production access to conduct their administration duties; however, they should be monitored for unauthorized activity. Business users is incorrect. These individuals might not need full access to the database. Such a setup might result in negative scenarios (fraud); however, developers having direct access to the production environment is a higher concern. Information security team is incorrect. The data recovery team will need full access to make sure the complete database is recoverable.

Regression testing is undertaken PRIMARILY to ensure that: system functionality meets customer requirements. a new system can operate in the target environment. applicable development standards have been maintained. applied changes have not introduced new errors.

Applied changes have not introduced new errors is correct. Regression testing is used to test for the introduction of new errors in the system after changes have been applied. System functionality meets customer requirements is incorrect. Validation testing is used to test the functionality of the system against detailed requirements to ensure that software construction is traceable to customer requirements. A new system can operate in the target environment is incorrect. Sociability testing is used to see whether the system can operate in the target environment without adverse impacts on the existing systems. Applicable development standards have been maintained is incorrect. Software quality assurance and code reviews are used to determine whether development standards are maintained.

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should: calculate a return on investment. compute the amortization of the related assets. spend the time needed to define the loss amount exactly. apply a qualitative approach.

Apply a qualitative approach is correct. The common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). Compute the amortization of the related assets is incorrect. Amortization is used in a profit and loss statement, not in computing potential losses. Calculate a return on investment (ROI) is incorrect. A ROI is computed when there is predictable savings or revenues that can be compared to the investment needed to realize the revenues. Spend the time needed to define the loss amount exactly is incorrect. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change, and the result will be a not well-supported evaluation.

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan: incorporates state of the art technology. addresses the required operational controls. articulates the IT mission and vision. specifies project management practices.

Articulates the IT mission and vision is correct. The IT strategic plan must include a clear articulation of the IT mission and vision. Incorporates state-of-the-art technology is incorrect. The plan does not need to address state-of-the-art technology; the decision to implement new technology is dependent on the approach to risk and management strategy. Addresses the required operational controls is incorrect. The plan does not need to address operational controls because those are too granular for strategic planning. Specifies project management practices is incorrect. The plan should be implemented with proper project management, but the plan does not need to address project management practices.

An IS auditor finds that a database administrator (DBA) has read and write access to production data. The IS auditor should: a) accept the DBA access as a common practice. b) assess the controls relevant to the DBA function. c) recommend the immediate revocation of the DBA access to production data. d) review user access authorizations approved by the DBA.

Assess the controls relevant to the database administrator (DBA) function is correct. When reviewing privileged accounts, the auditor should look for compensating controls that may address a potential exposure. Accept the DBA access as a common practice is incorrect. Although granting access to production data to the DBA may be a common practice, the IS auditor should evaluate the relevant controls. Recommend the immediate revocation of the DBA access to production data is incorrect. The DBA should have access based on the principle of least privilege; unless care is taken to validate what access is required, revocation may remove access the DBA requires to do his/her job. Review user access authorizations approved by the DBA is incorrect. Granting user authorizations is the responsibility of the data owner, not the DBA, and access to production data is not generally associated with user access authorizations.

Which of the following is the responsibility of information asset owners? Implementation of information security within applications Assignment of criticality levels to data Implementation of access rules to data and programs Provision of physical and logical security for data

Assignment of criticality levels to data is correct. It is the responsibility of owners to define the criticality (and sensitivity) levels of information assets. Implementation of information security within applications is incorrect. This is the responsibility of the data custodians based on the requirements set by the data owner. Implementation of access rules to data and programs is incorrect. This is a responsibility of data custodians based on the requirements set by the data owner. Provision of physical and logical security for data is incorrect. This is the responsibility of the security administrator.

Which of the following is the PRIMARY objective of the business continuity plan process? To provide assurance to stakeholders that business operations will continue in the event of disaster To establish an alternate site for IT services to meet predefined recovery time objectives To manage risk while recovering from an event that adversely affected operations To meet the regulatory compliance requirements in the event of natural disaster

C

Which of the following antispam filtering methods has the LOWEST possibility of false-positive alerts? Rule-based Check-sum based Heuristic filtering Statistic-based

Check-sum based is correct. The advantage of this type of filtering is that it lets ordinary users help identify spam, and not just administrators, thus vastly increasing the pool of spam fighters. The disadvantage is that spammers can insert unique invisible gibberish—known as hashbusters—into the middle of each of their messages, thus making each message unique and having a different checksum. This leads to an arms race between the developers of the checksum software and the developers of the spam-generating software. Rule-based is incorrect. This will trigger a false-positive alert each time a keyword is met in the message. Heuristic filtering is incorrect. A heuristic is a technique designed for solving a problem more quickly when classic methods are too slow, or for finding an approximate solution when classic methods fail to find any exact solution. This is achieved by trading optimality, completeness, accuracy, or precision for speed. In a way, it can be considered a shortcut. Statistic-based is incorrect. Statistical filtering analyzes the frequency of each word within the message and then evaluates the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds; however, it is prone to false-positive alerts.

Which of the following is the GREATEST risk to the effectiveness of application system controls? Removal of manual processing steps Inadequate procedure manuals Collusion between employees Unresolved regulatory compliance issues

Collusion between employees is correct. Collusion is an active attack where users collaborate to bypass controls such as separation of duties. Such breaches may be difficult to identify because even well-thought-out application controls may be circumvented. Removal of manual processing steps is incorrect. Automation should remove manual processing steps wherever possible. The only risk would be the removal of manual security controls without replacement with automated controls. Inadequate procedure manuals is incorrect. The lack of documentation is a problem on many systems but not a serious risk in most cases. Unresolved regulatory compliance issues is incorrect. Unresolved compliance issues are a risk but do not measure the effectiveness of the controls.

An IS auditor was asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed? Require the vendor to provide monthly status reports. Have periodic meetings with the client IT manager. Conduct periodic audit reviews of the vendor. Require that performance parameters be stated within the contract.

Conduct periodic audit reviews of the vendor is correct. Conducting periodic reviews of the vendor ensures that the agreements within the contract are completed in a satisfactory manner. Without future audit reviews after the contract is signed, service level agreements and the client's requirements for security controls may become less of a focus for the vendor, and the results may slip. Periodic audit reviews allow the client to take a look at the vendor's current state to ensure that the vendor is one with which they want to continue to work. Require the vendor to provide monthly status reports is incorrect. Although providing monthly status reports may show that the vendor is meeting contract terms, without independent verification these data may not be reliable. Have periodic meetings with the client IT manager is incorrect. Having periodic meetings with the client IT manager will assist with understanding the current relationship with the vendor, but meetings may not include vendor audit reports, status reports and other information that a periodic audit review would take into consideration. Require that performance parameters be stated within the contract is incorrect. Requiring that performance parameters be stated within the contract is important, but only if periodic reviews are performed to determine that performance parameters are met.

While auditing an e-commerce architecture, an IS auditor notes that customer master data are stored on the web server for six months after the transaction date and then purged due to inactivity. Which of the following should be the PRIMARY concern for the IS auditor? Availability of customer data Integrity of customer data Confidentiality of customer data System storage performance

Confidentiality of customer data is correct. Due to its exposure to the Internet, storing customer data for six months raises concerns regarding confidentiality of customer data. Availability of customer data is incorrect. This may be affected during an Internet connection outage, but this is of a lower concern than confidentiality. Integrity of customer data is incorrect. This is affected only if security controls are weak enough to permit unauthorized modifications to the data, and it may be tracked by logging of changes. Confidentiality of data is a larger concern. System storage performance is incorrect. This may be a concern due to the volume of data. However, the bigger issue is that the information is protected.

After reviewing the disaster recovery planning process of an organization, an IS auditor requests a meeting with organization management to discuss the findings. Which of the following BEST describes the main goal of this meeting? a) Obtaining management approval of the corrective action plan. b) Confirming factual accuracy of the findings. c) Assisting management in the implementation of corrective actions. d) Prioritizing the resolution of the items.

Confirm factual accuracy of the findings is correct. The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on or respond to recommendations for corrective action. Obtain management approval of the corrective action plan is incorrect. Management approval of the corrective action plan is not required. Management can elect to implement another corrective action plan to address the risk. Assist management in the implementation of corrective actions is incorrect. Implementation of corrective actions should be done after the factual accuracy of findings is established, but the work of implementing corrective action is not typically assigned to the IS auditor, because this impairs the auditor's independence. Prioritize the resolution of the items is incorrect. Rating the audit findings provides guidance to management for allocating resources to the high-risk items first.

The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan? Contact information of key personnel Server inventory documentation Individual roles and responsibilities Procedures for declaring a disaster

Contact information of key personnel is correct. In the event of a disaster, it is important to have a current, updated list of personnel who are key to the operation of the plan. Server inventory documentation is incorrect. Asset inventory is important and should be linked to the change management process of the organization, but having access to key people may compensate for outdated records. Individual roles and responsibilities is incorrect. These are important, but in a disaster many people could fill different roles depending on their experience. Procedures for declaring a disaster is incorrect. These are important because they can affect response, customer perception and regulatory issues, but not as important as having the right people there when needed.

Which of the following should an incident response team address FIRST after a major incident in an information processing facility? Restoration at the facility Documentation of the facility Containment at the facility Monitoring of the facility

Containment at the facility is correct. The first priority (after addressing life safety) is the containment of the incident at the facility so that spread of the damage is minimized. The incident team must gain control of the situation. Restoration at the facility is incorrect. Restoration ensures that the affected systems or services are restored to a condition specified in the restore point objective. This action will be possible only after containment of the damage. Documentation of the facility is incorrect. This should be prepared to inform management of the incident; however, damage must be contained first. Monitoring of the facility is incorrect. This is important, although containment must take priority to avoid spread of the damage.

While reviewing a quality management system, the IS auditor should PRIMARILY focus on collecting evidence to show that: quality management systems comply with good practices. continuous improvement targets are being monitored. standard operating procedures of IT are updated annually. key performance indicators are defined.

Continuous improvement targets are being monitored is correct. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS). Quality management systems comply with good practices is incorrect. Generally, good practices are adopted according to business requirements. Therefore, conforming to good practices may or may not be a requirement of the business. Standard operating procedures of IT are updated annually is incorrect. Updating operating procedures is part of implementing the QMS; however, it must be part of change management and not an annual activity. Key performance indicators are defined is incorrect. Key performance indicators may be defined in a QMS, but they are of little value if they are not being monitored.

As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis? Risk such as single point-of-failure and infrastructure risk Threats to critical business processes Critical business processes for ascertaining the priority for recovery Resources required for resumption of business

Critical business processes for ascertaining the priority for recovery is correct. The identification of critical business processes should be addressed first so that the priorities and time lines for recovery can be documented. Risk such as single point-of-failure and infrastructure risk is incorrect. Risk should be identified after the critical business processes have been identified. Threats to critical business processes is incorrect. The identification of threats to critical business processes can only be determined after the critical business processes have been identified. Resources required for resumption of business is incorrect. Identification of resources required for business resumption will occur after the identification of critical business processes.

Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan? Prioritize the identified risk. Define the audit universe. Identify the critical controls. Determine the testing approach.

Define the audit universe is correct. In a risk-based audit approach, the IS auditor identifies risk to the organization based on the nature of the business. To plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix. Prioritize the identified risk is incorrect. After the audit universe is defined, the IS auditor can prioritize risk based on its overall impact on different operational areas of the organization covered under the audit universe. Identify the critical controls is incorrect. The controls that help in mitigating high-risk areas are generally critical controls and their effectiveness provides assurance on mitigation of risk. However, this cannot be done unless the types of risk are ranked. Determine the testing approach is incorrect. The testing approach is based on the risk ranking.

An IS auditor is developing an audit plan for an environment that includes new systems. The organization's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond? a) Audit the new systems as requested by management. b) Audit systems not included in last year's scope. c) Determine the highest-risk systems and plan accordingly. d) Audit both the systems not in last year's scope and the new systems

Determine the highest-risk systems and plan accordingly is the correct answer. The best action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources." Audit the new systems as requested by management is incorrect and does not reflect a risk-based approach. Although the system can contain sensitive data and may present risk of data loss or disclosure to the organization, without a risk assessment, the decision to solely audit the newly implemented system is not a risk-based decision. Audit systems not included in last year's scope is incorrect and does not reflect a risk-based approach. In addition, management may know about problems with the new system and may be intentionally trying to steer the audit away from that vulnerable area. Although, at first, the new system may seem to be the riskiest area, an assessment must be conducted rather than relying on the judgment of the IS auditor or IT manager. Audit both the systems not in last year's scope and the new systems is incorrect. The creation of the audit plan should be performed in cooperation with management and based on risk. The IS auditor should not arbitrarily decide on what needs to be audited.

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers? Minimizing costs for the services provided Prohibiting the provider from subcontracting services Evaluating the process for transferring knowledge to the IT department Determining if the services were provided as contracted

Determining if the services were provided as contracted is correct. From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements. Minimizing costs for the services provided is incorrect. Minimizing costs, if applicable and achievable (depending on the customer's need), is traditionally not part of an IS auditor's job. This would normally be done by a line management function within the IT department. Furthermore, during an audit, it is too late to minimize the costs for existing provider arrangements. Prohibiting the provider from subcontracting services is incorrect. Subcontracting providers could be a concern but would not be the primary concern. This should be addressed in the contract. Evaluating the process for transferring knowledge to the IT department is incorrect. Transferring knowledge to the internal IT department might be desirable under certain circumstances but should not be the primary concern of an IS auditor when auditing IT service providers and the management thereof.

An IS auditor performing an audit has determined that developers have been granted administrative access to the virtual machine management console to manage their own servers used for software development and testing. Which of the following choices would be of MOST concern for the IS auditor? Developers have the ability to create or de-provision servers. Developers could gain elevated access to production servers. Developers can affect the performance of production servers with their applications. Developers could install unapproved applications to any servers.

Developers have the ability to create or de-provision servers is correct. Virtualization offers the ability to create or destroy virtual machines (VMs) through the administrative interface with administrative access. While a developer would be unlikely to de-provision a production server, the administrative console would grant him/her the ability to do this, which would be a significant risk. Developers could gain elevated access to production servers is incorrect. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest operating system (OS) to access the server. In this case, while the developers could potentially start, stop or even de-provision a production VM, they could not gain elevated access to the OS of the guest through the administrative interface. Developers can affect the performance of production servers with their applications is incorrect. While there could be instances where a software development team might use resource-intensive applications that could cause performance issues for the virtual host, the greater risk would be the ability to de-provision VMs. Developers could install unapproved applications to any servers is incorrect. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest OS to access the server; therefore, the concern that unauthorized software could be installed is not valid.

An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk? Pilot Parallel Direct cutover Phased

Direct cutover is correct. This implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. This is the riskiest approach and may cause a significant impact on the organization. Pilot is incorrect. All other alternatives are done gradually and, thus, provide greater recoverability and are less risky. A pilot implementation is the implementation of the system at a single location or region and then a rollout of the system to the rest of the organization after the application and implementation plan have been proven to work correctly at the pilot location. Parallel is incorrect. A parallel test requires running both the old and new system in parallel for a time period. This would highlight any problems or inconsistencies between the old and new systems. Phased is incorrect. A phased approach is used to implement the system in phases or sections—this minimizes the overall risk by only affecting one area at a time.

An organization discovers that the computer of the chief financial officer has been infected with malware that includes a keystroke logger and a rootkit. The FIRST action to take would be to: a) contact the appropriate law enforcement authorities to begin an investigation. b) immediately ensure that no additional data are compromised. c) disconnect the PC from the network. d) update the antivirus signature on the PC to ensure that the malware or virus is detected and removed.

Disconnect the PC from the network is correct. The most important task is to prevent further data compromise and preserve evidence by disconnecting the computer from the network.

Which of the following types of penetration tests effectively evaluates the incident handling and response capability of the system administrator? Targeted testing Internal testing Double-blind testing External testing

Double-blind testing is correct. In double-blind testing, the penetration tester has little or limited knowledge about the target system, and personnel at the target site have not been informed that a test is being performed. Because the administrator and security staff at the target are not aware of the test, it can effectively evaluate the incident handling and response capability of the system administrator. Targeted testing is incorrect. In targeted testing, penetration testers are provided with information related to target and network design and the target's IT team is aware of the testing activities. Internal testing is incorrect. This refers to attacks and control circumvention attempts on the target from within the perimeter. The system administrator is typically aware of the testing activities. External testing is incorrect. This is a generic term that refers to attacks and control circumvention attempts on the target from outside the target system. The system administrator may or may not be aware of the testing activities, so this is not the correct answer. (Note: Rather than concentrating on specific terms, CISA candidates should understand the differences between various types of penetration testing.)

The phases and deliverables of a system development life cycle project should be determined: during the initial planning stages of the project. after early planning has been completed but before work has begun. throughout the work stages, based on risk and exposures. only after all risk and exposures have been identified and the IS auditor has recommended appropriate controls.

During the initial planning stages of the project is correct. It is extremely important that the project be planned properly, and that the specific phases and deliverables are identified during the early stages of the project. This enables project tracking and resource management. After early planning has been completed but before work has begun is incorrect. Determining the deliverables and time lines of a project are a part of the early project planning work. Throughout the work stages, based on risk and exposures is incorrect. The requirements may change over the life of a project, but the initial deliverables should be documented from the beginning of the project. Only after all risk and exposures have been identified and the IS auditor has recommended appropriate controls is incorrect. Risk management is a never-ending process, so project planning cannot wait until all risk has been identified.

Depending on the complexity of an organization's business continuity plan (BCP), it may be developed as a set of plans to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that: a) each plan is consistent with one another. b) all plans are integrated into a single plan. c) each plan is dependent on one another. d) the sequence for implementation of all plans is defined.

Each plan is consistent with one another is correct. Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery, but the plans must be consistent to be effective. All plans are integrated into a single plan is incorrect. The plans do not necessarily have to be integrated into one single plan. Each plan is dependent on one another is incorrect. Although each plan may be independent, each plan has to be consistent with other plans to have a viable business continuity planning strategy. The sequence for implementation of all plans is defined is incorrect. It may not be possible to define a sequence in which plans have to be implemented because it may be dependent on the nature of disaster, criticality, recovery time, etc.

The PRIMARY benefit of implementing a security program as part of a security governance framework is the: alignment of the IT activities with IS audit recommendations. enforcement of the management of security risk. implementation of the chief information security officer's recommendations. reduction of the cost for IT security.

Enforcement of the management of security risk is correct. The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level, and monitoring of the residual risk. Alignment of the IT activities with IS audit recommendations is incorrect. Recommendations, visions and objectives of the IS auditor are usually addressed within a security program, but they would not be the major benefit. Implementation of the chief information security officer's recommendations is incorrect. Recommendations, visions and objectives of the chief information security officer are usually included within a security program, but they would not be the major benefit. Reduction of the cost for IT security is incorrect. The cost of IT security may or may not be reduced.

A new application has been purchased from a vendor and is about to be implemented. Which of the following choices is a key consideration when implementing the application? Preventing the compromise of the source code during the implementation process Ensuring that vendor default accounts and passwords have been disabled Removing the old copies of the program from escrow to avoid confusion Verifying that the vendor is meeting support and maintenance agreements

Ensuring that vendor default accounts and passwords have been disabled is correct. Disabling vendor default accounts and passwords is a critical part of implementing a new application. Preventing the compromise of the source code during the implementation process is incorrect. The source code may not even be available to the purchasing organization, and it is the executable or object code that must be protected during implementation. Removing the old copies of the program from escrow to avoid confusion is incorrect. Because this is a new application, there should not be any problem with older versions in escrow. Verifying that the vendor is meeting support and maintenance agreements is incorrect. It is not possible to ensure that the vendor is meeting support and maintenance requirements until the system is operating.

A certificate authority (CA) can delegate the processes of: revocation and suspension of a subscriber's certificate. generation and distribution of the CA public key. establishing a link between the requesting entity and its public key. issuing and distributing subscriber certificates.

Establishing a link between the requesting entity and its public key is correct. This is a function of a registration authority, which may or may not be performed by a CA; therefore, this function can be delegated. Revocation and suspension of a subscriber's certificate is incorrect. These are functions of the subscriber certificate life cycle management, which the certificate authority (CA) must perform. Generation and distribution of the CA public key is incorrect. This is a part of the CA key life cycle management process and, as such, cannot be delegated. Issuing and distributing subscriber certificates is incorrect. These are functions of the subscriber certificate life cycle management, which the CA must perform.

An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation? Existing IT mechanisms enabling compliance Alignment of the policy to the business strategy Current and future technology initiatives Regulatory compliance objectives defined in the policy

Existing IT mechanisms enabling compliance is correct. The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy. Alignment of the policy to the business strategy is incorrect. Policies should be aligned with the business strategy, but this does not affect an organization's ability to comply with the policy upon implementation. Current and future technology initiatives is incorrect. They should be driven by the needs of the business and would not affect an organization's ability to comply with the policy. Regulatory compliance objectives defined in the policy is incorrect. Regulatory compliance objectives may be defined in the IT policy, but that would not facilitate compliance with the policy. Defining objectives would only result in the organization knowing the desired state and would not aid in achieving compliance.

An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk? Undocumented approval of some project changes Faulty migration of historical data from the old system to the new system Incomplete testing of the standard functionality of the ERP subsystem Duplication of existing payroll permissions on the new ERP subsystem

Faulty migration of historical data from the old system to the new system is correct. The most significant risk after a payroll system conversion is loss of data integrity and not being able to pay employees in a timely and accurate manner or have records of past payments. As a result, maintaining data integrity and accuracy during migration is paramount. Undocumented approval of some project changes is incorrect. Undocumented changes (leading to scope creep) are a risk, but the greatest risk is the loss of data integrity when migrating data from the old system to the new system. Incomplete testing of the standard functionality of the enterprise resource planning (ERP) subsystem is incorrect. A lack of testing is always a risk; however, in this case, the new payroll system is a subsystem of an existing commercially available (and therefore probably well-tested) system. Duplication of existing payroll permissions on the new ERP subsystem is incorrect. Setting up the new system, including access permissions and payroll data, always presents some level of risk; however, the greatest risk is related to the migration of data from the old system to the new system.

The MOST serious challenge in the operation of an intrusion detection system is: filtering false positive alerts. learning vendor specific protocols. updating vendor-specific protocols. blocking eligible connections.

Filtering false positive alerts is correct. Because of the configuration and the way intrusion detection system (IDS) technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents—false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls (such as IDS tuning) and incident handling procedures (such as the screening process) to know if an event is a security incident or a false positive.

In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table? Foreign key Primary key Secondary key Public key

Foreign key is correct. In a relational database with referential integrity, the use of foreign keys would prevent events such as primary key changes and record deletions, resulting in orphaned relations within the database. Primary key is incorrect. It should not be possible to delete a row from a customer table when the customer number (primary key) of that row is stored with live orders on the orders table (the foreign key to the customer table). A primary key works in one table so it is not able to provide/ensure referential integrity by itself. Secondary key is incorrect. Secondary keys that are not foreign keys are not subject to referential integrity checks. Public key is incorrect. A public key is related to encryption and not linked in any way to referential integrity.

During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next? a) Recommend redesigning the change management process. b) Gain more assurance on the findings through root cause analysis. c) Recommend that program migration be stopped until the change process is documented. d) Document the finding and present it to management.

Gain more assurance on the findings through root cause analysis is correct. A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management. Recommend redesigning the change management process is incorrect. While it may be necessary to redesign the change management process, this cannot be done until a root cause analysis is conducted to determine why the current process is not being followed. Recommend that program migration be stopped until the change process is documented is incorrect. A business relies on being able to make changes when necessary, and security patches must often be deployed promptly. It would not be feasible to halt all changes until a new process is developed. Document the finding and present it to management is incorrect. The results of the audit including the findings of noncompliance will be delivered to management once a root cause analysis of the issue has been completed.

The FIRST step in a successful attack to a system is: gathering information. gaining access. denying services. evading detection.

Gathering information is correct. Successful attacks start by gathering information about the target system. This is done in advance so that the attacker gets to know the target systems and the potential vulnerabilities that can be exploited in the attack. Gaining access is incorrect. Once attackers have discovered potential vulnerabilities through information gathering, they will usually attempt to gain access. Denying services is incorrect. An attacker will usually launch a denial of service as one of the last steps in the attack. Evading detection is incorrect. When attackers have gained access and possibly infected the victim with a rootkit, they will delete audit logs and take other steps to hide their tracks.

An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment? Commands typed on the command line are logged. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs. Access to the operating system command line is granted through an access restriction tool with preapproved rights. Software development tools and compilers have been removed from the production environment.

Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs is correct. The matching of hash keys over time would allow detection of changes to files. Commands typed on the command line are logged is incorrect. Having a log is not a control; reviewing the log is a control. Access to the operating system command line is granted through an access restriction tool with preapproved rights is incorrect. Because the access was already granted at the command line level, it will be possible for the developers to bypass the control. Software development tools and compilers have been removed from the production environment is incorrect. Removing the tools from the production environment will not mitigate the risk of unauthorized activity by the developers.

Which of the following would MOST effectively enhance the security of a challenge-response based authentication system? Selecting a more robust algorithm to generate challenge strings Implementing measures to prevent session hijacking attacks Increasing the frequency of associated password changes Increasing the length of authentication strings

Implementing measures to prevent session hijacking attacks is correct. Challenge-response-based authentication is prone to session hijacking or man-in-the-middle attacks. Security management should be aware of this and engage in risk assessment and control design such as periodic authentication when they employ this technology. Selecting a more robust algorithm to generate challenge strings is incorrect. This will enhance the security; however, this may not be as important in terms of risk mitigation when compared to man-in-the-middle attacks. Increasing the frequency of associated password changes is incorrect. Frequently changing passwords is a good security practice; however, the exposures lurking in communication pathways may pose a greater risk. Increasing the length of authentication strings is incorrect. This will not prevent man-in-the-middle or session hijacking attacks.

The risk of dumpster diving is BEST mitigated by: implementing security awareness training. placing shred bins in copy rooms. developing a media disposal policy. placing shredders in individual offices.

Implementing security awareness training is correct. Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items. Placing shred bins in copy rooms is incorrect. The shred bins may not be properly used if users are not aware of proper security techniques. Developing a media disposal policy is incorrect. A media disposal policy is a good idea; however, if users are not aware of the policy it may not be effective. Placing shredders in individual offices is incorrect. The shredders may not be properly used if users are not aware of proper security techniques.

During the development of an application, quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be: increased maintenance. improper documentation of testing. improper acceptance of a program. delays in problem resolution.

Improper acceptance of a program is correct. The major risk of combining quality assurance testing and user acceptance testing is that the users may apply pressure to accept a program that meets their needs even though it does not meet quality assurance standards. Increased maintenance is incorrect. The method of testing used will not affect the maintenance of the system. Improper documentation of testing is incorrect. Quality assurance and user acceptance testing are often led by business representatives according to a defined test plan. The combination of these two tests will not affect documentation. Delays in problem resolution is incorrect. The method of testing should not affect the time lines for problem resolution.

An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement between the organization and vendor should be the provisions for: documentation of staff background checks. independent audit reports or full audit access. reporting the year-to-year incremental cost reductions. reporting staff turnover, development or training.

Independent audit reports or full audit access is correct. When the functions of an IT department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. Documentation of staff background checks is incorrect. Although it is necessary to document the fact that background checks are performed, this is only one of the provisions that should be in place for audits. Reporting the year-to-year incremental cost reductions is incorrect. Financial measures such as year-to-year incremental cost reductions are desirable to have in a service level agreement (SLA); however, cost reductions are not as important as the availability of independent audit reports or full audit access. Reporting staff turnover, development or training is incorrect. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but this is not as important as the requirements for independent reports or full audit access by the outsourcing organization.

During the requirements definition stage of a proposed enterprise resource planning system, the project sponsor requests that the procurement and accounts payable modules be linked. Which of the following test methods would be the BEST to perform? Unit testing Integration testing Sociability testing Quality assurance testing

Integration testing is correct. This is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by design. Unit testing is incorrect. This is a technique that is used to test program logic within a particular program or module and does not specifically address the linkage between software modules. Integration testing is the best answer. Sociability testing is incorrect. This confirms that the new or modified system can operate in its target environment without adversely impacting existing systems and does not specifically address the linkage between software modules. Integration testing is the best answer. Quality assurance testing is incorrect. This is primarily used to ensure that the logic of the application is correct and does not specifically address the linkage between software modules. Integration testing is the best answer.

Applying a digital signature to data traveling in a network provides: confidentiality and integrity. security and nonrepudiation. integrity and nonrepudiation. confidentiality and nonrepudiation.

Integrity and nonrepudiation is correct. A digital signature is created by signing a hash of a message with the private key of the sender. This provides for the integrity (through the hash) and the proof of origin (nonrepudiation) of the message. Confidentiality and integrity is incorrect. A digital signature does not encrypt the message, so it cannot provide confidentiality. Security and nonrepudiation is incorrect. A digital signature does not encrypt the message, so it cannot provide security. Confidentiality and nonrepudiation is incorrect. A digital signature does not provide confidentiality.

To support an organization's goals, an IT department should have: a low-cost philosophy. long- and short-term plans. leading-edge technology. plans to acquire new hardware and software.

Long- and short-term plans is correct. To ensure its contribution to the realization of an organization's overall goals, the IT department should have long- and short-range plans that are consistent with the organization's broader and strategic plans for attaining its goals. A low-cost philosophy is incorrect. This is one objective, but more important is the cost-benefit and the relation of IT investment cost to business strategy. Leading-edge technology is incorrect. This is an objective, but IT plans would be needed to ensure that those plans are aligned with organizational goals. Plans to acquire new hardware and software is incorrect. This could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals.

Which of the following BEST describes the role of a directory server in a public key infrastructure? a) Encrypts the information transmitted over the network b) Makes other users' certificates available to applications c) Facilitates the implementation of a password policy d) Stores certificate revocation lists

Makes other users' certificates available to applications is correct. A directory server makes other users' certificates available to applications. Encrypts the information transmitted over the network is incorrect. This is a role performed by a security server. Facilitates the implementation of a password policy is incorrect. This is not relevant to public key infrastructure. Stores certificate revocation lists is incorrect. This is a role performed by a security server.

What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network? Malicious code could be spread across the network. The VPN logon could be spoofed. Traffic could be sniffed and decrypted. The VPN gateway could be compromised.

Malicious code could be spread across the network is correct. Virtual private network (VPN) is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization's network. One problem is when the VPN terminates inside the network and the encrypted VPN traffic goes through the firewall. This means that the firewall cannot adequately examine the traffic. The VPN logon could be spoofed is incorrect. A secure VPN solution would use two-factor authentication to prevent spoofing. Traffic could be sniffed and decrypted is incorrect. Sniffing encrypted traffic does not generally provide an attack vector for its unauthorized decryption. The VPN gateway could be compromised is incorrect. A misconfigured or poorly implemented VPN gateway could be subject to attack, but if it is located in a secure subnet, then the risk is reduced.

During the review of an in-house developed application, the GREATEST concern to an IS auditor is if a: user raises a change request and tests it in the test environment. programmer codes a change in the development environment and tests it in the test environment. manager approves a change request and then reviews it in production. manager initiates a change request and subsequently approves it.

Manager initiates a change request and subsequently approves it is correct. Initiating and subsequently approving a change request violates the principle of segregation of duties. A person should not be able to approve their own requests. User raises a change request and tests it in the test environment is incorrect. Having a user involved in testing changes is common practice. Programmer codes a change in the development environment and tests it in the test environment is incorrect. Having a programmer code a change in development and then separately test the change in a test environment is a good practice and preferable over testing in production. Manager approves a change request and then reviews it in production is incorrect. Having a manager review a change to make sure it was done correctly is an acceptable practice.

An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. This logging is: an effective preventive control. a valid detective control. not an adequate control. a corrective control.

Not an adequate control is correct. Generation of an activity log is not a control by itself. It is the review of such a log that makes the activity a control (i.e., generation plus review equals control). An effective preventive control is incorrect. Generation of an activity log is not a preventive control because it cannot prevent inappropriate access. A valid detective control is incorrect. Generation of an activity log is not a detective control because it does not help in detecting inappropriate access unless it is reviewed by appropriate personnel. A corrective control is incorrect. Generation of an activity log is not a corrective control because it does not correct the effect of inappropriate access.

An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low-risk application. The BEST course of action for the IS auditor is to: recommend that mandatory access control (MAC) be implemented. report this as a finding to upper management. report this to the data owners to determine whether it is an exception. not report this issue because discretionary access controls are in place.

Not report this issue because discretionary access controls are in place is correct. Discretionary access control (DAC) allows data owners to modify access, which is a normal procedure and is a characteristic of DAC. Recommend that mandatory access control be implemented is incorrect. It is more appropriate for data owners to have DAC in a low-risk application. Report this as a finding to upper management is incorrect. The use of DAC may not be an exception and, until confirmed, should not be reported as an issue. Report this to the data owners to determine whether it is an exception is incorrect. While an IS auditor may consult with data owners regarding whether this access is allowed normally, the IS auditor should not rely on the auditee to determine whether this is an issue.

Which of the following tasks should be performed FIRST when preparing a disaster recovery plan? a) Develop a recovery strategy. b) Perform a business impact analysis. c) Map software systems, hardware and network components. d) Appoint recovery teams with defined personnel, roles and hierarchy.

Perform a business impact analysis (BIA) is correct. The first step in any disaster recovery plan is to perform a BIA.

While conducting an IS audit of a service provider for a government program involving confidential information, an IS auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met? Monthly committee meetings include the subcontractor's IS manager Management reviews weekly reports from the subcontractor Permission is obtained from the government agent regarding the contract Periodic independent audit of the work delegated to the subcontractor

Periodic independent audit of the work delegated to the subcontractor is correct. Periodic independent audits provide reasonable assurance that the requirements for protecting confidentiality of information are not compromised. Monthly committee meetings include the subcontractor's IS manager is incorrect. Regular committee meetings are a good monitoring tool for delegated operations; however, independent reviews provide better assurance. Management reviews weekly reports from the subcontractor is incorrect. Management should not only rely on self-reported information from the subcontractor. Permission is obtained from the government agent regarding the contract is incorrect. Obtaining permission from the government agent is not related to ensuring the confidentiality of information.

An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find? Use of a capability maturity model Regular monitoring of task-level progress against schedule Extensive use of software development tools to maximize team productivity Post iteration reviews that identify lessons learned for future use in the project

Post iteration reviews that identify lessons learned for future use in the project is correct. A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that the team considers and documents what worked well and what could have worked better at the end of each iteration and identifies improvements to be implemented in subsequent iterations. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from four to eight weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant. Use of a capability maturity model is incorrect. The capability maturity model places heavy emphasis on predefined formal processes and formal project management and software development deliverables, while agile software development projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics. Regular monitoring of task-level progress against schedule is incorrect. Task-level tracking is not used because daily meetings identify challenges and impediments to the project. Extensive use of software development tools to maximize team productivity is incorrect. Agile projects make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance.

Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power? Power line conditioners Surge protective devices Alternative power supplies Interruptible power supplies

Power line conditioners is correct. These are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. Surge protective devices is incorrect. These protect against high-voltage bursts. Alternative power supplies is incorrect. These are intended for power failures that last for longer periods and are normally coupled with other devices such as an uninterruptible power supply to compensate for the power loss until the alternate power supply becomes available. Interruptible power supplies is incorrect. These would cause the equipment to come down whenever there was a power failure.

The BEST method of confirming the accuracy of a system tax calculation is by: review and analysis of the source code of the calculation programs. recreating program logic using generalized audit software to calculate monthly totals. preparing simulated transactions for processing and comparing the results to predetermined results. automatic flowcharting and analysis of the source code of the calculation programs.

Preparing simulated transactions for processing and comparing the results to predetermined results is correct and is the best method for confirming the accuracy of a tax calculation. Review and analysis of the source code of the calculation programs is incorrect. A review of source code is not an effective method of ensuring that the calculation is being computed correctly. Recreating program logic using generalized audit software to calculate monthly totals is incorrect. Recreating program logic may lead to errors, and monthly totals are not accurate enough to ensure correct computations. Automatic flowcharting and analysis of the source code of the calculation programs is incorrect. Flowcharting and analysis of source code are not effective methods to address the accuracy of individual tax calculations.

The PRIMARY purpose of a post-implementation review is to ascertain that: the lessons learned have been documented. future enhancements can be identified. the project has been delivered on time and budget. project objectives have been met.

Project objectives have been met is correct. A project manager performs a post-implementation review to obtain feedback regarding the project deliverables and business needs and to determine whether the project has successfully met them. The lessons learned have been documented is incorrect. It is important to ensure that lessons learned during the project are not forgotten; however, it is more important to ascertain whether the project solved the problem it was designed to address. Future enhancements can be identified is incorrect. Identifying future enhancements is not the primary objective of a post-implementation review. The project has been delivered on time and budget is incorrect. Although it is important to review whether the project was completed on time and budget, it is more important to determine whether the project met the business needs.

Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production? Provide and monitor separate developer login IDs for programming and for production support. Capture activities of the developer in the production environment by enabling detailed audit trails. Back up all affected records before allowing the developer to make production changes. Ensure that all changes are approved by the change manager prior to implementation.

Provide and monitor separate developer login IDs for programming and for production support is correct. Providing separate login IDs that would only allow a developer privileged access when required is a good compensating control, but it must also be backed up with monitoring and supervision of the activity of the developer. Capture activities of the developer in the production environment by enabling detailed audit trails is incorrect. While capturing activities of the developer via audit trails or logs would be a good practice, the control would not be effective unless these audit trails are reviewed on a periodic basis. Back up all affected records before allowing the developer to make production changes is incorrect. This would allow for rollback in case of an error but would not prevent or detect unauthorized changes. Ensure that all changes are approved by the change manager prior to implementation is incorrect. Even though changes are approved by the change manager, a developer with full access can easily circumvent this control.

Change control for business application systems being developed using prototyping could be complicated by the: iterative nature of prototyping. rapid pace of modifications in requirements and design. emphasis on reports and screens. lack of integrated tools.

Rapid pace of modifications in requirements and design is correct. Changes in requirements and design happen so quickly that they are seldom documented or approved. Iterative nature of prototyping is incorrect. A characteristic of prototyping is its iterative nature, but it does not have an adverse effect on change control. Emphasis on reports and screens is incorrect. A characteristic of prototyping is its emphasis on reports and screens, but it does not have an adverse effect on change control. Lack of integrated tools is incorrect. This is a characteristic of prototyping, but it does not have an adverse effect on change control.

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system? Dumping the memory content to a file Generating disk images of the compromised system Rebooting the system Removing the system from the network

Rebooting the system is correct. This may result in a change in the system state and the loss of files and important evidence stored in memory. Dumping the memory content to a file is incorrect. Copying the memory contents is a normal forensics procedure where possible. Done carefully, it will not corrupt the evidence. Generating disk images of the compromised system is incorrect. Proper forensics procedures require creating two copies of the images of the system for analysis. Hash values ensure that the copies are accurate. Removing the system from the network is incorrect. When investigating a system, it is recommended to disconnect it from the network to minimize external infection or access.

After a disaster declaration, the media creation date at a warm recovery site is based on the: recovery point objective. recovery time objective. service delivery objective. maximum tolerable outage.

Recovery point objective (RPO) is correct. This is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The media creation date will reflect the point to which data are to be restored, or the RPO. Recovery time objective is incorrect. This is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. Service delivery objective is incorrect. This is directly related to the business needs and is the level of service to be reached during the alternate process mode until the normal situation is restored. Maximum tolerable outage is incorrect. This is the maximum time that an organization can support processing in alternate mode.

To address an organization's disaster recovery requirements, backup intervals should not exceed the: a) service level objective. b) recovery time objective. c) recovery point objective. d) maximum acceptable outage.

Recovery point objective is correct. This defines the point in time to which data must be restored after a disaster to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time frame. If the backups are not done frequently enough, then too much data is likely to be lost. Service level objective is incorrect. Organizations will try to set service level objectives to meet established business targets. The resulting time in the service level agreement relates to recovery of services, not to recovery of data. Recovery time objective (RTO) is incorrect. This defines the time period after the disaster in which normal business functionality needs to be restored. Maximum acceptable outage (MAO) is incorrect. This is the maximum amount of system downtime that is tolerable. It can be used as a synonym for maximum tolerable period of disruption or maximum allowable downtime. However, the RTO denotes an objective/target, while the MAO constitutes a vital necessity for an organization's survival.

An IS auditor is verifying IT policies and finds that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST? a) Ignore the absence of management approval because employees follow the policies. b) Recommend immediate management approval of the policies. c) Emphasize the importance of approval to management. d) Report the absence of documented approval.

Report the absence of documented approval is correct. The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee was terminated as a result of violating an organization policy, and it was discovered that the policies had not been approved, the organization may face an expensive lawsuit. The first step is to report the finding; recommendations are provided later.

Which of the following is the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? Requirements should be tested in terms of importance and frequency of use. Test coverage should be restricted to functional requirements. Automated tests should be performed through the use of scripting. The number of required test runs should be reduced by retesting only defect fixes.

Requirements should be tested in terms of importance and frequency of use is correct. Maximize the usefulness of testing by concentrating on the most important aspects of the system and on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements, because complexity tends to increase the likelihood of defects. Test coverage should be restricted to functional requirements is incorrect. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored. Automated tests should be performed through the use of scripting is incorrect. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative. The number of required test runs should be reduced by retesting only defect fixes is incorrect. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress (i.e., introduced errors in parts of the system that were previously working correctly). For this reason, it is a good practice to undertake formal regression testing after defect fixes have been implemented.

Two months after a major application implementation, management, assuming that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to: determine whether user feedback on the system has been documented. assess whether the planned cost benefits are being measured, analyzed and reported. review controls built into the system to assure that they are operating as designed. review subsequent program change requests.

Review controls built into the system to assure that they are operating as designed is correct. Because management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed. Determine whether user feedback on the system has been documented is incorrect. The IS auditor should check whether user feedback has been provided, but this is not the most important area for audit. Assess whether the planned cost benefits are being measured, analyzed and reported is incorrect. It is important to assess the effectiveness of the project; however, assuring that the production environment is adequately controlled after the implementation is of primary concern. Review subsequent program change requests is incorrect. Reviewing change requests may be a good idea, but this is more important if the application is perceived to have a problem.

Establishing the level of acceptable risk is the responsibility of: a) quality assurance management. b) senior business management. c) the chief information officer. d) the chief security officer.

Senior business management is correct. Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization as a senior manager of the business process. The person can be the quality assurance (QA), chief information officer (CIO), or the chief security officer (CSO), but the responsibility rests with the business manager. Quality assurance management is incorrect. QA is concerned with reliability and consistency of processes. The QA team is not responsible for determining an acceptable risk level. The chief information officer is incorrect. The establishment of acceptable risk levels is a senior business management responsibility. The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. The CIO is rarely the person that determines acceptable risk levels because this could be a conflict of interest unless the CIO is the senior business process owner. The chief security officer is incorrect. The establishment of acceptable risk levels is a senior business management responsibility. The CSO is responsible for enforcing the decisions of the senior management team unless the CIO is the business process manager.

An IS auditor is evaluating the IT governance framework of an organization. Which of the following is the GREATEST concern? Senior management has limited involvement. Return on investment is not measured. Chargeback of IT cost is not consistent. Risk appetite is not quantified.

Senior management has limited involvement is correct. To ensure that the IT governance framework is effectively in place, senior management must be involved and aware of roles and responsibilities. Therefore, it is most essential to ensure the involvement of senior management when evaluating the soundness of IT governance. Return on investment is not measured is incorrect. Ensuring revenue management is a part of the objectives in the IT governance framework. Therefore, it is not effective in verifying the soundness of IT governance. Chargeback of IT cost is not consistent is incorrect. Introduction of a cost allocation system is part of the objectives in an IT governance framework. Therefore, it is not effective in verifying the soundness of IT governance. Risk appetite is not quantified is incorrect. Estimation of risk appetite is important; however, at the same time, management should ensure that controls are in place. Therefore, checking only on risk appetite does not verify soundness of IT governance.

To protect a Voice-over Internet Protocol infrastructure against a denial-of-service attack, it is MOST important to secure the: access control servers. session border controllers. backbone gateways. intrusion detection system.

Session border controllers is correct. These enhance the security in the access network and in the core. In the access network, they hide a user's real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and denial-of-service (DoS) attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall's effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users' real addresses. They can also monitor bandwidth and quality of service. Access control servers is incorrect. Securing the access control server may prevent account alteration or lockout but is not the primary protection against DoS attacks. Backbone gateways is incorrect. These are isolated and not readily accessible to hackers, so this is not a location of DoS attacks. Intrusion detection system is incorrect. This monitors traffic, but does not protect against DoS attacks.

In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional: stop-or-go sampling. substantive testing. compliance testing. discovery sampling.

Substantive testing is correct. Because both the inherent and control risk are high in this case, additional testing is required. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. Stop-or-go sampling is incorrect. This is used when an IS auditor believes few errors will be found in the population, and, thus, is not the best type of testing to perform in this case. Compliance testing is incorrect. This is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. Although performing compliance testing is important, performing additional substantive testing is more appropriate in this case. Discovery sampling is incorrect. This is a form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population, typically used to test for fraud or other irregularities. In this case, additional substantive testing is the better option.

An IS auditor reviewing the authentication controls of an organization should be MOST concerned if: a) user accounts are not locked out after five failed attempts. b) passwords can be reused by employees within a defined time frame. c) system administrators use shared login credentials. d) password expiration is not automated.

System administrators use shared login credentials is correct. The use of shared login credentials makes accountability impossible. This is especially a risk with privileged accounts.

A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the: system and the IT operations team can sustain operations in the emergency environment. resources and the environment could sustain the transaction load. connectivity to the applications at the remote site meets response time requirements. workflow of actual business operations can use the emergency system in case of a disaster.

System and the IT operations team can sustain operations in the emergency environment is correct. The applications have been operated intensively, but the capability of the system and the IT operations team to sustain and support this environment (ancillary operations, batch closing, error corrections, output distribution, etc.) is only partially tested. Resources and the environment could sustain the transaction load is incorrect. Because the test involved intensive usage, the backup would seem to be able to handle the transaction load. Connectivity to the applications at the remote site meets response time requirements is incorrect. Because users were able to connect to and use the system, the response time must have been satisfactory. Workflow of actual business operations can use the emergency system in case of a disaster is incorrect. The intensive tests by the business indicated that the workflow systems worked correctly. Changes to the environment could pose a problem in the future, but it is working correctly now.

Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project? System owners System users System designers System builders

System owners is correct. These are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems. System users is incorrect. These are the individuals who use or are affected by the information system. Their requirements are crucial in the requirements definition, design and testing stages of a project. System designers is incorrect. They translate business requirements and constraints into technical solutions. System builders is incorrect. They construct the system based on the specifications from the systems designers. In most cases, the designers and builders are one and the same.

An IS auditor discovers several IT-based projects were implemented and not approved by the steering committee. What is the GREATEST concern for the IS auditor? The IT department's projects will not be adequately funded. IT projects are not following the system development life cycle process. IT projects are not consistently formally approved. The IT department may not be working toward a common goal.

The IT department may not be working toward a common goal is correct. The steering committee provides direction and control over projects to ensure that the company is making appropriate investments. Without approval, the project may or may not be working toward the company's goals. The IT department's projects will not be adequately funded is incorrect. Funding for the projects may be addressed through various budgets and may not require steering committee approval. The primary concern would be to ensure that the project is working toward meeting the goals of the company. IT projects are not following the system development life cycle process is incorrect. Although requiring steering committee approval may be part of the system development life cycle process, the greater concern would be whether the projects are working toward the corporate goals. Without steering committee approval, it would be difficult to determine whether these projects are following the direction of the corporate goals. IT projects are not consistently formally approved is incorrect. Although having a formal approval process is important, the greatest concern would be for the steering committee to provide corporate direction for the projects.

An IS auditor is reviewing an organization's disaster recovery plan (DRP) implementation. The project was completed on time and on budget. During the review, the auditor uncovers several areas of concern. Which of the following presents the GREATEST risk? a) Testing of the DRP has not been performed. b) The disaster recovery strategy does not specify use of a hot site. c) The business impact analysis was conducted, but the results were not used. d) The disaster recovery project manager for the implementation has recently left the organization.

The business impact analysis (BIA) was conducted, but the results were not used is correct. The risk of not using the results of the BIA for disaster recovery planning means that the disaster recovery plan (DRP) may not be designed to recover the most critical assets in the correct order. As a result, the plan may not be adequate to allow the organization to recover from a disaster. Testing of the DRP has not been performed is incorrect. Although testing a DRP is a critical component of a successful disaster recovery strategy, this is not the biggest risk; the biggest risk comes from a plan that is not properly designed. The disaster recovery strategy does not specify use of a hot site is incorrect. Use of a hot site is a strategic determination based on tolerable downtime, cost and other factors. Although using a hot site may be considered a good practice, this is a very costly solution that may not be required for the organization. The disaster recovery project manager for the implementation has recently left the organization is incorrect. If the DRP is designed and documented properly, the loss of an experienced project manager should have minimal impact. The risk of a poorly designed plan that may not meet the requirements of the business is much more significant than the risk posed by loss of the project manager.

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented? The reporting of the mean time between failures over time The overall mean time to repair failures The first report of the mean time between failures The overall response time to correct failures

The first report of the mean time between failures is correct. The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented. The reporting of the mean time between failures over time is incorrect. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues. The overall mean time to repair failures is incorrect. The mean time to repair is a reflection on the response team or help desk team in addressing reported issues. The overall response time to correct failures is incorrect. The response time reflects the agility of the response team or the help desk team in addressing reported issues.

An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor? a) A login screen is not displayed for guest users. b) The guest network is not segregated from the production network. c) Guest users who are logged in are not isolated from each other. d) A single factor authentication technique is used to grant access.

The guest network is not segregated from the production network is correct. The implication of this is that guests have access to the organization's network. Allowing untrusted users to connect to the organization's network could introduce malware and potentially allow these individuals inappropriate access to systems and information. A login screen is not displayed for guest users is incorrect. Using a web captive portal, which displays a login screen in the user's web browser, is a good practice to authenticate guests. However, if the guest network is not segregated from the production network, users could introduce malware and potentially gain inappropriate access to systems and information. Guest users who are logged in are not isolated from each other is incorrect. There are certain platforms in which it is allowable for guests to interact with one another. Also, guests could be warned to use only secured systems and a policy covering interaction among guests could be created. A single factor authentication technique is used to grant access is incorrect. Although a multifactor authentication technique is preferred, a single-factor authentication method should be adequate if properly implemented.

An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that: it has not been determined how the project fits into the overall project portfolio. the organizational impact of the project has not been assessed. not all IT stakeholders have been given an opportunity to provide input. the environmental impact of the data center has not been considered.

The organizational impact of the project has not been assessed is correct. The feasibility study determines the strategic benefits of the project. Therefore, the result of the feasibility study determines the organizational impact—a comparison report of costs, benefits, risk, etc. The project portfolio is a part of measuring the organizational strategy. It has not been determined how the project fits into the overall project portfolio is incorrect. While projects must be assigned a priority and managed as a portfolio, this most likely occurs after the feasibility study determines that the project is viable. Not all IT stakeholders have been given an opportunity to provide input is incorrect. A feasibility study is ordinarily conducted by those with the knowledge to make the decision because the involvement of the entire IT organization is not needed. The environmental impact of the data center has not been considered is incorrect. The environmental impact should be part of the feasibility study; however, the organizational impact is more important.

When reviewing a hardware maintenance program, an IS auditor should assess whether: the schedule of all unplanned maintenance is maintained. it is in line with historical trends. it has been approved by the IS steering committee. the program is validated against vendor specifications.

The program is validated against vendor specifications is correct. Although maintenance requirements vary based on complexity and performance workloads, a hardware maintenance schedule should be validated against the vendor-provided specifications. The schedule of all unplanned maintenance is maintained is incorrect. Unplanned maintenance cannot be scheduled. It is in line with historical trends is incorrect. Hardware maintenance programs do not necessarily need to be in line with historic trends. It has been approved by the IS steering committee is incorrect. Maintenance schedules normally are not approved by the steering committee.

In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy? Disaster tolerance is high. The recovery time objective is high. The recovery point objective is low. The recovery point objective is high.

The recovery point objective (RPO) is low is correct. The RPO indicates the latest point in time at which it is possible to recover the data. This determines how often the data must be backed up to minimize data loss. If the RPO is low, then the organization does not want to lose much data and must use a process such as data mirroring to prevent data loss. Disaster tolerance is high is incorrect. Data mirroring is a data recovery technique, and disaster tolerance addresses the allowable time for an outage of the business. The recovery time objective (RTO) is high is incorrect. RTO is an indicator of the disaster tolerance. Data mirroring addresses data loss, not the RTO. The recovery point objective is high is incorrect. If the RPO is high, then a less expensive backup strategy can be used; data mirroring should not be implemented as the data recovery strategy.

An IS auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information. Which of the following contractual terms would be the GREATEST risk to the customer organization? Data ownership is retained by the customer organization. The third-party provider reserves the right to access data to perform certain operations. Bulk data withdrawal mechanisms are undefined. The customer organization is responsible for backup, archive and restore.

The third-party provider reserves the right to access data to perform certain operations is correct. Some service providers reserve the right to access customer information (third-party access) to perform certain transactions and provide certain services. In the case of protected health information, regulations may restrict certain access. Organizations must review the regulatory environment in which the cloud provider operates because it may have requirements or restrictions of its own. Organizations must then determine whether the cloud provider provides appropriate controls to ensure that data are appropriately secure. Data ownership is retained by the customer organization is incorrect. The customer organization would want to retain data ownership and, therefore, this would not be a risk. Bulk data withdrawal mechanisms are undefined is incorrect. An organization may eventually wish to discontinue its service with a third-party cloud-based provider. The organization would then want to remove its data from the system and ensure that the service provider clears the system (including any backups) of its data. Some providers do not offer automated or bulk data withdrawal mechanisms, which the organization needs to migrate its data. These aspects should be clarified prior to using a third-party provider. The customer organization is responsible for backup, archive and restore is incorrect. An organization may need to plan its own data recovery processes and procedures if the service provider does not make this available or the organization has doubts about the service provider's processes. This would only be a risk if the customer organization was unable to perform these activities itself.

An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise's security requirements? The vendor provides the latest third-party audit report for verification. The vendor provides the latest internal audit report for verification. The vendor agrees to implement controls in alignment with the enterprise. The vendor agrees to provide annual external audit reports in the contract.

The vendor agrees to provide annual external audit reports in the contract is correct. The only way to ensure that any potential risk is mitigated today and in the future is to include a clause within the contract that the vendor will provide future external audit reports. Without the audit clause the vendor can choose to forego future audits. The vendor provides the latest third-party audit report for verification is incorrect. Although the vendor is providing the most recent third-party audit report for review, there is no agreement contractually that would require the vendor to continue to provide annual reports for verification and review. The vendor provides the latest internal audit report for verification is incorrect. Although the vendor is providing the most recent internal audit report for review, there is no agreement contractually that would require the vendor to continue to provide annual reports for verification and review. The vendor agrees to implement controls in alignment with the enterprise is incorrect. Without a clause in the contract, an agreement to implement controls does not provide assurance that controls will continue to be implemented in alignment with the enterprise.

What is the PRIMARY reason that an IS auditor would verify that the process of post-implementation review of an application was completed after a release? To make sure that users are appropriately trained To verify that the project was within budget To check that the project meets expectations To determine whether proper controls were implemented

To check that the project meets expectations is correct. The objective of a post-implementation review is to reveal whether the implementation of a system has achieved planned objectives (i.e., meets business objectives and risk acceptance criteria). To make sure that users are appropriately trained is incorrect. Post-implementation review does not target verifying user training needs. To verify that the project was within budget is incorrect. Project costs are monitored during development and are not the primary reason for a post-implementation review. To determine whether proper controls were implemented is incorrect. While an IS auditor would be interested in ensuring that proper controls were implemented, the most important consideration would be that the project meets expectations.

Which of the following IT governance good practices improves strategic alignment? Supplier and partner risk is managed. A knowledge base on customers, products, markets and processes is in place. A structure is provided that facilitates the creation and sharing of business information. Top management mediates between the imperatives of business and technology.

Top management mediates between the imperatives of business and technology is correct. This is an IT strategic alignment good practice. Supplier and partner risk is managed is incorrect. This is a risk management good practice but not a strategic function. A knowledge base on customers, products, markets and processes is in place is incorrect. This is an IT value delivery good practice but does not ensure strategic alignment. A structure is provided that facilitates the creation and sharing of business information is incorrect. This is an IT value delivery and risk management good practice but is not as effective as top management involvement in business and technology alignment.

Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible? Bottom-up testing Sociability testing Top-down testing System testing

Top-down testing is correct. The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. Bottom-up testing is incorrect. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place. Sociability testing is incorrect. This takes place at a later stage in the development process. System testing is incorrect. This takes place at a later stage in the development process.

Which of the following ensures the availability of transactions in the event of a disaster? Send tapes hourly containing transactions offsite. Send tapes daily containing transactions offsite. Capture transactions to multiple storage devices. Transmit transactions offsite in real time.

Transmit transactions offsite in real time is correct. The only way to ensure availability of all transactions is to perform a real-time transmission to an offsite facility. Sending hourly tapes containing transactions offsite is incorrect. This is not in real time and, therefore, would possibly result in the loss of one hour's worth of transactional data. Sending daily tapes containing transactions offsite is incorrect. This is not in real time and, therefore, could result in the loss of one day's worth of transactional data. Capturing transactions to multiple storage devices is incorrect. This does not ensure availability at an offsite location.

Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would provide the BEST assurance that only authorized users of ABC connect over the Internet for production support to XYZ? a) Single sign-on authentication b) Password complexity requirements c) Two-factor authentication d) Internet protocol address restrictions

Two-factor authentication is correct. This is the best method to provide a secure connection because it uses two factors, typically "what you have" (for example, a device to generate one-time passwords), "what you are" (for example, biometric characteristics) or "what you know" (for example, a personal identification number or password). Using a password in and of itself without the use of one or more of the other factors mentioned is not the best for this scenario. Single sign-on authentication is incorrect. This provides a single access point to system resources. It would not be best in this situation. Password complexity requirements is incorrect. While this would help prevent unauthorized access, two-factor authentication is a more effective control for this scenario. Internet Protocol (IP) address restrictions is incorrect. IP addresses can always change or be spoofed and, therefore, are not the best form of authentication for the scenario mentioned.

An internal audit function is reviewing an internally developed common gateway interface script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern? System unavailability Exposure to malware Unauthorized access System integrity

Unauthorized access is correct. Untested common gateway interfaces (CGIs) can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers. System unavailability is incorrect. While untested CGIs can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users. Exposure to malware is incorrect. Untested CGI scripts do not inherently lead to malware exposures. System integrity is incorrect. While untested CGIs can cause the end-user web application to be compromised, this is not likely to significantly impact system integrity.

An IS auditor is evaluating network performance for an organization that is considering increasing its Internet bandwidth due to a performance degradation during business hours. Which of the following is MOST likely the cause of the performance degradation? Malware on servers Firewall misconfiguration Increased spam received by the email server Unauthorized network activities

Unauthorized network activities is correct. Unauthorized network activities—such as employee use of file or music sharing sites or online gambling or personal email containing large files or photos—could contribute to network performance issues. Because the IS auditor found the degraded performance during business hours, this is the most likely cause. Malware on servers is incorrect. The existence of malware on the organization's server could contribute to network performance issues, but the degraded performance would not likely be restricted to business hours. Firewall misconfiguration is incorrect. This could contribute to network performance issues, but the degraded performance would not likely be restricted to business hours. Increased spam received by the email server is incorrect. The existence of spam on the organization's email server could contribute to network performance issues, but the degraded performance would not likely be restricted to business hours.

An IS auditor is performing a review of a network. Users report that the network is slow and web pages periodically time out. The IS auditor confirms the users' feedback and reports the findings to the network manager. The most appropriate action for the network management team should be to FIRST: use a protocol analyzer to perform network analysis and review error logs of local area network equipment. take steps to increase the bandwidth of the connection to the Internet. create a baseline using a protocol analyzer and implement quality of service to ensure that critical business applications work as intended. implement virtual local area networks to segment the network and ensure performance.

Use a protocol analyzer to perform network analysis and review error logs of local area network equipment is correct. In this case, the first step is to identify the problem through review and analysis of network traffic. Using a protocol analyzer and reviewing the log files of the related switches or routers will determine whether there is a configuration issue or hardware malfunction. Take steps to increase the bandwidth of the connection to the Internet is incorrect. Although increasing Internet bandwidth may be required, this may not be needed if the performance issue is due to a different problem or error condition. Create a baseline using a protocol analyzer and implement quality of service to ensure that critical business applications work as intended is incorrect. Although creating a baseline and implementing quality of service will ensure that critical applications have the appropriate bandwidth, in this case, the performance issue may be related to misconfiguration or equipment malfunction. Implement virtual local area networks to segment the network and ensure performance is incorrect. Although this may be good practice for ensuring adequate performance, in this case, the issue may be related to misconfigurations or equipment malfunction.

An IS auditor is reviewing a new web-based order entry system the week before it goes live. The IS auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card information. The IS auditor should FIRST: a) determine whether system developers have proper training on adequate security measures. b) determine whether system administrators have disabled security controls for any reason. c) verify that security requirements have been properly specified in the project plan. d) validate whether security controls are based on requirements which are no longer valid.

Verify that security requirements have been properly specified in the project plan is correct. If there are significant security issues identified by an IS auditor, the first question is whether the security requirements were correct in the project plan. Whether the requirements were included in the plan would affect the recommendations the auditor would make. Validate whether security controls are based on requirements which are no longer valid is incorrect. It is possible that security requirements will change over time based on new threats or vulnerabilities, but if critical controls are missing, this points toward a faulty design that was based on incomplete requirements.

An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system application is to: acknowledge receipt of electronic orders with a confirmation message. perform reasonableness checks on quantities ordered before filling orders. verify the identity of senders and determine if orders correspond to contract terms. encrypt electronic orders.

Verify the identity of senders and determine if orders correspond to contract terms is correct. An electronic data interchange system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern. Acknowledging the receipt of electronic orders with a confirming message is incorrect. This is good practice but will not authenticate orders from customers. Performing reasonableness checks on quantities ordered before filling orders is incorrect. This is a control for ensuring the correctness of the organization's orders, not the authenticity of its customers' orders. Encrypt electronic orders is incorrect. This is an appropriate step but does not prove authenticity of messages received.

An organization has requested that an IS auditor provide a recommendation to enhance the security and reliability of its Voice-over Internet Protocol (VoIP) system and data traffic. Which of the following would meet this objective? a) VoIP infrastructure needs to be segregated using virtual local area networks. b) Buffers need to be introduced at the VoIP endpoints. c) Ensure that end-to-end encryption is enabled in the VoIP system. d) Ensure that emergency backup power is available for all parts of the VoIP infrastructure.

Voice-over Internet Protocol (VoIP) infrastructure needs to be segregated using virtual local area networks (VLANs) is correct. This would best protect the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (which would help to ensure uptime). Buffers need to be introduced at the VoIP endpoints is incorrect. The use of packet buffers at VoIP endpoints is a method to maintain call quality, not a security method. Ensure that end-to-end encryption is enabled in the VoIP system is incorrect. Encryption is used when VoIP calls use the Internet (not the local LAN) for transport because the assumption is that the physical security of the building as well as the Ethernet switch and VLAN security is adequate. Ensure that emergency backup power is available for all parts of the VoIP infrastructure is incorrect. The design of the network and the proper implementation of VLANs are more critical than ensuring that all devices are protected by emergency power.

A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted? Work is completed in tunnel mode with IP security. A digital signature with RSA has been implemented. Digital certificates with RSA are being used. Work is being completed in TCP services.

Work is completed in tunnel mode with IP security is correct. Tunnel mode with Internet Protocol (IP) security provides encryption and authentication of the complete IP packet. To accomplish this, the authentication header and encapsulating security payload services can be nested. This is known as IP Security. A digital signature with RSA has been implemented is incorrect. A digital signature with RSA provides authentication and integrity but not confidentiality. Digital certificates with RSA are being used is incorrect. Digital certificates with RSA provide authentication and integrity but do not provide encryption. Work is being completed in Transmission Control Protocol (TCP) services is incorrect. These do not provide encryption and authentication.
