November 16th Domain 2 226 Questions

Which of the following tasks should be performed FIRST when preparing a disaster recovery plan (DRP)? A. Develop a recovery strategy. B. Perform a business impact analysis (BIA). C. Map software systems, hardware and network components. D. Appoint recovery teams with defined personnel, roles and hierarchy.

You answered A. The correct answer is B. A. Developing a recovery strategy will come after performing a business impact analysis (BIA). B. The first step in any disaster recovery plan (DRP) is to perform a BIA. C. The BIA will identify critical business processes and the systems that support those processes. Mapping software systems, hardware and network components will come after performing a BIA. D. Appointing recovery teams with defined personnel, roles and hierarchy will come after performing a BIA.

For key performance indicators (KPIs) to be an effective and useful metric, it is MOST important that: A. KPIs are measured at consistent intervals. B. specific goals are defined. C. critical success factors (CSFs) are considered. D. KPIs are purely quantitative measures.

You answered A. The correct answer is B. A. Measurement at consistent intervals is important, but only if the key performance indicators (KPIs) are related to specific goals. B. The most important metric is the extent to which the key goal indicators (KGIs) are aligned with specific goals that are relevant and meaningful to the organization. C. Critical success factors (CSFs) are important considerations for determining that a goal is being achieved, but are not metrics in themselves. D. Quantitative measures are usually preferable, but not always possible and not essential.

Integrating the business continuity plan (BCP) into IT project management aids in: A. the testing of the business continuity requirements. B. the development of a more comprehensive set of requirements. C. the development of a transaction flowchart. D. ensuring the application meets the user's needs.

You answered A. The correct answer is B. A. Testing the business continuity plan's (BCP) requirements is not related to IT project management. B. Integrating the BCP into the development process ensures complete coverage of the requirements through each phase of the project. C. A transaction flowchart aids in analyzing an application's controls, but does not affect business continuity. D. A BCP will not directly address the detailed processing needs of the users.

The initial step in establishing an information security program is the: A. development and implementation of an information security standards manual. B. performance of a comprehensive security control review by the IS auditor. C. adoption of a corporate information security policy statement. D. purchase of security access control software.

You answered A. The correct answer is C. A. The security program is driven by policy and the standards are driven by the program. The initial step is to have a policy and ensure that the program is based on the policy. B. Audit and monitoring of controls related to the program can only come after the program is set up. C. A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program. D. Access control software is an important security control, but only after the policy and program are defined.

Which of the following business continuity plan (BCP) tests involves participation of relevant members of the crisis management/response team to practice proper coordination? A. Tabletop B. Functional C. Full-scale D. Deskcheck

You answered B. The correct answer is A. A. The primary purpose of tabletop testing is to practice proper coordination because it involves all or some of the crisis team members and is focused more on coordination and communication issues than on technical process details. B. Functional testing involves mobilization of personnel and resources at various geographic sites. This is a more in-depth functional test and not primarily focused on coordination and communication. C. Full-scale testing involves enterprisewide participation and full involvement of external organizations. D. Deskcheck testing requires the least effort of the options given. Its aim is to ensure the plan is up to date and promote familiarity of the BCP to critical personnel from all areas.

Which of the following distinguishes a business impact analysis (BIA) from a risk assessment? A. An inventory of critical assets B. An identification of vulnerabilities C. A listing of threats D. A determination of acceptable downtime

You answered B. The correct answer is D. A. An inventory of critical assets is completed in both a risk assessment and a business impact analysis (BIA). B. An identification of vulnerabilities is relevant in both a risk assessment and a BIA. C. A listing of threats is relevant both in a risk assessment and a BIA. D. A determination of acceptable downtime is made only in a BIA.

Which of the following provides the BEST evidence of the adequacy of a security awareness program? A. The number of stakeholders including employees trained at various levels B. Coverage of training at all locations across the enterprise C. The implementation of security devices from different vendors D. Periodic reviews and comparison with best practices

You answered B. The correct answer is D. A. The number of stakeholders, including employees, trained provides a metric for measuring the coverage of a security awareness program, but does not help assess its content or effectiveness. B. Coverage of training at all locations provides a metric for measuring the coverage of a security awareness program, but does not help assess its content or effectiveness. C. The implementation of security devices from different vendors may be a policy of the organization, but it does not relate to the adequacy of an awareness program. D. The adequacy of security awareness content can best be assessed by determining whether it is periodically reviewed and compared to industry best practices.

An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan? A. Full operational test B. Preparedness test C. Paper test D. Regression test

You answered C. The correct answer is B. A. A full operational test is conducted after the paper and preparedness test and is quite expensive. B. A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for disaster recovery. C. A paper test is a structured walk-through of the disaster recovery plan and should be conducted before a preparedness test, but a paper test (deskcheck) is not sufficient to test the viability of the plan. D. A regression test is not a disaster recovery plan test and is used in software development and maintenance.

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate? A. Review the strategic alignment of IT with the business. B. Implement accountability rules within the organization. C. Ensure that independent IT audits are conducted periodically. D. Create a chief risk officer (CRO) role in the organization.

You answered C. The correct answer is B. A. While the strategic alignment of IT with the business is important, it is not directly related to the gap identified in this scenario. B. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself. C. Performing more frequent IS audits is not helpful if the accountability rules are not clearly defined and implemented. D. Recommending the creation of a new role (CRO) is not helpful if the accountability rules are not clearly defined and implemented.

An IS auditor is reviewing changes to a company's disaster recovery (DR) strategy. The IS auditor notices that the recovery point objective (RPO) has been shortened for the company's mission-critical application. What is the MOST significant risk of this change? A. The existing DR plan is not updated to achieve the new RPO. B. The DR team has not been trained on the new RPO. C. Backups are not done frequently enough to achieve the new RPO. D. The plan has not been tested with the new RPO.

You answered D. The correct answer is C. A. If the plan is not updated to reflect the new strategic goals of recovery time objective (RTO) and recovery point objective (RPO), then the plan may not achieve those new goals. This is a less significant problem than not having the appropriate data available. B. The lack of training on the new disaster recovery (DR) strategy creates risk in the team's ability to execute the plan; but, this risk is not as significant as not having data available due to the frequency of backups. C. The RPO is defined in the ISACA glossary as "the earliest point in time to which it is acceptable to recover the data." If backups are not performed frequently enough to meet the new RPO, a risk is created that the company will not have adequate backup data in the event of a disaster. This is the most significant risk because, without availability of the necessary data, all other DR considerations are not useful. D. The lack of testing of the revised plan creates risk in the team's ability to execute the plan; but, this risk is not as significant as not having data available due to the frequency of backups.

Corporate IT policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation? A. Have the current configuration approved by operations management. B. Ensure that there is an audit trail for all existing accounts. C. Implement individual user accounts for all staff. D. Amend the IT policy to allow shared accounts.

You are correct, the answer is C. A. Having the current configuration approved is a recommendation that is not in compliance with the enterprise's own policy and would violate best practice. B. Having an audit trail for existing shared accounts would not provide accountability or resolve the problem of noncompliance with policy. C. Individual user accounts allow for accountability of transactions and should be the most important recommendation, given the current scenario. D. Shared user IDs do not allow for accountability of transactions and would not reflect best practice.

An IS auditor has been asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed? A. Require the vendor to provide monthly status reports. B. Have periodic meetings with the client IT manager. C. Conduct periodic audit reviews of the vendor. D. Require that performance parameters be stated within the contract.

You are correct, the answer is C. A. Although providing monthly status reports may show that the vendor is meeting contract terms, without independent verification these data may not be reliable. B. Having periodic meetings with the client IT manager will assist with understanding the current relationship with the vendor, but meetings may not include vendor audit reports, status reports and other information that a periodic audit review would take into consideration. C. Conducting periodic reviews of the vendor will ensure that the agreements within the contract are completed in a satisfactory manner. Without future audit reviews after the contract is signed, service level agreements (SLAs) as well as the client's requirements for security controls may become less of a focus for the vendor and the results may slip. Periodic audit reviews allow the client to take a look at the vendor's current state to ensure that the vendor is one with whom they wish to continue to work. D. Requiring that performance parameters be stated within the contract is important, but only if periodic reviews are performed to determine that performance parameters are met.

A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and: A. length of service, because this will help ensure technical competence. B. age, because training in audit techniques may be impractical. C. IT knowledge, because this will bring enhanced credibility to the audit function. D. ability, as an IS auditor, to be independent of existing IT relationships.

You are correct, the answer is D. A. Length of service will not ensure technical competency. B. Evaluating an individual's qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world. C. The fact that the employee has worked in IT for many years may not, in itself, ensure credibility. The IS audit department's needs should be defined, and any candidate should be evaluated against those requirements. D. Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.

Which of the following is responsible for the approval of an information security policy? A. The IT department B. The security committee C. The security administrator D. The board of directors

You are correct, the answer is D. A. The IT department is responsible for the execution of the policy, having no authority in framing the policy. B. The security committee also functions within the broad security policy framed by the board of directors. C. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized. D. Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors.

When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied? A. Transfer B. Mitigation C. Avoidance D. Acceptance

You answered A. The correct answer is B. A. Risk transfer is the transference of risk to a third party, e.g., buying insurance for activities that pose a risk. B. A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan (DRP), it is a risk mitigation strategy. C. Risk avoidance is the decision to cease operations or activities that give rise to a risk. For example, a company may stop accepting credit card payments to avoid the risk of credit card information disclosure. D. When an organization decides to accept the risk as it is and to do nothing to mitigate or transfer it, that is risk acceptance.

After completing the business impact analysis (BIA), what is the NEXT step in the business continuity planning (BCP) process? A. Test and maintain the plan. B. Develop a specific plan. C. Develop recovery strategies. D. Implement the plan.

You answered A. The correct answer is C. A. After selecting a strategy, a specific business continuity planning (BCP) can be developed, tested and implemented. B. After selecting a strategy, a specific BCP can be developed, tested and implemented. C. Once the business impact analysis (BIA) is completed, the next phase in the BCP development is to identify the various recovery strategies and select the most appropriate strategy for recovering from a disaster that will meet the time lines and priorities defined through the BIA. D. After selecting a strategy, a specific BCP can be developed, tested and implemented.

An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? A. An audit clause is present in all contracts. B. The service level agreement (SLA) of each contract is substantiated by appropriate key performance indicators (KPIs). C. The contractual warranties of the providers support the business needs of the organization. D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.

You answered A. The correct answer is C. A. All other choices are important, but the first step is to ensure that the contracts support the business—only then can an audit process be valuable. B. All service level agreements (SLAs) should be measureable and reinforced through key performance indicators (KPIs)—but the first step is to ensure that the SLAs are aligned with business requirements. C. The primary requirement is for the services provided by the outsource supplier to meet the needs of the business. D. Having appropriate controls in place for contract termination are important, but first the IS auditor must be focused on the requirement of the supplier to meet business needs.

Which of the following reduces the potential impact of social engineering attacks? A. Compliance with regulatory requirements B. Promoting ethical understanding C. Security awareness programs D. Effective performance incentives

You answered A. The correct answer is C. A. Compliance with regulatory requirements is not user-focused and will not reduce the impact of social engineering attacks. B. Promoting ethical understanding is important to direct user behavior, but will not effectively reduce the impact of social engineering attacks. C. Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. D. Effective performance incentives will not help reduce the impact of social engineering. Social engineering is based on deception, not on performance.

Which of the following is the PRIMARY objective of the business continuity plan (BCP) process? A. To provide assurance to stakeholders that business operations will continue in the event of disaster B. To establish an alternate site for IT services to meet predefined recovery time objectives (RTOs) C. To manage risk while recovering from an event that adversely affected operations D. To meet the regulatory compliance requirements in the event of natural disaster

You answered A. The correct answer is C. A. The business continuity plan (BCP) in itself does not provide assurance of continuing operations; however, it helps the organization to respond to disruptions to critical business processes. B. Establishment of an alternate site is more relevant to disaster recovery than the BCP. C. The BCP process primarily focuses on managing and mitigating risk during recovery of operations due to an event that affected operations. D. The regulatory compliance requirements may help establish the recovery time objective (RTO) requirements.

Which of the following is a PRIMARY objective of an acceptable use policy? A. Creating awareness about the secure use of proprietary resources B. Ensuring compliance with information security policies C. Defining sanctions for noncompliance D. Controlling how proprietary information systems are used `

You answered A. The correct answer is D. A. Employee orientations and user awareness training are the most effective processes to raise user awareness about the acceptable use of proprietary IT resources. The acceptable use policy is one of the topics covered during training and is often signed after employee orientation and during periodic user awareness training. The policy is used to enforce controls over use of systems—not just to create awareness. B. The acceptable use policy is a subset of the information security policies that focus on the end user and a specific topic. Information security policies are much broader in overall content and include a wider audience. C. Although the policy may include a statement regarding the sanctions for noncompliance, sanctions are not the primary objective of the acceptable use policy; prevention is the primary objective. D. Inappropriate use of proprietary IT resources by users exposes enterprises to a variety of risk scenarios, including malware attacks, compromise and unavailability of critical systems, and legal issues. To address such risk, a policy supported by guidelines is put into effect to define how information system resources will be used. An acceptable use policy ensures that users are made aware of acceptable usage and the need to acknowledge that they are aware.

An IS auditor reviewing the IT organization would be MOST concerned if the IT steering committee: A. is responsible for project approval and prioritization. B. is responsible for developing the long-term IT plan. C. reports the status of IT projects to the board of directors. D. is responsible for determining business goals.

You answered A. The correct answer is D. A. The IT steering committee is responsible for project approval and prioritization. B. The IT steering committee is responsible for oversight of the development of the long-term IT plan. C. The IT steering committee advises the board of directors on the status of developments in IT. D. Determining the business goals is the responsibility of senior management and not of the IT steering committee. IT should support business goals and be driven by the business—not the other way around.

A financial enterprise has had difficulties establishing clear responsibilities between its IT strategy committee and its IT steering committee. Which of the following responsibilities would MOST likely be assigned to its IT steering committee? A. Approving IT project plans and budgets B. Aligning IT to business objectives C. Advising on IT compliance risk D. Promoting IT governance practices

You answered B. The correct answer is A. A. An IT steering committee typically has a variety of responsibilities, including approving IT project plans and budgets. Issues related to business objectives, risk and governance are responsibilities that are generally assigned to an IT strategy committee because it provides insight and advice to the board. B. Aligning IT to business objectives is a task usually assigned to an IT strategy committee. The steering committee would be more involved in approval and monitoring of individual projects and budgets. C. Issues related to compliance are tasks usually assigned to an IT strategy committee. The steering committee would be more involved in approval and monitoring of individual projects and budgets. D. IT governance is a task usually assigned to an IT strategy committee. The steering committee would be more involved in approval and monitoring of individual projects and budgets.

Depending on the complexity of an organization's business continuity plan (BCP), it may be developed as a set of plans to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that: A. each plan is consistent with one another. B. all plans are integrated into a single plan. C. each plan is dependent on one another. D. the sequence for implementation of all plans is defined.

You answered B. The correct answer is A. A. Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery, but the plans must be consistent to be effective. B. The plans do not necessarily have to be integrated into one single plan. C. Although each plan may be independent, each plan has to be consistent with other plans to have a viable business continuity planning strategy. D. It may not be possible to define a sequence in which plans have to be implemented because it may be dependent on the nature of disaster, criticality, recovery time, etc.

The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a disaster recovery plan, will MOST likely: A. increase. Incorrect B. decrease. C. remain the same. D. be unpredictable.

You answered B. The correct answer is A. A. Due to the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation, i.e., the cost of normal operations during a nondisaster period will be more than the cost of operations during a nondisaster period when no DRP was in place. B. The implementation of a DRP will always result in additional costs to the organization. C. The implementation of a DRP will always result in additional costs to the organization. D. The costs of a DRP are fairly predictable and consistent.

Overall quantitative business risk for a particular threat can be expressed as: A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability. B. the magnitude of the impact should a threat source successfully exploit the vulnerability. C. the likelihood of a given threat source exploiting a given vulnerability. D. the collective judgment of the risk assessment team.

You answered B. The correct answer is A. A. Overall business risk takes into consideration the likelihood and magnitude of the impact when a threat exploits a vulnerability, and provides the best measure of the risk to an asset. B. The calculation of risk must consider impact and likelihood of a threat (not a threat source) exploiting a vulnerability. C. Considering only the likelihood of an exploit and not the impact or damage caused is not sufficient to determine the overall risk. D. The collective judgment of the risk assessment team is a part of qualitative risk assessment, but must be combined with calculations of the impact on the business to determine overall risk.

As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through: A. performance measurement. B. strategic alignment. C. value delivery. D. resource management.

You answered B. The correct answer is A. A. Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives. B. Strategic alignment primarily focuses on ensuring linkage of business and IT plans, not on transparency. C. Value delivery is about executing the value proposition throughout the delivery cycle. Value delivery ensures that IT investments deliver on promised values, but does not ensure transparency of investment. D. Resource management is about the optimal investment in and proper management of critical IT resources, but does not ensure transparency of IT investments.

An organization has outsourced its wide area network (WAN) to a third-party service provider. Under these circumstances, which of the following is the PRIMARY task the IS auditor should perform during an audit of business continuity (BCP) and disaster recovery planning (DRP)? A. Review whether the service provider's BCP process is aligned with the organization's BCP and contractual obligations. B. Review whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster. C. Review the methodology adopted by the organization in choosing the service provider. D. Review the accreditation of the third-party service provider's staff.

You answered B. The correct answer is A. A. Reviewing whether the service provider's business continuity plan (BCP) process is aligned with the organization's BCP and contractual obligations is the correct answer because an adverse effect or disruption to the business of the service provider has a direct bearing on the organization and its customers. B. Reviewing whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster is not the correct answer because the presence of penalty clauses, although an essential element of an SLA, is a last resort and not a primary concern. C. The methodology adopted by the organization in choosing a service provider is a possible concern, but of lesser importance than ensuring that the service provider can be relied on in the event of a disaster. D. The accreditation of the third-party service provider's staff is a possible concern, but of lesser importance than the requirement to ensure that the service provider can provide service in the event of a disruption.

Which of the following documents is the BEST source for an IS auditor to understand the requirements for employee awareness training? A. Information security policy B. Acceptable usage policy C. Human resources (HR) policy D. End-user computing policy

You answered B. The correct answer is A. A. The information security policy states the organization's approach to managing information security. The policy contains the company's security objectives and explains the security policies, principles and standards and mandates compliance and accountability for the employee to adhere to policy. In addition, the policy outlines requirements such as compliance with regulations and employee education, training and awareness. B. The acceptable usage policy is a subset of the information security policy and outlines guidelines and rules for employee use of the company's information resources. It is focused and does not include requirements for security awareness training. C. The HR policy refers to the information security policy, but does not specifically list the requirements for security awareness training. Instead, this document contains broader information such as hiring practices, commitments to diversity and ethics, and compliance with regulations. D. The end-user computing policy is a subset of the information security policy and describes the parameters and usage of desktop tools by users. It does not contain requirements for security awareness training.

An IS auditor is evaluating the IT governance framework of an organization. Which of the following would be the GREATEST concern? A. Senior management has limited involvement. B. Return on investment (ROI) is not measured. C. Chargeback of IT cost is not consistent. D. Risk appetite is not quantified.

You answered B. The correct answer is A. A. To ensure that the IT governance framework is effectively in place, senior management must be involved and aware of roles and responsibilities. Therefore, it is most essential to ensure the role of senior management when evaluating the soundness of IT governance. B. Ensuring revenue is a part of the objectives in the IT governance framework. Therefore, it is not effective in verifying the soundness of IT governance. C. Introduction of a cost allocation system is part of the objectives in an IT governance framework. Therefore, it is not effective in verifying the soundness of IT governance. D. Estimation of risk appetite is important; however, at the same time, management should ensure that controls are in place. Therefore, checking only on risk appetite does not verify soundness of IT governance.

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: A. control self-assessments. B. a business impact analysis (BIA). C. an IT balanced scorecard (BSC). D. business process reengineering (BPR).

You answered B. The correct answer is C. A. Control self-assessments (CSAs) are used to improve monitoring of security controls, but are not used to align IT with organizational objectives. B. A business impact analysis (BIA) is used to calculate the impact on the business in the event of an incident that affects business operations, but it is not used to align IT with organizational objectives. C. An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. D. Business process reengineering (BPR) is an excellent tool to review and improve business processes, but is not focused on aligning IT with organizational objectives.

To optimize an organization's business continuity plan (BCP), an IS auditor should recommend a business impact analysis (BIA) to determine: A. the business processes that generate the most financial value for the organization and, therefore, must be recovered first. B. the priorities and order for recovery to ensure alignment with the organization's business strategy. C. the business processes that must be recovered following a disaster to ensure the organization's survival. D. the priorities and order of recovery, which will recover the greatest number of systems in the shortest time frame.

You answered B. The correct answer is C. A. It is a common mistake to overemphasize financial value rather than urgency. For example, while the processing of incoming mortgage loan payments is important from a financial perspective, it could be delayed for a few days in the event of a disaster. On the other hand, wiring funds to close on a loan, while not generating direct revenue, is far more critical because of the possibility of regulatory problems, customer complaints and reputation issues. B. The business strategy (which is often a long-term view) does not have a direct impact at this point in time. C. To ensure the organization's survival following a disaster, it is important to recover the most critical business processes first. D. The mere number of recovered systems does not have a direct impact at this point in time. The importance is to recover systems that would impact business survival.

An IS auditor is reviewing an IT security risk management program. Measures of security risk should: A. address all of the network risk. B. be tracked over time against the IT strategic plan. C. take into account the entire IT environment. D. result in the identification of vulnerability tolerances.

You answered B. The correct answer is C. A. Measures of security risk should not be limited to network risk, but rather focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. B. IT strategic plans are not granular enough to provide appropriate measures. Objective metrics must be tracked over time against measurable goals; thus, the management of risk is enhanced by comparing today's results against last week, last month, last quarter. Risk measures will profile assets on a network to objectively measure vulnerability risk. C. When assessing IT security risk, it is important to take into account the entire IT environment. D. Measures of security risk do not identify tolerances.

For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be: A. stored in a secure, offsite facility. B. approved by senior management C. communicated to appropriate personnel. D. made available through the enterprise's intranet.

You answered B. The correct answer is C. A. The business continuity plan (BCP), if kept in a safe place, will not reach the users; users will never implement the BCP and, thus, the BCP will be ineffective. B. Senior management approval is a prerequisite for designing and approving the BCP, but is less important than making sure that the plan is available to all key personnel to ensure that the plan will be effective. C. The implementation of a BCP will be effective only if appropriate personnel are informed and aware of all the aspects of the BCP. D. Making a BCP available on an enterprise's intranet does not guarantee that personnel will be able to access, read or understand it.

While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructure damage. The BEST recommendation the IS auditor can provide to the organization is to ensure: A. the salvage team is trained to use the notification system. B. the notification system provides for the recovery of the backup. C. redundancies are built into the notification system. D. the notification systems are stored in a vault.

You answered B. The correct answer is C. A. The salvage team would not be able to use a severely damaged notification system, even if they are trained to use it. B. The recovery of the backups has no bearing on the notification system. C. If the notification system has been severely impacted by the damage, redundancy would be the best control. D. Storing the notification system in a vault would be of little value if the building is damaged.

Which of the following goals would you expect to find in an organization's strategic plan? A. Test a new accounting package. B. Perform an evaluation of information technology needs. C. Implement a new project planning system within the next 12 months. D. Become the supplier of choice for the product offered.

You answered B. The correct answer is D. A. Testing a new accounting package is a tactical or short-term goal and would not be included in a strategic plan. B. Performing an evaluation of information technology needs is a way to identify needs and measure performance, but not a goal to be found in a strategic plan. C. Implementing a new project planning system within the next 12 months is project-oriented and is a method of implementing a goal, but not the goal in itself. The goal would be to have better project management—the new system is how to achieve that goal. D. Becoming the supplier of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and would, thus, be a part of the organization's strategic plan.

Responsibility for the governance of IT should rest with the: A. IT strategy committee. B. chief information officer (CIO). C. audit committee. D. board of directors.

You answered B. The correct answer is D. A. The IT strategy committee plays a significant role in the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. B. The CIO plays a significant role in the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. C. The audit committee plays a significant role in monitoring and overseeing the successful implementation of IT governance within an organization, but the ultimate responsibility resides with the board of directors. D. Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly.

In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure: A. implementation. B. compliance. C. documentation. D. sufficiency.

You answered B. The correct answer is D. A. The first step is to review the baseline to ensure that it is adequate or sufficient to meet the security requirements of the organization. Then the IS auditor will ensure that it is implemented and measure compliance. B. Compliance cannot be measured until the baseline has been implemented, but the IS auditor must first ensure that the correct baseline is being implemented. C. After the baseline has been defined, it must be documented, and the IS auditor will check that the baseline is appropriate before checking for implementation. D. An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of the control baseline to meet security requirements.

A structured walk-through of a disaster recovery plan involves: A. representatives from each of the functional areas coming together to go over the plan. B. all employees who participate in the day-to-day operations coming together to practice executing the plan. C. moving the systems to the alternate processing site and performing processing operations. D. distributing copies of the plan to the various functional areas for review.

You answered C. The correct answer is A. A. A structured walk-through test of a disaster recovery plan involves representatives from each of the functional areas coming together to review the plan to determine if the plan pertaining to their area is accurate and complete, and can be implemented when required. B. To practice executing a plan is a simulation test to prepare and train the personnel who will be required to respond to disasters and disruptions. C. Moving the systems to an alternate facility is a form of parallel testing to ensure that critical systems will perform satisfactorily in the alternate site. D. Distributing copies of the plan for review is a checklist test.

With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor? A. Core activities that provide a differentiated advantage to the organization have been outsourced. B. Periodic renegotiation is not specified in the outsourcing contract. C. The outsourcing contract fails to cover every action required by the business. D. Similar activities are outsourced to more than one vendor.

You answered C. The correct answer is A. A. An organization's core activities generally should not be outsourced because they are what the organization does best; an IS auditor observing that should be concerned. B. An IS auditor should not be concerned about periodic renegotiation in the outsourcing contract because that is dependent on the term of the contract. C. Outsourcing contracts cannot be expected to cover every action and detail expected of the parties involved, but should cover business requirements. D. Multisourcing is an acceptable way to reduce risk associated with a single point of failure.

Disaster recovery planning (DRP) addresses the: A. technological aspect of business continuity planning (BCP). B. operational part of business continuity planning. C. functional aspect of business continuity planning. D. overall coordination of business continuity planning.

You answered C. The correct answer is A. A. Disaster recovery planning (DRP) is the technological aspect of business continuity plan (BCP) that focuses on IT systems and operations. B. Business resumption planning addresses the operational part of BCP. C. Disaster recovery addresses the technical components of business recovery. D. The overall coordination of BCP is accomplished through business continuity management and strategic plans. DRP addresses technical aspects of BCP.

An IS audit department is planning to minimize its dependency on key individuals. Activities that contribute to this objective are documented procedures, knowledge sharing, cross-training and: A. succession planning. B. staff job evaluation. C. responsibilities definitions. D. employee award programs.

You answered C. The correct answer is A. A. Succession planning ensures that internal personnel with the potential to fill key positions in the company are identified and developed. B. Job evaluation is the process of determining the worth of one job in relation to that of the other jobs in a company so that a fair and equitable wage and salary system can be established. C. Staff responsibilities definitions provide for well-defined roles and responsibilities; however, they do not minimize dependency on key individuals. D. Employee award programs provide motivation; however, they do not minimize dependency on key individuals.

The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the: A. duration of the outage. B. type of outage. C. probability of the outage. D. cause of the outage.

You answered C. The correct answer is A. A. The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives. B. The type of outage is not as important to the activation of the plan as the length or duration of the outage. C. The probability of the outage would be relevant to the frequency of incidents, not the need to activate the plan. The plan is designed to be activated after an event of a certain duration occurs. D. The cause of the outage may affect the response plan to be activated, but not the decision to activate the plan. The plan will be activated any time an event of a predetermined duration occurs.

Which of the following is the MOST important element for the successful implementation of IT governance? A. Implementing an IT scorecard B. Identifying organizational strategies C. Performing a risk assessment D. Creating a formal security policy

You answered C. The correct answer is B. A. A scorecard is an excellent tool to implement a program based on good governance, but the most important factor in implementing governance is alignment with organizational strategies. B. The key objective of an IT governance program is to support the business, thus the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices—even if implemented—would be ineffective. C. A risk assessment is important to ensure that the security program is based on areas of highest risk, but risk assessment must be based on organizational strategies. D. A policy is a key part of security program implementation, but even the policy must be based on organizational strategies.

An IS auditor of a large organization is reviewing the roles and responsibilities for the IT function and has found some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor? A. Network administrators are responsible for quality assurance. B. Security administrators are system programmers. C. End users are security administrators for critical applications. D. Systems analysts are database administrators.

You answered C. The correct answer is B. A. Ideally, network administrators should not be responsible for quality assurance because they could approve their own work. However, that is not as serious as the combination of security and programming, which would allow nearly unlimited abuse of privilege. B. When individuals serve multiple roles this represents a separation of duties problem with associated risk. Security administrators should not be system programmers, due to the associated rights of both functions. A person with both security and programming rights could do almost anything on a system. The other combinations of roles are valid from a separation of duties perspective. C. In some distributed environments, especially with small staffing levels, users may also manage security. D. While a database administrator is a very privileged position it would not be in conflict with the role of a systems analyst.

An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend? A. User acceptance testing (UAT) occur for all reports before release into production B. Organizational data governance practices be put in place C. Standard software tools be used for report development D. Management sign-off on requirements for new reports

You answered C. The correct answer is B. A. Recommending that user acceptance testing (UAT) occur for all reports before release into production does not address the root cause of the problem described. B. This choice directly addresses the problem. An organizationwide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative. C. Recommending standard software tools be used for report development does not address the root cause of the problem described. D. Recommending that management sign off on requirements for new reports does not address the root cause of the problem described.

Which of the following is the BEST criterion for evaluating the adequacy of an organization's security awareness program? A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection. B. Job descriptions contain clear statements of accountability for information security. C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts. D. No actual incidents have occurred that have caused a loss or a public embarrassment.

You answered C. The correct answer is B. A. Senior management's level of awareness and concern for information assets is a criterion for evaluating the importance that they attach to those assets and their protection, but is not as meaningful as having job descriptions that require all staff to be responsible for information security. B. The inclusion of security responsibilities in job descriptions is a key factor in demonstrating the maturity of the security program and helps ensure that staff and management are aware of their roles with respect to information security. C. Funding is important, but having funding does not ensure that the security program is effective or adequate. D. The number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program, but is not a criterion for evaluating a security program.

Which of the following BEST supports the prioritization of new IT projects? A. Internal control self-assessment (CSA) B. Information systems audit C. Investment portfolio analysis D. Business risk assessment

You answered D. The correct answer is C. A. Internal control self-assessment (CSA) may highlight noncompliance to the current policy, but may not necessarily be the best source for driving the prioritization of IT projects. B. Like internal CSA, IS audits are mostly a detective control and may provide only part of the picture for the prioritization of IT projects. C. It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy, but will provide the rationale for terminating nonperforming IT projects. D. Business risk analysis is part of the investment portfolio analysis but, by itself, is not the best method for prioritizing new IT projects.

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should: A. recommend that this separate project be completed as soon as possible. B. report this issue as a finding in the audit report. C. recommend the adoption of the Zachmann framework. D. re-scope the audit to include the separate project as part of the current audit.

You answered C. The correct answer is B. A. The IS auditor would not ordinarily provide input on the timing of projects, but rather provide an assessment of the current environment. The most critical issue in this scenario is that the enterprise architecture (EA) is undergoing change, so the IS auditor should be most concerned with reporting this issue. B. It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding. C. The company is free to choose any EA framework, and the IS auditor should not recommend a specific framework. D. Changing the scope of an audit to include the secondary project is not required, although a follow-up audit may be desired.

The PRIMARY outcome of a business impact analysis (BIA) is: A. a plan for resuming operations after a disaster. B. a commitment of the organization to physical and logical security. C. a framework for an effective disaster recovery plan (DRP). D. an understanding of the cost of an interruption.

You answered C. The correct answer is D. A. A business impact analysis (BIA) helps determine the recovery strategy, which sets the starting point for planning how to resume operations after a disaster. The plan, however, is not an outcome of the BIA. B. The perception of an organization's physical and logical security is not the primary objective of a BIA. The BIA determines critical business processes and time lines for recovery. C. The BIA provides an important input into business continuity planning, but not a framework for effective disaster recovery planning (DRP). D. A BIA helps one understand the cost of an interruption and identifies which applications and processes are most critical to the continued functioning of the organization.

A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP? A. Full-scale test with relocation of all departments, including IT, to the contingency site B. Walk-through test of a series of predefined scenarios with all critical personnel involved C. IT disaster recovery test with business departments involved in testing the critical applications D. Functional test of a scenario with limited IT involvement

You answered C. The correct answer is D. A. A full-scale test in the situation described might fail because it would be the first time that the plan is actually exercised, and a number of resources (including IT) and time would be wasted. B. The walk-through test is a basic type of testing. Its intention is to make key staff familiar with the plan and discuss critical plan elements, rather than verifying its adequacy. C. The recovery of applications should always be verified and approved by the business instead of being purely IT-driven. The IT plan has been tested repeatedly so a disaster recovery test would not help in verifying the administrative and organizational parts of the BCP, which are not IT-related. D. After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Because the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the BCP before actually involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule.

Which of the following is the PRIMARY objective of an IT performance measurement process? A. Minimize errors. B. Gather performance data. C. Establish performance baselines. D. Optimize performance.

You answered C. The correct answer is D. A. Minimizing errors is an aspect of performance, but not the primary objective of performance management. B. Gathering performance data is necessary to measure IT performance, but is not the objective of the process. C. The performance measurement process compares actual performance with baselines, but that is not the objective of the process. The objective is to optimize performance. D. An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions.

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? A. Overlapping controls B. Boundary controls C. Access controls D. Compensating controls

You answered C. The correct answer is D. A. Overlapping controls are two controls addressing the same control objective or exposure. Because primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls. B. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself, and are individual-based, not role-based, controls. C. Access controls for resources are based on individuals and not on roles. A lack of segregation of duties would mean that the IS auditor would expect to find that a person has higher levels of access than would be ideal. This would mean the IS auditor wants to find compensating controls to address this risk. D. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.

During a feasibility study regarding outsourcing IT processing, the relevance for the IS auditor of reviewing the vendor's business continuity plan (BCP) is to: A. evaluate the adequacy of the service levels that the vendor can provide in a contingency. B. evaluate the financial stability of the service bureau and its ability to fulfill the contract. C. review the experience of the vendor's staff. D. test the BCP.

You are correct, the answer is A. A. A key factor in a successful outsourcing environment is the capability of the vendor to face a contingency and continue to support the organization's processing requirements. B. Financial stability is not related to the vendor's BCP. C. Experience of the vendor's staff is not related to the vendor's BCP. D. The review of the vendor's BCP during a feasibility study is not a way to test the vendor's BCP.

An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to: A. verify how the organization follows the standards. B. identify and report the controls currently in place. C. review the metrics for quality evaluation. D. request all standards that have been adopted by the organization.

You answered C. The correct answer is D. A. The auditor needs to know what standards the organization has adopted and then measure compliance with those standards. Determining how the organization follows the standards is secondary to knowing what the standards are. The other items listed—verifying how well standards are being followed, identifying relevant controls and reviewing the quality metrics—are secondary to the identification of standards. B. The first step is to know the standards and what policies and procedures are mandated for the organization, then to document the controls and measure compliance. C. The metrics cannot be reviewed until the auditor has a copy of the standards that describe or require the metrics. D. Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist.

An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: A. this lack of knowledge may lead to unintentional disclosure of sensitive information. B. information security is not critical to all functions. C. IS audit should provide security training to the employees. D. the audit finding will cause management to provide continuous training to staff.

You answered D. The correct answer is A. A. All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders. B. Information security is everybody's business, and all staff should be trained in how to handle information correctly. C. Providing security awareness training is not an IS audit function. D. Management may agree to or reject an audit finding. The IS auditor cannot be assured that management will act upon an audit finding unless they are aware of its impact; therefore, the auditor must report the risk associated with lack of security awareness.

Which of the following is MOST critical for the successful implementation and maintenance of a security policy? A. Assimilation of the framework and intent of a written security policy by all appropriate parties B. Management support and approval for the implementation and maintenance of a security policy C. Enforcement of security rules by providing punitive actions for any violation of security rules D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

You answered D. The correct answer is A. A. Assimilation of the framework and intent of a written security policy by all levels of management and users of the system is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective. B. Management support and commitment is, no doubt, important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount. C. Punitive actions are needed to enforce the policy, but are not the key to successful implementation. D. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules is important, but it is dependent on the support and education of management and users on the importance of security.

Involvement of senior management is MOST important in the development of: A. strategic plans. B. IT policies. C. IT procedures. D. standards and guidelines.

You answered D. The correct answer is A. A. Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. B. IT policies are created and enforced by IT management and information security. They are structured to support the overall strategic plan. C. IT procedures are developed to support IT policies. Senior management is not involved in the development of procedures. D. Standards and guidelines are developed to support IT policies. Senior management is not involved in the development of standards, baselines and guidelines.

Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster? A. The alternate facility will be available until the original information processing facility is restored. B. User management is involved in the identification of critical systems and their associated critical recovery times. C. Copies of the plan are kept at the homes of key decision-making personnel. D. Feedback is provided to management assuring them that the business continuity plans are indeed workable and that the procedures are current.

You answered D. The correct answer is A. A. The alternate facility should be made available until the original site is restored to provide the greatest assurance of recovery after a disaster. Without this assurance, the plan will not be successful. B. Having user management involved in identifying critical systems will not provide assurance that the recovery can be achieved in the event of a disaster. C. Having copies of the plan available offsite will not provide assurance that the plan will work in the event of a disaster. D. Providing feedback to management is important but must be based on assurance that the plan will work. This can only be obtained through testing and review.

IS control objectives are useful to IS auditors because they provide the basis for understanding the: A. desired result or purpose of implementing specific control procedures. B. best IS security control practices relevant to a specific entity. C. techniques for securing information. D. security policy.

You are correct, the answer is A. A. An IS control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IS activity. B. Control objectives provide the actual objectives for implementing controls, and may or may not be based on best practices. C. Techniques are the means of achieving an objective, but it is more important to know the reason and objective for the control than to understand the technique itself. D. A security policy mandates the use of IS controls, but the controls are not used to understand policy.

An IS auditor discovers that the disaster recovery plan (DRP) for a company does not include a critical application that is hosted in the cloud. Management's response states that the cloud vendor is responsible for disaster recovery (DR) and DR-related testing. What is the NEXT course of action for the IS auditor to pursue? A. Plan an audit of the cloud vendor. B. Review the vendor contract to determine its disaster recovery (DR) capabilities. C. Review an independent auditor's report of the cloud vendor. D. Request a copy of the disaster recovery plan (DRP) from the cloud vendor.

You answered D. The correct answer is B. A. Auditing the cloud vendor would be useful; however, this would only be useful if the vendor is contractually required to provide disaster recovery (DR) services. B. DR services can only be expected from the vendor when explicitly listed in the contract with well-defined recovery time objectives (RTOs) and recovery point objectives (RPOs). Without the contractual language, the vendor is not required to provide DR services. C. An independent auditor's report, such as SSAE 16, on DR capabilities can be reviewed to ascertain the vendor's DR capabilities; however, this will only be fruitful if the vendor is contractually required to provide DR services. D. A copy of DR policies can be requested to review their adequacy; however, this will only be useful if the vendor is contractually required to provide DR services.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: A. claims to meet or exceed industry security standards. B. agrees to be subject to external security reviews. C. has a good market reputation for service and experience. D. complies with security policies of the organization.

You answered D. The correct answer is B. A. Compliance with security standards is important, but there is no way to verify or prove that is the case without an independent review. B. It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. C. Though long experience in business and good reputation is an important factor to assess service quality, the business cannot outsource to a provider whose security control is weak. D. Compliance with organizational security policies is important, but there is no way to verify or prove that that is the case without an independent review.

Which of the following should be of GREATEST concern to an IS auditor reviewing the business continuity plan (BCP) of an organization? A. Daily full backups are not performed for critical production files. B. A team of IT and information security staff conducted the business impact analysis (BIA). C. Sensitive information processes are manually performed during a disruption. D. An annual test of the BCP is not being performed.

You answered D. The correct answer is B. A. Daily full backups may not be required if incremental or differential backups are in place. B. To be effective, the business impact analysis (BIA) should be conducted with input from a wide array of stakeholders. The business requirements included within the BIA are integral in defining mean-time-to-repair and the data point recovery. Without business stakeholder input, these critical requirements may not be correctly defined, leading to critical assets being overlooked. C. As long as the service delivery objective is met and data are handled in alignment with the data classification and handling policy, it is appropriate for "sensitive" functions to be performed manually in the case of a business continuity plan (BCP) event. D. The frequency of testing is less important than business involvement in the creation of the BCP.

Which of the following is the initial step in creating a firewall policy? A. A cost-benefit analysis of methods for securing the applications B. Identification of network applications to be externally accessed C. Identification of vulnerabilities associated with network applications to be externally accessed D. Creation of an application traffic matrix showing protection methods

You answered D. The correct answer is B. A. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step. B. Identification of the applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. C. Having identified the externally accessed applications, the second step is to identify vulnerabilities (weaknesses) associated with the network applications. D. The fourth step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

Which of the following is the MOST important requirement for the successful test of a disaster recovery plan (DRP)? A. Participation by all of the resources identified in the plan B. Management approval of the test scenario C. Advance notice for all of the impacted employees D. IT management approval of the test scenario

You answered D. The correct answer is B. A. Not all resources need to participate in a test—only the personnel involved in the actual test scenario. A disaster recovery plan (DRP) should be flexible enough to adapt to using whatever personnel are available. B. Management approval of the testing scenario would help to ensure both that the test exercise was relevant and in alignment with business requirements. Obtaining management buy-in for the test is critical to the success of the disaster recovery testing. C. Advance notice for the impacted employees is not necessarily required if the test exercise is not expected to create service disruptions or other issues. D. A test scenario approved by business management approval is more likely to reflect the needs of the business. IT management may select a test scenario more focused on IT priorities, which may be less effective.

When developing a business continuity plan (BCP), which of the following tools should be used to gain an understanding of the organization's business processes? A. Business continuity self-audit B. Resource recovery analysis C. Risk assessment D. Gap analysis

You answered D. The correct answer is C. A. Business continuity self-audit is a tool for evaluating the adequacy of the business continuity plan (BCP), but not for gaining an understanding of the business. B. Resource recovery analysis is a tool for identifying the components necessary for a business resumption strategy, but not for gaining an understanding of the business. C. Risk assessment and business impact assessment are tools for understanding the business as a part of BCP. D. The role gap analysis can play in BCP is to identify deficiencies in a plan, but not for gaining an understanding of the business.

A subsidiary in another country is forced to depart from the parent organization's IT policies to conform to the local law. The BEST approach for the parent organization is to: A. create a provision to allow local policies to take precedence where required by law. B. have the subsidiary revise its policies to conform to the parent organization's policies. C. revise the parent organization's policies so that they match the subsidiary's policies. D. track the issue as a violation of policy with a note of the extenuating circumstances.

You are correct, the answer is A. A. Creating a provision to allow local policies to take precedence where required by local authorities allows the organization to implement the optimal level of control subject to legal limitations. B. This is not acceptable because it subjects the subsidiary to local fines and penalties. C. This is a less desirable alternative because the organization's overarching original policy may provide a superior or more suitable level of control and risk reduction from which the remainder of the organization should continue to benefit. D. Tracking the issue as a policy violation fails to satisfactorily resolve the issue and recognize the need for flexibility.

A top-down approach to the development of operational policies helps ensure: A. that they are consistent across the organization. B. that they are implemented as a part of risk assessment. C. compliance with all policies. D. that they are reviewed periodically.

You are correct, the answer is A. A. Deriving lower level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. B. Policies should be influenced by risk assessment, but the primary reason for a top-down approach is to ensure that the policies are consistent across the organization. C. A top-down approach, of itself, does not ensure compliance. D. A top-down approach, of itself, does not ensure that policies are reviewed.

As an outcome of information security governance, strategic alignment provides: A. security requirements driven by enterprise requirements. B. baseline security following best practices. C. institutionalized and commoditized solutions. D. an understanding of risk exposure.

You are correct, the answer is A. A. Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements. B. Strategic alignment ensures that security aligns with business goals. Providing a standard set of security practices, i.e., baseline security following best practices or institutionalized and commoditized solutions, is a part of value delivery. C. Value delivery addresses the effectiveness and efficiency of solutions, but is not a result of strategic alignment. D. Risk management is a primary goal of IT governance, but strategic alignment is not focused on understanding risk exposure.

An IS auditor should be concerned when a telecommunication analyst: A. monitors systems performance and tracks problems resulting from program changes. B. reviews network load requirements in terms of current and future transaction volumes. C. assesses the impact of the network load on terminal response times and network data transfer rates. D. recommends network balancing procedures and improvements.

You are correct, the answer is A. A. Monitoring systems performance and tracking problems as a result of program changes would be outside the role and responsibilities of a telecommunications analyst. B. The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes. C. The responsibilities of a telecommunications analyst include assessing the impact of network load or terminal response times and network data transfer rates. D. The responsibilities of a telecommunications analyst include recommending network balancing procedures and improvements.

A benefit of open system architecture is that it: A. facilitates interoperability. B. facilitates the integration of proprietary components. C. will be a basis for volume discounts from equipment vendors. D. allows for the achievement of more economies of scale for equipment.

You are correct, the answer is A. A. Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. B. Closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface with existing systems. C. The ability to obtain volume discounts is achieved through the use of bulk purchasing or a primary vendor, not through open system architecture. D. Open systems may be less expensive than proprietary systems depending on the supplier, but the primary benefit of open system architecture is its interoperability between vendors.

With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the: A. clarity and simplicity of the business continuity plans. B. adequacy of the business continuity plans. C. effectiveness of the business continuity plans. D. ability of IS and end-user personnel to respond effectively in emergencies.

You are correct, the answer is A. A. The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple. B. To evaluate adequacy, the IS auditor should review the plans and compare them to appropriate standards and the results of tests of the plan. C. To evaluate effectiveness, the IS auditor should review the results from previous tests or incidents. This is the best determination for the evaluation of effectiveness. An understanding of roles and responsibilities by key stakeholders will assist in ensuring the business continuity plan is effective. D. To evaluate the response, the IS auditor should review results of continuity tests. This will provide the IS auditor with assurance that target and recovery times are met. Emergency procedures and employee training need to be reviewed to determine whether the organization has implemented plans to allow for an effective response.

A financial institution has recently developed and installed a new deposit system which interfaces with its customer web site and its automated teller machines (ATMs). During the project, the development team and the business continuity team maintained good communication and the business continuity plan (BCP) has been updated to include the new system. A suitable BCP test to perform at this point in time would be: A. using actual resources to perform a simulation of a system crash. B. a detailed paper walk-through of the plan. C. a penetration test for the web site interface application. D. performing a failover of the system at the designated secondary site.

You are correct, the answer is A. A. The expectation is that the basic mechanics of recovery for the new system are understood and the recovery infrastructure has been put into place. An appropriate test now would be to involve actual resources in a simulated recovery exercise. This exercise would test the new recovery infrastructure under controlled conditions. B. Assuming that recovery options have been actively considered during development (as they would need to be for a mission-critical system), a paper walk-through would be of limited value because it is only a modification to an existing plan. C. A security assessment or penetration test is vital for any application exposed to the Internet, but should have been performed much earlier in the process. D. Performing a failover test should only be done after the more basic tests of a simulation and walk-through have been completed.

When implementing an IT governance framework in an organization the MOST important objective is: A. IT alignment with the business. B. accountability. C. value realization with IT. D. enhancing the return on IT investments.

You are correct, the answer is A. A. The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business. To achieve alignment, all other choices need to be tied to business practices and strategies. B. Accountability is important, but the most important objective of IT governance is to ensure that IT investment and oversight is aligned with business requirements. C. IT must demonstrate value to the organization, but this value is dependent on the ability of IT to align with, and support, business requirements. D. Enhancing return is a requirement of the IT governance framework, but this requirement is only demonstrated through aligning IT with business requirements.

When auditing the archiving of the company's email communications, the IS auditor should pay the MOST attention to: A. the existence of a data retention policy. B. the storage capacity of the archiving solution. C. the level of user awareness concerning email use. D. the support and stability of the archiving solution manufacturer.

You are correct, the answer is A. A. Without a data retention policy that is aligned to the company's business and compliance requirements, the email archive may not preserve and reproduce the correct information when required. B. The storage capacity of the archiving solution would be irrelevant if the proper email messages have not been properly preserved and others have been deleted. C. The level of user awareness concerning email use would not directly affect the completeness and accuracy of the archived email. D. The support and stability of the archiving solution manufacturer is secondary to the need to ensure a retention policy. Vendor support would not directly affect the completeness and accuracy of the archived email.

An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business value. Which of the following would be MOST relevant? A. A capability maturity model (CMM) B. Portfolio management C. Configuration management D. Project management body of knowledge (PMBOK)

You are correct, the answer is B. A. A capability maturity model (CMM) would not help determine the optimal portfolio of capital projects because it is a means of assessing the relative maturity of the IT processes within an organization: running from Level 0 (Incomplete—Processes are not implemented or fail to achieve their purpose) to Level 5 (Optimizing—Metrics are defined and measured, and continuous improvement techniques are in place). B. Portfolio management is designed to assist in the definition, prioritization, approval and running of a set of projects within a given organization. These tools offer data capture, workflow and scenario planning functionality, which can help identify the optimum set of projects (from the full set of ideas) to take forward within a given budget. C. A configuration management database (which stores the configuration details for an organization's IT systems) is an important tool for IT service delivery and, in particular, change management. It may provide information that would influence the prioritization of projects, but is not designed for that purpose. D. PMBOK is a methodology for the management and delivery of projects. It offers no specific guidance or assistance in optimizing a project portfolio.

To support an organization's goals, an IT department should have: A. a low-cost philosophy. B. long- and short-range plans. C. leading-edge technology. D. plans to acquire new hardware and software.

You are correct, the answer is B. A. A low-cost philosophy is one objective, but more important is the cost/benefit and the relation of IT investment cost to business strategy. B. To ensure its contribution to the realization of an organization's overall goals, the IT department should have long- and short-range plans that are consistent with the organization's broader and strategic plans for attaining its goals. C. Leading-edge technology is an objective, but IT plans would be needed to ensure that those plans are aligned with organizational goals. D. Plans to acquire new hardware and software could be a part of the overall plan, but would be required only if hardware or software is needed to achieve the organizational goals.

IT governance is PRIMARILY the responsibility of the: A. chief executive officer (CEO). B. board of directors. C. IT steering committee. D. audit committee.

You are correct, the answer is B. A. The chief executive officer (CEO) is instrumental in implementing IT governance according to the directions of the board of directors. B. IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors). C. The IT steering committee monitors and facilitates deployment of IT resources for specific projects in support of business plans. The IT steering committee enforces governance on behalf of the board of directors. D. The audit committee reports to the board of directors and executes governance-related audits. The audit committee should monitor the implementation of audit recommendations.

To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the: A. enterprise data model. B. IT balanced scorecard (BSC). C. IT organizational structure. D. historical financial statements.

You are correct, the answer is B. A. An enterprise data model is a document defining the data structure of an organization and how data interrelate. It is useful, but it does not provide information on investments in IT assets. B. The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. In this way the auditor can measure the success of the IT investment and strategy. C. The IT organizational structure provides an overview of the functional and reporting relationships in an IT entity, but does not ensure effectiveness of IT investment. D. Historical financial statements do not provide information about planning and lack sufficient detail to enable one to fully understand management's activities regarding IT assets. Past costs do not necessarily reflect value, and assets such as data are not represented on the books of accounts.

An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data? A. Data retention, backup and recovery B. Return or destruction of information C. Network and intrusion detection D. A patch management process

You are correct, the answer is B. A. Data retention, backup and recovery are important controls; however, they do not guarantee data privacy. B. When reviewing a third-party agreement, the most important consideration with regard to the privacy of the data is the clause concerning the return or secure destruction of information at the end of the contract. C. Network and intrusion detection are helpful when securing the data, but on their own do not guarantee data privacy stored at a third-party provider. D. A patch management process helps secure servers, and may prohibit unauthorized disclosure of data; however, it does not affect the privacy of the data.

A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and: A. recovery. B. retention. C. rebuilding. D. reuse.

You are correct, the answer is B. A. Email policy should address the business and legal requirements of email retention. Addressing the retention issue in the email policy would facilitate recovery. B. Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which email communication is held in the same regard as the official form of classic "paper" makes the retention policy of corporate email a necessity. All email generated on an organization's hardware is the property of the organization, and an email policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of emails after a specified time to protect the nature and confidentiality of the messages themselves. C. Email policy should address the business and legal requirements of email retention. Addressing the retention issue in the email policy would facilitate rebuilding. D. Email policy should address the business and legal requirements of email retention. Reuse of email is not a policy matter.

An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider's employees adhere to the security policies? A. Sign-off is required on the enterprise's security policies for all users. B. An indemnity clause is included in the contract with the service provider. C. Mandatory security awareness training is implemented for all users. D. Security policies should be modified to address compliance by third-party users.

You are correct, the answer is B. A. Having users sign off on policies is a good practice; however, this only puts the onus of compliance on the individual user, not on the organization. B. Having the service provider sign an indemnity clause will ensure compliance to the enterprise's security policies because any violations discovered would lead to a financial liability for the service provider. This will also prompt the enterprise to monitor security violations closely. C. Awareness training is an excellent control but will not ensure that the service provider's employees adhere to policy. D. Modification of security policy does not ensure compliance by users unless the policies are appropriately communicated to users and enforced, and awareness training is provided.

After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following would be the GREATEST risk? A. Project management and progress reporting is combined in a project management office which is driven by external consultants. B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems. D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

You are correct, the answer is B. A. In postmerger integration programs, it is common to form project management offices (often staffed with external experts) to ensure standardized and comparable information levels in the planning and reporting structures, and to centralize dependencies of project deliverables or resources. B. The efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications. C. The development of new integrated systems can require some knowledge of the legacy systems to gain an understanding of each business process. D. In most cases, mergers result in application changes and thus in training needs as organizations and processes change to leverage the intended synergy effects of the merger.

The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor? A. The right to audit clause was not included in the contract. B. The business case was not established. C. There was no source code escrow agreement. D. The contract does not cover change management procedures.

You are correct, the answer is B. A. The lack of the right to audit clause presents a risk to the organization; however, the risk is not as consequential as the lack of a business case. B. Because the business case was not established, it is likely that the business rationale, risk and risk mitigation strategies for outsourcing the application development were not fully evaluated and the appropriate information was not provided to senior management for formal approval. This situation presents the biggest risk to the organization. C. If the source code is held by the provider and not provided to the organization, the lack of source code escrow presents a risk to the organization; however, the risk is not as consequential as the lack of a business case. D. The lack of change management procedures presents a risk to the organization, especially with the possibility of extraordinary charges for any required changes; however, the risk is not as consequential as the lack of a business case.

Which of the following is the BEST reason to implement a policy which places conditions on secondary employment for IT employees? A. To ensure that employees are not misusing corporate resources B. To prevent conflicts of interest C. To prevent employee performance issues D. To prevent theft of IT assets

You are correct, the answer is B. A. The misuse of corporate resources is an issue that must be addressed but is not necessarily related to secondary employment. B. The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Policies should be in place to control IT employees seeking secondary employment from releasing sensitive information or working for a competing company. Conflicts of interest could result in serious risk such as fraud, theft of intellectual property or other improprieties. C. Employee performance can certainly be an issue if an employee is overworked or has insufficient time off, but that should be dealt with as a management function and not the primary reason to have a policy on secondary employment. D. Theft of assets is a problem but not necessarily related to secondary employment.

Which of the following is the MOST important aspect of effective business continuity management? A. The recovery site is secure and located an appropriate distance from the primary site. B. The recovery plans are tested periodically. C. Fully tested backup hardware is available at the recovery site. D. Network links are available from multiple service providers.

You are correct, the answer is B. A. The recovery site should be far enough away to avoid being affected by the same disaster that strikes the primary site, but that is not the most important part of the business continuity plan (BCP). It is more important that the plan is tested. B. Periodic testing of the recovery plan is critical to ensure that whatever has been planned and documented is feasible. The other options are more tactical considerations that are secondary to the need for testing. C. Having tested backups is important, but only addresses a part of the BCP. It is more important that the entire plan is tested. D. Network redundancy is important for many organizations, but not as important as the need to test the plan.

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should: A. compute the amortization of the related assets. B. calculate a return on investment (ROI). C. apply a qualitative approach. D. spend the time needed to define the loss amount exactly.

You are correct, the answer is C. A. Amortization is used in a profit and loss statement, not in computing potential losses. B. A return on investment (ROI) is computed when there is predictable savings or revenues that can be compared to the investment needed to realize the revenues. C. The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). D. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change and, at the end of the day, the result will be a not well-supported evaluation.

Which of the following reasons BEST describes the purpose of a mandatory vacation policy? A. To ensure that employees are properly cross-trained in multiple functions B. To improve employee morale C. To identify potential errors or inconsistencies in business processes D. To be used as a cost-saving measure

You are correct, the answer is C. A. Ensuring that employees are properly cross-trained in multiple functions improves the skills of employees and provides for succession planning, but is not the primary purpose of mandatory vacations. B. Improving employee morale helps in reducing employee burnout, but is not the primary reason for mandatory vacations. C. Mandatory vacations help uncover potential fraud or inconsistencies. Ensuring that people who have access to sensitive internal controls or processes take a mandatory vacation annually is often a regulatory requirement and, most important, a good way to uncover fraud. D. Mandatory vacations may or may not be a cost-saving measure, depending on the enterprise.

When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the: A. establishment of a review board. B. creation of a security unit. C. effective support of an executive sponsor. D. selection of a security process owner.

You are correct, the answer is C. A. Establishment of a review board is not effective without visible sponsorship of top management. B. The creation of a security unit is not effective without visible sponsorship of top management. C. The executive sponsor would be in charge of supporting the organization's strategic security program, and would aid in directing the organization's overall security management activities. Therefore, support by the executive level of management is the most critical success factor (CSF). D. The selection of a security process owner is not effective without visible sponsorship of top management.

While reviewing the IT governance processes of an organization, an auditor discovers that the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation? A. Key performance indicators (KPIs) are not reported to management and management cannot determine the effectiveness of the BSC. B. IT projects could suffer from cost overruns. C. Misleading indications of IT performance may be presented to management. D. IT service level agreements (SLAs) may not be accurate.

You are correct, the answer is C. A. If the performance indicators are not objectively measurable, the most significant risk would be the presentation of misleading performance results to management. This could result in a false sense of assurance and, as a result, IT resources may be misallocated or strategic decisions may be based on incorrect information. Whether or not the performance indicators are correctly defined, the results would be reported to management. B. Although project management issues could arise from performance indicators that were not correctly defined, the presentation of misleading performance to management is a much more significant risk. C. The IT BSC is designed to measure IT performance. To measure performance, a sufficient number of "performance drivers" or KPIs must be defined and measured over time. Failure to have objective KPIs may result in arbitrary, subjective measures that may be misleading. D. Although performance management issues related to SLAs could arise from performance indicators that were not correctly defined, the presentation of misleading performance to management is a much more significant risk.

An IT steering committee should: A. include a mix of members from different departments and staff levels. B. ensure that IS security policies and procedures have been executed properly. C. maintain minutes of its meetings and keep the board of directors informed. D. be briefed about new trends and products at each meeting by a vendor.

You are correct, the answer is C. A. Only senior management or high-level staff members should be on this committee because of its strategic mission. B. Ensuring that information security policies and procedures have been executed properly is not a responsibility of this committee, but the responsibility of IT management and the security administrator. C. It is important to keep detailed IT steering committee minutes to document the decisions and activities of the IT steering committee, and the board of directors should be informed about those decisions on a timely basis. D. A vendor should be invited to meetings only when appropriate.

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: A. hardware configuration. B. access control software. C. ownership of intellectual property. D. application development methodology.

You are correct, the answer is C. A. The hardware configuration is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. B. The access control software is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. C. The contract must specify who owns the intellectual property (i.e., information being processed, application programs). Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract. D. The development methodology should be of no real concern in an outsourcing contract.

During the design of a business continuity plan, the business impact analysis (BIA) identifies critical processes and supporting applications. This will PRIMARILY influence the: A. responsibility for maintaining the business continuity plan. B. criteria for selecting a recovery site provider. C. recovery strategy. D. responsibilities of key personnel.

You are correct, the answer is C. A. The responsibility for maintaining the business continuity plan is decided after the selection or design of the appropriate recovery strategy and development of the plan. B. The criteria for selecting a recovery site provider are decided after the selection or design of the appropriate recovery strategy. C. The most appropriate strategy is selected based on the relative risk level, time lines and criticality identified in the business impact analysis (BIA). D. The responsibilities of key personnel are decided after the selection or design of the appropriate recovery strategy during the plan development phase.

An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task? A. Immediately report the risk to the chief information officer (CIO) and chief executive officer (CEO). B. Examine the e-business application in development. C. Identify threats and the likelihood of occurrence. D. Check the budget available for risk management.

You are correct, the answer is C. A. The risk can only be determined after the threats, likelihood and vulnerabilities are all documented. B. The first step is to identify the risk levels to existing applications and then to apply those to applications in development. Risk can only be identified after the threats and likelihood have also been determined. C. To determine the risk associated with e-business, an IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. D. The budget available for risk management is not relevant at this point because the risk has not yet been determined.

Which of the following must exist to ensure the viability of a duplicate information processing facility? A. The site is near the primary site to ensure quick and efficient recovery. B. The site contains the most advanced hardware available. C. The workload of the primary site is monitored to ensure adequate backup is available. D. The hardware is tested when it is installed to ensure it is working properly.

You are correct, the answer is C. A. The site chosen should not be subject to the same natural disaster as the primary site. Being close may be a risk or an advantage, depending on the type of expected disaster. B. A reasonable compatibility of hardware/software must exist to serve as a basis for backup. The latest or newest hardware may not adequately serve this need. C. Resource availability must be assured. The workload of the primary site must be monitored to ensure that availability at the alternate site for emergency backup use is sufficient. D. Testing the hardware when the site is established is essential, but regular testing of the actual backup data is necessary to ensure that the operation will continue to perform as planned.

An organization's disaster recovery plan (DRP) should address early recovery of: A. all information systems processes. B. all financial processing applications. C. only those applications designated by the IS manager. D. processing in priority order, as defined by business management.

You are correct, the answer is D. A. A disaster recovery plan (DRP) will recover most critical systems first according to business priorities. B. Depending on business priorities, financial systems may or may not be the first to be recovered. C. The business manager, not the IS manager, will determine priorities for system recovery. D. Business management should know which systems are critical and what they need to process well in advance of a disaster. It is management's responsibility to develop and maintain the plan. Adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service organizations that exist for the purpose of assisting the general user management in successfully performing their jobs.

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation? A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts. B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle. C. No recommendation is necessary because the current approach is appropriate for a medium-sized organization. D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization's risk management.

You are correct, the answer is D. A. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risk is usually manageable enough so that external help would not be needed. B. While common risk may be covered by industry standards, they cannot address the specific situation of an organization. Individual types of risk will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient to manage IT risk. C. The auditor should recommend a formal IT risk management effort because the failure to demonstrate responsible IT risk management may be a liability for the organization. D. Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk register and mitigation plans up to date.

An IS auditor is verifying IT policies and found that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST? A. Ignore the absence of management approval because employees follow the policies. B. Recommend immediate management approval of the policies. C. Emphasize the importance of approval to management. D. Report the absence of documented approval.

You are correct, the answer is D. A. Absence of management approval is an important (material) finding and while it is not currently an issue with relation to compliance because the employees are following the policy without approval, it may be a problem at a later time and should be resolved. B. While the IS auditor would likely recommend that the policies should be approved as soon as possible, and may also remind management of the critical nature of this issue, the first step would be to report this issue to the relevant stakeholders. C. The first step is to report the finding and provide recommendations later. D. The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee were terminated as a result of violating a company policy and it was discovered that the policies had not been approved, the company could be faced with an expensive lawsuit.

In a small manufacturing business, an employee is doing both manufacturing work as well as all the programming activities. Which of the following is the BEST control to mitigate risk in the given scenario? A. Access restrictions to prevent the clerk from accessing the production environment B. Segregation of duties implemented by hiring additional staff C. Automated logging of all program changes in the production environment D. Procedures to verify that only approved program changes are implemented

You are correct, the answer is D. A. Denying the clerk access to the production environment would prevent work from being performed unless additional staff were retained, which is not a realistic solution and may not be economically viable for a small organization. B. Segregation of duties will prevent a combination of conflicting functions, but it may not be practical in a small business to hire and maintain additional staff to achieve the desired segregation of duties. C. Logging of program changes in the production environment will detect changes after they have been implemented, but will not prevent unauthorized changes. D. Procedures to verify and review that only approved changes are implemented would be an effective control in this scenario.

The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it: A. does not exceed the existing IT budget. B. is aligned with the investment strategy. C. has been approved by the IT steering committee. D. is aligned with the business plan.

You are correct, the answer is D. A. It should be identified if the project portfolio exceeds the IT budget, but it is not as critical as ensuring that it is aligned with the business plan. B. The project portfolio should be aligned with the investment strategy, but it is most important that it is aligned with the business plan. C. Appropriate approval of the project portfolio should be granted. However, not every enterprise has an IT steering committee, and this is not as critical as ensuring that the projects are aligned with the business plan. D. Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.

During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern? A. Maximum acceptable downtime metrics have not been defined in the contract. B. The IT department does not manage the relationship with the cloud vendor. C. The help desk call center is in a different country, with different privacy requirements. D. Company-defined security policies are not applied to the cloud application.

You are correct, the answer is D. A. Maximum acceptable downtime is a good metric to have in the contract to ensure application availability; however, HR applications are usually not mission-critical and, therefore, maximum acceptable downtime is not the most significant concern in this scenario. B. The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team; however, it is not essential that the individual or team belong to the IT department. C. A company-defined security policy would ensure that help desk personnel would not have access to personnel data, and this would be covered under the security policy. The more critical issue would be that the application complied with the security policy. D. Cloud applications should adhere to the company-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.