CISA - EXAM 2


Q15) An Internet-based attack using password sniffing can: A) be used to gain access to systems containing proprietary information. B) enable one party to act as if they are another party. C) result in major problems with billing systems and transaction processing agreements. D) cause modification to the contents of certain transactions.

A) Be used to gain access to systems containing proprietary information is correct. Password sniffing attacks can be used to gain access to systems on which proprietary information is stored. B) Enable one party to act as if they are another party is incorrect. Spoofing attacks can be used to enable one party to act as if they are another party. D) Cause modification to the contents of certain transactions is incorrect. Data modification attacks can be used to modify the contents of certain transactions. C) Result in major problems with billing systems and transaction processing agreements is incorrect. Repudiation of transactions can cause major problems with billing systems and transaction processing agreements.

Q23) Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program? A) Ask the security administrator. B) Interview a sample of employees. C) Review the security training program. D) Review the security reminders to employees.

B) Interview a sample of employees is correct. This is the best way to determine the effectiveness of a security awareness and training program because overall awareness must be determined, and effective security is dependent on people. Reviewing the security training program would not be the ultimate indicator of the effectiveness of the awareness training. C) Review the security training program is incorrect. A security training program may be well designed, but the results of the program will be determined by employee awareness. A) Ask the security administrator is incorrect. This would not show the effectiveness of a security awareness and training program because such a program should target more than just the administrator. D) Review the security reminders to the employees is incorrect. This is not the best way to find out the effectiveness of the training awareness because sending reminders may result in little actual awareness.

Q38) The use of residual biometric information to gain unauthorized access is an example of which of the following attacks? A) Mimic B) Cryptographic C) Replay D) Brute force

C) Replay is correct. Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused by an attacker to gain unauthorized access. D) Brute force is incorrect. This involves feeding the biometric capture device numerous different biometric samples. B) Cryptographic is incorrect. This targets the algorithm or the encrypted data. A) Mimic is incorrect. In this attack, the attacker reproduces characteristics similar to those of the enrolled user such as forging a signature or imitating a voice.

Q8) An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: A) Information security is not critical to all functions. B) IS audit should provide security training to the employees. C) This lack of knowledge may lead to unintentional disclosure of sensitive information. D) The audit finding will cause management to provide continuous training to staff.

C) This lack of knowledge may lead to unintentional disclosure of sensitive information is correct. All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders. A) Information security is not critical to all functions is incorrect. Information security is everybody's business, and all staff should be trained in how to handle information correctly. B) IS audit should provide security training to the employees is incorrect. Providing security awareness training is not an IS audit function. D) The audit finding will cause management to provide continuous training to staff is incorrect. Management may agree to or reject an audit finding. The IS auditor cannot be assured that management will act upon an audit finding unless they are aware of its impact; therefore, the auditor must report the risk associated with lack of security awareness.

Q78) A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision? A) Technical skills and knowledge within the organization related to sourcing and software development B) Whether the legacy system being replaced was developed in-house C) Privacy requirements as applied to the data processed by the application D) The users not devoting reasonable time to define the functionalities of the solution

A) Technical skills and knowledge within the organization related to sourcing and software development is correct. Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application. C) Privacy requirements as applied to the data processed by the application is incorrect. Privacy regulations would apply to both solutions. B) Whether the legacy system being replaced was developed in-house is incorrect. While individuals with knowledge of the legacy system are helpful, they may not have the technical skills to build a new system. Therefore, this is not the primary factor influencing the make versus buy decision. D) The users not devoting reasonable time to define the functionalities of the solution is incorrect. Unclear business requirements (functionalities) will similarly affect either development process but are not the primary factor influencing the make versus buy decision.

Q80) An IS auditor is assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? A) The contractual warranties of the providers support the business needs of the organization. B) The service level agreement of each contract is substantiated by appropriate key performance indicators. C) At contract termination, support is guaranteed by each outsourcer for new outsourcers. D) An audit clause is present in all contracts.

A) The contractual warranties of the providers support the business needs of the organization is correct. The primary requirement is for the services provided by the outsource supplier to meet the needs of the business. D) An audit clause is present in all contracts is incorrect. All other choices are important, but the first step is to ensure that the contracts support the business; only then can an audit process be valuable. B) The service level agreement of each contract is substantiated by appropriate key performance indicators is incorrect. All service level agreements should be measurable and reinforced through key performance indicators, but the first step is to ensure that the SLAs are aligned with business requirements. C) At contract termination, support is guaranteed by each outsourcer for new outsourcers is incorrect. Having appropriate controls in place for contract termination is important, but first the IS auditor must be focused on the requirement of the supplier to meet business needs.

Q42) Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production? A) Back up all affected records before allowing the developer to make production changes. B) Provide and monitor separate developer login IDs for programming and for production support. C) Capture activities of the developer in the production environment by enabling detailed audit trails. D) Ensure that all changes are approved by the change manager prior to implementation.

B) Provide and monitor separate developer login IDs for programming and for production support is correct. Providing separate login IDs that would only allow a developer privileged access when required is a good compensating control, but it must also be backed up with monitoring and supervision of the activity of the developer. C) Capture activities of the developer in the production environment by enabling detailed audit trails is incorrect. While capturing activities of the developer via audit trails or logs would be a good practice, the control would not be effective unless these audit trails are reviewed on a periodic basis. A) Back up all affected records before allowing the developer to make production changes is incorrect. This would allow for rollback in case of an error but would not prevent or detect unauthorized changes. D) Ensure that all changes are approved by the change manager prior to implementation is incorrect. Even though changes are approved by the change manager, a developer with full access can easily circumvent this control.

Q99) Which of the following is the MOST effective control when granting temporary access to vendors? A) Administrator access is provided for a limited period. B) User IDs are deleted when the work is completed. C) Vendor access corresponds to the service level agreement. D) User accounts are created with expiration dates and are based on services provided.

D) User accounts are created with expiration dates and are based on services provided is correct. The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (automated is best) associated with each unique ID. The use of an identity management system enforces temporary and permanent access for users, at the same time ensuring proper accounting of their activities. C) Vendor access corresponds to the service level agreement is incorrect. The service level agreement may have a provision for providing access, but this is not a control; it would merely define the need for access. A) Administrator access is provided for a limited period is incorrect. Vendors may require administrator access for a limited period during the time of service. However, it is important to ensure that the level of access granted is set according to least privilege and that access during this period is monitored. B) User IDs are deleted when the work is completed is incorrect. Deleting these user IDs after the work is completed is necessary, but if not automated, the deletion could be overlooked. The access should only be granted at the level of work required.

Q150) The GREATEST benefit of having well-defined data classification policies and procedures is: A) a decreased cost of controls. B) a reduced risk of inappropriate system access. C) a more accurate inventory of information assets. D) an improved regulatory compliance.

A) A decreased cost of controls is correct. An important benefit of a well-defined data classification process would be to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data. Without a proper classification framework, some security controls may be greater and, therefore, costlier than is required based on the data classification. C) A more accurate inventory of information assets is incorrect. This is a benefit but would not be the greatest benefit of the choices listed. B) A reduced risk of inappropriate system access is incorrect. Classifying the data may assist in reducing the risk of inappropriate system access, but that would not be the greatest benefit. D) An improved regulatory compliance is incorrect. This would be a benefit; however, achieving a cost reduction would be a greater benefit.

Q115) An IS auditor reviewing a network log discovers that an employee ran elevated commands on their PC by invoking the task scheduler to launch restricted applications. This is an example of what type of attack? A) A privilege escalation B) An impersonation C) A race condition D) A buffer overflow

A) A privilege escalation is correct. This is a type of attack where higher-level system authority is obtained by various methods. In this example, the task scheduler service runs with administrator permissions, and a security flaw allows programs launched by the scheduler to run at the same permission level. C) A race condition is incorrect. This exploit involves the timing of two events and an action that causes one event to happen later than expected. The scenario given is not an example of a race condition exploit. D) A buffer overflow is incorrect. This involves actions that take advantage of a defect in the way an application or system uses memory. By overloading the memory storage mechanism, the system will perform in unexpected ways. The scenario given is not an example of a buffer overflow exploit. B) An impersonation is incorrect. Impersonation attacks involve an error in the identification of a privileged user. The scenario given is not an example of this exploit.

Q128) Which of the following is the BEST control over a guest wireless ID that is given to vendor staff? A) Assignment of a renewable user ID which expires daily B) Ensuring that wireless network encryption is configured properly C) Use of a user ID format similar to that used by employees D) A write-once log to monitor the vendor's activities on the system

A) Assignment of a renewable user ID which expires daily is correct. A renewable user ID which expires daily would be a good control because it would ensure that wireless access will automatically terminate daily and cannot be used without authorization. D) A write-once log to monitor the vendor's activities on the system is incorrect. While it is recommended to monitor vendor activities while vendor staff are on the system, this is a detective control and thus is not as strong as a preventive control. C) Use of a user ID format similar to that used by employees is incorrect. The user ID format does not change the overall security of the wireless connection. B) Ensuring that wireless network encryption is configured properly is incorrect. Controls related to the encryption of the wireless network are important; however, the access to that network is a more critical issue.

Q139) Which of the following is the BEST control to prevent the deletion of audit logs by unauthorized individuals in an organization? A) Only select personnel should have rights to view or delete audit logs. B) Actions performed on log files should be tracked in a separate log. C) Backups of audit logs should be performed periodically. D) Write access to audit logs should be disabled.

A) Only select personnel should have rights to view or delete audit logs is correct. Granting access to audit logs to only system administrators and security administrators would reduce the possibility of these files being deleted. B) Actions performed on log files should be tracked in a separate log is incorrect. Having additional copies of log file activity would not prevent the original log files from being deleted. D) Write access to audit logs should be disabled is incorrect. For servers and applications to operate correctly, write access cannot be disabled. C) Backups of audit logs should be performed periodically is incorrect. Frequent backups of audit logs would not prevent the logs from being deleted.

Q141) The specific advantage of white box testing is that it: A) determines procedural accuracy or conditions of a program's specific logic paths. B) examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system. C) ensures a program's functional operating effectiveness without regard to the internal program structure. D) verifies a program can operate successfully with other parts of the system.

A) Determines procedural accuracy or conditions of a program's specific logic paths is correct. White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths. D) Verifies a program can operate successfully with other parts of the system is incorrect. Verifying the program can operate successfully with other parts of the system is sociability testing. C) Ensures a program's functional operating effectiveness without regard to the internal program structure is incorrect. Testing the program's functionality without knowledge of internal structures is black box testing. B) Examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system is incorrect. Controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring in virtual machines, is sandbox testing.

Q144) Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power? A) Power line conditioners B) Surge protective devices C) Interruptible power supplies D) Alternative power supplies

A) Power line conditioners is correct. These are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. B) Surge protective devices is incorrect. These protect against high-voltage bursts. D) Alternative power supplies is incorrect. These are intended for power failures that last for longer periods and are normally coupled with other devices such as an uninterruptible power supply to compensate for the power loss until the alternate power supply becomes available. C) Interruptible power supplies is incorrect. These would cause the equipment to come down whenever there was a power failure.

Q125) Due to a reorganization, a business application system will be extended to other departments. Which of the following should be of the GREATEST concern for an IS auditor? A) Process owners have not been identified. B) Multiple application owners exist. C) The billing cost allocation method has not been determined. D) A training program does not exist.

A) Process owners have not been identified is correct. When one application is expanded to multiple departments, it is important to ensure the mapping between the process owner and system functions. The absence of a defined process owner may cause issues with monitoring or authorization controls. C) The billing cost allocation method has not been determined is incorrect. The allocation method of application usage cost is of less importance. B) Multiple application owners exist is incorrect. The fact that multiple application owners exist is not a concern for an IS auditor as long as process owners have been identified. D) A training program does not exist is incorrect. The fact that a training program does not exist is only a minor concern for the IS auditor.

Q127) An IS auditor is reviewing Secure Sockets Layer enabled web sites for the company. Which of the following choices would be the HIGHEST risk? A) Self-signed digital certificates B) Expired digital certificates C) Using the same digital certificate for multiple web sites D) Using 56-bit digital certificates

A) Self-signed digital certificates is correct. These are not signed by a certificate authority (CA) and can be created by anyone. Thus, they can be used by attackers to impersonate a web site, which may lead to data theft or perpetrate a man-in-the-middle attack. B) Expired digital certificates is incorrect. This leads to blocked access to the web site leading to unwanted downtime. However, there is no loss of data. Therefore, the comparative risk is lower. C) Using the same digital certificate for multiple web sites is incorrect. This is not a significant risk. Wildcard digital certificates may be used for multiple subdomain web sites. D) Using 56-bit digital certificates is incorrect. These may be needed to connect with older versions of operating systems (OSs) or browsers. While they have a lower strength than 128-bit or 256-bit digital certificates, the comparative risk of a self-signed certificate is higher.

Q103) Which of the following is a passive attack to a network? A) Traffic analysis B) Message modification C) Masquerading D) Denial-of-service

A) Traffic analysis is correct. This allows a watching threat actor to determine the nature of the flow of traffic between defined hosts, which may allow the threat actor to guess the type of communication taking place without taking an active role. B) Message modification is incorrect. This involves the capturing of a message and making unauthorized changes or deletions, changing the sequence or delaying transmission of captured messages. An attack that modifies the data would be an active attack. C) Masquerading is incorrect. This is an active attack in which the intruder presents an identity other than the original identity. D) Denial-of-service is incorrect. This occurs when a computer connected to the Internet is flooded with data and/or requests that must be processed. This is an active attack.

Q130) The use of digital signatures: A) validates the source of a message. B) requires the use of a one-time password generator. C) provides encryption to a message. D) ensures message confidentiality.

A) Validates the source of a message is correct. The use of a digital signature verifies the identity of the sender. B) Requires the use of a one-time password generator is incorrect. This is not a requirement for using digital signatures. C) Provides encryption to a message is incorrect. A digital signature provides for integrity and proof of origin for a message but does not address confidentiality. D) Ensures message confidentiality is incorrect. A digital signature does not ensure message confidentiality.

Q147) Which of the following controls helps prevent duplication of vouchers during data entry? A) A range check B) A sequence check C) Transposition and substitution D) A cyclic redundancy check

B) A sequence check is correct. This checks that voucher numbers appear in increasing order and would validate whether the vouchers are in sequence and, thus, prevent duplicate vouchers. A) A range check is incorrect. This works over a range of numbers. Even if the same voucher number reappears, it will satisfy the range and, therefore, not be useful. C) Transposition and substitution is incorrect. These are used in encoding but will not help in establishing unique voucher numbers. D) A cyclic redundancy check is incorrect. This is used for completeness of data received over the network but is not useful in application code level validations.

Q133) What kind of software application testing is considered the final stage of testing and typically includes users outside of the development team? A) White box testing B) Beta testing C) Regression testing D) Alpha testing

B) Beta testing is correct. This is the final stage of testing and typically includes users outside of the development area. Beta testing is a form of user acceptance testing and generally involves a limited number of users who are external to the development effort. D) Alpha testing is incorrect. This is the testing stage just before beta testing. Alpha testing is typically performed by programmers and business analysts, instead of users. Alpha testing is used to identify bugs or glitches that can be fixed before beta testing begins with external users. A) White box testing is incorrect. This is performed much earlier in the software development life cycle than alpha or beta testing. White box testing is used to assess the effectiveness of software program logic, where test data are used to determine procedural accuracy of the programs being tested. In other words, does the program operate the way it is supposed to at a functional level? White box testing does not typically involve external users. C) Regression testing is incorrect. This is the process of re-running a portion of a test scenario to ensure that changes or corrections have not introduced more errors. In other words, the same tests are run after multiple successive program changes to ensure that the "fix" for one problem did not "break" another part of the program. Regression testing is not the last stage of testing and does not typically involve external users.

Q101) An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by: A) the project manager. B) business unit management. C) systems development management. D) the quality assurance team.

B) Business unit management is correct. This group assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software. A) The project manager is incorrect. This individual provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction. The project manager cannot sign off on project requirements; that would be a violation of separation of duties. C) Systems development management is incorrect. This group provides technical support for hardware and software environments. D) The quality assurance team is incorrect. This group ensures the quality of the project by measuring adherence to the organization's system development life cycle. They will conduct testing but not sign off on the project requirements.

Q145) Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases? A) Backup and recovery B) Configuration management C) Incident management D) Change management

B) Configuration management is correct. The configuration management process may include automated tools that will provide an automated recording of software release baselines. Should the new release fail, the baseline will provide a point to which to return. D) Change management is incorrect. This is important to control changes to the configuration, but the baseline itself refers to a standard configuration. A) Backup and recovery is incorrect. Backup and recovery of the configuration are important, but not used to create the baseline. C) Incident management is incorrect. This will determine how to respond to an adverse event but is not related to recording baseline configurations.

Q131) An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk? A) Undocumented approval of some project changes B) Faulty migration of historical data from the old system to the new system C) Duplication of existing payroll permissions on the new ERP subsystem D) Incomplete testing of the standard functionality of the ERP subsystem

B) Faulty migration of historical data from the old system to the new system is correct. The most significant risk after a payroll system conversion is loss of data integrity and not being able to pay employees in a timely and accurate manner or have records of past payments. As a result, maintaining data integrity and accuracy during migration is paramount. A) Undocumented approval of some project changes is incorrect. Undocumented changes (leading to scope creep) are a risk, but the greatest risk is the loss of data integrity when migrating data from the old system to the new system. D) Incomplete testing of the standard functionality of the enterprise resource planning (ERP) subsystem is incorrect. A lack of testing is always a risk; however, in this case, the new payroll system is a subsystem of an existing commercially available (and therefore probably well-tested) system. C) Duplication of existing payroll permissions on the new ERP subsystem is incorrect. Setting up the new system, including access permissions and payroll data, always presents some level of risk; however, the greatest risk is related to the migration of data from the old system to the new system.

Q122) Which of the following would MOST effectively enhance the security of a challenge-response based authentication system? A) Increasing the length of authentication strings B) Implementing measures to prevent session hijacking attacks C) Selecting a more robust algorithm to generate challenge strings D) Increasing the frequency of associated password changes

B) Implementing measures to prevent session hijacking attacks is correct. Challenge response-based authentication is prone to session hijacking or man-in-the-middle attacks. Security management should be aware of this and engage in risk assessment and control design such as periodic authentication when they employ this technology. C) Selecting a more robust algorithm to generate challenge strings is incorrect. This will enhance the security; however, this may not be as important in terms of risk mitigation when compared to man-in-the-middle attacks. D) Increasing the frequency of associated password changes is incorrect. Frequently changing passwords is a good security practice; however, the exposures lurking in communication pathways may pose a greater risk. A) Increasing the length of authentication strings is incorrect. This will not prevent man-in-the-middle or session hijacking attacks.

Q148) Which of the following would be the GREATEST concern if audit objectives are not established during the initial phase of an audit program? A) Control costs will exceed planned budget. B) Important business risk may be overlooked. C) Previously audited areas may be inadvertently included. D) Key stakeholders are incorrectly identified.

B) Important business risk may be overlooked is correct. Without an audit scope, the appropriate risk assessment has not been performed, and therefore, the auditor might not audit those areas of highest risk for the organization. D) Key stakeholders are incorrectly identified is incorrect. In certain cases, it may be more difficult to discuss findings when incorrect stakeholders are identified, thus delaying the communication of audit findings. However, this is not as concerning as important business risk not being included in audit scope. A) Control costs will exceed planned budget is incorrect. Many factors determine the cost of controls. Therefore, it is difficult to state that only audit objectives will determine the control cost. However, this is not as important if key risk is not identified. C) Previously audited areas may be inadvertently included is incorrect. Auditing previously audited areas is not an efficient use of resources; however, this is not as big of a concern as key risk not being identified.

Q129) From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy: A) has the appropriate priority level assigned. B) is aligned with the business strategy. C) is cost-effective. D) is future thinking and innovative.

B) Is aligned with the business strategy is correct. The board of directors is responsible for ensuring that the IT strategy is aligned with the business strategy. C) Is cost-effective is incorrect. The IT strategy should be cost-effective, but it must align with the business strategy for the strategy to be effective. D) Is future thinking and innovative is incorrect. The IT strategy should be forward thinking and innovative, but it must align with the business strategy to be effective. A) Has the appropriate priority level assigned is incorrect. The IT strategy should be appropriately prioritized; however, it must align with the business strategy first and then it will be prioritized.

Q146) When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with: A) disclosure. B) preservation. C) evaluation. D) analysis.

B) Preservation is correct. Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when investigating. Failure to properly preserve the evidence could jeopardize the admissibility of the evidence in legal proceedings. D) Analysis is incorrect. This is important but not the primary concern related to evidence in a forensic investigation. C) Evaluation is incorrect. This is important but not the primary concern related to evidence in a forensic investigation. A) Disclosure is incorrect. This is important but not of primary concern to the IS auditor in a forensic investigation.

Q143) An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommending a specific vendor product to address this vulnerability. The IS auditor has failed to exercise: A) technical competence. B) professional independence. C) organizational independence. D) professional competence.

B) Professional independence is correct. When an IS auditor recommends a specific vendor, the auditor's professional independence is compromised. C) Organizational independence is incorrect. This has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. A) Technical competence is incorrect. This is not relevant to the requirement of independence. D) Professional competence is incorrect. This is not relevant to the requirement of independence.

Q126) During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that: A) only systems administrators perform the patch process. B) the client's change management process is adequate. C) patches are validated using parallel testing in production. D) an approval process of the patch, including a risk assessment, is developed.

B) The client's change management process is adequate is correct. The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly. A) Only systems administrators perform the patch process is incorrect. While system administrators would normally install patches, it is more important that changes be made according to a formal procedure that includes testing and implementing the change during nonproduction times. C) Patches are validated using parallel testing in production is incorrect. While patches would normally undergo testing, it is often impossible to test all patches thoroughly. It is more important that changes be made during nonproduction times, and that a backout plan is in place in case of problems. D) An approval process of the patch, including a risk assessment, is developed is incorrect. An approval process alone could not directly prevent this type of incident from happening. There should be a complete change management process that includes testing, scheduling and approval.

Q114) Information for detecting unauthorized input from a user workstation would be BEST provided by the: A) user error report. B) transaction journal. C) automated suspense file listing. D) console log printout.

B) Transaction journal is correct. The transaction journal records all transaction activity, which then can be compared to the authorized source documents to identify any unauthorized input. D) A console log printout is incorrect. This is not the best because it does not record activity from a specific terminal. C) An automated suspense file listing is incorrect. This lists only transaction activity where an edit error occurred. A) The user error report is incorrect. This lists only input that resulted in an edit error and does not record improper user input.

Q116) An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt? A) Reperformance B) Walk-through C) Inquiry D) Interview

B) Walk-through is correct. Walk-throughs involve a combination of inquiry and inspection of evidence with respect to business process controls. This is the most effective basis for evaluation of the design of the control, because it actually exists. D) Interview is incorrect. An interview is not as strong evidence as an observation or walk-through. In addition, personnel might add some bias to interviews if they know they are being interviewed for an audit. C) Inquiry is incorrect. This can be used to understand the controls in a process only if it is accompanied by verification of evidence. However, interviewees might be biased if they know they are being audited. A) Reperformance is incorrect. This is used to evaluate the operating effectiveness of the control rather than the design of the control.

Q124) Which of the following is BEST suited for secure communications within a small group? A) Key distribution center B) Web of trust C) Kerberos Authentication System D) Certificate authority

B) Web of trust is correct. This is a key distribution method suitable for communication in a small group. It is used by tools such as Pretty Good Privacy (PGP) and distributes the public keys of users within a group. A) Key distribution center is incorrect. This is a part of a Kerberos implementation suitable for internal communication for a large group within an institution, and it will distribute symmetric keys for each session. D) Certificate authority is incorrect. This is a trusted third party that ensures the authenticity of the owner of the certificate. This is necessary for large groups and formal communication. C) Kerberos Authentication System is incorrect. This extends the function of a key distribution center by generating "tickets" to define the facilities on networked machines, which are accessible to each user.

Q134) Overall quantitative business risk for a particular threat can be expressed as: A) the magnitude of the impact if a threat source successfully exploits the vulnerability. B) the likelihood of a given threat source exploiting a given vulnerability. C) a product of the likelihood and magnitude of the impact if a threat successfully exploits a vulnerability. D) the collective judgment of the risk assessment team.

C) A product of the likelihood and magnitude of the impact if a threat successfully exploits a vulnerability is correct. Overall business risk takes into consideration the likelihood and magnitude of the impact when a threat exploits a vulnerability, and provides the best measure of the risk to an asset. A) The magnitude of the impact if a threat source successfully exploits the vulnerability is incorrect. The calculation of risk must consider impact and likelihood of a threat (not a threat source) exploiting a vulnerability. B) The likelihood of a given threat source exploiting a given vulnerability is incorrect. Considering only the likelihood of an exploit and not the impact or damage caused is not sufficient to determine the overall risk. D) The collective judgment of the risk assessment team is incorrect. This is a part of qualitative risk assessment but must be combined with calculations of the impact on the business to determine overall risk.

Q109) As an IS auditor, you are auditing the integrity of information stored in a data warehouse. Which of the following security measures BEST ensures the integrity? A) Change management procedures B) Data dictionary maintenance C) A read-only restriction D) Validated daily backups

C) A read-only restriction is correct. Because most data in a data warehouse are historic and do not need to be changed, applying read-only restrictions prevents data manipulation. D) Validated daily backups is incorrect. Backups address availability, not integrity. Validated backups ensure that the backup will work when needed. A) Change management procedures is incorrect. Adequate change management procedures protect the data warehouse and the systems with which the data warehouse interfaces from unauthorized changes but are not usually concerned with the data. B) Data dictionary maintenance is incorrect. These procedures provide for the definition and structure of data that are input to the data warehouse. This will not affect the integrity of the data already stored.

Q137) Which of the following does a lack of adequate controls represent? A) An asset B) An impact C) A vulnerability D) A threat

C) A vulnerability is correct. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers, employee error, environmental threat or equipment failure. This could result in a loss of sensitive information, financial loss, legal penalties or other losses. B) An impact is incorrect. Impact is the measure of the consequence (including financial loss, reputational damage, loss of customer confidence) that a threat event may have. A) An asset is incorrect. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure, finances and reputation. D) A threat is incorrect. A threat is a potential cause of an unwanted incident.

Q102) A company is implementing a Dynamic Host Configuration Protocol. Given that the following conditions exist, which represents the GREATEST concern? A) The IP address space is smaller than the number of PCs. B) Most employees use laptops. C) Access to a network port is not restricted. D) A packet filtering firewall is used.

C) Access to a network port is not restricted is correct. Given physical access to a port, anyone can connect to the internal network. This would allow individuals to connect that were not authorized to be on the corporate network. B) Most employees use laptops is incorrect. Dynamic Host Configuration Protocol provides convenience (an advantage) to the laptop users. D) A packet filtering firewall is used is incorrect. The existence of a firewall can be a security measure and would not normally be of concern. A) The IP address space is smaller than the number of PCs is incorrect. A limited number of IP addresses can be addressed through network address translation or by increasing the number of IP addresses assigned to a particular subnet.

Q132) Which of the following is the BEST reference for an IS auditor to determine a vendor's ability to meet service level agreement (SLA) requirements for a critical IT security service? A) Results of business continuity tests B) Results of independent audit reports C) Agreed-on key performance metrics D) Compliance with the master agreement

C) Agreed-on key performance metrics is correct. Key performance indicators are metrics that provide a means to measure performance. Service level agreements (SLAs) are statements related to expected service levels. For example, an Internet service provider (ISP) may guarantee that its service will be available 99.99 percent of the time. D) Compliance with the master agreement is incorrect. The master agreement typically includes terms, conditions and costs but does not typically include service levels. A) Results of business continuity tests is incorrect. If applicable to the service, results of business continuity tests are typically included as part of the due diligence review. B) Results of independent audit reports is incorrect. Independent audits report on the financial condition of an organization or the control environment. Reviewing audit reports is typically part of the due diligence review. Even audits must be performed against a set of standards or metrics to validate compliance.

Q142) Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix? A) Stratified mean per unit B) Unstratified mean per unit C) Attribute sampling D) Variable sampling

C) Attribute sampling is correct. This is the method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore, the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control. D) Variable sampling is incorrect. This is the method used for substantive testing, which involves testing transactions for quantitative aspects such as monetary values. A) Stratified mean per unit is incorrect. This is used in variable sampling. B) Unstratified mean per unit is incorrect. This is used in variable sampling.

Q119) Which of the following would an IS auditor consider to be the MOST important to review when conducting a disaster recovery audit? A) Insurance coverage is adequate and premiums are current. B) A hot site is contracted for and available as needed. C) Data backups are performed timely and stored offsite. D) A business continuity manual is available and current.

C) Data backups are performed timely and stored offsite is correct. Without data to process, all other components of the recovery effort are in vain. Even in the absence of a plan, recovery efforts of any type would not be practical without data to process. B) A hot site is contracted for and available as needed is incorrect. A hot site is important, but it is of no use if there are no data backups for it. D) A business continuity manual is available and current is incorrect. A business continuity manual is advisable but not most important in a disaster recovery audit. A) Insurance coverage is adequate and premiums are current is incorrect. Insurance coverage should be adequate to cover costs but is not as important as having the data backup.

Q135) The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as: A) dataflow diagrams. B) semantic nets. C) decision trees. D) rules.

C) Decision trees is correct. These use questionnaires to lead a user through a series of choices until a conclusion is reached. D) Rules is incorrect. These refer to the expression of declarative knowledge through the use of if-then relationships. B) Semantic nets is incorrect. These consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. A) Dataflow diagrams is incorrect. A dataflow diagram is used to map the progress of data through a system and examine logic, error handling and data management.

Q104) Before implementing an IT balanced scorecard, an organization must: A) deliver effective and efficient services. B) provide business value to IT projects. C) define key performance indicators. D) control IT expenses.

C) Define key performance indicators is correct. Because a balanced scorecard (BSC) is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC. A) Deliver effective and efficient services is incorrect. A BSC is a method of specifying and measuring the attainment of strategic results. It will measure the delivery of effective and efficient services, but an organization may not have those in place prior to using a BSC. B) Provide business value to IT projects is incorrect. A BSC will measure the value of IT to the business, not the other way around. D) Control IT expenses is incorrect. A BSC will measure the performance of IT, but the control over IT expenses is not a key requirement for implementing a BSC.

Q111) The BEST audit procedure to determine if unauthorized changes have been made to production code is to: A) examine the change control system records and trace them forward to object code files. B) review access control permissions operating within the production program libraries. C) examine object code to find instances of changes and trace them back to change control records. D) review change approved designations established within the change control system.

C) Examine object code to find instances of changes and trace them back to change control records is correct. The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes. A) Examine the change control system records and trace them forward to object code files is incorrect. Checking the change control system will not detect changes that were not recorded in the control system. B) Review access control permissions operating within the production program libraries is incorrect. Reviewing access control permissions will not identify unauthorized changes made previously. D) Review change approved designations established within the change control system is incorrect. Reviewing change approved designations will not identify unauthorized changes.

Q138) Which of the following should an IS auditor be MOST concerned about in a financial application? A) The information security officer does not authorize all application changes. B) Programmers have access to source code in user acceptance testing environment. C) Programmers have access to the production database. D) Secondary controls are documented for identified role conflicts.

C) Programmers have access to the production database is correct. This is considered to be a segregation of duties conflict. B) Programmers have access to application source code in user acceptance testing (UAT) environment is incorrect. This is not of concern to the IS auditor because programmers need access to source code to do their jobs. The UAT environment is separate from the production environment, and changes cannot be moved into the production environment without prior authorization. D) Secondary controls are documented for identified role conflicts is incorrect. When segregation of duties conflicts are identified, secondary controls should be in place to mitigate risk. While the IS auditor reviews secondary controls, in this case the greater concern is programmers having access to the production database. A) The information security officer does not authorize all application changes is incorrect. The information security officer is not likely to authorize all application changes; therefore, this is not a concern for an IS auditor.

Q106) An IS auditor notes daily reconciliation of visitor access card inventory is not aligned with the organization's procedures. Which of the following is the auditor's BEST course of action? A) Recommend regular physical inventory counts. B) Do not report the lack of reconciliation. C) Report the lack of daily reconciliations. D) Recommend the implementation of a more secure access system.

C) Report the lack of daily reconciliations is correct. The IS auditor should report the lack of daily reconciliation as an exception, because a physical inventory count gives assurance only at a point in time and the practice is not in compliance with management's mandated activity. B) Do not report the lack of reconciliation is incorrect. Absence of discrepancy in physical count only confirms absence of any impact but cannot be a reason to overlook failure of operation of the control. The issue should be reported because the control was not followed. A) Recommend regular physical inventory counts is incorrect. While the IS auditor may in some cases recommend a change in procedures, the primary goal is to observe and report when the current process is deficient. D) Recommend the implementation of a more secure access system is incorrect. While the IS auditor may in some cases recommend a more secure solution, the primary goal is to observe and report when the current process is deficient.

Q118) Which of the following does a lack of adequate security controls represent? A) Threat B) Asset C) Vulnerability D) Impact

C) Vulnerability is correct. The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This can result in a loss of sensitive information and lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the "potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets." The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability. A) Threat is incorrect. A threat is anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. A threat exists regardless of controls or a lack of controls. B) Asset is incorrect. An asset is something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation. The asset value is not affected by a lack of controls. D) Impact is incorrect. Impact represents the outcome or result of a threat exploiting a vulnerability. A lack of controls would lead to a higher impact, but the lack of controls is defined as a vulnerability, not an impact.

Q136) Which of the following antispam filtering methods has the LOWEST possibility of false-positive alerts? A) Statistic-based B) Rule-based C) Heuristic filtering D) Check-sum based

D) Check-sum based is correct. The advantage of this type of filtering is that it lets ordinary users help identify spam, and not just administrators, thus vastly increasing the pool of spam fighters. The disadvantage is that spammers can insert unique invisible gibberish (known as hashbusters) into the middle of each of their messages, thus making each message unique and giving it a different checksum. This leads to an arms race between the developers of the checksum software and the developers of the spam-generating software. B) Rule-based is incorrect. This will trigger a false-positive alert each time a keyword is met in the message. C) Heuristic filtering is incorrect. A heuristic is a technique designed for solving a problem more quickly when classic methods are too slow, or for finding an approximate solution when classic methods fail to find any exact solution. This is achieved by trading optimality, completeness, accuracy, or precision for speed. In a way, it can be considered a shortcut. A) Statistic-based is incorrect. Statistical filtering analyzes the frequency of each word within the message and then evaluates the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds; however, it is still prone to false-positive alerts.

Q108) In transport mode, the use of the Encapsulating Security Payload protocol is advantageous over the authentication header protocol because it provides: A) antireplay service. B) data origin authentication. C) connectionless integrity. D) confidentiality.

D) Confidentiality is correct. Only the Encapsulating Security Payload (ESP) protocol provides confidentiality via encryption. C) Connectionless integrity is incorrect. Both forms of Internet Protocol security (IPSec), authentication header (AH) and ESP, provide connectionless integrity. B) Data origin authentication is incorrect. Both AH and ESP authenticate data origin. A) Antireplay service is incorrect. The time stamps used in IPSec will prevent replay attacks.

Q149) Which of the following is MOST indicative of the effectiveness of an information security awareness program? A) Information security responsibilities have been included in job descriptions. B) All employees have signed the information security policy. C) Most employees have attended an awareness session. D) Employees report more information regarding security incidents.

D) Employees report more information regarding security incidents is correct. Although the promotion of security awareness is a preventive control, it can also be a detective measure because it encourages people to identify and report possible security violations. The reporting of incidents implies that employees are acting as a consequence of the awareness program. B) All employees have signed the information security policy is incorrect. The existence of evidence that all employees have signed the security policy does not ensure that security responsibilities have been understood and applied. C) Most employees have attended an awareness session is incorrect. One of the objectives of the security awareness program is to inform the employees of what is expected of them and what their responsibilities are, but this knowledge does not ensure that employees will perform their activities in a secure manner. A) Information security responsibilities have been included in job descriptions is incorrect. The documentation of roles and responsibilities in job descriptions is not an indicator of the effectiveness of the awareness program.

Q113) After installing a network, an organization implemented a vulnerability assessment tool to identify possible weaknesses. Which type of reporting poses the MOST serious risk associated with such tools? A) False-positive B) Less-detail C) Differential D) False-negative

D) False-negative is correct. This type of reporting on weaknesses means the control weaknesses in the network are not identified and, therefore, may not be addressed, leaving the network vulnerable to attack. C) Differential is incorrect. This reporting function of the tool compares scan results over a period of time. A) False-positive is incorrect. This type of reporting is one in which the system falsely reports a vulnerability. Controls may be in place, but are evaluated as weak, which should prompt a rechecking of the controls. B) Less-detail is incorrect. This type of reporting would require additional tools or analysis to determine the existence and severity of vulnerabilities.

Q121) The FIRST step in a successful attack on a system is: A) gaining access. B) denying services. C) evading detection. D) gathering information.

D) Gathering information is correct. Successful attacks start by gathering information about the target system. This is done in advance so that the attacker gets to know the target systems and the potential vulnerabilities that can be exploited in the attack. A) Gaining access is incorrect. Once attackers have discovered potential vulnerabilities through information gathering, they will usually attempt to gain access. B) Denying services is incorrect. An attacker will usually launch a denial of service as one of the last steps in the attack. C) Evading detection is incorrect. When attackers have gained access and possibly infected the victim with a rootkit, they will delete audit logs and take other steps to hide their tracks.

Q117) The MAIN advantage of an IS auditor directly extracting data from a general ledger system is: A) greater flexibility for the audit department. B) reduction in the time to have access to the information. C) reduction of human resources needed to support the audit. D) greater assurance of data validity.

D) Greater assurance of data validity is correct. If the IS auditor executes the data extraction, there is greater assurance that the extraction criteria will not interfere with the required completeness, and, therefore, all required data will be collected. Asking IT to extract the data may expose the risk of filtering out exceptions that should be seen by the auditor. Also, if the IS auditor collects the data, all internal references correlating the various data tables/elements will be understood, and this knowledge may reveal vital elements to the completeness and correctness of the overall audit activity. C) Reduction of human resources needed to support the audit is incorrect. Although the burden on human resources to support the audit may decrease if the IS auditor directly extracts the data, this advantage is not as significant as the increased data validity. B) Reduction in the time to have access to the information is incorrect. This will not necessarily reduce the time to have access to the information because time will need to be scheduled for training and granting access. A) Greater flexibility for the audit department is incorrect. There may be more flexibility for the IS auditor to adjust the data extracts to meet various audit requirements; however, this is not the main advantage.

Q112) Corporate IT policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation? A) Have the current configuration approved by operations management. B) Ensure that there is an audit trail for all existing accounts. C) Amend the IT policy to allow shared accounts. D) Implement individual user accounts for all staff.

D) Implement individual user accounts for all staff is correct. Individual user accounts allow for accountability of transactions and should be the most important recommendation, given the current scenario. A) Have the current configuration approved by operations management is incorrect. Having the current configuration approved is a recommendation that is not in compliance with the enterprise's own policy and would violate good practice. B) Ensure that there is an audit trail for all existing accounts is incorrect. Having an audit trail for existing shared accounts would not provide accountability or resolve the problem of noncompliance with policy. C) Amend the IT policy to allow shared accounts is incorrect. Shared user IDs do not allow for accountability of transactions and would not reflect good practice.

Q105) When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment approaches is being applied? A) Acceptance B) Avoidance C) Transfer D) Mitigation

D) Mitigation is correct. A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan, it is a risk mitigation strategy. C) Transfer is incorrect. Risk transfer is the transference of risk to a third party (e.g., buying insurance for activities that pose a risk). B) Avoidance is incorrect. Risk avoidance is the decision to cease operations or activities that give rise to a risk. For example, a company may stop accepting credit card payments to avoid the risk of credit card information disclosure. A) Acceptance is incorrect. Risk acceptance occurs when an organization decides to accept the risk as it is and to do nothing to mitigate or transfer it.

Q123) Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to: A) provide proper cross-training for another employee. B) ensure that the employee maintains a good quality of life, which will lead to greater productivity. C) eliminate the potential disruption caused when an employee takes vacation one day at a time. D) reduce the opportunity for an employee to commit an improper or illegal act.

D) Reduce the opportunity for an employee to commit an improper or illegal act is correct. Required vacations/holidays of a week or more in duration, during which someone other than the regular employee performs the job function of the employee on vacation, are often mandatory for sensitive positions because this reduces the opportunity to commit improper or illegal acts. During this time off, it may be possible to discover any fraudulent activity that was taking place. B) Ensure that the employee maintains a good quality of life, which will lead to greater productivity is incorrect. Maintaining a good quality of life is important, but the primary reason for a mandatory vacation is to catch fraud or errors. A) Provide proper cross-training for another employee is incorrect. Providing cross-training is an important management function, but the primary reason for mandatory vacations is to detect fraud or errors. C) Eliminate the potential disruption caused when an employee takes vacation one day at a time is incorrect. Enforcing a rule that all vacations must be taken a week at a time is a management decision but not related to a mandatory vacation policy. The primary reason for mandatory vacations is to detect fraud or errors.

Q107) While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should: A) perform an access review. B) perform a risk assessment. C) discuss the issue with the service provider. D) report the issue to IT management.

D) Report the issue to IT management is correct. During an audit, if there are material issues that are of concern, they need to be reported to management in the audit report. C) Discuss the issue with the service provider is incorrect. The IS auditor may discuss the issue with the service provider; however, the appropriate response is to report the issue to IT management because they are ultimately responsible. B) Perform a risk assessment is incorrect. This issue can serve as an input for a future risk assessment, but the issue of noncompliance should be reported to management regardless of whether the IS auditor believes there is a significant risk. A) Perform an access review is incorrect. The IS auditor could perform an access review as part of the audit to determine if there are errors, but not on behalf of the third-party IT service provider. It is more important to report the issue in the audit report to management.

Q110) An IS auditor is assessing services provided by an Internet service provider (ISP) during an IS compliance audit of a nationwide corporation that operates a governmental program. Which of the following is MOST important? A) Review the request for proposal. B) Research other clients of the ISP. C) Review monthly performance reports generated by the ISP. D) Review the service level agreement.

D) Review the service level agreement is correct. A service level agreement provides the basis for an adequate assessment of the degree to which the provider is meeting the level of agreed-on service. A) Review the request for proposal is incorrect. Because the request for proposal is not the contracted agreement, it is more relevant to review the terms of the service level agreement. C) Review monthly performance reports generated by the Internet service provider (ISP) is incorrect. The reports from the ISP are indirect evidence that may require further review to ensure accuracy and completeness. B) Research other clients of the ISP is incorrect. The services provided to other clients of the ISP are irrelevant to the IS auditor.

Q140) The MAJOR advantage of a component-based development approach is the: A) ability to manage an unrestricted variety of data types. B) provision for modeling complex relationships. C) capacity to meet the demands of a changing environment. D) support of multiple development environments.

D) Support of multiple development environments is correct. Component-based development that relies on reusable modules can increase the speed of development. Software developers can then focus on business logic. A) Ability to manage an unrestricted variety of data types is incorrect. The data types must be defined within each component, and it is not certain that any component will be able to handle multiple data types. B) Provision for modeling complex relationships is incorrect. Component-based development is no better than many other development methods at modeling complex relationships. C) Capacity to meet the demands of a changing environment is incorrect. Component-based development is one of the methodologies that can be effective at meeting changing requirements, but this is not its primary benefit or purpose.

Q120) During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor's GREATEST concern? A) The policy for data backup and retention has not been reviewed by the business owner for the past three years. B) Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator. C) Restoration testing for backup media is not performed; however, all data restore requests have been successful. D) The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually.

D) The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually is correct. For a company working with confidential patient data, the loss of a backup tape is a significant incident. Privacy laws specify severe penalties for such an event, and the company's reputation could be damaged due to mandated reporting requirements. To gain assurance that tapes are being handled properly, the organization should perform audit tests that include frequent physical inventories and an evaluation of the controls in place at the third-party provider. C) Restoration testing for backup media is not performed; however, all data restore requests have been successful is incorrect. Lack of restoration testing does not increase the risk of unauthorized leakage of information. Not performing restoration tests on backup tapes poses a risk; however, this risk is somewhat mitigated because past data restore requests have been successful. A) The policy for data backup and retention has not been reviewed by the business owner for the past three years is incorrect. Lack of review of the data backup and retention policy may be of a concern if systems and business processes have changed in the past three years. The IS auditor should perform additional procedures to verify the validity of existing procedures. In addition, lack of this control does not introduce a risk of unauthorized leakage of information. B) Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator is incorrect. Failed backup alerts that are not followed up on and resolved imply that certain data or files are not backed up. This is a concern if the files/data being backed up are critical in nature, but, typically, marketing data files are not regulated in the same way as medical transcription files. Lack of this control does not introduce a risk of unauthorized leakage of sensitive information.

Q35) Which of the following should be considered FIRST when implementing a risk management program? A) An understanding of the organization's threat, vulnerability and risk profile B) A determination of risk management priorities that are based on potential consequences C) A risk mitigation strategy sufficient to keep risk consequences at an acceptable level D) An understanding of the risk exposures and the potential consequences of compromise

A) An understanding of the organization's threat, vulnerability and risk profile is correct. Implementing risk management, as one of the outcomes of effective information security governance, requires a collective understanding of the organization's threat, vulnerability and risk profile as a first step. D) An understanding of risk exposure and potential consequences of compromise is incorrect. This can be determined only after there is an understanding of the organization's threat, vulnerability and risk profile. B) A determination of risk management priorities that are based on potential consequences is incorrect. Risk management priorities that are based on potential consequences can only be developed after the organization's threat, vulnerability and risk profile is determined. C) A risk mitigation strategy sufficient to keep risk consequences at an acceptable level is incorrect. Risk mitigation priorities are based on the risk profile, risk acceptance levels and potential mitigating controls. These elements provide a basis for the formulation of strategies for risk mitigation sufficient to keep the consequences from risk at an acceptable level.

Q62) In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation? A) Approve and document the change the next business day. B) Limit developer access to production to a specific time frame. C) Obtain secondary approval before releasing to production. D) Disable the compiler option in the production machine.

A) Approve and document the change the next business day is correct. It may be appropriate to allow programmers to make emergency changes as long as they are documented and approved after the fact. B) Limit developer access to production to a specific time frame is incorrect. Restricting the release time frame may help somewhat; however, it would not apply to emergency changes and cannot prevent unauthorized release of the programs. C) Obtain secondary approval before releasing to production is incorrect. This is not relevant in an emergency situation. D) Disable the compiler option in the production machine is incorrect. This is not relevant in an emergency situation.

Q26) An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess: A) backout procedures. B) problem management procedures. C) incident management procedures. D) software development procedures.

A) Backout procedures is correct. These are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process—a process which specifies what procedures should be followed when software is being upgraded but the upgrade does not work and requires a fallback to its former state. B) Problem management procedures is incorrect. These are used to track user feedback and issues related to the operation of an application for trend analysis and problem resolution. D) Software development procedures is incorrect. These procedures such as the software development life cycle (SDLC) are used to manage the creation or acquisition of new or modified software. C) Incident management procedures is incorrect. These are used to manage errors or problems with system operation. They are usually used by a help desk. One of the incident management procedures may be how to follow a fallback plan.

Q29) While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to: A) continue to test the accounting application controls and include the deficiency in the final report. B) continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions. C) complete the audit and not report the control deficiency because it is not part of the audit scope. D) cease all audit activity until the control deficiency is resolved.

A) Continue to test the accounting application controls and include the deficiency in the final report is correct. It is the responsibility of the IS auditor to report on findings that can have a material impact on the effectiveness of controls—whether or not they are within the scope of the audit. B) Continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions is incorrect. The IS auditor should not assume that the IT manager will follow through on a verbal notification to resolve the change management control deficiency, and it is inappropriate to offer consulting services on issues discovered during an audit. C) Complete the audit and not report the control deficiency because it is not part of the audit scope is incorrect. Although not technically within the audit scope, it is the responsibility of the IS auditor to report findings discovered during an audit that can have a material impact on the effectiveness of controls. D) Cease all audit activity until the control deficiency is resolved is incorrect. It is not the role of the IS auditor to demand that IT work be completed before performing or completing an audit.

Q18) A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a: A) corrective control. B) directive control. C) compensating control. D) detective control.

A) Corrective control is correct. Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions, when they are detected. This provides a mechanism to detect when malicious events have happened and correct the situation. B) Directive control is incorrect. Directive controls, such as IT policies and procedures, do not apply in this case because this is an automated control. C) Compensating control is incorrect. A compensating control is used where other controls are not sufficient to protect the system. In this case, the corrective control in place will effectively protect the system from access via an unpatched device. D) Detective control is incorrect. Detective controls exist to detect and report when errors, omissions and unauthorized uses or entries occur.

Q89) This question refers to the following diagram. Email traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to: A) create an entry in the log. B) alert the appropriate staff. C) close firewall-1. D) close firewall-2.

A) Create an entry in the log is correct. This is the first step taken by a network IDS. The IDS may also be configured to send an alert to the administrator, send a note to the firewall and may even be configured to record the suspicious packet. B) Alert the appropriate staff is incorrect. The first action taken by an intrusion detection system (IDS) will be to create a log entry and then alert the appropriate staff. D) Close firewall-2 is incorrect. Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been caused by an attack from a hacker. After the IDS has logged the suspicious traffic, it may signal firewall-2 to close, thus preventing damage to the internal network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator, valuable time can be lost, in which a hacker could also compromise firewall-2. C) Close firewall-1 is incorrect. The IDS will usually only protect the internal network by closing firewall-2 and will not close the externally facing firewall-1.

Q58) During the system testing phase of an application development project the IS auditor should review the: A) error reports. B) vendor contract. C) program change requests. D) conceptual design specifications.

A) Error reports is correct. Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors. D) Conceptual design specifications is incorrect. This is a document prepared during the requirements definition phase. The system testing will be based on a test plan. B) Vendor contract is incorrect. This is prepared during a software acquisition process and may be reviewed to ensure that all the deliverables in the contract have been delivered, but the most important area of review is the error reports. C) Program change requests is incorrect. These would normally be reviewed as a part of the post-implementation phase.

Q67) Which of the following is the BEST enabler for strategic alignment between business and IT? A) Goals and metrics B) A maturity model C) A responsible, accountable, consulted and informed (RACI) chart D) Control objectives

A) Goals and metrics is correct. These ensure that IT goals are set based on business goals, and they are the best enablers of strategic alignment. B) A maturity model is incorrect. Maturity models enable assessment of current process capability and could be used for process improvement and measuring the maturity of the alignment process, but they do not directly enable strategic alignment. D) Control objectives is incorrect. These facilitate the implementation of controls in the related processes according to business requirements. C) A responsible, accountable, consulted and informed (RACI) chart is incorrect. RACI charts enable the assignment of responsibility to key functionaries but do not ensure strategic alignment.

Q93) An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review? A) IT risk is presented in business terms. B) The risk management framework is based on global standards. C) Controls are implemented based on cost-benefit analysis. D) The approval process for risk response is in place.

A) IT risk is presented in business terms is correct. For risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms. C) Controls are implemented based on cost-benefit analysis is incorrect. Controls to mitigate risk must be implemented based on cost-benefit analysis; however, the cost-benefit analysis is effective only if risk is presented in business terms. B) The risk management framework is based on global standards is incorrect. A risk management framework based on global standards helps in ensuring completeness; however, organizations must adapt it to suit specific business requirements. D) The approval process for risk response is in place is incorrect. Approvals for risk response come later in the process.

Q9) The PRIMARY objective of performing a postincident review is that it presents an opportunity to: A) improve internal control procedures. B) highlight the importance of incident response management to management. C) improve employee awareness of the incident response process. D) harden the network to industry good practices.

A) Improve internal control procedures is correct. A postincident review examines both the cause and response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables the information security manager to continuously improve the security program. Improving the incident response plan based on the incident review is an internal (corrective) control. D) Harden the network to industry good practices is incorrect. A postincident review may result in improvements to controls, but its primary purpose is not to harden a network. B) Highlight the importance of incident response management to management is incorrect. The purpose of a postincident review is to ensure that the opportunity is presented to learn lessons from the incident. It is not intended as a forum to educate management. C) Improve employee awareness of the incident response process is incorrect. An incident may be used to emphasize the importance of incident response, but that is not the intention of the postincident review.

Q84) Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment? A) Lack of transaction authorizations B) Loss or duplication of EDI transmissions C) Transmission delay D) Deletion or manipulation of transactions prior to or after establishment of application controls

A) Lack of transaction authorizations is correct. Because the interaction between parties is electronic, there is no inherent authentication occurring; therefore, lack of transaction authorization is the greatest risk. B) Loss or duplication of electronic data interchange transmissions is incorrect. This is an example of risk, but because all transactions should be logged, the impact is not as great as that of unauthorized transactions. C) Transmission delay is incorrect. This may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data. D) Deletion or manipulation of transactions prior to, or after, establishment of application controls is incorrect. This is an example of risk. Logging detects any alteration to the data, and the impact is not as great as that of unauthorized transactions.

Q69) Which of the following carries the LOWEST risk when managing failures while transitioning from legacy applications to new applications? A) Parallel changeover B) Rollback procedure C) Phased changeover D) Abrupt changeover

A) Parallel changeover is correct. This involves first running the old system, then running both the old and new systems in parallel, and finally fully changing to the new system after gaining confidence in the functionality of the new system. C) Phased changeover is incorrect. This involves the changeover from the old system to the new system in a phased manner. Therefore, at no time will the old system and the new system both be fully operational as one integrated system. D) Abrupt changeover is incorrect. In abrupt changeover, the new system is changed from the old system on a cutoff date and time, and the old system is discontinued after changeover to the new system takes place. Therefore, the old system is not available as a backup if there are problems when the new system is implemented. B) Rollback procedure is incorrect. This involves restoring all systems to their previous working state; however, parallel changeover is the better strategy.

Q77) An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important? A) Permission from the data owner of the server B) The tools used to conduct the test C) An intrusion detection system is enabled D) Certifications held by the IS auditor

A) Permission from the data owner of the server is correct. The data owner should be informed of the risk associated with a penetration test, the timing of the test, what types of tests are to be conducted and other relevant details. B) The tools used to conduct the test is incorrect. The choice of tools is important to ensure a valid test and prevent system failure; however, the permission of the owner is most important. D) Certifications held by the IS auditor is incorrect. Whether the IS auditor holds certifications is not relevant to the effectiveness of the test. C) An intrusion detection system is enabled is incorrect. An intrusion detection system is not required for a penetration test.

Q16) Which of the following BEST helps an IS auditor evaluate the quality of programming activities related to future maintenance capabilities? A) Program coding standards B) The development environment C) A version control system D) The programming language

A) Program coding standards is correct. These are required for efficient program maintenance and modifications. To enhance the quality of programming activities and future maintenance capabilities, program coding standards should be applied. Program coding standards are essential to writing, reading and understanding code, simply and clearly, without having to refer back to design specifications. D) The programming language is incorrect. This may be a concern if it is not a commonly used language; however, program coding standards are more important. B) The development environment is incorrect. This may be relevant to evaluate the efficiency of the program development process but not future maintenance of the program. C) A version control system is incorrect. This helps manage software code revisions; however, it does not ensure that coding standards are consistently applied.

Q46) During an audit, the IS auditor notes the application developer also performs quality assurance testing on another application. Which of the following is the MOST important course of action for the auditor? A) Report the identified condition. B) Analyze the quality assurance dashboards. C) Recommend compensating controls. D) Review the code created by the developer.

A) Report the identified condition is correct. The software quality assurance role should be independent and separate from development activities. The same person should not hold both roles because this would cause a segregation of duties concern. The IS auditor should report this condition when identified. C) Recommend compensating controls is incorrect. Although compensating controls may be a good idea, the primary response in this case should be to report the condition, because the risk associated with this should be reported to the users of the audit report. D) Review the code created by the developer is incorrect. Evaluating the code created by the application developer is not the appropriate response in this case. The IS auditor may evaluate a sample of changes to determine whether the developer tested his/her own code, but the primary response should be to report the condition. B) Analyze the quality assurance dashboards is incorrect. Analyzing the quality assurance dashboards can help evaluate the actual impact of the lack of segregation of duties but does not address the underlying risk. The primary response should be to report the condition.

Q57) Which of the following is a MAJOR concern during a review of help desk activities? A) Resolved incidents are closed without reference to end users. B) A dedicated line is not assigned to the help desk team. C) Certain calls could not be resolved by the help desk team. D) The help desk instant messaging has been down for over six months.

A) Resolved incidents are closed without reference to end users is correct. The help desk function is a service-oriented unit. The end users must be advised before an incident can be regarded as closed. C) Certain calls could not be resolved by the help desk team is incorrect. Although this is of concern, it should be expected. A problem escalation procedure should be developed to handle such scenarios. B) A dedicated line is not assigned to the help desk team is incorrect. Ideally, a help desk team should have dedicated lines, but this exception is not as serious as the technical team unilaterally closing an incident. D) The help desk instant messaging has been down for more than six months is incorrect. Instant messaging is an add-on to improve the effectiveness of the help desk team. Its absence cannot be seen as a major concern as long as calls can still be made.

Q63) Digital signatures require the: A) signer to have a private key and the receiver to have a public key. B) signer to have a public key and the receiver to have a private key. C) signer and receiver to have a public key. D) signer and receiver to have a private key.

A) Signer to have a private key and the receiver to have a public key is correct. Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The digital signature standard is based on the sender encrypting a digest of the message with their private key and the receiver validating the message with the public key. B) Signer to have a public key and the receiver to have a private key is incorrect. If a sender encrypts a message with a public key, it will provide confidential transmission to the receiver with the private key. C) Signer and receiver to have a public key is incorrect. Asymmetric key cryptography always works with key pairs. Therefore, a message encrypted with a public key could only be opened with a private key. D) Signer and receiver to have a private key is incorrect. If both the sender and receiver have a private key there would be no way to validate the digital signature.

Q73) The MAIN reason for requiring that all computer clocks across an organization are synchronized is to: A) support the incident investigation process. B) ensure that email messages have accurate time stamps. C) prevent omission or duplication of transactions. D) ensure smooth data transition from client machines to servers.

A) Support the incident investigation process is correct. During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them is useful. If the clocks are not synchronized, investigations will be more difficult, because a time line of events occurring on different systems might not be easily established. C) Prevent omission or duplication of transactions is incorrect. Omission or duplication of transactions will not occur due to a lack of clock synchronization. D) Ensure smooth data transition from client machines to servers is incorrect. Data transfer has nothing to do with the time stamp. B) Ensure that email messages have accurate time stamps is incorrect. Although the time stamp on an email may not be accurate, this is not a significant issue.

Q60) Which of the following does an IS auditor consider to be MOST important when evaluating an organization's IT strategy? That it: A) supports the business objectives of the organization. B) does not vary from the IT department's preliminary budget. C) was approved by line management. D) complies with procurement procedures.

A) Supports the business objectives of the organization is correct. Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals. C) Was approved by line management is incorrect. A strategic plan is a senior management responsibility and would receive input from line managers but would not be approved by them. B) Does not vary from the IT department's preliminary budget is incorrect. The budget should not vary from the plan. D) Complies with procurement procedures is incorrect. Procurement procedures are organizational controls, but not a part of strategic planning.

Q6) Which of the following should be included in an organization's information security policy? A) The basis for access control authorization B) Relevant software security features C) A list of key IT resources to be secured D) Identity of sensitive security assets

A) The basis for access control authorization is correct. The security policy provides the broad framework of security as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. C) A list of key IT resources to be secured is incorrect. This is more detail than should be included in a policy. D) Identity of sensitive security assets is incorrect. The identity of sensitive security assets is more detailed than that which should be included in a policy. B) Relevant software security features is incorrect. A list of the relevant software security features is more detailed than that which should be included in a policy.

Q48) An IS auditor is performing a review of an organization's governance model. Which of the following should be of MOST concern to the auditor? A) The information security policy is not periodically reviewed by senior management. B) The audit committee did not review the organization's global mission statement. C) A policy ensuring systems are patched in a timely manner does not exist. D) An organizational policy related to information asset protection does not exist.

A) The information security policy is not periodically reviewed by senior management is correct. Data security policies should be reviewed/refreshed once every year to reflect changes in the organization's environment. Policies are fundamental to the organization's governance structure, and, therefore, this is the greatest concern. C) A policy ensuring systems are patched in a timely manner does not exist is incorrect. While it is a concern that there is no policy related to system patching, the greater concern is that the information security policy is not reviewed periodically by senior management. B) The audit committee did not review the organization's mission statement is incorrect. Mission statements tend to be long term because they are strategic in nature and are established by the board of directors and management. This is not the IS auditor's greatest concern because proper governance oversight could lead to meeting the objectives of the organization's mission statement. D) An organizational policy related to information asset protection does not exist is incorrect. While it is a concern that there is no policy related to the protection of information assets, the greater concern is that the security policy is not reviewed periodically by senior management because top-level support is fundamental to information security governance.

Q45) Which of the following reasons BEST describes the purpose of a mandatory vacation policy? A) To identify potential errors or inconsistencies in business processes B) To be used as a cost-saving measure C) To ensure that employees are properly cross-trained in multiple functions D) To improve employee morale

A) To identify potential errors or inconsistencies in business processes is correct. Mandatory vacations help uncover potential fraud or inconsistencies. Ensuring that people who have access to sensitive internal controls or processes take a mandatory vacation annually is often a regulatory requirement and, most importantly, a good way to uncover fraud. C) To ensure that employees are properly cross-trained in multiple functions is incorrect. Ensuring that employees are properly cross-trained in multiple functions improves the skills of employees and provides for succession planning but is not the primary purpose of mandatory vacations. D) To improve employee morale is incorrect. Improving employee morale helps in reducing employee burnout but is not the primary reason for mandatory vacations. B) To be used as a cost-saving measure is incorrect. Mandatory vacations may or may not be a cost-saving measure, depending on the enterprise.

Q40) Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious? A) Unauthorized report copies might be printed. B) Sensitive data might be read by operators. C) Output might be lost in the event of system failure. D) Data might be amended without authorization.

A) Unauthorized report copies might be printed is correct. Spooling for offline printing may enable additional copies to be printed unless adequate safeguards exist as compensating controls. B) Sensitive data might be read by operators is incorrect. Operators often have high-level access as a necessity to perform their job duties. To the extent that this is a risk, it exists for any form of non-local printing and is not specifically tied to spooled reports. D) Data might be amended without authorization is incorrect. Data on spool files are no easier to amend without authority than any other file. C) Output might be lost in the event of system failure is incorrect. Loss of data at the spooler level would only require reprinting.

Q47) Which of the following should be developed during the requirements definition phase of a software development project to address aspects of software testing? A) User acceptance test specifications B) Detailed test plans C) Test data covering critical applications D) Quality assurance test specifications

A) User acceptance test specifications is correct. A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project and user acceptance test specification should be developed during this phase. C) Test data covering critical applications is incorrect. Test data will usually be created during the system testing phase. B) Detailed test plans is incorrect. These are created during system testing. D) Quality assurance test specifications is incorrect. These are set out later in the development process.

Q68) When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining which of the following network documentation? A) Wiring and schematic diagram B) Users' lists and responsibilities C) Backup and recovery procedures D) Application lists and their details

A) Wiring and schematic diagram is correct. This is necessary to carry out a network audit. The IS auditor needs to know what equipment, configuration and addressing is used on the network to perform an audit of the network setup. B) Users' lists and responsibilities is incorrect. When performing an audit of network setup, the users' lists would not be of value. D) Application lists and their details is incorrect. These are not required to audit network configuration. C) Backup and recovery procedures is incorrect. These are important but not as important as knowing the network layout.

Q49) An organization purchased a third-party application and made significant modifications. While auditing the development process for this critical, customer-facing application, the IS auditor noted that the vendor has been in business for only one year. Which of the following helps to mitigate the risk relating to continued application support? A) A viability study on the vendor B) A software escrow agreement C) A contractual agreement for future enhancements D) Financial evaluation of the vendor

B) A software escrow agreement is correct. Considering that the vendor has been in the business for only one year, the biggest concern is financial stability or viability of the vendor and the risk of the vendor going out of business. The best way that this risk can be addressed is to have a software escrow agreement for the source code of the application, which provides the entity access to the source code if the vendor goes out of business. A) A viability study on the vendor is incorrect. Although a viability study on the vendor may provide some assurance on the long-term availability of the vendor's services to the entity, in this case, it is more important that the company has the rights to the source code. D) Financial evaluation of the vendor is incorrect. Considering that the vendor has been in business for only one year, financial evaluation of the vendor would not be of much value and cannot provide assurance on the long-term availability of the vendor's services to the entity. In this case, it is more important that the company has rights to the source code. C) A contractual agreement for future enhancements is incorrect. A contractual agreement, while binding, is not enforceable or only has limited value in the event of bankruptcy.

Q43) Which of the following would an IS auditor consider to be MOST helpful when evaluating the effectiveness and adequacy of a preventive computer maintenance program? A) Regularly scheduled maintenance log B) A system downtime log C) Vendors' reliability figures D) A written preventive maintenance schedule

B) A system downtime log is correct. This provides evidence regarding the effectiveness and adequacy of computer preventive maintenance programs. The log is a detective control, but because it is validating the effectiveness of the maintenance program, it is validating a preventive control. C) Vendors' reliability figures is incorrect. These are not an effective measure of a preventive maintenance program. A) Regularly scheduled maintenance log is incorrect. Reviewing the log is a good detective control to ensure that maintenance is being done; however, only the system downtime will indicate whether the preventive maintenance is actually working well. D) A written preventive maintenance schedule is incorrect. A schedule is a good control to ensure that maintenance is scheduled and that no items are missed in the maintenance schedule; however, it is not a guarantee that the work is actually being done.

Q51) An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make? A) Enforce standard compliance by adopting punitive measures against violators. B) Achieve standards alignment through an increase of resources devoted to the project. C) Delay the project until compliance with standards can be achieved. D) Align the data definition standards after completion of the project.

B) Achieve standards alignment through an increase of resources devoted to the project is correct. Provided that data architecture, technical and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. D) Align the data definition standards after completion of the project is incorrect. The usage of nonstandard data definitions would lower the efficiency of the new development and increase the risk of errors in critical business decisions. To change data definition standards after project conclusion is risky and is not a viable solution. C) Delay the project until compliance with standards can be achieved is incorrect. Delaying the project would be an inappropriate suggestion because of business requirements or the likely damage to entire project profitability. A) Enforce standard compliance by adopting punitive measures against violators is incorrect. Punishing the violators would be outside the authority of the auditor and inappropriate until the reason for the violations has been determined.

Q82) Which of the following is an attribute of the control self-assessment approach? A) Auditors are the primary control analysts B) Broad stakeholder involvement C) Policy driven D) Limited employee participation

B) Broad stakeholder involvement is correct. The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training—all of which are representations of broad stakeholder involvement. A) Auditors are the primary control analysts is incorrect. IS auditors are the primary control analysts in a traditional audit approach. CSA involves many stakeholders, not just auditors. D) Limited employee participation is incorrect. This is an attribute of a traditional audit approach. C) Policy driven is incorrect. This is an attribute of a traditional audit approach.

Q96) Which of the following is an advantage of elliptic curve encryption over RSA encryption? A) Ability to support digital signatures B) Computation speed C) Simpler key distribution D) Message integrity controls

B) Computation speed is correct. The main advantage of elliptic curve encryption (ECC) over RSA encryption is its computation speed. This is due in part to the use of much smaller keys in the ECC algorithm than in RSA. A) Ability to support digital signatures is incorrect. Both encryption methods support digital signatures. C) Simpler key distribution is incorrect. Both encryption methods are used for public key encryption and distribution. D) Message integrity controls is incorrect. Both ECC and RSA offer message integrity controls.

Q100) When performing a review of a business process reengineering (BPR) effort, which of the following is of PRIMARY concern? A) The audit department does not have a consulting role in the BPR effort. B) Controls are eliminated as part of the streamlining BPR effort. C) Resources are not adequate to support the BPR process. D) The BPR effort includes employees with limited knowledge of the process area.

B) Controls are eliminated as part of the streamlining business process reengineering (BPR) effort is correct. A primary risk of BPR is that controls are eliminated as part of the reengineering effort. This is the primary concern. C) Resources are not adequate to support the BPR process is incorrect. The BPR process can be a resource-intensive initiative; however, the more important issue is whether critical controls are eliminated as a result of the BPR effort. A) The audit department does not have a consulting role in the BPR effort is incorrect. Although BPR efforts often involve many different business functions, it is not a significant concern if audit is not involved, and, in most cases, it is not appropriate for audit to be involved in such an effort. D) The BPR effort includes employees with limited knowledge of the process area is incorrect. A recommended good practice for BPR is to include individuals from all parts of the enterprise, even those with limited knowledge of the process area. Therefore, this is not a concern.

Q30) Business units are concerned about the performance of a newly implemented system. Which of the following should an IS auditor recommend? A) Implement the changes users have suggested. B) Develop a baseline and monitor system usage. C) Prepare the maintenance manual. D) Define alternate processing procedures.

B) Develop a baseline and monitor system usage is correct. An IS auditor should recommend the development of a performance baseline and monitor the system's performance against the baseline to develop empirical data upon which decisions for modifying the system can be made. D) Define alternate processing procedures is incorrect. Alternate processing procedures will not alter a system's performance, and no changes should be made until the reported issue has been examined more thoroughly. C) Prepare the maintenance manual is incorrect. A maintenance manual will not alter a system's performance or address the user concerns. A) Implement the changes users have suggested is incorrect. Implementing changes without knowledge of the cause(s) for the perceived poor performance may not result in a more efficient system.

Q75) Which of the following BEST encrypts data on mobile devices? A) Data encryption standard B) Elliptical curve cryptography C) Advanced encryption standard D) The Blowfish algorithm

B) Elliptical curve cryptography (ECC) is correct. ECC requires limited bandwidth resources and is suitable for encrypting data on mobile devices. A) Data encryption standard is incorrect. This uses less processing power when compared with advanced encryption standard (AES), but ECC is more suitable for encrypting data on mobile devices. C) Advanced encryption standard is incorrect. AES is a symmetric algorithm and has the problem of key management and distribution. ECC is an asymmetric algorithm and is better suited for a mobile environment. D) The Blowfish algorithm is incorrect. The use of the Blowfish algorithm consumes too much processing power.

Q32) The PRIMARY benefit of an IT manager monitoring technical capacity is to: A) identify the need for new hardware and storage procurement. B) ensure that the service level requirements are met. C) determine the future capacity need based on usage. D) ensure that systems operate at optimal capacity.

B) Ensure that the service level requirements are met is correct. Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal service level agreement between the business and IT. A) Identify the need for new hardware and storage procurement is incorrect. This is one benefit of monitoring technical capacity because it can help forecast future demands, not just react to system failures. However, the primary responsibility of the IT manager is to meet the overall requirement to ensure that IT is meeting the service level expectations of the business. C) Determine the future capacity need based on usage is incorrect. Determining future capacity is one definite benefit of technical capacity monitoring. D) Ensure that systems operate at optimal capacity is incorrect. IT management is interested in ensuring that systems are operating at optimal capacity, but their primary obligation is to ensure that IT is meeting the service level requirements of the business.

Q17) An IS auditor reviewing access controls for a client-server environment should FIRST: A) review the application-level access controls. B) identify the network access points. C) review the identity management system. D) evaluate the encryption technique.

B) Identify the network access points is correct. A client-server environment typically contains several access points and uses distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client server environment, all network access points should be identified. D) Evaluate the encryption techniques is incorrect. This would be performed at a later stage of the review. C) Review the identity management system is incorrect. This would be performed at a later stage of the review. A) Review the application level access controls is incorrect. This would be performed at a later stage of the review.

Q11) Which of the following is the BEST criterion for evaluating the adequacy of an organization's security awareness program? A) No actual incidents have occurred that have caused a loss or a public embarrassment. B) Job descriptions contain clear statements of accountability for information security. C) In accordance with the degree of risk and business impact, there is adequate funding for security efforts. D) Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.

B) Job descriptions contain clear statements of accountability for information security is correct. The inclusion of security responsibilities in job descriptions is a key factor in demonstrating the maturity of the security program and helps ensure that staff and management are aware of their roles with respect to information security. D) Senior management is aware of critical information assets and demonstrates an adequate concern for their protection is incorrect. Senior management's level of awareness and concern for information assets is a criterion for evaluating the importance that they attach to those assets and their protection, but it is not as meaningful as having job descriptions that require all staff to be responsible for information security. C) In accordance with the degree of risk and business impact, there is adequate funding for security efforts is incorrect. Funding is important but having funding does not ensure that the security program is effective or adequate. A) No actual incidents have occurred that have caused a loss or a public embarrassment is incorrect. The number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program, but it is not a criterion for evaluating a security program.

Q10) While reviewing the IT governance processes of an organization, an IS auditor discovers the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation? A) IT projects could suffer from cost overruns. B) Misleading indications of IT performance may be presented to management. C) Key performance indicators are not reported to management and management cannot determine the effectiveness of the BSC. D) IT service level agreements may not be accurate.

B) Misleading indications of IT performance may be presented to management is correct. The IT balanced scorecard is designed to measure IT performance. To measure performance, a sufficient number of performance drivers (key performance indicators [KPIs]) must be defined and measured over time. Failure to have objective KPIs may result in arbitrary, subjective measures that may be misleading and lead to unsound decisions. C) Key performance indicators are not reported to management and management cannot determine the effectiveness of the BSC is incorrect. If the performance indicators are not objectively measurable, the most significant risk would be the presentation of misleading performance results to management. This could result in a false sense of assurance and, as a result, IT resources may be misallocated, or strategic decisions may be based on incorrect information. Whether or not the performance indicators are correctly defined, the results would be reported to management. A) IT projects could suffer from cost overruns is incorrect. Although project management issues could arise from performance indicators that were not correctly defined, the presentation of misleading performance to management is a much more significant risk. D) IT service level agreements may not be accurate is incorrect. Although performance management issues related to service level agreements could arise from performance indicators that were not correctly defined, the presentation of misleading performance to management is a much more significant risk.

Q52) A characteristic of User Datagram Protocol in network communications is: A) incompatibility with packet broadcast. B) packets may arrive out of order. C) increased communication latency. D) error correction may slow down processing.

B) Packets may arrive out of order is correct. User Datagram Protocol (UDP) uses a simple transmission model without implicit handshaking routines for providing reliability, ordering or data integrity. Thus, UDP provides an unreliable service and datagrams may arrive out of order, appear duplicated or get dropped. C) Increased communication latency is incorrect. The advantage of UDP is that the lack of error checking allows for reduced latency. Time-sensitive applications, such as online video or audio, often use UDP because of the reduced latency of this protocol. A) Incompatibility with packet broadcast is incorrect. UDP is compatible with packet broadcast (sending to all on the local network) and multicasting (sending to all subscribers). D) Error correction may slow down processing is incorrect. UDP assumes that error checking and correction is either not necessary or performed in the application, avoiding the overhead of such processing at the network interface level.

Q1) Which of the following is the MOST efficient and sufficiently reliable way to test the design effectiveness of a change control process? A) Interview personnel in charge of the change control process B) Perform an end-to-end walk-through of the process C) Test a sample of authorized changes D) Test a sample population of change requests

B) Perform an end-to-end walk-through of the process is correct. Observation is the best and most effective method to test changes to ensure that the process is effectively designed. D) Test a sample population of change requests is incorrect. Testing a sample population of changes is a test of compliance and operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design. C) Test a sample of authorized changes is incorrect. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization or detect changes that bypassed the controls. A) Interview personnel in charge of the change control process is incorrect. This is not as effective as a walk-through of the change controls process because people may know the process but not follow it.

Q12) As a result of profitability pressure, senior management of an enterprise decided to keep investments in information security at an inadequate level. Which of the following is the BEST recommendation of an IS auditor? A) Revise compliance enforcement processes. B) Request that senior management accept the risk. C) Use cloud providers for low-risk operations. D) Postpone low-priority security procedures.

B) Request that senior management accept the risk is correct. Senior management determines resource allocations. Having established that the level of security is inadequate, it is imperative that senior management accept the risk resulting from their decisions. C) Use cloud providers for low-risk operations is incorrect. The use of cloud providers may or may not provide cost savings or lower risk. A) Revise compliance enforcement processes is incorrect. Compliance enforcement processes that identify high levels of residual risk are working as intended and should not be revised. D) Postpone low-priority security procedures is incorrect. The IS auditor should not recommend postponing any procedures. This is a management decision, and management should first accept the risk.

Q39) Which of the following intrusion detection systems will MOST likely generate false alarms resulting from normal network activity? A) Host-based B) Signature-based C) Neural network D) Statistical-based

D) Statistical-based is correct. A statistical-based intrusion detection system (IDS) relies on a definition of known and expected behavior of systems. Because normal network activity may, at times, include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious. B) Signature-based is incorrect. A signature-based IDS is limited to its predefined set of detection rules, just like a virus scanner. Signature-based systems traditionally have low levels of false positives but may be weak at detecting new attacks. C) Neural network is incorrect. A neural network combines the statistical- and signature-based IDSs to create a hybrid and better system. A) Host-based is incorrect. This is another type of IDS, but it would not be used to monitor network activity.

Q72) An IS auditor is comparing equipment in production with inventory records. This type of testing is an example of: A) analytical testing. B) substantive testing. C) control testing. D) compliance testing.

B) Substantive testing is correct. This obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. D) Compliance testing is incorrect. This is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. This differs from substantive testing in which evidence is gathered to evaluate the integrity of individual transactions, data or other information. A) Analytical testing is incorrect. This evaluates the relationship of two sets of data and discerns inconsistencies in the relationship. C) Control testing is incorrect. This is the same as compliance testing.

Q85) An IT auditor is reviewing an organization's information security policy, which requires encryption of all data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption algorithm be used. Which of the following algorithms would provide the greatest assurance that data placed on USB drives is protected from unauthorized disclosure? A) Message digest 5 B) Secure Shell C) Advanced Encryption Standard D) Data Encryption Standard

C) Advanced Encryption Standard (AES) is correct. This provides the strongest encryption of all of the choices listed and would provide the greatest assurance that data are protected. Recovering data encrypted with AES is considered computationally infeasible, and so AES is the best choice for encrypting sensitive data. D) Data Encryption Standard (DES) is incorrect. This is susceptible to brute force attacks and has been broken publicly; therefore, it does not provide assurance that data encrypted using DES will be protected from unauthorized disclosure. A) Message digest 5 (MD5) is incorrect. This is an algorithm used to generate a one-way hash of data (a fixed-length value) to test and verify data integrity. MD5 does not encrypt data but puts data through a mathematical process that cannot be reversed. As a result, MD5 could not be used to encrypt data on a universal serial bus (USB) drive. B) Secure Shell (SSH) is incorrect. This is a protocol that is used to establish a secure, encrypted, command-line shell session, typically for remote logon. Although SSH encrypts data transmitted during a session, SSH cannot encrypt data at rest, including data on USB drives. As a result, SSH is not appropriate for this scenario.

Q79) The implementation of access controls FIRST requires: A) the creation of an access control list. B) a classification of IS resources. C) an inventory of IS resources. D) the labeling of IS resources.

C) An inventory of IS resources is correct. The first step in implementing access controls is an inventory of IS resources, which is the basis for establishing ownership and classification. B) A classification of IS resources is incorrect. The first step in implementing access controls is an inventory of IS resources, which is the basis for classification. D) The labeling of IS resources is incorrect. Labeling resources cannot be done without first determining the resources' classifications. A) The creation of an access control list is incorrect. The access control list would not be done without a meaningful classification of resources.

Q27) An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of: A) variable sampling. B) stop-or-go sampling. C) compliance testing. D) substantive testing.

C) Compliance testing is correct. This determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. A) Variable sampling is incorrect. It is used to estimate numerical values such as dollar values. D) Substantive testing is incorrect. This substantiates the integrity of actual processing such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. B) Stop-or-go sampling is incorrect. This allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.

Q14) For the annual internal IS audit plan, which of the following is the FIRST step performed prior to creating a risk ranking? A) Prioritize the identified risk. B) Identify the critical controls. C) Determine the testing approach. D) Define the audit universe.

D) Define the audit universe is correct. In a risk-based audit approach, the IS auditor identifies risk to the organization based on the nature of the business. To plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix. A) Prioritize the identified risk is incorrect. After the audit universe is defined, the IS auditor can prioritize risk based on its overall impact on different operational areas of the organization covered under the audit universe. B) Identify the critical controls is incorrect. The controls that help in mitigating high-risk areas are generally critical controls and their effectiveness provides assurance on mitigation of risk. However, this cannot be done unless the types of risk are ranked. C) Determine the testing approach is incorrect. The testing approach is based on the risk ranking.

Q91) Following good practices, formal plans for implementation of new information systems are developed during the: A) testing phase. B) development phase. C) design phase. D) deployment phase.

C) Design phase is correct. The method of implementation may affect the design of the system. Therefore, planning for implementation should begin well in advance of the actual implementation date. A formal implementation plan should be constructed in the design phase and revised as the development progresses. B) Development phase is incorrect. The implementation plans are updated during the development of the system, but the plans were already addressed during the design phase. A) Testing phase is incorrect. The testing phase focuses on testing the system and is not concerned with implementation planning. D) Deployment phase is incorrect. The deployment phase implements the system according to the plans set out earlier in the design phase.

Q74) A web server is attacked and compromised. Organizational policy states that incident response should balance containment of an attack with retaining freedom for later legal action against an attacker. Under the circumstances, which of the following should be performed FIRST? A) Dump the volatile storage data to a disk. B) Run the server in a fail-safe mode. C) Disconnect the web server from the network. D) Shut down the web server.

C) Disconnect the web server from the network is correct. The first action is to disconnect the web server from the network to secure the device for investigation, contain the damage and prevent more actions by the attacker. A) Dump the volatile storage data to a disk is incorrect. This may be used at the investigation stage but does not contain an attack in progress. B) Run the server in a fail-safe mode is incorrect. In order to do this, the server needs to be shut down. D) Shut down the web server is incorrect. This could potentially erase information that might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.

Q66) Confidentiality of the data transmitted in a wireless local area network is BEST protected if the session is: A) initiated from devices that have encrypted storage. B) restricted to predefined media access control addresses. C) encrypted using dynamic keys. D) encrypted using static keys.

C) Encrypted using dynamic keys is correct. When using dynamic keys, the encryption key is changed frequently, thus reducing the risk of the key being compromised and the message being decrypted. B) Restricted to predefined media access control addresses is incorrect. Limiting the number of devices that can access the network via media access control address filtering is an inefficient control and does not address the issue of encrypting the session. D) Encrypted using static keys is incorrect. Encryption with static keys—using the same key for a long period of time—carries a risk that the key would be compromised. A) Initiated from devices that have encrypted storage is incorrect. Encryption of the data on the connected device (laptop, smart phone, etc.) addresses the confidentiality of the data on the device, not the wireless session.

Q98) An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment? A) Commands typed on the command line are logged. B) Access to the operating system command line is granted through an access restriction tool with preapproved rights. C) Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs. D) Software development tools and compilers have been removed from the production environment.

C) Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs is correct. The matching of hash keys over time would allow detection of changes to files. A) Commands typed on the command line are logged is incorrect. Having a log is not a control; reviewing the log is a control. B) Access to the operating system command line is granted through an access restriction tool with preapproved rights is incorrect. Because the access was already granted at the command line level, it will be possible for the developers to bypass the control. D) Software development tools and compilers have been removed from the production environment is incorrect. Removing the tools from the production environment will not mitigate the risk of unauthorized activity by the developers.

Q50) The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a DRP, will MOST likely: A) remain the same. B) decrease. C) increase. D) be unpredictable.

C) Increase is correct. Due to the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation (i.e., the cost of normal operations during a nondisaster period will be more than the cost of operations during a nondisaster period when no DRP was in place). B) Decrease is incorrect. The implementation of a DRP will always result in additional costs to the organization. A) Remain the same is incorrect. The implementation of a DRP will always result in additional costs to the organization. D) Be unpredictable is incorrect. The costs of a DRP are fairly predictable and consistent.

Q97) During which phase of software application testing should an organization perform the testing of architectural design? A) Unit testing B) Acceptance testing C) Integration testing D) System testing

C) Integration testing is correct. This evaluates the connection of two or more components that pass information from one area to another. The objective is to use unit-tested modules, thus building an integrated structure according to the design. B) Acceptance testing is incorrect. This determines whether the solution meets the requirements of the business and is performed after system staff has completed the initial system test. This testing includes both quality assurance testing and user acceptance testing, although not combined. D) System testing is incorrect. This relates a series of tests by the test team or system maintenance staff to ensure that the modified program interacts correctly with other components. System testing references the functional requirements of the system. A) Unit testing is incorrect. This references the detailed design of the system and uses a set of cases that focus on the control structure of the procedural design to ensure that the internal operation of the program performs according to specification.

Q34) An IS auditor reviewing the IT organization is MOST concerned if the IT steering committee: A) reports the status of IT projects to the board of directors. B) is responsible for project approval and prioritization. C) is responsible for determining business goals. D) is responsible for developing the long-term IT plan.

C) Is responsible for determining business goals is correct. Determining the business goals is the responsibility of senior management and not of the IT steering committee. IT should support business goals and be driven by the business—not the other way around. B) Is responsible for project approval and prioritization is incorrect. The IT steering committee is responsible for project approval and prioritization. D) Is responsible for developing the long-term IT plan is incorrect. The IT steering committee is responsible for oversight of the development of the long-term IT plan. A) Reports the status of IT projects to the board of directors is incorrect. The IT steering committee advises the board of directors on the status of developments in IT.

Q76) Which of the following results in a denial-of-service attack? A) Negative acknowledgment attack B) Leapfrog attack C) Ping of death D) Brute force attack

C) Ping of death is correct. The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service. D) Brute force attack is incorrect. This is typically a text attack that exhausts all possible key combinations used against encryption keys or passwords. B) Leapfrog attack is incorrect. This is the act of telneting through one or more hosts to preclude a trace and makes use of user ID and password information obtained illicitly from one host to compromise another host. A) Negative acknowledgment attack is incorrect. This is a penetration technique that capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts.

Q31) An IS auditor should recommend the use of library control software to provide reasonable assurance that: A) modified programs are automatically moved to production. B) only thoroughly tested programs are released. C) program changes have been authorized. D) source and executable code integrity is maintained.

C) Program changes have been authorized is correct. Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. B) Only thoroughly tested programs are released is incorrect. Library control software is concerned with authorized program changes and cannot determine whether programs have been thoroughly tested. A) Modified programs are automatically moved to production is incorrect. Programs should not be moved automatically into production without proper authorization. D) Source and executable code integrity is maintained is incorrect. Library control software provides reasonable assurance that the source code and executable code are matched at the time a source code is moved to production. Access control will ensure the integrity of the software, but the most important benefit of version control software is to ensure that all changes are authorized.

Q64) The extent to which data will be collected during an IS audit should be determined based on the: A) availability of critical and required information. B) auditee's ability to find relevant evidence. C) purpose and scope of the audit being done. D) auditor's familiarity with the circumstances.

C) Purpose and scope of the audit being done is correct. The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An IS audit with a narrow purpose and scope, or just a high-level review, will most likely require less data collection than an audit with a wider purpose and scope. A) Availability of critical and required information is incorrect. The extent to which data will be collected during an IS audit should be based on the scope, purpose and requirements of the audit and not be constrained by the ease of obtaining the information or by the IS auditor's familiarity with the area being audited. D) Auditor's familiarity with the circumstances is incorrect. An IS auditor must be objective and thorough and not subject to audit risk through preconceived expected results based on familiarity with the area being audited. B) Auditee's ability to find relevant evidence is incorrect. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence. If evidence is not readily available, the auditor must ensure that other forms of audit are considered to ensure compliance in the area that is subject to audit.

Q28) The IS management of a multinational company is considering upgrading its existing virtual private network to support Voice-over Internet Protocol communication via tunneling. Which of the following considerations should be PRIMARILY addressed? A) Means of authentication B) Privacy of voice transmissions C) Reliability and quality of service D) Confidentiality of data transmissions

C) Reliability and quality of service (QoS) is correct. These are the primary considerations to be addressed. Voice communications require consistent levels of service, which may be provided through QoS and class of service controls. A) Means of authentication is incorrect. The company currently has a virtual private network (VPN); authentication has been implemented by the VPN using tunneling. B) Privacy of voice transmissions is incorrect. This is provided by the VPN protocol. D) Confidentiality of data transmissions is incorrect. The company currently has a VPN; confidentiality of both data and Voice-over Internet Protocol traffic has been implemented by the VPN using tunneling.

Q13) During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to: A) document for future review. B) work with database administrators to correct the issue. C) report the weaknesses as observed. D) include a review of the database controls in the scope.

C) Report the weaknesses as observed is correct. Any weakness noticed should be reported, even if it is outside the scope of the current audit. Weaknesses identified during an application software review need to be reported to management. D) Include a review of the database controls in the scope is incorrect. Executing audits and reviews outside the scope is not advisable. In this case, the weakness identified is considered to be a minor issue, and it is sufficient to report the issue and address it at a later time. A) Document for future review is incorrect. In this case, the weakness identified is considered to be a minor issue. The IS auditor should formally report the weaknesses as an observation rather than documenting it to address during a future audit. B) Work with database administrators to correct the issue is incorrect. It is not appropriate for the IS auditor to work with database administrators to correct the issue.

Q87) Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a postimplementation focus should be to: A) assess whether the planned cost benefits are being measured, analyzed and reported. B) determine whether the system's objectives were achieved. C) review the impact of program changes made during the first phase on the remainder of the project. D) review control balances and verify that the system is processing data accurately.

C) Review the impact of program changes made during the first phase on the remainder of the project is correct. Because management is aware that the project had problems, reviewing the subsequent impact will provide insight into the types and potential causes of the project issues. This will help to identify whether IT has adequately planned for those issues in subsequent projects. A) Assess whether the planned cost benefits are being measured, analyzed and reported is incorrect. While all choices are valid, the post-implementation focus and primary objective should be understanding the impact of the problems in the first phase on the remainder of the project. D) Review control balances and verify that the system is processing data accurately is incorrect. The review should assess whether the control is working correctly but should focus on the problems that led to project overruns in budget and time. B) Determine whether the system's objectives were achieved is incorrect. Ensuring that the system works is a primary objective for the IS auditor, but in this case because the project planning was a failure, the IS auditor should focus on the reasons for, and impact of, the failure.

Q3) Which of the following choices would be the BEST source of information when developing a risk-based audit plan? A) System custodians identify vulnerabilities. B) Process owners identify key controls. C) Senior management identify key business processes. D) Peer auditors understand previous audit results.

C) Senior management identify key business processes is correct. Developing a risk-based audit plan must start with the identification of key business processes, which determine and identify the risk that needs to be addressed. B) Process owners identify key controls is incorrect. Although process owners should be consulted to identify key controls, senior management is a better source to identify business processes, which are more important. A) System custodians identify vulnerabilities is incorrect. System custodians are a good source to better understand the risk and controls as they apply to specific applications; however, senior management is a better source to identify business processes, which are more important. D) Peer auditors understand previous audit results is incorrect. The review of previous audit results is one input into the audit planning process; however, if previous audits focused on a limited or a restricted scope or if the key business processes have changed and/or new business processes have been introduced, then this does contribute to the development of a risk-based audit plan.

Q7) Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems? A) Parallel testing B) Interface/integration testing C) Sociability testing D) Pilot testing

C) Sociability testing is correct. The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web development. A) Parallel testing is incorrect. This is the process of feeding data into two systems—the modified system and an alternate system—and comparing the results. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions. This allows a new system to be tested without affecting existing systems. D) Pilot testing is incorrect. This takes place first at one location and is then extended to other locations. The purpose is to see if the new system operates satisfactorily in one place before implementing it at other locations. In most cases the cutover to the new system will disable existing systems. B) Interface/integration testing is incorrect. This is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure. This will not test in a true production environment.

Q20) An IS auditor reviewing the authentication controls of an organization should be MOST concerned if: A) passwords can be reused by employees within a defined time frame. B) user accounts are not locked out after five failed attempts. C) system administrators use shared login credentials. D) password expiration is not automated.

C) System administrators use shared login credentials is correct. The use of shared login credentials makes accountability impossible. This is especially a risk with privileged accounts. B) User accounts are not locked out after five failed attempts is incorrect. If user accounts are not locked after multiple failed attempts, a brute force attack could be used to gain access to the system. While this is a risk, a typical user would have limited system access compared to an administrator. A) Passwords can be reused by employees within a defined time frame is incorrect. The reuse of passwords is a risk. However, the use of shared login credentials by administrators is a more severe risk. D) Password expiration is not automated is incorrect. If password expiration is not automated, it is most likely that employees will not change their passwords regularly. However, this is not as serious as passwords being shared, and the use of shared login credentials by administrators is a more severe risk.

Q22) A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action? A) Set up an exit interview with human resources. B) Ensure that management signs off on the termination paperwork. C) Terminate the developer's logical access to IT resources. D) Initiate the handover process to ensure continuity of the project.

C) Terminate the developer's logical access to IT resources is correct. To protect IT assets, terminating logical access to IT resources is the first and most important action to take after management has confirmed the employee's clear intention to leave the enterprise. A) Set up an exit interview with human resources is incorrect. The interview with human resources is also an important process if it is conducted by the last date of employment, but it is of secondary importance compared to removing the developer's access to systems. D) Initiate the handover process to ensure continuity of the project is incorrect. As long as the handover process to a designated employee is conducted by the last date of employment, there should be no problems. B) Ensure that management signs off on termination paperwork is incorrect. This is important, but not as critical as terminating access to the IT systems.

Q54) An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if: A) a signature-based IDS is weak against new types of attacks. B) IDS sensors are placed outside of the firewall. C) the IDS is used to detect encrypted traffic. D) a behavior-based IDS is causing many false alarms.

C) The IDS is used to detect encrypted traffic is correct. An IDS cannot detect attacks within encrypted traffic, but there may be good reason to detect the presence of encrypted traffic, such as when a next-generation firewall is configured to terminate encrypted connections at the perimeter. In such cases, detecting encrypted packets flowing past the firewall could indicate improper configuration or even a compromise of the firewall itself. B) IDS sensors are placed outside of the firewall is incorrect. An organization can place sensors outside of the firewall to detect attacks. These sensors are placed in highly sensitive areas and on extranets. D) A behavior-based IDS is causing many false alarms is incorrect. An excessive number of false alarms from a behavior-based intrusion detection system (IDS) indicates that additional tuning is needed. False positives cannot be eliminated entirely, but ignoring this warning sign may negate the value of the system by causing those responsible for monitoring its warnings to become convinced that anything reported is false. A) A signature-based IDS is weak against new types of attacks is incorrect. Being weak against new types of attacks is expected from a signature-based IDS because it can only recognize attacks that have been previously identified.

Q61) A financial services enterprise has a small IT department, and individuals perform more than one role. Which of the following practices represents the GREATEST risk? A) The business analyst writes the requirements and performs functional testing. B) The IT manager also performs systems administration. C) The developers promote code into the production environment. D) The database administrator (DBA) also performs data backups.

C) The developers promote code into the production environment is correct. If developers have access to the production environment, there is a risk that untested code can be migrated into the production environment. A) The business analyst writes the requirements and performs functional testing is incorrect. In situations in which there is no dedicated testing group, the business analyst is often the one to perform testing because the analyst has detailed knowledge of how the system must function as a result of writing the requirements. B) The IT manager also performs systems administration is incorrect. It is acceptable in a small team for the IT manager to perform system administration, as long as the manager does not also develop code. D) The database administrator (DBA) also performs data backups is incorrect. It may be part of the database administrator's duties to perform data backups.

Q2) An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture? A) Inbound traffic is blocked unless the traffic type and connections have been specifically permitted. B) A Secure Sockets Layer has been implemented for user authentication and remote administration of the firewall. C) The firewall is placed on top of the commercial operating system with all default installation options. D) Firewall policies are updated on the basis of changing requirements.

C) The firewall is placed on top of the commercial operating system with all default installation options is correct. The greatest concern when implementing firewalls on top of commercial operating systems is the potential presence of vulnerabilities that could undermine the security posture of the firewall platform itself. In most circumstances, when commercial firewalls are breached, that breach is facilitated by vulnerabilities in the underlying operating system. Keeping all installation options available on the system further increases the risk of vulnerabilities and exploits. B) A Secure Sockets Layer has been implemented for user authentication and remote administration of the firewall is incorrect. Using Secure Sockets Layer for firewall administration is important because changes in user and supply chain partners' roles and profiles will be dynamic. D) Firewall policies are updated on the basis of changing requirements is incorrect. It is appropriate to maintain the firewall policies as needed. A) Inbound traffic is blocked unless the traffic type and connections have been specifically permitted is incorrect. It is prudent to block all inbound traffic to an extranet unless permitted.

Q41) An organization allows for the use of universal serial bus drives to transfer operational data between offices. Which of the following is the GREATEST risk associated with the use of these devices? A) Files are not backed up B) Use of the devices for personal purposes C) Theft of the devices D) Introduction of malware into the network

C) Theft of the devices is correct. Because universal serial bus (USB) drives tend to be small, they are susceptible to theft or loss. This represents the greatest risk to the organization. A) Files are not backed up is incorrect. While this is a risk, theft of an unencrypted device is a greater risk. B) Use of the devices for personal purposes is incorrect. Use of USB drives for personal purposes is a violation of company policy; however, this is not the greatest risk. D) Introduction of malware into the network is incorrect. Good general IT controls will include the scanning of USB drives for malware once they are inserted in a computer. The risk of malware in an otherwise robust environment is not as great as the risk of loss or theft.

Q24) In the planning phase of an IS audit, which of the following is the MAIN reason to perform a risk assessment? A) To ensure management's concerns are addressed B) To develop the audit program and procedures to perform the audit C) To provide reasonable assurance material items will be addressed D) To ensure the audit team will perform audits within budget

C) To provide reasonable assurance material items will be addressed is correct. A risk assessment helps to focus the audit procedures on the highest risk areas included in the scope of the audit. The concept of reasonable assurance is also important. A) To ensure management's concerns are addressed is incorrect. Management concerns have no bearing on the risk assessment process. If management has concerns and wants the auditor to focus on a certain area, the auditor should ensure adequate time is allocated to address the concerns. D) To ensure the audit team will perform audits within budget is incorrect. A risk assessment is performed to determine where to place time and personnel resources, while budget constraints are limited to time resources. B) To develop audit program and procedures needed to perform the audit is incorrect. A risk assessment is not used in the development of the audit program and procedures. However, the risk assessment is used to allocate resources to audits.

Q71) Which of the following controls would be MOST effective in reducing the risk of loss due to fraudulent online payment requests? A) Protecting web sessions using Secure Sockets Layer B) Inputting validation checks on web forms C) Transaction monitoring D) Enforcing password complexity for authentication

C) Transaction monitoring is correct. An electronic payment system could be the target of fraudulent activities. An unauthorized user could potentially enter false transactions. By monitoring transactions, the payment processor could identify potentially fraudulent transactions based on the typical usage patterns, monetary amounts, physical location of purchases, and other data that are part of the transaction process. A) Protecting web sessions using Secure Sockets Layer is incorrect. Using Secure Sockets Layer would help to ensure the secure transmission of data to and from the user's web browser and help to ensure that the end user has reached the correct web site, but this would not prevent fraudulent transactions. D) Enforcing password complexity for authentication is incorrect. Online transactions are not necessarily protected by passwords; for example, credit card transactions are not necessarily protected. The use of strong authentication would help to protect users of the system from fraud by attackers guessing passwords, but transaction monitoring would be the better control. B) Inputting validation checks on web forms is incorrect. This is important to ensure that attackers do not compromise the web site, but transaction monitoring would be the best control.

Q55) An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site are transferred to both the delivery and accounting systems? A) Transaction totals are recorded on a daily basis in the sales systems. Daily sales system totals are aggregated and totaled. B) Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected. C) Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for. D) System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp.

C) Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for is correct. Automatic numerical sequencing is the only option that accounts for completeness of transactions because any missing transactions would be identified by a gap. A) Transaction totals are recorded on a daily basis in the sales systems. Daily sales system totals are aggregated and totaled is incorrect. Totaling transactions on the sales system does not address the transfer of data from the online systems to the accounting system, but rather considers only the sales system. B) Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected is incorrect. Checking for duplicates is a valid control; however, it does not address whether the sales transactions processed are complete (ensuring that all transactions are recorded). D) System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp is incorrect. A date/time stamp does not help account for transactions that are missing or incomplete by the accounting and delivery department.

Q88) A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines. Which of the following would be the BEST contingency plan for the communications processor? A) Duplex communication links B) Reciprocal agreement with another organization C) Alternate processor in the same location D) Alternate processor at another network node

D) Alternate processor at another network node is correct. The unavailability of the central communications processor would disrupt all access to the banking network. This could be caused by an equipment, power or communications failure. Having a duplicate processor in another location that could be used for alternate processing is the best solution. B) Reciprocal agreement with another organization is incorrect. Reciprocal agreements make an organization dependent on the other organization and raise privacy, competition and regulatory issues. C) Alternate processor in the same location is incorrect. Having an alternate processor in the same location resolves the equipment problem but would not be effective if the failure was caused by environmental conditions (i.e., power disruption). A) Duplex communication links is incorrect. The installation of duplex communication links would only be appropriate if the failure were limited to the communication link.

Q95) Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? A) Access controls B) Overlapping controls C) Boundary controls D) Compensating controls

D) Compensating controls is correct. These are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated. B) Overlapping controls is incorrect. These are two controls addressing the same control objective or exposure. Because primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls. C) Boundary controls is incorrect. These establish the interface between the would-be user of a computer system and the computer system itself and are individual-based, not role-based, controls. A) Access controls is incorrect. Access controls for resources are based on individuals and not on roles. For a lack of segregation of duties, the IS auditor expects to find that a person has higher levels of access than are ideal. The IS auditor wants to find compensating controls to address this risk.

Q36) During a system development life cycle audit of a human resources and payroll application, the IS auditor notes that the data used for user acceptance testing have been masked. The purpose of masking the data is to ensure the: A) reliability of the data. B) accuracy of the data. C) completeness of the data. D) confidentiality of the data.

D) Confidentiality of the data is correct. Masking is used to ensure the confidentiality of data, especially in a user acceptance testing exercise in which the testers have access to data that they would not have access to in normal production environments. B) Accuracy of the data is incorrect. Masking does not ensure accuracy of the data. If the underlying data are inaccurate, the masked data also would be inaccurate. C) Completeness of the data is incorrect. Masking does not ensure completeness of the data. If the underlying data are incomplete, the masked data also would be incomplete. A) Reliability of the data is incorrect. Masking does not ensure reliability of the data. If the underlying data are unreliable, the masked data also would be unreliable.

Q19) Which of the following is the MOST secure way to remove data from obsolete magnetic tapes during a disposal? A) Initializing the tape labels B) Erasing the tapes C) Overwriting the tapes D) Degaussing the tapes

D) Degaussing the tapes is correct. The best way to handle obsolete magnetic tapes is to degauss them. Degaussing is the application of a coercive magnetic force to the tape media. This action leaves a very low residue of magnetic induction, essentially erasing the data completely from the tapes. C) Overwriting the tapes is incorrect. This is a good practice, but if the tapes have contained sensitive information then it is necessary to degauss them. A) Initializing the tape labels is incorrect. This would not remove the data on the tape and could lead to compromise of the data on the tape. B) Erasing the tapes is incorrect. This will make the data unreadable except for sophisticated attacks; therefore, tapes containing sensitive data should be degaussed.

Q33) Which of the following is the MOST effective control over visitor access to a data center? A) Visitors sign in. B) Visitor badges are required. C) Visitors are spot-checked by operators. D) Visitors are escorted.

D) Visitors are escorted is correct. Escorting visitors will provide the best assurance that visitors have permission to access defined areas within the data processing facility. B) Visitor badges are required is incorrect. This is a good practice, but not a reliable control. A) Visitors sign in is incorrect. This is good practice, but not a reliable control. After visitors are in the building, the sign-in process will not prevent them from accessing unauthorized areas. C) Visitors are spot-checked by operators is incorrect. Visitors should be accompanied at all times while they are on the premises, not only when they are in the data processing facility.

Q70) Which of the following factors is MOST critical when evaluating the effectiveness of an IT governance implementation? A) Identify relevant risk and related opportunities. B) Determine relevant enablers and their applicability. C) Ensure that assurance objectives are defined. D) Determine stakeholder requirements and involvement.

D) Determine stakeholder requirements and involvement is correct. The most critical factor to be considered in auditing an IT governance implementation is to determine stakeholder requirements and involvement. This drives the success of the project. Based on this, the assurance scope and objectives are determined. C) Ensure that assurance objectives are defined is incorrect. Stakeholders' needs and their involvement form the basis for scoping the IT governance implementation. This will be used to define assurance objectives. A) Identify relevant risk and related opportunities is incorrect. The relevant risk and related opportunities are identified and driven by the assurance objectives. B) Determine relevant enablers and their applicability is incorrect. The relevant enablers and their applicability for the IT governance implementation are considered based on assurance objectives.

Q21) During the review of a biometrics system operation, an IS auditor should FIRST review the stage of: A) identification B) storage C) verification D) enrollment

D) Enrollment is correct. The users of a biometric device must first be enrolled in the device. A) Identification is incorrect. The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be used in the matching processes. C) Verification is incorrect. A user applying for access will be verified against the stored enrolled value. B) Storage is incorrect. The biometric stores sensitive personal information, so the storage must be secure.

Q59) Which of the following is MOST effective for monitoring transactions exceeding predetermined thresholds? A) An integrated test facility B) Regression tests C) Transaction snapshots D) Generalized audit software

D) Generalized audit software (GAS) is correct. This is a data analytic tool that can be used to filter large amounts of data. A) An integrated test facility is incorrect. Integrated test facilities test the processing of the data and cannot be used to monitor real-time transactions. B) Regression tests is incorrect. These are used to test new versions of software to ensure that previous changes and functionality are not inadvertently overwritten or disabled by the new changes. C) Transaction snapshots is incorrect. Gathering information through snapshots alone is not sufficient. GAS will assist with an analysis of the data.

Q92) An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? A) Configuration as a virtual private network endpoint. B) Rules permitting or denying access to systems or networks. C) An implicit deny rule as the last rule in the rule base. D) Installation on an operating system configured with default settings.

D) Installation on an operating system configured with default settings is correct. Default settings of most equipment—including operating systems—are often published and provide an intruder with predictable configuration information, which allows easier system compromise. To mitigate this risk, firewall software should be installed on a system using a hardened operating system that has limited functionality, providing only the services necessary to support the firewall software. C) An implicit deny rule as the last rule in the rule base is incorrect. Configuring a firewall with an implicit deny rule is common practice. B) Rules permitting or denying access to systems or networks is incorrect. A firewall configuration should have rules allowing or denying access according to policy. A) Configuration as a virtual private network endpoint is incorrect. A firewall is often set up as the endpoint for a virtual private network.

Q83) Applying a digital signature to data traveling in a network provides: A) confidentiality and nonrepudiation. B) confidentiality and integrity. C) security and nonrepudiation. D) integrity and nonrepudiation.

D) Integrity and nonrepudiation is correct. A digital signature is created by signing a hash of a message with the private key of the sender. This provides for the integrity (through the hash) and the proof of origin (nonrepudiation) of the message. B) Confidentiality and integrity is incorrect. A digital signature does not encrypt the message, so it cannot provide confidentiality. C) Security and nonrepudiation is incorrect. A digital signature does not encrypt the message, so it cannot provide security. A) Confidentiality and nonrepudiation is incorrect. A digital signature does not provide confidentiality.

Q53) When reviewing an intrusion detection system, an IS auditor should be MOST concerned about which of the following? A) Default detection settings B) Network performance downgrade C) High number of false-positive alarms D) Low coverage of network traffic

D) Low coverage of network traffic is correct. Cybersecurity attacks might not be identified in a timely manner if only a small portion of network traffic is analyzed. C) High number of false-positive alarms is incorrect. Although the number of false-positives is a serious issue, the problem will be known and can be corrected. B) Network performance downgrade is incorrect. An intrusion detection system might decrease overall network performance; however, it is a secondary risk in this case. A) Default detection settings is incorrect. It is good practice to customize intrusion detection system settings to the specific network perimeter; however, there is a higher likelihood of missing attacks due to insufficient network coverage.

Q81) An organization is developing a new web-based application to process orders from customers. Which of the following security measures should be taken to protect this application from hackers? A) Make sure that only the IP addresses of existing customers are allowed through the firewall. B) Inspect file and access permissions on all servers to ensure that all files have read-only access. C) Ensure that ports 80 and 443 are blocked at the firewall. D) Perform a web application security review.

D) Performing a web application security review is correct. This is a necessary effort that would uncover security vulnerabilities that could be exploited by hackers. C) Ensure that ports 80 and 443 are blocked at the firewall is incorrect. Port 80 must be open for a web application to work and port 443 for HTTPS (Hypertext Transfer Protocol Secure) to operate. B) Inspect file and access permissions on all servers to ensure that all files have read-only access is incorrect. For customer orders to be placed, some data must be saved to the server. No customer orders could be placed on a read-only server. A) Make sure that only the IP addresses of existing customers are allowed through the firewall is incorrect. Restricting IP addresses might be appropriate for some types of web applications but is not the best solution because a new customer could not place an order until the firewall rules were changed to allow the customer to connect.

Q56) While conducting an IS audit of a service provider for a government program involving confidential information, an IS auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met? A) Monthly committee meetings include the subcontractor's IS manager B) Management reviews weekly reports from the subcontractor C) Permission is obtained from the government agent regarding the contract D) Periodic independent audit of the work delegated to the subcontractor

D) Periodic independent audit of the work delegated to the subcontractor is correct. Periodic independent audits provide reasonable assurance that the requirements for protecting confidentiality of information are not compromised. A) Monthly committee meetings include the subcontractor's IS manager is incorrect. Regular committee meetings are a good monitoring tool for delegated operations; however, independent reviews provide better assurance. B) Management reviews weekly reports from the subcontractor is incorrect. Management should not only rely on self-reported information from the subcontractor. C) Permission is obtained from the government agent regarding the contract is incorrect. Obtaining permission from the government agent is not related to ensuring the confidentiality of information.

Q44) The PRIMARY purpose of a post-implementation review is to ascertain that: A) future enhancements can be identified. B) the lessons learned have been documented. C) the project has been delivered on time and budget. D) project objectives have been met.

D) Project objectives have been met is correct. A project manager performs a post-implementation review to obtain feedback regarding the project deliverables and business needs and to determine whether the project has successfully met them. B) The lessons learned have been documented is incorrect. It is important to ensure that lessons learned during the project are not forgotten; however, it is more important to ascertain whether the project solved the problem it was designed to address. A) Future enhancements can be identified is incorrect. Identifying future enhancements is not the primary objective of a post-implementation review. C) The project has been delivered on time and budget is incorrect. Although it is important to review whether the project was completed on time and budget, it is more important to determine whether the project met the business needs.

Q86) A hotel has placed a PC in the lobby to provide guests with Internet access. Which of the following presents the GREATEST risk for identity theft? A) Web browser cookies are not automatically deleted. B) System updates have not been applied on the computer. C) The computer is improperly configured. D) Session time out is not activated.

D) Session time out is not activated is correct. If an authenticated session is inactive and unattended, it can be hijacked and used for illegal purposes. It might then be difficult to identify the intruder because a legitimate session was used. A) Web browser cookies are not automatically deleted is incorrect. If web browser cookies are not automatically deleted, it might be possible to determine the web sites that a user has accessed. However, if sessions do not time out, it is easier for identity theft to occur. C) The computer is improperly configured is incorrect. If the PC is not configured properly and does not have antivirus software installed, there could be a risk of virus or malware infection. This could cause identity theft. However, if sessions do not time out, it is easier for identity theft to occur. B) System updates have not been applied on the computer is incorrect. If system updates have not been applied, there could be a greater risk of virus or malware infection. This could cause identity theft. However, if sessions do not time out, it is easier for identity theft to occur.

Q90) During an IS risk assessment of a healthcare organization regarding protected healthcare information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor? A) The organization does not encrypt all of its outgoing email messages. B) An individual's computer screen saver function is disabled. C) Server configuration requires the user to change the password annually. D) Staff have to type [PHI] in the subject field of email messages to be encrypted.

D) Staff have to type [PHI] in the subject field of email messages to be encrypted is correct. There will always be human-error risk that staff members forget to type certain words in the subject field. The organization should have automated encryption set up for outgoing email for employees working with protected health care information (PHI) to protect sensitive information. A) The organization does not encrypt all of its outgoing email messages is incorrect. Encrypting all outgoing email is expensive and is not common business practice. B) An individual's computer screen saver function is disabled is incorrect. Disabling the screen saver function increases the risk that sensitive data can be exposed to other employees; however, the risk is not as great as exposing the data to unauthorized individuals outside the organization. C) Server configuration requires the user to change the password annually is incorrect. While changing the password annually is a concern, the risk is not as great as exposing the data to unauthorized individuals outside the organization.

Q25) Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project? A) System builders B) System designers C) System users D) System owners

D) System owners is correct. These are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems. C) System users is incorrect. These are the individuals who use or are affected by the information system. Their requirements are crucial in the requirements definition, design and testing stages of a project. B) System designers is incorrect. They translate business requirements and constraints into technical solutions. A) System builders is incorrect. They construct the system based on the specifications from the systems designers. In most cases, the designers and builders are one and the same.

Q37) To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the: A) IT organizational structure. B) historical financial statements. C) enterprise data model. D) IT balanced scorecard.

D) The IT balanced scorecard is correct. This is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. In this way, the auditor can measure the success of the IT investment and strategy. C) An enterprise data model is incorrect. This is a document defining the data structure of an organization and how data interrelate. It is useful, but it does not provide information on investments in IT assets. A) The IT organizational structure is incorrect. This provides an overview of the functional and reporting relationships in an IT entity but does not ensure effectiveness of IT investment. B) Historical financial statements is incorrect. These do not provide information about planning and lack sufficient detail to enable one to fully understand management's activities regarding IT assets. Past costs do not necessarily reflect value, and assets such as data are not represented on the books of accounts.

Q4) Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process? A) The maturity of the project management process B) The regulatory environment C) Past audit findings D) The IT project portfolio analysis

D) The IT project portfolio analysis is correct. Portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the IT portfolio provides comparable information of planned initiatives, projects and ongoing IT services, which allows the IT strategy to be aligned with the business strategy. A) The maturity of the project management process is incorrect. The maturity of the project management process is more important with respect to managing the day-to-day operations of IT versus performing strategic planning. B) The regulatory environment is incorrect. Regulatory requirements may drive investment in certain technologies and initiatives; however, having to meet regulatory requirements is not typically the main focus of the IT and business strategy. C) Past audit findings is incorrect. Past audit findings may drive investment in certain technologies and initiatives; however, having to remediate past audit findings is not the main focus of the IT and business strategy.

Q94) An organization is planning to deploy an outsourced cloud-based application that is used to track job applicant data for the human resources department. Which of the following should be the GREATEST concern to an IS auditor? A) The cloud provider will not agree to an unlimited right-to-audit as part of the SLA. B) The service level agreement (SLA) ensures strict limits for uptime and performance. C) The SLA is not explicit regarding the disaster recovery plan capabilities of the cloud provider. D) The cloud provider's data centers are in multiple cities and countries.

D) The cloud provider's physical data centers are in multiple cities and countries is correct. Having data in multiple countries is the greatest concern because human resources (HR) applicant data could contain personally identifiable information. There may be legal compliance issues if these data are stored in a country with different laws regarding data privacy. While the organization would be bound by the privacy laws where it is based, it may not have legal recourse if a data breach happens in a jurisdiction where the same laws do not apply. B) The service level agreement (SLA) ensures strict limits for uptime and performance is incorrect. Although this application may have strict requirements for availability, it is assumed that the service level agreement (SLA) would contain these same elements; therefore, this is not a concern. A) The cloud provider will not agree to an unlimited right-to-audit as part of the SLA is incorrect. The right-to-audit clause is good to have, but there are limits on how a cloud service provider may interpret this requirement. The task of reviewing and assessing all the controls in place at a multinational cloud provider would likely be a costly and time-consuming exercise; therefore, such a requirement may be of limited value. C) The SLA is not explicit regarding the disaster recovery plan capabilities of the cloud provider is incorrect. Because the SLA would normally specify uptime requirements, the means used to achieve those goals (which would include the specific disaster recovery plan capabilities of the provider) are typically not reviewed in-depth by the customer, nor are they typically specified in an SLA.

Q65) In wireless communication, which of the following controls allows the receiving device to verify that the received communications have not been altered in transit? A) Wireless intrusion detection and intrusion prevention systems B) Device authentication and data origin authentication C) Packet headers and trailers D) The use of cryptographic hashes

D) The use of cryptographic hashes is correct. Calculating cryptographic hashes for wireless communications allows the receiving device to verify that the received communications have not been altered in transit. This prevents masquerading and message modification attacks. B) Device authentication and data origin authentication is incorrect. These allow wireless endpoints to authenticate each other to prevent man-in-the-middle attacks and masquerading. A) Wireless intrusion detection and intrusion prevention systems is incorrect. These have the ability to detect misconfigured devices and rogue devices and detect and possibly stop certain types of attacks. C) Packet headers and trailers is incorrect. These alone do not ensure that the content has not been altered because an attacker could alter both the data and the trailer.

Q5) The implementation of which of the following would MOST effectively prevent unauthorized access to a system administration account on a web server? A) Password expiration and lockout policy B) Password complexity rules C) Host intrusion detection software installed on a server D) Two-factor authentication

D) Two-factor authentication is correct. This requires a user to use a password in combination with another identification factor that is not easily stolen or guessed by an attacker. Types of two-factor authentication include electronic access tokens that show one-time passwords on their display panels or biometric authentication systems. C) Host intrusion detection software installed on the server is incorrect. This will assist in the detection of unauthorized system access but does not prevent such access. A) Password expiration and lockout policy is incorrect. While controls regarding password expiration and lockout from failed login attempts are important, two-factor authentication methods or techniques would most effectively reduce the risk of stolen or compromised credentials. Password-only based authentication may not provide adequate security. B) Password complexity rules is incorrect. While controls regarding password complexity are important, two-factor authentication methods or techniques would most effectively reduce the risk of stolen or compromised credentials.

