CISA integrated 75Qs

Allowing applications programmers to access live production applications for patching and security maintenance breaches proper segregation of duties. True or false? A. True B. False

Answer: A Although it is common practice in many organizations, allowing application programmers to change code in production programs increases the risk of fraud.

Which of the following network configurations BEST supports availability? A. Mesh with host forwarding enabled B. Ring C. Star D. Bus

Answer: A Although it is not very practical because of physical implementation constraints, a fully connected mesh with host forwarding enabled provides the most redundancy of network communication paths.

These are steps included in business process re-engineering: a) Gain an understanding of the business process to be reviewed, b) Establish a continuous improvement process, c) Redesign and streamline the process, d) Define the areas to be reviewed, e) Implement and monitor the new process, f) Develop a project plan. What is the proper sequence of these steps? A. d, f, a, c, e, b B. a, f, d, c, e, b C. f, a, d, c, e, b D. d, a, f, c, e, b

Answer: A Answer A describes the correct sequence of steps performed in business process re-engineering. All other answers are out of proper sequence.

Authorization is BEST characterized as: A. Providing access to a resource according to the principle of least privilege B. A user providing an identity and a password C. Authenticating a user's identity with a password D. Certifying a user's authority

Answer: A Authorization is the process of providing a user with access to a resource based upon the specific needs of the user to perform an authorized task. This process relies upon a verified understanding of the user's identity. Therefore, a user must provide a claim of identity, which is then verified through an authentication process. Following the authentication process, access can be authorized according to the principle of least privilege.

Regarding alternate site data-processing facilities, which of the following best practices is MOST important? A. The facility is not clearly identified as belonging to the company. B. The facility is clearly identified as belonging to the company. C. Primary-site recovery teams can reach the facility within an hour to ensure minimal business impact from the disruptive event. D. The facility does not provide any external windows.

Answer: A Because a potential disruptive event could be facility sabotage or bomb threat, the alternate processing facility should not be easily identified as belonging to the company. Because off-site facilities mitigate the risk of widespread natural disasters such as hurricanes and earthquakes, the facilities should be geographically distant from the primary site. External windows should be avoided because such windows expose the facility to unauthorized physical access, as well as storm damage. However, this best practice is not considered as important as answer A.

When a business attempts to streamline its business processes through business process re-engineering (BPR), utilization of technology often: A. Increases B. Decreases C. Stays the same D. Is a waste of money

Answer: A Business process re-engineering often results in increased automation, which results in a greater number of people using technology. Cost-effectiveness is evaluated within BPR and should not be negatively affected by BPR.

Data mining is a technique that BEST detects which of the following? A. Fraudulent transactions B. Password compromise C. Malicious network traffic D. Malicious code

Answer: A By comparing and cross-indexing transaction data from multiple databases, data mining can be used to determine suspicious transactions that fall outside the norm. Data-mining techniques can be used to support investigation of a password compromise, but this is still more appropriate for answer A. Network-based intrusion detection is better suited for detecting malicious network traffic. Host-based intrusion detection, code auditing, and antivirus software are better suited for detecting malicious code.

The use of decision trees implemented by leading users through a series of questions or choices from a knowledge base to compute a logical finding is implemented by which of the following? A. Expert systems B. Artificial neural networks (ANN) C. Critical path analysis D. Function point analysis

Answer: A Decision trees use questionnaires to lead the user through a series of choices to reach a conclusion. Artificial neural networks attempt to emulate human thinking by analyzing many attributes of knowledge to reach a conclusion. Critical path analysis is used in project management. Function point analysis is used in determining a proposed software application's size for development planning purposes.

Disaster recovery planning often comes down to a compromise between cost and target recovery times. Which of the following statements is true regarding this compromise? A. Disaster-recovery duration times and costs should decrease. B. Disaster-recovery duration times should decrease, but recovery costs will necessarily increase. C. Disaster-recovery duration times should remain constant, but recovery costs should decrease. D. Disaster-recovery times should remain constant, but recovery costs should increase.

Answer: A Effective recovery-control planning incorporates a control feasibility study, including a cost/benefit analysis. The objective of DRP is to reduce the financial business impact of a disaster or disruptive event to a greater extent than the cost of implementing a disaster-recovery control. Therefore, a control that decreases the recovery time and associated net recovery costs of the disaster is accepted and implemented.

An IS auditor is reviewing an organization's change-development process and finds that the development calls for using fourth-generation programming languages (4GLs). Which of the following statements is NOT true regarding 4GLs? A. 4GLs provide extensive lower-level detail commands necessary to perform data-intensive or online operations. B. 4GLs can use simple language subsets, which can be utilized by lesser-skilled users. C. 4GLs make extensive use of object-oriented programming concepts. D. 4GLs are often platform portable.

Answer: A Fourth-generation languages (4GLs) are most appropriate for designing the application's graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures. All other statements are true.

Which of the following would an IS auditor review to BEST determine user access to systems or data? A. Access-control lists (ACLs) B. User account management C. Systems logs D. Applications logs

Answer: A IS auditors should review access-control lists (ACLs) to determine user permissions that have been granted for a particular resource.

Which of the following is a risk if system backups are only performed weekly? A. System defaults are inaccurate B. System files are not synchronized with data access C. System files are partially fragmented D. System defaults are lost

Answer: A If system defaults are inaccurate, the impact for systems that are only backed up on a weekly basis is a major concern. Choices B and C do not apply to these system backups. Choice D, system defaults, could only be modified, not lost.

Which of the following is the MOST appropriate type of risk to be associated with authorized program exits (trap doors)? A. Inherent B. Audit C. Detection D. Business

Answer: A Inherent risk is associated with authorized program exits (trap doors).

Which of the following methods would BEST ensure the adequacy of the disaster recovery plan? A. Regular reviews of the currency of the information detailed in the plan B. Unannounced shut down of the primary installation during quiet periods C. Regular recovery exercises using expert personnel, trained in the execution of the recovery procedures D. Unannounced recovery exercises at regular intervals

Answer: A Of the options, the most effective would be to regularly review the currency of information detailed in the plan, such as contact names and locations, backup frequency and content, recovery procedures, etc. Regular recovery exercises should be held, but it is better that staff who are not recovery experts are involved. This will provide better assurance that, should a disaster occur, the plan can be used by any staff available. Exercises should be planned and announced; an unplanned test, however frequently performed, will be more difficult to evaluate and is less likely to provide assurance that the plan is effective. Unannounced shut down of primary processing should not be a consideration at any time due to the potential effect on "live" processing should the recovery fail.

Proper segregation of duties does not prohibit a quality-control administrator from performing change control and problem management. True or false? A. True B. False

Answer: A Proper segregation of duties does not prohibit a quality-control administrator from also being responsible for change control and problem management.

Which of the following would be the first evidence to review when performing a network audit? A. Network topology chart B. Systems inventory C. Applications inventory D. Database architecture

Answer: A Reviewing a diagram of the network topology is often the best first step when auditing IT systems. This diagram provides the auditor with a foundation-level understanding of how systems, applications, and databases interoperate. Obtaining the systems and applications inventory would be a logical next step. Reviewing the database architecture is much more granular and can be performed only after adequately understanding the basics of how an organization's systems and networks are set up.

Which of the following roles is accountable for the maintenance of appropriate security measures over information assets? A. Data and systems owners, such as the corporate officers B. Data and systems custodians, such as the network administrator and firewall administrator C. Data and systems users, such as the payroll department D. Data and systems managers

Answer: A Specific security administration is directed by senior management and implemented by system custodians. Still, ultimate accountability for data and system security lies with senior management.

An IS Auditor should be involved in: A. observing tests of the disaster recovery plan B. developing the disaster recovery plan C. maintaining the disaster recovery plan D. reviewing the disaster recovery requirements of supplier contracts.

Answer: A The IS Auditor should always be present when disaster recovery plans are tested, to ensure that the test meets the required targets for restoration and that recovery procedures are effective and efficient, reporting on the results as appropriate. IS Auditors may be involved in overseeing plan development, but they are unlikely to be involved in the actual development process. Similarly, an audit of plan maintenance may be conducted, but the IS auditor would not normally have any responsibility for the actual maintenance. An IS auditor may be asked to comment upon various elements of a supplier contract but, again, this is not always the case.

Which of the following is considered the MOST significant advantage of implementing a continuous auditing approach? A. It can improve system security when used in time-sharing environments that process a large number of transactions. B. It can provide more actionable audit results because of the increased input from management and staff. C. It can identify high-risk areas that might need a detailed review later. D. It can significantly reduce the amount of resources necessary for performing the audit because time constraints are more relaxed.

Answer: A The PRIMARY advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.

An IS Auditor reviewing the results of a test of the disaster recovery plan conducted at a warm site notes that clients were unable to log-on to the restored on-line systems as there were insufficient data lines connecting the client premises to the recovery site. The MOST likely conclusion that the IS auditor would draw is that the: A. clients were not sufficiently involved in plan development B. use of a warm site is inappropriate C. impact of a potential disaster was not fully analyzed D. external communications service providers were not involved in the test

Answer: A The most likely cause of this situation is that the clients did not define their own needs following restoration at the remote site. The fact that the recovery involves a "warm site", where essentially hardware and software exist but in a dormant state, would not affect the existence of data communications capacity. The impact analysis certainly did not consider client needs, but this was not likely due to insufficient involvement of clients in the plan development. It is unlikely that external service providers would be involved in a recovery test.

The offline print spooling feature of print servers should be carefully monitored to ensure that unauthorized viewing access to sensitive information is controlled and prevented. Which of the following issues is an IS auditor MOST concerned with? A. Some users have the technical authority to print documents from the print spooler even though the users are not authorized with the appropriate classification to view the data they can print. B. Some users have the technical authority to modify the print spooler file even though the users do not have the subject classification authority to modify data within the file. C. Some users have the technical authority to delete the print job from the spooler even though the users do not have the authority to modify the data output of the print job. D. Some users have the technical authority to pause the print jobs of certain information even though they do not have the subject classification authority to create, modify, or view the data output of the print job.

Answer: A The question focuses on the confidentiality aspect of access control. A user with technical printer administration authority can print jobs from the print spooler, regardless of the user's authorization to view the print output. All other answers are potential compromises of information integrity or availability.

When assessing the potential scope of an application-development project, which of the following provides the most reliable estimate of the size of an information system? A. Critical path analysis B. Function point analysis C. Program evaluation review technique D. Rapid application development

Answer: B A function point analysis (FPA) is a reliable technique for estimating the scope and cost of a software-development project. PERT is used in both the planning and control of projects for network management. RAD is a methodology that enables organizations to develop strategically important systems more quickly and to reduce development costs. Critical path analysis is a process for finding the shortest project duration by optimizing utilization of project resources.

Which of the following firewall types provides the most thorough inspection and control of network traffic? A. Packet-filtering firewall or stateful inspection firewall B. Application-layer gateway or stateful inspection firewall C. Application-layer gateway or circuit-level gateway D. Packet-filtering firewall or circuit-level gateway

Answer: B An application-layer gateway, or proxy firewall, and stateful inspection firewalls provide the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic. A packet-filtering firewall, also known as a circuit-level gateway, reliably inspects only through OSI Layer 3.

When analyzing and developing a new system, when should security first be considered? A. During the feasibility study of the proposed system B. During the development of the software project's functional specifications C. During user acceptance testing D. During the system development

Answer: B Application controls should be considered as early as possible in the system-development process, even in the development of the project's functional specifications. Success of all other phases relies upon proactive security controls planning.

Which of the following BCP/DRP processes MOST requires end-user participation for effective business continuity and disaster-recovery planning? A. Development of recovery strategies B. Business impact assessment (BIA) C. Development of the BCP/DRP plan documents D. Final testing of the BCP and DRP

Answer: B As the initial step of effective business continuity and disaster-recovery planning, a business impact assessment (BIA) must be accurate to effectively perform additional BCP/DRP processes. Therefore, end-user involvement is most critical to the BIA phase, to make sure that continuity risks are fully understood and properly assessed.

Which of the following is considered to present the GREATEST challenge to using test data for validating processing? A. Potential corruption of actual live data B. Creation of test data that covers all possible valid and invalid conditions C. Test results being compared to expected results from live processing D. Data isolation issues associated with high-speed transaction processing

Answer: B Creating test data that covers all possible valid and invalid conditions is often the greatest challenge in using test data.

Data classification must begin with: A. Determining specific data sensitivity according to organizational and legal requirements for data confidentiality and integrity B. Determining data ownership C. A review of organizational security policies D. A review of logical access controls

Answer: B Data classification is a process that allows an organization to implement appropriate controls according to data sensitivity. Before data sensitivity can be determined by the data owners, data ownership must be established. Logical access controls and organizational security policies are controlled and driven by the data owners.

Which of the following risks results when the auditor uses an insufficient test procedure, resulting in the auditor's ill-informed conclusion that material errors do not exist, when, in fact, they do? A. Business risk B. Detection risk C. Audit risk D. Inherent risk

Answer: B Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.

Which of the following firewalls can be configured to MOST reliably control FTP traffic between the organization's network and the Internet? A. Packet-filtering firewall B. Application-layer gateway or a stateful inspection firewall C. A router configured as a firewall with access-control lists D. Circuit-level firewall

Answer: B FTP is a network protocol that operates at the application layer of the OSI model. Of the choices available, only an application-layer gateway or a stateful inspection firewall can reliably filter all the way through to the application layer. The remaining answers are examples of a firewall that can reliably filter only through OSI Layer 3, the network layer.

When performing an IS strategy audit, which of the following is LEAST important for the auditor to consider? A. Reviewing short-term plans (one year) and long-term plans (three to five years) B. Reviewing information systems procedures C. Interviewing appropriate corporate management personnel D. Ensure that the external environment has been considered

Answer: B Information systems procedures are not strategic in nature.

An organization has automated data transfer between two database applications. How should controls be implemented to ensure data integrity? A. Input controls on the application sending the data, and output controls on the application receiving the data B. Input and output controls on both the sending and receiving applications C. Output controls on the application sending the data, and input controls on the application receiving the data D. Input and output controls in the application sending the data, but only input controls are necessary on the application receiving the data

Answer: B Input and output controls should be implemented for both the sending and receiving applications in an integrated systems environment.

"Dangling tuples" within a database represent a breach in which of the following? A. Attribute integrity B. Referential integrity C. Relational integrity D. Interface integrity

Answer: B It is important that database referential integrity be enforced, to avoid orphaned references, or "dangling tuples." Relational integrity is enforced more at the record level. The remaining answers are misleading.

Software library control ensures that application programmers never have access to production application processing and that users do not have access to source code. Which of the following statements is NOT true regarding the software librarian's access to code or data? A. The software librarian does not have read-write access to application source code used by programmers. B. The software librarian has read-only access to application production code. C. The software librarian does not have access to live data. D. The software librarian has read access to test data.

Answer: B Library control software restricts source code to read-only access. All other statements are true.

Proper segregation of duties does not prohibit a LAN administrator from also having programming responsibilities. True or false? A. True B. False

Answer: B Proper segregation of duties normally prohibits a LAN administrator from also having programming responsibilities because the administrator would have custody of the computing assets, while also having the potential to control transaction authorization and recording.

A primary responsibility of an auditor with regard to improper segregation of duties is to: A. Ensure the enforcement of proper segregation of duties. B. Advise senior management of the risk involved in not implementing proper segregation of duties. C. Participate in the organization's definition of roles and responsibilities, to prevent improper segregation of duties. D. Simply document breaches of proper segregation of duties.

Answer: B Remember, it is not an auditor's place to participate in the implementation of controls. As to improper segregation of duties, an IS auditor's primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function.

When performing an audit of an organization's systems, the auditor's first step should be to: A. Develop a strategic audit plan B. Gain an understanding of the focus of the business of the organization C. Perform an initial risk assessment to provide the foundation for a risk-based audit D. Determine and define audit scope and materiality

Answer: B The IS auditor's first step is to understand the business focus of the organization. Until the auditor has a good understanding of the organization's business goals, objectives, and operations, the auditor will not be able to competently complete any of the other tasks listed.

If an organization chooses to implement a control self-assessment program, the auditor should participate primarily as a: A. Monitor B. Facilitator C. Project leader D. The auditor should not participate in the organization's CSA program because doing so would create a potential conflict of interest.

Answer: B The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.

Various cryptosystems offer differing levels of compromise between services provided versus computational speed and potential throughput. Which of the following cryptosystems would provide services including confidentiality, authentication, and nonrepudiation at the cost of throughput performance? A. Symmetric encryption B. Asymmetric encryption C. Shared-key cryptography D. Digital signatures

Answer: B Through the use of key pairs, asymmetric encryption algorithms can provide confidentiality and authentication. By providing authentication, nonrepudiation is also supported. Symmetric encryption, also known as shared-key cryptography, uses only a single shared key. Because the key is shared, there is no sole ownership of the key, which precludes its use as an authentication tool. Digital signatures are used to verify authenticity and data integrity only.

A company is backing up its transactional database to an offsite location. Which of the following is the MOST important issue if the backups are not kept up-to-date and fully synchronized with the live transaction-processing databases? A. The capability of the primary data to survive disruptive events without losing accuracy B. The capability of the primary data to survive disruptive events without losing completeness C. The capability of the primary data to survive disruptive events without losing availability D. The capability of the primary data to survive disruptive events without losing confidentiality

Answer: B When storing data archives offsite, data must be synchronized to ensure backup data completeness. Failure to maintain backup synchronization in a live transaction-based processing environment could result in the incapability to restore all transactional data lost in the event of primary data or systems failure. Failure to synchronize does not affect the accuracy, availability, or confidentiality of the data that exists in backup.

A bottom-up approach to the development of organizational policies is driven by: A. A review of corporate goals and objectives. B. A structured approach that maps policy objectives to corporate strategy. C. A risk assessment of asset vulnerabilities. D. A business impact analysis of known threats.

Answer: C A bottom-up approach to the development of organizational policies is often driven by risk assessment.

An IS auditor needs to check for proper software licensing and license management. Which of the following management audits would consider software licensing? A. Facilities B. Operations C. Configuration D. Hardware

Answer: C A configuration-management audit should always verify software licensing for authorized use. The remaining answers do not focus on software licensing.

The organization desires to ensure integrity, authenticity, and nonrepudiation of emails for sensitive communications between security administration and network administration personnel through the use of digitally signed emails. Which of the following is a valid step in signing an email with keys from a digital certificate? A. The sender encrypts the email using the sender's public key. B. The sender creates a message digest of the email and attachments using the sender's private key. C. The sender creates a message digest of the email and attachments using a common hashing algorithm, such as DSA. D. The sender encrypts the message digest using the sender's public key.

Answer: C A digital signature provides the recipient with a mechanism for validating the integrity of the email and its attachments by creating a message digest as a result of the application of a common hashing algorithm such as MD5 or DSA. The message digest is then "signed" by encrypting it with the sender's private key. The recipient uses the sender's public key to decrypt the message digest and then uses the same hashing algorithm as the sender of the email and attachments. If the decrypted message digest matches that created independently by the recipient, the recipient can rest assured that the message has not been tampered with since transmission by the sender.

Which of the following goals is MOST important to a system-development project? A. The system to be developed makes the most efficient use of current IT resources. B. The system to be developed does not compromise the security of existing systems and controls. C. The system to be developed meets organizational goals and objectives. D. The system to be developed is approved by the project feasibility committee.

Answer: C A primary high-level goal for an auditor who is reviewing a system-development project is to ensure that business objectives are achieved. This objective guides all other systems-development objectives.

Which of the following is MOST important when evaluating an IS strategy? A. Making sure that the IS strategy maximizes efficiency and utilization of current and future IT resources B. Ensuring that information security is considered in all IS initiatives C. Making sure the IS strategy supports corporate goals and objectives D. Ensuring that systems administrators are allowed to provide accurate input on true systems capabilities

Answer: C Above all else, an IS strategy must support the business objectives of the organization.

When auditing software change-control practices, which of the following is considered MOST important to the IS auditor? A. Change requests are well documented with thorough specifications. B. Change requests provide need justification. C. Appropriate business process user approval is obtained before change implementation. D. Business process users are informed about the change before implementation.

Answer: C Although all answers are recognized as good practices, the IS auditor is primarily concerned with having the change properly evaluated and approved by business process users before implementation.

An organization's software-development projects are planned according to formal Software Development Life Cycle (SDLC) processes. In which of the following phases would the software-development project's baselines and scope be established? A. Feasibility B. Requirements definition C. Design D. Development E. Implementation

Answer: C Although all answers are valid SDLC phases, procedures to prevent scope creep are baselined in the design phase of the systems-development life cycle (SDLC) model.

Disaster recovery planning is a critical component of protecting data availability and integrity. Which of the following is the MOST important consideration of a disaster recovery plan? A. Alternative processing capability B. Protection and redundancy of data C. Protection of human life D. Ensuring that the disaster-recovery plan effectively supports organizational goals and objectives

Answer: C Although all the answers are important considerations of disaster recovery planning, the primary objective is to protect human life.

What is the PRIMARY purpose of audit trails? A. To better evaluate and correct audit risk resulting from potential errors the auditor might have committed by failing to detect controls failure B. To establish a chronological chain of events for audit work performed C. To establish accountability and responsibility for processed transactions D. To compensate for a lack of proper segregation of duties

Answer: C Although secure audit trails and other logging are used as a compensatory control for a lack of proper segregation of duties, the primary purpose of audit trails is to establish accountability and responsibility for processed transactions.

Which of the following processes is MOST important to ensure that implementation of applications and systems is optimized to the organization's goals and objectives? A. Obtaining a comprehensive network diagram B. Reviewing the organization's IT policies and procedures C. Obtaining a thorough understanding of the organization's business processes D. Performing compliance testing on current controls

Answer: C An IS auditor must first understand relative business processes before performing a systems or application audit. All other answers describe processes to be performed after obtaining a thorough understanding of the organization's business processes.

An IS Auditor discovers that an information processing facility's business continuity plan provides for an alternate processing site which will accommodate fifty percent of the primary processing facility's processing capability. Based on this discovery, which of the following actions should the IS auditor take? A. Do nothing, because generally, less than twenty-five percent of all processing is critical to an organization's survival and the backup capacity is therefore adequate. B. Identify applications that could be processed at the alternate site and develop manual procedures to back up other processing. C. Ensure that critical applications have been identified and that the alternate site could process all such applications. D. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least seventy-five percent of normal processing.

Answer: C Business continuity plans should only provide for the recovery of critical systems, not necessarily all systems. Perhaps only fifty percent of the company's systems are critical. Therefore, careful assessment of critical systems and capacity requirements should be part of the IS Auditor's test of the plan.

Which of the following is ultimately accountable for protecting and securing sensitive data? A. Data users B. Security administrators C. Data owners D. Data custodians

Answer: C Data owners, such as corporate officers, are ultimately responsible and accountable for access control of data. Although security administrators are indeed responsible for securing data, they do so at the direction of the data owners. A security administrator is an example of a data custodian. Data users access and utilize the data for authorized tasks.

Which of the following elements must be present to properly log activities and achieve accountability for actions performed by a user? A. Identification and authorization only B. Authentication and authorization only C. Identification and authentication only D. Authorization only

Answer: C If proper identification and authentication are not performed during access control, no accountability can exist for any action performed.

A review of logical access controls is performed primarily to: A. Ensure that organizational security policies conform to the logical access design and architecture B. Ensure that the technical implementation of access controls is performed as intended by security administration C. Ensure that the technical implementation of access controls is performed as intended by the data owners D. Understand how access control has been implemented

Answer: C Logical access controls should be reviewed to ensure that access is granted on a least-privilege basis, per the organization's data owners. Logical access design and architecture should conform to policies, not vice versa. Understanding how access control has been implemented is an essential element of a logical access controls review, but the ultimate purpose of the review is to make sure that access controls adequately support and protect the organizational needs of the data owners.

Which of the following must be proven to ensure message or transaction nonrepudiation? A. The integrity of the message or transaction cannot have been compromised after it was last controlled by the party sending the message or performing the transaction. B. The level of nonrepudiation is tightly linked to the strength of authentication of the party sending the message or performing the transaction. C. Both A and B are true. D. Neither A nor B is true.

Answer: C Nonrepudiation is provided by having proof that an action occurred and proof of the identity of the party performing the action.

Which of the following is the MOST important control aspect of maintaining data backup at off-site storage facilities? A. The security of the storage facility is as secure as or more secure than the primary site. B. The data backups are always tested for accuracy and reliability. C. Critical and time-sensitive data is kept current at the off-site storage facility. D. Applications for processing the data are backed up to the off-site storage facility along with critical data.

Answer: C Organizations should use off-site storage facilities to maintain redundancy of current and critical information within backup files. All other answers are important, too, but answer C is considered most important.

Which of the following BEST supports communication availability, acting as a countermeasure to the vulnerability of component failure? A. Careful network monitoring with a dynamic real-time alerting system B. Integrated corrective network controls C. Simple component redundancy D. High network throughput rate

Answer: C Providing network path redundancy is the best countermeasure or control for potential network device failures. Careful monitoring only supports timely response to component failure. Integrated corrective network controls is misleading and loosely describes simple component redundancy. High network throughput rate provides increased performance but does not address component failure.

When attempting to assess financial risk when accurate financial impact cannot be determined, which of the following is the MOST appropriate approach to risk assessment? A. Quantitative risk assessment B. Decision support system approach C. Qualitative risk assessment approach D. Quantum risk assessment approach

Answer: C Quantitative risk assessment is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a qualitative risk assessment is more appropriate. Answers B and D are invalid and are misleading.

When reviewing firewall configuration, which of the following represents the greatest vulnerability for an IS auditor? A. The firewall software has been configured with rules permitting or denying access to systems or networks based upon source and destination networks or systems, protocols, and user authentication. B. The firewall software is configured with an implicit deny rule as the last rule in the rule base. C. The firewall software is installed on a common operating system that is configured with default settings. D. The firewall software is configured as a VPN endpoint for site-to-site VPN connections.

Answer: C When auditing any critical application, an IS auditor is always concerned about software or an operating system that is installed according to default settings. Default settings are often published and provide an intruder with predictable configuration information, which allows easier system compromise. Installing firewall software onto an otherwise robust and fully functioning operating system poses a greater risk of firewall compromise. To mitigate this risk, firewall software is often installed onto a system using an operating system that has very limited functionality, providing only the services necessary to support the firewall software. An example of such an operating system is the IPSO operating system installed onto Nokia routing/firewall appliances. IPSO provides the functionality necessary to support installation of Check Point firewall software but little else. The remaining answers are normal firewall configurations and are not of concern to the IS auditor.

Within the Software Capability Maturity Model, Level 3, "Defined" best describes which of the following? A. Develop and apply quantitative managed control over software-development processes. B. Management processes are established to oversee the project to plan and track cost, schedule, and functionality. Successfully defined and applied processes can be repeated on another project of similar size and scope. C. The organization improves upon managed development by implementing continuous process-improvement strategies facilitated by innovative solutions and state-of-the-art technologies. D. Repeatable processes are used to develop a standard software-development process across the organization.

Answer: D A standard software-development process is included within Level 3 (Defined) of the software capability maturity model (CMM). Answer A describes CMM phase 4, "Managed." Answer B describes CMM phase 2, "Repeatable." Answer C describes CMM phase 5, "Optimized."

Decreasing collisions because of network congestion is important for supporting network communications availability. Which of the following devices is best suited for logically segmenting and creating collision domains based upon OSI Layer 2 MAC addressing? A. Router B. Hub C. Repeater D. Switch

Answer: D A switch is most appropriate for segmenting the network into multiple collision domains to achieve the result of fewer network communications errors because of congestion-related collisions. As OSI Layer 1 devices, repeaters and hubs cannot understand MAC addressing, which is necessary to logically segment collision domains. As an OSI Layer 3 device, a router segments the network according to logical network addressing.

To which of the following should an IS auditor give the MOST consideration when auditing systems affected by a recent business process re-engineering (BPR) project? A. Cultural feasibility of the re-engineered business process incorporates input from affected end users. B. Financial feasibility of the re-engineered business process was properly conducted by appropriate parties. C. The technical feasibility of the re-engineered business process was properly evaluated by the appropriate parties. D. The re-engineered business process incorporates new internal controls where appropriate, and does not inadvertently negate prior internal controls.

Answer: D An IS auditor should always check to make sure that a re-engineered business process has not inadvertently removed key controls from the previous control environment, and has taken newly introduced risks and corresponding controls into consideration. For example: BPR often results in higher levels of automation, so the human resources staff is often consolidated. This can easily result in improper segregation of duties by users, which can result in unauthorized activity. The re-engineered business process planning should recognize this and implement appropriate new compensatory internal controls.

When should a business continuity or disaster plan be updated? A. Annually B. Biannually C. Semiannually D. Upon any significant change to the organization, such as asset acquisition or release

Answer: D Business continuity and disaster recovery planning should be an ongoing program that is event-triggered rather than simply a periodic project. After all, newly acquired assets should be protected sooner rather than later.

An IS auditor strives to ensure that IT is effectively used to support organizational goals and objectives regarding information confidentiality, integrity, and availability. Which of the following processes best supports this mandate? A. Network monitoring B. Systems monitoring C. Staffing monitoring D. Capacity planning and management

Answer: D Computer resources should be carefully monitored to match utilization needs with proper resource capacity levels. Capacity planning and management relies upon network, systems, and staffing monitoring to ensure that organizational goals and objectives regarding information confidentiality, integrity, and availability are met.

Critical real-time data such as that associated with transaction processing requires special backup procedures. Which of the following is recommended for backing up transaction-processing files? A. Duplicate logging of transactions B. Time stamping of transactions and communications data C. Use of before-and-after images of master records D. All of the above

Answer: D Duplicate logging of transactions, use of before-and-after images of master records, and time stamping of transactions and communications data are all recommended best practices for establishing effective redundancy of transaction databases.

An IS auditor wants to ensure that the organization's network is adequately protected from network-based intrusion via the Internet and the World Wide Web. A firewall that is properly configured as a gateway to the Internet protects against such intrusion by: A. Preventing external users from accessing the network via internal rogue modems B. Preventing unauthorized access to the Internet by internal users C. Preventing unauthorized access to the network by external users via ad-hoc wireless networking D. Preventing unauthorized access by external users to the internal network via the firewalled gateway

Answer: D Firewalls are used to prevent unauthorized access to the internal network from the Internet. Firewalls provide little protection from users who do not need to access the network via the firewall, such as via internal rogue modems or via peer-to-peer ad-hoc wireless network connections. Preventing unauthorized access to the Internet by internal users is the opposite of the goal stated in the question.

In planning a new software-application development project, function point analysis (FPA) can be used to understand the potential size of a projected application. Which of the following best describes how FPA works? A. Based upon the number of function lines of source code, FPA can estimate the size of a software application. B. Based upon the number of functional intersections of source code design, FPA can estimate the size of a software application. C. Based upon the number of function application calls within an application, FPA can estimate the size of a software application. D. Based upon the number and complexity of inputs and files that a user interacts with, FPA can estimate the size of a software application.

Answer: D Function point analysis (FPA) provides an estimate of the size of an information system based on the number and complexity of a system's inputs, outputs, and files. All other answers are misleaders.

Hot-site off-site processing facilities are characterized by: A. High implementation and maintenance costs B. Reduced recovery time C. Decreased disaster preparation costs D. Both answers A and B E. Both answers B and C

Answer: D Hot sites are the most expensive type of alternate processing redundancy, but they are very appropriate for operations that require immediate or very short recovery times.

If an IS auditor observes that proper project-approval procedures do not exist, the auditor should: A. Provide detailed procedures that the auditor recommends for implementation. B. Look for evidence of other undocumented approval procedures. C. Recognize that the lack of proper project-approval procedures is a risk indicator for insufficient project-management skills, and recommend project-management training as a compensatory control. D. Recommend to management that proper project-approval procedures be adopted and documented.

Answer: D If an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented.

When initially planning a risk-based audit, which of the following steps is MOST critical? A. Evaluating the organization's entire environment as a whole B. Establishing an audit methodology based on accepted frameworks, such as COBIT or COSO C. Documenting procedures to ensure that the auditor achieves the planned audit objectives D. The identification of the areas of high risk for controls failure

Answer: D In planning an audit, the MOST critical step is identifying areas of high risk.

Which of the following controls is MOST effective for protecting software and access to sensitive data? A. Security policies B. Biometric physical access control for the server room C. Fault tolerance with complete systems and data redundancy D. Logical access controls for the operating systems, applications, and data

Answer: D Logical access controls are often the primary safeguards for authorized access to systems software and data. All the other controls complement logical access control to applications and data.

Processing controls should ensure that: A. All data is accurate B. All data is complete C. All transactions are authorized D. All of the above

Answer: D Processing controls ensure that data is accurate and complete, and is processed only through authorized routines.

Which of the following is ultimately accountable for effective business continuity and disaster-recovery controls? A. Stockholders B. Security administrators C. Network administrators D. Executive officers

Answer: D The executive officers of an organization are ultimately accountable for corporate governance, which includes decisions to have or forego BCP/DRP controls. Although security administrators and network administrators might actually implement the controls that the executive officers or the board of directors approves, stockholders hold executive management accountable for making sure organizational viability is protected.

When auditing third-party service providers, an auditor should be concerned with: A. Ownership of programs and files. B. A statement of due care and confidentiality. C. The capability for continued service in the event of a disaster. D. All of the above.

Answer: D When auditing third-party service providers, an auditor should be concerned with ownership of the program and files, a statement of due care and confidentiality, and the service provider's capability to provide continued service in the event of a disaster.

When an IS auditor finds evidence of minor weaknesses in controls, such as use of weak passwords, or poor monitoring of reports, which of the following courses of action is MOST appropriate for the auditor? A. Take corrective action by informing affected users and management of the controls vulnerabilities B. Realize that such minor weaknesses of controls are usually not material to the audit C. Immediately report such weaknesses to IT management D. Take no corrective action whatsoever, and simply record the observations and associated risk arising from the collective weaknesses into the audit report

Answer: D While preparing the audit report, the IS auditor should record the observations and the risk arising from the collective weaknesses.

Which of the following is considered MOST appropriate for backing up real-time transaction databases? A. Periodic imaging of transaction database master records, along with automated periodic incremental tape backups B. Electronic vaulting C. Remote journaling D. Answers A and C E. Answers B and C

Answer: E Electronic vaulting and remote journaling are both considered effective redundancy controls for backing up real-time transaction databases. Periodic imaging of transaction database master records along with automated periodic incremental tape-backups does not support immediate or short recovery times.

