CISA Questions (801 - 900)
Which of the following is MOST important when an operating system (OS) patch is to be applied to a production environment? Select an answer: A. Successful regression testing by the developer B. Approval from the information asset owner C. Approval from the security officer D. Patch installation at alternate sites
You answered A. The correct answer is B. A. While testing is important for any patch, in this case it should be assumed that the operating system (OS) vendor tested the patch before releasing it. Before this OS patch is put into production, the organization should do system testing to ensure that no issues will occur. B. It is most important that information owners approve any changes to production systems to ensure that no serious business disruption takes place as the result of the patch release. C. The security officer does not normally need to approve every OS patch. D. Security patches need to be deployed consistently across the organization, including alternate sites. However, approval from the information asset owner is still the most important consideration.
When conducting a penetration test of an IT system, an organization should be MOST concerned with: Select an answer: A. the confidentiality of the report. B. finding all possible weaknesses on the system. C. restoring all systems to the original state. D. logging all changes made to the production system.
You answered A. The correct answer is C. A. A penetration test report is a sensitive document because it lists the vulnerabilities of the target system. However, the main requirement for the penetration test team is to restore the system to its original condition. B. It is important to find possible weaknesses and determine their priorities, but the test must not leave the system with altered data or insecure configurations at the end of the test. C. After the test is completed, the systems must be restored to their original state. In performing the test, changes may have been made to firewall rules, user IDs created or false files uploaded. These must all be cleaned up before the test is completed. D. All changes made should be recorded, but the most important concern is to ensure that the changes are reversed at the end of the test.
An IS auditor notes that daily reconciliation of visitor access card inventory is not carried out as mandated. During testing, the IS auditor did not find that access cards were missing. In this context, the IS auditor should: Select an answer: A. not report the lack of reconciliation because no discrepancies were discovered. B. recommend regular physical inventory counts be performed in lieu of daily reconciliation. C. report the lack of daily reconciliation as an exception. D. recommend the implementation of a more robust access system.
You answered A. The correct answer is C. A. Absence of discrepancy in physical count only confirms absence of any impact but cannot be a reason to overlook failure of operation of the control. The issue should be reported because the control was not followed. B. While the IS auditor may in some cases recommend a change in procedures, the primary goal is to observe and report when the current process is deficient. C. The IS auditor should report the lack of daily reconciliation as an exception because a physical inventory count gives assurance only at a point in time and the practice is not in compliance with management's mandated activity. D. While the IS auditor may in some cases recommend a more robust solution, the primary goal is to observe and report when the current process is deficient.
Which of the following is the MOST reliable sender authentication method? Select an answer: A. Digital signatures B. Asymmetric cryptography C. Digital certificates D. Message authentication code
You answered A. The correct answer is C. A. Digital signatures are used for both authentication and integrity, but the identity of the sender would still be confirmed by the digital certificate. B. Asymmetric cryptography, such as public key infrastructure (PKI), appears to authenticate the sender but is vulnerable to a man-in-the-middle attack. C. Digital certificates are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository. D. Message authentication code is used for message integrity verification.
Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly? Select an answer: A. Halon gas B. Wet-pipe sprinklers C. Dry-pipe sprinklers D. Carbon dioxide gas
You answered A. The correct answer is C. A. Halon gas is an efficient and effective fire suppression system, but it does threaten human life and is environmentally damaging. It is also very expensive. B. Water is an acceptable medium, but the pipes should be empty to avoid leakage or breakage. Therefore, a wet pipe system is not ideal. C. Water sprinklers, with an automatic power shutoff system, are accepted as efficient because they can be set to automatic release without threat to life, and water is environmentally friendly. Sprinklers must be dry-pipe to prevent the risk of leakage. D. Carbon dioxide is accepted as an environmentally acceptable gas, but it is less efficient because it cannot be set to automatically release in a staffed site because it threatens life.
Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious? Select an answer: A. Sensitive data can be read by operators. B. Data can be amended without authorization. C. Unauthorized report copies can be printed. D. Output can be lost in the event of system failure.
You answered A. The correct answer is C. A. Operators often have high-level access as a necessity to perform their job duties. This is addressed through compensating controls. B. Data on spool files are no easier to amend without authority than any other file. C. Unless controlled, spooling for offline printing may enable additional copies to be printed. D. In the event of a system failure, it is usually possible to recreate reports or recover them from backup.
Which of the following should the IS auditor review to ensure that servers are optimally configured to support processing requirements? Select an answer: A. Benchmark test results B. Server logs C. Downtime reports D. Server utilization data
You answered A. The correct answer is D. A. Benchmark tests are designed to compare system performance using standardized criteria; however, benchmark testing does not provide the best data to ensure the optimal configuration of servers in an organization. B. A server log contains data showing activities performed on the server, but does not contain the utilization data required to ensure the optimal configuration of servers. C. A downtime report identifies the elapsed time when a computer is not operating correctly because of machine failure, but is not useful in determining optimal server configurations. D. Monitoring server utilization identifies underutilized servers and monitors overall server utilization. Underutilized servers do not provide the business with optimal cost-effectiveness. By monitoring server usage, IT management can take appropriate measures to raise the utilization ratio and provide the most effective return on investment (ROI).
Which of the following BEST ensures that users have uninterrupted access to a critical, heavily utilized web-based application? Select an answer: A. Disk mirroring B. Redundant Array of Inexpensive Disks (RAID) technology C. Dynamic domain name system (DDNS) D. Load balancing
You answered A. The correct answer is D. A. Disk mirroring provides real-time replication of disk drives, but does not ensure uninterrupted system availability in the event a server crashes. B. Redundant Array of Inexpensive Disks (RAID) technology improves resiliency but does not protect against failure of a network interface card (NIC) or central processing unit (CPU) processor failure. C. Dynamic domain name system (DDNS) is a method used to assign a host name to an Internet protocol (IP) address that is dynamic. This is a useful technology, but does not help ensure availability. D. Load balancing best ensures uninterrupted system availability by distributing traffic across multiple servers. Load balancing helps ensure consistent response time for web applications. Also, if a web server fails, load balancing ensures that traffic will be directed to a different, functional server.
There is a concern that the risk of unauthorized access may increase after implementing a single sign-on (SSO) process. To prevent unauthorized access, the MOST important action is to: Select an answer: A. ensure that all failed authentication attempts are monitored. B. review log files regularly. C. ensure that all unused accounts are deactivated. D. mandate a strong password policy.
You answered A. The correct answer is D. A. Ensuring that all failed authentication attempts are monitored is a good practice; however, a strong password policy is a better preventive control. B. Reviewing the log files can increase the probability of detecting unauthorized access but may not be effective in preventing unauthorized access. C. Ensuring that all unused accounts are deactivated is important; however, a strong password policy is a better preventive control. D. Single sign-on (SSO) is a great productivity boost for users and the IT organization because users do not need to enter user IDs and passwords repeatedly. SSO significantly reduces the number of IT help desk calls regarding lost passwords. For any authentication system, SSO or a strong password policy is crucial.
A hotel has placed a PC in the lobby to provide guests with Internet access. Which of the following presents the GREATEST risk for identity theft? Select an answer: A. Web browser cookies are not automatically deleted. B. The computer is improperly configured. C. System updates have not been applied on the computer. D. Session time out is not activated.
You answered A. The correct answer is D. A. If web browser cookies are not automatically deleted, it might be possible to determine the web sites that a user has accessed. However, if sessions do not time out, it is easier for identity theft to occur. B. If the PC is not configured properly and does not have antivirus software installed, there could be a risk of virus or malware infection. This could cause identity theft. However, if sessions do not time out, it is easier for identity theft to occur. C. If system updates have not been applied, there could be a greater risk of virus or malware infection. This could cause identity theft. However, if sessions do not time out, it is easier for identity theft to occur. D. If an authenticated session is inactive and unattended, it can be hijacked and used for illegal purposes. It might then be difficult to establish the intruder because a legitimate session was used.
Which of the following BEST ensures uninterrupted operations in an organization with IT operation centers in several countries? Select an answer: A. Distribution of key procedural documentation B. Reciprocal agreement between business partners C. Strong senior management leadership D. Employee training on the business continuity plan (BCP)
You answered A. The correct answer is D. A. Procedural documentation should always be up to date and distributed to major locations. However, documents alone are insufficient if employees do not know their role in the plan. B. A reciprocal agreement is an emergency processing agreement between two or more enterprises with similar equipment or applications. Typically, participants of a reciprocal agreement promise to provide processing time to each other when an emergency arises. While it is integral to business continuity to have a location for business operations, it does not necessarily need to be a reciprocal agreement. For example, in some cases, business operations may be carried out from each employee's home. C. Senior management may not be readily available to provide leadership during a disaster. Therefore, it is most important that employees fully understand their roles in the business continuity plan (BCP). D. During a disaster, the chain of command might be interrupted. Therefore, it is important that employees know their roles in the BCP, including where to report and how to perform their job functions. Employee training on the plan is especially important for businesses with offices that are geographically separated because there is a greater chance of communication disruption.
The implementation of access controls FIRST requires: Select an answer: A. a classification of IS resources. B. the labeling of IS resources. C. the creation of an access control list (ACL). D. an inventory of IS resources.
You answered A. The correct answer is D. A. The first step in implementing access controls is an inventory of IS resources, which is the basis for classification. B. Labeling resources cannot be done without first determining the resources' classifications. C. The access control list (ACL) would not be done without a meaningful classification of resources. D. The first step in implementing access controls is an inventory of IS resources, which is the basis for establishing ownership and classification.
During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do? Select an answer: A. Recommend compensating controls. B. Review the code created by the developer. C. Analyze the quality assurance dashboards. D. Report the identified condition.
You answered A. The correct answer is D. A. While compensating controls may be a good idea, the primary response in this case should be to report the condition. B. Evaluating the code created by the application developer is not the appropriate response in this case. The IS auditor may evaluate a sample of changes to determine whether the developer tested his/her own code, but the primary response should be to report the condition. C. Analyzing the quality assurance dashboards can help evaluate the actual impact of the lack of segregation of duties, but does not address the underlying risk. The primary response should be to report the condition. D. The software quality assurance role should be independent and separate from development and development activities. The same person should not hold both roles because this would cause a segregation of duties concern. The IS auditor should report this condition when identified.
The FIRST step in data classification is to: Select an answer: A. establish ownership. B. perform a criticality analysis. C. define access rules. D. create a data dictionary.
You answered B. The correct answer is A. A. Data classification is necessary to define access rules based on a need-to-do and need-to-know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification. B. A criticality analysis is required to determine the appropriate levels of protection of data, according to the data classification. C. Access rules are set up dependent on the data classification. D. Input for a data dictionary is prepared from the results of the data classification process.
An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important? Select an answer: A. False-acceptance rate (FAR) B. Equal-error rate (EER) C. False-rejection rate (FRR) D. False-identification rate (FIR)
You answered B. The correct answer is A. A. False-acceptance rate (FAR) is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied. In an organization with high security requirements, limiting the number of false acceptance is more important that the impact on the false reject rate. B. Equal-error rate (EER) (also called the crossover error rate) is the point where the FAR equals the false-rejection rate (FRR). This is the criteria used to measure the optimal accuracy of the biometric system, but in a highly secure environment, the FAR is more important that the EER. C. FRR denies an authorized person access, but this is less important than the FAR because it is better to deny access to an authorized individual than to grant access to an unauthorized individual. D. False-identification rate (FIR) is the probability that an authorized person is identified, but is assigned a false ID.
What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks? Select an answer: A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized. B. The contingency plan for the organization cannot effectively test controlled access practices. C. Access cards, keys and pads can be easily duplicated allowing easy compromise of the control. D. Removing access for those who are no longer authorized is complex.
You answered B. The correct answer is A. A. Piggybacking or tailgating can compromise the physical access controls. B. The testing of controlled access would be of minimal concern in a disaster recovery environment. C. Duplicating access control cards or keys is technically challenging. D. An access control system should have easily followed procedures for managing user access throughout the access life cycle.
A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it? Select an answer: A. Rewrite the hard disk with random 0's and 1's. B. Low-level format the hard disk. C. Demagnetize the hard disk. D. Physically destroy the hard disk.
You answered C. The correct answer is D. A. Rewriting data is impractical because the hard disk is damaged. B. Low-level formatting is impractical because the hard disk is damaged. C. Demagnetizing is a good practice and should be done but is not as effective as physical destruction. D. Physically destroying the hard disk is the most effective way to ensure that the data cannot be recovered.
Which of the following is the MOST important critical success factor (CSF) of implementing a risk-based approach to the IT system life cycle? Select an answer: A. Adequate involvement of stakeholders B. Selection of a risk management framework C. Identification of risk mitigation strategies D. Understanding of the regulatory environment
You answered B. The correct answer is A. A. The most important critical success factor (CSF) is the adequate involvement and support of the various quality assurance, privacy, legal, audit, regulatory affairs or compliance teams in high regulatory risk situations. Some IT system changes may, based on risk ratings, require sign-off from key stakeholders before proceeding. B. Selecting a risk management framework helps the organization define the approach to addressing risk but still requires adequate involvement of stakeholders to be successful. C. Identifying risk mitigation strategies helps the organization define the approach to addressing risk, but still requires adequate involvement of stakeholders to be successful. D. Having an understanding of the regulatory environment is important to ensure that risk is addressed in the context of the applicable regulation, but adequate stakeholder involvement is required to ensure success.
During the review of a biometrics system operation, an IS auditor should FIRST review the stage of: Select an answer: A. enrollment. B. identification. C. verification. D. storage.
You answered B. The correct answer is A. A. The users of a biometric device must first be enrolled in the device. B. The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be used in the matching processes. C. A user applying for access will be verified against the stored enrolled value. D. The biometric stores sensitive personal information, so the storage must be secure.
An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. The IS auditor should conclude that this is: Select an answer: A. an effective preventive control. B. a valid detective control. C. not an adequate control. D. a corrective control.
You answered B. The correct answer is C. A. Generation of an activity log is not a preventive control because it cannot prevent inappropriate access. B. Generation of an activity log is not a detective control because it does not help in detecting inappropriate access unless it is reviewed by appropriate personnel. C. Generation of an activity log is not a control by itself. It is the review of such a log that makes the activity a control (i.e., generation plus review equals control). D. Generation of an activity log is not a corrective control because it does not correct the effect of inappropriate access.
A data center has a badge-entry system. Which of the following is MOST important to protect the computing assets in the center? Select an answer: A. Badge readers are installed in locations where tampering would be noticed. B. The computer that controls the badge system is backed up frequently. C. A process for promptly deactivating lost or stolen badges exists. D. All badge entry attempts are logged.
You answered B. The correct answer is C. A. Tampering with a badge reader cannot open the door, so this is irrelevant. B. The configuration of the system does not change frequently; therefore, frequent backup is not necessary. C. The biggest risk is from unauthorized individuals who can enter the data center, whether they are employees or not. Thus, a process of deactivating lost or stolen badges is important. D. Logging the entry attempts is important, but not as important as ensuring that a lost or stolen badge is disabled as quickly as possible.
Which of the following is the MOST efficient strategy for the backup of large quantities of mission-critical data when the systems need to be online to take sales orders 24 hours a day? Select an answer: A. Implementing a fault-tolerant disk-to-disk backup solution B. Making a full backup to tape weekly and an incremental backup nightly C. Creating a duplicate storage area network (SAN) and replicating the data to a second SAN D. Creating identical server and storage infrastructure at a hot site
You answered C. The correct answer is A. A. Disk-to-disk backup, also called disk-to-disk-to-tape backup or tape cache, is when the primary backup is written to disk instead of tape. That backup can then be copied, cloned or migrated to tape at a later time (hence the term "disk-to-disk-to-tape"). This technology allows the backup of data to be performed without impacting system performance and allows a large quantity of data to be backed up in a very short backup window. In case of a failure, the fault-tolerant system can transfer immediately to the other disk set. B. While a backup strategy involving tape drives is valid, because many computer systems must be taken offline so that backups can be performed, there is the need to create a backup window, typically during each night. For a system that must remain online at all times, the only feasible way to back up the data is to either duplicate the data to a server that gets backed up to tape, or deploy a disk-to-disk solution, which is effectively the same thing. C. While creating a duplicate storage area network (SAN) and replicating the data to a second SAN provides some redundancy and data protection, this is not really a backup solution. If the two systems are at the same site, there is a risk that an incident such as a fire or flood in the data center could lead to data loss. D. While creating an identical server and storage infrastructure at a hot site provides a great deal of redundancy, there is still the need to create a backup of the data, and typically there is the need to archive certain data for long-term storage. A cutover to a hot site cannot usually be performed in a short enough time for a continuous availability system. Therefore, this is not the best strategy.
Which of the following BEST encrypts data on mobile devices? Select an answer: A. Elliptical curve cryptography (ECC) B. Data encryption standard (DES) C. Advanced encryption standard (AES) D. The Blowfish algorithm
You answered C. The correct answer is A. A. Elliptical curve cryptography (ECC) requires limited bandwidth resources and is suitable for encrypting mobile devices. B. Data encryption standard (DES) uses less processing power when compared with advanced encryption standard (AES), but ECC is more suitable for encrypting data on mobile devices. C. AES is a symmetric algorithm and has the problem of key management and distribution. ECC is an asymmetric algorithm and is better suited for a mobile environment. D. The use of the Blowfish algorithm consumes too much processing power.
Electromagnetic emissions from a terminal represent a risk because they: Select an answer: A. could damage or erase nearby storage media. B. can disrupt processor functions. C. could have adverse health effects on personnel. D. can be detected and displayed.
You answered C. The correct answer is D. A. While a strong magnetic field can erase certain storage media, normally terminals are designed to limit these emissions; therefore, this is not normally a concern. B. Electromagnetic emissions should not cause disruption of CPUs. C. Most electromagnetic emissions are low level and do not pose a significant health risk. D. Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. TEMPEST is a term referring to the investigation and study of compromising emanations of unintentional intelligence-bearing signals that, if intercepted and analyzed, may reveal their contents.
An IS auditor has been asked to look at past projects to determine how future projects can better meet business requirements. With which of the following would the auditors MOST likely consult? Select an answer: A. Project sponsors B. Project managers C. End-user groups D. Business analysts
You answered C. The correct answer is A. A. The project sponsor is the owner of the project, and therefore, the most appropriate person to discuss whether the business requirements defined as part of the project objectives have been met. B. Project managers organize and ensure that the direction of the project aligns to the overall direction, complies with standards and monitors project milestones. The sponsor is in a better position to determine whether requirements have been met and is most likely to be consulted by the IS auditor. C. End-user groups can be a valuable resource; however, the project sponsor has managerial authority and is involved in strategic planning and is therefore a better answer. D. Although business analysts have detailed knowledge of business requirements, the project sponsor has a more accurate view of actual past project performance.
During an IS risk assessment of a healthcare organization regarding protected healthcare information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor? Select an answer: A. The organization does not encrypt all of its outgoing email messages. B. Staff have to type "[PHI]" in the subject field of email messages to be encrypted. C. An individual's computer screen saver function is disabled. D. Server configuration requires the user to change the password annually.
You answered C. The correct answer is B. A. Encrypting all outgoing email is expensive and is not common business practice. B. There will always be human-error risk that staff members forget to type certain words in the subject field. The organization should have automated encryption set up for outgoing email for employees working with protected health care information (PHI) to protect sensitive information. C. Disabling the screen saver function increases the risk that sensitive data can be exposed to other employees; however, the risk is not as great as exposing the data to unauthorized individuals outside the organization. D. While changing the password annually is a concern, the risk is not as great as exposing the data to unauthorized individuals outside the organization.
Which of the following is in the BEST position to approve changes to the audit charter? Select an answer: A. Board of directors B. Audit committee C. Executive management D. Director of internal audit
You answered C. The correct answer is B. A. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval. B. The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee and the audit charter should be approved by the committee. C. Executive management is not required to approve the audit charter. The audit committee is in the best position to approve the charter. D. While the director of internal audit may draft the charter and make changes, the audit committee should have the final approval of the charter.
Which of the following is the GREATEST concern associated with the use of peer-to-peer computing? Select an answer: A. Virus infection B. Data leakage C. Network performance issues D. Unauthorized software usage
You answered C. The correct answer is B. A. While peer-to-peer computing does increase the risk of virus infection, the risk of data leakage is more severe, especially if it contains proprietary data or intellectual property. B. Peer-to-peer computing can share the contents of a user hard drive over the Internet. The risk that sensitive data could be shared with others is the greatest concern. C. Peer-to-peer computing may utilize more network bandwidth and therefore may create performance issues. However, data leakage is a more severe risk. D. Peer-to-peer computing may be used to download or share unauthorized software, which users could install on their PCs unless other controls prevent it. However, data leakage is a more severe risk.
An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that: Select an answer: A. effective preventive controls are enforced. B. system integrity is ensured. C. errors can be corrected in a timely fashion. D. fraud can be detected more quickly.
You answered C. The correct answer is D. A. Continuous monitoring is detective in nature and, therefore, does not necessarily assist the IS auditor in monitoring for preventive controls. The approach will detect and monitor for errors that have already occurred. In addition, continuous monitoring will benefit the internal audit function in reducing the use of auditing resources and in the timely reporting of errors or inconsistencies. B. System integrity is typically associated with preventive controls such as input controls and quality assurance reviews. These controls do not typically benefit an internal auditing function implementing continuous monitoring. Continuous monitoring benefits the internal audit function because it reduces the use of auditing resources. C. Continuous audit will detect errors but not correct them. Error identification and handling is the primary responsibility of management. While audit's responsibility also is to find errors, audit can only report errors, not fix them. D. Continuous auditing techniques assist the auditing function in reducing the use of auditing resources through continuous collection of evidence. This approach assists IS auditors in identifying fraud in a timely fashion and allows auditors to focus on relevant data.
Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience?? Select an answer: A. Internal quality requirements B. The audit guidelines C. The audit methodology D. Professional standards
You answered C. The correct answer is D. A. Internal quality requirements may exist but are superseded by the requirement of supervision to comply with professional standards. B. Audit guidelines exist to provide guidance on how to achieve compliance with professional standards. For example, they may provide insights on the purpose of supervision and examples of how supervisory duties are to be performed to achieve compliance with professional standards. C. An audit methodology is a well-configured process/procedure to achieve audit objectives. While an audit methodology is a meaningful tool, supervision is generally driven by compliance with professional standards. D. Professional standards from ISACA, The Institute of Internal Auditors (IIA) and the International Federation of Accountants (IFAC) require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more.
Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power? Select an answer: A. Power line conditioners B. Surge protective devices C. Alternative power supplies D. Interruptible power supplies
You answered D. The correct answer is A. A. Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. B. Surge protection devices protect against high-voltage bursts. C. Alternative power supplies are intended for power failures that last for longer periods and are normally coupled with other devices such as an uninterruptible power supply (UPS) to compensate for the power loss until the alternate power supply becomes available. D. An interruptible power supply would cause the equipment to come down whenever there was a power failure.
The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through: Select an answer: A. symmetric encryption. B. message authentication code (MAC). C. hash function. D. digital signature certificates.
You answered D. The correct answer is A. A. Secure Sockets Layer (SSL) uses a symmetric key for message encryption. B. A message authentication code (MAC) is used for ensuring data integrity. C. Hash function is used for generating a message digest which can provide message integrity; it is not used for message encryption. D. Digital signature certificates are used by SSL for server authentication.
The responsibility for authorizing access to a business application system belongs to the: Select an answer: A. data owner. B. security administrator. C. IT security manager. D. requestor's immediate supervisor.
You answered D. The correct answer is A. A. When a business application is developed, a good practice is to assign an information or data owner to the application. The information owner should be responsible for authorizing access to the application itself or to back-end databases for queries. B. The security administrator normally does not have responsibility for authorizing access to business applications. C. The IT security manager normally does not have responsibility for authorizing access to business applications. D. The requestor's immediate supervisor may share the responsibility for approving user access to a business application system; however, the final responsibility should go to the information owner.
Which of the following is the BEST method of controlling scope creep in a system development project? Select an answer: A. Defining penalties for changes in requirements B. Establishing a software baseline C. Adopting a matrix project management structure D. Identifying the critical path of the project
You answered D. The correct answer is B. A. While defining penalties for changes in requirements may help to prevent scope creep, software baselining is a better way to accomplish this goal. B. Software baselining, the cutoff point in the design phase, occurs after a rigorous review of user requirements. Any changes thereafter will undergo strict formal change control and approval procedures. Scope creep refers to uncontrolled change within a project resulting from improperly managed requirements. C. In a matrix project organization, management authority is shared between the project manager and the department heads. Adopting a matrix project management structure will not address the problem of scope creep. D. Although the critical path is important, it will change over time and will not control scope creep.
An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit? Select an answer: A. To detect data transposition errors B. To ensure that transactions do not exceed predetermined amounts C. To ensure that data entered are within reasonable limits D. To ensure that data entered are within a predetermined range of values
You are correct, the answer is A. A. A check digit is a numeric value added to data to ensure that original data are correct and have not been altered. B. Ensuring that data have not exceeded a predetermined amount is a limit check. C. Ensuring that data entered are within predetermined reasonable limits is a reasonableness check. D. Ensuring that data entered are within a predetermined range of values is a range check.
Which of the following is the BEST way to satisfy a two-factor user authentication? A. A smart card requiring the user's personal identification number (PIN) B. User ID along with password C. Iris scanning plus fingerprint scanning D. A magnetic card requiring the user's PIN
You are correct, the answer is A. A. A smart card addresses what the user has. This is generally used in conjunction with testing what the user knows (e.g., a keyboard password or personal identification number [PIN]). This is an example of two-factor authentication. B. An ID and password, what the user knows, is a single-factor user authentication. C. Using two of the same factors (in this case biometrics) is not a two-factor user authentication. D. This is an example of two-factor authentication; however, a magnetic card is much easier to copy than a smart card so the use of a smart card with a PIN is better.
When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the: Select an answer: A. hardware is protected against power surges. B. integrity is maintained if the main power is interrupted. C. immediate power will be available if the main power is lost. D. hardware is protected against long-term power fluctuations.
You are correct, the answer is A. A. A voltage regulator protects against short-term power fluctuations. B. A voltage regulator does not maintain the integrity if power is interrupted or lost. C. An uninterruptible power supply (UPS) is used to provide constant power even if main power is lost. D. A voltage regulator protects against short-term power fluctuations.
What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit? Select an answer: A. It detects risk sooner. B. It replaces the audit function. C. It reduces audit workload. D. It reduces audit resources.
You are correct, the answer is A. A. Control self-assessments (CSAs) require employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help identify risk in a more timely manner. B. CSAs do not replace the audit function; an audit must still be performed to ensure that controls are present. C. CSAs may not reduce the audit function's workload and are not a major difference between the two approaches. D. CSAs do not affect the need for audit resources. While the results of the CSA may serve as a reference point for the audit process, they do not affect the scope or depth of audit work that needs to be performed.
The risk of dumpster diving is BEST mitigated by: Select an answer: A. implementing security awareness training. B. placing shred bins in copy rooms. C. developing a media disposal policy. D. placing shredders in individual offices.
You are correct, the answer is A. A. Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items. B. The shred bins may not be properly used if users are not aware of proper security techniques. C. A media disposal policy is a good idea; however, if users are not aware of the policy it may not be effective. D. The shredders may not be properly used if users are not aware of proper security techniques.
Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems? Select an answer: A. To collect evidence while transactions are processed B. To reduce requirements for periodic internal audits C. To identify and report fraudulent transactions D. To increase efficiency of the audit function
You are correct, the answer is A. A. Embedding a module for continuous auditing within an application processing a large number of transactions provides timely collection of audit evidence during processing and is the primary objective. The continuous auditing approach allows the IS auditor to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer. B. An embedded audit module enhances the effectiveness of internal audit by ensuring timely availability of required evidence. It may not reduce the requirements for periodic internal audits, but it will increase their efficiency. Also, the question pertains to the development process for new application systems, and not to subsequent internal audits. C. An audit module collects data on transactions that may help identify fraudulent transactions, but it does not identify fraudulent transactions inherently. D. Although increased efficiency may be an added benefit of an embedded audit module, it is not the primary objective.
Which of the following is the MOST effective control over visitor access to a data center? Select an answer: A. Visitors are escorted. B. Visitor badges are required. C. Visitors sign in. D. Visitors are spot-checked by operators.
You are correct, the answer is A. A. Escorting visitors will provide the best assurance that visitors have permission to access defined areas within the data processing facility. B. Requiring visitors to wear badges is a good practice, but not a reliable control. C. Requiring that visitors sign in is good practice, but not a reliable control. After visitors are in the building, the sign-in process will not prevent them from accessing unauthorized areas. D. Visitors should be accompanied at all times while they are on the premises, not only when they are in the data processing facility.
Value delivery from IT to the business is MOST effectively achieved by: Select an answer: A. aligning the IT strategy with the enterprise strategy. B. embedding accountability in the enterprise. C. providing a positive return on investment (ROI). D. establishing an enterprisewide risk management process.
You are correct, the answer is A. A. IT's value delivery to the business is driven by aligning IT with the enterprise's strategy. B. Embedding accountability in the enterprise promotes risk management (another element of corporate governance). C. While return on investment (ROI) is important, it is not the only criterion by which the value of IT is assessed. D. Enterprisewide risk management is critical to IT governance; however, by itself it will not guarantee that IT delivers value to the business unless the IT strategy is aligned with the enterprise strategy.
A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that: Select an answer: A. the users may not remember to manually encrypt the data before transmission. B. the site credentials were sent to the financial services company via email. C. personnel at the consulting firm may obtain access to sensitive data. D. the use of a shared user ID to the FTP site does not allow for user accountability.
You are correct, the answer is A. A. If the data is not encrypted, an unauthorized external party may download sensitive company data. B. Even though the possibility exists that the logon information was captured from the emails, data should be encrypted, so the theft of the data would not allow the attacker to read it. C. Some of the employees at the consulting firm will have access to the sensitive data and the consulting firm must have procedures in place to protect the data. D. Tracing accountability is of minimal concern compared to the compromise of sensitive data.
If inadequate, which of the following would be the MOST likely contributor to a denial-of-service (DoS) attack? Select an answer: A. Router configuration and rules B. Design of the internal network C. Updates to the router system software D. Audit testing and review techniques
You are correct, the answer is A. A. Improper router configuration and rules could lead to an exposure to denial-of-service (DoS) attacks. B. An inefficient design of the internal network may also lead to a DoS but this is not as high a risk as router misconfiguration errors. C. Updates to router software has led to a DoS in the past, but this is a subset of router configuration and rules. D. Audit testing and review techniques can cause a DoS if tests disable systems or applications, but this is not the most likely risk.
From a control perspective, the PRIMARY objective of classifying information assets is to: Select an answer: A. establish guidelines for the level of access controls that should be assigned. B. ensure access controls are assigned to all information assets. C. assist management and auditors in risk assessment. D. identify which assets need to be insured against losses.
You are correct, the answer is A. A. Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset. B. Not all information needs to be protected through access controls. Overprotecting data would be expensive. C. The classification of information is usually based on the risk assessment, not the other way around. D. Insuring assets is valid; however, this is not the primary objective of information classification.
Results of a postimplementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application? Select an answer: A. Load testing B. Stress testing C. Recovery testing D. Volume testing
You are correct, the answer is A. A. Load testing evaluates the performance of the software under normal and peak conditions. Because this application is not supporting normal numbers of concurrent users, the load testing must not have been adequate. B. Stress testing determines the capacity of the software to cope with an abnormal number of users or simultaneous operations. Because the number of concurrent users in this question is within normal limits, the answer is load testing, not stress testing. C. Recovery testing evaluates the ability of a system to recover after a failure. D. Volume testing evaluates the impact of incremental volume of records (not users) on a system.
An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the GREATEST concern? Select an answer: A. The implementation phase of the project has no backout plan. B. User acceptance testing (UAT) was not properly documented. C. Software functionality tests were completed, but stress testing was not performed. D. The go-live date is over a holiday weekend when key IT staff are on vacation.
You are correct, the answer is A. A. One of the benefits of deploying a new system in parallel with an existing system is that the original system can always be used as a backout plan. In an immediate cutover scenario, not having a backout plan can create significant issues because it can take considerable time and cost to restore operations to the prior state if there is no viable plan to do so. B. The documentation of user acceptance testing (UAT) is a much less important concern than not having a viable backout plan. C. The lack of stress testing is a much less important concern than not having a viable backout plan. D. If there are support issues, having the go-live date happen over a holiday weekend may create some delays, but project managers should account for this to ensure that the required staff are available as needed. The greater risk is if there is no backout plan.
An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that: Select an answer: A. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity. B. access cards are not labeled with the organization's name and address to facilitate easy return of a lost card. C. card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards. D. the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure.
You are correct, the answer is A. A. Physical security is meant to control who is entering a secured area, so identification of all individuals is of utmost importance. It is not adequate to trust unknown external people by allowing them to write down their alleged name without proof (e.g., identity card, driver's license). B. Having the name and address of the organization on the card may be a concern because a malicious finder could use a lost or stolen card to enter the organization's premises. C. Separating card issuance from technical rights management is a method to ensure the proper segregation of duties so that no single person can produce a functioning card for a restricted area within the organization's premises. The long lead time is an inconvenience but not a serious audit risk. D. System failure of the card programming device would normally not mean that the readers do not function anymore. It simply means that no new cards can be issued, so this option is minor compared to the threat of improper identification.
An organization is proposing to establish a wireless local area network (WLAN). Management asks the IS auditor to recommend security controls for the WLAN. Which of the following would be the MOST appropriate recommendation? Select an answer: A. Physically secure wireless access points to prevent tampering. B. Use service set identifiers (SSIDs) that clearly identify the organization. C. Encrypt traffic using the Wired Equivalent Privacy (WEP) mechanism. D. Implement the Simple Network Management Protocol (SNMP) to allow active monitoring.
You are correct, the answer is A. A. Physically securing access points such as wireless routers, as well as preventing theft, addresses the risk of malicious parties tampering with device settings. If access points can be physically reached, it is often a simple matter to restore weak default passwords and encryption keys, or to totally remove authentication and encryption from the network. B. Service set identifiers (SSIDs) should not be used to identify the organization because hackers can associate the wireless local area network (WLAN) with a known organization and this increases both their motivation to attack and, potentially, the information available to do so. C. The original Wired Equivalent Privacy (WEP) security mechanism has been demonstrated to have a number of exploitable weaknesses. The more recently developed Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) standards represent considerably more secure means of authentication and encryption. D. Installing Simple Network Management Protocol (SNMP) on wireless access points can actually open up security vulnerabilities. If SNMP is required at all, then SNMP v3, which has stronger authentication mechanisms than earlier versions, should be deployed.
Which of the following methods BEST mitigates the risk of disclosing confidential information through the use of social networking sites? Select an answer: A. Providing security awareness training B. Requiring a signed acceptable use policy C. Monitoring the use of social media D. Prohibiting the use of social media through network controls
You are correct, the answer is A. A. Providing security awareness training is the best method to mitigate the risk of disclosing confidential information on social networking sites. It is important to remember that users may access these services through other means such as mobile phones and home computers; therefore, awareness training is most critical. B. Requiring a signed acceptable use policy can be a good control. However, if users are not aware of the risk, then this policy may not be effective. C. Monitoring the use of social media through the use of a proxy server that tracks the web sites users visit is not an effective control because users may access these services through other means such as mobile phones and home computers. D. Prohibiting the use of social media through network controls is not an effective control because users may access these services through other means such as mobile phones and home computers.
The IS auditor observes that the latest security-related software patches for a mission-critical system were released two months ago, but IT personnel have not yet installed the patches. The IS auditor should: Select an answer: A. review the patch management policy and determine the risk associated with this condition. B. recommend that IT systems personnel test and then install the patches immediately. C. recommend that patches be applied every month. D. take no action, because the IT processes related to patch management appear to be adequate.
You are correct, the answer is A. A. Reviewing the patch management policy and determining whether the IT department is compliant with the policies will detect whether the policies are appropriate and what risk is associated with current practices. B. While there may be instances in which the patch is an urgent fix for a serious security issue, IT may have made the determination that the risk to system stability is greater than the risk identified by the software vendor who issued the patch. Therefore, the time frame selected by IT may be appropriate, and this is not the correct answer. C. While keeping critical systems properly patched helps to ensure that they are secure, the requirement for a precise timetable to patch systems may create other issues if patches are improperly tested prior to implementation. Therefore, this is not the correct answer. D. Even if the IS auditor concludes that the patch management process is adequate, the observation related to the time delay in applying patches should be reported.
An IS auditor is comparing equipment in production with inventory records. This type of testing is an example of: Select an answer: A. substantive testing. B. compliance testing. C. analytical testing. D. control testing.
You are correct, the answer is A. A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. B. Compliance testing is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. This differs from substantive testing in which evidence is gathered to evaluate the integrity of individual transactions, data or other information. C. Analytical testing evaluates the relationship of two sets of data and discerns inconsistencies in the relationship. D. Control testing is the same as compliance testing.
The purpose of a mantrap controlling access to a computer facility is PRIMARILY to: Select an answer: A. prevent piggybacking. B. prevent toxic gases from entering the data center. C. starve a fire of oxygen. D. prevent an excessively rapid entry to, or exit from, the facility.
You are correct, the answer is A. A. The intended purpose of a mantrap controlling access to a computer facility is primarily to prevent piggybacking. B. Preventing toxic gases from entering the data center could be accomplished with a single self-closing door. C. Starving a fire of oxygen could be accomplished with a single self-closing fire door. D. A rapid exit may be necessary in some circumstances (e.g., a fire).
Which of the following would be BEST prevented by a raised floor in the computer machine room? Select an answer: A. Damage of wires around computers and servers B. A power failure from static electricity C. Shocks from earthquakes D. Water flood damage
You are correct, the answer is A. A. The primary reason for having a raised floor is to enable ventilation systems, power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risk posed when cables are placed in a spaghetti-like fashion on an open floor. B. Static electricity should be avoided in the machine room; therefore, measures such as specially manufactured carpet or shoes would be more appropriate for static prevention than a raised floor. C. Raised floors do not address shocks from earthquakes. To address earthquakes, anti-seismic architecture would be required to establish a quake-resistant structural framework. D. Computer equipment needs to be protected against water. However, a raised floor would not prevent damage to the machines in the event of overhead water pipe leakage.
An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a: Select an answer: A. lower confidence coefficient, resulting in a smaller sample size. B. higher confidence coefficient, resulting in a smaller sample size. C. higher confidence coefficient, resulting in a larger sample size. D. lower confidence coefficient, resulting in a larger sample size.
You are correct, the answer is A. A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size. B. A higher confidence coefficient will result in the use of a larger sample size. C. A higher confidence coefficient need not be adopted in this situation because internal controls are strong. D. A lower confidence coefficient will result in the use of a smaller sample size.
Which of the following BEST ensures that business requirements are met prior to implementation? Select an answer: A. Feasibility study B. User acceptance testing (UAT) C. Postimplementation review D. Implementation plan
You are correct, the answer is B. A. A feasibility study describes the key alternative courses of action that will satisfy the business and functional requirements of a project, including an evaluation of the technological and economic feasibility. A feasibility study is conducted at the commencement of the project. However, the final user acceptance testing (UAT) happens after the feasibility study and therefore is of greater value. B. UAT ensures that business process owners and IT stakeholders evaluate the outcome of the testing process to ensure that business requirements are met. C. The postimplementation review occurs after the implementation. D. The implementation plan formally defines expectations and performance measurement, and the effective recovery in the event of implementation failure. It does not ensure that business requirements are met.
While auditing an e-commerce architecture, an IS auditor notes that customer master data are stored on the web server for six months after the transaction date and then purged due to inactivity. Which of the following should be the PRIMARY concern for the IS auditor? Select an answer: A. Availability of customer data B. Integrity of customer data C. Confidentiality of customer data D. System storage performance
You are correct, the answer is C. A. Availability of customer data may be affected during an Internet connection outage, but this is of a lower concern than confidentiality. B. Integrity of customer data is affected only if security controls are weak enough to permit unauthorized modifications to the data, and it may be tracked by logging of changes. Confidentiality of data is a larger concern. C. Due to its exposure to the Internet, storing customer data for six months raises concerns regarding confidentiality of customer data. D. System storage performance may be a concern due to the volume of data. However, the bigger issue is that the information is protected.
An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy? Select an answer: A. Stateful inspection firewall B. Web content filter C. Web cache server D. Proxy server
You are correct, the answer is B. A. A stateful inspection firewall is of little help in filtering web traffic because it does not review the content of the web site, nor does it take into consideration the site's classification. B. A web content filter accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, organizations and vendors have made available uniform resource locator (URL) blacklists and classifications for millions of web sites. C. A web cache server is designed to improve the speed of retrieving the most common or recently visited web pages. D. A proxy server is incorrect because a proxy server services the request of its clients by forwarding requests to other servers. Many people incorrectly use proxy server as a synonym of web proxy server even though not all web proxy servers have content filtering capabilities.
Which of the following BEST helps prioritize the recovery of IT assets when planning for a disaster? Select an answer: A. Incident response plan B. Business impact analysis (BIA) C. Threat and risk analysis D. Recovery time objective (RTO)
You are correct, the answer is B. A. An incident response plan is an organized approach to addressing and managing a security breach or attack. The plan defines what constitutes an incident and the process to follow when an incident occurs. It does not prioritize recovery during a disaster. B. Incorporating the business impact analysis (BIA) into the IT disaster recovery planning process is critical to ensure that IT assets are prioritized to align with the business. C. Identifying threats and analyzing risk to the business is an important part of disaster planning, but it does not determine the priority of recovery. D. The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. This is included as part of the BIA and used to represent the prioritization of recovery.
The MOST likely explanation for a successful social engineering attack is: Select an answer: A. that computers make logic errors. B. that people make judgment errors. C. the computer knowledge of the attackers. D. the technological sophistication of the attack method.
You are correct, the answer is B. A. Driven by logic, computers make the same error every time they execute the erroneous logic; however, this is not the basic argument in designing a social engineering attack. B. Humans make errors in judging others; they may trust someone when, in fact, the person is untrustworthy. C. Generally, social engineering attacks do not require technological expertise; often, the attacker is not proficient in information technology or systems. D. Social engineering attacks are human-based and generally do not involve complicated technology.
After reviewing its business processes, a large organization is deploying a new web application based on a Voice-over Internet Protocol (VoIP) technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application? Select an answer: A. Fine-grained access control B. Role-based access control (RBAC) C. Access control lists D. Network/service access control
You are correct, the answer is B. A. Fine-grained access control on Voice-over Internet Protocol (VoIP) web applications does not scale to enterprisewide systems because it is primarily based on individual user identities and their specific technical privileges. B. Authorization in this case can best be addressed by role-based access control (RBAC) technology. RBAC controls access according to job roles or functions. RBAC is easy to manage and can enforce strong and efficient access controls in large-scale web environments including VoIP implementation. C. Access control lists on VoIP web applications do not scale to enterprisewide systems because they are primarily based on individual user identities and their specific technical privileges. D. Network/service addresses VoIP availability but does not address application-level access or authorization.
Which of the following does a lack of adequate controls represent? Select an answer: A. An impact B. A vulnerability C. An asset D. A threat
You are correct, the answer is B. A. Impact is the measure of the consequence (including financial loss, reputational damage, loss of customer confidence) that a threat event may have. B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers, employee error, environmental threat or equipment failure. This could result in a loss of sensitive information, financial loss, legal penalties or other losses. C. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure, finances and reputation. D. A threat is a potential cause of an unwanted incident.
Which of the following is the responsibility of information asset owners? Select an answer: A. Implementation of information security within applications B. Assignment of criticality levels to data C. Implementation of access rules to data and programs D. Provision of physical and logical security for data
You are correct, the answer is B. A. Implementation of information security within an application is the responsibility of the data custodians based on the requirements set by the data owner. B. It is the responsibility of owners to define the criticality (and sensitivity) levels of information assets. C. Implementation of access rules is a responsibility of data custodians based on the requirements set by the data owner. D. Provision of physical and logical security for data is the responsibility of the security administrator.
When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor? Select an answer: A. Hard disks are overwritten several times at the sector level but are not reformatted before leaving the organization. B. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization. C. Hard disks are rendered unreadable by hole-punching through the platters at specific positions before leaving the organization. D. The transport of hard disks is escorted by internal security staff to a nearby metal recycling company, where the hard disks are registered and then shredded.
You are correct, the answer is B. A. Overwriting a hard disk at the sector level would completely erase data, directories, indices and master file tables. Reformatting is not necessary because all contents are destroyed. Overwriting several times makes useless some forensic measures, which are able to reconstruct former contents of newly overwritten sectors by analyzing special magnetic features of the platter's surface. B. Deleting and formatting does not completely erase the data but only marks the sectors that contained files as being free. There are tools available over the Internet which allow one to reconstruct most of a hard disk's contents. C. While hole-punching does not delete file contents, the hard disk cannot be used anymore, especially when head parking zones and track zero information are impacted. Reconstructing data would be extremely expensive because all analysis must be performed under a clean room atmosphere and is only possible within a short time frame or until the surface is corroded. D. Data reconstruction from shredded hard disks is virtually impossible, especially when the scrap is mixed with other metal parts. If the transport can be secured and the destruction be proved as described in the option, this is a valid method of disposal.
An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank's financial risk is properly addressed, the IS auditor will most likely review which of the following? Select an answer: A. Privileged access to the wire transfer system B. Wire transfer procedures C. Fraud monitoring controls D. Employee background checks
You are correct, the answer is B. A. Privileged access, such as administrator access, is necessary to manage user account privileges and should not be granted to end users. The wire transfer procedures are a better control to review to ensure that there is segregation of duties of the end users to help prevent fraud. B. Wire transfer procedures include segregation of duties controls. This helps prevent internal fraud by not allowing one person to initiate, approve and send a wire. Therefore, the IS auditor should review the procedures as they relate to the wire system. C. Fraud monitoring is a detective control and does not prevent financial loss. Segregation of duties is a preventive control. D. While controls related to background checks are important, the controls related to segregation of duties as found in the wire transfer procedures are more critical.
Which of the following is the BEST indicator that a newly developed system will be used after it is in production? Select an answer: A. Regression testing B. User acceptance testing (UAT) C. Sociability testing D. Parallel testing
You are correct, the answer is B. A. Regression test results do not assist with the user experience and are primarily concerned with new functionality or processes and whether those changes altered or broke previous functionality. B. User acceptance testing (UAT) is undertaken to provide confidence that a system or system component operates as intended, to provide a basis for evaluating the implementation of the requirements or to demonstrate the effectiveness or efficiency of the system or component. If the results of the testing are poor, then the system is unlikely to be adopted by the users. C. Sociability test results indicate how the application works with other components within the environment and is not indicative of the user experience. D. Parallel testing is performed when the comparison of two applications is needed but will not provide feedback on user satisfaction.
An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers—one filled with carbon dioxide (CO2), the other filled with halon. Which of the following should be given the HIGHEST priority in the IS auditor's report? Select an answer: A. The halon extinguisher should be removed because halon has a negative impact on the atmospheric ozone layer. B. Both fire suppression systems present a risk of suffocation when used in a closed room. C. The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing fires involving solid combustibles (paper). D. The documentation binders should be removed from the equipment room to reduce potential risk.
You are correct, the answer is B. A. The Montreal Protocol allows existing halon installations to remain, although some countries may have laws that require its removal. B. Protecting people's lives should always be of highest priority in fire suppression activities. Carbon dioxide (CO2) and halon both reduce the oxygen ratio in the atmosphere, which can induce serious personal hazards. In many countries, installing or refilling halon fire suppression systems is not allowed. C. CO2 extinguishers can be used on most types of fires, and their use in a server room would be appropriate. D. Although not of highest priority, removal of the documentation would probably reduce some of the risk.
The MOST effective biometric control system is the one: Select an answer: A. which has the highest equal-error rate (EER). B. which has the lowest EER. C. for which the false-rejection rate (FRR) is equal to the false-acceptance rate (FAR). D. for which the FRR is equal to the failure-to-enroll rate (FER).
You are correct, the answer is B. A. The biometric that has the highest equal-error rate (EER) is the most ineffective. B. The EER of a biometric system denotes the percent at which the false-acceptance rate (FAR) is equal to the false-rejection rate (FRR). The biometric that has the lowest EER is the most effective. C. For any biometric, there will be a measure at which the FRR will be equal to the FAR. This is the EER. D. Failure-to-enroll rate (FER) is an aggregate measure of FRR.
Which of the following is the BEST reference for an IS auditor to determine a vendor's ability to meet service level agreement (SLA) requirements for a critical IT security service? A. Compliance with the master agreement B. Agreed-on key performance metrics C. Results of business continuity tests D. Results of independent audit reports
You are correct, the answer is B. A. The master agreement typically includes terms, conditions and costs but does not typically include service levels. B. Metrics allow for a means to measure performance. Service level agreements (SLAs) are statements related to expected service levels. For example, an Internet service provider (ISP) may guarantee that their service will be available 99.99 percent of the time. C. If applicable to the service, results of business continuity tests are typically included as part of the due diligence review. D. Independent audits report on the financial condition of an organization or the control environment. Reviewing audit reports is typically part of the due diligence review. Even audits must be performed against a set of standards or metrics to validate compliance.
An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor? Select an answer: A. A login screen is not displayed for guest users. B. The guest network is not segregated from the production network. C. Guest users who are logged in are not isolated from each other. D. A single factor authentication technique is used to grant access.
You are correct, the answer is B. A. Using a web captive portal, which displays a login screen in the user's web browser, is a good practice to authenticate guests. However, if the guest network is not segregated from the production network, users could introduce malware and potentially gain inappropriate access to systems and information. B. The implication of this is that guests have access to the organization's network. Allowing untrusted users to connect to the organization's network could introduce malware and potentially allow these individuals inappropriate access to systems and information. C. There are certain platforms in which it is allowable for guests to interact with one another. Also, guests could be warned to use only secured systems and a policy covering interaction among guests could be created. D. Although a multifactor authentication technique is preferred, a single-factor authentication method should be adequate if properly implemented.
An IS auditor performing a data center review for a large company discovers that the data center has a lead-acid battery room to provide power to its uninterruptable power supply (UPS) during short-term outages and a diesel generator to provide long-term power backup. Which of the following items would cause the IS auditor the GREATEST concern? Select an answer: A. The service contract on the diesel generator is not current. B. The battery room does not contain hydrogen sensors. C. The door to the battery room is kept locked. D. The battery room is next to the diesel generator yard.
You are correct, the answer is B. A. While a valid service contract is important, the bigger risk would be from a hydrogen explosion. B. Lead-acid batteries emit hydrogen, which is a highly explosive gas. Hydrogen detectors are a compensating control for ventilation system failure. All battery rooms should have hydrogen sensors as well as adequate ventilation systems. C. It is good practice to keep the door to the battery room locked to prevent entry by unauthorized personnel. D. With the generators located outdoors, the risk of a hydrogen explosion caused by the generators is negligible. Hydrogen sensors would notify data center personnel of a potential gas buildup so they could take the appropriate measures.
Which of the following provides the GREATEST assurance for database password encryption? Select an answer: A. Secure hash algorithm-256 (SHA-256) B. Advanced encryption standard (AES) C. Secure Shell (SSH) D. Triple data encryption standard (DES)
You are correct, the answer is B. A. While hashing functions are used to protect passwords, hashing is not encryption. B. The use of advanced encryption standard (AES) is a secure encryption algorithm that is appropriate for encrypting passwords. C. Secure Shell (SSH) can only be used to encrypt passwords that are being transmitted. It cannot encrypt data at rest. D. Triple Data Encryption Standard (DES) is a valid encryption method; however, AES is a stronger and more recent encryption algorithm.
An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that: Select an answer: A. it has not been determined how the project fits into the overall project portfolio. B. the organizational impact of the project has not been assessed. C. not all IT stakeholders have been given an opportunity to provide input. D. the environmental impact of the data center has not been considered.
You are correct, the answer is B. A. While projects must be assigned a priority and managed as a portfolio, this most likely occurs after the feasibility study determines that the project is viable. B. The feasibility study determines the strategic benefits of the project. Therefore, the result of the feasibility study determines the organizational impact—a comparison report of costs, benefits, risk, etc. The project portfolio is a part of measuring the organizational strategy. C. A feasibility study is ordinarily conducted by those with the knowledge to make the decision because the involvement of the entire IT organization is not needed. D. While an IT project such as the construction of a data center may require an environmental impact study, this occurs after the impact to the organization is determined.
An organization with a history of strong internal controls allows for the use of universal serial bus (USB) drives to transfer data between offices. Which of the following is the GREATEST risk associated with the use of these devices? Select an answer: A. Files are not backed up B. Theft of the devices C. Use of the devices for personal purposes D. Introduction of malware into the network
You are correct, the answer is B. A. While this is a risk, theft of an unencrypted device is a greater risk. B. Because universal serial bus (USB) drives tend to be small, they are susceptible to theft or loss. This represents the greatest risk to the organization. C. Use of USB drives for personal purposes is a violation of company policy; however, this is not the greatest risk. D. Good general IT controls will include the scanning of USB drives for malware once they are inserted in a computer. The risk of malware in an otherwise robust environment is not as great as the risk of loss or theft.
Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program? Select an answer: A. Review the security training program. B. Ask the security administrator. C. Interview a sample of employees. D. Review the security reminders to employees.
You are correct, the answer is C. A. A security training program may be well designed, but the results of the program will be determined by employee awareness. B. Asking the security administrator would not show the effectiveness of a security awareness and training program because such a program should target more than just the administrator. C. Interviewing a sample of employees is the best way to determine the effectiveness of a security awareness and training program because overall awareness must be determined and effective security is dependent on people. Reviewing the security training program would not be the ultimate indicator of the effectiveness of the awareness training. D. Reviewing the security reminders to the employees is not the best way to find out the effectiveness of the training awareness because sending reminders may result in little actual awareness.
Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment? Select an answer: A. Alpha testing B. Regression testing C. Beta testing D. White box testing
You are correct, the answer is C. A. Alpha testing is often performed only by users within the organization developing the software. Alpha testing generally involves a software version that does not contain all the features of the final product and may be a simulated test. B. Regression testing is used to determine whether system changes have introduced new errors to existing functionality. C. Beta testing follows alpha testing and involves real-world exposure with external user involvement. Beta testing is the last stage of testing and involves sending the beta version of the product to independent beta test sites or offering it free to interested users. D. White box testing is used to assess the effectiveness of program logic.
Which of the following can be used to help ensure confidentiality of transmitted data? Encrypting the: Select an answer: A. message digest with the sender's private key. B. session key with the sender's public key. C. message with the receiver's private key. D. session key with the receiver's public key.
You are correct, the answer is D. A. This will ensure authentication and nonrepudiation. B. This will make the message accessible to only the sender. C. Ideally, a sender cannot have access to a receiver's private key. D. Access to the session key can only be obtained using the receiver's private key.
An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may affect? Select an answer: A. Control risk B. Compliance risk C. Inherent risk D. Residual risk
You are correct, the answer is C. A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested and would not be due to the number of users or business areas affected. B. Compliance risk is the penalty applied to current and future earnings for nonconformance to laws and regulations, and may not be impacted by the number of users and business areas affected. C. Inherent risk is normally high due to the number of users and business areas that may be affected. Inherent risk is the risk level or exposure without taking into account the actions that management has taken or might take. D. Residual risk is the remaining risk after management has implemented a risk response, and is not based on the number of user or business areas affected.
The responsibility for authorizing access to application data should be with the: Select an answer: A. data custodian. B. database administrator (DBA). C. data owner. D. security administrator.
You are correct, the answer is C. A. Data custodians are responsible only for storing and safeguarding the data according to the direction provided by the data owner. B. The database administrator (DBA) is responsible for managing the database, not determining who is authorized to access the data in the database. C. Data owners should have the authority and responsibility for granting access to the data and applications for which they are responsible and ensuring that appropriate controls are in place to protect their data and systems. The ultimate responsibility for data resides with the data owner. D. The security administrator may lead investigations and is responsible for implementing and maintaining information security policy, but not for authorizing data access.
The project steering committee is ultimately responsible for: Select an answer: A. day-to-day management and leadership of the project. B. allocating the funding for the project. C. project deliverables, costs and timetables. D. ensuring that system controls are in place.
You are correct, the answer is C. A. Day-to-day management and leadership of the project is the function of the project manager. B. Providing the funding for the project is the function of the project sponsor. C. The project steering committee provides overall direction; ensures appropriate representation of the major stakeholders in the project's outcome; and takes ultimate responsibility for the deliverables, costs and timetables. D. Ensuring that system controls are in place is the function of the project security officer.
An IS auditor reviewing the authentication controls of an organization should be MOST concerned if: Select an answer: A. user accounts are not locked out after five failed attempts. B. passwords can be reused by employees within a defined time frame. C. system administrators use shared login credentials. D. password expiration is not automated.
You are correct, the answer is C. A. If user accounts are not locked after multiple failed attempts, a brute force attack could be used to gain access to the system. While this is a risk, a typical user would have limited system access compared to an administrator. B. The reuse of passwords is a risk. However, the use of shared login credentials by administrators is a more severe risk. C. The use of shared login credentials makes accountability impossible. This is especially a risk with privileged accounts. D. If password expiration is not automated, it is most likely that employees will not change their passwords regularly. However, this is not as serious as passwords being shared, and the use of shared login credentials by administrators is a more severe risk.
An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose? Select an answer: A. Inspection B. Inquiry C. Walk-through D. Reperformance
You are correct, the answer is C. A. Inspection is just one component of a walk-through and by itself does not supply enough information to provide a full understanding of the overall process and identify potential control weaknesses. B. Inquiry provides only general information on how the control is executed. It does not necessarily enable the IS auditor to determine whether the control performer has an in-depth understanding of the control. C. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses. D. Reperformance of the control is carried out by the IS auditor and does not provide assurance of the competency of the auditee.
An organization bought a new system to integrate its human resources (HR) and payroll systems. Which of the following tests ensures that the new system can operate successfully with existing systems? Select an answer: A. Parallel testing B. Pilot testing C. Sociability testing D. Integration testing
You are correct, the answer is C. A. Parallel testing is the process of feeding data into two systems—the modified system and an alternate system—and computing the results in parallel. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions. B. Pilot testing takes place first at one location and is then extended to other locations. The purpose is to see whether the new system operates satisfactorily in one place before implementing it at other locations. C. The purpose of sociability testing is to ensure that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interface with other systems, as well as changes to the desktop in a client-server or web development. D. Integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure. In this case, the tests are not necessarily between systems that interact with one another so sociability testing is a better answer.
Which of the following is the MOST likely reason an organization implements an emergency change to an application using the emergency change control process? Select an answer: A. The application owner requested new functionality. B. Changes are developed using an agile methodology. C. There is a high probability of a significant impact on operations. D. The operating system (OS) vendor has released a security patch.
You are correct, the answer is C. A. Requests for new functionality by the application owner generally follow normal change control procedures, unless they have an impact on the business function. B. The agile system development methodology breaks down projects into short time-boxed iterations. Each iteration focuses on developing end-to-end functionality from user interface to data storage for the intended architecture. However, the release does not need to follow emergency release procedures unless there is a significant impact on operations. C. Emergency releases to an application are fixes that require implementation as quickly as possible to prevent significant user downtime. Emergency release procedures are followed in such situations. D. Operating system (OS) security patches are applied after testing, and therefore there is no need for an emergency release.
Which of the following is the MOST important security consideration to an organization that wants to reduce its IS infrastructure by using servers provided by a platform as a service (PaaS) vendor? Select an answer: A. Require users of the new application to adopt specific, minimum-length passwords. B. Implement a firewall that monitors incoming traffic using the organization's standard settings. C. Review the need for encryption of stored and transmitted application data. D. Make the service vendor responsible for application security through contractual terms.
You are correct, the answer is C. A. Requiring application users to maintain another password may not be popular. A more fundamental reason is that many cloud service providers expose their services via application programming interfaces (APIs). These APIs are designed to accept tokens, not passwords. Ideally, they use an open standard such as Security Assertion Markup Language (SAML) or WS-Federation for exchanging authentication and authorization information. An authentication scheme needs to take into account the type of application users—organization employees, employees of partner organizations, customers or a combination of user types. Additionally, the increasing trend is for web applications to be accessible by multiple device types. Therefore, the organization may need to employ a "bring your own identity" scheme of authentication. An appropriate mechanism (such as a security token, smart card, one-time password via short message service [SMS] or telephone) based on assessed risk should be used to confirm user identity. B. In a platform as a service (PaaS) cloud computing model, network security remains the responsibility of the cloud service provider. Because multiple tenants use the cloud service provider's infrastructure, insisting on a specific firewall configuration is not practical, although it may be possible to agree to some arrangements when negotiating the service contract. The "deperimeterized" nature of cloud computing enhances the need for strong application security controls to be designed, tested and implemented. C. With cloud computing, an application does not run on an organization's trusted environment. Instead, it runs on infrastructure shared by other tenants and administered by people not employed by the organization. Therefore, depending on the nature of the data, there may be a greater need to rely on encryption to protect privacy. This may apply not just to data when they are stored in the cloud but also during transmission. However, careful consideration must be given to the nature of the data to understand what degree of protection is needed. Using encryption can increase complexity and have performance implications. The possibility of using compensating controls (e.g., protecting stored data through database access controls, should also be considered). D. In a PaaS cloud computing model, the service provider supplies the computing infrastructure and development frameworks. While requirements for basic infrastructure security can be discussed and possibly included as contract terms, responsibility for building a secure application rests with the customer organization. Given that cloud computing enhances some threats present with traditional in-house hosted systems as well as introducing some new threats, it is particularly important that application security controls be given strong focus during application development.
The BEST overall quantitative measure of the performance of biometric control devices is: Select an answer: A. false-rejection rate (FRR). B. false-acceptance rate (FAR). C. equal-error rate (EER). D. estimated-error rate.
You are correct, the answer is C. A. The false-rejection rate (FRR) only measures the number of times an authorized person is denied entry. B. The false-acceptance rate (FAR) only measures the number of times an unauthorized person may be accepted as authorized. C. A low equal-error rate (EER) is a combination of a low FRR and a low FAR. EER, expressed as a percentage, is a measure of the number of times that the FRR and FAR are equal. A low EER is the measure of the more effective biometrics control device. D. The estimated-error rate is not a valid biometric term.
A new business application requires deviation from the standard configuration of the operating system (OS). What activity should the IS auditor recommend to the security manager as a FIRST response? Select an answer: A. Initial rejection of the request because it is against the security policy B. Approval of the exception to policy to meet business needs C. Assessment of the risk and identification of compensating controls D. Revision of the OS baseline configuration
You are correct, the answer is C. A. The security policy may be waived with management approval to meet business requirements; it is not up to the security manager to refuse the deviation. B. The security manager may make a case for deviation from the policy, but this should be based on a risk assessment and compensating controls. The deviation itself should be approved in accordance with a defined exception handling process. C. Before approving any exception, the security manager should first check for compensating controls and assess the possible risk due to deviation. D. Updating or revising the baseline configuration is not associated with requests for deviations.
Users are issued security tokens to be used in combination with a personal identification number (PIN) to access the corporate virtual private network (VPN). Regarding the PIN, what is the MOST important rule to be included in a security policy? Select an answer: A. Users should not leave tokens where they could be stolen. B. Users must never keep the token in the same bag as their laptop computer. C. Users should select a PIN that is completely random, with no repeating digits. D. Users should never write down their PIN.
You are correct, the answer is D. A. Access to the token is of no value without the personal identification number (PIN); one cannot work without the other. B. Access to the token is of no value without the PIN; one cannot work without the other. C. The PIN does not need to be random as long as it is secret. D. If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. A token and the PIN is a two-factor authentication method.
An accuracy measure for a biometric system is: Select an answer: A. system response time. B. registration time. C. input file size. D. false-acceptance rate (FAR).
You are correct, the answer is D. A. An important consideration in the implementation of biometrics is the time required to process a user. If the system is too slow then it will impact productivity and lead to frustration. However, this is not an accuracy measure. B. The registration time is a measure of the effort taken to enroll a user in the system. This is not an accuracy measure. C. The file size to retain biometric information varies depending on the type of biometric solution selected. This is not an accuracy measure. D. Three main accuracy measures are used for a biometric solution: false-rejection rate (FRR), cross-error rate (CER) and false-acceptance rate (FAR). FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often invalid individuals are accepted. CER is a measure of when the false-rejection rate equals the false-acceptance rate.
Which of the following is the MOST effective method for disposing of magnetic media that contains confidential information? Select an answer: A. Degaussing B. Defragmenting C. Erasing D. Destroying
You are correct, the answer is D. A. Degaussing or demagnetizing is a good control, but not sufficient to fully erase highly confidential information from magnetic media. B. The purpose of defragmentation is to improve efficiency by eliminating fragmentation in file systems; it does not remove information. C. Erasing or deleting magnetic media does not remove the information; this method simply changes a file's indexing information. D. Destroying magnetic media is the only way to assure that confidential information cannot be recovered.
Which of the following BEST helps ensure that deviations from the project plan are identified? Select an answer: A. A project management framework B. A project management approach C. A project resource plan D. Project performance criteria
You are correct, the answer is D. A. Establishment of a project management framework identifies the scope and boundaries of managing projects and the consistent method to be applied when initiating a project but does not define the criteria used to measure project success. B. A project management approach defines guidelines for project management processes and deliverables but does not define the criteria used to measure project success. C. A project resource plan defines the responsibilities, relationships, authorities and performance criteria of project team members but does not wholly define the criteria used to measure project success. D. To identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success.
Which of the following is the MAIN reason an organization should have an incident response plan? The plan helps to: Select an answer: A. ensure prompt recovery from system outages. B. contain costs related to maintaining disaster recovery plan (DRP) capabilities. C. ensure that customers are promptly notified of issues such as security breaches. D. minimize the impact of an adverse event.
You are correct, the answer is D. A. Incident response plans generally deal with a wide range of possible issues, but are not a replacement for a DRP or business continuity plan (BCP). The primary focus of a DRP, not the incident response plan, is to restore IT systems to a working state. B. An effective incident response plan could minimize damage to the organization, which minimizes costs, but the main purpose of the incident response plan is to minimize damage. Possible damage could include nonfinancial metrics, such as damage to a company's reputation. C. While an incident response plan includes elements such as when and how to contact customers about a significant incident, the primary purpose of the plan is to minimize the impact. D. An incident response plan helps minimize the impact of an incident because it provides a controlled response to incidents. The phases of the plan include planning, detection, evaluation, containment, eradication, escalation, response, recovery, reporting, postincident review and a review of lessons learned.
What is the BEST approach to mitigate the risk of a phishing attack? Select an answer: A. Implementation of an intrusion detection system (IDS) B. Assessment of web site security C. Strong authentication D. User education
You are correct, the answer is D. A. Intrusion detection systems (IDSs) will capture network or host traffic for analysis and may detect malicious activity but are not effective against phishing attacks. B. Assessing web site security does not mitigate the risk. Phishing is based on social engineering and often distributed through email. Web site security is only a small part of the problem. C. Phishing attacks can be mounted in various ways, often through email; strong two-factor authentication cannot mitigate most types of phishing attacks. D. The best way to mitigate the risk of phishing is to educate users to take caution with suspicious Internet communications and not to trust them until verified. Users require adequate training to recognize suspicious web pages and email.
The PRIMARY purpose of a postimplementation review is to ascertain that: Select an answer: A. the lessons learned have been documented. B. future enhancements can be identified. C. the project has been delivered on time and budget. D. project objectives have been met.
You are correct, the answer is D. A. It is important to ensure that lessons learned during the project are not forgotten; however, it is more important to ascertain whether the project solved the problem it was designed to address. B. Identifying future enhancements is not the primary objective of a postimplementation review. C. Although it is important to review whether the project was completed on time and budget, it is more important to determine whether the project met the business needs. D. A project manager performs a postimplementation review to obtain feedback regarding the project deliverables and business needs and to determine whether the project has successfully met them.
Which of the following is the BEST method to ensure that critical IT system failures do not recur? Select an answer: A. Invest in redundant systems. B. Conduct a follow-up audit. C. Monitor system performance. D. Perform root cause analysis.
You are correct, the answer is D. A. Redundancy may be a solution; however, a root cause analysis enables an educated decision to address the origin of the problem instead of simply assuming that system redundancy is the solution. B. While an audit may discover the root cause of the problem, an audit is not a solution to an operational problem. Identifying the origins of operational failures needs to be part of day-to-day IT processes and owned by the IT department. C. Use of monitoring tools is a means to gather data and can contribute to root cause analysis, but it does not by itself help prevent an existing problem from recurring. D. Root cause analysis determines the key reason an incident has occurred and allows for appropriate corrections that will help prevent the incident from recurring.
An IS auditor discovers a potential material finding. The BEST course of action is to: Select an answer: A. report the potential finding to business management. B. discuss the potential finding with the audit committee. C. increase the scope of the audit. D. perform additional testing.
You are correct, the answer is D. A. The item should be confirmed through additional testing before it is reported to management. B. The item should be confirmed through additional testing before it is discussed with the audit committee. C. Additional testing to confirm the potential finding should be within the scope of the engagement. D. The IS auditor should perform additional testing to ensure that it is a finding. An auditor can lose credibility if it is later discovered that the finding was not justified.
Which of the following is the MOST reliable form of single factor personal identification? Select an answer: A. Smart card B. Password C. Photo identification D. Iris scan
You are correct, the answer is D. A. There is no guarantee that a smart card is being used by the correct person because it can be shared, stolen, or lost and found. B. Passwords can be shared and, if written down, carry the risk of discovery. C. Photo IDs can be forged or falsified. D. Because no two irises are alike, identification and verification can be done with confidence.
An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture? Select an answer: A. A Secure Sockets Layer (SSL) has been implemented for user authentication and remote administration of the firewall. B. Firewall policies are updated on the basis of changing requirements. C. Inbound traffic is blocked unless the traffic type and connections have been specifically permitted. D. The firewall is placed on top of the commercial operating system with all default installation options.
You are correct, the answer is D. A. Using Secure Sockets Layer (SSL) for firewall administration is important because changes in user and supply chain partners' roles and profiles will be dynamic. B. It is appropriate to maintain the firewall policies as needed. C. It is prudent to block all inbound traffic to an extranet unless permitted. D. The greatest concern when implementing firewalls on top of commercial operating systems is the potential presence of vulnerabilities that could undermine the security posture of the firewall platform itself. In most circumstances, when commercial firewalls are breached that breach is facilitated by vulnerabilities in the underlying operating system. Keeping all installation options available on the system further increases the risk of vulnerabilities and exploits.
When performing a postimplementation review of a software development project for a highly secure application, it is MOST important to confirm that: Select an answer: A. vulnerability testing was performed. B. the project was formally closed. C. the project schedule and budget were met. D. business requirements were met.
You are correct, the answer is D. A. Vulnerability testing may be incorporated into the system development process; however, it is most important that business requirements were met. As stated in the question, the business requirements in this case included adequate security. B. Formally closing the project is important, but the primary goal of meeting business requirements is most important. C. Although meeting the designated project time line and budget is an important goal, the overall purpose of the project is to fulfill a business need. Therefore, validating that the project met the business requirements is the most important task for the IS auditor. D. Established procedures for postimplementation review should primarily ensure that business requirements were met.