Information Systems Operations and Business Resilience


Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases?
A. Change management
B. Backup and recovery
C. Incident management
D. Configuration management

Answer: D. Configuration management
A. Change management controls changes to the configuration, but the baseline itself is the standard configuration against which changes are made.
B. Backup and recovery of the configuration are important, but they are not used to create the baseline.
C. Incident management determines how to respond to an adverse event and is not related to recording baseline configurations.
D. The configuration management process may include automated tools that record the software release baseline automatically. Should the new release fail, the baseline provides a known point to which to return.

Which of the following distinguishes a business impact analysis from a risk assessment?
A. An inventory of critical assets
B. An identification of vulnerabilities
C. A listing of threats
D. A determination of acceptable downtime

Answer: D. A determination of acceptable downtime
A. An inventory of critical assets is completed in both a risk assessment and a BIA.
B. An identification of vulnerabilities is relevant in both a risk assessment and a BIA.
C. A listing of threats is relevant in both a risk assessment and a BIA.
D. A determination of acceptable downtime is made only in a business impact analysis (BIA).

Which of the following would an IS auditor consider to be MOST helpful when evaluating the effectiveness and adequacy of a preventive computer maintenance program?
A. A system downtime log
B. Vendors' reliability figures
C. Regularly scheduled maintenance log
D. A written preventive maintenance schedule

Answer: A. A system downtime log
A. A system downtime log provides evidence regarding the effectiveness and adequacy of the computer preventive maintenance program. The log is a detective control, but because it validates the effectiveness of the maintenance program, it is validating a preventive control.
B. Vendors' reliability figures are not an effective measure of a preventive maintenance program.
C. Reviewing the maintenance log is a good detective control to ensure that maintenance is being done; however, only the system downtime will indicate whether the preventive maintenance is actually working well.
D. A written schedule is a good control to ensure that maintenance is scheduled and that no items are missed; however, it is not a guarantee that the work is actually being done.

An IS auditor is conducting a review of the disaster recovery procedures for a data center. Which of the following indicators BEST shows that the procedures meet the requirements?
A. Documented procedures were approved by management.
B. Procedures were reviewed and compared with industry good practices.
C. A tabletop exercise using the procedures was conducted.
D. Recovery teams and their responsibilities are documented.

Answer: C. A tabletop exercise using the procedures was conducted.
A. Management approval does not necessarily mean that the disaster recovery procedures are sufficient to meet the needs of the business.
B. While it is useful to compare the procedures with documented industry good practices, a tabletop exercise (paper test) is a better indicator that the procedures meet requirements.
C. Conducting a tabletop exercise (paper-based test) of the procedures with all responsible members best ensures that the procedures meet the requirements. This type of test can identify missing or incorrect procedures because the representatives responsible for performing the tasks are present.
D. The documentation of recovery teams and their responsibilities would be part of the procedures and does not by itself validate that the procedures are correct and complete, and thus meet requirements.

A large chain of shops with electronic funds transfer at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?
A. Offsite storage of daily backups
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Alternative standby processor at another network node

Answer: D. Alternative standby processor at another network node
A. Offsite storage of daily backups would not help, because electronic funds transfer tends to be an online process and offsite storage will not replace the dysfunctional processor.
B. An alternate processor onsite would be fine if it were an equipment problem, but it would not help in the case of a power outage and may require technical expertise to cut over to the alternate equipment.
C. Duplex communication links would be most appropriate if it were only the communication link that failed.
D. Having an alternative standby processor at another network node is the best solution. The unavailability of the central communications processor would disrupt all access to the banking network, disrupting operations for all of the shops, and it could be caused by failure of equipment, power or communications.

An IS auditor determined that the IT manager recently changed the vendor that is responsible for performing maintenance on critical computer systems to cut costs. While the new vendor is less expensive, the new maintenance contract specifies an incident resolution time that differs from the one specified by the original vendor. Which of the following should be the GREATEST concern to the IS auditor?
A. Disaster recovery plans may be invalid and need to be revised.
B. Transactional business data may be lost in the event of system failure.
C. The new maintenance vendor is not familiar with the organization's policies.
D. Application owners were not informed of the change.

Answer: D. Application owners were not informed of the change.
A. Disaster recovery plans (DRPs) must support the needs of the business, but the greater risk is that application owners are not aware of the change in resolution time.
B. Transactional business data loss is determined by data backup frequency and, consequently, the backup schedule, not by the maintenance contract.
C. The vendor must abide by the terms of the contract, and those should include compliance with the privacy policies of the organization, but the lack of application owner involvement is the more important concern.
D. The greatest risk of making a change to the maintenance of critical systems is that the change could have an adverse impact on a critical business process. While there is a benefit in selecting a less expensive maintenance vendor, the resolution time must be aligned with the needs of the business, and the application owners are the ones who know those needs.

An IS auditor analyzing the audit log of a database management system finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violated?
A. Consistency
B. Isolation
C. Durability
D. Atomicity

Answer: D. Atomicity
A. Consistency ensures that the database is in a proper state when the transaction begins and ends and that the transaction has not violated integrity rules.
B. Isolation means that, while a transaction is in an intermediate state, its data are invisible to external operations; it prevents concurrent transactions from interfering with each other's uncommitted data.
C. Durability guarantees that a successful transaction will persist and cannot be undone.
D. Atomicity guarantees that either the entire transaction is processed or none of it is. A transaction that was partially executed and never rolled back is exactly a violation of atomicity.
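The following is an added example, not part of the original question set, showing both halves of the finding above: how a partially executed transaction arises when statements are not grouped into one atomic unit, and how an auditor could scan an audit log for such transactions. It uses SQLite from the Python standard library; the account table, the transfer logic and the "key=value" audit log format are all constructed for the illustration and are not taken from any real DBMS.

```python
import sqlite3

# Constructed sample database: two accounts used for a funds transfer.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account (id INTEGER PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO account VALUES (?, ?)", [(1, 100), (2, 50)])
    conn.commit()
    conn.isolation_level = None  # autocommit: transactions are managed explicitly below
    return conn

def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))

def transfer_non_atomic(conn, amount):
    """Each statement commits on its own. If the debit violates the CHECK
    constraint, the credit that already ran stays applied: a partial transaction."""
    try:
        conn.execute("UPDATE account SET balance = balance + ? WHERE id = 2", (amount,))
        conn.execute("UPDATE account SET balance = balance - ? WHERE id = 1", (amount,))
    except sqlite3.IntegrityError:
        pass  # nothing is undone; money has been created out of thin air
    return balances(conn)

def transfer_atomic(conn, amount):
    """Both statements inside one transaction; on error the whole unit is rolled back."""
    conn.execute("BEGIN")
    try:
        conn.execute("UPDATE account SET balance = balance + ? WHERE id = 2", (amount,))
        conn.execute("UPDATE account SET balance = balance - ? WHERE id = 1", (amount,))
        conn.execute("COMMIT")
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")
    return balances(conn)

# Constructed audit log in a hypothetical "key=value" format: one line per
# statement, carrying the transaction id, the operation and its outcome.
AUDIT_LOG = """\
tx=101 op=BEGIN status=OK
tx=101 op=UPDATE status=OK
tx=101 op=UPDATE status=OK
tx=101 op=COMMIT status=OK
tx=102 op=BEGIN status=OK
tx=102 op=UPDATE status=OK
tx=102 op=UPDATE status=ERROR
tx=103 op=BEGIN status=OK
tx=103 op=UPDATE status=OK
tx=103 op=UPDATE status=ERROR
tx=103 op=ROLLBACK status=OK
"""

def find_partial_transactions(log_text):
    """Transaction ids that applied at least one write, then hit an error,
    and were never closed by COMMIT or ROLLBACK: the atomicity violations."""
    txs = {}
    for line in log_text.splitlines():
        fields = dict(item.split("=", 1) for item in line.split())
        tx = txs.setdefault(fields["tx"], {"writes": 0, "error": False, "closed": False})
        op, status = fields["op"], fields["status"]
        if op in ("COMMIT", "ROLLBACK"):
            tx["closed"] = True
        elif op != "BEGIN":
            if status == "OK":
                tx["writes"] += 1
            else:
                tx["error"] = True
    return sorted(t for t, s in txs.items() if s["writes"] and s["error"] and not s["closed"])

if __name__ == "__main__":
    print("non-atomic:", transfer_non_atomic(make_db(), 150))  # {1: 100, 2: 200}
    print("atomic:    ", transfer_atomic(make_db(), 150))      # {1: 100, 2: 50}
    print("partial txs in audit log:", find_partial_transactions(AUDIT_LOG))  # ['102']
```

In the non-atomic variant the failed debit leaves the credit in place, which is the state the auditor would see; transaction 102 in the constructed log is the same defect seen from the log side (writes applied, an error, no COMMIT or ROLLBACK), while 103 shows the correct recovery.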

Which of the following is the BEST reason for integrating the testing of noncritical systems in disaster recovery plans (DRPs) with business continuity plans (BCPs)?
A. To ensure that DRPs are aligned to the business impact analysis.
B. Infrastructure recovery personnel can be assisted by business subject matter experts.
C. BCPs may assume the existence of capabilities that are not in DRPs.
D. To provide business executives with knowledge of disaster recovery capabilities.

Answer: C. BCPs may assume the existence of capabilities that are not in DRPs.
A. DRPs should be aligned with the business impact analysis; however, this has no bearing on integrating the testing of noncritical systems in DRPs with BCPs.
B. Infrastructure personnel will be focused on restoring the various platforms that make up the infrastructure, and it is not necessary for business subject matter experts to be involved.
C. BCPs may assume the existence of capabilities that are not part of the DRPs, such as allowing employees to work from home during the disaster; however, IT may not have made sufficient provisions for these capabilities (e.g., it cannot support a large number of employees working from home). While the noncritical systems are important, it is possible that they are not part of the DRPs. For example, an organization may use an online system that does not interface with the internal systems. If the business function using the system is a critical process, the system should be tested, yet it may not be part of the DRP. Therefore, DRP and BCP testing should be integrated.
D. While business executives may be interested in the benefits of disaster recovery, testing is not the best way to accomplish this task.

Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis?
A. Business process owners
B. IT management
C. Senior business management
D. Industry experts

Answer: A. Business process owners
A. Business process owners have the most relevant information to contribute because the business impact analysis (BIA) is designed to evaluate criticality and recovery time lines based on business needs.
B. While IT management must be involved, they may not be fully aware of the business processes that need to be protected.
C. While senior business management must be involved, they may not be fully aware of the criticality of the applications that need to be protected.
D. The BIA is dependent on the unique business needs of the organization, so the advice of industry experts is of limited value.

An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access is required for smooth functioning of business operations, but this practice may not be addressed in the enterprise's access management policy. Which of the following controls would the IS auditor MOST likely recommend first for long-term resolution?
A. Redesign of the controls related to data authorization.
B. Implementation of additional segregation of duties controls as these users take on different roles.
C. Amendment of the access management policy to document a formal exception process.
D. Implementation of additional logging controls to identify any abuse of elevated system access.

Answer: C. Amendment of the access management policy to document a formal exception process.
A. Data authorization controls should be driven by the policy. While there may be some technical controls that could be adjusted, if the data changes happen infrequently, then an exception process is the better choice.
B. While adequate segregation of duties is important, the IS auditor must first review the policy to see whether there is a formal, documented process for this type of temporary access before adding controls to enforce segregation of duties.
C. If users are granted access to change data in support of business requirements, the policy should cover that access and be followed. If there is no policy for granting extraordinary access, one should be designed to ensure that no unauthorized changes are made.
D. Audit trails are needed whenever temporary elevated access is required; however, this is not the first step the auditor should take in reviewing the overall process.

During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
A. Postpone the audit until the agreement is documented.
B. Report the existence of the undocumented agreement to senior management.
C. Confirm the content of the agreement with both departments.
D. Draft a service level agreement for the two departments.

Answer: C. Confirm the content of the agreement with both departments.
A. There is no reason to postpone an audit because a service agreement is not documented, unless that agreement is all that is being audited. The agreement can be documented after it has been established that an agreement is in place.
B. Reporting to senior management is not necessary at this stage of the audit because this is not a serious immediate vulnerability.
C. An IS auditor should first confirm and understand the current practice before making any recommendations. Part of this is to ensure that both parties agree on the terms of the agreement.
D. Drafting a service level agreement is not the IS auditor's responsibility.

The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan?
A. Contact information of key personnel
B. Server inventory documentation
C. Individual roles and responsibilities
D. Procedures for declaring a disaster

Answer: A. Contact information of key personnel
A. In the event of a disaster, it is important to have a current, updated list of the personnel who are key to the operation of the plan.
B. Asset inventory is important and should be linked to the organization's change management process, but having access to key people may compensate for outdated records.
C. Roles and responsibilities are important, but in a disaster many people could fill different roles depending on their experience.
D. Procedures for declaring a disaster are important because they can affect response, customer perception and regulatory issues, but they are not as important as having the right people there when needed.

As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis?
A. Risk such as single point-of-failure and infrastructure risk
B. Threats to critical business processes
C. Critical business processes for ascertaining the priority for recovery
D. Resources required for resumption of business

Answer: C. Critical business processes for ascertaining the priority for recovery
A. Risk should be identified after the critical business processes have been identified.
B. Threats to critical business processes can only be identified after the critical business processes have been identified.
C. The identification of critical business processes should be addressed first so that the priorities and time lines for recovery can be documented.
D. Identification of the resources required for business resumption will occur after the identification of critical business processes.

Which of the following choices would MOST likely ensure that a disaster recovery effort is successful?
A. The tabletop test was performed.
B. Data restoration was completed.
C. Recovery procedures are approved.
D. Appropriate staff resources are committed.

Answer: B. Data restoration was completed.
A. Performing a tabletop test is extremely helpful but does not ensure that the recovery process is working properly.
B. The most reliable method to determine whether a backup is valid is to restore it to a system. A data restore test should be performed at least annually to verify that the process is working properly.
C. Approval of the recovery procedures will not ensure that data can be successfully restored.
D. While committing appropriate staff resources is appropriate, without data the recovery would not be successful.

Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?
A. Release-to-release source and object comparison reports
B. Library control software restricting changes to source code
C. Restricted access to source code and object code
D. Date and time-stamp reviews of source and object code

Answer: D. Date and time-stamp reviews of source and object code
A. Using version control software and comparing source and object code from release to release is a good practice but may not detect a problem where the source code is a different version than the object code.
B. All production libraries should be protected with access controls, and library control software may protect source code from tampering. However, this will not ensure that source and object code are based on the same version.
C. It is a good practice to restrict access to all source and object code, even in development. However, this will not ensure the synchronization of source and object code.
D. Reviewing date and time stamps ensures that the source code that was compiled matches the production object code. This is the most effective way to ensure that the approved production source code is the one that was compiled and is the one being used.

Which of the following is the MOST effective method for disposing of magnetic media that contains confidential information?
A. Degaussing
B. Defragmenting
C. Erasing
D. Destroying

Answer: D. Destroying
A. Degaussing or demagnetizing is a good control, but it is not sufficient to fully erase highly confidential information from magnetic media.
B. The purpose of defragmentation is to improve efficiency by eliminating fragmentation in file systems; it does not remove information.
C. Erasing or deleting files on magnetic media does not remove the information; it simply changes the file's indexing information.
D. Destroying magnetic media is the only way to assure that confidential information cannot be recovered.

A hard disk containing confidential data was damaged beyond repair. If the goal is to positively prevent access to the data by anyone else, what should be done to the hard disk before it is discarded?
A. Overwriting
B. Low-level formatting
C. Degaussing
D. Destruction

Answer: D. Destruction
A. Overwriting is impractical because the hard disk is damaged, and it offers less assurance than physical destruction even when done successfully.
B. Low-level formatting is impractical because the hard disk is damaged, and it offers less assurance than physical destruction even when done successfully.
C. Degaussing is highly effective but offers less assurance than physical destruction.
D. Physically destroying the hard disk is the most effective way to ensure that the data cannot be recovered.

Business units are concerned about the performance of a newly implemented system. Which of the following should an IS auditor recommend?
A. Develop a baseline and monitor system usage.
B. Define alternate processing procedures.
C. Prepare the maintenance manual.
D. Implement the changes users have suggested.

Answer: A. Develop a baseline and monitor system usage.
A. An IS auditor should recommend developing a performance baseline and monitoring the system's performance against that baseline, to build the empirical data on which decisions to modify the system can be made.
B. Alternate processing procedures will not alter a system's performance, and no changes should be made until the reported issue has been examined more thoroughly.
C. A maintenance manual will not alter a system's performance or address the user concerns.
D. Implementing changes without knowing the cause(s) of the perceived poor performance may not result in a more efficient system.

Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity?
A. Draft and publish a clear practice for enterprise-level incident response.
B. Establish a cross-departmental working group to share perspectives.
C. Develop a scenario and perform a structured walk-through.
D. Develop a project plan for end-to-end testing of disaster recovery.

Answer: C. Develop a scenario and perform a structured walk-through.
A. Publishing an enterprise-level incident response practice is effective only if business continuity has aligned itself to incident response. Incident response supports business continuity, not the other way around.
B. Sharing perspectives is valuable, but a working group does not necessarily ensure that the interface between the plans is workable.
C. A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans.
D. A project plan developed for disaster recovery testing will not necessarily address deficiencies in business continuity or incident response.

Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement for the availability of outsourced telecommunication services?
A. Downtime reports on the telecommunication services generated by the ISP
B. A utilization report of automatic failover services generated by the enterprise
C. A bandwidth utilization report provided by the ISP
D. Downtime reports on the telecommunication services generated by the enterprise

Answer: D. Downtime reports on the telecommunication services generated by the enterprise
A. ISP-generated downtime reports are produced by the same entity that is being monitored. As a result, it is necessary to review these reports for possible bias and/or errors against other data.
B. A failover utilization report provides only indirect evidence of the extent to which the backup telecommunication services were used. It may not indicate compliance with the service level agreement, just that the failover systems have been used.
C. Bandwidth utilization reports measure the usage of bandwidth, not uptime.
D. The enterprise should use internally generated downtime reports to monitor the service provided by the ISP and, as available, compare them with the reports provided by the ISP.

Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative?
A. Perform disaster recovery exercises annually.
B. Ensure that partnering organizations are separated geographically.
C. Regularly perform a business impact analysis.
D. Select a partnering organization with similar systems.

Answer: B. Ensure that partnering organizations are separated geographically.
A. Disaster recovery exercises are important, but they are difficult to perform under a reciprocal agreement, and the greater risk is geographic proximity.
B. If the two partnering organizations are in close geographic proximity, both could be subjected to the same environmental disaster, such as an earthquake.
C. A business impact analysis will help both organizations identify critical applications, but separation is a more important consideration when entering reciprocal agreements.
D. Selecting a partnering organization with similar systems is a good idea, but separation is a more important consideration when entering reciprocal agreements.

During an audit of a business continuity plan (BCP), an IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following areas should be reconciled FIRST?
A. Evacuation plan
B. Recovery priorities
C. Backup storages
D. Call tree

Answer: A. Evacuation plan
A. Protecting human resources during a disaster-related event should be addressed first. Having separate business continuity plans could result in conflicting evacuation plans, jeopardizing the safety of staff and clients.
B. Recovery priorities may be unique to each department and could be addressed separately, but they should still be reviewed for possible conflicts and/or opportunities for cost reduction, after the issue of human safety has been analyzed.
C. Backup storage is not critical to the integration of the plans for the various departments. Life safety is always the first priority.
D. Communication during a crisis is always a challenge, but the call tree is not as important as ensuring life safety first.

An IS auditor finds that database administrators (DBAs) have access to the log location on the database server and the ability to purge logs from the system. What is the BEST audit recommendation to ensure that DBA activity is effectively monitored?
A. Change permissions to prevent DBAs from purging logs.
B. Forward database logs to a centralized log server to which the DBAs do not have access.
C. Require that critical changes to the database are formally approved.
D. Back up database logs to tape.

Answer: B. Forward database logs to a centralized log server to which the DBAs do not have access.
A. Changing permissions may not be feasible and does not adequately protect the availability and integrity of the database logs.
B. To protect the availability and integrity of the database logs, it is most feasible to forward them to a centralized log server to which the DBAs do not have access.
C. Requiring formal approval of critical changes does not adequately protect the availability and integrity of the database logs.
D. Backing up database logs to tape does not adequately protect the availability and integrity of the database logs.

A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP?
A. Full-scale test with relocation of all departments, including IT, to the contingency site
B. Walk-through test of a series of predefined scenarios with all critical personnel involved
C. IT disaster recovery test with business departments involved in testing the critical applications
D. Functional test of a scenario with limited IT involvement

Answer: D. Functional test of a scenario with limited IT involvement
A. A full-scale test in the situation described might fail because it would be the first time that the plan is actually exercised, and a number of resources (including IT) and time would be wasted.
B. The walk-through test is a basic type of testing. Its intention is to make key staff familiar with the plan and discuss critical plan elements rather than to verify its adequacy.
C. The recovery of applications should always be verified and approved by the business instead of being purely IT-driven. However, the IT plan has been tested repeatedly, so a disaster recovery test would not help in verifying the administrative and organizational parts of the BCP, which are not IT-related.
D. After a tabletop exercise has been performed, the next step is a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Because the IT part of the recovery has been tested for years, it is more efficient to verify and optimize the BCP before involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule.

An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
A. Commands typed on the command line are logged.
B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.
C. Access to the operating system command line is granted through an access restriction tool with preapproved rights.
D. Software development tools and compilers have been removed from the production environment.

Answer: B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.
A. Having a log is not a control; reviewing the log is a control, and the option says nothing about review.
B. Matching hash keys over time allows detection of changes to files, provided the reference hashes of the authorized versions are stored where the developers cannot alter them.
C. Because operator access was already granted at the command line level, it will be possible for the developers to bypass an access restriction tool.
D. Removing development tools and compilers from the production environment will not mitigate the risk of unauthorized activity by the developers, who can still copy in programs built elsewhere.

Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with change control procedures in an organization?
A. Review software migration records and verify approvals.
B. Identify changes that have occurred and verify approvals.
C. Review change control documentation and verify approvals.
D. Ensure that only appropriate staff can migrate changes into production.

Answer: B. Identify changes that have occurred and verify approvals.
A. Software migration records may not list all changes; changes could have been made that were not included in the migration records.
B. The most effective method is to determine what changes have actually been made (by checking logs and file modification dates) and then verify that each of them has been approved.
C. Change control records may not list all changes.
D. Ensuring that only appropriate staff can migrate changes into production is a key control but, in itself, does not verify compliance.
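The three questions above on recording release baselines, detecting unauthorized program changes by hash comparison, and identifying changes that actually occurred before verifying their approvals all rest on the same mechanism, so one added example serves all three. It is not code from the original page or from any configuration management product. It records a SHA-256 baseline of a production tree, recomputes it later, reports what changed, and then subtracts the paths covered by approved change records; the directory layout, file contents and the change record "CR-1187" are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_baseline(root):
    """SHA-256 of every regular file under root, keyed by path relative to root.
    Run at release time to record the authorized baseline; run again later to
    see what is actually in production now."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}

def diff_baseline(baseline, current):
    """Files whose hash differs from the recorded baseline, plus files that
    appeared or disappeared since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def unapproved_changes(diff, approved_paths):
    """Every detected change that no approved change record covers."""
    changed = set(diff["modified"]) | set(diff["added"]) | set(diff["removed"])
    return sorted(changed - set(approved_paths))

def demo():
    """Constructed production tree; the hypothetical change record CR-1187
    approves only the etc/app.conf edit."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp)
        (prod / "bin").mkdir()
        (prod / "etc").mkdir()
        (prod / "bin" / "billing").write_bytes(b"release 4.2 billing binary")
        (prod / "bin" / "report").write_bytes(b"release 4.2 report binary")
        (prod / "etc" / "app.conf").write_text("mode=prod\n")
        baseline = build_baseline(prod)  # recorded by the CM process at release

        # Later activity on the box: one approved config change, one binary
        # patched outside change control, one file dropped in by a developer.
        (prod / "etc" / "app.conf").write_text("mode=prod\ndebug=0\n")
        (prod / "bin" / "billing").write_bytes(b"release 4.2 billing binary PATCHED")
        (prod / "bin" / "helper").write_bytes(b"dropped by developer")

        diff = diff_baseline(baseline, build_baseline(prod))
        approved = {"etc/app.conf"}  # paths listed on approved change records (CR-1187)
        return diff, unapproved_changes(diff, approved)

if __name__ == "__main__":
    diff, unapproved = demo()
    print(diff)
    print("changes with no approval:", unapproved)  # ['bin/billing', 'bin/helper']
```

Two practical points the questions imply but do not spell out: the baseline manifest has to be stored where the people being monitored cannot rewrite it (a read-only share or a separate host), otherwise a developer can re-baseline their own change; and the comparison is on content hashes rather than modification times, because a timestamp can be reset with a single command while a hash cannot be forged without changing the file back.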

During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend?
A. Implement a properly documented process for application role change requests.
B. Hire additional staff to provide a segregation of duties for application role changes.
C. Implement an automated process for changing application roles.
D. Document the current procedure in detail and make it available on the enterprise intranet.

Answer: A. Implement a properly documented process for application role change requests.
A. The IS auditor should recommend implementation of processes that could prevent or detect improper changes to the major application roles. The application role change request process should start with, and be approved by, the business owner; then the IS director can make the changes to the application.
B. While it is preferred that strict segregation of duties be adhered to and that additional staff be recruited, this is not always possible in small enterprises. The IS auditor must look at recommended alternative processes.
C. An automated process for managing application roles may not be practical to prevent improper changes being made by the IS director, who also has the most privileged access to the application.
D. Making the existing process available on the enterprise intranet would not provide any value in protecting the system.

An organization has implemented an online customer help desk application using a software as a service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide?
A. Ask the SaaS vendor to provide a weekly report on application uptime.
B. Implement an online polling tool to monitor the application and record outages.
C. Log all application outages reported by users and aggregate the outage time weekly.
D. Contract an independent third party to provide weekly reports on application uptime.

Answer: B. Implement an online polling tool to monitor the application and record outages.
A. Weekly application availability reports are useful, but they represent only the vendor's perspective. While monitoring these reports, the organization can raise concerns of inaccuracy; however, without internal monitoring, such concerns cannot be substantiated.
B. This is the best option for an organization to monitor the availability of the SaaS application. Comparing internal reports with the vendor's SLA reports ensures that the vendor's monitoring of the SLA is accurate and that all conflicts are appropriately resolved.
C. Logging the outage times reported by users is helpful but does not give a true picture of all outages of the online application. Some outages may go unreported, especially if they are intermittent.
D. Contracting a third party to implement availability monitoring is not a cost-effective option. Additionally, it shifts the problem from monitoring the SaaS vendor to monitoring the third party.
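Both this question and the earlier one on ISP downtime reports come down to the same control: the enterprise produces its own availability evidence rather than relying on the monitored party's. The following is an added example of such a polling tool, not code from the page or from any SaaS vendor. The `probe` function performs a real HTTP check but is not exercised offline; `constructed_week` fabricates one week of one-minute probe results with two outages so that the summary and SLA comparison can be run without network access. The SLA threshold and the outage timings are assumptions chosen for the illustration.

```python
import urllib.error
import urllib.request
from datetime import datetime, timedelta

PROBE_INTERVAL = timedelta(minutes=1)

def probe(url, timeout=5.0):
    """One availability check: True when the endpoint answers with a 2xx/3xx
    status inside the timeout. Any HTTP error, connection failure or timeout
    counts as 'down'. (Not called in the offline demo below.)"""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (urllib.error.URLError, OSError):
        return False

def summarize(samples, interval=PROBE_INTERVAL):
    """samples: list of (timestamp, up) taken every `interval`.
    Groups consecutive 'down' samples into outages and computes availability."""
    outages, start = [], None
    for ts, up in samples:
        if not up and start is None:
            start = ts
        elif up and start is not None:
            outages.append((start, ts))
            start = None
    if start is not None:  # still down at the end of the window
        outages.append((start, samples[-1][0] + interval))
    downtime = sum((end - begin for begin, end in outages), timedelta())
    total = len(samples) * interval
    return {
        "outages": outages,
        "downtime_minutes": downtime.total_seconds() / 60,
        "availability_pct": 100.0 * (1 - downtime / total),
    }

def sla_breached(summary, sla_pct):
    return summary["availability_pct"] < sla_pct

def constructed_week():
    """Constructed probe results for one week at one-minute resolution:
    a 45-minute outage on day 1 and a 5-minute blip on day 4."""
    t0 = datetime(2024, 3, 4)
    down = set(range(600, 645)) | set(range(5000, 5005))
    return [(t0 + i * PROBE_INTERVAL, i not in down) for i in range(7 * 24 * 60)]

if __name__ == "__main__":
    s = summarize(constructed_week())
    print(f"outages={len(s['outages'])} downtime={s['downtime_minutes']:.0f} min "
          f"availability={s['availability_pct']:.3f}%")
    print("99.9% SLA breached:", sla_breached(s, 99.9))  # True
```

A 99.9% weekly SLA allows roughly ten minutes of downtime, so the constructed 50 minutes is a breach; the value to the auditor is that the outage start and end times come from the enterprise's own records and can be set beside the vendor's weekly figure line by line. In production the probes should run from more than one network location, so that a single failed link is not mistaken for a vendor outage.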

In auditing a database environment, an IS auditor will be MOST concerned if the database administrator is performing which of the following functions?
A. Performing database changes according to change management procedures
B. Installing patches or upgrades to the operating system
C. Sizing table space and consulting on table join limitations
D. Performing backup and recovery procedures

Answer: B. Installing patches or upgrades to the operating system
A. Performing database changes according to change management procedures is a normal function of the DBA and is compliant with the procedures of the organization.
B. Installing operating system patches or upgrades is a function that should be performed by a systems administrator, not by a database administrator (DBA). If a DBA were performing this function, there would be a risk based on inappropriate segregation of duties.
C. A DBA is expected to support the business by helping to design, create and maintain databases and the interfaces to them; sizing table space and advising on table joins is part of that role.
D. The DBA often performs or supports database backup and recovery procedures.

A new business requirement required changing database vendors. Which of the following areas should the IS auditor PRIMARILY examine in relation to this implementation? Integrity of the data Timing of the cutover Authorization level of users Normalization of the data

Integrity of the data A critical issue when migrating data from one database to another is the integrity of the data and ensuring that the data are migrated completely and correctly. The timing of the cutover is important, but because the data are being migrated to a new database, duplication should not be an issue. The authorization of the users is not as relevant as the authorization of the application because the users will interface with the database through an application, and the users will not directly interface with the database. Normalization is used to design the database and is not necessarily related to database migration.

When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment approaches is being applied? Transfer Mitigation Avoidance Acceptance

Mitigation Risk transfer is the transference of risk to a third party (e.g., buying insurance for activities that pose a risk). A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan, it is a risk mitigation strategy. Risk avoidance is the decision to cease operations or activities that give rise to a risk. For example, a company may stop accepting credit card payments to avoid the risk of credit card information disclosure. Risk acceptance occurs when an organization decides to accept the risk as it is and to do nothing to mitigate or transfer it.

Which of the following is the MOST critical element to effectively execute a disaster recovery plan? Offsite storage of backup data Up-to-date list of key disaster recovery contacts Availability of a replacement data center Clearly defined recovery time objective (RTO)

Offsite storage of backup data Remote storage of backups is the most critical disaster recovery plan (DRP) element of the items listed because access to backup data is required to restore systems. Having a list of key contacts is important but not as important as having adequate data backup. A DRP may use a replacement data center or some other solution such as a mobile site, reciprocal agreement or outsourcing agreement. Having a clearly defined recovery time objective is especially important for business continuity planning, but the core element of disaster recovery (the recovery of IT infrastructure and capability) is data backup.

Which of the following is the MOST efficient and sufficiently reliable way to test the design effectiveness of a change control process? Test a sample population of change requests Test a sample of authorized changes Interview personnel in charge of the change control process Perform an end-to-end walk-through of the process

Perform an end-to-end walk-through of the process Testing a sample population of changes is a test of compliance and operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization or detect changes that bypassed the controls. This is not as effective as a walk-through of the change controls process because people may know the process but not follow it. Observation is the best and most effective method to test changes to ensure that the process is effectively designed.

Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another? Compare the hash total before and after the migration. Verify that the number of records is the same for both databases. Perform sample testing of the migrated account balances. Compare the control totals of all of the transactions.

Perform sample testing of the migrated account balances. The hash total will only validate the data integrity at a batch level rather than at a transaction level. Databases are composed of records that can contain multiple fields. The number of records will not allow an IS auditor to ascertain whether some of these fields have been successfully migrated. This will involve the comparison of a selection of individual transactions from the database before and after the migration. This does not imply that the records are complete or that individual values are accurate.

Which of the following would contribute MOST to an effective business continuity plan? The document is circulated to all interested parties. Planning involves all user departments. The plan is approved by senior management. An audit is performed by an external IS auditor.

Planning involves all user departments. The BCP circulation will ensure that the BCP document is received by all users. Although essential, this does not contribute significantly to the success of the BCP. The involvement of user departments in the business continuity plan (BCP) is crucial for the identification of the business processing priorities and the development of an effective plan. A BCP approved by senior management would not necessarily ensure the effectiveness of the BCP. An audit would not necessarily improve the quality of the BCP.

Which of the following is a continuity plan test that simulates a system crash and uses actual resources to cost-effectively obtain evidence about the plan's effectiveness? Paper test Posttest Preparedness test Walk-through

Preparedness test This is a walk-through of the plan, involving major players, who attempt to determine what might happen in a particular type of service disruption in the plan's execution. A paper test usually precedes the preparedness test. This is actually a test phase and comprises a group of activities such as returning all resources to their proper place, disconnecting equipment, returning personnel and deleting all company data from third-party systems. This is a localized version of a full test, wherein resources are expended in the simulation of a system crash. This test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan's effectiveness. It also provides a means to improve the plan in increments. This is a test involving a simulated disaster situation that tests the preparedness and understanding of management and staff rather than the actual resources.

An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan? Full operational test Preparedness test Paper test Regression test

Preparedness test This is conducted after the paper and preparedness tests and is quite expensive. This is performed by each local office/area to test the adequacy of the preparedness of local operations for disaster recovery. This is a structured walk-through of the disaster recovery plan and should be conducted before a preparedness test, but a paper test (desk check) is not sufficient to test the viability of the plan. This is not a disaster recovery plan test and is used in software development and maintenance.

An IS auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel? Production access is granted to the individual support ID when needed. Developers use a firefighter ID to promote code to production. A dedicated user promotes emergency changes to production. Emergency changes are authorized prior to promotion.

Production access is granted to the individual support ID when needed. Production access should be controlled and monitored to ensure segregation of duties. During an emergency change, a user who normally does not have access to production may require access. The best process to ensure accountability within the production system is to have the information security team create a production support group and add the user ID to that group to promote the change. When the change is complete the ID can be removed from the group. This process ensures that activity in production is linked to the specific ID that was used to make the change. Some organizations may use a firefighter ID, which is a generic/shared ID, to promote changes to production. When needed, the developer can use this ID to access production. It may still be difficult to determine who made the change; therefore, although this process is commonly used, the use of a production support ID is a better choice. Having a dedicated user who promotes changes to production in an emergency is ideal but is generally not cost-effective and may not be realistic for emergency changes. Emergency changes are, by definition, unauthorized changes. Approvals usually are obtained following promotion of the change to production. All changes should be auditable, and that can best be accomplished by having a user ID added/removed to the production support group as needed.

Which of the following is a network diagnostic tool that monitors and records network information? Online monitor Downtime report Help desk report Protocol analyzer

Protocol analyzer These measure telecommunication transmissions and determine whether transmissions were accurate and complete. These track the availability of telecommunication lines and circuits. These are prepared by the help desk, which is staffed or supported by IS technical support personnel trained to handle problems occurring during the course of IS operations. These are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached.

Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production? Provide and monitor separate developer login IDs for programming and for production support. Capture activities of the developer in the production environment by enabling detailed audit trails. Back up all affected records before allowing the developer to make production changes. Ensure that all changes are approved by the change manager prior to implementation.

Provide and monitor separate developer login IDs for programming and for production support. Providing separate login IDs that would only allow a developer privileged access when required is a good compensating control, but it must also be backed up with monitoring and supervision of the activity of the developer. While capturing activities of the developer via audit trails or logs would be a good practice, the control would not be effective unless these audit trails are reviewed on a periodic basis. This would allow for rollback in case of an error but would not prevent or detect unauthorized changes. Even though changes are approved by the change manager, a developer with full access can easily circumvent this control.

In the event of a data center disaster, which of the following would be the MOST appropriate strategy to enable a complete recovery of a critical database? Daily data backup to tape and storage to a remote site Real-time replication to a remote site Hard disk mirroring to a local server Real-time data backup to the local storage area network

Real-time replication to a remote site Daily tape backup recovery could result in a loss of a day's work of data. With real-time replication to a remote site, data are updated simultaneously in two separate locations; therefore, a disaster in one site would not damage the information located in the remote site. This assumes that both sites were not affected by the same disaster. Hard disk mirroring to a local server takes place in the same data center and could possibly be affected by the same disaster. Real-time data backup to the local storage area network takes place in the same data center and could possibly be affected by the same disaster.

Which of the following is the BEST indicator of the effectiveness of backup and restore procedures while restoring data after a disaster? Members of the recovery team were available. Recovery time objectives were met. Inventory of backup tapes was properly maintained. Backup tapes were completely restored at an alternate site.

Recovery time objectives were met. The availability of key personnel does not ensure that backup and restore procedures will work effectively. The effectiveness of backup and restore procedures is best ensured by RTOs being met, because these are the requirements that are critically defined during the business impact analysis stage, with the inputs and involvement of all business process owners. The inventory of the backup tapes is only one element of the successful recovery. The restoration of backup tapes is a critical success, but only if they were able to be restored within the time frames set by the RTO.

An organization has just completed its annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization? Review and evaluate the business continuity plan for adequacy Perform a full simulation of the business continuity plan Train and educate employees regarding the business continuity plan Notify critical contacts in the business continuity plan

Review and evaluate the business continuity plan for adequacy The business continuity plan should be reviewed every time a risk assessment is completed for the organization. Performing a simulation should be completed after the business continuity plan has been deemed adequate for the organization. Training of the employees should be performed after the business continuity plan has been deemed adequate for the organization. There is no reason to notify the business continuity plan contacts at this time.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server? Manually copy files to accomplish replication. Review changes in the software version control system. Ensure that developers do not have access to the backup server. Review the access control log of the backup server.

Review changes in the software version control system. Even if replication is conducted manually with due care, there still remains a risk of copying unauthorized software from one server to another. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Only moving the versions on the version control system program will prevent the transfer of development or earlier versions. If unauthorized code was introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.

Which of the following choices BEST ensures accountability when updating data directly in a production database? Review of audit logs Principle of least privilege Approved validation plan Segregation of duties

Review of audit logs Detailed audit logs that contain the user ID of the individual who performed the change as well as the data before and after the change are the best evidence of database changes. A review of these logs would evidence the individual who changed the data (ensuring accountability) as well as the correctness of the change. Although access to production databases should be controlled by the principle of least privilege, this does not evidence who made the change or if the change was made correctly. Having an approved validation plan evidences that the change was made correctly but does not show who made the change in production. Only a system-generated audit log can prove accountability. This only ensures that the user making the data change is different than the individual who approved the data change. It would not evidence the individual who made the change, nor would it ensure that the data change was correct.

An IS auditor is assessing services provided by an Internet service provider (ISP) during an IS compliance audit of a nationwide corporation that operates a governmental program. Which of the following is MOST important? Review the request for proposal. Review monthly performance reports generated by the ISP. Review the service level agreement. Research other clients of the ISP.

Review the service level agreement. Because the request for proposal is not the contracted agreement, it is more relevant to review the terms of the service level agreement. The reports from the ISP are indirect evidence that may require further review to ensure accuracy and completeness. A service level agreement provides the basis for an adequate assessment of the degree to which the provider is meeting the level of agreed-on service. The services provided to other clients of the ISP are irrelevant to the IS auditor.

A programmer maliciously modified a production program to change data and then restored it back to the original code. Which of the following would MOST effectively detect the malicious activity? Comparing source code Reviewing system log files Comparing object code Reviewing executable and source code integrity

Reviewing system log files Source code comparisons are ineffective because the original programs were restored, and the changed program does not exist. This is the only trail that may provide information about the unauthorized activities in the production library. Object code comparisons are ineffective because the original programs were restored, and the changed program does not exist. This is an ineffective control, because the source code was changed back to the original and will agree with the current executable.

Which of the following is the BEST method for an IS auditor to verify that critical production servers are running the latest security updates released by the vendor? Ensure that automatic updates are enabled on critical production servers. Verify manually that the patches are applied on a sample of production servers. Review the change management log for critical production servers. Run an automated tool to verify the security patches on production servers.

Run an automated tool to verify the security patches on production servers. This may be a valid way to manage the patching process; however, this would not provide assurance that all servers are being patched appropriately. This will be less effective than automated testing and introduces a significant audit risk. Manual testing is also difficult and time-consuming. The change management log may not be updated on time and may not accurately reflect the patch update status on servers. A better testing strategy is to test the server for patches, rather than examining the change management log. An automated tool can immediately provide a report on which patches have been applied and which are missing.

Which of the following is the GREATEST risk when storage growth in a critical file server is not managed properly? Backup time would steadily increase. Backup operational costs would significantly increase. Storage operational costs would significantly increase. Server recovery work may not meet the recovery time objective.

Server recovery work may not meet the recovery time objective. Backup time may increase, but that can be managed. The most important issue is the time taken to recover the data. The backup cost issues are not as significant as not meeting the RTO. The storage cost issues are not as significant as not meeting the RTO. In case of a crash, recovering a server with an extensive amount of data could require a significant amount of time. If the recovery cannot meet the RTO, there will be a discrepancy in IT strategies. It is important to ensure that server restoration can meet the RTO.

Which of the following should the IS auditor review to ensure that servers are optimally configured to support processing requirements? Benchmark test results Server logs Downtime reports Server utilization data

Server utilization data Benchmark tests are designed to compare system performance using standardized criteria; however, benchmark testing does not provide the best data to ensure the optimal configuration of servers in an organization. A server log contains data showing activities performed on the server but does not contain the utilization data required to ensure the optimal configuration of servers. A downtime report identifies the elapsed time when a computer is not operating correctly because of machine failure but is not useful in determining optimal server configurations. Monitoring server utilization identifies underutilized servers and monitors overall server utilization. Underutilized servers do not provide the business with optimal cost-effectiveness. By monitoring server usage, IT management can take appropriate measures to raise the utilization ratio and provide the most effective return on investment.

During a data center audit, an IS auditor observes that some parameters in the tape management system are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness? Staging and job setup Supervisory review of logs Regular backup of tapes Offsite storage of tapes

Staging and job setup If the IS auditor finds that there are effective staging and job setup processes, this can be accepted as a compensating control. Not reading header records may otherwise result in loading the wrong tape and deleting or accessing data on the loaded tape. This is a detective control that would not prevent loading of the wrong tapes. This is not related to bypassing tape header records. This would not prevent loading the wrong tape because of bypassing header records.

A disaster recovery plan for an organization's financial system specifies that the recovery point objective is zero and the recovery time objective is 72 hours. Which of the following is the MOST cost-effective solution? A hot site that can be operational in eight hours with asynchronous backup of the transaction logs Distributed database systems in multiple locations updated asynchronously Synchronous updates of the data and standby active systems in a hot site Synchronous remote copy of the data in a warm site that can be operational in 48 hours

Synchronous remote copy of the data in a warm site that can be operational in 48 hours A hot site would meet the RTO but would incur higher costs than necessary. Asynchronous updates of the database in distributed locations do not meet the recovery point objective (RPO). These meet the RPO and RTO requirements but are costlier than a warm site solution. This is correct as it meets the required recovery time objective (RTO).

Which of the following controls would provide the GREATEST assurance of database integrity? Audit log procedures Table link/reference checks Query/table access time checks Rollback and rollforward database features

Table link/reference checks These enable recording of all events that have been identified and help in tracing the events. However, they only point to the event and do not ensure completeness or accuracy of the database contents. Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity. Querying/monitoring table access time checks helps designers improve database performance but not integrity. These ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database.

An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability? Changes are authorized by IT managers at all times. User acceptance testing is performed and properly documented. Test plans and procedures exist and are closely followed. Capacity planning is performed as part of each development project.

Test plans and procedures exist and are closely followed. Changes are usually required to be signed off by a business analyst, member of the change control board or other authorized representative, not necessarily by IT management. User acceptance testing is important but not a critical element of change control and would not usually address the topic of availability as asked in the question. The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently. While capacity planning should be considered in each development project, it will not ensure system availability, nor is it part of the change control process.

During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor's GREATEST concern? Restoration testing for backup media is not performed; however, all data restore requests have been successful. The policy for data backup and retention has not been reviewed by the business owner for the past three years. The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually. Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator.

The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually. Lack of restoration testing does not increase the risk of unauthorized leakage of information. Not performing restoration tests on backup tapes poses a risk; however, this risk is somewhat mitigated because past data restore requests have been successful. Lack of review of the data backup and retention policy may be of a concern if systems and business processes have changed in the past three years. The IS auditor should perform additional procedures to verify the validity of existing procedures. In addition, lack of this control does not introduce a risk of unauthorized leakage of information. For a company working with confidential patient data, the loss of a backup tape is a significant incident. Privacy laws specify severe penalties for such an event, and the company's reputation could be damaged due to mandated reporting requirements. To gain assurance that tapes are being handled properly, the organization should perform audit tests that include frequent physical inventories and an evaluation of the controls in place at the third-party provider. Failed backup alerts that are not followed up on and resolved imply that certain data or files are not backed up. This is a concern if the files/data being backed up are critical in nature, but, typically, marketing data files are not regulated in the same way as medical transcription files. Lack of this control does not introduce a risk of unauthorized leakage of sensitive information.

A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk? Confidentiality of the information stored in the database The hardware being used to run the database application Backups of the information in the overseas database Remote access to the backup database

The hardware being used to run the database application This is not a major concern, because the information is intended for public use. The business objective is to make the information available to the public in a timely manner. Because the database is physically located overseas, hardware failures that are left unfixed can reduce the availability of the system to users. These are not a major concern, because the overseas database is a mirror of the local database; thus, a backup copy exists locally. This does not impact availability.

During an assessment of software development practices, an IS auditor finds that open source software components were used in an application designed for a client. What is the GREATEST concern the auditor would have about the use of open source software? The client did not pay for the open source software components. The organization and client must comply with open source software license terms. Open source software has security vulnerabilities. Open source software is unreliable for commercial use.

The organization and client must comply with open source software license terms. A major benefit of using open source software is that it is free. The client is not required to pay for the open source software components; however, both the developing organization and the client should be concerned about the licensing terms and conditions of the open source software components that are being used. There are many types of open source software licenses and each has different terms and conditions. Some open source software licensing allows use of the open source software component freely but requires that the completed software product must also allow the same rights. This is known as viral licensing, and if the development organization is not careful, its products could violate licensing terms by selling the product for profit. The IS auditor should be most concerned with open source software licensing compliance to avoid unintended intellectual property risk or legal consequences. Open source software, just like any software code, should be tested for security flaws and should be part of the normal system development life cycle (SDLC) process. This is not more of a concern than licensing compliance. Open source software does not inherently lack quality. Like any software code, it should be tested for reliability and should be part of the normal SDLC process. This is not more of a concern than licensing compliance.

In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy? Disaster tolerance is high. The recovery time objective is high. The recovery point objective is low. The recovery point objective is high.

The recovery point objective is low. Data mirroring is a data recovery technique, and disaster tolerance addresses the allowable time for an outage of the business. RTO is an indicator of the disaster tolerance. Data mirroring addresses data loss, not the RTO. The RPO indicates the latest point in time at which it is possible to recover the data. This determines how often the data must be backed up to minimize data loss. If the RPO is low, then the organization does not want to lose much data and must use a process such as data mirroring to prevent data loss. If the RPO is high, then a less expensive backup strategy can be used; data mirroring should not be implemented as the data recovery strategy.

Which of the following should be of MOST concern to an IS auditor reviewing the business continuity plan (BCP)? The disaster levels are based on scopes of damaged functions but not on duration. The difference between low-level disaster and software incidents is not clear. The overall BCP is documented, but detailed recovery steps are not specified. The responsibility for declaring a disaster is not identified.

The responsibility for declaring a disaster is not identified. Although failure to consider duration could be a problem, it is not as significant as scope, and neither is as critical as the need to identify someone with the authority to invoke the business continuity plan (BCP). The difference between incidents and low-level disasters is always unclear and frequently revolves around the amount of time required to correct the damage. The lack of detailed steps should be documented, but their absence does not mean a lack of recovery if, in fact, someone has invoked the BCP. If nobody declares the disaster, the BCP would not be invoked, making all other concerns less important.

Which of the following must exist to ensure the viability of a duplicate information processing facility? The site is near the primary site to ensure quick and efficient recovery. The site contains the most advanced hardware available. The workload of the primary site is monitored to ensure adequate backup is available. The hardware is tested when it is installed to ensure it is working properly.

The workload of the primary site is monitored to ensure adequate backup is available. The site chosen should not be subject to the same natural disaster as the primary site. Being close may be a risk or an advantage, depending on the type of expected disaster. A reasonable compatibility of hardware/software must exist to serve as a basis for backup. The latest or newest hardware may not adequately serve this need. Resource availability must be assured. The workload of the primary site must be monitored to ensure that availability at the alternate site for emergency backup use is sufficient. Testing the hardware when the site is established is essential, but regular testing of the actual backup data is necessary to ensure that the operation will continue to perform as planned.

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor? There are a growing number of emergency changes. There were instances when some jobs were not completed on time. There were instances when some jobs were overridden by computer operators. Evidence shows that only scheduled jobs were run.

There were instances when some jobs were overridden by computer operators. Emergency changes are acceptable as long as they are properly documented as part of the process. Instances of jobs not being completed on time are a potential issue and should be investigated, but they are not the greatest concern. The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical. The audit should find that all scheduled jobs were run and that any exceptions were documented. This would not be a violation.

Which of the following is the PRIMARY objective of the business continuity plan process? To provide assurance to stakeholders that business operations will continue in the event of disaster To establish an alternate site for IT services to meet predefined recovery time objectives To manage risk while recovering from an event that adversely affected operations To meet the regulatory compliance requirements in the event of natural disaster

To manage risk while recovering from an event that adversely affected operations The BCP in itself does not provide assurance of continuing operations; however, it helps the organization to respond to disruptions to critical business processes. Establishment of an alternate site is more relevant to disaster recovery than the BCP. The business continuity plan (BCP) process primarily focuses on managing and mitigating risk during recovery of operations due to an event that affected operations. The regulatory compliance requirements may help establish the recovery time objective (RTO) requirements.

An IS auditor is reviewing the change management process for an enterprise resource planning application. Which of the following is the BEST method for testing program changes? Select a sample of change tickets and review them for authorization. Perform a walk-through by tracing a program change from start to finish. Trace a sample of modified programs to supporting change tickets. Use query software to analyze all change tickets for missing fields.

Trace a sample of modified programs to supporting change tickets. This helps test for authorization controls; however, it does not identify program changes that were made without supporting change tickets. This assists the IS auditor in understanding the process but does not ensure that all changes adhere to the normal process. This is the best way to test change management controls. This method is most likely to identify instances in which a change was made without supporting documentation. This does not identify program changes that were made without supporting change tickets.

Which of the following ensures the availability of transactions in the event of a disaster? Send tapes hourly containing transactions offsite. Send tapes daily containing transactions offsite. Capture transactions to multiple storage devices. Transmit transactions offsite in real time.

Transmit transactions offsite in real time. This is not in real time and, therefore, would possibly result in the loss of one hour's worth of transactional data. This is not in real time and, therefore, could result in the loss of one day's worth of transactional data. This does not ensure availability at an offsite location. The only way to ensure availability of all transactions is to perform a real-time transmission to an offsite facility.

An IS auditor finds that the data warehouse query performance decreases significantly at certain times of the day. Which of the following controls would be MOST relevant for the IS auditor to review? Permanent table-space allocation Commitment and rollback controls User spool and database limit controls Read/write access log controls

User spool and database limit controls Table-space allocation will not affect performance at different times of the day. This will only apply to errors or failures and will not affect performance at different times of the day. User spool limits restrict the space available for running user queries. This prevents poorly formed queries from consuming excessive system resources and impacting general query performance. Limiting the space available to users in their own databases prevents them from building excessively large tables. This helps to control space utilization which itself acts to help performance by maintaining a buffer between the actual data volume stored and the physical device capacity. Additionally, it prevents users from consuming excessive resources in ad hoc table builds (as opposed to scheduled production loads that often can run overnight and are optimized for performance purposes). In a data warehouse, because you are not running online transactions, commitment and rollback does not have an impact on performance. This will not affect performance at different times of the day.

An organization completed a business impact analysis as part of business continuity planning. The NEXT step in the process is to develop: a business continuity strategy. a test and exercise plan. a user training program. the business continuity plan.

a business continuity strategy. This is the next phase because it identifies the best way to recover. The criticality of the business process, the cost, the time required to recover, and security must be considered during this phase. The recovery strategy and plan development precede the test plan. Training can only be developed once the business continuity plan (BCP) is in place. A strategy must be determined before the BCP is developed.

An organization has a business process with a recovery time objective equal to zero and a recovery point objective close to one minute. This implies that the process can tolerate: a data loss of up to one minute, but the processing must be continuous. a one-minute processing interruption but cannot tolerate any data loss. a processing interruption of one minute or more. both a data loss and a processing interruption longer than one minute.

a data loss of up to one minute, but the processing must be continuous. Recovery time objective (RTO) measures an organization's tolerance for downtime and recovery point objective (RPO) measures how much data loss can be accepted. A processing interruption of one minute would exceed the zero RTO set by the organization. This would exceed the continuous availability requirements of an RTO of zero. An RPO of one minute would only allow data loss of one minute.

An IS auditor is auditing an IT disaster recovery plan. The IS auditor should PRIMARILY ensure that the plan covers: a resilient IT infrastructure. alternate site information. documented disaster recovery test results. analysis and prioritization of business functions.

analysis and prioritization of business functions. This is typically required to minimize interruptions to IT services; however, if a critical business function does not require high availability of IT, this may not be required for all DRP elements. While the selection of an alternate site is important, the more critical issue is the prioritization of resources based on impact and RTOs of business functions. These are helpful when maintaining the DRP; however, the DRP must first and foremost be aligned with business requirements. The disaster recovery plan (DRP) must primarily focus on recovering critical business functions in the event of disaster within predefined recovery time objectives (RTOs); thus, it is necessary to align the recovery of IT services based on the criticality of business functions.

An IS auditor finds that a database administrator (DBA) has read and write access to production data. The IS auditor should: accept the DBA access as a common practice. assess the controls relevant to the DBA function. recommend the immediate revocation of the DBA access to production data. review user access authorizations approved by the DBA.

assess the controls relevant to the DBA function. Although granting access to production data to the DBA may be a common practice, the IS auditor should evaluate the relevant controls. When reviewing privileged accounts, the auditor should look for compensating controls that may address a potential exposure. The DBA should have access based on the principle of least privilege; unless care is taken to validate what access is required, revocation may remove access the DBA requires to do his/her job. Granting user authorizations is the responsibility of the data owner, not the DBA, and access to production data is not generally associated with user access authorizations.

In determining the acceptable time period for the resumption of critical business processes: only downtime costs need to be considered. recovery operations should be analyzed. both downtime costs and recovery costs need to be evaluated. indirect downtime costs should be ignored.

both downtime costs and recovery costs need to be evaluated. Downtime costs cannot be looked at in isolation. The quicker information assets can be restored and business processing resumed, the smaller the downtime costs. However, the expenditure needed to have the redundant capability required to rapidly recover information resources might be prohibitive for nonessential business processes. Recovery operations alone do not determine the acceptable time period for the resumption of critical business processes, and indirect downtime costs should be considered in addition to the direct cash outflows incurred due to business disruption. These both need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis should be a recovery strategy that represents the optimal balance. The indirect costs of a serious disruption to normal business activity (e.g., loss of customer and supplier goodwill and loss of market share) may actually be more significant than direct costs over time, thus reaching the point where business viability is threatened.

For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be: stored in a secure, offsite facility. approved by senior management. communicated to appropriate personnel. made available through the enterprise's intranet.

communicated to appropriate personnel. The BCP, if kept in a safe place, will not reach the users; users will never implement the BCP and, thus, the BCP will be ineffective. Senior management approval is a prerequisite for designing and approving the BCP but is less important than making sure that the plan is available to all key personnel to ensure that the plan will be effective. The implementation of a business continuity plan (BCP) will be effective only if appropriate personnel are informed and aware of all the aspects of the BCP. Making a BCP available on an enterprise's intranet does not guarantee that personnel will be able to access, read or understand it.

During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the: event error log generated at the disaster recovery site. disaster recovery test plan. disaster recovery plan. configurations and alignment of the primary and disaster recovery sites.

configurations and alignment of the primary and disaster recovery sites. If the issue cannot be clarified, the IS auditor should then review the event error log. This would not identify any issues related to system performance unless the test was poorly designed and inefficient, but that would come after checking the configuration. Reviewing the disaster recovery plan would be unlikely to provide any information about system performance issues. Because the configuration of the system is the most probable cause, the IS auditor should review that first.

Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by: database integrity checks. validation checks. input controls. database commits and rollbacks.

database commits and rollbacks. These are important to ensure database consistency and accuracy. These include isolation, concurrency and durability controls, but the most important issue here is atomicity—the requirement for transactions to complete entirely and commit or else roll back to the last known good point. These will prevent introduction of corrupt data but will not address system failure. These are important to protect the integrity of input data but will not address system failure. These ensure that the data are saved after the transaction processing is completed. Rollback ensures that the processing that has been partially completed as part of the transaction is reversed back and not saved if the entire transaction does not complete successfully.

An IS auditor notes that patches for the operating system used by an organization are deployed by the IT department as advised by the vendor. The MOST significant concern an IS auditor should have with this practice is that IT has NOT considered: the training needs for users after applying the patch. any beneficial impact of the patch on the operational systems. delaying deployment until testing the impact of the patch. the necessity of advising end users of new patches.

delaying deployment until testing the impact of the patch. Normally, there is no need for training users when a new operating system patch has been installed. Any beneficial impact is less important than the risk of unavailability, which could be avoided with proper testing. Deploying patches without testing exposes an organization to the risk of system disruption or failure. Normally, there is no need for advising users when a new operating system patch has been installed except to ensure that the patch is applied at a time that will have minimal impact on operations.

The MAIN criterion for determining the severity level of a service disruption incident is: cost of recovery. negative public opinion. geographic location. downtime.

downtime. The cost of recovery could be minimal, yet the service downtime could have a major impact. Negative public opinion is a symptom of an incident; it is a factor in determining impact but not the most important one. Geographic location does not determine the severity of the incident. The longer the period of time a client cannot be serviced, the greater the severity (impact) of the incident.

Depending on the complexity of an organization's business continuity plan (BCP), it may be developed as a set of plans to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that: each plan is consistent with one another. all plans are integrated into a single plan. each plan is dependent on one another. the sequence for implementation of all plans is defined.

each plan is consistent with one another. Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery, but the plans must be consistent to be effective. The plans do not necessarily have to be integrated into one single plan. Although each plan may be independent, each plan has to be consistent with other plans to have a viable business continuity planning strategy. It may not be possible to define a sequence in which plans have to be implemented because it may be dependent on the nature of disaster, criticality, recovery time, etc.

The GREATEST advantage of using web services for the exchange of information between two systems is: secure communication. improved performance. efficient interfacing. enhanced documentation.

efficient interfacing. Communication is not necessarily more secure using web services. The use of web services will not necessarily increase performance. Web services facilitate the interoperable exchange of information between two systems regardless of the operating system or programming language used. There is no documentation benefit in using web services.

The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks level 1 in a file server is to: achieve performance improvement. provide user authentication. ensure availability of data. ensure the confidentiality of data.

ensure availability of data. RAID level 1 does not improve performance. It writes the data to two separate disk drives. RAID level 1 has no relevance to authentication. Redundant Array of Inexpensive Disks (RAID) level 1 provides disk mirroring. Data written to one disk are also written to another disk. Users in the network access data in the first disk; if disk one fails, the second disk takes over. This redundancy ensures the availability of data. RAID level 1 does nothing to provide for data confidentiality.

An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should: apply the patch according to the patch's release notes. ensure that a good change management process is in place. thoroughly test the patch before sending it to production. approve the patch after doing a risk assessment.

ensure that a good change management process is in place. The IS auditor should not apply the patch. That is an administrator responsibility. An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The testing of the patch is the responsibility of the development or production support team, not the auditor. The IS auditor is not authorized to approve a patch. That is a responsibility of a steering committee.

The PRIMARY benefit of an IT manager monitoring technical capacity is to: identify the need for new hardware and storage procurement. determine the future capacity need based on usage. ensure that the service level requirements are met. ensure that systems operate at optimal capacity.

ensure that the service level requirements are met. This is one benefit of monitoring technical capacity because it can help forecast future demands, not just react to system failures. However, the primary responsibility of the IT manager is to meet the overall requirement to ensure that IT is meeting the service level expectations of the business. Determining future capacity is one definite benefit of technical capacity monitoring. Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal service level agreement between the business and IT. IT management is interested in ensuring that systems are operating at optimal capacity, but their primary obligation is to ensure that IT is meeting the service level requirements of the business.

The BEST audit procedure to determine if unauthorized changes have been made to production code is to: examine the change control system records and trace them forward to object code files. review access control permissions operating within the production program libraries. examine object code to find instances of changes and trace them back to change control records. review change approved designations established within the change control system.

examine object code to find instances of changes and trace them back to change control records. Checking the change control system will not detect changes that were not recorded in the control system. Reviewing access control permissions will not identify unauthorized changes made previously. The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes. Reviewing change approved designations will not identify unauthorized changes.

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that: assessment of the situation may be delayed. execution of the disaster recovery plan could be impacted. notification of the teams might not occur. potential crisis recognition might be delayed.

execution of the disaster recovery plan could be impacted. Problem and severity assessment would provide information necessary in declaring a disaster, but the lack of a crisis declaration point would not delay the assessment. Execution of the business continuity and disaster recovery plans would be impacted if the organization does not know when to declare a crisis. After a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying the declaration of a disaster would impact or negate the effect of having response teams, but this is only one part of the larger impact. Potential crisis recognition is the first step in recognizing or responding to a disaster and would occur prior to the declaration of a disaster.

The PRIMARY objective of testing a business continuity plan is to: familiarize employees with the business continuity plan. ensure that all residual risk is addressed. exercise all possible disaster scenarios. identify limitations of the business continuity plan.

identify limitations of the business continuity plan. This is a secondary benefit of a test. It is not cost-effective to address all residual risk in a business continuity plan. It is not practical to test all possible disaster scenarios. Testing the business continuity plan provides the best evidence of any limitations that may exist.

The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a DRP, will MOST likely: increase. decrease. remain the same. be unpredictable.

increase. Due to the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation (i.e., the cost of normal operations during a nondisaster period will be more than the cost of operations during a nondisaster period when no DRP was in place). The implementation of a DRP will always result in additional costs to the organization. The implementation of a DRP will always result in additional costs to the organization. The costs of a DRP are fairly predictable and consistent.

The database administrator suggests that database efficiency can be improved by denormalizing some tables. This would result in: loss of confidentiality. increased redundancy. unauthorized accesses. application malfunctions.

increased redundancy. Denormalization should not cause loss of confidentiality even though confidential data may be involved. The database administrator should ensure that access controls to the databases remain effective. Redundancy, which is usually considered positive when it is a question of resource availability, is negative in a database environment because it demands additional and otherwise unnecessary data handling efforts. Denormalization, which is sometimes advisable for functional reasons, increases redundancy while normalization decreases redundancy. Denormalization pertains to the structure of the database, not the access controls. It should not result in unauthorized access. Denormalization may require some changes to the calls between databases and applications but should not cause application malfunctions.

An IS auditor should recommend the use of library control software to provide reasonable assurance that: program changes have been authorized. only thoroughly tested programs are released. modified programs are automatically moved to production. source and executable code integrity is maintained.

program changes have been authorized. Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. Library control software is concerned with authorized program changes and cannot determine whether programs have been thoroughly tested. Programs should not be moved automatically into production without proper authorization. Library control software provides reasonable assurance that the source code and executable code are matched at the time a source code is moved to production. Access control will ensure the integrity of the software, but the most important benefit of version control software is to ensure that all changes are authorized.

While reviewing the process for continuous monitoring of the capacity and performance of IT resources, an IS auditor should PRIMARILY ensure that the process is focused on: adequately monitoring service levels of IT resources and services. providing data to enable timely planning for capacity and performance requirements. providing accurate feedback on IT resource capacity. properly forecasting performance, capacity and throughput of IT resources.

providing accurate feedback on IT resource capacity. Continuous monitoring helps to ensure that service level agreements (SLAs) are met, but this would not be the primary focus of monitoring. It is possible that even if a system were offline, it would meet the requirements of an SLA. Therefore, accurate availability monitoring is more important. While data gained from capacity and performance monitoring would be an input to the planning process, the primary focus would be to monitor availability. Accurate capacity monitoring of IT resources would be the most critical element of a continuous monitoring process. While continuous monitoring would help management to predict likely IT resource capabilities, the more critical issue would be that availability monitoring is accurate.

To address an organization's disaster recovery requirements, backup intervals should not exceed the: service level objective. recovery time objective. recovery point objective. maximum acceptable outage.

recovery point objective. Organizations will try to set service level objectives to meet established business targets. The resulting time for the service level agreement relates to recovery of services, not to recovery of data. The recovery time objective (RTO) defines the time period after the disaster in which normal business functionality needs to be restored. The recovery point objective (RPO) defines the point in time to which data must be restored after a disaster to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time frame. If the backups are not done frequently enough, then too many data are likely to be lost. The maximum acceptable outage (MAO) is the maximum amount of system downtime that is tolerable. It can be used as a synonym for maximum tolerable period of disruption or maximum allowable downtime. However, the RTO denotes an objective/target, while the MAO constitutes a vital necessity for an organization's survival.

During the design of a business continuity plan, the business impact analysis identifies critical processes and supporting applications. This will PRIMARILY influence the: responsibility for maintaining the business continuity plan. criteria for selecting a recovery site provider. recovery strategy. responsibilities of key personnel.

recovery strategy. This is decided after the selection or design of the appropriate recovery strategy and development of the plan. These are decided after the selection or design of the appropriate recovery strategy. The most appropriate strategy is selected based on the relative risk level, time lines and criticality identified in the business impact analysis. These are decided after the selection or design of the appropriate recovery strategy during the plan development phase.

Recovery procedures for an information processing facility are BEST based on: recovery time objective. recovery point objective. maximum tolerable outage. information security policy.

recovery time objective. This is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; the RTO is the desired recovery time frame based on maximum tolerable outage (MTO) and available recovery alternatives. This has the greatest influence on the recovery strategies for given data. It is determined based on the acceptable data loss in case of a disruption of operations. The RPO effectively quantifies the permissible amount of data loss in case of interruption. MTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it represents the time by which the service must be restored before the organization is faced with the threat of collapse. This does not address recovery procedures.

IT management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend: upgrading to a level 5 RAID. increasing the frequency of onsite backups. reinstating the offsite backups. establishing a cold site in a secure location.

reinstating the offsite backups. This will not address the problem of catastrophic failure of the data center housing all the data. This is not relevant to RAID 1 because all data are being mirrored already. A Redundant Array of Inexpensive Disks (RAID) system, at any level, will not protect against a natural disaster. The problem will not be alleviated without offsite backups. A cold site is an offsite recovery location but will not provide for data recovery because a cold site is not used to store data.

An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the: IT department implement control mechanisms to prevent unauthorized software installation. security policy be updated to include the specific language regarding unauthorized software. IT department prohibit the download of unauthorized software. users obtain approval from an IS manager before installing nonstandard software.

security policy be updated to include the specific language regarding unauthorized software. An IS auditor's obligation is to report on observations noted and make the best recommendation, which is to address the situation through policy. The IT department cannot implement controls in the absence of the authority provided through policy. Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue—and provide authority for the IT department to implement technical controls. Preventing downloads of unauthorized software is not the complete solution. Unauthorized software can also be introduced through compact discs (CDs) and universal serial bus (USB) drives. Requiring approval from the IS manager before installation of the nonstandard software is an exception handling control. It would not be effective unless a preventive control to prohibit user installation of unauthorized software is established first.

To ensure structured disaster recovery, it is MOST important that the business continuity plan and disaster recovery plan are: stored at an alternate location. communicated to all users. tested regularly. updated regularly.

tested regularly. Storing the BCP at an alternate location is useful in the case of complete site outage; however, the BCP is not useful during a disaster without adequate tests. Communicating to users is not of much use without actual tests. If the business continuity plan (BCP) is tested regularly, the BCP and disaster recovery plan team is adequately aware of the process, which helps in structured disaster recovery. Even if the plan is updated regularly, it is of less use during an actual disaster if it is not adequately tested.

An IS auditor reviewing the application change management process for a large multinational company should be MOST concerned when: test systems run different configurations than do production systems. change management records are paper based. the configuration management database is not maintained. the test environment is installed on the production server.

the configuration management database is not maintained. While, ideally, production and test systems should be configured identically, there may be reasons why this does not occur. The more significant concern is that the configuration management database is not maintained. Paper-based change management records are inefficient to maintain and not easy to review in large volumes; however, they do not present a concern from a control point of view as long as they are properly and diligently maintained. The configuration management database (CMDB) is used to track configuration items (CIs) and the dependencies between them. An out-of-date CMDB in a large multinational company could result in incorrect approvals being obtained or leave out critical dependencies during the test phase. While it is not ideal to have the test environment installed on the production server, it is not a control-related concern. As long as the test and production environments are kept separate, they can be installed on the same physical server(s).

If the recovery time objective increases: the disaster tolerance increases. the cost of recovery increases. a cold site cannot be used. the data backup frequency increases.

the disaster tolerance increases. The longer the recovery time objective (RTO), the higher the disaster tolerance. The disaster tolerance is the amount of time the business can afford to be disrupted before resuming critical operations. The longer the RTO, the lower the recovery cost. It cannot be concluded that a cold site is inappropriate; with a longer RTO the use of a cold site may become feasible. RTO is not related to the frequency of data backups—that is related to recovery point objective.

An IS auditor notes during an audit that an organization's business continuity plan does not adequately address information confidentiality during the recovery process. The IS auditor should recommend that the plan be modified to include: the level of information security required when business recovery procedures are invoked. information security roles and responsibilities in the crisis management structure. information security resource requirements. change management procedures for information security that could affect business continuity arrangements.

the level of information security required when business recovery procedures are invoked. The business should consider whether information security levels required during recovery should be the same, lower or higher than when business is operating normally. In particular, any special rules for access to confidential data during a crisis need to be identified. During a time of crisis, the security needs of the organization may increase because many usual controls such as separation of duties are missing. Having security roles in the crisis management plan is important, but that is not the best answer to this scenario. Identifying the resource requirements for information security, as part of the business continuity plan (BCP), is important, but it is more important to set out the security levels that would be required for protected information. Change management procedures can help keep a BCP up to date but are not relevant to this scenario.

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST: include the statement from management in the audit report. verify the software is in use through testing. include the item in the audit report. discuss the issue with senior management because it could have a negative impact on the organization.

verify the software is in use through testing. The statement from management may be included in the audit report, but the auditor should independently validate the statements made by management to ensure completeness and accuracy. When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With respect to this matter, representations obtained from management cannot be independently verified. If the organization is using software that is not licensed, the IS auditor, to maintain objectivity and independence, must include this in the report, but the IS auditor should verify that this is in fact the case before presenting it to senior management.

A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in: with their named account to make the changes. with the shared DBA account to make the changes. to the server administrative account to make the changes. to the user's account to make the changes.

with their named account to make the changes. Logging in using the named user account before using the database administrator (DBA) account provides accountability by noting the person making the changes. The DBA account is typically a shared user account. The shared account makes it difficult to establish the identity of the support user who is performing the database update. The server administrative accounts are shared and may be used by multiple support users. In addition, the server privilege accounts may not have the ability to perform database changes. The use of a normal user account would not have sufficient privileges to make changes on the database.

If a database is restored using before-image dumps, where should the process begin following an interruption? Before the last transaction After the last transaction As the first transaction after the latest checkpoint As the last transaction before the latest checkpoint

Before the last transaction If before images are used, the last transaction in the dump will not have updated the database prior to the dump being taken. The last transaction will not have updated the database and must be reprocessed. Program checkpoints are irrelevant in this situation. Checkpoints are used in application failures. Program checkpoints are irrelevant in this situation. Checkpoints are used in application failures.

A database administrator has detected a performance problem with some tables, which could be solved through denormalization. This situation will increase the risk of: concurrent access. deadlocks. unauthorized access to data. a loss of data integrity.

a loss of data integrity. Denormalization will have no effect on concurrent access to data in a database; concurrent access is resolved through locking. These are a result of locking of records. This is not related to normalization. Access to data is controlled by defining user rights to information and is not affected by denormalization. Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with the consequent loss of data integrity.
