IT Audit Exam 1

Ace your homework & exams now with Quizwiz!

Which one of the following is not one of the seven domains of a typical IT infrastructure? A. User Domain B. Workstation Domain C. LAN-to-LAN Domain D. WAN Domain E. Remote Access Domain

LAN to LAN domain

Which of the following provides a framework for assessing the adequacy of implemented controls? A. NIST 800-53 B. NIST 800 C. NIST 800-53A D. NIST 800A

NIST 800-53A

Which of the following uses "engagements" to report on the evaluation of controls of third-party service businesses that host or process data on behalf of customers

SOC

National Institute of Standards and Technology (NIST) security controls are classified as being preventive, detective, or __

corrective

PCI DSS is a legislative act enacted by Congress to ensure that merchants meet baseline security requirements for how they store, process, and transmit payment card data. A. True B. False

False

The decision to apply or not apply controls is based on risk.

true

To comply with the Red Flags Rule, financial institutions and creditors must do which of the following? A. Identify red flags for covered accounts. B. Detect red flags. C. Respond to detected red flags. D. Update the program periodically. E. All of the above F. Answers B and C only

All of the above

Which of the following is an example of why an ongoing IT compliance program is important? A. Organizations are dynamic, growing environments. B. Threats evolve. C. Laws and regulations evolve. D. All of the above

All of the above

Which of the following is not one of the titles within Sarbanes-Oxley? A. Corporate Responsibility B. Enhanced Financial Disclosures C. Analyst Conflicts of Interest D. Studies and Reports E. Auditor Conflicts of Interest

Auditor conflicts of interest

If a baseline security control cannot be implemented, which of the following should be considered? A. Compensating control B. Baseline security standard revision C. Policy revision D. None of the above

Compensating control

An unauthorized user has gained access to data and viewed it. What has been lost?

Confidentiality

Which of the following companies engaged in fraudulent activity and subsequently filed for bankruptcy? A. WorldCom B. Enron C. TJX D. All of the above E. A and B only

WorldCom and Enron

RMF provides for the authorization of the operation of an information system based on an acceptable level of ________.

Risk

Which one of the following is true with regard to audits and assessments? A. Assessments typically result in a pass or fail grade, whereas audits result in a list of recommendations to improve controls. B. Assessments are attributive and audits are not. C. An audit is typically a precursor to an assessment. D. An audit may be conducted independently of an organization, whereas internal IT staff always conducts an IT security assessment. E. Audits can result in blame being placed upon an individual.

audits can result in blame being placed upon an individual

The process of selecting security controls is considered within the context of risk management. A. True B. False

True

Which one of the following is not an example of a level of depth required to assess a control? A. Comprehensive B. Generalized C. Focused D. Detailed

comprehensive

providing access for applications developers to the test environment...

creates a segregation of duties weakness in the configuration management process

A configuration ________ database provides a central repository of configuration items.

management

The COSO framework is targeted to which of the following groups within a company? A. Executive management B. First-line management C. Security analysts D. Application developers

executive management

Organizations may be audited for both ISO/IEC 27001 and ISO/IEC 27002 and receive a formal certification for each.

false

A _______ is a conceptual set of rules and ideas that provide structure to a complex and challenging situation.

framework

Policies, standards, and guidelines are part of the policy ________.

framework

Responding to business requirements in alignment with the business strategy is an example of an IT ________.

goal

Which one of the following is not an example of a review technique? A. Password cracking B. File integrity checking C. Log review D. Network sniffing

password and cracking

A ________ is an assessment method that uses methods similar to what a real-world attacker might use.

penetration testing

Some regulations are subject to ________, which means even if there wasn't intent of noncompliance, an organization can still incur large fines.

strict liability

the IT security controls covered by the NAtional institute of standards and technology (NIST) include management, operational, and ___

technical

Frameworks differ from each other in that they might offer varying levels of depth and breadth. A. True B. False

true

Whereas only qualified auditors perform security audits, anyone may do security assessments.

true

While the Family Educational Rights and Privacy Act prohibits the use of Social Security numbers as directory information, the act does permit the use of the last four digits of a SSN. A. True B. False

False

Noncompliance with regulatory standards may result in which of the following? A. Brand damage B. Fines C. Imprisonment D. All of the above E. B and C only

all of the above

Which of the following are examples of information provided by audit logs? A. Failed authentication attempts B. Account changes C. Privileged use D. All of the above

all of the above

What PCAOB standard states that the auditor should assess the amount of IT involvement in the financial reporting process? A. Auditing Standard No. 1 B. Auditing Standard No. 11 C. Auditing Standard No. 55 D. Auditing Standard No. 5

auditing standard no 5

COSO is the acronym for which of the following? A. Compliance Objectives Standards Organization B. Committee of Sponsoring Organizations C. Compliance Organization Standard Operation D. Committee on Standard Objectives

committee of sponsoring organizations

what is generally not tracked in a configuration management

cost of software

which of the following is a common system management environment that requires review during an audit

development environment, test environment, production environment

Which of the following benefits does an automated security information and event management log solution provide? A. Diagnosing and preventing operational problems B. Assigning appropriate responsibilities to security operations C. Management of a configuration change control board D. All of the above

diagnosing and preventing operational problems

Which one of the following is not part of the change management process? A. Identify and request B. Evaluate change request C. Decision response D. Implement unapproved change E. Monitor change

implement unapproved changes

Which one of the following is not considered a principal part of the Gramm-Leach-Bliley Act? A. Financial Privacy Rule B. Pretexting provisions C. Safeguards Rule D. Information Security Rule

information security rule

production environments...

should only contain fully tested and authorized applications

If required, an auditor is justified in the use of security assessment techniques such as penetration testing and vulnerability analysis and may consider using the work of other experts.

true

Mitigating a risk from an IT security perspective is about eliminating the risk to zero.

False

Regarding the seven domains of IT infrastructure, the Workstation Domain includes which of the following? (Select three.) A. Desktop computers B. Laptop computers C. Remote access systems D. E-mail servers E. Handheld devices

desktop computers, laptop computers, handheld devices

which of the following best describes a prescriptive IT control?

helps standardize IT operations and tasks

An IT infrastructure audit __ is the system in a known acceptable state, with the applied minimum controls relative to the accepted risk

baseline

At all levels of an organization, compliance is closely related to which of the following? A. Governance B. Risk management C. Government D. Risk assessment E. Both A and B F. Both C and D

governance and risk management

Adequate controls over privacy data helps prevent ________ theft.

identity

Which one of the following is not one of the four domains of COBIT? A. Plan and Organize B. Implement and Support C. Acquire and Implement D. Deliver and Support E. Monitor and Evaluate

implement and support

Which one of the following is not true of COBIT? A. It is business-focused. B. It is security-centered. C. It is process-oriented. D. It is controls-based. E. It is measurement-driven.

it is security centered

ISO/IEC 27002 is a code of ________ for information security management.

practice

Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a ________.

risk-based approach

Preventing a user who approves a configuration change from being the person who implements the change is an example of which of the following? A. Rotation of duties B. Least privilege C. Segregation of duties D. Dual control

segregation of duties

Which of the following should organizations do when selecting a standard? (Select three.) A. Select a standard that can be followed. B. Employ the selected standard. C. Select a flexible standard. D. Select a standard that other organizations in the same geographic location are using.

select a standard that can be followed, employ the selected standard, select a flexible standard

which of the following is not an important step for conducting effective IT audit interviews?

setting organizational goals during the interview.

Which of the following best describes documents such as policies, procedures, plans, and architectural designs? A. Specification objects B. Mechanism objects C. Activity objects D. Configuration objects

specification objects

An organization creates policies and a framework for the application of controls. The organization then maps existing controls to each regulation to which it must comply. Thereafter, the organization performs a __ to identify anything that is missing.

Gap analysis

Which of the following is an examination of the current state of controls against the desired state of controls? A. Control objective B. Gap analysis C. Baseline analysis D. Log review

Gap analysis

Which regulatory department is responsible for the enforcement of HIPAA laws? A. HHS B. FDA C. U.S Department of Agriculture D. U.S. EPA E. FTC

HHS

An IT security audit is an ________ assessment of an organization's internal policies, controls, and activities.

Independent

Which of the following organizations was tasked to develop and prescribe standards and guidelines that apply to federal information systems? A. NIST B. FISMA C. Congress D. PCI SSC E. U.S. Department of the Navy

NIST

Which of the following requires organizations to have an annual assessment by a Qualified Security Assessor (QSA)

Payment Card Industry Data Security Standard (PCI DSS)

Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker? A. Policy review B. Penetration test C. Standards review D. Controls audit E. Vulnerability scan

Penetration testing

Which of the following best describes the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information? A. Security management B. Compliance management C. Privacy management D. Personal management E. Collection management

Privacy management

Avoiding the need for audits is one reason organizations develop clearly documented policies, standards, and procedures. A. True B. False

false

SSAE 16 Type 1 includes everything in a SSAE 16 Type 2 report, but it adds a detailed testing of the controls over a specific time frame.

false

The purpose of a network scan is to identify as many vulnerabilities as possible.

false

NIST has three IT security control categories. The following are controls in one of the categories: 1. identification and authorization 2. logical access control 3. audit trail 4. cryptography the above controls are examples of which control category

technical

which of the following best describes security configuration management

the process and techniques around managing security-related configuration items that directly relate to control or settings.

An acceptable use policy (AUP) is part of the ___ domain

user domain

In an IT infrastructure, the end users' operating environment is called the ___

workstation domain

Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations? A. IT audit B. Operational audit C. Compliance audit D. Financial audit E. Investigative audit

Compliance audit

NIST 800-53A provides ________.

A guide for assessing security controls

What can be done to manage risk? (Select three.) A. Accept B. Transfer C. Avoid D. Migrate

Accept, transfer, avoid

After mapping existing controls to new regulations, an organization needs to conduct a ________ analysis.

Gap

Assurance against unauthorized modification or destruction of data is the definition of:

Integrity

which of the following best describes a descriptive IT control?

Aligns IT with business goals

What term describes the identification, control, logging, and auditing of all changes made across the infrastructure?

Configuration and change management

Regarding privacy, what is a common characteristic of "personal information"

It can be used to identify a person

The internal audit function may be outsourced to an external consulting firm.

True

Which of the following best describes control objectives for information and related technology (COBIT)?

a framework providing best practices for IT governance and control

Which one of the following best describes an assessment objective for a control? A. A high-level statement to determine the effectiveness of a control B. A detailed statement on what activities need to occur to implement a control C. A definition of responsibilities to be assigned to security operations for the management of a control D. A statement about the required depth or coverage required to test a control

a high-level statement to determine the effectiveness of a control

What does CAATT stand for? A. Computer Assisted Audit Tools and Techniques B. Computer Aided Assessment Tools and Techniques C. Compliance Auditing Assisted Tactical Techniques D. Compliance Assisted Audit Tactical Tools

computer assisted audit tools and techniques

A security assessment is a method for proving the strength of security systems.

False

Sarbanes-Oxley explicitly addresses the IT security controls required to ensure accurate financial reporting. A. True B. False

False

Which one of the following is the best example of avoiding risk? A. The IT department decides to install an antivirus device at its network border. B. The IT department outsources its vulnerability management program to a third party. C. The IT department disables the ability for end users to use portable storage devices. D. The IT department installs data loss prevention software on all end users' workstations.

the IT department disables the ability for end users to use portable storage devices

Which of the following policies would apply to the User Domain concerning the seven domains of a typical IT infrastructure? A. Acceptable use policy B. Internet access policy C. Security incident policy D. Firewall policy E. Answers A and B F. Answers B and D

Acceptable use policy and internet access policy

Account management and separation of duties are examples of what type of controls? A. Audit and accountability B. Access control C. Security assessment and authorization D. Personal security

Access control

Which of the following best describes the Gramm-Leach-Billey Act (GLBA)

An act of Congress that prohibits banks from offering investment , commercial banking, and insurance services all under one umbrella

Which of the following acknowledges the importance of sound information security practices and controls in the interest of national security? A. FISMA B. GLBA C. HIPAA D. FACTA E. FERPA

FISMA

What organization was tasked to develop standards to apply to federal information systems using a risk-based approach? A. Public Entity Risk Institute B. International Organization for Standardization C. National Institute of Standards and Technology D. International Standards Organization E. American National Standards Institute

National institute of standards and technology

Which one of the following is not one of the safeguards provided within the HIPAA Security Rule? A. Administrative B. Operational C. Technical D. Physical

Operational

Which of the following was established to have oversight of public accounting firms and is responsible for defining the process of SOX compliance audits? A. COSO B. Enron C. PCAOB D. Sarbanes-Oxley E. None of the above

PCAOB

Which one of the following is not a method used for conducting an assessment of security controls? A. Examine B. Interview C. Test D. Remediate

Remediate

A large financial organization wants to outsource its payroll function. which of the following should the financial organization ensure the payroll company has?

SOC report

Which act, which consists of 11 titles, mandated many reforms to enhance corporate responsibility, enhance financial disclosures, and prevent fraud.

Sarbanes-Oxley Act

What section of Sarbanes-Oxley requires management and the external auditor to report on the accuracy of internal controls over financial reporting? A. Section 301 B. Section 404 C. Section 802 D. Section 1107

Section 404

In accordance with the Children's Internet Protection Act, who determines what is considered inappropriate material? A. FCC B. U.S. Department of Education C. The local communities D. U.S. Department of the Interior Library E. State governments

The local communities

Compliance initiatives typically are efforts around all except which one of the following? A. To adhere to internal policies and standards B. To adhere to regulatory requirements C. To adhere to industry standards and best practices D. To adhere to an auditor's recommendation

to adhere to an auditors reccommendation


Related study sets

Chapter 3 Section 1: Benefits of Free Enterprise

View Set

ADMJ 300 key words - chapters 1-14

View Set

H&I 3 - Cardiac (IGGY Study Guide Chapter 31)

View Set

Part 3 - Investment Vehicles (CONSOLIDATED)

View Set

Chapter 26 - Ozone depletion study guide

View Set

Chapter 9: Lifespan Development, unit 9 psych, Chapter 9 PY, Psyc102 - Test 3, Home Quiz 9 (Chapter 9), PYSCH Ch 9, psych quiz ch 9- development, Psychology Ch 9 1-2, Chapter 9:, Psychology Ch. 9, chapter 6 psych quiz, psychology final, Chapter 9 Psy...

View Set