Domain 4: Information Systems Operations and Business Resilience- PART 4A Flashcards
1
Q
An advantage of using unshielded twisted-pair (UTP) cable for data communication over other copper-based cables is that UTP cable:
A
Reduces crosstalk between pairs.
2
Q
Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:
A
Verify the software is in use through testing.
3
Q
The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open- source software?
A
Identify and test suitable patches before applying them.
4
Q
As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis?
A
Critical business processes for ascertaining the priority for recovery
5
Q
Authorizing access to application data is the responsibility of the:
A
Data owner.
6
Q
A batch transaction job failed in production; however, the same job returned no issues during user acceptance testing (UAT). Analysis of the production batch job indicates that it was altered after UAT. Which of the following ways would be the BEST to mitigate this risk in the future?
A
Ensure that developers do not have access to code after testing.
7
Q
The BEST audit procedure to determine if unauthorized changes have been made to production code is to:
A
examine object code to find instances of changes and trace them back to change control records.
8
Q
Business units are concerned about the performance of a newly implemented system. Which of the following should an IS auditor recommend?
A
Develop a baseline and monitor system usage.
9
Q
A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized?
A
The system will not process the change until the clerk’s manager confirms the change by entering an approval code.
10
Q
Code erroneously excluded from a production release was subsequently moved into the production environment, bypassing normal change procedures. Which of the following choices is of MOST concern to the IS auditor performing a postimplementation review?
A
The change did not have change management approval.
11
Q
A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in:
A
With their named account to make the changes.
12
Q
A database administrator has detected a performance problem with some tables, which could be solved through denormalization. This situation will increase the risk of:
A
a loss of data integrity.
13
Q
The database administrator suggests that database efficiency can be improved by denormalizing some tables. This would result in:
A
increased redundancy.
14
Q
Data flow diagrams are used by IS auditors to:
A
graphically summarize data paths and storage.
15
Q
Doing which of the following during peak production hours could result in unexpected downtime?
A
Doing which of the following during peak production hours could result in unexpected downtime?
16
Q
Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production?
A
Provide and monitor separate developer login IDs for programming and for production support
17
Q
During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?
A
Gain more assurance on the findings through root cause analysis.
18
Q
During a data center audit, an IS auditor observes that some parameters in the tape management system are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness?
A
Staging and job setup
19
Q
During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
A
Confirm the content of the agreement with both departments.
20
Q
During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed?
A
Foreign key structure
21
Q
During an application audit, the IS auditor finds several problems related to corrupt data in the database. Which of the following is a CORRECTIVE control that the IS auditor should recommend?
A
Proceed with restore procedures.
22
Q
During an assessment of software development practices, an IS auditor finds that open source software components were used in an application designed for a client. What is the GREATEST concern the auditor would have about the use of open source software?
A
The organization and client must comply with open source software license terms.
23
Q
During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor’s GREATEST concern?
A
The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually.
24
Q
During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend?
A
Implement a properly documented process for application role change requests.
25
During an implementation review of a recent application deployment, it was determined that several incidents were assigned incorrect priorities and, because of this, failed to meet the business service level agreement (SLA). What is the GREATEST concern?
The support model was not properly developed and implemented.
26
During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
the client's change management process is adequate.
27
During maintenance of a relational database, several values of the foreign key in a transaction table have been corrupted. The consequence is that:
the detail of involved transactions may no longer be associated with master data, causing errors when these transactions are processed.
28
During the audit of a database server, which of the following would be considered the GREATEST exposure?
Default global security settings for the database remain unchanged.
29
During the review of an enterprise's preventive maintenance process for systems at a data center, the IS auditor has determined that adequate maintenance is being performed on all critical computing, power and cooling systems. Additionally, it is MOST important for the IS auditor to ensure that the organization:
performs maintenance during noncritical processing times.
30
During the review of an in-house developed application, the GREATEST concern to an IS auditor is if a:
manager initiates a change request and subsequently approves it.
31
During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions?
Transaction logs
32
Emergency changes that bypass the normal change control process are MOST acceptable if:
management reviews and approves the changes after they have occurred.
33
An enterprise uses privileged accounts to process configuration changes for mission- critical applications. Which of the following would be the BEST and appropriate control to limit the risk in such a situation?
Ensure that supervisory approval and review are performed for critical changes.
34
The FIRST step in the execution of a problem management mechanism should be:
exception reporting.
35
The GREATEST advantage of using web services for the exchange of information between two systems is
efficient interfacing.
36
A hard disk containing confidential data was damaged beyond repair. If the goal is to positively prevent access to the data by anyone else, what should be done to the hard disk before it is discarded?
Destruction
37
If a database is restored using before- image dumps, where should the process begin following an interruption?
Before the last transaction
38
In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:
atomicity.
39
In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table?
Foreign key
40
In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?
Approve and document the change the next business day.
41
In auditing a database environment, an IS auditor will be MOST concerned if the database administrator is performing which of the following functions?
Installing patches or upgrades to the operating system
42
In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on?
A validity check
43
An IS auditor analyzing the audit log of a database management system finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violated?
Atomicity
44
An IS auditor determined that the IT manager recently changed the vendor that is responsible for performing maintenance on critical computer systems to cut costs. While the new vendor is less expensive, the new maintenance contract specifies a change in incident resolution time specified by the original vendor. Which of the following should be the GREATEST concern to the IS auditor?
Application owners were not informed of the change.
45
An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.
46
An IS auditor discovers that some hard drives disposed of by an enterprise were not sanitized in a manner that would reasonably ensure the data could not be recovered. In addition, the enterprise does not have a written policy on data disposal. The IS auditor should FIRST:
determine the sensitivity of the information on the hard drives.
47
An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the:
security policy be updated to include the specific language regarding unauthorized software.
48
An IS auditor examining the security configuration of an operating system should review the:
parameter settings.
49
An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
Implement integrity constraints in the database.
50
An IS auditor finds that a database administrator (DBA) has read and write access to production data. The IS auditor should:
assess the controls relevant to the DBA function.
51
An IS auditor finds that database administrators (DBAs) have access to the log location on the database server and the ability to purge logs from the system. What is the BEST audit recommendation to ensure that DBA activity is effectively monitored?
Forward database logs to a centralized log server to which the DBAs do not have access.
52
An IS auditor finds that the data warehouse query performance decreases significantly at certain times of the day. Which of the following controls would be MOST relevant for the IS auditor to review?
User spool and database limit controls
53
An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?
There were instances when some jobs were overridden by computer operators.
54
An IS auditor has discovered that a new patch is available for an application, but the IT department has decided that the patch is not needed because other security controls are in place. What should the IS auditor recommend?
Assess the overall risk, then recommend whether to deploy the patch.
55
An IS auditor is assessing services provided by an Internet service provider (ISP) during an IS compliance audit of a nationwide corporation that operates a governmental program. Which of the following is MOST important?
Review the service level agreement.
56
An IS auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel?
Production access is granted to the individual support ID when needed.
57
An IS auditor is evaluating network performance for an organization that is considering increasing its Internet bandwidth due to a performance degradation during business hours. Which of the following is MOST likely the cause of the performance degradation?
Unauthorized network activities
58
An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability?
Test plans and procedures exist and are closely followed.
59
An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit?
To detect data transposition errors
60
An IS auditor is reviewing an organization's disaster recovery plan (DRP) implementation. The project was completed on time and on budget. During the review, the auditor uncovers several areas of concern. Which of the following presents the GREATEST risk?
The business impact analysis was conducted, but the results were not used.
61
An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening?
The default configurations are changed.
62
An IS auditor is reviewing the change management process for an enterprise resource planning application. Which of the following is the BEST method for testing program changes?
Trace a sample of modified programs to supporting change tickets.
63
An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a:
transition clauses from the old supplier to a new supplier or back to internal in the case of expiration or termination.
64
An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess:
backout procedures.
65
An IS auditor notes that patches for the operating system used by an organization are deployed by the IT department as advised by the vendor. The MOST significant concern an IS auditor should have with this practice is that IT has NOT considered:
delaying deployment until testing the impact of the patch.
66
An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access yet is required for smooth functioning of business operations. Which of the following controls would the IS auditor MOST likely recommend for long-term resolution?
Review policy to see if a formal exception process is required.
67
The IS auditor observes that the latest security-related software patches for a mission-critical system were released two months ago, but IT personnel have not yet installed the patches. The IS auditor should:
review the patch management policy and determine the risk associated with this condition.
68
An IS auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information. Which of the following contractual terms would be the GREATEST risk to the customer organization?
The third- party provider reserves the right to access data to perform certain operations.
69
An IS auditor performing an application maintenance audit would review the log of program changes for the:
authorization of program changes.
70
An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?
A clause providing a "right to audit" the service provider
71
An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?
Use the DBA user account to make changes, log the changes and review the change log the following day.
72
An IS auditor reviewing the application change management process for a large multinational company should be MOST concerned when:
the configuration management database is not maintained.
73
An IS auditor should recommend the use of library control software to provide reasonable assurance that:
program changes have been authorized.
74
A new application has been purchased from a vendor and is about to be implemented. Which of the following choices is a key consideration when implementing the application?
Ensuring that vendor default accounts and passwords have been disabled
75
A new business requirement required changing database vendors. Which of the following areas should the IS auditor PRIMARILY examine in relation to this implementation?
Integrity of the data
76
A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk?
The hardware being used to run the database application
77
The objective of concurrency control in a database system is to:
ensure integrity when two processes attempt to update the same data at the same time.
78
Of the following alternatives, the FIRST approach to developing a disaster recovery strategy would be to assess whether:
a cost- effective, built-in resilience can be implemented.
79
Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:
database commits and rollbacks.
80
An organization has implemented an online customer help desk application using a software as a service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide?
Implement an online polling tool to monitor the application and record outages.
81
An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement?
First call resolution rate
82
An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
ensure that a good change management process is in place.
83
An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review?
The proposed service level agreement with the service provider
84
The PRIMARY benefit of an IT manager monitoring technical capacity is to:
ensure that the service level requirements are met.
85
The PRIMARY objective of service-level management is to:
define, agree on, record and manage the required levels of service.
86
A programmer maliciously modified a production program to change data and then restored it back to the original code. Which of the following would MOST effectively detect the malicious activity?
Reviewing system log files
87
The purpose of code signing is to provide assurance that:
the software has not been subsequently modified.
88
Responsibility and reporting lines cannot always be established when auditing automated systems because:
ownership is difficult to establish where resources are shared.
89
The responsibility for authorizing access to a business application system belongs to the:
data owner.
90
To verify that the correct version of a data file was used for a production run, an IS auditor should review:
system logs.
91
A vendor has released several critical security patches over the past few months and this has put a strain on the ability of the administrators to keep the patches tested and deployed in a timely manner. The administrators have asked if they could reduce the testing of the patches. What approach should the organization take?
Continue the current process of testing and applying patches.
92
Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation?
Assess the impact of patches prior to installation.
93
What would be the MOST effective control for enforcing accountability among database users accessing sensitive information?
Implement a log management process.
94
When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next:
review the justification.
95
When reviewing a hardware maintenance program, an IS auditor should assess whether:
the program is validated against vendor specifications.
96
When reviewing system parameters, an IS auditor's PRIMARY concern should be that:
they are set to meet both security and performance requirements.
97
When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software:
is not listed in the approved software standards document.
98
Which of the following activities performed by a database administrator should be performed by a different person?
Deleting database activity logs
99
Which of the following activities should the business continuity manager perform FIRST after the replacement of hardware at the primary information processing facility?
Update the IT asset inventory
100
Which of the following assures an enterprise of the existence and effectiveness of internal controls relative to the service provided by a third party?
A recent independent third-party external audit report
101
Which of the following BEST ensures that users have uninterrupted access to a critical, heavily used web-based application?
Load balancing
102
Which of the following BEST helps prioritize the recovery of IT assets when planning for a disaster?
Business impact analysis
103
Which of the following choices BEST ensures accountability when updating data directly in a production database?
Review of audit logs
104
Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?
Date and time-stamp reviews of source and object code
105
Which of the following controls would provide the GREATEST assurance of database integrity?
Table link/reference checks
106
Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database?
Commitment and rollback controls
107
Which of the following is a MAJOR concern during a review of help desk activities?
Resolved incidents are closed without reference to end users.
108
Which of the following is a network diagnostic tool that monitors and records network information?
Protocol analyzer
109
Which of the following is a prevalent risk in the development of end-user computing applications?
Applications may not be subject to testing and IT general controls.
110
Which of the following is MOST directly affected by network performance monitoring tools?
Availability
111
Which of the following is MOST important when an operating system patch is to be applied to a production environment?
Approval from the information asset owner
112
Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)?
Service measures were not included in the SLA.
113
Which of the following is the BEST method for an IS auditor to verify that critical production servers are running the latest security updates released by the vendor?
Run an automated tool to verify the security patches on production servers.
114
Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity?
Develop a scenario and perform a structured walk- through.
115
Which of the following is the MOST critical to the quality of data in a data warehouse?
Accuracy of the source data
116
Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another?
Perform sample testing of the migrated account balances.
117
Which of the following is the MOST efficient and sufficiently reliable way to test the design effectiveness of a change control process?
Perform an end- to-end walk- through of the process
118
Which of the following is the MOST likely reason an organization implements an emergency change to an application using the emergency change control process?
There is a high probability of a significant impact on operations.
119
Which of the following is widely accepted as one of the critical components in networking management?
Configuration and change management
120
Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases?
Configuration management
121
Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server?
Review changes in the software version control system.
122
Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement for the availability of outsourced telecommunication services?
Downtime reports on the telecommunication services generated by the enterprise
123
Which of the following reports should an IS auditor use to check compliance with a service level agreement's requirement for uptime?
Availability reports
124
Which of the following security measures BEST ensures the integrity of information stored in a data warehouse?
A read-only restriction
125
Which of the following should an incident response team address FIRST after a major incident in an information processing facility?
Containment at the facility
126
Which of the following should an IS auditor recommend for the protection of specific sensitive information stored in a data warehouse?
Implement column- and row- level permissions
127
Which of the following should the IS auditor review to ensure that servers are optimally configured to support processing requirements?
Server utilization data
128
Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with change control procedures in an organization?
Identify changes that have occurred and verify approvals.
129
Which of the following would an IS auditor consider to be MOST helpful when evaluating the effectiveness and adequacy of a preventive computer maintenance program?
A system downtime log
130
Which of the following would an IS auditor consider to be the MOST important to review when conducting a disaster recovery audit?
Data backups are performed timely and stored offsite.
131
Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
Compliance testing
132
Which of the following would BEST help to detect errors in data processing?
Hash totals
133
Which of the following would help to ensure the portability of an application connected to a database?
Usage of a Structured Query Language
134
While auditing an e-commerce architecture, an IS auditor notes that customer master data are stored on the web server for six months after the transaction date and then purged due to inactivity. Which of the following should be the PRIMARY concern for the IS auditor?
Confidentiality of customer data
135
While conducting an audit on the customer relationship management application, the IS auditor observes that it takes a significantly long time for users to log on to the system during peak business hours as compared with other times of the day. Once logged on, the average response time for the system is within acceptable limits. Which of the following choices should the IS auditor recommend?
Establish performance measurement criteria for the authentication servers.
136
While designing the business continuity plan for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:
shadow file processing.
137
While performing a review of a critical third-party application, an IS auditor would be MOST concerned with discovering:
an inadequate software escrow agreement.
138
While reviewing the process for continuous monitoring of the capacity and performance of IT resources, an IS auditor should PRIMARILY ensure that the process is focused on:
providing accurate feedback on IT resource capacity.
