Exam 3 Flashcards
1
Q
The success of control self-assessment depends highly on:
A) assigning staff managers, the responsibility for building controls.
B) the implementation of a stringent control policy and rule-driven controls.
C) line managers assuming a portion of the responsibility for control monitoring.
D) the implementation of supervision and monitoring of controls of assigned duties.
A
C) line managers assuming a portion of the responsibility for control monitoring.
Line managers assuming a portion of the responsibility for control monitoring is correct. The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly.
2
Q
An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise’s security requirements?
A) The vendor agrees to implement controls in alignment with the enterprise.
B) The vendor agrees to provide annual external audit reports in the contract.
C) The vendor provides the latest internal audit report for verification.
D) The vendor provides the latest third- party audit report for verification.
A
B) The vendor agrees to provide annual external audit reports in the contract.
The vendor agrees to provide annual external audit reports in the contract is correct. The only way to ensure that any potential risk is mitigated today and in the future is to include a clause within the contract that the vendor will provide future external audit reports. Without the audit clause the vendor can choose to forego future audits.
3
Q
What is the purpose of using data flow diagrams, used by the IS auditors?
A) identify key controls.
B) highlight high-level data definitions.
C) portray step-by-step details of data generation.
D) graphically summarize data paths and storage.
A
D) graphically summarize data paths and storage.
Graphically summarize data paths and storage is correct. Data flow diagrams are used as aids to graph or chart data flow and storage. They trace data from their origination to destination, highlighting the paths and storage of data.
4
Q
The MOST serious challenge in the operation of an intrusion detection system is:
A) learning vendor specific protocols.
B) blocking eligible connections.
C) filtering false positive alerts.
D) updating vendor-specific protocols.
A
C) filtering false positive alerts.
Filtering false-positives alerts is correct. Because of the configuration and the way intrusion detection system (IDS) technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents—false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls (such as IDS tuning) and incident handling procedures (such as the screening process) to know if an event is a security incident or a false positive.
5
Q
A company’s development team does not follow generally accepted system development life cycle practices. Which of the following is MOST likely to cause problems for software development projects?
A) Functional verification of the prototypes is assigned to end users.
B) Project responsibilities are not formally defined at the beginning of a project.
C) Program documentation is inadequate.
D) The project is implemented while minor issues are open from user acceptance testing.
A
B) Project responsibilities are not formally defined at the beginning of a project.
Project responsibilities are not formally defined at the beginning of a project is correct. Errors or lack of attention in the initial phases of a project may cause costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project.
6
Q
Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?
A) Allocating resources
B) Attention to detail
C) Managing audit staff
D) Project management
A
D) Project management
Project management is correct. Audits often involve resource management, deliverables, scheduling and deadlines that are similar to project management good practices.
7
Q
Which of the following BEST helps prioritize the recovery of IT assets when planning for a disaster?
A) Business impact analysis
B) Incident response plan
C) Recovery time objective
D) Threat and risk analysis
A
A) Business impact analysis
Business impact analysis is correct. Incorporating the business impact analysis (BIA) into the IT disaster recovery planning process is critical to ensure that IT assets are prioritized to align with the business.
8
Q
An IS auditor reviewing an outsourcing contract of IT facilities expects it to define the:
A) hardware configuration.
B) ownership of intellectual property.
C) application development methodology.
D) access control software.
A
B) ownership of intellectual property.
Ownership of intellectual property is correct. The contract must specify who owns the intellectual property (i.e., information being processed and application programs). Ownership of intellectual property is a significant cost and is a key aspect to be defined in an outsourcing contract.
9
Q
A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?
A) Project manager
B) Data owner
C) IS auditor
D) Database administrator
A
B) Data owner
Data owner is correct. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely and accurately and are valid.
10
Q
Establishing the level of acceptable risk is the responsibility of:
A) the chief information officer.
B) quality assurance management.
C) senior business management.
D) the chief security officer.
A
C) senior business management.
Senior business management is correct. Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization as a senior manager of the business process. The person can be the quality assurance (QA), chief information officer (CIO), or the chief security officer (CSO), but the responsibility rests with the business manager.
11
Q
An IS auditor reviewing the process of log monitoring wants to evaluate the organization’s manual review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?
A) Inquiry
B) Walk-through
C) Re-performance
D) Inspection
A
B) Walk-through
Walk-through is correct. These procedures usually include a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses.
12
Q
An IS auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when:
A) the service level agreement does not address the responsibility of the vendor in the case of a security breach.
B) the organization is not permitted to assess the controls in the participating vendor’s site.
C) the organization is using an older version of a browser and is vulnerable to certain types of security risk.
D) laws and regulations are different in the countries of the organization and the vendor.
A
A) the service level agreement does not address the responsibility of the vendor in the case of a security breach.
The service level agreement does not address the responsibility of the vendor in the case of a security breach is correct. Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach.
13
Q
The ultimate purpose of IT governance is to:
A) reduce IT costs.
B) encourage optimal use of IT.
C) centralize control of IT.
D) decentralize IT resources
A
B) encourage optimal use of IT.
Encourage optimal use of IT is correct. IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.
14
Q
Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?
A) Three users with the ability to capture and verify the messages of other users and to send their own messages
B) Five users with the ability to verify other users and to send their own messages
C) Five users with the ability to capture and send their own messages
D) Three users with the ability to capture and verify their own messages
A
D) Three users with the ability to capture and verify their own messages
Three users with the ability to capture and verify their own messages is correct. The ability of one individual to capture and verify their own messages represents an inadequate segregation because messages can be taken as correct and as if they had already been verified. The verification of messages should not be allowed by the person who sent the message.
15
Q
The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning system. In the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy?
A) Significant cost savings over other testing approaches
B) Assurance that new, faster hardware is compatible with the new system
C) Assurance that the new system meets functional requirements
D) Increased resiliency during the parallel processing time
A
C) Assurance that the new system meets functional requirements
Assurance that the new system meets functional requirements is correct. Parallel operation is designed to provide assurance that a new system meets its functional requirements. This is the safest form of system conversion testing because, if the new system fails, the old system is still available for production use. In addition, this form of testing allows the application developers and administrators to simultaneously run operational tasks (e.g., batch jobs and backups) on both systems, to ensure that the new system is reliable before unplugging the old system.
16
Q
Which of the following is normally a responsibility of the chief information security officer?
A) Executing user application and software testing and evaluation
B) Granting and revoking user access to IT resources
C) Approving access to data and applications
D) Periodically reviewing and evaluating the security policy
A
D) Periodically reviewing and evaluating the security policy
Periodically reviewing and evaluating the security policy is correct. The role of the chief information security officer is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the enterprise assets, including data, programs and equipment.
17
Q
Which of the following types of penetration tests simulates a real attack and is used to test incident handling and response capability of the target?
A) Blind testing
B) Double-blind testing
C) External testing
D) Targeted testing
A
B) Double-blind testing
Double-blind testing is correct. This is also known as zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning—both parties are “blind” to the test. This is the best scenario for testing response capability because the target will react as if the attack were real.
18
Q
A company has decided to implement an electronic signature scheme based on a public key infrastructure. The user’s private key will be stored on the computer’s hard drive and protected by a password. The MOST significant risk of this approach is:
A) use of the user’s electronic signature by another person if the password is compromised.
B) impersonation of a user by substitution of the user’s public key with another person’s public key.
C) forgery by using another user’s private key to sign a message with an electronic signature.
D) forgery by substitution of another person’s private key on the computer.
A
A) use of the user’s electronic signature by another person if the password is compromised.
Use of the user’s electronic signature by another person if the password is compromised is correct. The user’s digital signature is only protected by a password. Compromise of the password would enable access to the signature. This is the most significant risk.
19
Q
Users are issued security tokens to be used in combination with a personal identification number (PIN) to access the corporate virtual private network. Regarding the PIN, what is the MOST important rule to be included in a security policy?
A) Users should never write down their PIN
B) Users must never keep the token in the same bag as their laptop computer.
C) Users should select a PIN that is completely random, with no repeating digits.
D) Users should not leave tokens where they could be stolen.
A
A) Users should never write down their PIN
Users should never write down their personal identification number (PIN) is correct. If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. A token and the PIN is a two-factor authentication method.
20
Q
The purpose of code signing is to provide assurance that:
A) the private key of the signer has not been compromised.
B) the signer of the application is trusted.
C) the application can safely interface with another signed application.
D) the software has not been subsequently modified.
A
D) the software has not been subsequently modified.
The software has not been subsequently modified is correct. Code signing ensures that the executable code came from a reputable source and has not been modified after being signed.
21
Q
During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
A) Draft a service level agreement for the two departments.
B) Postpone the audit until the agreement is documented.
C) Report the existence of the undocumented agreement to senior management.
D) Confirm the content of the agreement with both departments.
A
D) Confirm the content of the agreement with both departments.
Confirm the content of the agreement with both departments is correct. An IS auditor should first confirm and understand the current practice before making any recommendations. Part of this will be to ensure that both parties agree with the terms of the agreement.
22
Q
An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the:
A) IS audit resources to be deployed.
B) most valuable information assets.
C) control objectives and activities.
D) auditee personnel to be interviewed.
A
C) control objectives and activities.
Control objectives and activities is correct. After the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit.
23
Q
Which of the following represents an example of a preventive control with respect to IT personnel?
A) An intrusion detection system
B) A security guard stationed at the server room door
C) Implementation of a badge entry system for the IT facility
D) A fire suppression system in the server room
A
C) Implementation of a badge entry system for the IT facility
Implementation of a badge entry system for the IT facility is correct. Preventive controls are used to reduce the probability of an adverse event. A badge entry system prevents unauthorized entry to the facility
24
Q
The PRIMARY objective of conducting a post-implementation review for a business process automation project is to:
A) confirm compliance with regulatory requirements.
B) evaluate the adequacy of controls.
C) ensure that the project meets the intended business requirements.
D) confirm compliance with technological standards.
A
C) ensure that the project meets the intended business requirements.
Ensure that the project meets the intended business requirements is correct. This is the primary objective of a post-implementation review.
25
During a post-implementation review of an enterprise resource management system, an IS auditor would MOST likely:
A) evaluate system testing.
B) review access control configuration.
C) review detailed design documentation.
D) evaluate interface testing.
B) review access control configuration.
Review access control configuration is correct. Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system.
26
A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should:
A) apply a qualitative approach.
B) calculate a return on investment.
C) compute the amortization of the related assets.
D) spend the time needed to define the loss amount exactly.
A) apply a qualitative approach.
Apply a qualitative approach is correct. The common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).
27
While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours. The IS auditor should report that the project:
A) cannot be evaluated until the activity is completed.
B) is on schedule.
C) is ahead of schedule.
D) is behind schedule.
D) is behind schedule.
Is behind schedule is correct. Earned value analysis (EVA) is based on the premise that if a project task is assigned 24 hours for completion, it can be reasonably completed during that time frame. According to EVA, the project is behind schedule because the value of the eight hours spent on the task should be only four hours, considering that 20 hours of effort remain to be completed.
28
A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that:
A) the application may not meet the requirements of the business users.
B) the application technology may be inconsistent with the enterprise architecture.
C) the application may create unanticipated support issues for IT.
D) the security controls of the application may not meet requirements.
B) the application technology may be inconsistent with the enterprise architecture.
The application technology may be inconsistent with the enterprise architecture is correct. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system that is not part of the EA for the business, this increases the cost and complexity of the solution and ultimately delivers less value to the business.
29
Which of the following should an incident response team address FIRST after a major incident in an information processing facility?
A) Documentation of the facility B) Restoration at the facility
C) Monitoring of the facility
D) Containment at the facility
D) Containment at the facility
Containment at the facility is correct. The first priority (after addressing life safety) is the containment of the incident at the facility so that spread of the damage is minimized. The incident team must gain control of the situation.
30
An enterprise uses privileged accounts to process configuration changes for mission- critical applications. Which of the following would be the BEST and appropriate control to limit the risk in such a situation?
A) Ensure that audit trails are accurate and specific.
B) Ensure that personnel background checks are performed for critical personnel.
C) Ensure that personnel have adequate training.
D) Ensure that supervisory approval and review are performed for critical changes.
D) Ensure that supervisory approval and review are performed for critical changes.
Ensure that supervisory approval and review are performed for critical changes is correct. Supervisory approval and review of critical changes by the accountable managers in the enterprise are required to avoid and detect any unauthorized change. In addition to authorization, supervision enforces a separation of duties and prevents an unauthorized attempt by any single employee.
31
Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation?
A) Decline to deal with these vendors in the future.
B) Assess the impact of patches prior to installation.
C) Install the security patch immediately.
D) Ask the vendors for a new software version with all fixes included.
B) Assess the impact of patches prior to installation.
Assess the impact of patches prior to installation is correct. The effect of installing the patch should be immediately evaluated and installation should occur based on the results of the evaluation. There are numerous cases where a patch from one vendor has affected other systems; therefore, it is necessary to test the patches as much as possible before rolling them out to the entire organization.
32
An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:
A) inform management of the possible conflict of interest after completing the audit assignment.
B) communicate the possibility of conflict of interest to audit management prior to starting the assignment.
C) inform the BCP team of the possible conflict of interest prior to beginning the assignment.
D) decline the assignment.
B) communicate the possibility of conflict of interest to audit management prior to starting the assignment.
Communicate the possibility of conflict of interest to audit management prior to starting the assignment is correct. A possible conflict of interest, likely to affect the IS auditor's independence, should be brought to the attention of management prior to starting the assignment.
33
IT governance is PRIMARILY the responsibility of the:
A) IT steering committee.
B) board of directors.
C) audit committee.
D) chief executive officer.
B) board of directors.
Board of directors is correct. IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors).
34
Involvement of senior management is MOST important in the development of:
A) standards and guidelines.
B) strategic plans.
C) IT policies.
D) IT procedures.
B) strategic plans.
Strategic plans is correct. These provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives.
35
Which of the following does an IS auditor FIRST reference when performing an IS audit?
A) Internal standards
B) Approved policies
C) Implemented procedures
D) Documented practices
B) Approved policies
Approved policies is correct. Policies are high-level documents that represent the corporate philosophy of an organization. Internal standards, procedures and practices are subordinate to policy.
36
Which of the following is widely accepted as one of the critical components in networking management?
A) Proxy server troubleshooting
B) Configuration and change management
C) Application of monitoring tools
D) Topological mappings
B) Configuration and change management
Configuration and change management is correct. Configuration management is widely accepted as one of the key components of any network because it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Change management ensures that the setup and management of the network is done properly, including managing changes to the configuration, removal of default passwords and possibly hardening the network by disabling unneeded services.
37
An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control?
A) System-generated exception reports for the review period with the reviewer's sign-off
B) Management's confirmation of the effectiveness of the control for the review period
C) Walk-through with the reviewer of the operation of the control
D) A sample system- generated exception report for the review period, with follow-up action items noted by the reviewer
D) A sample system- generated exception report for the review period, with follow-up action items noted by the reviewer
A sample system-generated exception report for the review period, with follow- up action items noted by the reviewer is correct. This represents the best possible evidence of the effective operation of the control, because there is documented evidence that the reviewer reviewed the exception report and took actions based on the exception report.
38
Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium- sized organization?
A) Dedicated line
B) Leased line
C) Virtual private network
D) Integrated services digital network
C) Virtual private network
Virtual private network is correct. The most secure method is a virtual private network, using encryption, authentication and tunneling to allow data to travel securely from a private network to the Internet.
39
An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:
A) accountability system and the ability to identify any terminal accessing system resources.
B) maintenance of access logs of usage of various system resources.
C) authorization and authentication of the user prior to granting access to system resources.
D) adequate protection of stored data on servers by encryption or other means.
C) authorization and authentication of the user prior to granting access to system resources.
40
During an audit of a small enterprise, the IS auditor noted that the IS director has superuser- privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend?
A) Hire additional staff to provide a segregation of duties for application role changes.
B) Implement a properly documented process for application role change requests.
C) Document the current procedure in detail and make it available on the enterprise intranet.
D) Implement an automated process for changing application roles.
B) Implement a properly documented process for application role change requests.
Implement a properly documented process for application role change requests is correct. The IS auditor should recommend implementation of processes that could prevent or detect improper changes from being made to the major application roles. The application role change request process should start and be approved by the business owner; then, the IS director can make the changes to the application.
41
An IS auditor discovers that the disaster recovery plan (DRP) for a company does not include a critical application hosted in the cloud. Management's response states that the cloud vendor is responsible for disaster recovery (DR) and DR- related testing. What is the NEXT course of action for the IS auditor to pursue?
A) Plan an audit of the cloud vendor.
B) Review an independent auditor's report of the cloud vendor.
C) Review the vendor contract to determine its DR capabilities.
D) Request a copy of the DRP from the cloud vendor.
C) Review the vendor contract to determine its DR capabilities.
Review the vendor contract to determine its disaster recovery (DR) capabilities is correct. DR services can only be expected from the vendor when explicitly listed in the contract with well-defined recovery time objectives and recovery point objectives. Without the contractual language, the vendor is not required to provide DR services.
42
An IS auditor is reviewing an organization's network operations center (NOC). Which of the following choices is of the GREATEST concern? The use of:
A) a rented rack space in the NOC.
B) a wet pipe-based fire suppression system.
C) a carbon dioxide-based fire suppression system.
D) an uninterrupted power supply with 10 minutes of backup power.
C) a carbon dioxide-based fire suppression system.
A carbon dioxide (CO2)-based fire suppression system is correct. CO2 systems should not be used in areas where people are present, because their function will cause suffocation in the event of a fire. Controls should consider personnel safety first.
43
What is the BEST method to facilitate successful user testing and acceptance of a new enterprise resource planning payroll system that is replacing an existing legacy system?
A) Prototype testing
B) Parallel testing
C) Multiple testing
D) Integration testing
B) Parallel testing
Parallel testing is correct. This is the best method for testing data results and system behavior because it allows the users to compare results from both systems before decommissioning the legacy system. Parallel testing also results in better user adoption of the new system.
44
An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions?
A) Variable
B) Attribute
C) Stop-or-go
D) Judgment
B) Attribute
Attribute is correct. Attribute sampling is used to test compliance of transactions to controls—in this instance, the existence of appropriate approval.
45
Which of the following types of transmission media provide the BEST security against unauthorized access?
A) Fiber-optic cables
B) Copper wire
C) Shielded twisted pair
D) Coaxial cables
A) Fiber-optic cables
Fiber-optic cables is correct. Fiber-optic cables have proven to be more secure and more difficult to tap than the other media.
46
An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP traffic?
A) End users having access to software tools such as packet sniffer applications
B) Corruption of the Address Resolution Protocol cache in Ethernet switches
C) Use of a default administrator password on the analog phone switch
D) Deploying virtual local area networks without enabling encryption
B) Corruption of the Address Resolution Protocol cache in Ethernet switches
Corruption of the Address Resolution Protocol (ARP) cache in Ethernet switches is correct. On an Ethernet switch there is a data table known as the ARP cache, which stores mappings between media access control and IP addresses. During normal operations, Ethernet switches only allow directed traffic to flow between the ports involved in the conversation and no other ports can see that traffic. However, if the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply "flood" the directed traffic to all ports of the switch, which could allow an attacker to monitor traffic not normally visible to the port where the attacker was connected, and thereby eavesdrop on Voice-over Internet Protocol (VoIP) traffic.
47
Web and email filtering tools are valuable to an organization PRIMARILY because they:
A) assist the organization in preventing legal issues
B) maximize employee performance.
C) protect the organization from viruses and non-business materials.
D) safeguard the organization's image.
C) protect the organization from viruses and non-business materials.
Protect the organization from viruses and non-business materials is correct. The main reason for investing in web and email filtering tools is that they significantly reduce risk related to viruses, spam, mail chains, recreational surfing and recreational email.
48
The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors?
A) Discovery
B) Stop-or-go
C) Classical variable
D) Probability-proportional-to- size
A) Discovery
Discovery sampling is correct. This is used when an IS auditor is trying to determine whether a type of event has occurred. Therefore, it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.
49
When using public key encryption to secure data being transmitted across a network:
A) both the key used to encrypt and decrypt the data are public.
B) the key used to encrypt is private, but the key used to decrypt the data is public.
C) both the key used to encrypt and decrypt the data are private.
D) the key used to encrypt is public, but the key used to decrypt the data is private.
D) the key used to encrypt is public, but the key used to decrypt the data is private.
The key used to encrypt is public, but the key used to decrypt the data is private is correct. Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.
50
The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during:
A) the internal lab testing phase.
B) the implementation phase.
C) testing and prior to user acceptance.
D) the requirements gathering process.
C) testing and prior to user acceptance.
The requirements gathering process is correct. The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of applications software. This provides maximum opportunity for review of the vendors and their products. Early engagement of an IS auditor also minimizes the potential of a business commitment to a given solution that might be inadequate and more difficult to overcome as the process continues.
51
Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet?
A) The CA has several data processing subcenters to administer certificates.
B) Customers can make their transactions from any computer or mobile device.
C) Customers are widely dispersed geographically, but the certificate authorities (CAs) are not.
D) The organization is the owner of the CA.
D) The organization is the owner of the CA.
The organization is the owner of the certificate authority( CA)is correct. If the CA belongs to the same organization, this would pose a risk. The management of a CA must be based on trusted and secure procedures. If the organization has not set in place the controls to manage the registration, distribution and revocation of certificates this could lead to a compromise of the certificates and loss of trust.
52
Which of the following situations could impair the independence of an IS auditor? The IS auditor -
A) implemented specific functionality during the development of an application.
B) provided consulting advice concerning application good practices.
C) designed an embedded audit module for auditing an application.
D) participated as a member of an application project team and did not have operational responsibilities.
A) implemented specific functionality during the development of an application.
Implemented specific functionality during the development of an application is correct. Independence may be impaired if an IS auditor is or has been, actively involved in the development, acquisition, and implementation of the application system.
53
Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?
A) Stateful inspection firewalls B) Intrusion detection systems C) Packet filtering routers
D) Data mining techniques
D) Data mining techniques
Data mining techniques is correct. Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card.
54
Which of the following will BEST ensure the successful offshore development of business applications?
A) Stringent contract management practices
B) Detailed and correctly applied specifications
C) Post-implementation review
D) Awareness of cultural and political differences
B) Detailed and correctly applied specifications
Detailed and correctly applied specifications is correct. When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Inaccurate specifications cannot easily be corrected.
55
The rate of change in technology increases the importance of:
A) outsourcing the IT function.
B) meeting user requirements.
C) implementing and enforcing sound processes.
D) hiring qualified personnel.
C) implementing and enforcing sound processes.
Implementing and enforcing sound processes is correct. Change control requires that good change management processes be implemented and enforced.
56
Email message authenticity and confidentiality is BEST achieved by signing the message using the:
A) receiver's private key and encrypting the message using the sender's public key.
B) sender's private key and encrypting the message using the receiver's public key.
C) sender's public key and encrypting the message using the receiver's private key.
D) receiver's public key and encrypting the message using the sender's private key.
B) sender's private key and encrypting the message using the receiver's public key.
Sender's private key and encrypting the message using the receiver's public key is correct. By signing the message with the sender's private key, the receiver can verify its authenticity using the sender's public key. Encrypting with the receiver's public key provides confidentiality.
57
Which of the following would be the BEST access control procedure?
A) The data owner and an IS manager jointly create and update the user authorization tables.
B) The data owner formally authorizes access and an administrator implements the user authorization tables.
C) The data owner creates and updates the user authorization tables.
D) Authorized staff implements the user authorization tables and the data owner approves them.
B) The data owner formally authorizes access and an administrator implements the user authorization tables.
The data owner formally authorizes access and an administrator implements the user authorization tables is correct. The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables at the direction of the owner.
58
An IS auditor discovers that the configuration settings for password controls are more stringent for business users than for IT developers. Which of the following is the BEST action for the IS auditor to take?
A) Recommend that all password configuration settings be identical.
B) Document the observation as an exception.
C) Determine whether this is a policy violation and document it
D) Recommend that logs of IT developer access are reviewed periodically.
C) Determine whether this is a policy violation and document it
Determine whether this is a policy violation and document it is correct. If the policy documents the purpose and approval for different procedures, then an IS auditor only needs to document observations and tests as to whether the procedures are followed.
59
Which of the following is the FIRST step in an IT risk assessment for a risk-based audit?
A) Identify all IT systems and controls that are relevant to audit objectives.
B) List all controls from the audit program to select ones matching with audit objectives.
C) Understand the business, its operating model and key processes.
D) Review the results of a risk self-assessment.
D) Review the results of a risk self-assessment.
Understand the business, its operating model and key processes is correct. Risk-based auditing must be based on the understanding of the business, operating model and environment. This is the first step in an IT risk assessment for a risk-based audit. Identify all
60
Which control is the BEST way to ensure that the data in a file have not been changed during transmission?
A) Hash values
B) Reasonableness check
C) Check digits
D) Parity bits
A) Hash values
Hash values is correct. These are calculated on the file and are very sensitive to any changes in the data values in the file. Thus, they are the best way to ensure that data has not changed.
61
An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following: The existing DRP was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department. The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting attention. The DRP has never been updated, tested or circulated to key management and staff, although interviews show that each would know what action to take for its area if a disruptive incident occurred.. The IS auditor's report should recommend that:
A) a manager coordinates the creation of a new or revised plan within a defined time limit.
B) the deputy chief executive officer (CEO) be censured for failure to approve the plan.
C) a board of senior managers is set up to review the existing plan.
D) the existing plan is approved and circulated to all key management and staff.
A) a manager coordinates the creation of a new or revised plan within a defined time limit.
A manager coordinates the creation of a new or revised plan within a defined time limit is correct. The primary concern is to establish a workable disaster recovery plan (DRP) that reflects current processing volumes to protect the organization from any disruptive incident.
62
Which of the following inputs would PRIMARILY help in designing the data backup strategy in case of potential natural disasters?
A) Recovery point objective
B) Recovery time objective
C) Available data backup technologies
D) Volume of data to be backed up
A) Recovery point objective
Recovery point objective (RPO) is correct. This is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the acceptable amount of data loss in the case of interruption. Based on the RPO, one can design the data backup strategy for potential disasters using various technologies.
63
What is the PRIMARY consideration for an IS auditor reviewing the prioritization and coordination of IT projects and program management?
A) IT project metrics are reported accurately.
B) Projects are aligned with the organization's strategy.
C) Identified project risk is monitored and mitigated.
D) Controls related to project planning and budgeting are appropriate.
B) Projects are aligned with the organization's strategy.
Projects are aligned with the organization's strategy is correct. The primary goal of IT projects is to add value to the business, so they must be aligned with the business strategy to achieve the intended results. Therefore, the IS auditor should first focus on ensuring this alignment.
64
A company determined that its web site was compromised, and a rootkit was installed on the server hosting the application. Which of the following choices would have MOST likely prevented the incident?
A) Operating system patching B) A firewall
C) A network-based intrusion detection system
D) A host-based intrusion prevention system
D) A host-based intrusion prevention system
A host-based intrusion prevention system (IPS) is correct. This prevents unauthorized changes to the host. If a malware attack attempted to install a rootkit, the IPS would refuse to permit the installation without the consent of an administrator.
65
The final decision to include a material finding in an audit report should be made by the:
A) IS auditor.
B) chief executive officer of the organization.
C) auditee's manager.
D) audit committee.
A) IS auditor.
The IS auditor is correct. The IS auditor should make the final decision about what to include or exclude from the audit report.
66
Which of the following should be included in a feasibility study for a project to implement an electronic data interchange process?
A) The proposed trusted third-party agreement
B) The necessary communication protocols
C) The encryption algorithm format
D) The detailed internal control procedures
C) The encryption algorithm format
The necessary communication protocols is correct. The communications protocols must be included because there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization.
67
Which of the following is the MOST important action in recovering from a cyberattack?
A) Activating an incident response team
B) Hiring cyberforensic investigators
C) Executing a business continuity plan
D) Preserving evidence
A) Activating an incident response team
Activating an incident response team is correct. Hopefully the incident response team and procedures were set up prior to the cyberattack. The first step is to activate the team, contain the incident and keep the business operational.
68
An IS auditor finds that a disaster recovery plan for critical business functions does not cover all systems. Which of the following is the MOST appropriate course of action for the IS auditor?
A) Cancel the audit.
B) Postpone the audit until the systems are added to the DRP.
C) Alert management and evaluate the impact of not covering all systems.
D) Complete the audit of the systems covered by the existing DRP.
C) Alert management and evaluate the impact of not covering all systems.
Alert management and evaluate the impact of not covering all systems is correct. An IS auditor should make management aware that some systems are omitted from the disaster recovery plan (DRP). An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the DRP.
69
An IS auditor discovers several IT-based projects were implemented and not approved by the steering committee. What is the GREATEST concern for the IS auditor?
A) IT projects are not following the system development life cycle process.
B) The IT department may not be working toward a common goal.
C) IT projects are not consistently formally approved.
D) The IT department's projects will not be adequately funded.
B) The IT department may not be working toward a common goal.
The IT department may not be working toward a common goal is correct. The steering committee provides direction and control over projects to ensure that the company is making appropriate investments. Without approval, the project may or may not be working toward the company's goals.
70
An IS auditor finds that the data warehouse query performance decreases significantly at certain times of the day. Which of the following controls would be MOST relevant for the IS auditor to review?
A) User spool and database limit controls
B) Read/write access log controls
C) Permanent table- space allocation
D) Commitment and rollback controls
A) User spool and database limit controls
User spool and database limit controls is correct. User spool limits restrict the space available for running user queries. This prevents poorly formed queries from consuming excessive system resources and impacting general query performance. Limiting the space available to users in their own databases prevents them from building excessively large tables. This helps to control space utilization which itself acts to help performance by maintaining a buffer between the actual data volume stored and the physical device capacity. Additionally, it prevents users from consuming excessive resources in ad hoc table builds (as opposed to scheduled production loads that often can run overnight and are optimized for performance purposes). In a data warehouse, because you are not running online transactions, commitment and rollback does not have an impact on performance.
71
The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
A) alignment of the IT activities with IS audit recommendations.
B) reduction of the cost for IT security.
C) implementation of the chief information security officer's recommendations.
D) enforcement of the management of security risk.
D) enforcement of the management of security risk.
Enforcement of the management of security risk is correct. The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level, and monitoring of the residual risk.
72
An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access yet is required for smooth functioning of business operations. Which of the following controls would the IS auditor MOST likely recommend for long-term resolution?
A) Implement additional logging controls.
B) Redesign the controls related to data authorization.
C) Review policy to see if a formal exception process is required.
D) Implement additional segregation of duties controls.
C) Review policy to see if a formal exception process is required.
Review policy to see if a formal exception process is required is correct. If the users are granted access to change data in support of the business requirements, and the policy should be followed. If there is no policy for the granting of extraordinary
access, then one should be designed to ensure no unauthorized changes are made.
73
An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise's investment in software is protected, which of the following should be recommended by the IS auditor?
A) Due diligence should be performed on the software vendor.
B) There should be a source code escrow agreement in place.
C) A quarterly audit of the vendor facilities should be performed.
D) A high penalty clause should be included in the contract. Explanation
B) There should be a source code escrow agreement in place.
There should be a source code escrow agreement in place is correct. A source code escrow agreement is primarily recommended to help protect the enterprise's investment in software, because the source code will be available through a trusted third party and can be retrieved if the start-up vendor goes out of business.
74
An IS auditor is reviewing an organization's controls related to email encryption. The company's policy states that all sent email must be encrypted to protect the confidentiality of the message because the organization shares nonpublic information through email. In a public key infrastructure implementation properly configured to provide confidentiality. email is:
A) encrypted with the recipient's private key and decrypted with the sender's private key.
B) encrypted with the sender's private key and decrypted with the recipient's private key.
C) encrypted with the recipient's public key and decrypted with the recipient's private key.
D) encrypted with the sender's private key and decrypted with the sender's public key.
C) encrypted with the recipient's public key and decrypted with the recipient's private key.
Encrypted with the recipient's public key and decrypted with the recipient's private key is correct. Encrypting a message with the recipient's public key and decrypting it with the recipient's private key ensures message confidentiality, because only the intended recipient has the correct private key to decrypt the message.
75
During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:
A) message authentication.
B) encryption.
C) callback modems.
D) dedicated leased lines.
B) encryption.
Encryption is correct. Encryption of data is the most secure method of protecting confidential data from exposure.
76
An IS auditor is reviewing system development for a health care organization with two application environments—production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation?
A) The test environment may produce inaccurate results due to use of production data.
B) The test environment may not have adequate access controls implemented to ensure data confidentiality.
C) Hardware in the test environment may not be identical to the production environment.
D) The test environment may not have adequate controls to ensure data accuracy.
B) The test environment may not have adequate access controls implemented to ensure data confidentiality.
The test environment may not have adequate access controls implemented to ensure data confidentiality is correct. In many cases, the test environment is not configured with the same access controls that are enabled in the production environment. For example, programmers may have privileged access to the test environment (for testing), but not to the production environment. If the test environment does not have adequate access control, the production data are subject to risk of unauthorized access and/or data disclosure. This is the most significant risk of the choices listed.
77
An organization's IT director has approved the installation of a wireless local area network access point in a conference room for a team of consultants to access the Internet with their laptop computers. The BEST control to protect the corporate servers from unauthorized access is to ensure that:
A) the conference room network is on a separate virtual local area network.
B) antivirus signatures and patch levels are current on the consultants' laptops.
C) encryption is enabled on the access point.
D) default user IDs are disabled and strong passwords are set on the corporate servers.
A) the conference room network is on a separate virtual local area network.
The conference room network is on a separate virtual local area network (VLAN) is correct. The installation of the wireless network device presents risk to the corporate servers from both authorized and unauthorized users. A separate virtual local area network is the best solution because it ensures that both authorized and unauthorized users are prevented from gaining network access to database servers, while allowing Internet access to authorized users.
78
During an access control review for a mainframe application, an IS auditor discovers user security groups without designated owners. The PRIMARY reason that this is a concern to the IS auditor is that without ownership, there is no one with clear responsibility for:
A) reviewing existing user access.
B) updating group metadata.
C) approval of user access.
D) removing terminated users.
C) approval of user access.
Approval of user access is correct. Without an owner to provide approval for user access to the group, unauthorized individuals could potentially gain access to any sensitive data within the rights of the group.
79
Which of the following types of penetration tests effectively evaluates the incident handling and response capability of the system administrator?
A) Targeted testing
B) Double-blind testing
C) Internal testing
D) External testing
B) Double-blind testing
Double-blind testing is correct. In double-blind testing, the penetration tester has little or limited knowledge about the target system, and personnel at the target site have not been informed that a test is being performed. Because the administrator and security staff at the target are not aware of the test, it can effectively evaluate the incident handling and response capability of the system administrator.
80
An employee has received a digital photo frame as a gift and has connected it to his/her work PC to transfer digital photos. The PRIMARY risk that this scenario introduces is that:
A) the drivers for the photo frame may be incompatible and crash the user's PC.
B) the photo frame could be infected with malware.
C) the photo frame storage media could be used to steal corporate data.
D) the employee may bring inappropriate photographs into the office.
B) the photo frame could be infected with malware.
The photo frame could be infected with malware is correct. Any storage device can be a vehicle for infecting other computers with malware. There are several examples where it has been discovered that some devices are infected in the factory during the manufacturing process and controls should exist to prohibit employees from connecting any storage media devices to their company-issued PCs.
81
An IS auditor discovers a potential material finding. The BEST course of action is to:
A) increase the scope of the audit.
B) perform additional testing.
C) discuss the potential finding with the audit committee.
D) report the potential finding to business management.
B) perform additional testing.
Perform additional testing is correct. The IS auditor should perform additional testing to ensure that it is a finding. An auditor can quickly lose credibility if it is later discovered the finding was not justified or accurate.
82
An IS auditor finds that conference rooms have active network ports. Which of the following would prevent this discovery from causing concern?
A) Antivirus software is in place to protect the corporate network.
B) A single sign-on has been implemented in the corporate network.
C) This part of the network is isolated from the corporate network.
D) The corporate network is using an intrusion prevention system.
C) This part of the network is isolated from the corporate network.
This part of the network is isolated from the corporate network is correct. If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or by being physically separated.
83
Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data?
A) Virtual private network
B) Secure Sockets Layer
C) Intrusion detection system
D) Public key infrastructure
B) Secure Sockets Layer
Secure Sockets Layer (SSL) is correct. This is used for many e- commerce applications to set up a secure channel for communications providing confidentiality through a combination of public and symmetric key encryption and integrity through hash message authentication code.
84
An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?
A) Risk mitigation
B) Risk avoidance
C) Risk transfer
D) Risk reduction
C) Risk transfer
Risk transfer is correct. This typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist.
85
A system developer transfers to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST significant concern?
A) The employee's knowledge of business risk may be limited.
B) Audit points may largely shift to technical aspects.
C) The work may be construed as a self-audit.
D) The employee may not have sufficient control assessment skills.
C) The work may be construed as a self-audit.
The work may be construed as a self-audit is correct. Because the employee had been a developer, it is recommended that the audit coverage should exclude the systems developed by this employee to avoid any conflicts of interests.
86
Regression testing is undertaken PRIMARILY to ensure that:
A) a new system can operate in the target environment.
B) system functionality meets customer requirements.
C) applied changes have not introduced new errors.
D) applicable development standards have been maintained.
C) applied changes have not introduced new errors.
Applied changes have not introduced new errors is correct. Regression testing is used to test for the introduction of new errors in the system after changes have been applied.
87
A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?
A) Work is being completed in TCP services.
B) A digital signature with RSA has been implemented.
C) Work is completed in tunnel mode with IP security.
D) Digital certificates with RSA are being used.
C) Work is completed in tunnel mode with IP security.
Work is completed in tunnel mode with IP security is correct. Tunnel mode with Internet Protocol (IP) security provides encryption and authentication of the complete IP package. To accomplish this, the authentication header and encapsulating security payload services can be nested. This is known as IP Security.
88
An IS auditor is reviewing an organization's recovery from a disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined?
A) The service delivery objective
B) The recovery time objective C) The recovery point objective
D) The interruption window
C) The recovery point objective
The recovery point objective (RPO) is correct. This is determined based on the acceptable data loss in the case of a disruption of operations. RPO defines the point in time from which it is necessary to recover the data and quantifies, in terms of time, the permissible amount of data loss in the case of interruption.
89
A laptop computer belonging to a company database administrator (DBA) and containing a file of production database passwords has been stolen. What should the organization do FIRST?
A) Change the database password.
B) Send a report to the IS audit department.
C) Suspend the DBA account.
D) Change the name of the DBA account.
A) Change the database password.
Change the database password is correct. The password should be changed immediately because there is no way to know whether it has been compromised.
90
An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is the MOST likely cause of this issue?
A) Project time management
B) Project risk management
C) Project scope management
D) Project procurement management
C) Project scope management
Project scope management is correct. Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processes required to ensure that the project includes all of the required work, and only the required work, to complete the project.
91
Which of the following choices would MOST likely ensure that a disaster recovery effort is successful?
A) Appropriate staff resources are committed.
B) Data restoration was completed.
C) Recovery procedures are approved.
D) The tabletop test was performed.
B) Data restoration was completed.
Data restoration was completed is correct. The most reliable method to determine whether a backup is valid would be to restore it to a system. A data restore test should be performed at least annually to verify that the process is working properly.
92
An organization is migrating from a legacy system to an enterprise resource planning system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
A) correlation of semantic characteristics of the data migrated between the two systems.
B) relative efficiency of the processes between the two systems.
C) correlation of arithmetic characteristics of the data migrated between the two systems.
D) correlation of functional characteristics of the processes between the two systems.
A) correlation of semantic characteristics of the data migrated between the two systems.
Correlation of semantic characteristics of the data migrated between the two systems is correct. Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data (structure) is the same in the new as it was in the old system.
93
Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?
A) Calculation of the expected end date based on current resources and remaining available project budget
B) Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables
C) Extrapolation of the overall end date based on completed work packages and current resources
D Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports
C) Extrapolation of the overall end date based on completed work packages and current resources
Extrapolation of the overall end date based on completed work packages and current resources is correct. Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (i.e., 80:20 rule).
94
An IS auditor is reviewing an IT security risk management program. Measures of security risk should:
A) be tracked over time against the IT strategic plan.
B) consider the entire IT environment.
C) address all of the network risk.
D) result in the identification of vulnerability tolerances
B) consider the entire IT environment.
Consider the entire IT environment is correct. When assessing IT security risk, it is important to consider the entire IT environment.
95
When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the:
A) hardware is protected against long- term power fluctuations.
B) integrity is maintained if the main power is interrupted.
C) immediate power will be available if the main power is lost.
D) hardware is protected against power surges.
D) hardware is protected against power surges.
Hardware is protected against power surges is correct. A voltage regulator protects against short-term power fluctuations.
96
An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the:
A) security policy be updated to include the specific language regarding unauthorized software.
B) IT department implement control mechanisms to prevent unauthorized software installation.
C) users obtain approval from an IS manager before installing nonstandard software.
D) IT department prohibit the download of unauthorized software.
A) security policy be updated to include the specific language regarding unauthorized software.
Security policy be updated to include the specific language regarding unauthorized software is correct. Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue—and provide authority for the IT department to implement technical controls.
97
The risk associated with electronic evidence gathering is MOST likely reduced by an email:
A) destruction policy.
B) audit policy.
C) security policy.
D) archive policy.
D) archive policy.
Archive policy is correct. With a policy of well- archived email records, access to or retrieval of specific email records to comply with legal requirements is possible.
98
When reviewing an organization's approved software product list, which of the following is the MOST important thing to verify?
A) Due to licensing issues, the list does not contain open source software.
B) The latest version of software is listed for each product.
C) The risk associated with the use of the products is periodically assessed.
D) After-hours support is offered.
C) The risk associated with the use of the products is periodically assessed.
The risk associated with the use of the products is periodically assessed is correct. Because the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This may be best incorporated into the IT risk management process.
99
A project development team is considering using production data for its test deck. The team removed sensitive data elements from the bed before loading it into the test environment. Which of the following additional concerns should an IS auditor have with this practice?
A) Not all functionality will be tested.
B) Specialized training is required.
C) The project may run over budget.
D) Production data are introduced into the test environment.
A) Not all functionality will be tested.
Not all functionality will be tested is correct. A primary risk of using production data in a test deck is that not all transactions or functionality may be tested if there are no data that meet the requirement.
100
An IS auditor is testing employee access to a large financial system, and the IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing?
A) A list of accounts with access levels generated by the system
B) A spreadsheet provided by the system administrator
C) Observations performed onsite in the presence of a system administrator
D) Human resources access documents signed by employees' managers.
A) A list of accounts with access levels generated by the system
A list of accounts with access levels generated by the system is correct. The access list generated by the system is the most reliable, because it is the most objective evidence to perform a comparison against the samples selected. The evidence is objective, because it was generated by the system rather than by an individual.
101
Which of the following is responsible for the approval of an information security policy?
A) Board of directors
B) IT department
C) Security administrator
D) Security committee
A) Board of directors
Board of directors is correct. Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors.
102
Which of the following features of a public key infrastructure is MOST closely associated with proving that an online transaction was authorized by a specific customer?
A) Authentication
B) Integrity
C) Encryption
D) Nonrepudiation
D) Nonrepudiation
Nonrepudiation is correct. This, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message.
103
An IS auditor is reviewing system access and discovers an excessive number of users with privileged access. The IS auditor discusses the situation with the system administrator, who states that some personnel in other departments need privileged access and management has approved the access. Which of the following would be the BEST course of action for the IS auditor?
A) Document the issue in the audit report.
B) Recommend an update to the procedures.
C) Discuss the issue with senior management.
D) Determine whether compensating controls are in place.
D) Determine whether compensating controls are in place.
Determine whether compensating controls are in place is correct. An excessive number of users with privileged access is not necessarily an issue if compensating controls are in place.
104
An IS auditor discovers that devices connected to the network are not included in a network diagram that had been used to develop the scope of the audit. The chief information officer explains that the diagram is being updated and awaiting final approval.
The IS auditor should FIRST:
A) evaluate the impact of the undocumented devices on the audit scope.
B) expand the scope of the IS audit to include the devices that are not on the network diagram.
C) plan follow-up audits of the undocumented devices.
D) note a control deficiency because the network diagram has not been approved.
A) evaluate the impact of the undocumented devices on the audit scope.
Evaluate the impact of the undocumented devices on the audit scope is correct. In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated—for example, the network layer, cross-connections, etc.
105
When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor?
A) Hard disks are overwritten several times at the sector level but are not reformatted before leaving the organization.
B) All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization.
C) The transport of hard disks is escorted by internal security staff to a nearby metal recycling company, where the hard disks are registered and then shredded.
D) Hard disks are rendered unreadable by hole-punching through the platters at specific positions before leaving the organization.
B) All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization.
All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization is correct. Deleting and formatting only marks the sectors that contained files as being free. Publicly available tools are sufficient for someone to reconstruct data from hard drives prepared this way.
106
From a control perspective, the PRIMARY objective of classifying information assets is to:
A) ensure access controls are assigned to all information assets.
B) assist management and auditors in risk assessment.
C) identify which assets need to be insured against losses.
D) establish guidelines for the level of access controls that should be assigned.
D) Establish guidelines for the level of access controls that should be assigned.
Establish guidelines for the level of access controls that should be assigned is correct. Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset.
107
An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability?
A) Test plans and procedures exist and are closely followed.
B) Changes are authorized by IT managers at all times.
C) User acceptance testing is performed and properly documented.
D) Capacity planning is performed as part of each development project.
A) Test plans and procedures exist and are closely followed.
Test plans and procedures exist and are closely followed is correct. The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently.
108
Which of the following is the MOST efficient strategy for the backup of large quantities of mission-critical data when the systems need to be online to take sales orders 24 hours a day?
A) Making a full backup to tape weekly and an incremental backup nightly
B) Creating a duplicate storage area network (SAN) and replicating the data to a second SAN
C) Implementing a fault- tolerant disk-to-disk backup solution
D) Creating identical server and storage infrastructure at a hot site
C) Implementing a fault- tolerant disk-to-disk backup solution
Implementing a fault-tolerant disk-to-disk backup solution is correct. Disk-to-disk backup, also called disk-to-disk-to-tape backup or tape cache, is when the primary backup is written to disk instead of tape. That backup can then be copied, cloned or migrated to tape at a later time (hence the term "disk-to-disk-to-tape"). This technology allows the backup of data to be performed without impacting system performance and allows a large quantity of data to be backed up in a very short backup window. In case of a failure, the fault-tolerant system can transfer immediately to the other disk set.
109
An IS auditor performing detailed network assessments and access control reviews should FIRST:
A) assess users' identification and authorization.
B) evaluate users' access authorization.
C) determine the points of entry into the network.
D) evaluate the domain-controlling server configuration.
C) determine the points of entry into the network.
Determine the points of entry into the network is correct. In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry, accordingly, for appropriate controls.
110
When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies:
A) strike a balance between business and security requirements.
B) provide direction for implementing security procedures.
C) are approved by the board of directors and senior management.
D) are aligned with globally accepted industry good practices.
A) Strike a balance between business and security requirements.
Strike a balance between business and security requirements is correct. Because information security policies must be aligned with an organization's business and security objectives, this is the primary focus of the IS auditor when reviewing the development of information security policies.
111
An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings?
A) Standard report with configuration values retrieved from the system by the IS auditor
B) System configuration values imported to a spreadsheet by the system administrator
C) Annual review of approved system configuration values by the business owner
D) Dated screenshot of the system configuration settings made available by the system administrator
A) Standard report with configuration values retrieved from the system by the IS auditor
Standard report with configuration values that are retrieved from the system by the IS auditor is correct. Evidence that is obtained directly from the source by an IS auditor is more reliable than information that is provided by a system administrator or a business owner, because the IS auditor does not have a vested interest in the outcome of the audit.
112
Which of the following types of firewalls would BEST protect a network from an Internet attack?
A) Screened subnet firewall
B) Packet filtering router
C) Circuit-level gateway
D) Application filtering gateway
A) Screened subnet firewall
Screened subnet firewall is correct. This would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to allow or avoid traffic between nets or nodes based on addresses, ports, protocols, interfaces, etc. The subnet would isolate Internet-based traffic from the rest of the corporate network.
113
When reviewing system parameters, an IS auditor's PRIMARY concern should be that:
A) access to parameters in the system is restricted.
B) changes are recorded in an audit trail and periodically reviewed.
C) changes are authorized and supported by appropriate documents.
D) they are set to meet both security and performance requirements.
D) they are set to meet both security and performance requirements.
They are set to meet both security and performance requirements is correct. The primary concern is to find the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; however, if parameters are not set according to business rules, monitoring of changes may not be an effective control.
114
What an IS auditor would evaluate while performing a review of application controls?
A) impact of any exposures discovered.
B) application's optimization.
C) efficiency of the application in meeting the business processes.
D) business processes served by the application
A) impact of any exposures discovered.
Impact of any exposures discovered is correct. An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses.
115
An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks and reports for distribution. To BEST ensure payroll data accuracy:
A) checks should be compared to input forms.
B) payroll reports should be compared to input forms.
C) gross payroll should be recalculated manually.
D) checks should be reconciled with output reports.
B) Payroll reports should be compared to input forms.
Payroll reports should be compared to input forms is correct. The best way to confirm data accuracy, when input is provided by the organization and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports.
116
Which of the following is a network diagnostic tool that monitors and records network information?
A) Online monitor
B) Help desk report
C) Protocol analyzer
D) Downtime report
C) Protocol analyzer
Protocol analyzer is correct. These are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached.
117
While conducting an audit on the customer relationship management application, the IS auditor observes that it takes a significantly long time for users to log on to the system during peak business hours as compared with other times of the day. Once logged on, the average response time for the system is within acceptable limits. Which of the following choices should the IS auditor recommend?
A) Users should be provided with detailed manuals to use the system properly.
B) IT should increase the network bandwidth to improve performance.
C) Establish performance measurement criteria for the authentication servers.
D) No action should be taken because the system meets current business requirements.
C) Establish performance measurement criteria for the authentication servers.
Establish performance measurement criteria for the authentication servers is correct. Performance criteria for the authentication servers would help to quantify acceptable thresholds for system performance, which can be measured and remediated.
118
Which of the following components is responsible for the collection of data in an intrusion detection system?
A) Sensor
B) User interface
C) Analyzer
D) Administration console
A) Sensor
Sensor is correct. Sensors are responsible for collecting data. Sensors may be attached to a network, server or other location and may gather data from many points for later analysis.
119
Which of the following functions is performed by a virtual private network?
A) Enforcing security policies
B) Detecting misuse or mistakes
C) Regulating access
D) Hiding information from sniffers on the net
D) Hiding information from sniffers on the net
Hiding information from sniffers on the net is correct. A virtual private network (VPN) hides information from sniffers on the Internet using tunneling. It works based on encapsulation and encryption of sensitive traffic.
120
Which of the following is the GREATEST risk to the effectiveness of application system controls?
A) Unresolved regulatory compliance issues
B) Inadequate procedure manuals
C) Removal of manual processing steps
D) Collusion between employees
D) Collusion between employees
Collusion between employees is correct. Collusion is an active attack where users collaborate to bypass controls such as separation of duties. Such breaches may be difficult to identify because even well-thought-out application controls may be circumvented.
121
An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit?
A) To ensure that data entered are within reasonable limits
B) To ensure that transactions do not exceed predetermined amounts
C) To ensure that data entered are within a predetermined range of values
D) To detect data transposition errors
D) To detect data transposition errors
To detect data transposition errors is correct. A check digit is a numeric value added to data to ensure that original data are correct and have not been altered.
122
An IS auditor is auditing an IT disaster recovery plan. The IS auditor should PRIMARILY ensure that the plan covers:
A) a resilient IT infrastructure.
B) documented disaster recovery test results.
C) alternate site information.
D) analysis and prioritization of business functions
D) analysis and prioritization of business functions
Analysis and prioritization of business functions is correct. The disaster recovery plan (DRP) must primarily focus on recovering critical business functions in the event of disaster within predefined recovery time objectives (RTOs); thus, it is necessary to align the recovery of IT services based on the criticality of business functions.
123
An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely:
A) check to ensure that the type of transaction is valid for the card type.
B) confirm that the card is not shown as lost or stolen on the master file.
C) verify the format of the number entered, then locate it on the database.
D) ensure that the transaction entered is within the cardholder's credit limit.
C) verify the format of the number entered, then locate it on the database.
Verify the format of the number entered, then locate it on the database is correct. The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number entered by the user.
124
A project manager for a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine:
A) the amount of progress achieved compared to the project schedule.
B) if the project could be brought in ahead of schedule.
C) if the project budget can be reduced.
D) if the budget savings can be applied to increase the project scope.
A) the amount of progress achieved compared to the project schedule.
The amount of progress achieved compared to the project schedule is correct. Cost performance of a project cannot be properly assessed in isolation of schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project.
125
A hacker could obtain passwords without the use of computer tools or programs through the technique of:
A) social engineering.
B) sniffers.
C) back doors.
D) Trojan horses.
A) social engineering.
Social engineering is correct. This is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their or someone else's personal data.
126
An IS auditor invited to a project development meeting notes that no project risk has been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risk and that, if risk starts impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:
A) accept the project manager's position because the project manager is accountable for the outcome of the project.
B) inform the project manager that the IS auditor will conduct a review of the risk at the completion of the requirements definition phase of the project.
C) offer to work with the risk manager when one is appointed.
D) stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans.
D) stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans.
Stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans is correct. The majority of project risk can be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk. A project should have a clear link back to corporate strategy, enterprise risk management, and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risk.
127
A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that:
A) the site credentials were sent to the financial services company via email.
B) the users may not remember to manually encrypt the data before transmission.
C) the use of a shared user ID to the FTP site does not allow for user accountability.
D) personnel at the consulting firm may obtain access to sensitive data.
B) the users may not remember to manually encrypt the data before transmission.
The users may not remember to manually encrypt the data before transmission is correct. If the data is not encrypted, an unauthorized external party may download sensitive company data.
128
Which of the following would impair the independence of a quality assurance team?
A) Checking the test assumptions
B) Correcting coding errors during the testing process
C) Ensuring compliance with development methods
D) Checking the code to ensure proper documentation.
B) Correcting coding errors during the testing process
Correcting coding errors during the testing process is correct. Correction of code should not be a responsibility of the quality assurance team, because it would not ensure segregation of duties and would impair the team's independence.
129
Responsibility and reporting lines cannot always be established when auditing automated systems because:
A) ownership is difficult to establish where resources are shared.
B) duties change frequently in the rapid development of technology.
C) diversified control makes ownership irrelevant.
D) staff traditionally changes jobs with greater frequency.
A) ownership is difficult to establish where resources are shared.
Ownership is difficult to establish where resources are shared is correct. The actual data and/or application owner may be hard to establish because of the complex nature of both data and application systems and many systems support more than one business department.
130
Java applets and Active X controls are distributed programs that execute in the background of a client web browser. This practice is considered reasonable when:
A) the host web site is part of the organization.
B) a secure web connection is used.
C) a firewall exists.
D) the source of the executable file is certain.
The source of the executable file is certain is correct. Acceptance of these mechanisms should be based on established trust. The control is provided by only knowing the source and then allowing the acceptance of the applets. Hostile applets can be received from anywhere. A firewall exists is incorrect. There should always be a firewall on an Internet connection; however, whether to allow active models is a decision made depending on the source of the module. A secure web connection is used is incorrect. A secure web connection provides confidentiality. Neither a secure web connection nor a firewall can identify an executable file as friendly. The host web site is part of the organization is incorrect. Hosting the web site as part of the organization is impractical. The client will accept the program if the parameters are established to do so.
131
Which of the following is of MOST interest to an IS auditor reviewing an organization's risk strategy?
A) The organization uses an established risk framework.
B) Residual risk is zero after control implementation.
C) All risk is mitigated effectively.
D) All likely risk is identified and ranked.
A) The organization uses an established risk framework.
All likely risk is identified and ranked is correct. Risk that is likely to impact the organization should be identified and documented as part of the risk strategy. Without knowing the risk, there is no risk strategy.
132
The PRIMARY objective of service- level management is to:
A) monitor and report any legal noncompliance to business management.
B) ensure that services are managed to deliver the highest achievable level of availability.
C) define, agree on, record and manage the required levels of service.
D) keep the costs associated with any service at a minimum.
C) define, agree on, record and manage the required levels of service.
Define, agree on, record and manage the required levels of service is correct. The objective of service-level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services.
133
While designing the business continuity plan for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:
A) electronic vaulting.
B) hard-disk mirroring.
C) hot-site provisioning.
D) shadow file processing.
D) shadow file processing.
In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files such as airline booking systems.
134
The MAIN purpose of a transaction audit trail is to:
A) reduce the use of storage media.
B) determine accountability and responsibility for processed transactions.
C) provide useful information for capacity planning.
D) help an IS auditor trace transactions.
B) determine accountability and responsibility for processed transactions.
Determine accountability and responsibility for processed transactions is correct. Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system.
135
During a review of intrusion detection logs, an IS auditor notices traffic coming from the Internet, which appears to originate from the internal IP address of the company payroll server. Which of the following malicious activities would MOST likely cause this type of result?
A) A man-in-the-middle attack B) Spoofing
C) A denial-of-service attack D) Port scanning
B) Spoofing
Spoofing is correct. This is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server's internal network address. By impersonating the payroll server, the attacker may be able to access sensitive internal resources.
136
An IS auditor is reviewing the software development process for an organization. Which of the following functions are appropriate for the end users to perform?
A) Program logic specification B) Performance tuning
C) Program output testing
D) System configuration
C) Program output testing
Program output testing is correct. A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user.
137
An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important?
A) Equal-error rate
B) False-acceptance rate
C) False-identification rate
D) False-rejection rate
B) False-acceptance rate
False-acceptance rate (FAR) is correct. This is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied. In an organization with high security requirements, limiting the number of false acceptances is more important that the impact on the false reject rate.
138
A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately, and the corresponding products are produced?
A) Approving (production supervisor) orders prior to production
B) Logging all customer orders in the ERP system
C) Verifying production of customer orders
D) Using hash totals in the order transmitting process
D) Using hash totals in the order transmitting process
Verifying production of customer orders is correct. Verification of the products produced will ensure that the produced products match the orders in the order system.
139
When reviewing an organization's logical access security to its remote systems, which of the following would be of GREATEST concern to an IS auditor?
A) Unencrypted passwords are used.
B) Passwords are shared.
C) Redundant logon IDs exist.
D) Third-party users possess administrator access.
A) Unencrypted passwords are used.
Unencrypted passwords are used is correct. When evaluating the technical aspects of logical security, unencrypted passwords represent the greatest risk because it would be assumed that remote access would be over an untrusted network where passwords could be discovered.
140
A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions more than a certain amount. What type of audit control is this?
A) Directive
B) Preventive
C) Corrective
D) Detective
B) Preventive
Preventive is correct. Having a manager approve transactions more than a certain amount is considered a preventive control.
141
The potential for unauthorized system access by way of terminals or workstations within an organization's facility is increased when:
A) connecting points are available in the facility to connect laptops to the network.
B) terminals are located within the facility in small clusters under the supervision of an administrator.
C) terminals with password protection are located in insecure locations.
D) users take precautions to keep their passwords confidential.
A) connecting points are available in the facility to connect laptops to the network.
Connecting points are available in the facility to connect laptops to the network is correct. Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other choices are controls for preventing unauthorized network access.
142
When an employee is terminated from service, the MOST important action is to:
A) disable the employee's logical access.
B) hand over all of the employee's files to another designated employee.
C) notify other employees of the termination.
D) complete a backup of the employee's work.
A) disable the employee's logical access.
Disable the employee's logical access is correct. There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important and immediate action to take.
143
Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?
A) Cyclic redundancy check
B) Block sum check
C) Echo check
D) Parity check
A) Cyclic redundancy check
Cyclic redundancy check (CRC) is correct. CRC can check for a block of transmitted data. The workstations generate the CRC and transmit it with the data. The receiving workstation computes a CRC and compares it to the transmitted CRC. If both of them are equal, then the block is assumed error free. In this case (such as in parity error or echo check), multiple errors can be detected. In general, CRC can detect all single-bit and double-bit errors.
144
When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:
A) increases in quality are only achieved if resource allocation is increased.
B) decreases in delivery time can only be achieved if quality is decreased.
C) increases in quality can be achieved, if resource allocation is decreased.
D) decreases in delivery time can be achieved, if resource allocation is decreased.
C) increases in quality can be achieved, if resource allocation is decreased.
Increases in quality can be achieved, if resource allocation is decreased is correct. The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing either one or both remaining dimensions. Thus, if resource allocation is decreased, an increase in quality can be achieved if a delay in the delivery time of the project will be accepted. The area of the triangle always remains constant.
145
An IS auditor is conducting a review of the disaster recovery procedures for a data center. Which of the following indicators BEST shows that the procedures meet the requirements?
A) Documented procedures were approved by management.
B) A tabletop exercise using the procedures was conducted.
C) Procedures were reviewed and compared with industry good practices.
D) Recovery teams and their responsibilities are documented.
B) A tabletop exercise using the procedures was conducted.
A tabletop exercise using the procedures was conducted is correct. Conducting a tabletop exercise (paper-based test) of the procedures with all responsible members, best ensures that the procedures meet the requirements. This type of test can identify missing or incorrect procedures because representatives responsible for performing the tasks are present.
146
Which of the following goals do you expect to find in an organization's strategic plan?
A) Approved suppliers for products offered by the company
B) An evaluation of information technology needs
C) Results of new software testing
D) Short-term project plans for a new planning system
A) Approved suppliers for products offered by the company
Approved suppliers for products offered by the company is correct. Approved suppliers of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and, thus, is a part of the organization's strategic plan.
147
What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should -
A) introduce audit hooks into the company's financial systems to support continuous auditing.
B) be customizable and support inclusion of custom programming to aid in investigative analysis.
C) interface with various types of enterprise resource planning software and databases.
D) accurately capture data from the organization's systems without causing excessive performance problems.
D) accurately capture data from the organization's systems without causing excessive performance problems.
Accurately capture data from the organization's systems without causing excessive performance problems is correct. Although all the requirements that are listed as answer choices are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool works effectively on the systems of the organization being audited.
148
The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it:
A) has been approved by the IT steering committee.
B) is aligned with the business plan.
C) does not exceed the existing IT budget.
D) is aligned with the investment strategy.
B) is aligned with the business plan.
Is aligned with the business plan is correct. Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.
149
Which of the following is an example of the defense in-depth security principle?
A) Using two firewalls to consecutively check the incoming network traffic
B) Using two firewalls in parallel to check different types of incoming traffic
C) Using a firewall as well as logical access controls on the hosts to control incoming network traffic
D) Lack of physical signs on the outside of a computer center building
C) Using a firewall as well as logical access controls on the hosts to control incoming network traffic
Using a firewall as well as logical access controls on the hosts to control incoming network traffic is correct. Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense.
150
Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy?
A) Review the device's log file for recent attacks.
B) Interview the firewall administrator.
C) Review the actual procedures.
D) Review the parameter settings.
D) Review the parameter settings.
Review the parameter settings is correct. A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation.
