Exam 4 Flashcards by Host Mom

An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?

A. References from other customers
B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan

A. References from other customers

How well did you know this?

Not at all

Perfectly

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:

A. control self-assessments.
B. a business impact analysis.
C. an IT balanced scorecard.
D. business process reengineering.

C. an IT balanced scorecard.

How well did you know this?

Not at all

Perfectly

A poor choice of passwords and transmission over unprotected communications lines are examples of:

A. vulnerabilities.
B. threats.
C. probabilities.
D. impacts.

A. vulnerabilities.

How well did you know this?

Not at all

Perfectly

To support an organization’s goals, an IS department should have:

A. a low-cost philosophy.
B. long- and short-range plans.
C .leading-edge technology.
D. plans to acquire new hardware and software.

B. long- and short-range plans.

How well did you know this?

Not at all

Perfectly

A local area network (LAN) administrator normally would be restricted from:

A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.

C. having programming responsibilities.

How well did you know this?

Not at all

Perfectly

To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses?

A. O/S and hardware refresh frequencies
B. Gain-sharing performance bonuses
C. Penalties for noncompliance
D. Charges tied to variable cost metrics

B. Gain-sharing performance bonuses

How well did you know this?

Not at all

Perfectly

Which of the following is a mechanism for mitigating risks?

A. Security and control practices
B. Property and liability insurance
C. Audit and certification
D. Contracts and service level agreements (SLAs)

A. Security and control practices

How well did you know this?

Not at all

Perfectly

Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?

A. Security incident summaries
B. Vendor best practices
C. CERT coordination center
D. Significant contracts

D. Significant contracts

How well did you know this?

Not at all

Perfectly

The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?

A. Utilization of an intrusion detection system to report incidents
B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees

D. Training provided on a regular basis to all current and new employee

How well did you know this?

Not at all

Perfectly

A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:

A. recovery.
B. retention.
C. rebuilding.
D. reuse.

B. retention.

How well did you know this?

Not at all

Perfectly

When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that
has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?

A. There could be a question regarding the legal jurisdiction.
B. Having a provider abroad will cause excessive costs in future audits.
C. The auditing process will be difficult because of the distance.
D. There could be different auditing norms.

A. There could be a question regarding the legal jurisdiction.

How well did you know this?

Not at all

Perfectly

The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:

A. destruction policy.
B. security policy.
C. archive policy.
D. audit policy.

C. archive policy.

How well did you know this?

Not at all

Perfectly

Effective IT governance requires organizational structures and processes to ensure that:

A. the organization’s strategies and objectives extend the IT strategy.
B. the business strategy is derived from an IT strategy.
C. IT governance is separate and distinct from the overall governance.
D. the IT strategy extends the organization’s strategies and objectives.

D. the IT strategy extends the organization’s strategies and objectives

How well did you know this?

Not at all

Perfectly

Which of the following would an IS auditor consider to be the MOST important when evaluating an organization’s IS strategy? That it:

A. has been approved by line management.
B. does not vary from the IS department’s preliminary budget.
C. complies with procurement procedures.
D. supports the business objectives of the organization.

D. supports the business objectives of the organization.

How well did you know this?

Not at all

Perfectly

Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?

A. Time zone differences could impede communications between IT teams.
B. Telecommunications cost could be much higher in the first year.
C. Privacy laws could prevent cross-border flow of information.
D. Software development may require more detailed specifications.

C. Privacy laws could prevent cross-border flow of information.

How well did you know this?

Not at all

Perfectly

When reviewing IS strategies, an IS auditor can BEST assess whether IS strategy supports the organizations; business objectives by determining if IS:

A. has all the personnel and equipment it needs.
B. plans are consistent with management strategy.
C. uses its equipment and personnel efficiently and effectively.
D. has sufficient excess capacity to respond to changing directions.

B. plans are consistent with management strategy.

How well did you know this?

Not at all

Perfectly

An IS auditor should be concerned when a telecommunication analyst:

A. monitors systems performance and tracks problems resulting from program changes.
B. reviews network load requirements in terms of current and future transaction volumes.
C. assesses the impact of the network load on terminal response times and network data transfer rates.
D. recommends network balancing procedures and improvements.

A. monitors systems performance and tracks problems resulting from program changes.

How well did you know this?

Not at all

Perfectly

In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:

A. there is an integration of IS and business staffs within projects.
B. there is a clear definition of the IS mission and vision.
C. a strategic information technology planning methodology is in place.
D. the plan correlates business objectives to IS goals and objectives.

A. there is an integration of IS and business staffs within projects.

How well did you know this?

Not at all

Perfectly

Which of the following provides the best evidence of the adequacy of a security awareness program?

A. The number of stakeholders including employees trained at various levels
B. Coverage of training at all locations across the enterprise
C. The implementation of security devices from different vendors
D. Periodic reviews and comparison with best practices

D. Periodic reviews and comparison with best practices

The advantage of a bottom-up approach to the development of organizational policies is that the policies:

A. are developed for the organization as a whole.
B. are more likely to be derived as a result of a risk assessment.
C. will not conflict with overall corporate policy.
D. ensure consistency across the organization.

B. are more likely to be derived as a result of a risk assessment.

Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor’s business continuity plan?

A. Yes, because an IS auditor will evaluate the adequacy of the service bureaus’ plan and assist their company in implementing a complementary plan.
B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the
service bureau and its ability to fulfill the contract.
C. No, because the backup to be provided should be specified adequately in the contract.
D. No, because the service bureaus business continuity plan is proprietary information.

A. Yes, because an IS auditor will evaluate the adequacy of the service bureaus’ plan and assist their company in implementing a complementary plan.

A benefit of open system architecture is that it:

A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.
D. allows for the achievement of more economies of scale for equipment.

A. facilitates interoperability.

The ultimate purpose of IT governance is to:

A. encourage optimal use of IT.
B. reduce IT costs.
C. decentralize IT resources across the organization.
D. centralize control of IT.

A. encourage optimal use of IT.

Establishing the level of acceptable risk is the responsibility of:

A. quality assurance management.
B. senior business management.
C. the chief information officer.
D. the chief security officer.

B. senior business management.

In the context of effective information security governance, the primary objective of value delivery is to: A. optimize security investments in support of business objectives. B. implement a standard set of security practices. C. institute a standards-based solution. D. implement a continuous improvement culture.

A. optimize security investments in support of business objectives.

A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative? A. Issues of privacy B. Wavelength can be absorbed by the human body C. RFID tags may not be removable D. RFID eliminates line-of- sight reading

A. Issues of privacy

Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department? A. Allocating resources B. Keeping current with technology advances C. Conducting control self-assessment D. Evaluating hardware needs

A. Allocating resources

When developing a risk management program, what is the FIRST activity to be performed? A. Threat assessment B. Classification of data C. Inventory of assets D. Criticality analysis

C. Inventory of assets

A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and: A. length of service, since this will help ensure technical competence. B. age, as training in audit techniques may be impractical. C. IS knowledge, since this will bring enhanced credibility to the audit function. D. ability, as an IS auditor, to be independent of existing IS relationships.

D. ability, as an IS auditor, to be independent of existing IS relationships.

IT governance is PRIMARILY the responsibility of the: A chief executive officer. B. board of directors. C. IT steering committee. D. audit committee.

B. board of directors.

Which of the following is the BEST performance criterion for evaluating the adequacy of an organization's security awareness training? A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection. B. Job descriptions contain clear statements of accountability for information security. C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts. D. No actual incidents have occurred that have caused a loss or a public embarrassment.

B. Job descriptions contain clear statements of accountability for information security.

Which of the following is a risk of cross-training? A Increases the dependence on one employee B Does not assist in succession planning C One employee may know all parts of a system D Does not help in achieving a continuity of operations

C One employee may know all parts of a system

To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the: A. enterprise data model. B. IT balanced scorecard (BSC). C. IT organizational structure. D. historical financial statements.

B. IT balanced scorecard (BSC).

The development of an IS security policy is ultimately the responsibility of the: A. IS department. B. security committee. C. security administrator. D. board of directors.

D. board of directors.

An example of a direct benefit to be derived from a proposed IT-related business investment is: A. enhanced reputation. B. enhanced staff morale. C. the use of new technology. D. increased market penetration.

D. increased market penetration.

Which of the following should be considered FIRST when implementing a risk management program? A. An understanding of the organization's threat, vulnerability and risk profile B. An understanding of the risk exposures and the potential consequences of compromise C. A determination of risk management priorities based on potential consequences D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level

A. An understanding of the organization's threat, vulnerability and risk profile

Which of the following is a function of an IS steering committee? A. Monitoring vendor-controlled change control and testing B. Ensuring a separation of duties within the information's processing environment C. Approving and monitoring major projects, the status of IS plans and budgets D. Liaising between the IS department and the end users

C. Approving and monitoring major projects, the status of IS plans and budgets

Which of the following is the initial step in creating a firewall policy? A. A cost-benefit analysis of methods for securing the applications B. Identification of network applications to be externally accessed C. Identification of vulnerabilities associated with network applications to be externally accessed D. Creation of an applications traffic matrix showing protection methods

B. Identification of network applications to be externally accessed

Which of the following should be included in an organization's IS security policy? A. A list of key IT resources to be secured B. The basis for access authorization C. Identity of sensitive security features D. Relevant software security features

B. The basis for access authorization

When an employee is terminated from service, the MOST important action is to: A. hand over all of the employee's files to another designated employee. B. complete a backup of the employee's work. C. notify other employees of the termination. D. disable the employee's logical access.

D. disable the employee's logical access.

The PRIMARY objective of an audit of IT security policies is to ensure that: A. they are distributed and available to all staff. B. security and control policies support business and IT objectives. C. there is a published organizational chart with functional descriptions. D. duties are appropriately segregated.

B. security and control policies support business and IT objectives.

A top-down approach to the development of operational policies will help ensure: A. that they are consistent across the organization. B. that they are implemented as a part of risk assessment. C. compliance with all policies. D. that they are reviewed periodically.

A. that they are consistent across the organization.

Which of the following goals would you expect to find in an organization's strategic plan? A. Test a new accounting package. B. Perform an evaluation of information technology needs. C. Implement a new project planning system within the next 12 months. D. Become the supplier of choice for the product offered.

D. Become the supplier of choice for the product offered.

The MOST likely effect of the lack of senior management commitment to IT strategic planning is: A a lack of investment in technology. B a lack of a methodology for systems development. C technology not aligning with the organization's objectives. D an absence of control over technology contracts.

C technology not aligning with the organization's objectives.

An IS steering committee should: A. include a mix of members from different departments and staff levels. B. ensure that IS security policies and procedures have been executed properly. C. have formal terms of reference and maintain minutes of its meetings. D. be briefed about new trends and products at each meeting by a vendor.

C. have formal terms of reference and maintain minutes of its meetings.