ISACA 901-1000 Flashcards
(99 cards)
Assignment of process ownership is essential in system development projects because it:
A. enables the tracking of the development completion percentage.
B. optimizes the design cost of user acceptance test (UAT) cases.
C. minimizes the gaps between requirements and functionalities.
D. ensures that system design is based on business needs.
D. ensures that system design is based on business needs.
A batch transaction job failed in production; however, the same job returned no issues during user acceptance testing (UAT). Analysis of the production batch job indicates that it was altered after UAT. Which of the following would be the BEST way to mitigate this risk in the future?
A. Improve regression test cases.
B. Activate audit trails for a limited period after release.
C. Conduct an application user access review.
D. Ensure that developers do not have access to code after testing.
D. Ensure that developers do not have access to code after testing.
A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that:
A. the security controls of the application may not meet requirements.
B. the application may not meet the requirements of the business users.
C. the application technology may be inconsistent with the enterprise architecture (EA).
D. the application may create unanticipated support issues for IT.
C. the application technology may be inconsistent with the enterprise architecture (EA).
A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a:
A. directive control.
B. corrective control.
C. compensating control.
D. detective control.
B. corrective control.
Code erroneously excluded from a production release was subsequently moved into the production environment, bypassing normal change procedures. Which of the following choices is of MOST concern to the IS auditor performing a postimplementation review?
A. The code was missed during the initial implementation.
B. The change did not have management approval.
C. The error was discovered during the postimplementation review.
D. The release team used the same change order number.
B. The change did not have management approval.
A company determined that its web site was compromised and a rootkit was installed on the server hosting the application. Which of the following choices would have MOST likely prevented the incident?
A. A host-based intrusion prevention system (IPS)
B. A network-based intrusion detection system (IDS)
C. A firewall
D. Operating system (OS) patching
A. A host-based intrusion prevention system (IPS)
A company is planning to install a network-based intrusion detection system (IDS) to protect the web site that it hosts. Where should the device be installed?
A. On the local network
B. Outside the firewall
C. In the demilitarized zone (DMZ)
D. On the server that hosts the web site
C. In the demilitarized zone (DMZ)
A company with a limited budget has a recovery time objective (RTO) of 72 hours and a recovery point objective (RPO) of 24 hours. Which of the following would BEST meet the requirements of the business?
A. A hot site
B. A cold site
C. A mirrored site
D. A warm site
D. A warm site
Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would BEST provide assurance that transmission of information is secure while the production support team at ABC is providing support to XYZ?
A. Secret key encryption
B. Dynamic Internet protocol (IP) address and port
C. Hash functions
D. Virtual private network (VPN) tunnel
D. Virtual private network (VPN) tunnel
Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would provide the BEST assurance that only authorized users of ABC connect over the Internet for production support to XYZ?
A. Single sign-on authentication
B. Password complexity requirements
C. Two-factor authentication
D. Internet protocol (IP) address restrictions
C. Two-factor authentication
Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production?
A. Provide and monitor separate login IDs that the developer will use for programming and for production support.
B. Capture activities of the developer in the production environment by enabling audit trails.
C. Back up all affected records before allowing the developer to make production changes.
D. Ensure that all changes are approved by the change manager.
A. Provide and monitor separate login IDs that the developer will use for programming and for production support.
Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is MOST acceptable?
A. Test the adequacy of the control design.
B. Test the operational effectiveness of controls.
C. Focus on auditing high-risk areas.
D. Rely on management testing of controls.
C. Focus on auditing high-risk areas.
During an assessment of software development practices, an IS auditor finds that open source software components were used in an application designed for a client. What is the GREATEST concern the auditor would have about the use of open source software?
A. The client did not pay for the open source software components.
B. The organization and client must comply with open source software license terms.
C. Open source software has security vulnerabilities.
D. Open source software is unreliable for commercial use.
B. The organization and client must comply with open source software license terms.
During an implementation review of a recent application deployment, it was determined that several incidents were assigned incorrect priorities and, because of this, failed to meet the business service level agreement (SLA). What is the GREATEST concern?
A. The support model was not approved by senior management.
B. The incident resolution time specified in the SLA is not realistic.
C. There are inadequate resources to support the applications.
D. The support model was not properly developed and implemented.
D. The support model was not properly developed and implemented.
During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of segregation of duties within an IT department?
A. Discuss it with the IT managers.
B. Review the job descriptions of the IT functions.
C. Research past IS audit reports.
D. Evaluate the organizational structure.
A. Discuss it with the IT managers.
During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to:
A. include a review of the database controls in the scope.
B. document for future review.
C. work with database administrators to correct the issue.
D. report the weaknesses as observed.
D. report the weaknesses as observed.
During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern?
A. Maximum acceptable downtime metrics have not been defined in the contract.
B. The IT department does not manage the relationship with the cloud vendor.
C. The help desk call center is in a different country, with different privacy requirements.
D. Company-defined security policies are not applied to the cloud application.
D. Company-defined security policies are not applied to the cloud application.
During the requirements definition stage of a proposed enterprise resource planning (ERP) system, the project sponsor requests that the procurement and accounts payable modules be linked. Which of the following test methods would be the BEST to perform?
A. Unit testing
B. Integration testing
C. Sociability testing
D. Quality assurance (QA) testing
B. Integration testing
A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions above a certain amount. What type of audit control is this?
A. Detective
B. Preventive
C. Corrective
D. Directive
B. Preventive
From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy:
A. is cost-effective.
B. is future thinking and innovative.
C. is aligned with the business strategy.
D. has the appropriate priority level assigned.
C. is aligned with the business strategy.
The GREATEST benefit of having well-defined data classification policies and procedures is:
A. a more accurate inventory of information assets.
B. a decreased cost of controls.
C. a reduced risk of inappropriate system access.
D. an improved regulatory compliance.
C. a reduced risk of inappropriate system access.
In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional:
A. stop-or-go sampling.
B. substantive testing.
C. compliance testing.
D. discovery sampling.
B. substantive testing.
An internal audit function is reviewing an internally developed common gateway interface (CGI) script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern?
A. System unavailability
B. Exposure to malware
C. Unauthorized access
D. System integrity
C. Unauthorized access
An IS auditor discovers that several IT-based projects were implemented that were not approved by the steering committee. What is the GREATEST concern for the IS auditor?
A. IT projects will not be adequately funded.
B. IT projects are not following the system development life cycle (SDLC) process.
C. IT projects are not consistently formally approved.
D. The IT department may not be working toward a common goal.
D. The IT department may not be working toward a common goal.