ISACA.CISA.v2024-02-20.q418 Flashcards

1
Q

An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:
A. some of the identified threats are unlikely to occur.
B. all identified threats relate to external entities.
C. the exercise was completed by local management.
D. neighboring organizations' operations have been included.

A

C. the exercise was completed by local management.

An IS auditor reviewing the threat assessment for a data center would be most concerned if the exercise was completed by local management, because this could introduce bias, conflict of interest, or lack of expertise in the assessment process. A threat assessment is a systematic method of identifying and evaluating the potential threats that could affect the availability, integrity, or confidentiality of the data center and its assets. A threat assessment should be conducted by an independent and qualified team that has the necessary skills, knowledge, and experience to perform a comprehensive and objective analysis of the data center’s environment, vulnerabilities, and risks.

2
Q

A database administrator (DBA) should be prevented from:
A. having end user responsibilities.
B. accessing sensitive information.
C. having access to production files.
D. using an emergency user ID.

A

A. having end user responsibilities.

A database administrator (DBA) should be prevented from having end user responsibilities to avoid a conflict of interest and a violation of the segregation of duties principle. End user responsibilities may include initiating transactions, authorizing transactions, recording transactions, or reconciling transactions. A DBA who has end user responsibilities may compromise the integrity, confidentiality, and availability of the data and the database systems. Accessing sensitive information, having access to production files, and using an emergency user ID are not end user responsibilities, but rather potential risks or controls associated with the DBA role.

3
Q

A small business unit is implementing a control self-assessment (CSA) program and leveraging the internal audit function to test its internal controls annually. Which of the following is the MOST significant benefit of this approach?
A. Compliance costs are reduced.
B. Risks are detected earlier.
C. Business owners can focus more on their core roles.
D. Line management is more motivated to avoid control exceptions.

A

B. Risks are detected earlier.

The most significant benefit of implementing a control self-assessment (CSA) program and leveraging the internal audit function to test its internal controls annually is that risks are detected earlier. A CSA program is a process that enables business owners and managers to assess and improve their own internal controls on a regular basis, without relying on external auditors or consultants. A CSA program can help identify and mitigate risks, enhance performance, increase accountability, and foster a culture of control within the organization. By leveraging the internal audit function to test its internal controls annually, a small business unit can also obtain independent assurance and validation of its CSA results, as well as recommendations for improvement. This approach can help reduce compliance costs, as external audits may be less frequent or extensive.

4
Q

Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?
A. Data ownership.
B. Applicable laws and regulations.
C. Business requirements and data flows.
D. End-user access rights.

A

B. Applicable laws and regulations.

When assessing the scope of privacy concerns for an IT project, the most important factor to consider is the applicable laws and regulations. These laws and regulations define the legal requirements for data privacy and protection that the project must comply with. They can vary greatly depending on the jurisdiction and the type of data being processed, and non-compliance can result in significant penalties. While data ownership, business requirements and data flows, and end-user access rights are also important considerations, they are typically guided by these legal requirements.

5
Q

Which of the following information security requirements BEST enables the tracking of organizational data in a bring your own device (BYOD) environment?
A. Employees must immediately report lost or stolen mobile devices containing organizational data.
B. Employees must sign acknowledgment of the organization’s mobile device acceptable use policy.
C. Employees must enroll their personal devices in the organization’s mobile device management program.

A

C. Employees must enroll their personal devices in the organization’s mobile device management program.

The best way to track organizational data in a BYOD environment is to enroll the personal devices in the organization’s mobile device management (MDM) program. This will allow the organization to monitor, control, and secure the data on the devices remotely. Employees must also report lost or stolen devices and sign the acceptable use policy, but these are not sufficient to enable tracking of data.

6
Q

Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?
A. Regression testing
B. Unit testing
C. Integration testing
D. Acceptance testing

A

A. Regression testing

Regression testing is the most appropriate testing method for assessing whether system integrity has been maintained after changes have been made. Regression testing is a type of software testing that ensures that previously developed and tested software still performs as expected after a change. Regression testing helps to detect any defects or errors that may have been introduced or uncovered due to the change.

7
Q

Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization’s security policy?
A. Reviewing the parameter settings.
B. Reviewing the system log.
C. Interviewing the firewall administrator.
D. Reviewing the actual procedures.

A

A. Reviewing the parameter settings.

The best audit procedure to determine whether a firewall is configured in compliance with the organization’s security policy is reviewing the parameter settings. Parameter settings are values or options that define how a firewall operates and functions, such as rules, filters, ports, protocols, etc. By reviewing the parameter settings of a firewall, an IS auditor can verify whether they match with the organization’s security policy, which is a document that outlines the security objectives, requirements, and guidelines for an organization’s information systems and resources.

Reviewing the system log is a possible audit procedure to determine whether a firewall is configured in compliance with the organization’s security policy, but it is not the best one, as a system log records events or activities that occur on a firewall, such as connections, requests, responses, errors, alerts, etc., and may not indicate whether they comply with the organization’s security policy.

Interviewing the firewall administrator is a possible audit procedure to determine whether a firewall is configured in compliance with the organization’s security policy, but it is not the best one, as a firewall administrator may not provide accurate or reliable information about the firewall configuration, and may have conflicts of interest or ulterior motives.

Reviewing the actual procedures is a possible audit procedure to determine whether a firewall is configured in compliance with the organization’s security policy, but it is not the best one, as actual procedures describe how a firewall is configured and maintained, such as installation, testing, updating, etc., and may not reflect whether they comply with the organization’s security policy.

8
Q

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor’s NEXT course of action?
A. Note the exception in a new report as the item was not addressed by management.
B. Recommend alternative solutions to address the repeat finding.
C. Conduct a risk assessment of the repeat finding.
D. Interview management to determine why the finding was not addressed.

A

D. Interview management to determine why the finding was not addressed.

If an IS auditor finds that management did not address a prior period audit finding, the next course of action should be to interview management to determine why the finding was not addressed, as this would help to understand the root cause, the impact, and the risk level of the issue. Noting the exception in a new report, recommending alternative solutions, or conducting a risk assessment are possible subsequent steps, but they should not precede interviewing management.

9
Q

An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
A. Installing security software on the devices.
B. Partitioning the work environment from personal space on devices.
C. Preventing users from adding applications.
D. Restricting the use of devices for personal purposes during working hours.

A

B. Partitioning the work environment from personal space on devices.

Partitioning the work environment would best maintain information security without compromising employee privacy by creating a separate and secure area on the personal mobile devices for work-related data and applications. This way, the organization can protect its information from unauthorized access, loss, or leakage, while respecting the employees’ personal data and preferences on their own devices.
The other options are not as effective as Option B in balancing information security and employee privacy. Option A, installing security software on the devices, is good practice, but may not be sufficient to prevent data breaches or comply with regulatory requirements. Option C, preventing users from adding applications, is too restrictive and may interfere with the employees’ personal use of their devices. Option D, restricting the use of devices for personal purposes during working hours, is impractical and difficult to enforce.

10
Q

Which of the following is a concern associated with virtualization?
A. The physical footprint of servers could decrease within the data center.
B. Performance issues with the host could impact the guest operating systems.
C. Processing capacity may be shared across multiple operating systems.
D. One host may have multiple versions of the same operating system.

A

B. Performance issues with the host could impact the guest operating systems.

A concern associated with virtualization is that performance issues with the host could impact the guest operating systems, which are the operating systems that run on virtual machines within the host. For example, if the host has insufficient memory, CPU, disk space, or network bandwidth, it could affect the performance and availability of the guest operating systems and the applications running on them. The physical footprint of servers could decrease within the data center, processing capacity may be shared across multiple operating systems, and one host may have multiple versions of the same operating system are not concerns associated with virtualization, but rather, are benefits or features of virtualization that can help reduce costs, improve efficiency, and enhance flexibility.

11
Q

An IS auditor is reviewing the perimeter security design of a network. Which of the following provides the GREATEST assurance outgoing Internet traffic is controlled?
A. Intrusion detection system (IDS).
B. Security information and event management (SIEM) system.
C. Stateful firewall.
D. Load balancer.

A

C. Stateful firewall.

A stateful firewall provides the greatest assurance that outgoing Internet traffic is controlled, as it monitors and filters packets based on their source, destination and connection state. A stateful firewall can prevent unauthorized or malicious traffic from leaving the network, as well as block incoming traffic that does not match an established connection. An intrusion detection system (IDS) can detect and alert on suspicious or anomalous traffic, but it does not block or control it. A security information and event management (SIEM) system can collect and analyze logs and events from various sources, but it does not directly control traffic. A load balancer can distribute traffic among multiple servers, but it does not filter or monitor it.

12
Q

An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs). Which of the following findings should be of MOST concern to the auditor?
A. KPI data is not being analyzed
B. KPIs are not clearly defined
C. Some KPIs are not documented
D. KPIs have never been updated

A

B. KPIs are not clearly defined

KPIs that are not clearly defined are the most concerning finding for an IS auditor, because this implies that the third-party vendor does not have a clear understanding of what constitutes success or failure in its performance. This can lead to inaccurate or misleading reporting, poor decision making, and a lack of accountability. KPIs should be SMART (specific, measurable, achievable, relevant, and time-bound) and aligned with the business objectives and the expectations of the stakeholders.

13
Q

Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster?
A. Use an electronic vault for incremental backups.
B. Deploy a fully automated backup maintenance system.
C. Periodically test backups stored in a remote location.
D. Use both tape and disk backup systems.

A

C. Periodically test backups stored in a remote location.

The best way to ensure that a backup copy is available for restoration of mission critical data after a disaster is to periodically test backups stored in a remote location. Testing backups is essential to verify that the backup copies are valid, complete, and recoverable. Testing backups also helps to identify any issues or errors that may affect the backup process or the restoration of data. Storing backups in a remote location is important to protect the backup copies from physical damage, theft, or unauthorized access that may occur at the primary site. Using an electronic vault for incremental backups, deploying a fully automated backup maintenance system, or using both tape and disk backup systems are not sufficient to ensure that a backup copy is available for restoration of mission critical data after a disaster, as they do not address the need for testing backups or storing them in a remote location.

14
Q

When auditing the closing stages of a system development project, which of the following should be the MOST important consideration?
A. Control requirements.
B. Rollback procedures.
C. Functional requirements documentation.
D. User acceptance test (UAT) results.

A

D. User acceptance test (UAT) results.

The UAT is a critical phase of the system development life cycle (SDLC) that ensures that the system meets the functional requirements and expectations of the end users. The UAT results provide evidence of the system’s quality, performance, usability, and reliability. Control requirements, rollback procedures, and functional requirements documentation are also important considerations, but they are not as crucial as the UAT results in determining if the system is ready for deployment.

15
Q

What would be an IS auditor’s BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?
A. Ensure the open issues are retained in the audit results.
B. Terminate the follow-up because open issues are not resolved.
C. Recommend compensating controls for open issues.
D. Evaluate the residual risk due to open issues.

A

D. Evaluate the residual risk due to open issues.

Evaluating the residual risk due to open issues can help the IS auditor assess the impact and likelihood of the potential threats and vulnerabilities that have not been addressed by the auditee, as well as the adequacy and effectiveness of the existing controls or mitigating actions. Evaluating the residual risk due to open issues can also help the IS auditor prioritize and communicate the open issues to the auditee and other stakeholders, such as senior management or audit committee, and recommend appropriate actions or escalation procedures.

16
Q

The use of access control lists (ACLs) is the MOST effective method to mitigate security risk for routers because they:
A. are recommended by security standards.
B. can limit Telnet and traffic from the open Internet.
C. act as filters between the world and the network.
D. can detect cyberattacks.

A

B. can limit Telnet and traffic from the open Internet.

The use of access control lists (ACLs) is the most effective method to mitigate security risk for routers because they can limit Telnet and traffic from the open Internet. Telnet is a protocol that allows remote access to a device, which can pose a security threat if not properly controlled. Traffic from the open Internet can also contain malicious packets that can harm the network or the router itself. ACLs act as filters that can block or allow specific types of traffic based on predefined criteria, such as source and destination addresses, protocols, ports, and flags. By using ACLs, routers can prevent unauthorized access and reduce the exposure to potential attacks.

17
Q

Which of the following would minimize the risk of losing transactions as a result of a disaster?
A. Sending a copy of the transaction logs to offsite storage on a daily basis
B. Storing a copy of the transaction logs onsite in a fireproof vault
C. Encrypting a copy of the transaction logs and storing it on a local server
D. Signing a copy of the transaction logs and storing it on a local server

A

A. Sending a copy of the transaction logs to offsite storage on a daily basis

This is because offsite storage provides a backup of the data that can be recovered in case of a catastrophic event that destroys or damages the onsite data. Storing a copy of the transaction logs onsite in a fireproof vault (B) would not protect the data from other types of disasters, such as floods, earthquakes, or theft. Encrypting (C) or signing (D) a copy of the transaction logs and storing it on a local server would not prevent the loss of data if the server is affected by the disaster. Encryption and digital signatures are security measures that protect the confidentiality and integrity of the data, but not its availability.

18
Q

During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?
A. Enterprise risk manager
B. Project sponsor
C. Information security officer
D. Project manager

A

D. Project manager

The project manager should be accountable for managing the risks to project benefits. Project benefits are the expected outcomes or value that a project delivers to its stakeholders, such as improved efficiency, quality, customer satisfaction, or revenue. Project risks are uncertain events or conditions that may affect the project objectives, scope, budget, schedule, or quality. The project manager is responsible for identifying, analyzing, prioritizing, responding to, and monitoring project risks throughout the project life cycle. The other options are not accountable for managing project risks, as they have different roles and responsibilities. The enterprise risk manager is responsible for overseeing the organization’s overall risk management framework and strategy, but not for managing specific project risks. The project sponsor is responsible for initiating, approving, and supporting the project, but not for managing project risks. The information security officer is responsible for ensuring that the project complies with the organization’s information security policies and standards, but not for managing project risks.

19
Q

Which of the following is MOST important to include in security awareness training?
A. How to respond to various types of suspicious activity.
B. The importance of complex passwords.
C. Descriptions of the organization’s security infrastructure.
D. Contact information for the organization’s security team.

A

A. How to respond to various types of suspicious activity.

Security awareness training is a program that educates employees about the importance of security and how to avoid common threats and risks. One of the main objectives of security awareness training is to enable employees to recognize and report any signs of malicious or unauthorized activity, such as phishing emails, malware infections, data breaches, or social engineering attempts. By teaching employees how to respond to various types of suspicious activity, security awareness training can help to prevent or mitigate the impact of security incidents, protect the organization’s assets and reputation, and comply with legal and regulatory requirements. The other options are not as important as option A.

20
Q

An IS department is evaluated monthly on its cost-revenue ratio, user satisfaction rate, and computer downtime. This is BEST described as an application of:
A. risk framework.
B. balanced scorecard.
C. value chain analysis.
D. control self-assessment (CSA).

A

B. balanced scorecard.

A balanced scorecard is a framework that translates the IT strategy into measurable objectives, indicators, targets, and initiatives across four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard helps to monitor and evaluate how well the IT function is delivering value to the organization, achieving its strategic goals, and improving its capabilities and competencies. The other options are not the primary uses of a balanced scorecard, because they either focus on specific aspects of IT rather than the overall performance, or they are not directly related to the IT strategy.

21
Q

A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?
A. Installing security cameras at the doors.
B. Changing to a biometric access control system.
C. Implementing a monitored mantrap at entrance and exit points.
D. Requiring two-factor authentication at entrance and exit points.

A

C. Implementing a monitored mantrap at entrance and exit points.

A mantrap is a physical security access control system comprising a small space having two sets of interlocking doors such that the first set of doors must close before the second set opens. By implementing a monitored mantrap, unauthorized access can be prevented and it can ensure that all individuals are logged when they enter and exit the server room.

22
Q

The BEST way to provide assurance that a project is adhering to the project plan is to:
A. require design reviews at appropriate points in the life cycle.
B. have an IS auditor participate on the steering committee.
C. have an IS auditor participate on the quality assurance (QA) team.
D. conduct compliance audits at major system milestones.

A

D. conduct compliance audits at major system milestones.

A compliance audit is a systematic and independent examination of the project’s activities, documents, and deliverables to determine whether they conform to the project plan and its specifications, standards, and requirements. A major system milestone is a significant point or event in the project’s life cycle that marks the completion of a phase, stage, or deliverable.

23
Q

A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger, and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?

A. Unit testing
B. Network performance
C. User acceptance testing (UAT)
D. Regression testing

A

D. Regression testing

Regression testing is a type of testing that ensures that the existing functionality of the system is not affected by the changes or upgrades made to the system. Since the project involves upgrading the ERP system hosting the general ledger, which is a critical and complex component of the finance department, it is important to verify that the upgrade does not introduce any errors or defects that could compromise the accuracy, completeness, and reliability of the financial data and reports. Regression testing can help identify and resolve any issues before they affect the users and the business processes.

24
Q

Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?
A. Quality assurance (QA) review.
B. Ongoing participation by relevant stakeholders.
C. Expected deliverables meeting project deadlines.
D. Sign-off from the IT team.

A

D. Sign-off from the IT team.

25
Q

An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country. What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted application?
A. Financial regulations affecting the organization.
B. Data center physical access controls where the application is hosted.
C. Privacy regulations affecting the organization.
D. Per-unit cost charged by the hosting services provider for storage.

A

C. Privacy regulations affecting the organization.

This is because privacy regulations are laws or rules that protect the personal information of individuals from unauthorized access, use, disclosure, or transfer by third parties. Payroll audit documentation may contain sensitive and confidential data, such as employee names, salaries, benefits, taxes, deductions, and bank accounts. If the audit management application is hosted by a third party in a different country, the organization may need to comply with the privacy regulations of both its own country and the host country, as well as any international or regional agreements or frameworks that apply. Privacy regulations may impose various requirements and obligations on the organization, such as obtaining consent from the data subjects, implementing appropriate security measures, notifying data breaches, and ensuring data quality and accuracy.

26
Q

Which of the following is an IS auditor’s BEST recommendation to protect an organization from attacks when its file server needs to be accessible to external users?
A. Enforce a secure tunnel connection.
B. Enhance internal firewalls.
C. Set up a demilitarized zone (DMZ).
D. Implement a secure protocol.

A

C. Set up a demilitarized zone (DMZ).

A demilitarized zone (DMZ) is a network segment that is separated from the internal network and the external network, such as the internet, by firewalls or other security devices. A DMZ provides an extra layer of security for the organization’s internal network by isolating the servers and services that need to be accessible to external users, such as a file server, from the rest of the network. A DMZ also prevents external users from accessing the internal network directly, as they have to go through two firewalls to reach it. Therefore, setting up a DMZ is an IS auditor’s best recommendation to protect an organization from attacks when its file server needs to be accessible to external users.

27
Q

Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization’s incident management processes?
A. Service management standards are not followed.
B. Expected time to resolve incidents is not specified.
C. Metrics are not reported to senior management.
D. Prioritization criteria are not defined.

A

D. Prioritization criteria are not defined.

The design of an incident management process should include prioritization criteria to ensure that incidents are handled according to their impact and urgency. Without prioritization criteria, the organization may not be able to allocate resources effectively and respond to incidents in a timely manner. Expected time to resolve incidents, service management standards, and metrics reporting are important aspects of incident management, but they are not as critical as prioritization criteria for the design of the process.

28
Q

An IS auditor is reviewing enterprise governance and finds there is no defined organizational structure for technology risk governance. Which of the following is the GREATEST concern with this lack of structure?
A. Software developers may adopt inappropriate technology.
B. Project managers may accept technology risks exceeding the organization’s risk appetite.
C. Key decision-making entities for technology risk have not been identified
D. There is no clear approval entity for organizational security standards.

A

C. Key decision-making entities for technology risk have not been identified

Technology risk governance is the process of establishing and maintaining the policies, roles, responsibilities, and accountabilities for managing technology risks within an organization. Technology risk governance requires a clear organizational structure that defines who has the authority and responsibility to make decisions, set objectives, allocate resources, monitor performance, and ensure compliance for technology risk management. Without such a structure, an organization may face the following challenges:
* Lack of alignment and integration between technology and business strategies, leading to suboptimal outcomes and missed opportunities.
* Lack of clarity and consistency in technology risk identification, assessment, mitigation, and reporting, leading to gaps and overlaps in risk coverage and exposure.
* Lack of communication and collaboration among different stakeholders involved in technology risk management, leading to conflicts and inefficiencies.
* Lack of oversight and accountability for technology risk management activities and results, leading to poor quality and reliability.

29
Q

Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?
A. The vendor’s process appropriately sanitizes the media before disposal.
B. The contract includes issuance of a certificate of destruction by the vendor.
C. The vendor has not experienced security incidents in the past.
D. The disposal transportation vehicle is fully secure.

A

A. The vendor’s process appropriately sanitizes the media before disposal.

Storage media may contain sensitive or confidential information that needs to be protected from unauthorized access, disclosure, or misuse. The IS auditor should verify that the vendor has a process that appropriately sanitizes the media before disposal, such as wiping, degaussing, shredding, or incinerating, and that the process is effective and compliant with the organization’s policies and standards. The other options are not as important as verifying the vendor’s process, because they either do not ensure the security and privacy of the information on the media, or they are secondary to the vendor’s process.

30
Q

Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?
A. Degaussing.
B. Random character overwrite.
C. Physical destruction.
D. Low-level formatting.

A

C. Physical destruction.

The most effective method of destroying sensitive data stored on electronic media is physical destruction, which involves breaking, shredding, melting, or incinerating the media to make it unreadable and unrecoverable. Degaussing, random character overwrite, and low-level formatting are methods of sanitizing or erasing data from electronic media, but they do not guarantee complete destruction of data and may leave some traces that can be recovered by advanced techniques. Therefore, physical destruction is the most secure and reliable method of data disposal for sensitive data.

31
Q

A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:
A. the provider has alternate service locations.
B. the contract includes compensation for deficient service levels.
C. the provider’s information security controls are aligned with the company’s.
D. the provider adheres to the company’s data retention policies.

A

C. the provider’s information security controls are aligned with the company’s.

This is because customer statements contain sensitive personal and financial information that needs to be protected from unauthorized access, disclosure, modification or destruction. The provider’s information security controls should be consistent with the company’s policies, standards and regulations, and should be audited periodically to ensure compliance. The other options are also relevant, but not as critical as information security.

32
Q

An IS auditor determines that the vendor’s deliverables do not include the source code for a newly acquired product. To address this issue, which of the following should the auditor recommend be included in the contract?
A. Confidentiality and data protection clauses.
B. Service level agreement (SLA).
C. Software escrow agreement.
D. Right-to-audit clause.

A

C. Software escrow agreement.

A software escrow agreement is a legal arrangement between three parties: the software developer (licensor), the end-user (licensee), and an escrow agent. The agreement ensures that the software’s source code and other relevant assets are securely stored with the escrow agent, and can be released to the licensee under certain conditions, such as the licensor’s bankruptcy, insolvency, or failure to provide support or maintenance. A software escrow agreement can provide the licensee with assurance and continuity for the software they depend on, and protect them from losing access or functionality in case of any unforeseen events or disputes with the licensor.

33
Q

Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?
A. Inadequate measurement of key risk indicators (KRIs).
B. Inadequate alignment of IT plans and business objectives.
C. Inadequate business impact analysis (BIA) results and predictions.
D. Inadequate measurement of key performance indicators (KPIs).

A

B. Inadequate alignment of IT plans and business objectives.

IT governance is a framework for the governance and management of enterprise information and technology (I&T) that supports enterprise goal achievement. IT governance helps to ensure that IT investments and activities are aligned with the business strategy, vision, and values of the organization. IT governance also helps to optimize the value of IT, manage IT-related risks, and measure and monitor IT performance.

34
Q

Which of the following presents the GREATEST risk of data leakage in the cloud environment?
A. Lack of data retention policy.
B. Multi-tenancy within the same database.
C. Lack of role-based access.
D. Expiration of security certificate.

A

B. Multi-tenancy within the same database.

Multi-tenancy within the same database presents the greatest risk of data leakage in the cloud environment, because it means that multiple customers share the same physical database and resources. This can lead to data isolation and security issues, such as unauthorized access, cross-tenant attacks, or data leakage due to misconfiguration or human error. To prevent data leakage in a multi-tenant database, cloud providers need to implement strict access control policies, encryption, isolation mechanisms, and auditing tools.

35
Q

An organization’s security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?
A. To collect digital evidence of cyberattacks.
B. To attract attackers in order to study their behavior.
C. To provide training to security managers.
D. To test the intrusion detection system (IDS).

A

B. To attract attackers in order to study their behavior.

This is a technique known as honeypotting, which is a form of deception security that lures attackers into a fake system or network that mimics the real one, but is isolated and monitored. Honeypotting can help security teams to learn about the attackers’ methods, tools, motives, and targets, and to collect valuable intelligence that can be used to improve the security posture of the organization. Honeypotting can also help to divert the attackers’ attention from the real assets and to waste their time and resources.

36
Q

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern is that:
A. the implementation plan meets user requirements.
B. a full, visible audit trail will be included.
C. a clear business case has been established.
D. the new hardware meets established security standards.

A

C. a clear business case has been established.

A business case is a document that justifies the need, feasibility, and benefits of a proposed project or investment. A clear business case can help to ensure that the acquisition of new computer hardware is aligned with the organization’s goals, objectives, and requirements, and that it provides value for money and return on investment. The other options are not as important as establishing a clear business case, as they do not address the rationale or justification for acquiring new computer hardware.

37
Q

An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?
A. Computer-assisted technique.
B. Stratified sampling.
C. Statistical sampling.
D. Process walk-through.

A

A. Computer-assisted technique.

A computer-assisted technique is a tool or procedure that can be used to perform audit tests or procedures on data stored in electronic form. Examples of computer-assisted techniques include data analysis software, query tools, scripting languages, and specialized audit software. A computer-assisted technique can help an IS auditor to identify and extract duplicate payments from a large data set, perform calculations and comparisons, and generate reports and summaries. A computer-assisted technique can also provide more accuracy, efficiency, and coverage than manual methods.

38
Q

Capacity management enables organizations to:
A. forecast technology trends.
B. establish the capacity of network communication links.
C. identify the extent to which components need to be upgraded.
D. determine business transaction volumes.

A

C. identify the extent to which components need to be upgraded.

Capacity management is a process that ensures that the IT resources of an organization are sufficient to meet the current and future demands of the business. Capacity management enables organizations to identify the extent to which components need to be upgraded, by monitoring and analyzing the performance, utilization, and availability of the IT components, such as servers, networks, storage, applications, etc., and identifying any bottlenecks, gaps, or risks that may affect the service level agreements (SLAs) or quality of service (QoS). Capacity management also helps organizations to plan and optimize the use of IT resources, by forecasting the future demand and growth of the business, and aligning the IT capacity with the business needs and objectives.

39
Q

An organization is concerned with meeting new regulations for protecting data confidentiality and asks an IS auditor to evaluate their procedures for transporting data. Which of the following would BEST support the organization’s objectives?
A. Cryptographic hashes.
B. Virtual local area network (VLAN).
C. Encryption.
D. Dedicated lines.

A

C. Encryption.

The best option to support the organization’s objectives of protecting data confidentiality while transporting data is encryption. Encryption is a process of transforming data into an unreadable form using a secret key or algorithm, so that only authorized parties can access the original data. Encryption protects the confidentiality of data in transit by preventing unauthorized interception, modification, or disclosure of the data. Encryption can also help comply with data privacy and security regulations, such as the GDPR and HIPAA. The other options are not as effective as encryption in protecting data confidentiality while transporting data.

40
Q

During the planning stage of a compliance audit, an IS auditor discovers that a bank’s inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?
A. Ask management why the regulatory changes have not been included.
B. Discuss potential regulatory issues with the legal department.
C. Report the missing regulatory updates to the chief information officer (CIO).
D. Exclude recent regulatory changes from the audit scope.

A

A. Ask management why the regulatory changes have not been included.

An IS auditor should inquire about the reasons for not updating the inventory of compliance requirements with recent regulatory changes related to managing data risk. This will help the IS auditor to understand whether there is a gap in awareness, communication, or implementation of compliance obligations within the organization. The other options are not the first things that an IS auditor should do, but rather possible subsequent actions that may depend on management’s response.

41
Q

Which of the following is the BEST indication that there are potential problems within an organization’s IT service desk function?
A. Undocumented operating procedures.
B. Lack of segregation of duties.
C. An excessive backlog of user requests.
D. Lack of key performance indicators (KPIs).

A

C. An excessive backlog of user requests.

A backlog is a list of user requests that have not been resolved or completed by the IT service desk within a specified time frame. An excessive backlog means that the IT service desk is unable to meet the demand or expectations of the users, and that the users are experiencing delays, dissatisfaction, or frustration with the IT service desk. An excessive backlog of user requests can indicate various problems within the IT service desk function, such as:
* Insufficient staff, resources, or capacity to handle the volume or complexity of user requests.
* Ineffective processes, procedures, or tools for managing, prioritizing, or resolving user requests.
* Lack of skills, knowledge, or training among the IT service desk staff to deal with different types of user requests.
* Poor communication, collaboration, or coordination among the IT service desk staff or with other IT functions or stakeholders.
* Low quality, performance, or security of the IT systems or services that cause frequent or recurring user issues.

Therefore, an excessive backlog of user requests is the best indication that there are potential problems within an organization’s IT service desk function.

42
Q

During the review of a system disruption incident, an IS auditor notes that IT support staff were put in a position to make decisions beyond their level of authority. Which of the following is the BEST recommendation to help prevent this situation in the future?
A. Introduce escalation protocols.
B. Develop a competency matrix.
C. Implement fallback options.
D. Enable an emergency access ID.

A

A. Introduce escalation protocols.

Escalation protocols are policies and procedures that define who should be notified, involved, or consulted when an incident occurs, how the communication and handover should take place, and what criteria or triggers should be used to escalate the incident to a higher level of authority or expertise. Escalation protocols help to ensure that:
* Incidents are handled by the appropriate staff with the required skills, knowledge, and experience.
* Incidents are resolved in a timely and effective manner.
* Incidents are escalated to senior management or specialized teams when necessary.
* Incidents are documented and reported accurately and transparently.
* Incidents are analyzed and learned from to prevent recurrence or mitigate impact.

Therefore, by introducing escalation protocols, an organization can improve its incident management process and avoid putting IT support staff in a position to make decisions beyond their level of authority.

43
Q

Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?
A. To ensure that older versions are available for reference.
B. To ensure that only the latest approved version of the application is used.
C. To ensure compatibility between different versions of the application.
D. To ensure that only authorized users can access the application.

A

B. To ensure that only the latest approved version of the application is used.

Version control is a process of managing changes to an application or a document. It ensures that only the latest approved version of the application is used by end-users, which reduces the risk of errors, inconsistencies, and unauthorized modifications. Version control also allows tracking the history of changes and restoring previous versions if needed.

44
Q

A national tax administration agency with a distributed network experiences service disruptions due to a large influx of traffic to a regional office near the end of each year. Which of the following would BEST enable the agency to improve the performance of its servers during the busy period?
A. Virtual firewall
B. Proxy server
C. Load balancer
D. Virtual private network (VPN)

A

C. Load balancer

A load balancer is a tool or application that distributes incoming network traffic among multiple servers in a server farm, so that no server is overwhelmed and the performance of the system is optimized. A load balancer can help the agency to handle the large influx of traffic to a regional office by balancing the workload among the available servers and preventing service disruptions. A load balancer can also provide high availability and fault tolerance by rerouting traffic to online servers if a server becomes unavailable.

45
Q

Transaction records from a business database were inadvertently deleted, and system operators decided to restore from a snapshot copy. Which of the following provides assurance that the MOST transactions were recovered successfully?
A. Review transaction recovery logs to ensure no errors were recorded.
B. Recount the transaction records to ensure no records are missing.
C. Rerun the process on a backup machine to verify the results are the same.
D. Compare transaction values against external statements to verify accuracy.

A

B. Recount the transaction records to ensure no records are missing.

This is because recounting the transaction records can verify that the number of records in the restored database matches the number of records in the snapshot copy, which represents the state of the database before the deletion occurred. Recounting the transaction records can also detect any data corruption or inconsistency that may have occurred during the restore process.

Reviewing transaction recovery logs to ensure no errors were recorded is not the best answer, because transaction recovery logs may not capture all the details or issues that may affect the data quality or integrity. Transaction recovery logs are mainly used to monitor and troubleshoot the restore process, but they may not reflect the actual content or accuracy of the restored data.

Rerunning the process on a backup machine to verify the results are the same is not the best answer, because rerunning the process may introduce additional errors or inconsistencies that may affect the data quality or integrity. Rerunning the process may also consume more time and resources than necessary, and it may not guarantee that the results are identical to the original data.

Comparing transaction values against external statements to verify accuracy is not the best answer, because external statements may not be available or reliable for all transactions. External statements are documents or reports that provide information about transactions from a third-party source, such as a bank, a vendor, or a customer. However, external statements may not cover all transactions, or they may have different formats, standards, or timeliness than the internal data.

46
Q

Which of the following represents the HIGHEST level of maturity of an information security program?
A. A training program is in place to promote information security awareness.
B. A framework is in place to measure risks and track effectiveness.
C. Information security policies and procedures are established.
D. The program meets regulatory and compliance requirements.

A

B. A framework is in place to measure risks and track effectiveness.

According to ISACA’s Information Security Governance Guidance for Boards of Directors and Executive Management, the highest level of maturity of an information security program is Level 5: Optimized, which means that the program is aligned with the business objectives and strategy, and continuously monitors and improves its performance and effectiveness. A framework is in place to measure risks and track effectiveness, and the program is proactive, adaptive, and innovative. The other options represent lower levels of maturity:
A training program is in place to promote information security awareness. This is Level 2: Repeatable, which means that the program has some basic policies and procedures, and provides awareness training to employees.
Information security policies and procedures are established. This is Level 3: Defined, which means that the program has formalized policies and procedures, and assigns roles and responsibilities for information security.
The program meets regulatory and compliance requirements. This is Level 4: Managed, which means that the program has established metrics and reporting mechanisms, and complies with relevant laws and regulations.

47
Q

Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?
A. Server room access history.
B. Emergency change records.
C. IT security incidents.
D. Penetration test results.

A

D. Penetration test results.

The IS auditor should ensure that penetration test results are classified at the highest level of sensitivity, because they contain detailed information about the vulnerabilities and weaknesses of the IT systems and networks, as well as the methods and tools used by the testers to exploit them. Penetration test results can be used by malicious actors to launch cyberattacks or cause damage to the organization if they are disclosed or accessed without authorization. Therefore, they should be protected with the highest level of confidentiality, integrity and availability. The other options are not as sensitive as penetration test results, because they either do not reveal as much information about the IT security posture, or they are already known or reported by the organization.

48
Q

Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?
A. Detective control
B. Preventive control
C. Directive control
D. Corrective control

A

B. Preventive control

An acceptable use policy (AUP) is a preventive control that sets out rules and guidelines for using an organization’s IT resources, including networks, devices, and software. It defines acceptable and prohibited behaviors, aiming to protect assets, ensure security, and maintain a productive work environment. By agreeing to and documenting an AUP for the equipment, both organizations can prevent potential misuse of IT resources.

49
Q

Which of the following should be an IS auditor’s GREATEST concern when reviewing an organization’s security controls for policy compliance?
A. Security policies are not applicable across all business units.
B. End users are not required to acknowledge security policy training.
C. The security policy has not been reviewed within the past year.
D. Security policy documents are available on a public domain website.

A

D. Security policy documents are available on a public domain website.

The auditor should be most concerned about the security policy documents being available on a public domain website. This is because this exposes the organization’s security posture and strategy to potential attackers, who can exploit the information to launch targeted attacks or bypass the security controls. The security policy documents should be classified as confidential and protected from unauthorized access or disclosure. The other options are less severe than exposing the security policy documents to the public, although they may also indicate some gaps or weaknesses in the security policy development, implementation, or maintenance process.

50
Q

Audit observations should be FIRST communicated with the auditee:
A. when drafting the report.
B. during fieldwork.
C. at the end of fieldwork.
D. within the audit report.

A

B. during fieldwork.

Audit observations are the findings and recommendations that result from an audit engagement. Audit observations should be first communicated with the auditee during fieldwork, which is the stage of the audit process where the auditor collects and analyzes evidence to evaluate the audit objectives. Communicating audit observations during fieldwork has several benefits, such as:
It allows the auditor to verify the accuracy and completeness of the observations, and to obtain additional information or clarification from the auditee if needed.
It enables the auditor to discuss the root causes, impacts, and risks of the observations, and to solicit the auditee’s input on possible corrective actions and implementation timelines.
It helps to build rapport and trust between the auditor and the auditee, and to avoid surprises or disagreements at the end of the audit.
It facilitates timely resolution of audit observations, and reduces the risk of audit delays or disputes.