CISA EXAM 1 | 132 Questions with Verified Answers, 100% CORRECT, Exams of Information and Communications Technology (ICT)

Typology: Exams

2023/2024

Available from 07/27/2024

paul-kamau-2
Q3) During the review of an in-house developed application, the GREATEST concern to an IS auditor is if a:
A) manager approves a change request and then reviews it in production.
B) programmer codes a change in the development environment and tests it in the test environment.
C) manager initiates a change request and subsequently approves it.
D) user raises a change request and tests it in the test environment.
CORRECT ANSWER: C) Manager initiates a change request and subsequently approves it is correct. Initiating and subsequently approving a change request violates the principle of segregation of duties: a person should not be able to approve their own requests.
D) User raises a change request and tests it in the test environment is incorrect. Having a user involved in testing changes is common practice.
B) Programmer codes a change in the development environment and tests it in the test environment is incorrect. Having a programmer code a change in development and then separately test the change in a test environment is good practice and preferable to testing in production.
A) Manager approves a change request and then reviews it in production is incorrect. Having a manager review a change to make sure it was done correctly is an acceptable practice.

Q1) When installing an intrusion detection system, which of the following is MOST important?
A) Identifying messages that need to be quarantined
B) Properly locating it in the network architecture
C) Preventing denial-of-service attacks
D) Minimizing the rejection errors
CORRECT ANSWER: B) Properly locating it in the network architecture is correct. Proper location of an intrusion detection system (IDS) in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network without detection coverage.
C) Preventing denial-of-service attacks is incorrect. A network IDS monitors network traffic and a host-based IDS monitors activity on the host, but neither has the capability of preventing a denial-of-service (DoS) attack.
A) Identifying messages that need to be quarantined is incorrect. Configuring an IDS can be a challenge because it may require the IDS to "learn" what normal activity is, but the most important part of the installation is to install it in the right places.
D) Minimizing the rejection errors is incorrect. An IDS is only a monitoring device and does not reject traffic. Rejection errors would apply to a biometric device.

Q2) An organization is proposing to establish a wireless local area network (WLAN). Management asks the IS auditor to recommend security controls for the WLAN. Which of the following would be the MOST appropriate recommendation?
A) Implement the Simple Network Management Protocol to allow active monitoring.
B) Use service set identifiers that clearly identify the organization.
C) Encrypt traffic using the Wired Equivalent Privacy mechanism.
D) Physically secure wireless access points to prevent tampering.
CORRECT ANSWER: D) Physically secure wireless access points to prevent tampering is correct. Physically securing access points such as wireless routers, as well as preventing theft, addresses the risk of malicious parties tampering with device settings. If access points can be physically reached, it is often a simple matter to

B) Use query software to analyze all change tickets for missing fields is incorrect. This does not identify program changes that were made without supporting change tickets.

Q6) Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would BEST provide assurance that transmission of information is secure while the production support team at ABC is providing support to XYZ?
A) Hash functions
B) Secret key encryption
C) Dynamic Internet Protocol address and port
D) Virtual private network tunnel
CORRECT ANSWER: D) Virtual private network tunnel is correct. As ABC and XYZ are communicating over the Internet, which is an untrusted network, establishing an encrypted virtual private network (VPN) tunnel would best ensure that the transmission of information was secure.
B) Secret key encryption is incorrect. On its own this would require sharing the same key at the source and destination and an additional step for encrypting and decrypting data at each end, which is not a feasible solution given the scenario. (A VPN tunnel also uses symmetric keys, but the tunnel protocol negotiates them and protects every session automatically.)
C) Dynamic Internet Protocol address and port is incorrect. This is not an effective control because an attacker could easily find the new address using the domain name system.
A) Hash functions is incorrect. While the use of a cryptographic hash function may be helpful to validate the integrity of data files, in this case it would not be useful for a production support team connecting remotely.

Q7) A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and:
A) age, because training in audit techniques may be impractical.
B) length of service, because this will help ensure technical competence.
C) IT knowledge, because this will bring enhanced credibility to the audit function.
D) ability, as an IS auditor, to be independent of existing IT relationships.
CORRECT ANSWER: D) Ability, as an IS auditor, to be independent of existing IT relationships is correct. Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.
B) Length of service is incorrect; it does not ensure technical competency.
A) Evaluating an individual's qualifications based on age is incorrect and is illegal in many parts of the world.
C) IT knowledge is incorrect. The fact that the employee has worked in IT for many years may not ensure credibility. The IS audit department's needs should be defined, and any candidate should be evaluated against those requirements.

Q8) An appropriate control for ensuring the authenticity of orders received in an electronic data interchange (EDI) system application is to:
A) encrypt electronic orders.
B) perform reasonableness checks on quantities ordered before filling orders.
C) acknowledge receipt of electronic orders with a confirmation message.
D) verify the identity of senders and determine if orders correspond to contract terms.
CORRECT ANSWER: D) Verify the identity of senders and determine if orders correspond to contract terms is correct. An EDI system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern.
C) Acknowledging the receipt of electronic orders with a confirming message is incorrect. This is good practice but will not authenticate orders from customers.
B) Performing reasonableness checks on quantities ordered before filling orders is incorrect. This is a control for ensuring the correctness of the organization's orders, not the authenticity of its customers' orders.
A) Encrypt electronic orders is incorrect. This is an appropriate step but does not prove authenticity of messages received.
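The Q8 control (authenticate the sender, then check the order against contract terms) is easy to get wrong if the "check" is only an acknowledgement or an encrypted channel. The Go program below is an added example, not code from the original question set or from ISACA: a trading partner registers an Ed25519 public key and contract limits with the receiver, signs each order with its private key, and the receiver verifies the signature under the key registered for the claimed sender, rejects replays by sequence number (the replay-protection property discussed in Q13 below), and only then checks the order against the contract. The Order structure, the partner ID "ACME", the item code and the limits are constructed for illustration and follow no real EDI standard.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Order is the purchase-order payload (constructed for this example; it follows
// no EDI standard). Seq is a per-partner sequence number used against replays.
type Order struct {
	Sender   string `json:"sender"` // trading-partner ID the message claims to come from
	Seq      uint64 `json:"seq"`
	Item     string `json:"item"`
	Quantity int    `json:"quantity"`
}

// SignedOrder is what travels over the wire: the exact payload bytes and the
// sender's Ed25519 signature over those bytes.
type SignedOrder struct {
	Payload   []byte
	Signature []byte
}

// Contract is what the receiver agreed with one partner, including the public key the partner registered out of band.
type Contract struct {
	PubKey       ed25519.PublicKey
	AllowedItems map[string]bool
	MaxQuantity  int
}

// Receiver authenticates incoming orders and remembers the highest sequence number accepted per partner.
type Receiver struct {
	Contracts map[string]Contract
	LastSeq   map[string]uint64
}

// SignOrder is the sending partner's side: serialise, then sign with the private key.
func SignOrder(priv ed25519.PrivateKey, o Order) (SignedOrder, error) {
	payload, err := json.Marshal(o)
	if err != nil {
		return SignedOrder{}, err
	}
	return SignedOrder{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyOrder is the Q8 control: authenticate the sender, reject replays, then
// check the order against the contract terms.
func (r *Receiver) VerifyOrder(so SignedOrder) (Order, error) {
	var o Order
	if err := json.Unmarshal(so.Payload, &o); err != nil {
		return o, fmt.Errorf("malformed payload: %w", err)
	}
	c, ok := r.Contracts[o.Sender]
	if !ok {
		return o, errors.New("unknown trading partner")
	}
	// Verify under the key registered for the *claimed* sender, over the exact
	// bytes received: an impostor's key or any edit to the payload fails here.
	if !ed25519.Verify(c.PubKey, so.Payload, so.Signature) {
		return o, errors.New("signature invalid: sender not authenticated or payload altered")
	}
	// A captured genuine order re-sent later carries a stale sequence number.
	if o.Seq <= r.LastSeq[o.Sender] {
		return o, errors.New("replayed or out-of-order sequence number")
	}
	if !c.AllowedItems[o.Item] || o.Quantity <= 0 || o.Quantity > c.MaxQuantity {
		return o, errors.New("order does not correspond to contract terms")
	}
	r.LastSeq[o.Sender] = o.Seq
	return o, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rcv := &Receiver{Contracts: map[string]Contract{}, LastSeq: map[string]uint64{}}
	rcv.Contracts["ACME"] = Contract{PubKey: pub, AllowedItems: map[string]bool{"WIDGET-7": true}, MaxQuantity: 500}

	good, _ := SignOrder(priv, Order{Sender: "ACME", Seq: 1, Item: "WIDGET-7", Quantity: 100})
	_, err = rcv.VerifyOrder(good)
	fmt.Println("genuine order :", err)

	// Quantity edited in transit with the original signature reused.
	tampered := SignedOrder{Payload: []byte(`{"sender":"ACME","seq":2,"item":"WIDGET-7","quantity":400}`), Signature: good.Signature}
	_, err = rcv.VerifyOrder(tampered)
	fmt.Println("tampered order:", err)

	// The genuine order captured and re-sent.
	_, err = rcv.VerifyOrder(good)
	fmt.Println("replayed order:", err)
}
```

The order of the checks matters: the signature is verified before anything in the payload is trusted, the sequence number is only advanced after every check passes, and an order from an unregistered partner is rejected before any cryptography runs. Encrypting the order (option A) or acknowledging it (option C) would add nothing to this decision.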
Q9) An internal audit function is reviewing an internally developed common gateway interface (CGI) script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern?
A) Unauthorized access
B) System unavailability
C) Exposure to malware
D) System integrity
CORRECT ANSWER: A) Unauthorized access is correct. Untested CGI scripts can have security weaknesses that allow unauthorized access to private systems, because CGI scripts are typically executed on publicly available Internet servers.
B) System unavailability is incorrect. While untested CGI scripts can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users.
C) Exposure to malware is incorrect. Untested CGI scripts do not inherently lead to malware exposures.

D) Development of an audit program is incorrect. The results of the risk assessment are used as the input for the audit program.
C) Define the audit scope is incorrect. The output of the risk assessment helps define the scope.
A) Identification of key information owners is incorrect. A risk assessment must be performed prior to identifying key information owners. Key information owners are generally not directly involved during the planning process of an audit.

Q13) The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called:
A) authentication.
B) data integrity.
C) nonrepudiation.
D) replay protection.
CORRECT ANSWER: C) Nonrepudiation is correct. Integrity, authentication, nonrepudiation and replay protection are all features of a digital signature. Nonrepudiation ensures that the claimed sender cannot later deny generating and sending the message. (Replay protection requires the signed message to carry a nonce, sequence number or timestamp; the signature by itself verifies just as well on a re-sent copy.)
B) Data integrity is incorrect. This refers to changes in the plaintext message that would result in the recipient failing to compute the same message hash.
A) Authentication is incorrect. Because only the claimed sender has the private key used to create the digital signature, authentication ensures that the message has been sent by the claimed sender.
D) Replay protection is incorrect. This is a method that a recipient can use to check that the message was not intercepted and re-sent (replayed).

Q14) Which of the following is the initial step in creating a firewall policy?
A) A cost-benefit analysis of methods for securing the applications
B) Identification of vulnerabilities associated with network applications to be externally accessed
C) Identification of network applications to be externally accessed
D) Creation of an application traffic matrix showing protection methods
CORRECT ANSWER: C) Identification of network applications to be externally accessed is correct. Identification of the applications required across the network should be the initial step. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications.
A) A cost-benefit analysis of methods for securing the applications is incorrect. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step.
B) Identification of vulnerabilities associated with network applications to be externally accessed is incorrect. Having identified the externally accessed applications, the second step is to identify vulnerabilities (weaknesses) associated with the network applications.
D) Creation of an application traffic matrix showing protection methods is incorrect. The fourth step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

Q15) The Secure Sockets Layer protocol ensures the confidentiality of a message by using:
A) message authentication codes.
B) symmetric encryption.
C) hash function.
D) digital signature certificates.
CORRECT ANSWER: B) Symmetric encryption is correct. Secure Sockets Layer (SSL) uses a symmetric key for message encryption. (SSL itself is deprecated; its successor, Transport Layer Security (TLS), divides the work the same way: certificates and asymmetric operations in the handshake, symmetric encryption of the application data.)
A) Message authentication codes is incorrect. These are used for ensuring data integrity.
C) Hash function is incorrect. This is used for generating a message digest, which can provide message integrity; it is not used for message encryption.
D) Digital signature certificates is incorrect. These are used by SSL for server authentication.

Q16) An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT auditor to take?
A) Retest the control to confirm the finding.
B) Discuss the finding with the IT auditor's manager.
C) Elevate the risk associated with the control.
D) Discuss the finding with the auditee's manager.
CORRECT ANSWER: B) Discuss the finding with the IT auditor's manager is correct. Discussing the disagreement with the auditor's manager is the best course of action because other actions can weaken the relationship between the auditee and the auditor.
A) Retest the control to confirm the finding is incorrect. This may unnecessarily expend human and time resources. The audit manager should determine if controls need to be retested.
C) Elevate the risk associated with the control is incorrect. Elevating the risk will not address the disagreement.
D) Discuss the finding with the auditee's manager is incorrect. It is usually best to consult the audit manager prior to escalating the issue to the auditee's manager. This could prove to be an adversarial action.

related function, are primarily used to establish job requirements and accountability.
A) Are current, documented and readily available to the employee is incorrect. It is important that job descriptions are current, documented and readily available to the employee, but this, in itself, is not the key element of the job description. Job descriptions, which are an HR-related function, are primarily used to establish job requirements and accountability.
D) Communicate management's specific job performance expectations is incorrect. Communication of management's specific expectations for job performance would not necessarily be included in job descriptions.

Q20) What is the PRIMARY control purpose of required vacations or job rotations?
A) Allow cross-training for development.
B) Provide a competitive employee benefit.
C) Detect improper or illegal employee acts.
D) Help preserve employee morale.
CORRECT ANSWER: C) Detect improper or illegal employee acts is correct. The practice of having another individual perform a job function is a control used to detect possible irregularities or fraud.
A) Allow cross-training for development is incorrect. Although cross-training is a good practice for business continuity, it is not achieved through mandatory vacations.
D) Help preserve employee morale is incorrect. It is good practice to maintain employee morale, but this is not the primary reason to have a required vacation policy.
B) Provide a competitive employee benefit is incorrect. Vacation time is a competitive benefit, but that is not a control.

Q21) An IS auditor performing an audit of a newly installed Voice-over Internet Protocol (VoIP) system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern?
A) Network cabling is disorganized and not properly labeled.
B) The telephones are using the same cable used for LAN connections.
C) The wiring closet also contains power lines and breaker panels.
D) The local area network (LAN) switches are not connected to uninterruptible power supply units.
CORRECT ANSWER: D) The local area network (LAN) switches are not connected to uninterruptible power supply units is correct. VoIP telephone systems use standard network cabling, and typically each telephone gets power over the network cable (Power over Ethernet) from the wiring closet where the network switch is installed. If the LAN switches do not have backup power, the phones will lose power during a utility interruption and potentially not be able to make emergency calls.
A) Network cabling is disorganized and not properly labeled is incorrect. While improper cabling can create reliability issues, the more critical issue in this case would be the lack of power protection.
B) The telephones are using the same cable used for LAN connections is incorrect. An advantage of VoIP telephone systems is that they use the same cable types and even the same network switches as standard PC network connections. Therefore, this would not be a concern.
C) The wiring closet also contains power lines and breaker panels is incorrect. As long as the power and telephone equipment are separated, this would not be a significant risk.

Q22) An IS audit group has been involved in the integration of an automated audit tool kit with an existing enterprise resource planning (ERP) system. Due to performance issues, the audit tool kit is not permitted to go live. What should the IS auditor's BEST recommendation be?
A) Review the results of stress tests during user acceptance testing.
B) Request vendor technical support to resolve performance issues.
C) Request additional IS audit resources.
D) Review the implementation of selected integrated controls.
CORRECT ANSWER: A) Review the results of stress tests during user acceptance testing is correct. The appropriate recommendation is to review the results of the stress tests during user acceptance testing that demonstrated the performance issues.
D) Review the implementation of selected integrated controls is incorrect. This validates the technical design and the control objective, but integrated controls over transactional tables consume large resources. They should be reviewed carefully to determine whether they are mandatory or can be implemented and integrated for only specific transactions over the ERP application.
C) Request additional IS audit resources is incorrect. The inability to implement the automated tool may necessitate additional audit resources because many audits will require more manual effort; however, the first step should be to try to resolve the performance issues.
B) Request vendor technical support to resolve performance issues is incorrect. This is a good option, but not the first recommendation.

Q23) An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
A) dependency on a single person.
B) one person knowing all parts of a system.

Q26) Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:
A) continuous improvement and monitoring plans.
B) post-BPR process flowcharts.
C) pre-BPR process flowcharts.
D) BPR project plans.
CORRECT ANSWER: B) Post-BPR process flowcharts is correct. An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process.
C) Pre-BPR process flowcharts is incorrect. An IS auditor must review the process as it is today, not as it was in the past.
D) BPR project plans is incorrect. BPR project plans are a step within a BPR project.
A) Continuous improvement and monitoring plans is incorrect. These are steps within a BPR project.

Q27) An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered:
A) can support the organization in the long term.
B) can deliver on the immediate contract.
C) has significant financial obligations that can impose liability to the organization.
D) is of similar financial standing as the organization.
CORRECT ANSWER: A) Can support the organization in the long term is correct. The long-term financial viability of a vendor is essential for deriving maximum value for the organization: it is more likely that a financially sound vendor would be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product.
B) Can deliver on the immediate contract is incorrect. The capability of the vendor to support the enterprise should extend beyond the time of execution of the immediate contract. The objective of financial evaluation should not be confined to the immediate contract but should be to provide assurance of sustainability over a longer time frame.
D) Is of similar financial standing as the organization is incorrect. Whether the vendor is of similar financial standing as the purchaser is irrelevant to this review.
C) Has significant financial obligations that can impose liability to the organization is incorrect. The vendor should not have financial obligations that could impose a liability on the purchaser; the financial obligations are usually from the purchaser to the vendor.

Q28) Which of the following is a control that can be implemented to reduce the risk of internal fraud if application programmers are allowed to move programs into the production environment in a small organization?
A) Post-implementation functional testing
B) User acceptance testing
C) Validation of user requirements
D) Registration and review of changes
CORRECT ANSWER: D) Registration and review of changes is correct. An independent review of the changes to the program in production could identify potential unauthorized changes, versions or functionality that the programmer had put into production.
A) Post-implementation functional testing is incorrect. This would not be as effective because the system could be accepted by the end user without detecting the undocumented functionality.
C) Validation of user requirements is incorrect. This would not be as effective because the system could meet user requirements and still include undocumented functionalities.
B) User acceptance testing is incorrect. This would not be as effective because the system could be accepted by the end users, and the undocumented functionalities could remain undetected.

Q29) The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring are active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation, and is the only user with administrative rights to the system. What should the IS auditor's initial determination be?
A) Disabling of unused ports presents a potential risk.
B) Soft zoning presents a potential risk.
C) There is no significant potential risk.
D) The SAN administrator presents a potential risk.
CORRECT ANSWER: D) The SAN administrator presents a potential risk is correct. The potential risk in this scenario is posed by the SAN administrator. One concern is having a "single point of failure." Because only one administrator has the knowledge and access required to administer the system, the organization is susceptible to risk. For example, if the SAN administrator decided to quit unexpectedly, or was otherwise unavailable, the company may not be able to adequately administer the SAN. In addition, having a single administrator for a large, complex system such as a SAN also presents a segregation of duties risk. The organization currently relies entirely on the SAN administrator to implement, maintain and validate all security controls; this means that the SAN administrator could modify or remove those controls without detection.

the audit work to address the audit objectives. The activities described in the other options are all undertaken to address audit objectives and, thus, are secondary.
A) Collect sufficient evidence is incorrect. The IS auditor does not collect evidence in the planning stage of an audit.
C) Specify appropriate tests is incorrect. This is not the primary goal of audit planning.
B) Minimize audit resources is incorrect. Effective use of audit resources is a goal of audit planning, not minimizing audit resources.

Q33) Electromagnetic emissions from a terminal represent a risk because they:
A) could damage or erase nearby storage media.
B) could have adverse health effects on personnel.
C) can disrupt processor functions.
D) can be detected and displayed.
CORRECT ANSWER: D) Can be detected and displayed is correct. Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. TEMPEST is a term referring to the investigation and study of compromising emanations: unintentional intelligence-bearing signals that, if intercepted and analyzed, may reveal their contents.
A) Could damage or erase nearby storage media is incorrect. While a strong magnetic field can erase certain storage media, terminals are normally designed to limit these emissions; therefore, this is not normally a concern.
C) Can disrupt processor functions is incorrect. Electromagnetic emissions should not cause disruption of central processing units.
B) Could have adverse health effects on personnel is incorrect. Most electromagnetic emissions are low level and do not pose a significant health risk.
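Q15 above separates symmetric encryption (confidentiality), message authentication codes (integrity) and certificates (server authentication). The Go program below is an added example, not part of the original question set or of any SSL/TLS implementation: it protects one application record with AES-256-GCM, shows that a single flipped bit is rejected on decryption, and then computes an HMAC-SHA256 over the same message to show that a MAC proves integrity while leaving the message readable on the wire. The shared key is generated locally here; in SSL/TLS it would be derived during the handshake. The sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Record is one protected application-data record: the nonce the sender used
// plus the AEAD output (ciphertext followed by the 16-byte authentication tag).
type Record struct {
	Nonce []byte
	Body  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the shared symmetric key with AES-GCM.
// Confidentiality comes from AES in counter mode; the GCM tag additionally
// binds the ciphertext so that any modification is detected by Open.
func Seal(key, plaintext []byte) (Record, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh per record; never reuse with one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Body: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts and verifies a record; a wrong key or a single flipped bit
// yields an error and no plaintext at all.
func Open(key []byte, r Record) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, r.Nonce, r.Body, nil)
	if err != nil {
		return nil, errors.New("record rejected: authentication failed")
	}
	return pt, nil
}

// Tag computes HMAC-SHA256 over msg: integrity and origin for anyone holding
// the key, but the message itself still travels in the clear.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// CheckTag verifies a tag in constant time.
func CheckTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

func main() {
	key := make([]byte, 32) // constructed; in SSL/TLS it would come from the handshake
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	msg := []byte("card=4111111111111111 amount=99.00") // constructed sample record

	rec, err := Seal(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted on the wire:", hex.EncodeToString(rec.Body))
	pt, err := Open(key, rec)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)

	flipped := Record{Nonce: rec.Nonce, Body: append([]byte(nil), rec.Body...)}
	flipped.Body[0] ^= 0x01
	_, err = Open(key, flipped)
	fmt.Println("one bit flipped:", err)

	tag := Tag(key, msg)
	fmt.Printf("MAC only, on the wire: %s tag=%s...\n", msg, hex.EncodeToString(tag[:8]))
	fmt.Println("tag verifies:", CheckTag(key, msg, tag))
}
```

The MAC-only output is the point of option A being wrong: the tag stops anyone without the key from altering the card number unnoticed, but the card number is right there for anyone watching the wire. Only the symmetric cipher hides it.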
Q34) To prevent Internet Protocol (IP) spoofing attacks, a firewall should be configured to drop a packet for which the sender of a packet: A) allows use of dynamic routing instead of static routing (Open Shortest Path First protocol is enabled). B) specifies the route that a packet should take through the network (the source routing field is enabled). C) puts multiple destination hosts (the destination field has a broadcast address in the destination field). D) indicates that the computer should immediately stop using the TCP connection (a reset flag is turned on). - CORRECT ANSWER B) Specifies the route that a packet should take through the network (the source routing field is enabled) is correct. Internet Protocol (IP) spoofing takes advantage of the source-routing option in the IP. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing. C) Puts multiple destination hosts (the destination field has a broadcast address) is incorrect. If a packet has a broadcast destination address, it is definitely suspicious and if allowed to pass will be sent to all addresses in the subnet. This is not related to IP spoofing. D) Indicates that the computer should immediately stop using the TCP connection (a reset flag is turned on) is incorrect. Turning on the reset flag is part of the normal procedure to end a Transmission Control Protocol connection. A) Allows use of dynamic routing instead of static routing (Open Shortest Path First protocol is enabled) is incorrect. The use of dynamic or static routing will not represent a spoofing attack. Q35) Which of the following is the MOST reliable method to ensure identity of sender for messages transferred across Internet? 
A) Asymmetric cryptography B) Message authentication code C) Digital certificates D) Digital signatures - CORRECT ANSWER C) Digital certificates is correct. These are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository. D) Digital signatures is incorrect. These are used for both authentication and integrity, but the identity of the sender would still be confirmed by the digital certificate. A) Asymmetric cryptography is incorrect. This appears to authenticate the sender but is vulnerable to a man-in-the-middle attack. B) Message authentication code is incorrect. This is used for message integrity verification. Q36) In what capacity would an IS auditor MOST likely see a hash function applied? A) Authorization B) Identification C) Authentication D) Encryption - CORRECT ANSWER C) Authentication is correct. The purpose of a hash function is to produce a "fingerprint" of data that can be used to ensure integrity and authentication. A hash of a password also provides for authentication of a user or process attempting to access resources. B) Identification is incorrect. Hash functions are not used for identification. They are used to validate the authenticity of the identity. C) determining whether bar code readers are installed. D) conducting a physical count of the tape inventory - CORRECT ANSWER D) Conducting a physical count of the tape inventory is correct. A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy and validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test. C) Determining whether bar code readers are installed is incorrect. This is a compliance test. B) Determining whether the movement of tapes is authorized is incorrect. This is a compliance test. 
A) Checking whether receipts and issues of tapes are accurately recorded is incorrect. This is a compliance test. Q40) Which of the following is the responsibility of information asset owners? A) Implementation of access rules to data and programs B) Implementation of information security within applications C) Provision of physical and logical security for data D) Assignment of criticality levels to data - CORRECT ANSWER D) Assignment of criticality levels to data is correct. It is the responsibility of owners to define the criticality (and sensitivity) levels of information assets. B) Implementation of information security within applications incorrect. This is the responsibility of the data custodians based on the requirements set by the data owner. A) Implementation of access rules to data and programs is incorrect. This is a responsibility of data custodians based on the requirements set by the data owner. C) Provision of physical and logical security for data is incorrect. This is the responsibility of the security administrator. Q41) An IS auditor is reviewing the network infrastructure of a call center and determines that the internal telephone system is based on Voice-over Internet Protocol technology. Which of the following is the GREATEST concern? A) Voice communication uses the same equipment that is used for data communication. B) The team that supports the data network also is responsible for the telephone system. C) Voice communication is not encrypted on the local network. D) Ethernet switches are not protected by uninterrupted power supply units. - CORRECT ANSWER D) Ethernet switches are not protected by uninterrupted power supply units is correct. Voice-over Internet Protocol (VoIP) telephone systems use the local area network (LAN) infrastructure of a company for communication, typically using Ethernet connectivity to connect individual phones to the system. 
Most companies have a backup power supply for the main servers and systems, but typically do not have uninterrupted power supply units for the LAN switches. In the case of even a brief power outage, not having backup power on all network devices makes it impossible to send or receive phone calls, which is a concern, particularly in a call center. A) Voice communication uses the same equipment that is used for data communication is incorrect. VoIP telephone systems use the LAN infrastructure of a company for communication, which can save on wiring cost and simplify both the installation and support of the telephone system. This use of shared infrastructure is a benefit of VoIP and therefore is not a concern. C) Voice communication is not encrypted on the local network is incorrect. VoIP devices do not normally encrypt the voice traffic on the local network, so this is not a concern. Typically, a VoIP phone system connects to a telephone company voice circuit, which would not normally be encrypted. If the system uses the Internet for connectivity, then encryption is required. B) The team that supports the data network also is responsible for the telephone system is incorrect. VoIP telephone systems use the LAN infrastructure of a company for communication, so the personnel who support and maintain that infrastructure are now responsible for both the data and voice network by default. Therefore, this would not be a concern. Q42) Which of the following is MOST important to ensure before communicating the audit findings to top management during the closing meeting? A) Findings are clearly tracked back to evidence. B) Recommendations address root causes of findings. C) Remediation plans are provided by responsible parties. D) Risk statement includes an explanation of a business impact. - CORRECT ANSWER A) Findings are clearly tracked back to evidence is correct. 
Without adequate evidence, the findings hold no ground; therefore, this must be verified before communicating the findings.
D) Risk statement includes an explanation of a business impact is incorrect. It is important to have a well-elaborated risk statement; however, it might not be relevant if findings are not accurate.
B) Recommendations address root causes of findings is incorrect. It is important to address the root causes of findings, and they may not be included in the report. However, it might not be relevant if findings are not accurate.
C) Remediation plans are provided by responsible parties is incorrect. In some cases, top management might expect to see remediation plans during debriefing of the findings; however, the accuracy of findings should be proved first.

Q43) Which of the following considerations is the MOST important while evaluating a business case for the acquisition of a new accounting application?

D) Layer 2 switches is incorrect. Based on Media Access Control addresses, layer 2 switches separate traffic without determining whether it is authorized or unauthorized traffic.
B) Virtual local area networks is incorrect. A virtual local area network is a functionality of some switches that allows them to control traffic between different ports even though they are in the same physical local access network. Nevertheless, they do not effectively deal with authorized versus unauthorized traffic.

Q46) Assignment of process ownership is essential in system development projects because it:
A) enables the tracking of the development completion percentage.
B) ensures that system design is based on business needs.
C) minimizes the gaps between requirements and functionalities.
D) optimizes the design cost of user acceptance test cases.
- CORRECT ANSWER B) Ensures that system design is based on business needs is correct.
The involvement of process owners will ensure that the system will be designed according to the needs of the business processes that depend on system functionality. A sign-off on the design by the process owners is crucial before development begins.
A) Enables the tracking of the development completion percentage is incorrect. Process ownership assignment does not have a feature to track the completion percentage of deliverables.
D) Optimizes the design cost of user acceptance test cases is incorrect. Whether the design cost of test cases will be optimized is not determined from the assignment of process ownership. It may help to some extent; however, there are many other factors involved in the design of test cases.
C) Minimizes the gaps between requirements and functionalities is incorrect. For gap minimization, a specific requirements analysis framework should be in place and then applied; however, a gap may be found between the design and the as-built system that could lead to system functionality not meeting requirements. This will be identified during user acceptance testing. Process ownership alone does not have the capability to minimize requirement gaps.

Q47) Which of the following presents an inherent risk with no distinct identifiable preventive controls?
A) Unauthorized application shutdown
B) Viruses
C) Piggybacking
D) Data diddling
- CORRECT ANSWER D) Data diddling is correct. This involves changing data before they are entered into the computer. It is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling.
C) Piggybacking is incorrect. This is the act of following an authorized person through a secured door and can be prevented by the use of deadman doors.
Logical piggybacking is an attempt to gain access through someone who has the rights (e.g., electronically attaching to an authorized telecommunication link to possibly intercept transmissions). This could be prevented by encrypting the message.
B) Viruses is incorrect. These are malicious program code inserted into another executable code that can self-replicate and spread from computer to computer via sharing of computer disks, transfer of logic over telecommunication lines or direct contact with an infected machine. Antivirus software can be used to protect the computer against viruses.
A) Unauthorized application shutdown is incorrect. The shutdown of an application can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up line) to the computer. Only individuals knowing the high-level logon ID and password can initiate the shutdown process, which is effective if there are proper access controls.

Q48) Confidentiality of transmitted data can best be delivered by encrypting the:
A) session key with the sender's public key.
B) messages with the receiver's private key.
C) message digest with the sender's private key.
D) session key with the receiver's public key.
- CORRECT ANSWER D) Session key with the receiver's public key is correct. This will ensure that the session key can only be obtained using the receiver's private key, retained by the receiver.
C) Message digest with the sender's private key is incorrect. This will ensure authentication and nonrepudiation.
A) Session key with the sender's public key is incorrect. This will make the message accessible to only the sender.
B) Messages with the receiver's private key is incorrect. A message encrypted with a receiver's private key could be decrypted by anyone using the receiver's public key.

Q49) An IS auditor is reviewing the software development capabilities of an organization that has adopted the agile methodology.
The IS auditor would be the MOST concerned if:
A) software development teams continually re-plan each step of their major projects.
B) application features and development processes are not extensively documented.

administrative console would grant him/her the ability to do this, which would be a significant risk.
A) Developers could gain elevated access to production servers is incorrect. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest operating system (OS) to access the server. In this case, while the developers could potentially start, stop or even de-provision a production VM, they could not gain elevated access to the OS of the guest through the administrative interface.
C) Developers can affect the performance of production servers with their applications is incorrect. While there could be instances where a software development team might use resource-intensive applications that could cause performance issues for the virtual host, the greater risk would be the ability to de-provision VMs.
D) Developers could install unapproved applications to any servers is incorrect. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest OS to access the server; therefore, the concern that unauthorized software could be installed is not valid.

Q52) When preparing a business case to support the need of an electronic data warehouse solution, which of the following choices is the MOST important to assist management in the decision-making process?
A) Discuss a single solution.
B) Demonstrate feasibility.
C) Consider security controls.
D) Consult the audit department.
- CORRECT ANSWER B) Demonstrate feasibility is correct. The business case should demonstrate feasibility for any potential project.
By including a feasibility study in the business case along with a cost-benefit analysis, management can make an informed decision.
A) Discuss a single solution is incorrect. A business case should discuss all possible solutions to a given problem, which would enable management to select the best option. This may include the option not to undertake the project.
C) Consider security controls is incorrect. It may be important to include security considerations in the business case if security is important to the solution and will address the problem; however, the feasibility study is more important and is necessary regardless of the type of problem.
D) Consult the audit department is incorrect. While the person preparing the business case may consult with the organization's audit department, this would be situational and is not necessary to include in the business case.

Q53) The IS auditor observes that the latest security-related software patches for a mission-critical system were released two months ago, but IT personnel have not yet installed the patches. The IS auditor should:
A) take no action, because the IT processes related to patch management appear to be adequate.
B) review the patch management policy and determine the risk associated with this condition.
C) recommend that IT systems personnel test and then install the patches immediately.
D) recommend that patches be applied every month or immediately upon release.
- CORRECT ANSWER B) Review the patch management policy and determine the risk associated with this condition is correct. Reviewing the patch management policy and determining whether the IT department is compliant with the policies will detect whether the policies are appropriate and what risk is associated with current practices.
C) Recommend that IT systems personnel test and then install the patches immediately is incorrect.
While there may be instances in which the patch is an urgent fix for a serious security issue, IT may have made the determination that the risk to system stability is greater than the risk identified by the software vendor who issued the patch. Therefore, the time frame selected by IT may be appropriate.
D) Recommend that patches be applied every month or immediately upon release is incorrect. While keeping critical systems properly patched helps to ensure that they are secure, the requirement for a precise timetable to patch systems may create other issues if patches are improperly tested prior to implementation. Therefore, this is not the correct answer.
A) Take no action, because the IT processes related to patch management appear to be adequate is incorrect. Even if the IS auditor concludes that the patch management process is adequate, the observation related to the time delay in applying patches should be reported.

Q54) This question refers to the following diagram. To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system between the:
A) web server and the firewall.
B) Internet and the firewall.
C) Internet and the web server.
D) firewall and the organization's network.
- CORRECT ANSWER D) Firewall and the organization's network is correct. Attack attempts that could not be recognized by the firewall will be detected if a network-based intrusion detection system (IDS) is placed between the firewall and the organization's network.
B) Internet and the firewall is incorrect. A network-based IDS placed between the Internet and the firewall will detect attack attempts, whether they are or are not noticed by the firewall.
C) Internet and the web server is incorrect. Placing an IDS outside of the web server will identify attacks directed at the web server but will not detect attacks missed by the firewall.

C) A single factor authentication technique is used to grant access.
D) The guest network is not segregated from the production network.
- CORRECT ANSWER D) The guest network is not segregated from the production network is correct. The implication of this is that guests have access to the organization's network. Allowing untrusted users to connect to the organization's network could introduce malware and potentially allow these individuals inappropriate access to systems and information.
B) A login screen is not displayed for guest users is incorrect. Using a web captive portal, which displays a login screen in the user's web browser, is a good practice to authenticate guests. However, if the guest network is not segregated from the production network, users could introduce malware and potentially gain inappropriate access to systems and information.
A) Guest users who are logged in are not isolated from each other is incorrect. There are certain platforms in which it is allowable for guests to interact with one another. Also, guests could be warned to use only secured systems and a policy covering interaction among guests could be created.
C) A single factor authentication technique is used to grant access is incorrect. Although a multifactor authentication technique is preferred, a single-factor authentication method should be adequate if properly implemented.

Q58) An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that:
A) the environmental impact of the data center has not been considered.
B) it has not been determined how the project fits into the overall project portfolio.
C) the organizational impact of the project has not been assessed.
D) not all IT stakeholders have been given an opportunity to provide input.
- CORRECT ANSWER C) The organizational impact of the project has not been assessed is correct. The feasibility study determines the strategic benefits of the project.
Therefore, the result of the feasibility study determines the organizational impact—a comparison report of costs, benefits, risk, etc. The project portfolio is a part of measuring the organizational strategy.
B) It has not been determined how the project fits into the overall project portfolio is incorrect. While projects must be assigned a priority and managed as a portfolio, this most likely occurs after the feasibility study determines that the project is viable.
D) Not all IT stakeholders have been given an opportunity to provide input is incorrect. A feasibility study is ordinarily conducted by those with the knowledge to make the decision because the involvement of the entire IT organization is not needed.
A) The environmental impact of the data center has not been considered is incorrect. The environmental impact should be part of the feasibility study; however, the organizational impact is more important.

Q59) When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of:
A) improper transaction authorization.
B) application interface failure.
C) excessive transaction turnaround time.
D) nonvalidated batch totals.
- CORRECT ANSWER A) Improper transaction authorization is correct. Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Because the interaction with the parties is electronic, there is no inherent authentication. Improper authentication poses a serious risk of financial loss.
C) Excessive transaction turnaround time is incorrect. An excessive turnaround time is an inconvenience, but not a serious risk.
B) Application interface failure is incorrect. The failure of the application interface is a risk, but not the most serious issue. Usually such a problem is temporary and easily fixed.
D) Nonvalidated batch totals is incorrect.
The integrity of EDI transactions is important, but not as significant as the risk of unauthorized transactions.

Q60) The IS auditor is reviewing findings from a prior IT audit of a hospital. One finding indicates that the organization was using email to communicate sensitive patient issues. The IT manager indicates that to address this finding, the organization has implemented digital signatures for all email users. What should the IS auditor's response be?
A) The IS auditor should gather more information about the specific implementation.
B) Digital signatures are not adequate to protect confidentiality.
C) The IS auditor should recommend implementation of digital watermarking for secure email.
D) Digital signatures are adequate to protect confidentiality.
- CORRECT ANSWER B) Digital signatures are not adequate to protect confidentiality is correct. Digital signatures are designed to provide authentication and nonrepudiation for email and other transmissions but are not adequate for confidentiality. This implementation is not adequate to address the prior year's finding.
D) Digital signatures are adequate to protect confidentiality is incorrect. Digital signatures do not encrypt message contents, which means that an attacker who intercepts a message can read the message because the data are in plaintext.
A) The IS auditor should gather more information about the specific implementation is incorrect. Although gathering additional information is always a good step before drawing a conclusion on a finding, in this case the implemented solution simply does not provide confidentiality.

Q64) An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that:
A) card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards.
B) the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure.
C) non-personalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity.
D) access cards are not labeled with the organization's name and address to facilitate easy return of a lost card.
- CORRECT ANSWER C) Non-personalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity is correct. Physical security is meant to control who is entering a secured area, so identification of all individuals is of utmost importance. It is not adequate to trust unknown external people by allowing them to write down their alleged name without proof (e.g., identity card, driver's license).
D) Access cards are not labeled with the organization's name and address to facilitate easy return of a lost card is incorrect. Having the name and address of the organization on the card may be a concern because a malicious finder could use a lost or stolen card to enter the organization's premises.
A) Card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards is incorrect. Separating card issuance from technical rights management is a method to ensure the proper segregation of duties so that no single person can produce a functioning card for a restricted area within the organization's premises. The long lead time is an inconvenience but not a serious audit risk.
B) The computer system used for programming the cards can only be replaced after three weeks in the event of a system failure is incorrect. System failure of the card programming device would normally not mean that the readers do not function anymore. It simply means that no new cards can be issued, so this option is minor compared to the threat of improper identification.
Q65) An organization recently deployed a customer relationship management application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed?
A) Project risk assessment
B) Post-implementation review
C) User acceptance testing
D) Management approval of the system
- CORRECT ANSWER B) Post-implementation review is correct. The purpose of a post-implementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The post-implementation review also evaluates how effective the project management practices were in keeping the project on track.
C) User acceptance testing (UAT) is incorrect. This verifies that the system functionality has been deemed acceptable by the end users of the system; however, a review of UAT will not validate whether the system is performing as designed because UAT would be performed on a subset of system functionality. The UAT review is a part of the post-implementation review.
A) Project risk assessment is incorrect. While a risk assessment would highlight the risk of the system, it would not include an analysis to verify that the system is operating as designed.
D) Management approval of the system is incorrect. This could be based on reduced functionality and does not verify that the system is operating as designed. Management approval is a part of post-implementation review.

Q66) An IS auditor was asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed?
A) Have periodic meetings with the client IT manager.
B) Require the vendor to provide monthly status reports.
C) Require that performance parameters be stated within the contract.
D) Conduct periodic audit reviews of the vendor.
- CORRECT ANSWER D) Conduct periodic audit reviews of the vendor is correct.
Conducting periodic reviews of the vendor ensures that the agreements within the contract are completed in a satisfactory manner. Without future audit reviews after the contract is signed, service level agreements and the client's requirements for security controls may become less of a focus for the vendor, and the results may slip. Periodic audit reviews allow the client to take a look at the vendor's current state to ensure that the vendor is one with which they want to continue to work.
B) Require the vendor to provide monthly status reports is incorrect. Although providing monthly status reports may show that the vendor is meeting contract terms, without independent verification these data may not be reliable.
A) Have periodic meetings with the client IT manager is incorrect. Having periodic meetings with the client IT manager will assist with understanding the current relationship with the vendor, but meetings may not include vendor audit reports, status reports and other information that a periodic audit review would take into consideration.
C) Require that performance parameters be stated within the contract is incorrect. Requiring that performance parameters be stated within the contract is important, but only if periodic reviews are performed to determine that performance parameters are met.

Q67) What is the PRIMARY reason that an IS auditor would verify that the process of post-implementation review of an application was completed after a release?
A) To check that the project meets expectations
B) To make sure that users are appropriately trained
C) To determine whether proper controls were implemented

data integrity controls. Which of the following choices should the auditor perform FIRST?
A) Review the data flow diagram.
B) Evaluate the change request process.
C) Evaluate the reconciliation controls.
D) Review user access.
- CORRECT ANSWER A) Review the data flow diagram is correct.
The IS auditor should review the application data flow diagram to understand the flow of data within the application and to other systems. This will enable the IS auditor to evaluate the design and effectiveness of the data integrity controls.
D) Review user access is incorrect. The review of user access would be important; however, in terms of data integrity it would be better to review the data flow diagram.
B) Evaluate the change request process is incorrect. The lack of an adequate change control process could impact the integrity of the data; however, the system should be documented first to determine whether the transactions flow to other systems.
C) Evaluating the reconciliation controls is incorrect. This would help to ensure data integrity; however, it is more important to understand the data flows of the application to ensure that the reconciliation controls are located in the correct place.

Q71) When reviewing the configuration of network devices, an IS auditor should FIRST identify:
A) whether components of the network are missing.
B) the good practices for the type of network devices deployed.
C) the importance of the network devices in the topology.
D) whether subcomponents of the network are being used appropriately.
- CORRECT ANSWER C) The importance of the network devices in the topology is correct. The first step is to understand the importance and role of the network device within the organization's network topology.
B) The good practices for the type of network devices deployed is incorrect. After understanding the devices in the network, a good practice for using the device should be reviewed to ensure that there are no anomalies within the configuration.
A) Whether components of the network are missing is incorrect. Identification of which component is missing can only be known after reviewing and understanding the topology and a good practice for deployment of the device in the network.
D) Whether subcomponents of the network are being used appropriately is incorrect. Identification of which subcomponent is being used inappropriately can only be known after reviewing and understanding the topology and a good practice for deployment of the device in the network.

Q72) Two months after a major application implementation, management, who assume that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to:
A) review subsequent program change requests.
B) assess whether the planned cost benefits are being measured, analyzed and reported.
C) review controls built into the system to assure that they are operating as designed.
D) determine whether user feedback on the system has been documented.
- CORRECT ANSWER C) Review controls built into the system to assure that they are operating as designed is correct. Because management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed.
D) Determine whether user feedback on the system has been documented is incorrect. The IS auditor should check whether user feedback has been provided, but this is not the most important area for audit.
B) Assess whether the planned cost benefits are being measured, analyzed and reported is incorrect. It is important to assess the effectiveness of the project; however, assuring that the production environment is adequately controlled after the implementation is of primary concern.
A) Review subsequent program change requests is incorrect. Reviewing change requests may be a good idea, but this is more important if the application is perceived to have a problem.

Q73) When two or more systems are integrated, the IS auditor must review input/output controls in the:
A) systems sending and receiving data.
B) systems sending output to other systems.
C) systems receiving the output of other systems.
D) interfaces between the two systems.
- CORRECT ANSWER A) Systems sending and receiving data is correct. Both of the systems must be reviewed for input/output controls because the output for one system is the input for the other.
C) Systems receiving the output of other systems is incorrect. A responsible control is to protect downstream systems from contamination from an upstream system. This requires a system that sends data to review its output and the receiving system to review its input.

organization. Then the IS auditor will ensure that it is implemented and measure compliance.
B) Compliance is incorrect. This cannot be measured until the baseline has been implemented, but the IS auditor must first ensure that the correct baseline is being implemented.
C) Documentation is incorrect. After the baseline has been defined, it must be documented, and the IS auditor will check that the baseline is appropriate before checking for implementation.

Q77) Assessing IT risk is BEST achieved by:
A) reviewing IT control weaknesses identified in audit reports.
B) using the organization's past actual loss experience to determine current exposure.
C) evaluating threats and vulnerabilities associated with existing IT assets and IT projects.
D) reviewing published loss statistics from comparable organizations.
- CORRECT ANSWER C) Evaluating threats and vulnerabilities associated with existing IT assets and IT projects is correct. To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.
B) Using the organization's past actual loss experience to determine current exposure is incorrect. Basing an assessment on past losses will not adequately reflect new threats or inevitable changes to the firm's IT assets, projects, controls and strategic environment.
There are also likely to be problems with the scope and quality of the loss data available to be assessed.
D) Reviewing published loss statistics from comparable organizations is incorrect. Comparable organizations will have differences in their IT assets, control environment and strategic circumstances. Therefore, their loss experience cannot be used to directly assess organizational IT risk.
A) Reviewing IT control weaknesses identified in audit reports is incorrect. Control weaknesses identified during audits will be relevant in assessing threat exposure, and further analysis may be needed to assess threat probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have recently been audited, and there may not be a sufficient assessment of strategic IT risk.

Q78) Which of the following is the BEST method of controlling scope creep in a system development project?
A) Adopting a matrix project management structure
B) Identifying the critical path of the project
C) Establishing a software baseline
D) Defining penalties for changes in requirements
- CORRECT ANSWER C) Establishing a software baseline is correct. Software baselining, the cutoff point in the design phase, occurs after a rigorous review of user requirements. Any changes thereafter will undergo strict formal change control and approval procedures. Scope creep refers to uncontrolled change within a project resulting from improperly managed requirements.
D) Defining penalties for changes in requirements is incorrect. While this may help to prevent scope creep, software baselining is a better way to accomplish this goal.
A) Adopting a matrix project management structure is incorrect. In a matrix project organization, management authority is shared between the project manager and the department heads. Adopting a matrix project management structure will not address the problem of scope creep.
B) Identifying the critical path of the project is incorrect. Although the critical path is important, it will change over time and will not control scope creep.

Q80) Inadequate programming and coding practices increase the risk of:
A) synchronize flood.
B) buffer overflow exploitation.
C) brute force attacks.
D) social engineering.
- CORRECT ANSWER B) Buffer overflow exploitation is correct. This may occur when programs do not check the length of the data that are input into a program. An attacker can send data that exceed the length of a buffer and overwrite part of the program with arbitrary code, which will then be executed with the privileges of the program. The countermeasure is proper programming and good coding practices.
D) Social engineering is incorrect. This attempts to gather sensitive information from people and primarily relies on human behavior. This is not a programming or coding problem.
A) A Synchronize (SYN) flood is incorrect. This is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system. A SYN flood is not related to programming and coding practices.
C) Brute force attacks is incorrect. These are used against passwords and are not related to programming and coding practices.

Q80) Which of the following BEST ensures the effectiveness of controls related to interest calculation for an accounting system?
A) Process walk-through
B) Observation
C) Documentation review
D) Re-performance
- CORRECT ANSWER D) Re-performance is correct. To ensure the effectiveness of controls, it is most effective to conduct re-performance.

D) finding all weaknesses on the system.
- CORRECT ANSWER B) Restoring systems to the original state is correct. After the test is completed, the systems must be restored to their original state. In performing the test, changes may have been made to firewall rules, user IDs created, or false files uploaded. These must all be cleaned up before the test is completed.
C) The confidentiality of the report is incorrect. A penetration test report is a sensitive document because it lists the vulnerabilities of the target system. However, the main requirement for the penetration test team is to restore the system to its original condition.
D) Finding all weaknesses on the system is incorrect. Finding all possible weaknesses is not possible in complex information systems.
A) Logging changes made to production systems is incorrect. All changes made should be recorded, but the most important concern is to ensure that the changes are reversed at the end of the test.

Q84) Which of the following is MOST directly affected by network performance monitoring tools?
A) Confidentiality
B) Availability
C) Integrity
D) Completeness
- CORRECT ANSWER B) Availability is correct. Network monitoring tools allow observation of network performance and problems. This allows the administrator to take corrective action when network problems are observed. Therefore, the characteristic that is most directly affected by network monitoring is availability.
C) Integrity is incorrect. Network monitoring tools can be used to detect errors that are propagating through a network, but their primary focus is on network reliability so that the network is available when required.
D) Completeness is incorrect. Network monitoring tools will not measure completeness of the communication. This is measured by the end points in the communication.
A) Confidentiality is incorrect. A network monitoring tool can violate confidentiality by allowing a network administrator to observe non-encrypted traffic. This requires careful protection and policies regarding the use of network monitoring tools.

Q85) In a small organization, the functions of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario?
A) Preventing the release manager from making program modifications
B) Hiring additional staff to provide segregation of duties
C) Verifying that only approved program changes are implemented
D) Logging of changes to development libraries
- CORRECT ANSWER C) Verifying that only approved program changes are implemented is correct. Compensating controls are used to mitigate risk when proper controls are not feasible or practical. In a small organization, it may not be feasible to hire new staff, which is why a compensating control may be necessary. Verifying program changes has roughly the same effect as intended by full segregation of duties.
B) Hiring additional staff to provide segregation of duties is incorrect. Establishing segregation of duties is not a compensating control; it is a preventive control. In a small organization, it may not be feasible to hire new staff, which is why a compensating control may be necessary.
A) Preventing the release manager from making program modifications is incorrect. Since the release manager is performing dual roles, preventing them from making program modifications is not feasible, and, in a small organization, segregation of duties may not be possible.
D) Logging of changes to development libraries is incorrect. Logging changes to development libraries does not detect changes to production libraries.

Q86) The project steering committee is ultimately responsible for:
A) ensuring that system controls are in place.
B) project deliverables, costs and timetables.
C) allocating the funding for the project.
D) day-to-day management and leadership of the project.
- CORRECT ANSWER B) Project deliverables, costs and timetables is correct. The project steering committee provides overall direction; ensures appropriate representation of the major stakeholders in the project's outcome; and takes ultimate responsibility for the deliverables, costs and timetables.
D) Day-to-day management and leadership of the project is incorrect.
This is the function of the project manager.
C) Providing the funding for the project is incorrect. This is the function of the project sponsor.
A) Ensuring that system controls are in place is incorrect. This is the function of the project security officer.

Q87) During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?
A) No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
B) Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management.

Q1) When installing an intrusion detection system, which of the following is MOST important?
A) Identifying messages that need to be quarantined
B) Properly locating it in the network architecture
C) Preventing denial-of-service attacks
D) Minimizing the rejection errors
- CORRECT ANSWER B) Properly locating it in the network architecture is correct. Proper location of an intrusion detection system (IDS) in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected.
C) Preventing denial-of-service attacks is incorrect. A network IDS will monitor network traffic and a host-based IDS will monitor activity on the host, but it has no capability of preventing a denial-of-service (DoS) attack.
A) Identifying messages that need to be quarantined is incorrect. Configuring an IDS can be a challenge because it may require the IDS to "learn" what normal activity is, but the most important part of the installation is to install it in the right places.
D) Minimizing the rejection errors is incorrect. An IDS is only a monitoring device and does not reject traffic. Rejection errors would apply to a biometric device.

Q2) An organization is proposing to establish a wireless local area network (WLAN). Management asks the IS auditor to recommend security controls for the WLAN. Which of the following would be the MOST appropriate recommendation?
A) Implement the Simple Network Management Protocol to allow active monitoring.
B) Use service set identifiers that clearly identify the organization.
C) Encrypt traffic using the Wired Equivalent Privacy mechanism.
D) Physically secure wireless access points to prevent tampering.
- CORRECT ANSWER D) Physically secure wireless access points to prevent tampering is correct.
Physically securing access points such as wireless routers, as well as preventing theft, addresses the risk of malicious parties tampering with device settings. If access points can be physically reached, it is often a simple matter to

B) Use query software to analyze all change tickets for missing fields is incorrect. This does not identify program changes that were made without supporting change tickets.

Q6) Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would BEST provide assurance that transmission of information is secure while the production support team at ABC is providing support to XYZ?
A) Hash functions
B) Secret key encryption
C) Dynamic Internet protocol address and port
D) Virtual private network tunnel
- CORRECT ANSWER D) Virtual private network tunnel is correct. As ABC and XYZ are communicating over the Internet, which is an untrusted network, establishing an encrypted virtual private network tunnel would best ensure that the transmission of information was secure.
B) Secret key encryption is incorrect. This would require sharing of the same key at the source and destination and involve an additional step for encrypting and decrypting data at each end. This is not a feasible solution given the scenario.
C) Dynamic Internet Protocol address and port is incorrect. This is not an effective control because an attacker could easily find the new address using the domain name system.
A) Hash functions is incorrect. While the use of a cryptographic hash function may be helpful to validate the integrity of data files, in this case it would not be useful for a production support team connecting remotely.

Q7) A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department.
Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and:
A) age, because training in audit techniques may be impractical.
B) length of service, because this will help ensure technical competence.
C) IT knowledge, because this will bring enhanced credibility to the audit function.
D) ability, as an IS auditor, to be independent of existing IT relationships.
- CORRECT ANSWER D) Ability, as an IS auditor, to be independent of existing IT relationships is correct. Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.
B) Length of service is incorrect and does not ensure technical competency.
A) Evaluating an individual's qualifications based on the age of the individual is incorrect and is illegal in many parts of the world.
C) IT knowledge is incorrect. The fact that the employee has worked in IT for many years may not ensure credibility. The IS audit department's needs should be defined, and any candidate should be evaluated against those requirements.

Q8) An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system application is to:
A) encrypt electronic orders.
B) perform reasonableness checks on quantities ordered before filling orders.
C) acknowledge receipt of electronic orders with a confirmation message.
D) verify the identity of senders and determine if orders correspond to contract terms.
- CORRECT ANSWER D) Verify the identity of senders and determine if orders correspond to contract terms is correct.
An electronic data interchange system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern.
C) Acknowledging the receipt of electronic orders with a confirming message is incorrect. This is good practice but will not authenticate orders from customers.
B) Performing reasonableness checks on quantities ordered before filling orders is incorrect. This is a control for ensuring the correctness of the organization's orders, not the authenticity of its customers' orders.
A) Encrypt electronic orders is incorrect. This is an appropriate step but does not prove authenticity of messages received.

Q9) An internal audit function is reviewing an internally developed common gateway interface script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern?
A) Unauthorized access
B) System unavailability
C) Exposure to malware
D) System integrity
- CORRECT ANSWER A) Unauthorized access is correct. Untested common gateway interfaces (CGIs) can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers.
B) System unavailability is incorrect. While untested CGIs can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users.
C) Exposure to malware is incorrect. Untested CGI scripts do not inherently lead to malware exposures.

D) Development of an audit program is incorrect. The results of the risk assessment are used as the input for the audit program.
C) Define the audit scope is incorrect. The output of the risk assessment helps define the scope.
A) Identification of key information owners is incorrect. A risk assessment must be performed prior to identifying key information owners. Key information owners are generally not directly involved during the planning process of an audit.

Q13) The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called:
A) authentication.
B) data integrity.
C) nonrepudiation.
D) replay protection.
- CORRECT ANSWER C) Nonrepudiation is correct. Integrity, authentication, nonrepudiation and replay protection are all features of a digital signature. Nonrepudiation ensures that the claimed sender cannot later deny generating and sending the message.
B) Data integrity is incorrect. This refers to changes in the plaintext message that would result in the recipient failing to compute the same message hash.
A) Authentication is incorrect. Because only the claimed sender has the private key used to create the digital signature, authentication ensures that the message has been sent by the claimed sender.
D) Replay protection is incorrect. This is a method that a recipient can use to check that the message was not intercepted and re-sent (replayed).

Q14) Which of the following is the initial step in creating a firewall policy?
A) A cost-benefit analysis of methods for securing the applications
B) Identification of vulnerabilities associated with network applications to be externally accessed
C) Identification of network applications to be externally accessed
D) Creation of an application traffic matrix showing protection methods
- CORRECT ANSWER C) Identification of network applications to be externally accessed is correct. Identification of the applications required across the network should be the initial step.
After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications.
A) A cost-benefit analysis of methods for securing the applications is incorrect. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step.
B) Identification of vulnerabilities associated with network applications to be externally accessed is incorrect. Having identified the externally accessed applications, the second step is to identify vulnerabilities (weaknesses) associated with the network applications.
D) Creation of an application traffic matrix showing protection methods is incorrect. The fourth step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

Q15) The Secure Sockets Layer protocol ensures the confidentiality of a message by using:
A) message authentication codes.
B) symmetric encryption.
C) hash function.
D) digital signature certificates.
- CORRECT ANSWER B) Symmetric encryption is correct. Secure Sockets Layer (SSL) uses a symmetric key for message encryption.
A) Message authentication codes is incorrect. These are used for ensuring data integrity.
C) Hash function is incorrect. This is used for generating a message digest which can provide message integrity; it is not used for message encryption.
D) Digital signature certificates is incorrect. These are used by SSL for server authentication.

Q16) An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT auditor to take?
A) Retest the control to confirm the finding.
B) Discuss the finding with the IT auditor's manager.
C) Elevate the risk associated with the control.
D) Discuss the finding with the auditee's manager.
- CORRECT ANSWER B) Discuss the finding with the IT auditor's manager is correct. Discussing the disagreement with the auditor's manager is the best course of action because other actions can weaken the relationship between the auditee and the auditor.
A) Retest the control to confirm the finding is incorrect. This may unnecessarily expend human and time resources. The audit manager should determine if controls need to be retested.
C) Elevate the risk associated with the control is incorrect. Elevating the risk will not address the disagreement.
D) Discuss the finding with the auditee's manager is incorrect. It is usually best to consult the audit manager prior to escalating the issue to the auditee's manager. This could prove to be an adversarial action.

related function, are primarily used to establish job requirements and accountability.
A) Are current, documented and readily available to the employee is incorrect. It is important that job descriptions are current, documented and readily available to the employee, but this, in itself, is not the key element of the job description. Job descriptions, which are an HR-related function, are primarily used to establish job requirements and accountability.
D) Communicate management's specific job performance expectations is incorrect. Communication of management's specific expectations for job performance would not necessarily be included in job descriptions.

Q20) What is the PRIMARY control purpose of required vacations or job rotations?
A) allow cross-training for development.
B) provide a competitive employee benefit.
C) detect improper or illegal employee acts.
D) help preserve employee morale.
- CORRECT ANSWER C) Detect improper or illegal employee acts is correct. The practice of having another individual perform a job function is a control used to detect possible irregularities or fraud.
A) Allow cross-training for development is incorrect.
Although cross-training is a good practice for business continuity, it is not achieved through mandatory vacations.
D) Help preserve employee morale is incorrect. It is a good practice to maintain good employee morale, but this is not a primary reason to have a required vacation policy.
B) Provide a competitive employee benefit is incorrect. Vacation time is a competitive benefit, but that is not a control.

Q21) An IS auditor performing an audit of the newly installed Voice-over Internet Protocol system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern?
A) Network cabling is disorganized and not properly labeled.
B) The telephones are using the same cable used for LAN connections.
C) The wiring closet also contains power lines and breaker panels.
D) The local area network (LAN) switches are not connected to uninterruptible power supply units.
- CORRECT ANSWER D) The local area network (LAN) switches are not connected to uninterruptible power supply units is correct. Voice-over Internet Protocol (VoIP) telephone systems use standard network cabling, and typically each telephone gets power over the network cable (power over Ethernet) from the wiring closet where the network switch is installed. If the local area network switches do not have backup power, the phones will lose power if there is a utility interruption and potentially not be able to make emergency calls.
A) Network cabling is disorganized and not properly labeled is incorrect. While improper cabling can create reliability issues, the more critical issue in this case would be the lack of power protection.
B) The telephones are using the same cable used for LAN connections is incorrect. An advantage of VoIP telephone systems is that they use the same cable types and even network switches as standard PC network connections. Therefore, this would not be a concern.
C) The wiring closet also contains power lines and breaker panels is incorrect.
As long as the power and telephone equipment are separated, this would not be a significant risk.

Q22) An IS audit group has been involved in the integration of an automated audit tool kit with an existing enterprise resource planning system. Due to performance issues, the audit tool kit is not permitted to go live. What should the IS auditor's BEST recommendation be?
A) Review the results of stress tests during user acceptance testing.
B) Request vendor technical support to resolve performance issues.
C) Request additional IS audit resources.
D) Review the implementation of selected integrated controls.
- CORRECT ANSWER A) The appropriate recommendation is to review the results of stress tests during user acceptance testing that demonstrated the performance issues.
D) Reviewing the implementation of selected integrated controls is incorrect. This validates the technical design and the control objective, but integrated controls over transactional tables consume large resources. They should be reviewed carefully to determine whether they are mandatory or can be implemented and integrated for only specific transactions over the enterprise resource planning application.
C) Request additional IS audit resources is incorrect. The inability to implement the automated tool may necessitate additional audit resources because many audits will require more manual effort; however, the first step should be to try to resolve the performance issues.
B) Request vendor technical support to resolve performance issues is incorrect. This is a good option, but not the first recommendation.

Q23) An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
A) dependency on a single person.
B) one person knowing all parts of a system.

Q26) Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:
A) continuous improvement and monitoring plans.
B) post-BPR process flowcharts.
C) pre-BPR process flowcharts.
D) BPR project plans.
- CORRECT ANSWER B) Post-BPR process flowcharts is correct. An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process.
C) Pre-BPR process flowcharts is incorrect. An IS auditor must review the process as it is today, not as it was in the past.
D) BPR project plans is incorrect. Business process reengineering (BPR) project plans are a step within a BPR project.
A) Continuous improvement and monitoring plans is incorrect. These are steps within a BPR project.

Q27) An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered:
A) can support the organization in the long term.
B) can deliver on the immediate contract.
C) has significant financial obligations that can impose liability to the organization.
D) is of similar financial standing as the organization.
- CORRECT ANSWER A) Can support the organization in the long term is correct. The long-term financial viability of a vendor is essential for deriving maximum value for the organization; it is more likely that a financially sound vendor would be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product.
B) Can deliver on the immediate contract is incorrect. The capability of the vendor to support the enterprise should extend beyond the time of execution of the immediate contract. The objective of financial evaluation should not be confined to the immediate contract but should be to provide assurance of sustainability over a longer time frame.
D) Is of similar financial standing as the organization is incorrect. Whether the vendor is of similar financial standing as the purchaser is irrelevant to this review.
C) Has significant financial obligations that can impose liability to the organization is incorrect. The vendor should not have financial obligations that could impose a liability to the purchaser; the financial obligations are usually from the purchaser to the vendor.

Q28) Which of the following is a control that can be implemented to reduce the risk of internal fraud if application programmers are allowed to move programs into the production environment in a small organization?
A) Post-implementation functional testing
B) User acceptance testing
C) Validation of user requirements
D) Registration and review of changes
- CORRECT ANSWER D) Registration and review of changes is correct. An independent review of the changes to the program in production could identify potential unauthorized changes, versions or functionality that the programmer had put into production.
A) Post-implementation functional testing is incorrect. This would not be as effective because the system could be accepted by the end user without detecting the undocumented functionality.
C) Validation of user requirements is incorrect. This would not be as effective because the system could meet user requirements and still include undocumented functionalities.
B) User acceptance testing is incorrect. This would not be as effective because the system could be accepted by the end users, and the undocumented functionalities could remain undetected.

Q29) The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation, and is the only user with administrative rights to the system. What should the IS auditor's initial determination be?
A) Disabling of unused ports presents a potential risk.
B) Soft zoning presents a potential risk.
C) There is no significant potential risk.
D) The SAN administrator presents a potential risk.
- CORRECT ANSWER D) The SAN administrator presents a potential risk is correct. The potential risk in this scenario is posed by the SAN administrator. One concern is having a "single point of failure." Because only one administrator has the knowledge and access required to administer the system, the organization is susceptible to risk. For example, if the SAN administrator decided to quit unexpectedly, or was otherwise unavailable, the company may not be able to adequately administer the SAN. In addition, having a single administrator for a large, complex system such as a SAN also presents a segregation of duties risk. The organization currently relies entirely on the SAN administrator to implement, maintain, and validate all security controls; this means that the SAN administrator could modify or remove those controls without detection.

the audit work to address the audit objectives. The activities described in the other options are all undertaken to address audit objectives and, thus, are secondary.
A) Collect sufficient evidence is incorrect. The IS auditor does not collect evidence in the planning stage of an audit.
C) Specify appropriate tests is incorrect. This is not the primary goal of audit planning.
B) Minimize audit resources is incorrect. Effective use of audit resources is a goal of audit planning, not minimizing audit resources.

Q33) Electromagnetic emissions from a terminal represent a risk because they:
A) could damage or erase nearby storage media.
B) could have adverse health effects on personnel.
C) can disrupt processor functions.
D) can be detected and displayed.
- CORRECT ANSWER D) Can be detected and displayed is correct. Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data.
TEMPEST is a term referring to the investigation and study of compromising emanations of unintentional intelligence-bearing signals that, if intercepted and analyzed, may reveal their contents.
A) Could damage or erase nearby storage media is incorrect. While a strong magnetic field can erase certain storage media, normally terminals are designed to limit these emissions; therefore, this is not normally a concern.
C) Can disrupt processor functions is incorrect. Electromagnetic emissions should not cause disruption of central processing units.
B) Could have adverse health effects on personnel is incorrect. Most electromagnetic emissions are low level and do not pose a significant health risk.

Q34) To prevent Internet Protocol (IP) spoofing attacks, a firewall should be configured to drop a packet for which the sender of a packet:
A) allows use of dynamic routing instead of static routing (Open Shortest Path First protocol is enabled).
B) specifies the route that a packet should take through the network (the source routing field is enabled).
C) puts multiple destination hosts (the destination field has a broadcast address in the destination field).
D) indicates that the computer should immediately stop using the TCP connection (a reset flag is turned on).
- CORRECT ANSWER B) Specifies the route that a packet should take through the network (the source routing field is enabled) is correct. Internet Protocol (IP) spoofing takes advantage of the source-routing option in the IP. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing.
C) Puts multiple destination hosts (the destination field has a broadcast address) is incorrect. If a packet has a broadcast destination address, it is definitely suspicious and if allowed to pass will be sent to all addresses in the subnet.
This is not related to IP spoofing.
D) Indicates that the computer should immediately stop using the TCP connection (a reset flag is turned on) is incorrect. Turning on the reset flag is part of the normal procedure to end a Transmission Control Protocol connection.
A) Allows use of dynamic routing instead of static routing (Open Shortest Path First protocol is enabled) is incorrect. The use of dynamic or static routing will not represent a spoofing attack.

Q35) Which of the following is the MOST reliable method to ensure the identity of the sender for messages transferred across the Internet?
A) Asymmetric cryptography
B) Message authentication code
C) Digital certificates
D) Digital signatures
- CORRECT ANSWER C) Digital certificates is correct. These are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository.
D) Digital signatures is incorrect. These are used for both authentication and integrity, but the identity of the sender would still be confirmed by the digital certificate.
A) Asymmetric cryptography is incorrect. This appears to authenticate the sender but is vulnerable to a man-in-the-middle attack.
B) Message authentication code is incorrect. This is used for message integrity verification.

Q36) In what capacity would an IS auditor MOST likely see a hash function applied?
A) Authorization
B) Identification
C) Authentication
D) Encryption
- CORRECT ANSWER C) Authentication is correct. The purpose of a hash function is to produce a "fingerprint" of data that can be used to ensure integrity and authentication. A hash of a password also provides for authentication of a user or process attempting to access resources.
B) Identification is incorrect. Hash functions are not used for identification. They are used to validate the authenticity of the identity.

C) determining whether bar code readers are installed.
D) conducting a physical count of the tape inventory
- CORRECT ANSWER D) Conducting a physical count of the tape inventory is correct. A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy and validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test.
C) Determining whether bar code readers are installed is incorrect. This is a compliance test.
B) Determining whether the movement of tapes is authorized is incorrect. This is a compliance test.
A) Checking whether receipts and issues of tapes are accurately recorded is incorrect. This is a compliance test.

Q40) Which of the following is the responsibility of information asset owners?
A) Implementation of access rules to data and programs
B) Implementation of information security within applications
C) Provision of physical and logical security for data
D) Assignment of criticality levels to data
- CORRECT ANSWER D) Assignment of criticality levels to data is correct. It is the responsibility of owners to define the criticality (and sensitivity) levels of information assets.
B) Implementation of information security within applications is incorrect. This is the responsibility of the data custodians based on the requirements set by the data owner.
A) Implementation of access rules to data and programs is incorrect. This is a responsibility of data custodians based on the requirements set by the data owner.
C) Provision of physical and logical security for data is incorrect. This is the responsibility of the security administrator.

Q41) An IS auditor is reviewing the network infrastructure of a call center and determines that the internal telephone system is based on Voice-over Internet Protocol technology. Which of the following is the GREATEST concern?
A) Voice communication uses the same equipment that is used for data communication.
B) The team that supports the data network also is responsible for the telephone system.
C) Voice communication is not encrypted on the local network.
D) Ethernet switches are not protected by uninterrupted power supply units.
- CORRECT ANSWER D) Ethernet switches are not protected by uninterrupted power supply units is correct. Voice-over Internet Protocol (VoIP) telephone systems use the local area network (LAN) infrastructure of a company for communication, typically using Ethernet connectivity to connect individual phones to the system. Most companies have a backup power supply for the main servers and systems, but typically do not have uninterrupted power supply units for the LAN switches. In the case of even a brief power outage, not having backup power on all network devices makes it impossible to send or receive phone calls, which is a concern, particularly in a call center.
A) Voice communication uses the same equipment that is used for data communication is incorrect. VoIP telephone systems use the LAN infrastructure of a company for communication, which can save on wiring cost and simplify both the installation and support of the telephone system. This use of shared infrastructure is a benefit of VoIP and therefore is not a concern.
C) Voice communication is not encrypted on the local network is incorrect. VoIP devices do not normally encrypt the voice traffic on the local network, so this is not a concern. Typically, a VoIP phone system connects to a telephone company voice circuit, which would not normally be encrypted. If the system uses the Internet for connectivity, then encryption is required.
B) The team that supports the data network also is responsible for the telephone system is incorrect. VoIP telephone systems use the LAN infrastructure of a company for communication, so the personnel who support and maintain that infrastructure are now responsible for both the data and voice network by default. Therefore, this would not be a concern.
Q42) Which of the following is MOST important to ensure before communicating the audit findings to top management during the closing meeting?
A) Findings are clearly tracked back to evidence.
B) Recommendations address root causes of findings.
C) Remediation plans are provided by responsible parties.
D) Risk statement includes an explanation of a business impact.
- CORRECT ANSWER A) Findings are clearly tracked back to evidence is correct. Without adequate evidence, the findings hold no ground; therefore, this must be verified before communicating the findings.
D) Risk statement includes an explanation of a business impact is incorrect. It is important to have a well-elaborated risk statement; however, it might not be relevant if findings are not accurate.
B) Recommendations address root causes of findings is incorrect. It is important to address the root causes of findings, and this may not be included in the report. However, it might not be relevant if findings are not accurate.
C) Remediation plans are provided by responsible parties is incorrect. In some cases, top management might expect to see remediation plans during debriefing of the findings; however, the accuracy of findings should be proved first.

Q43) Which of the following considerations is the MOST important while evaluating a business case for the acquisition of a new accounting application?

D) Layer 2 switches is incorrect. Based on Media Access Control addresses, layer 2 switches separate traffic without determining whether it is authorized or unauthorized traffic.
B) Virtual local area networks is incorrect. A virtual local area network is a functionality of some switches that allows them to control traffic between different ports even though they are in the same physical local area network. Nevertheless, they do not effectively deal with authorized versus unauthorized traffic.
Q46) Assignment of process ownership is essential in system development projects because it:
A) enables the tracking of the development completion percentage.
B) ensures that system design is based on business needs.
C) minimizes the gaps between requirements and functionalities.
D) optimizes the design cost of user acceptance test cases.
- CORRECT ANSWER B) Ensures that system design is based on business needs is correct. The involvement of process owners will ensure that the system will be designed according to the needs of the business processes that depend on system functionality. A sign-off on the design by the process owners is crucial before development begins.
A) Enables the tracking of the development completion percentage is incorrect. Process ownership assignment does not have a feature to track the completion percentage of deliverables.
D) Optimizes the design cost of user acceptance test cases is incorrect. Whether the design cost of test cases will be optimized is not determined from the assignment of process ownership. It may help to some extent; however, there are many other factors involved in the design of test cases.
C) Minimizes the gaps between requirements and functionalities is incorrect. For gap minimization, a specific requirements analysis framework should be in place and then applied; however, a gap may be found between the design and the as-built system that could lead to system functionality not meeting requirements. This will be identified during user acceptance testing. Process ownership alone does not have the capability to minimize requirement gaps.

Q47) Which of the following presents an inherent risk with no distinct identifiable preventive controls?
A) Unauthorized application shutdown
B) Viruses
C) Piggybacking
D) Data diddling
- CORRECT ANSWER D) Data diddling is correct. This involves changing data before they are entered into the computer. It is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling.
C) Piggybacking is incorrect. This is the act of following an authorized person through a secured door and can be prevented by the use of deadman doors. Logical piggybacking is an attempt to gain access through someone who has the rights (e.g., electronically attaching to an authorized telecommunication link to possibly intercept transmissions). This could be prevented by encrypting the message.
B) Viruses is incorrect. Viruses are malicious program code inserted into other executable code that can self-replicate and spread from computer to computer via sharing of computer disks, transfer of logic over telecommunication lines or direct contact with an infected machine. Antivirus software can be used to protect the computer against viruses.
A) Unauthorized application shutdown is incorrect. The shutdown of an application can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up line) to the computer. Only individuals knowing the high-level logon ID and password can initiate the shutdown process, which is effective if there are proper access controls.

Q48) Confidentiality of transmitted data can best be delivered by encrypting the:
A) session key with the sender's public key.
B) messages with the receiver's private key.
C) message digest with the sender's private key.
D) session key with the receiver's public key.
- CORRECT ANSWER D) Session key with the receiver's public key is correct. This will ensure that the session key can only be obtained using the receiver's private key, retained by the receiver.
C) Message digest with the sender's private key is incorrect. This will ensure authentication and nonrepudiation.
A) Session key with the sender's public key is incorrect. This will make the message accessible only to the sender.
B) Messages with the receiver's private key is incorrect. A message encrypted with a receiver's private key could be decrypted by anyone using the receiver's public key.

Q49) An IS auditor is reviewing the software development capabilities of an organization that has adopted the agile methodology. The IS auditor would be the MOST concerned if:
A) software development teams continually re-plan each step of their major projects.
B) application features and development processes are not extensively documented.

administrative console would grant him/her the ability to do this, which would be a significant risk.
A) Developers could gain elevated access to production servers is incorrect. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest operating system (OS) to access the server. In this case, while the developers could potentially start, stop or even de-provision a production VM, they could not gain elevated access to the OS of the guest through the administrative interface.
C) Developers can affect the performance of production servers with their applications is incorrect. While there could be instances where a software development team might use resource-intensive applications that could cause performance issues for the virtual host, the greater risk would be the ability to de-provision VMs.
D) Developers could install unapproved applications to any servers is incorrect. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest OS to access the server; therefore, the concern that unauthorized software could be installed is not valid.
Q52) When preparing a business case to support the need for an electronic data warehouse solution, which of the following choices is the MOST important to assist management in the decision-making process?
A) Discuss a single solution.
B) Demonstrate feasibility.
C) Consider security controls.
D) Consult the audit department.
- CORRECT ANSWER B) Demonstrate feasibility is correct. The business case should demonstrate feasibility for any potential project. By including a feasibility study in the business case along with a cost-benefit analysis, management can make an informed decision.
A) Discuss a single solution is incorrect. A business case should discuss all possible solutions to a given problem, which would enable management to select the best option. This may include the option not to undertake the project.
C) Consider security controls is incorrect. It may be important to include security considerations in the business case if security is important to the solution and will address the problem; however, the feasibility study is more important and is necessary regardless of the type of problem.
D) Consult the audit department is incorrect. While the person preparing the business case may consult with the organization's audit department, this would be situational and is not necessary to include in the business case.

Q53) The IS auditor observes that the latest security-related software patches for a mission-critical system were released two months ago, but IT personnel have not yet installed the patches. The IS auditor should:
A) take no action, because the IT processes related to patch management appear to be adequate.
B) review the patch management policy and determine the risk associated with this condition.
C) recommend that IT systems personnel test and then install the patches immediately.
D) recommend that patches be applied every month or immediately upon release.
- CORRECT ANSWER B) Review the patch management policy and determine the risk associated with this condition is correct. Reviewing the patch management policy and determining whether the IT department is compliant with the policies will detect whether the policies are appropriate and what risk is associated with current practices.
C) Recommend that IT systems personnel test and then install the patches immediately is incorrect. While there may be instances in which the patch is an urgent fix for a serious security issue, IT may have made the determination that the risk to system stability is greater than the risk identified by the software vendor who issued the patch. Therefore, the time frame selected by IT may be appropriate.
D) Recommend that patches be applied every month or immediately upon release is incorrect. While keeping critical systems properly patched helps to ensure that they are secure, the requirement for a precise timetable to patch systems may create other issues if patches are improperly tested prior to implementation. Therefore, this is not the correct answer.
A) Take no action, because the IT processes related to patch management appear to be adequate is incorrect. Even if the IS auditor concludes that the patch management process is adequate, the observation related to the time delay in applying patches should be reported.

Q54) This question refers to the following diagram. To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system between the:
A) web server and the firewall.
B) Internet and the firewall.
C) Internet and the web server.
D) firewall and the organization's network.
- CORRECT ANSWER D) Firewall and the organization's network is correct. Attack attempts that could not be recognized by the firewall will be detected if a network-based intrusion detection system (IDS) is placed between the firewall and the organization's network.
B) Internet and the firewall is incorrect. A network-based IDS placed between the Internet and the firewall will detect attack attempts, whether or not they are noticed by the firewall.
C) Internet and the web server is incorrect. Placing an IDS outside of the web server will identify attacks directed at the web server but will not detect attacks missed by the firewall.

C) A single factor authentication technique is used to grant access.
D) The guest network is not segregated from the production network.
- CORRECT ANSWER D) The guest network is not segregated from the production network is correct. The implication of this is that guests have access to the organization's network. Allowing untrusted users to connect to the organization's network could introduce malware and potentially allow these individuals inappropriate access to systems and information.
B) A login screen is not displayed for guest users is incorrect. Using a web captive portal, which displays a login screen in the user's web browser, is a good practice to authenticate guests. However, if the guest network is not segregated from the production network, users could introduce malware and potentially gain inappropriate access to systems and information.
A) Guest users who are logged in are not isolated from each other is incorrect. There are certain platforms in which it is allowable for guests to interact with one another. Also, guests could be warned to use only secured systems, and a policy covering interaction among guests could be created.
C) A single factor authentication technique is used to grant access is incorrect. Although a multifactor authentication technique is preferred, a single-factor authentication method should be adequate if properly implemented.
Q58) An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that:
A) the environmental impact of the data center has not been considered.
B) it has not been determined how the project fits into the overall project portfolio.
C) the organizational impact of the project has not been assessed.
D) not all IT stakeholders have been given an opportunity to provide input.
- CORRECT ANSWER C) The organizational impact of the project has not been assessed is correct. The feasibility study determines the strategic benefits of the project. Therefore, the result of the feasibility study determines the organizational impact: a comparison report of costs, benefits, risk, etc. The project portfolio is a part of measuring the organizational strategy.
B) It has not been determined how the project fits into the overall project portfolio is incorrect. While projects must be assigned a priority and managed as a portfolio, this most likely occurs after the feasibility study determines that the project is viable.
D) Not all IT stakeholders have been given an opportunity to provide input is incorrect. A feasibility study is ordinarily conducted by those with the knowledge to make the decision because the involvement of the entire IT organization is not needed.
A) The environmental impact of the data center has not been considered is incorrect. The environmental impact should be part of the feasibility study; however, the organizational impact is more important.

Q59) When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of:
A) improper transaction authorization.
B) application interface failure.
C) excessive transaction turnaround time.
D) nonvalidated batch totals.
- CORRECT ANSWER A) Improper transaction authorization is correct. Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Because the interaction with the parties is electronic, there is no inherent authentication. Improper authentication poses a serious risk of financial loss.
C) Excessive transaction turnaround time is incorrect. An excessive turnaround time is an inconvenience, but not a serious risk.
B) Application interface failure is incorrect. The failure of the application interface is a risk, but not the most serious issue. Usually such a problem is temporary and easily fixed.
D) Nonvalidated batch totals is incorrect. The integrity of EDI transactions is important, but not as significant as the risk of unauthorized transactions.

Q60) The IS auditor is reviewing findings from a prior IT audit of a hospital. One finding indicates that the organization was using email to communicate sensitive patient issues. The IT manager indicates that to address this finding, the organization has implemented digital signatures for all email users. What should the IS auditor's response be?
A) The IS auditor should gather more information about the specific implementation.
B) Digital signatures are not adequate to protect confidentiality.
C) The IS auditor should recommend implementation of digital watermarking for secure email.
D) Digital signatures are adequate to protect confidentiality.
- CORRECT ANSWER B) Digital signatures are not adequate to protect confidentiality is correct. Digital signatures are designed to provide authentication and nonrepudiation for email and other transmissions but are not adequate for confidentiality. This implementation is not adequate to address the prior year's finding.
D) Digital signatures are adequate to protect confidentiality is incorrect. Digital signatures do not encrypt message contents, which means that an attacker who intercepts a message can read the message because the data are in plaintext.
A) The IS auditor should gather more information about the specific implementation is incorrect.
Although gathering additional information is always a good step before drawing a conclusion on a finding, in this case the implemented solution simply does not provide confidentiality.

Q64) An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that:
A) card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards.
B) the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure.
C) non-personalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity.
D) access cards are not labeled with the organization's name and address to facilitate easy return of a lost card.
- CORRECT ANSWER C) Non-personalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity is correct. Physical security is meant to control who is entering a secured area, so identification of all individuals is of utmost importance. It is not adequate to trust unknown external people by allowing them to write down their alleged name without proof (e.g., identity card, driver's license).
D) Access cards are not labeled with the organization's name and address to facilitate easy return of a lost card is incorrect. Having the name and address of the organization on the card may be a concern because a malicious finder could use a lost or stolen card to enter the organization's premises.
A) Card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards is incorrect. Separating card issuance from technical rights management is a method to ensure the proper segregation of duties so that no single person can produce a functioning card for a restricted area within the organization's premises. The long lead time is an inconvenience but not a serious audit risk.
B) The computer system used for programming the cards can only be replaced after three weeks in the event of a system failure is incorrect. System failure of the card programming device would normally not mean that the readers do not function anymore. It simply means that no new cards can be issued, so this option is minor compared to the threat of improper identification.

Q65) An organization recently deployed a customer relationship management application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed?
A) Project risk assessment
B) Post-implementation review
C) User acceptance testing
D) Management approval of the system
- CORRECT ANSWER B) Post-implementation review is correct. The purpose of a post-implementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The post-implementation review also evaluates how effective the project management practices were in keeping the project on track.
C) User acceptance testing (UAT) is incorrect. This verifies that the system functionality has been deemed acceptable by the end users of the system; however, a review of UAT will not validate whether the system is performing as designed because UAT would be performed on a subset of system functionality. The UAT review is a part of the post-implementation review.
A) Project risk assessment is incorrect. While a risk assessment would highlight the risk of the system, it would not include an analysis to verify that the system is operating as designed.
D) Management approval of the system is incorrect. This could be based on reduced functionality and does not verify that the system is operating as designed. Management approval is a part of the post-implementation review.
Q66) An IS auditor was asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed?
A) Have periodic meetings with the client IT manager.
B) Require the vendor to provide monthly status reports.
C) Require that performance parameters be stated within the contract.
D) Conduct periodic audit reviews of the vendor.
- CORRECT ANSWER D) Conduct periodic audit reviews of the vendor is correct. Conducting periodic reviews of the vendor ensures that the agreements within the contract are completed in a satisfactory manner. Without future audit reviews after the contract is signed, service level agreements and the client's requirements for security controls may become less of a focus for the vendor, and the results may slip. Periodic audit reviews allow the client to take a look at the vendor's current state to ensure that the vendor is one with which they want to continue to work.
B) Require the vendor to provide monthly status reports is incorrect. Although providing monthly status reports may show that the vendor is meeting contract terms, without independent verification these data may not be reliable.
A) Have periodic meetings with the client IT manager is incorrect. Having periodic meetings with the client IT manager will assist with understanding the current relationship with the vendor, but meetings may not include vendor audit reports, status reports and other information that a periodic audit review would take into consideration.
C) Require that performance parameters be stated within the contract is incorrect. Requiring that performance parameters be stated within the contract is important, but only if periodic reviews are performed to determine that performance parameters are met.

Q67) What is the PRIMARY reason that an IS auditor would verify that the process of post-implementation review of an application was completed after a release?
A) To check that the project meets expectations
B) To make sure that users are appropriately trained
C) To determine whether proper controls were implemented

data integrity controls. Which of the following choices should the auditor perform FIRST?
A) Review the data flow diagram.
B) Evaluate the change request process.
C) Evaluate the reconciliation controls.
D) Review user access.
- CORRECT ANSWER A) Review the data flow diagram is correct. The IS auditor should review the application data flow diagram to understand the flow of data within the application and to other systems. This will enable the IS auditor to evaluate the design and effectiveness of the data integrity controls.
D) Review user access is incorrect. The review of user access would be important; however, in terms of data integrity it would be better to review the data flow diagram.
B) Evaluate the change request process is incorrect. The lack of an adequate change control process could impact the integrity of the data; however, the system should be documented first to determine whether the transactions flow to other systems.
C) Evaluate the reconciliation controls is incorrect. This would help to ensure data integrity; however, it is more important to understand the data flows of the application to ensure that the reconciliation controls are located in the correct place.

Q71) When reviewing the configuration of network devices, an IS auditor should FIRST identify:
A) whether components of the network are missing.
B) the good practices for the type of network devices deployed.
C) the importance of the network devices in the topology.
D) whether subcomponents of the network are being used appropriately.
- CORRECT ANSWER C) The importance of the network devices in the topology is correct.
The first step is to understand the importance and role of the network device within the organization's network topology.
B) The good practices for the type of network devices deployed is incorrect. After understanding the devices in the network, a good practice for using the device should be reviewed to ensure that there are no anomalies within the configuration.
A) Whether components of the network are missing is incorrect. Identification of which component is missing can only be known after reviewing and understanding the topology and a good practice for deployment of the device in the network.
D) Whether subcomponents of the network are being used appropriately is incorrect. Identification of which subcomponent is being used inappropriately can only be known after reviewing and understanding the topology and a good practice for deployment of the device in the network.

Q72) Two months after a major application implementation, management, assuming that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to:
A) review subsequent program change requests.
B) assess whether the planned cost benefits are being measured, analyzed and reported.
C) review controls built into the system to assure that they are operating as designed.
D) determine whether user feedback on the system has been documented.
- CORRECT ANSWER C) Review controls built into the system to assure that they are operating as designed is correct. Because management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed.
D) Determine whether user feedback on the system has been documented is incorrect. The IS auditor should check whether user feedback has been provided, but this is not the most important area for audit.
B) Assess whether the planned cost benefits are being measured, analyzed and reported is incorrect. It is important to assess the effectiveness of the project; however, assuring that the production environment is adequately controlled after the implementation is of primary concern.
A) Review subsequent program change requests is incorrect. Reviewing change requests may be a good idea, but this is more important if the application is perceived to have a problem.

Q73) When two or more systems are integrated, the IS auditor must review input/output controls in the:
A) systems sending and receiving data.
B) systems sending output to other systems.
C) systems receiving the output of other systems.
D) interfaces between the two systems.
- CORRECT ANSWER A) Systems sending and receiving data is correct. Both of the systems must be reviewed for input/output controls because the output for one system is the input for the other.
C) Systems receiving the output of other systems is incorrect. A responsible control is to protect downstream systems from contamination from an upstream system. This requires a system that sends data to review its output and the receiving system to review its input.

organization. Then the IS auditor will ensure that it is implemented and measure compliance.
B) Compliance is incorrect. This cannot be measured until the baseline has been implemented, but the IS auditor must first ensure that the correct baseline is being implemented.
C) Documentation is incorrect. After the baseline has been defined, it must be documented, and the IS auditor will check that the baseline is appropriate before checking for implementation.

Q77) Assessing IT risk is BEST achieved by:
A) reviewing IT control weaknesses identified in audit reports.
B) using the organization's past actual loss experience to determine current exposure.
C) evaluating threats and vulnerabilities associated with existing IT assets and IT projects.
D) reviewing published loss statistics from comparable organizations.
- CORRECT ANSWER C) Evaluating threats and vulnerabilities associated with existing IT assets and IT projects is correct. To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.
B) Using the organization's past actual loss experience to determine current exposure is incorrect. Basing an assessment on past losses will not adequately reflect new threats or inevitable changes to the firm's IT assets, projects, controls and strategic environment. There are also likely to be problems with the scope and quality of the loss data available to be assessed.
D) Reviewing published loss statistics from comparable organizations is incorrect. Comparable organizations will have differences in their IT assets, control environment and strategic circumstances. Therefore, their loss experience cannot be used to directly assess organizational IT risk.
A) Reviewing IT control weaknesses identified in audit reports is incorrect. Control weaknesses identified during audits will be relevant in assessing threat exposure, and further analysis may be needed to assess threat probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have recently been audited, and there may not be a sufficient assessment of strategic IT risk.

Q78) Which of the following is the BEST method of controlling scope creep in a system development project?
A) Adopting a matrix project management structure
B) Identifying the critical path of the project
C) Establishing a software baseline
D) Defining penalties for changes in requirements
- CORRECT ANSWER C) Establishing a software baseline is correct. Software baselining, the cutoff point in the design phase, occurs after a rigorous review of user requirements. Any changes thereafter will undergo strict formal change control and approval procedures.
Scope creep refers to uncontrolled change within a project resulting from improperly managed requirements.
D) Defining penalties for changes in requirements is incorrect. While this may help to prevent scope creep, software baselining is a better way to accomplish this goal.
A) Adopting a matrix project management structure is incorrect. In a matrix project organization, management authority is shared between the project manager and the department heads. Adopting a matrix project management structure will not address the problem of scope creep.
B) Identifying the critical path of the project is incorrect. Although the critical path is important, it will change over time and will not control scope creep.

Q80) Inadequate programming and coding practices increase the risk of:
A) synchronize flood.
B) buffer overflow exploitation.
C) brute force attacks.
D) social engineering.
- CORRECT ANSWER B) Buffer overflow exploitation is correct. This may occur when programs do not check the length of the data that are input into a program. An attacker can send data that exceed the length of a buffer and overwrite part of the program with arbitrary code, which will then be executed with the privileges of the program. The countermeasure is proper programming and good coding practices.
D) Social engineering is incorrect. This attempts to gather sensitive information from people and primarily relies on human behavior. This is not a programming or coding problem.
A) A Synchronize (SYN) flood is incorrect. This is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system. A SYN flood is not related to programming and coding practices.
C) Brute force attacks is incorrect. These are used against passwords and are not related to programming and coding practices.

Q80) Which of the following BEST ensures the effectiveness of controls related to interest calculation for an accounting system?
A) Process walk-through
B) Observation
C) Documentation review
D) Re-performance
- CORRECT ANSWER D) Re-performance is correct. To ensure the effectiveness of controls, it is most effective to conduct re-performance.

D) finding all weaknesses on the system.
- CORRECT ANSWER B) Restoring systems to the original state is correct. After the test is completed, the systems must be restored to their original state. In performing the test, changes may have been made to firewall rules, user IDs created, or false files uploaded. These must all be cleaned up before the test is completed.
C) The confidentiality of the report is incorrect. A penetration test report is a sensitive document because it lists the vulnerabilities of the target system. However, the main requirement for the penetration test team is to restore the system to its original condition.
D) Finding all weaknesses on the system is incorrect. Finding all possible weaknesses is not possible in complex information systems.
A) Logging changes made to production systems is incorrect. All changes made should be recorded, but the most important concern is to ensure that the changes are reversed at the end of the test.

Q84) Which of the following is MOST directly affected by network performance monitoring tools?
A) Confidentiality
B) Availability
C) Integrity
D) Completeness
- CORRECT ANSWER B) Availability is correct. Network monitoring tools allow observation of network performance and problems. This allows the administrator to take corrective action when network problems are observed. Therefore, the characteristic that is most directly affected by network monitoring is availability.
C) Integrity is incorrect. Network monitoring tools can be used to detect errors that are propagating through a network, but their primary focus is on network reliability so that the network is available when required.
D) Completeness is incorrect. Network monitoring tools will not measure completeness of the communication.
This is measured by the end points in the communication.
A) Confidentiality is incorrect. A network monitoring tool can violate confidentiality by allowing a network administrator to observe non-encrypted traffic. This requires careful protection and policies regarding the use of network monitoring tools.

Q85) In a small organization, the functions of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario?
A) Preventing the release manager from making program modifications
B) Hiring additional staff to provide segregation of duties
C) Verifying that only approved program changes are implemented
D) Logging of changes to development libraries
- CORRECT ANSWER C) Verifying that only approved program changes are implemented is correct. Compensating controls are used to mitigate risk when proper controls are not feasible or practical. In a small organization, it may not be feasible to hire new staff, which is why a compensating control may be necessary. Verifying program changes has roughly the same effect as intended by full segregation of duties.
B) Hiring additional staff to provide segregation of duties is incorrect. Establishing segregation of duties is not a compensating control; it is a preventive control. In a small organization, it may not be feasible to hire new staff, which is why a compensating control may be necessary.
A) Preventing the release manager from making program modifications is incorrect. Since the release manager is performing dual roles, preventing them from making program modifications is not feasible, and, in a small organization, segregation of duties may not be possible.
D) Logging of changes to development libraries is incorrect. Logging changes to development libraries does not detect changes to production libraries.

Q86) The project steering committee is ultimately responsible for:
A) ensuring that system controls are in place.
B) project deliverables, costs and timetables.
C) allocating the funding for the project.
D) day-to-day management and leadership of the project.
- CORRECT ANSWER B) Project deliverables, costs and timetables is correct. The project steering committee provides overall direction; ensures appropriate representation of the major stakeholders in the project's outcome; and takes ultimate responsibility for the deliverables, costs and timetables.
D) Day-to-day management and leadership of the project is incorrect. This is the function of the project manager.
C) Providing the funding for the project is incorrect. This is the function of the project sponsor.
A) Ensuring that system controls are in place is incorrect. This is the function of the project security officer.

Q87) During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?
A) No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
B) Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management.

C) Password is incorrect. These can be shared and, if written down, carry the risk of discovery.
D) Photo identification is incorrect. This can be forged or falsified.

Q90) Authorizing access to application data is the responsibility of the:
A) data owner.
B) data custodian.
C) security administrator.
D) application administrator.
- CORRECT ANSWER A) Data owner is correct. These individuals have authority to grant or withhold access to the data and applications for which they are responsible.
B) Data custodian is incorrect.
These individuals are responsible only for storing and safeguarding the data according to the direction provided by the data owner.
D) Application administrator is incorrect. This person is responsible for managing the application itself, not determining who is authorized to access the data that it contains.
C) Security administrator is incorrect. This individual may lead investigations and is responsible for implementing and maintaining information security policy, but not for authorizing data access.

Q91) An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy?
A) Stateful inspection firewall
B) Proxy server
C) Web content filter
D) Web cache server
- CORRECT ANSWER C) Web content filter is correct. This accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, organizations and vendors have made available uniform resource locator blacklists and classifications for millions of web sites.
A) Stateful inspection firewall is incorrect. This is of little help in filtering web traffic because it does not review the content of the web site, nor does it take into consideration the site's classification.
D) Web cache server is incorrect. This is designed to improve the speed of retrieving the most common or recently visited web pages.
B) Proxy server is incorrect. A proxy server services the request of its clients by forwarding requests to other servers. Many people incorrectly use proxy server as a synonym of web proxy server even though not all web proxy servers have content filtering capabilities.

Q92) Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)?
A) Service measures were not included in the SLA.
B) A service adjustment resulting from an exception report took a day to implement.
C) The complexity of application logs used for service monitoring made the review difficult.
D) The document is updated on an annual basis.
- CORRECT ANSWER A) Service measures were not included in the service level agreement (SLA) is correct. Lack of service measures will make it difficult to gauge the efficiency and effectiveness of the IT services being provided.
B) A service adjustment resulting from an exception report took a day to implement is incorrect. Resolving issues related to exception reports is an operational issue that should be addressed in the SLA; however, a response time of one day may be acceptable depending on the terms of the SLA.
C) The complexity of application logs used for service monitoring made the review difficult is incorrect. The complexity of application logs is an operational issue, which is not related to the SLA.
D) The document is updated on an annual basis is incorrect. While it is important that the document be current, depending on the term of the agreement, it may not be necessary to change the document more frequently than annually.

Q93) In a public key infrastructure, a registration authority:
A) digitally signs a message to achieve nonrepudiation of the signed message.
B) issues the certificate after the required attributes are verified and the keys are generated.
C) registers signed messages to protect them from future repudiation.
D) verifies information supplied by the subject requesting a certificate.
- CORRECT ANSWER D) Verifies information supplied by the subject requesting a certificate is correct. A registration authority is responsible for verifying information supplied by the subject requesting a certificate and verifies the requestor's right to request a certificate on behalf of themselves or their organization.
B) Issues the certificate after the required attributes are verified and the keys are generated is incorrect.
Certification authorities, not registration authorities, actually issue certificates once verification of the information has been completed.
A) Digitally signs a message to achieve nonrepudiation of the signed message is incorrect. The sender who has control of his/her private key signs the message, not the registration authority.
C) Registers signed messages to protect them from future repudiation is incorrect. This is not a task performed by registration authorities.

C) Ensure deletion of the virus is incorrect. An IS auditor should not make changes to the system being audited; ensuring the deletion of the virus is a management responsibility.

Q97) Results of a post-implementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application?
A) Volume testing
B) Load testing
C) Stress testing
D) Recovery testing
- CORRECT ANSWER B) Load testing is correct. This evaluates the performance of the software under normal and peak conditions. Because this application is not supporting normal numbers of concurrent users, the load testing must not have been adequate.
C) Stress testing is incorrect. This determines the capacity of the software to cope with an abnormal number of users or simultaneous operations. Because the number of concurrent users in this question is within normal limits, the answer is load testing, not stress testing.
D) Recovery testing is incorrect. This evaluates the ability of a system to recover after a failure.
A) Volume testing is incorrect. This evaluates the impact of incremental volume of records (not users) on a system.

Q98) Which of the following is the key benefit of a control self-assessment?
A) Fraud detection will be improved because internal business staff are engaged in testing controls.
B) Internal auditors can shift to a consultative approach by using the results of the assessment.
C) Management ownership of the internal controls supporting business objectives is reinforced.
D) Audit expenses are reduced when the assessment results are an input to external audit work.
- CORRECT ANSWER C) Management ownership of the internal controls supporting business objectives is reinforced is correct. The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance.
D) Audit expenses are reduced when the assessment results are an input to external audit work is incorrect and is not a key benefit of CSA.
A) Fraud detection is improved because internal business staff are engaged in testing controls is incorrect. Improved fraud detection is important but not as important as control ownership. It is not a principal objective of CSA.
B) Internal auditors can shift to a consultative approach by using the results of the assessment is incorrect. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

Q99) A top-down approach to the development of operational policies helps to ensure -
A) that they are implemented as a part of risk assessment.
B) that they are reviewed periodically.
C) compliance with all policies.
D) that they are consistent across the organization.
- CORRECT ANSWER D) That they are consistent across the organization is correct. Deriving lower-level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies.
A) That they are implemented as a part of risk assessment is incorrect. Policies should be influenced by risk assessment, but the primary reason for a top-down approach is to ensure that the policies are consistent across the organization.
C) Compliance with all policies is incorrect.
A top-down approach, of itself, does not ensure compliance.
B) That they are reviewed periodically is incorrect. A top-down approach, of itself, does not ensure that policies are reviewed.

Q100) Which of the following would MOST effectively reduce social engineering incidents?
A) Email monitoring policy
B) Security awareness training
C) Increased physical security measures
D) Intrusion detection systems
- CORRECT ANSWER B) Security awareness training is correct. Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents.
C) Increased physical security measures is incorrect. In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore, increased physical security measures would not prevent the incident.
A) Email monitoring policy is incorrect. An email monitoring policy informs users that all email in the organization is subject to monitoring; it does not protect the users from potential security incidents and intruders.
D) Intrusion detection systems is incorrect. These are used to detect irregular or abnormal traffic patterns.

capability and performance). Transparency is primarily achieved through performance measurement, because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.
A) Strategic alignment is incorrect. This primarily focuses on ensuring linkage of business and IT plans, not on transparency.
D) Value delivery is incorrect. This is about executing the value proposition throughout the delivery cycle. Value delivery ensures that IT investments deliver on promised values but does not ensure transparency of investment.
B) Resource management is incorrect.
This is about the optimal investment in and proper management of critical IT resources but does not ensure transparency of IT investments.

Q104) When developing a formal enterprise security program, the MOST critical success factor is the -
A) selection of a security process owner.
B) creation of a security unit.
C) establishment of a review board.
D) effective support of an executive sponsor.
- CORRECT ANSWER D) Effective support of an executive sponsor is correct. The executive sponsor is in charge of supporting the organization's strategic security program and aids in directing the organization's overall security management activities. Therefore, support by the executive level of management is the most critical success factor.
C) Establishment of a review board is incorrect. This is not effective without visible sponsorship of top management.
B) Creation of a security unit is incorrect. This is not effective without visible sponsorship of top management.
A) Selection of a security process owner is incorrect. This is not effective without visible sponsorship of top management.

Q105) As an outcome of information security governance, strategic alignment provides -
A) baseline security following good practices.
B) institutionalized and commoditized solutions.
C) security requirements driven by enterprise requirements.
D) an understanding of risk exposure.
- CORRECT ANSWER C) Security requirements driven by enterprise requirements is correct. Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements.
A) Baseline security following good practices is incorrect. Strategic alignment ensures that security aligns with business goals.
Providing a standard set of security practices (i.e., baseline security following good practices or institutionalized and commoditized solutions) is a part of value delivery.
B) Institutionalized and commoditized solutions is incorrect. Value delivery addresses the effectiveness and efficiency of solutions but is not a result of strategic alignment.
D) An understanding of risk exposure is incorrect. Risk management is a primary goal of IT governance, but strategic alignment is not focused on understanding risk exposure.

Q106) As an IS auditor, you have identified that reports on product profitability produced by an organization's finance and marketing departments give different results. Your further investigation reveals that the product definition being used by the two departments is different. As an IS auditor, what should you recommend?
A) Management signs off on requirements for new reports
B) Standard software tools are used for report development
C) Organizational data governance practices are put in place
D) User acceptance testing occurs for all reports before release into production
- CORRECT ANSWER C) Organizational data governance practices are put in place is correct. This choice directly addresses the problem. An organization-wide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative.
D) User acceptance testing occurs for all reports before release into production is incorrect. Recommending that user acceptance testing occur for all reports before release into production does not address the root cause of the problem described.
B) Standard software tools are used for report development is incorrect. Recommending standard software tools be used for report development does not address the root cause of the problem described.
A) Management signs off on requirements for new reports is incorrect. Recommending that management sign off on requirements for new reports does not address the root cause of the problem described.

Q107) An IS auditor is evaluating a virtual machine (VM)-based architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production?
A) The VM server is included in the disaster recovery plan.
B) Allocated physical resources are available.
C) System administrators are trained to use the VM architecture.

the development process for new application systems, and not to subsequent internal audits.
D) To identify and report fraudulent transactions is incorrect. An audit module collects data on transactions that may help identify fraudulent transactions, but it does not identify fraudulent transactions inherently.
C) To increase efficiency of the audit function is incorrect. Although increased efficiency may be an added benefit of an embedded audit module, it is not the primary objective.

Q110) Which of the following is the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing?
A) Automated tests should be performed through the use of scripting.
B) Test coverage should be restricted to functional requirements.
C) Requirements should be tested in terms of importance and frequency of use.
D) The number of required test runs should be reduced by retesting only defect fixes.
- CORRECT ANSWER C) Requirements should be tested in terms of importance and frequency of use is correct. Maximize the usefulness of testing by concentrating on the most important aspects of the system and on the areas where defects represent the greatest risk to user acceptance.
A further extension of this approach is to also consider the technical complexity of requirements, because complexity tends to increase the likelihood of defects.
B) Test coverage should be restricted to functional requirements is incorrect. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored.
A) Automated tests should be performed through the use of scripting is incorrect. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative.
D) The number of required test runs should be reduced by retesting only defect fixes is incorrect. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress (i.e., introduced errors in parts of the system that were previously working correctly). For this reason, it is a good practice to undertake formal regression testing after defect fixes have been implemented.

Q111) An IS auditor reviewing the application change management process for a large multinational company should be MOST concerned when:
A) the configuration management database is not maintained.
B) the test environment is installed on the production server.
C) change management records are paper based.
D) test systems run different configurations than do production systems.
- CORRECT ANSWER A) The configuration management database is not maintained is correct. The configuration management database (CMDB) is used to track configuration items (CIs) and the dependencies between them. An out-of-date CMDB in a large multinational company could result in incorrect approvals being obtained or leave out critical dependencies during the test phase.
D) Test systems run different configurations than do production systems is incorrect. While, ideally, production and test systems should be configured identically, there may be reasons why this does not occur. The more significant concern is whether the configuration management database was not maintained.
C) Change management records are paper based is incorrect. Paper-based change management records are inefficient to maintain and not easy to review in large volumes; however, they do not present a concern from a control point of view as long as they are properly and diligently maintained.
B) The test environment is installed on the production server is incorrect. While it is not ideal to have the test environment installed on the production server, it is not a control-related concern. As long as the test and production environments are kept separate, they can be installed on the same physical server(s).

Q112) What is the PRIMARY purpose of an IT forensic audit?
A) to preserve evidence of criminal activity.
B) the systematic collection and analysis of evidence after a system irregularity.
C) to participate in investigations related to corporate fraud.
D) to assess the correctness of an organization's financial statements.
- CORRECT ANSWER B) The systematic collection and analysis of evidence after a system irregularity is correct. This best describes a forensic audit. The evidence collected can then be analyzed and used in judicial proceedings.
C) To participate in investigations related to corporate fraud is incorrect. Forensic audits are not limited to corporate fraud.
D) To assess the correctness of an organization's financial statements is incorrect. Assessing the correctness of an organization's financial statements is not the primary purpose of most forensic audits.
A) To preserve evidence of criminal activity is incorrect. Forensics is the investigation of evidence related to a crime or misbehavior.
Preserving evidence is the forensic process, but not the primary purpose.

Q113) A batch transaction job failed in production; however, the same job returned no issues during user acceptance testing (UAT). Analysis of the production batch job indicates that it was altered after UAT. Which of the following ways would be the BEST to mitigate this risk in the future?
A) Ensure that developers do not have access to code after testing.
B) Improve regression test cases.

C) Block external systems from accessing internal resources is incorrect. Controlling what external systems can access internal resources is the function of a firewall rather than a DLP system.

Q116) Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience?
A) Internal quality requirements
B) The audit guidelines
C) The audit methodology
D) Professional standards
- CORRECT ANSWER D) Professional standards is correct. Professional standards from ISACA, The Institute of Internal Auditors and the International Federation of Accountants require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more.
A) Internal quality requirements is incorrect. They may exist but are superseded by the requirement of supervision to comply with professional standards.
B) Audit guidelines is incorrect. These exist to provide guidance on how to achieve compliance with professional standards. For example, they may provide insights on the purpose of supervision and examples of how supervisory duties are to be performed to achieve compliance with professional standards.
C) The audit methodology is incorrect. This is a well-configured process/procedure to achieve audit objectives. While an audit methodology is a meaningful tool, supervision is generally driven by compliance with professional standards.
Q117) After identifying the findings, the IS auditor should FIRST:
A) determine mitigation measures for the findings.
B) obtain remediation deadlines to close the findings.
C) inform senior management of the findings.
D) gain agreement on the findings.
- CORRECT ANSWER D) Gain agreement on the findings is correct. If findings are not agreed upon and confirmed by both parties, then there may be an issue during sign-off on the final audit report or while discussing findings with management. When agreement is obtained with the auditee, it implies the finding is understood and a clear plan of action can be determined.
A) Determine mitigation measures for the findings is incorrect. Although the auditor may recommend mitigation measures, the organization ultimately decides and implements the mitigation strategies as a function of risk management.
C) Inform senior management of the findings is incorrect. Before senior management is informed, it is imperative that the auditor informs the auditee and gains agreement on the audit findings to correctly communicate the risk.
B) Obtaining remediation deadlines to close the findings is incorrect and is not the first step in communicating the audit findings.

Q118) Code erroneously excluded from a production release was subsequently moved into the production environment, bypassing normal change procedures. Which of the following choices is of MOST concern to the IS auditor performing a postimplementation review?
A) The code was missed during the initial implementation.
B) The error was discovered during the postimplementation review.
C) The release team used the same change order number.
D) The change did not have change management approval.
- CORRECT ANSWER D) The change did not have change management approval is correct. Change management approval of changes mitigates the risk of unauthorized changes being introduced to the production environment. Unauthorized changes might result in disruption of systems or fraud.
It is, therefore, imperative to ensure that each change has appropriate change management approval. A) The code was missed during the initial implementation is incorrect. Although missing a component of a release is indicative of a process deficiency, it is of more concern that the missed change was promoted into the production environment without management approval. B) The error was discovered during the post-implementation review is incorrect. Most release/change control errors are discovered during post-implementation review. It is of greater concern that the change was promoted without management approval after it was discovered. C) The release team used the same change order number is incorrect. Using the same change order number is not a relevant concern. Q119) A new business application requires deviation from the standard configuration of the operating system (OS). What activity should the IS auditor recommend to the security manager as a FIRST response? A) Revision of the OS baseline configuration B) Assessment of the risk and identification of compensating controls C) Approval of the exception to policy to meet business needs D) Initial rejection of the request because it is against the security policy - CORRECT ANSWER B) Assessment of the risk and identification of compensating controls is correct. Before approving any exception, the security manager should first check for compensating controls and assess the possible risk due to deviation. D) Initial rejection of the request because it is against the security policy is incorrect. The security policy may be waived with management approval to meet business requirements; it is not up to the security manager to refuse the deviation. A) Has all the personnel and equipment it needs is incorrect. Having personnel and equipment is an important requirement to meet the IT strategy but will not ensure that the IT strategy supports business objectives. 
C) Uses its equipment and personnel efficiently and effectively is incorrect. Using equipment and personnel efficiently and effectively is an effective method for determining the proper management of the IT function but does not ensure that the IT strategy is aligned with business objectives.
D) Has sufficient excess capacity to respond to changing directions is incorrect. This is important to show flexibility to meet organizational changes but is not in itself a way to ensure that IT is aligned with business goals.

Q123) An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make?
A) Implement a source code version control tool.
B) Schedule user testing to occur at a given time each day.
C) Only retest high-priority defects.
D) Consider the feasibility of a separate user acceptance environment. - CORRECT ANSWER D) Consider the feasibility of a separate user acceptance environment is correct. A separate environment (or environments) is normally necessary for testing to be efficient and effective and to ensure the integrity of production code. It is important that the development and test code bases be separate. When defects are identified, they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production. This enforces a separation between development and production code. The logistics of setting up and refreshing customized test data are easier if a separate environment is maintained.
B) Schedule user testing to occur at a given time each day is incorrect. If developers and testers are sharing the same environment, they have to work effectively at separate times of the day. It is unlikely that this would provide optimum productivity.
A) Implement a source code version control tool is incorrect. Use of a source code control tool is a good practice, but it does not properly mitigate the lack of an appropriate test environment.
C) Only retest high-priority defects is incorrect. Even low-priority fixes run the risk of introducing unintended results when combined with the rest of the system code. To prevent this, regular regression testing covering all code changes should occur. A separate test environment makes the logistics of regression testing easier to manage.

Q124) A cyclic redundancy check is commonly used to determine the:
A) integrity of a downloaded program.
B) adequacy of encryption.
C) accuracy of data input.
D) validity of data transfer. - CORRECT ANSWER D) Validity of data transfer is correct. The accuracy of blocks of data transfers, such as data transfer from hard disks, is validated by a cyclic redundancy check.
C) Accuracy of data input is incorrect. This can be enforced by data validation controls, such as picklists, cross checks, reasonableness checks, control totals and allowed character checks.
A) Integrity of a downloaded program is incorrect. A checksum or digital signature is commonly used to validate the integrity of a downloaded program or other transferred data.
B) Adequacy of encryption is incorrect. Encryption adequacy is driven by the sensitivity of the data to be protected and algorithms that determine how long it will take to break a specific encryption method.

Q125) An IS auditor is performing a post-implementation review of an organization's system and identifies output errors within an accounting application. The IS auditor determined this was caused by input errors. Which of the following controls should the IS auditor recommend to management?
A) Run-to-run totals
B) Reconciliations
C) Recalculations
D) Limit checks - CORRECT ANSWER D) Limit checks is correct. Processing controls should be implemented as close as possible to the point of data entry. Limit checks are one type of input validation check that provides a preventive control to ensure that invalid data cannot be entered because values must fall within a predetermined limit.
C) Recalculations is incorrect. A sample of transactions may be recalculated manually to ensure that processing is accomplishing the anticipated task. Recalculations are performed after the output phase.
A) Run-to-run totals is incorrect. These provide the ability to verify data values through the stages of application processing. Run-to-run total verification ensures that data read into the computer were accepted and then applied to the updating process. Run-to-run totals are performed after the output phase.
B) Reconciliations is incorrect. Reconciliation of file totals should be performed on a routine basis. Reconciliations may be performed through the use of a manually maintained account, a file control record or an independent control file. Reconciliations are performed after the output phase.