CISA EXAM 2|150 Questions with Verified Answers

Q1) Which of the following is the MOST efficient and sufficiently reliable way to test the design effectiveness of a change control process? A) Interview personnel in charge of the change control process B) Perform an end-to-end walk-through of the process C) Test a sample of authorized changes D) Test a sample population of change requests - CORRECT ANSWER B) Perform an end-to-end walk-through of the process is correct. Observation is the best and most effective method to test changes to ensure that the process is effectively designed. D) Test a sample population of change requests is incorrect. Testing a sample population of changes is a test of compliance and operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design. C) Test a sample of authorized changes is incorrect. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization or detect changes that bypassed the controls. A) Interview personnel in charge of the change control process is incorrect. This is not as effective as a walk-through of the change control process because people may know the process but not follow it.

Q2) An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture? A) Inbound traffic is blocked unless the traffic type and connections have been specifically permitted. B) A Secure Sockets Layer has been implemented for user authentication and remote administration of the firewall.
C) The firewall is placed on top of the commercial operating system with all default installation options. D) Firewall policies are updated on the basis of changing requirements - CORRECT ANSWER C) The firewall is placed on top of the commercial operating system with all default installation options is correct. The greatest concern when implementing firewalls on top of commercial operating systems is the potential presence of vulnerabilities that could undermine the security posture of the firewall platform itself. In most circumstances, when commercial firewalls are breached, that breach is facilitated by vulnerabilities in the underlying operating system. Keeping all default installation options (unneeded services, packages and accounts) on the system further increases the attack surface and the risk of exploitable vulnerabilities. B) A Secure Sockets Layer has been implemented for user authentication and remote administration of the firewall is incorrect. Using an encrypted channel (Secure Sockets Layer, or in current practice TLS) for firewall administration is important because changes in user and supply chain partners' roles and profiles will be dynamic. D) Firewall policies are updated on the basis of changing requirements is incorrect. It is appropriate to maintain the firewall policies as needed. A) Inbound traffic is blocked unless the traffic type and connections have been specifically permitted is incorrect. It is prudent to block all inbound traffic to an extranet unless permitted (a default-deny rule base).

Q3) Which of the following choices would be the BEST source of information when developing a risk-based audit plan? A) System custodians identify vulnerabilities. B) Process owners identify key controls.

factor authentication methods or techniques would most effectively reduce the risk of stolen or compromised credentials. Password-only based authentication may not provide adequate security. B) Password complexity rules is incorrect.
While controls regarding password complexity are important, two-factor authentication methods or techniques would most effectively reduce the risk of stolen or compromised credentials.

Q6) Which of the following should be included in an organization's information security policy? A) The basis for access control authorization B) Relevant software security features C) A list of key IT resources to be secured D) Identity of sensitive security assets - CORRECT ANSWER A) The basis for access control authorization is correct. The security policy provides the broad framework of security as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. C) A list of key IT resources to be secured is incorrect. This is more detail than should be included in a policy. D) Identity of sensitive security assets is incorrect. The identity of sensitive security assets is more detailed than that which should be included in a policy. B) Relevant software security features is incorrect. A list of the relevant software security features is more detailed than that which should be included in a policy.

Q7) Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems? A) Parallel testing B) Interface/integration testing C) Sociability testing D) Pilot testing - CORRECT ANSWER C) Sociability testing is correct. The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web development. A) Parallel testing is incorrect.
This is the process of feeding data into two systems —the modified system and an alternate system—and comparing the results. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions. This allows a new system to be tested without affecting existing systems. D) Pilot testing is incorrect. This takes place first at one location and is then extended to other locations. The purpose is to see if the new system operates satisfactorily in one place before implementing it at other locations. In most cases the cutover to the new system will disable existing systems. B) Interface/integration testing is incorrect. This is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure. This will not test in a true production environment.

Q8) An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: A) Information security is not critical to all functions. B) IS audit should provide security training to the employees. C) This lack of knowledge may lead to unintentional disclosure of sensitive information. D) The audit finding will cause management to provide continuous training to staff. - CORRECT ANSWER C) This lack of knowledge may lead to unintentional disclosure of sensitive information is correct. All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders. A) Information security is not critical to all functions is incorrect. Information security is everybody's business, and all staff should be trained in how to handle information correctly.
B) IS audit should provide security training to the employees is incorrect. Providing security awareness training is not an IS audit function. D) The audit finding will cause management to provide continuous training to staff is incorrect. Management may agree to or reject an audit finding. The IS auditor cannot be assured that management will act upon an audit finding unless they are aware of its impact; therefore, the auditor must report the risk associated with lack of security awareness.

Q9) The PRIMARY objective of performing a postincident review is that it presents an opportunity to A) improve internal control procedures. B) highlight the importance of incident response management to management. C) improve employee awareness of the incident response process. D) harden the network to industry good practices. - CORRECT ANSWER A) Improve internal control procedures is correct. A postincident review examines both the cause and response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables the information security

D) Senior management is aware of critical information assets and demonstrates an adequate concern for their protection is incorrect. Senior management's level of awareness and concern for information assets is a criterion for evaluating the importance that they attach to those assets and their protection, but it is not as meaningful as having job descriptions that require all staff to be responsible for information security. C) In accordance with the degree of risk and business impact, there is adequate funding for security efforts is incorrect. Funding is important, but having funding does not ensure that the security program is effective or adequate. A) No actual incidents have occurred that have caused a loss or a public embarrassment is incorrect.
The number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program, but it is not a criterion for evaluating a security program.

Q12) As a result of profitability pressure, senior management of an enterprise decided to keep investments in information security at an inadequate level. Which of the following is the BEST recommendation of an IS auditor? A) Revise compliance enforcement processes. B) Request that senior management accepts the risk. C) Use cloud providers for low-risk operations. D) Postpone low-priority security procedures. - CORRECT ANSWER B) Request that senior management accept the risk is correct. Senior management determines resource allocations. Having established that the level of security is inadequate, it is imperative that senior management formally accept the risk resulting from their decisions. C) Use cloud providers for low-risk operations is incorrect. The use of cloud providers may or may not provide cost savings or lower risk. A) Revise compliance enforcement processes is incorrect. Compliance enforcement processes that identify high levels of residual risk are working as intended and should not be revised. D) Postpone low-priority security procedures is incorrect. The IS auditor should not recommend postponing any procedures. This is a management decision, and management should first accept the risk.

Q13) During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to: A) document for future review. B) work with database administrators to correct the issue. C) report the weaknesses as observed. D) include a review of the database controls in the scope. - CORRECT ANSWER C) Report the weaknesses as observed is correct. Any weakness noticed should be reported, even if it is outside the scope of the current audit.
Weaknesses identified during an application software review need to be reported to management. D) Include a review of the database controls in the scope is incorrect. Executing audits and reviews outside the scope is not advisable. In this case, the weakness identified is considered to be a minor issue, and it is sufficient to report the issue and address it at a later time. A) Document for future review is incorrect. In this case, the weakness identified is considered to be a minor issue. The IS auditor should formally report the weaknesses as an observation rather than documenting it to address during a future audit. B) Work with database administrators to correct the issue is incorrect. It is not appropriate for the IS auditor to work with database administrators to correct the issue, because doing so would compromise the auditor's independence.

Q14) For the annual internal IS audit plan, which of the following is the FIRST step performed prior to creating a risk ranking? A) Prioritize the identified risk. B) Identify the critical controls. C) Determine the testing approach. D) Define the audit universe. - CORRECT ANSWER D) Define the audit universe is correct. In a risk-based audit approach, the IS auditor identifies risk to the organization based on the nature of the business. To plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix. A) Prioritize the identified risk is incorrect. After the audit universe is defined, the IS auditor can prioritize risk based on its overall impact on different operational areas of the organization covered under the audit universe. B) Identify the critical controls is incorrect. The controls that help in mitigating high-risk areas are generally critical controls, and their effectiveness provides assurance on mitigation of risk. However, this cannot be done unless the types of risk are ranked.
C) Determine the testing approach is incorrect. The testing approach is based on the risk ranking.

Q15) An Internet-based attack using password sniffing can: A) be used to gain access to systems containing proprietary information. B) enable one party to act as if they are another party. C) result in major problems with billing systems and transaction processing agreements.

B) directive control. C) compensating control. D) detective control. - CORRECT ANSWER A) Corrective control is correct. Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions when they are detected. This provides a mechanism to detect when malicious events have happened and correct the situation. B) Directive control is incorrect. Directive controls, such as IT policies and procedures, do not apply in this case because this is an automated control. C) Compensating control is incorrect. A compensating control is used where other controls are not sufficient to protect the system. In this case, the corrective control in place will effectively protect the system from access via an unpatched device. D) Detective control is incorrect. Detective controls exist to detect and report when errors, omissions and unauthorized uses or entries occur.

Q19) Which of the following is the MOST secure way to remove data from obsolete magnetic tapes during a disposal? A) Initializing the tape labels B) Erasing the tapes C) Overwriting the tapes D) Degaussing the tapes - CORRECT ANSWER D) Degaussing the tapes is correct. The best way to handle obsolete magnetic tapes is to degauss them. Degaussing is the application of a coercive magnetic force to the tape media. This action leaves a very low residue of magnetic induction, essentially erasing the data completely from the tapes. C) Overwriting the tapes is incorrect. This is a good practice, but if the tapes have contained sensitive information then it is necessary to degauss them. A) Initializing the tape labels is incorrect.
This would not remove the data on the tape and could lead to compromise of the data on the tape. B) Erasing the tapes is incorrect. This will make the data unreadable except for sophisticated attacks; therefore, tapes containing sensitive data should be degaussed.

Q20) An IS auditor reviewing the authentication controls of an organization should be MOST concerned if: A) passwords can be reused by employees within a defined time frame. B) user accounts are not locked out after five failed attempts. C) system administrators use shared login credentials. D) password expiration is not automated. - CORRECT ANSWER C) System administrators use shared login credentials is correct. The use of shared login credentials makes accountability impossible: actions in the audit trail cannot be attributed to an individual. This is especially a risk with privileged accounts. B) User accounts are not locked out after five failed attempts is incorrect. If user accounts are not locked after multiple failed attempts, a brute force attack could be used to gain access to the system. While this is a risk, a typical user would have limited system access compared to an administrator. A) Passwords can be reused by employees within a defined time frame is incorrect. The reuse of passwords is a risk. However, the use of shared login credentials by administrators is a more severe risk. D) Password expiration is not automated is incorrect. If password expiration is not automated, it is most likely that employees will not change their passwords regularly. However, this is not as serious as passwords being shared, and the use of shared login credentials by administrators is a more severe risk.

Q21) During the review of a biometrics system operation, an IS auditor should FIRST review the stage of: A) identification B) storage C) verification D) enrollment - CORRECT ANSWER D) Enrollment is correct. The users of a biometric device must first be enrolled in the device. A) Identification is incorrect.
The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be used in the matching processes. C) Verification is incorrect. A user applying for access will be verified against the stored enrolled value. B) Storage is incorrect. The biometric stores sensitive personal information, so the storage must be secure.

Q22) A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action? A) Set up an exit interview with human resources. B) Ensure that management signs off on the termination paperwork. C) Terminate the developer's logical access to IT resources. D) Initiate the handover process to ensure continuity of the project. - CORRECT ANSWER C) Terminate the developer's logical access to IT resources is correct. To protect IT assets, terminating logical access to IT resources is the first and most

Q25) Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project? A) System builders B) System designers C) System users D) System owners - CORRECT ANSWER D) System owners is correct. These are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems. C) System users is incorrect. These are the individuals who use or are affected by the information system. Their requirements are crucial in the requirements definition, design and testing stages of a project. B) System designers is incorrect. They translate business requirements and constraints into technical solutions. A) System builders is incorrect. They construct the system based on the specifications from the systems designers.
In most cases, the designers and builders are one and the same.

Q26) An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess: A) backout procedures. B) problem management procedures. C) incident management procedures. D) software development procedures. - CORRECT ANSWER A) Backout procedures is correct. These are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process—a process which specifies what procedures should be followed when software is being upgraded but the upgrade does not work and requires a fallback to its former state. B) Problem management procedures is incorrect. These are used to track user feedback and issues related to the operation of an application for trend analysis and problem resolution. D) Software development procedures is incorrect. These procedures, such as the software development life cycle (SDLC), are used to manage the creation or acquisition of new or modified software. C) Incident management procedures is incorrect. These are used to manage errors or problems with system operation. They are usually used by a help desk. One of the incident management procedures may be how to follow a fallback plan.

Q27) An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of: A) variable sampling. B) stop-or-go sampling. C) compliance testing. D) substantive testing. - CORRECT ANSWER C) Compliance testing is correct. This determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. A) Variable sampling is incorrect. It is used to estimate numerical values such as dollar values. D) Substantive testing is incorrect.
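The compliance test in Q27 carried out as a script, as an added Python example that is not part of the exam material or of ISACA's guidance: each recently added account is checked against the register of approved access requests for the existence of an approval, its timing, the independence of the approver and the role actually granted. The account listing, the request register and the field names (user, created, requester, approver, approved, role) are constructed assumptions.

```python
"""Compliance test for Q27: were recently added accounts appropriately authorized?

Added example, not part of the exam material. The account listing and the
approved-access-request register below are constructed sample data; the field
names (user, created, requester, approver, approved, role) are assumptions.
"""
from datetime import date

# Constructed: accounts created during the audit period (e.g., exported from the application)
NEW_ACCOUNTS = [
    {"user": "jdoe",   "created": date(2024, 3, 4),  "role": "clerk"},
    {"user": "asmith", "created": date(2024, 3, 6),  "role": "clerk"},
    {"user": "rlee",   "created": date(2024, 3, 9),  "role": "admin"},
    {"user": "tmp01",  "created": date(2024, 3, 11), "role": "admin"},
    {"user": "kwong",  "created": date(2024, 3, 12), "role": "clerk"},
]

# Constructed: approved access requests exported from the ticketing system
APPROVED_REQUESTS = [
    {"user": "jdoe",   "requester": "hr.mgr", "approver": "app.owner", "approved": date(2024, 3, 1),  "role": "clerk"},
    {"user": "asmith", "requester": "hr.mgr", "approver": "app.owner", "approved": date(2024, 3, 8),  "role": "clerk"},  # approved after creation
    {"user": "rlee",   "requester": "rlee",   "approver": "rlee",      "approved": date(2024, 3, 8),  "role": "admin"},  # self-approved
    {"user": "kwong",  "requester": "hr.mgr", "approver": "app.owner", "approved": date(2024, 3, 10), "role": "user"},   # role differs
]
# tmp01 has no request at all.


def compliance_exceptions(accounts, requests):
    """Return one (user, reason) record per control failure.

    Tests applied to each new account:
      - an approved request exists for the user;
      - approval date is on or before account creation (no after-the-fact approval);
      - approver is neither the requester nor the account holder (segregation of duties);
      - role granted matches the role approved.
    """
    by_user = {}
    for r in requests:
        by_user.setdefault(r["user"], []).append(r)

    exceptions = []
    for acct in accounts:
        reqs = by_user.get(acct["user"], [])
        if not reqs:
            exceptions.append((acct["user"], "no approved access request"))
            continue
        # Use the earliest approval; a later one cannot have authorized the creation
        req = min(reqs, key=lambda r: r["approved"])
        if req["approved"] > acct["created"]:
            exceptions.append((acct["user"], "approval dated after account creation"))
        if req["approver"] in (req["requester"], acct["user"]):
            exceptions.append((acct["user"], "approver not independent of requester/account holder"))
        if req["role"] != acct["role"]:
            exceptions.append((acct["user"], f"role {acct['role']!r} differs from approved {req['role']!r}"))
    return exceptions


def exception_rate(accounts, requests):
    """Fraction of sampled accounts with at least one exception (the deviation rate
    the auditor compares against the tolerable rate for the control)."""
    failed = {user for user, _ in compliance_exceptions(accounts, requests)}
    return len(failed) / len(accounts) if accounts else 0.0


if __name__ == "__main__":
    for user, reason in compliance_exceptions(NEW_ACCOUNTS, APPROVED_REQUESTS):
        print(f"EXCEPTION {user}: {reason}")
    print(f"deviation rate: {exception_rate(NEW_ACCOUNTS, APPROVED_REQUESTS):.0%}")
```

On the constructed data, four of the five accounts fail at least one test; only jdoe passes all four. Note that this is a compliance test of the provisioning control, not a substantive test: it says nothing about whether the access those accounts then exercised produced correct processing results.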
This substantiates the integrity of actual processing such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. B) Stop-or-go sampling is incorrect. This allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.

Q28) The IS management of a multinational company is considering upgrading its existing virtual private network to support Voice-over Internet Protocol communication via tunneling. Which of the following considerations should be PRIMARILY addressed? A) Means of authentication B) Privacy of voice transmissions C) Reliability and quality of service D) Confidentiality of data transmissions - CORRECT ANSWER C) Reliability and quality of service (QoS) is correct. These are the primary considerations to be addressed. Voice communications require consistent levels of service, which may be provided through QoS and class of service controls. A) Means of authentication is incorrect. The company currently has a virtual private network (VPN); authentication has been implemented by the VPN using tunneling. B) Privacy of voice transmissions is incorrect. This is provided by the VPN protocol. D) Confidentiality of data transmissions is incorrect. The company currently has a VPN; confidentiality of both data and Voice-over Internet Protocol traffic has been implemented by the VPN using tunneling.

Q29) While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change

B) Only thoroughly tested programs are released is incorrect. Library control software is concerned with authorized program changes and cannot determine whether programs have been thoroughly tested. A) Modified programs are automatically moved to production is incorrect.
Programs should not be moved automatically into production without proper authorization. D) Source and executable code integrity is maintained is incorrect. Library control software provides reasonable assurance that the source code and executable code are matched at the time a source code is moved to production. Access control will ensure the integrity of the software, but the most important benefit of version control software is to ensure that all changes are authorized.

Q32) The PRIMARY benefit of an IT manager monitoring technical capacity is to: A) identify the need for new hardware and storage procurement. B) ensure that the service level requirements are met. C) determine the future capacity need based on usage. D) ensure that systems operate at optimal capacity. - CORRECT ANSWER B) Ensure that the service level requirements are met is correct. Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal service level agreement between the business and IT. A) Identify the need for new hardware and storage procurement is incorrect. This is one benefit of monitoring technical capacity because it can help forecast future demands, not just react to system failures. However, the primary responsibility of the IT manager is to meet the overall requirement to ensure that IT is meeting the service level expectations of the business. C) Determine the future capacity need based on usage is incorrect. Determining future capacity is one definite benefit of technical capacity monitoring. D) Ensure that systems operate at optimal capacity is incorrect. IT management is interested in ensuring that systems are operating at optimal capacity, but their primary obligation is to ensure that IT is meeting the service level requirements of the business.

Q33) Which of the following is the MOST effective control over visitor access to a data center? A) Visitors sign in. B) Visitor badges are required.
C) Visitors are spot-checked by operators. D) Visitors are escorted. - CORRECT ANSWER D) Visitors are escorted is correct. Escorting visitors will provide the best assurance that visitors have permission to access defined areas within the data processing facility. B) Visitor badges are required is incorrect. This is a good practice, but not a reliable control. A) Visitors sign in is incorrect. This is good practice, but not a reliable control. After visitors are in the building, the sign-in process will not prevent them from accessing unauthorized areas. C) Visitors are spot-checked by operators is incorrect. Visitors should be accompanied at all times while they are on the premises, not only when they are in the data processing facility.

Q34) An IS auditor reviewing the IT organization is MOST concerned if the IT steering committee: A) reports the status of IT projects to the board of directors. B) is responsible for project approval and prioritization. C) is responsible for determining business goals. D) is responsible for developing the long-term IT plan. - CORRECT ANSWER C) Is responsible for determining business goals is correct. Determining the business goals is the responsibility of senior management and not of the IT steering committee. IT should support business goals and be driven by the business—not the other way around. B) Is responsible for project approval and prioritization is incorrect. The IT steering committee is responsible for project approval and prioritization. D) Is responsible for developing the long-term IT plan is incorrect. The IT steering committee is responsible for oversight of the development of the long-term IT plan. A) Reports the status of IT projects to the board of directors is incorrect. The IT steering committee advises the board of directors on the status of developments in IT.

Q35) Which of the following should be considered FIRST when implementing a risk management program?
A) An understanding of the organization's threat, vulnerability and risk profile B) A determination of risk management priorities that are based on potential consequences C) A risk mitigation strategy sufficient to keep risk consequences at an acceptable level D) An understanding of the risk exposures and the potential consequences of compromise - CORRECT ANSWER A) An understanding of the organization's threat, vulnerability and risk profile is correct. Implementing risk management, as one of the outcomes of effective information security governance, requires a collective understanding of the organization's threat, vulnerability and risk profile as a first step.

B) Cryptographic C) Replay D) Brute force - CORRECT ANSWER C) Replay is correct. Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused by an attacker to gain unauthorized access. D) Brute force is incorrect. This involves feeding the biometric capture device numerous different biometric samples. B) Cryptographic is incorrect. This targets the algorithm or the encrypted data. A) Mimic is incorrect. In this attack, the attacker reproduces characteristics similar to those of the enrolled user, such as forging a signature or imitating a voice.

Q39) Which of the following intrusion detection systems will MOST likely generate false alarms resulting from normal network activity? A) Host-based B) Signature-based C) Neural network D) Statistical-based - CORRECT ANSWER D) Statistical-based is correct. A statistical-based intrusion detection system (IDS) relies on a definition of known and expected behavior of systems. Because normal network activity may, at times, include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious. B) Signature-based is incorrect. A signature-based IDS is limited to its predefined set of detection rules, just like a virus scanner.
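The contrast Q39 draws between statistical and signature-based detection, as an added Python illustration that is not part of the exam material: a z-score detector trained on a constructed baseline of per-minute traffic flags a legitimate burst of simultaneous downloads (the false-positive case the question describes), while a toy signature matcher over constructed request strings flags only the payload containing a known pattern and stays silent on everything else. The traffic values, the event strings, the rule patterns and the 3-sigma threshold are all constructed assumptions.

```python
"""Q39 illustration: a statistical (anomaly-based) IDS flags normal-but-unusual
activity; a signature-based IDS flags only what matches a known pattern.

Added example, not part of the exam material. Traffic volumes, event strings,
signature patterns and the z-score threshold are constructed assumptions.
"""
from statistics import mean, stdev

# Constructed: outbound megabytes per minute on an office link during a quiet
# period, used to learn "expected behavior".
BASELINE_MB = [12, 14, 11, 13, 15, 12, 14, 13, 11, 12, 13, 14]

# Constructed: the monitored window. The last four minutes are a legitimate
# burst (many users pull the same patch bundle at once), not an attack.
OBSERVED_MB = [13, 12, 14, 12, 95, 110, 102, 88]

# Constructed: HTTP request lines seen in the same window.
EVENTS = [
    "GET /updates/patch-bundle.zip HTTP/1.1",
    "GET /updates/patch-bundle.zip HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/status?cmd=;cat%20/etc/passwd HTTP/1.1",  # matches a known-bad pattern
]

# Toy signatures: substrings a rule set might carry for known attack payloads.
SIGNATURES = {
    "cmd injection": ";cat%20/etc/passwd",
    "path traversal": "../..",
}


def statistical_alerts(baseline, observed, z_threshold=3.0):
    """Flag observations more than z_threshold standard deviations above the
    baseline mean. Returns a list of (index, value, z_score) per alert."""
    mu, sigma = mean(baseline), stdev(baseline)
    alerts = []
    for i, value in enumerate(observed):
        z = (value - mu) / sigma
        if z > z_threshold:
            alerts.append((i, value, round(z, 1)))
    return alerts


def signature_alerts(events, signatures):
    """Flag events containing a known-bad substring. Returns (index, rule_name)."""
    return [(i, name)
            for i, event in enumerate(events)
            for name, pattern in signatures.items()
            if pattern in event]


def compare():
    """Run both detectors over the constructed window and count their alerts.

    The statistical detector raises one alert per burst minute even though the
    burst is benign; the signature detector raises exactly one alert, on the
    request that matches a rule, and would miss any attack without a signature."""
    stat = statistical_alerts(BASELINE_MB, OBSERVED_MB)
    sig = signature_alerts(EVENTS, SIGNATURES)
    return {"statistical_alerts": len(stat), "signature_alerts": len(sig)}


if __name__ == "__main__":
    for idx, value, z in statistical_alerts(BASELINE_MB, OBSERVED_MB):
        print(f"statistical: minute {idx} = {value} MB (z={z}) -- benign burst, false positive")
    for idx, rule in signature_alerts(EVENTS, SIGNATURES):
        print(f"signature:   event {idx} matched rule {rule!r}")
    print(compare())
```

Against its own baseline the statistical detector stays quiet (every value sits within two standard deviations of the mean), so the alerts come entirely from the benign download burst; tuning the threshold or the baseline window trades those false positives against sensitivity, which is the operational cost the question is pointing at.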
Signature-based systems traditionally have low levels of false positives but may be weak at detecting new attacks. C) Neural network is incorrect. A neural network combines the statistical- and signature-based IDSs to create a hybrid and better system. A) Host-based is incorrect. This is another type of IDS, but it would not be used to monitor network activity.

Q40) Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious? A) Unauthorized report copies might be printed. B) Sensitive data might be read by operators. C) Output might be lost in the event of system failure. D) Data might be amended without authorization. - CORRECT ANSWER A) Unauthorized report copies might be printed is correct. Spooling for offline printing may enable additional copies to be printed unless adequate safeguards exist as compensating controls. B) Sensitive data might be read by operators is incorrect. Operators often have high-level access as a necessity to perform their job duties. To the extent that this is a risk, it exists for any form of non-local printing and is not specifically tied to spooled reports. D) Data might be amended without authorization is incorrect. Data on spool files are no easier to amend without authority than any other file. C) Output might be lost in the event of system failure is incorrect. Loss of data at the spooler level would only require reprinting.

Q41) An organization allows for the use of universal serial bus drives to transfer operational data between offices. Which of the following is the GREATEST risk associated with the use of these devices? A) Files are not backed up B) Use of the devices for personal purposes C) Theft of the devices D) Introduction of malware into the network - CORRECT ANSWER C) Theft of the devices is correct. Because universal serial bus (USB) drives tend to be small, they are susceptible to theft or loss.
This represents the greatest risk to the organization. A) Files are not backed up is incorrect. While this is a risk, theft of an unencrypted device is a greater risk. B) Use of the devices for personal purposes is incorrect. Use of USB drives for personal purposes is a violation of company policy; however, this is not the greatest risk. D) Introduction of malware into the network is incorrect. Good general IT controls will include the scanning of USB drives for malware once they are inserted in a computer. The risk of malware in an otherwise robust environment is not as great as the risk of loss or theft.

Q42) Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production? A) Back up all affected records before allowing the developer to make production changes. B) Provide and monitor separate developer login IDs for programming and for production support. C) Capture activities of the developer in the production environment by enabling detailed audit trails. D) Ensure that all changes are approved by the change manager prior to implementation. - CORRECT ANSWER B) Provide and monitor separate developer

A) To identify potential errors or inconsistencies in business processes B) To be used as a cost-saving measure C) To ensure that employees are properly cross-trained in multiple functions D) To improve employee morale - CORRECT ANSWER A) To identify potential errors or inconsistencies in business processes is correct. Mandatory vacations help uncover potential fraud or inconsistencies. Ensuring that people who have access to sensitive internal controls or processes take a mandatory vacation annually is often a regulatory requirement and, most importantly, a good way to uncover fraud. C) To ensure that employees are properly cross-trained in multiple functions is incorrect.
Ensuring that employees are properly cross-trained in multiple functions improves the skills of employees and provides for succession planning but is not the primary purpose of mandatory vacations. D) To improve employee morale is incorrect. Improving employee morale helps in reducing employee burnout but is not the primary reason for mandatory vacations. B) To be used as a cost-saving measure is incorrect. Mandatory vacations may or may not be a cost-saving measure, depending on the enterprise.

Q46) During an audit, the IS auditor notes the application developer also performs quality assurance testing on another application. Which of the following is the MOST important course of action for the auditor? A) Report the identified condition. B) Analyze the quality assurance dashboards. C) Recommend compensating controls. D) Review the code created by the developer.
- CORRECT ANSWER A) Report the identified condition is correct. The software quality assurance role should be independent and separate from development activities. The same person should not hold both roles because this would cause a segregation of duties concern. The IS auditor should report this condition when identified. C) Recommend compensating controls is incorrect. Although compensating controls may be a good idea, the primary response in this case should be to report the condition, because the risk associated with this should be reported to the users of the audit report. D) Review the code created by the developer is incorrect. Evaluating the code created by the application developer is not the appropriate response in this case. The IS auditor may evaluate a sample of changes to determine whether the developer tested his/her own code, but the primary response should be to report the condition. B) Analyze the quality assurance dashboards is incorrect.
Analyzing the quality assurance dashboards can help evaluate the actual impact of the lack of segregation of duties but does not address the underlying risk. The primary response should be to report the condition.

Q47) Which of the following should be developed during the requirements definition phase of a software development project to address aspects of software testing? A) User acceptance test specifications B) Detailed test plans C) Test data covering critical applications D) Quality assurance test specifications
- CORRECT ANSWER A) User acceptance test specifications is correct. A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project, and user acceptance test specifications should be developed during this phase. C) Test data covering critical applications is incorrect. Test data will usually be created during the system testing phase. B) Detailed test plans is incorrect. These are created during system testing. D) Quality assurance test specifications is incorrect. These are set out later in the development process.

Q48) An IS auditor is performing a review of an organization's governance model. Which of the following should be of MOST concern to the auditor? A) The information security policy is not periodically reviewed by senior management. B) The audit committee did not review the organization's global mission statement. C) A policy ensuring systems are patched in a timely manner does not exist. D) An organizational policy related to information asset protection does not exist.
- CORRECT ANSWER A) The information security policy is not periodically reviewed by senior management is correct. Data security policies should be reviewed/refreshed once every year to reflect changes in the organization's environment.
Policies are fundamental to the organization's governance structure, and, therefore, this is the greatest concern. C) A policy ensuring systems are patched in a timely manner does not exist is incorrect. While it is a concern that there is no policy related to system patching, the greater concern is that the information security policy is not reviewed periodically by senior management. B) The audit committee did not review the organization's mission statement is incorrect. Mission statements tend to be long term because they are strategic in nature and are established by the board of directors and management. This is not

A) Enforce standard compliance by adopting punitive measures against violators. B) Achieve standards alignment through an increase of resources devoted to the project. C) Delay the project until compliance with standards can be achieved. D) Align the data definition standards after completion of the project.
- CORRECT ANSWER B) Achieve standards alignment through an increase of resources devoted to the project is correct. Provided that data architecture, technical and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. D) Align the data definition standards after completion of the project is incorrect. The usage of nonstandard data definitions would lower the efficiency of the new development and increase the risk of errors in critical business decisions. To change data definition standards after project conclusion is risky and is not a viable solution. C) Delay the project until compliance with standards can be achieved is incorrect. Delaying the project would be an inappropriate suggestion because of business requirements or the likely damage to entire project profitability. A) Enforce standard compliance by adopting punitive measures against violators is incorrect.
Punishing the violators would be outside the authority of the auditor and inappropriate until the reason for the violations has been determined.

Q52) A characteristic of User Datagram Protocol in network communications is: A) incompatibility with packet broadcast. B) packets may arrive out of order. C) increased communication latency. D) error correction may slow down processing.
- CORRECT ANSWER B) Packets may arrive out of order is correct. User Datagram Protocol (UDP) uses a simple transmission model without implicit handshaking routines for providing reliability, ordering or data integrity. Thus, UDP provides an unreliable service, and datagrams may arrive out of order, appear duplicated or get dropped. C) Increased communication latency is incorrect. The advantage of UDP is that the lack of error checking allows for reduced latency. Time-sensitive applications, such as online video or audio, often use UDP because of the reduced latency of this protocol. A) Incompatibility with packet broadcast is incorrect. UDP is compatible with packet broadcast (sending to all on the local network) and multicasting (sending to all subscribers). D) Error correction may slow down processing is incorrect. UDP assumes that error checking and correction is either not necessary or performed in the application, avoiding the overhead of such processing at the network interface level.

Q53) When reviewing an intrusion detection system, an IS auditor should be MOST concerned about which of the following? A) Default detection settings B) Network performance downgrade C) High number of false-positive alarms D) Low coverage of network traffic
- CORRECT ANSWER D) Low coverage of network traffic is correct. Cybersecurity attacks might not be identified in a timely manner if only a small portion of network traffic is analyzed. C) High number of false-positive alarms is incorrect. Although the number of false positives is a serious issue, the problem will be known and can be corrected.
B) Network performance downgrade is incorrect. An intrusion detection system might decrease overall network performance; however, this is a secondary risk in this case. A) Default detection settings is incorrect. It is good practice to customize intrusion detection system settings to the specific network perimeter; however, there is a higher likelihood of missing attacks due to insufficient network coverage.

Q54) An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if: A) a signature-based IDS is weak against new types of attacks. B) IDS sensors are placed outside of the firewall. C) the IDS is used to detect encrypted traffic. D) a behavior-based IDS is causing many false alarms.
- CORRECT ANSWER C) The IDS is used to detect encrypted traffic is correct. An IDS cannot detect attacks within encrypted traffic, but there may be good reason to detect the presence of encrypted traffic, such as when a next-generation firewall is configured to terminate encrypted connections at the perimeter. In such cases, detecting encrypted packets flowing past the firewall could indicate improper configuration or even a compromise of the firewall itself. B) IDS sensors are placed outside of the firewall is incorrect. An organization can place sensors outside of the firewall to detect attacks. These sensors are placed in highly sensitive areas and on extranets. D) A behavior-based IDS is causing many false alarms is incorrect. An excessive number of false alarms from a behavior-based intrusion detection system (IDS) indicates that additional tuning is needed. False positives cannot be eliminated entirely, but ignoring this warning sign may negate the value of the system by causing those responsible for monitoring its warnings to become convinced that anything reported is false.

A) Resolved incidents are closed without reference to end users. B) A dedicated line is not assigned to the help desk team.
C) Certain calls could not be resolved by the help desk team. D) The help desk instant messaging has been down for over six months.
- CORRECT ANSWER A) Resolved incidents are closed without reference to end users is correct. The help desk function is a service-oriented unit. The end users must be advised before an incident can be regarded as closed. C) Certain calls could not be resolved by the help desk team is incorrect. Although this is of concern, it should be expected. A problem escalation procedure should be developed to handle such scenarios. B) A dedicated line is not assigned to the help desk team is incorrect. Ideally, a help desk team should have dedicated lines, but this exception is not as serious as the technical team unilaterally closing an incident. D) The help desk instant messaging has been down for more than six months is incorrect. Instant messaging is an add-on to improve the effectiveness of the help desk team. Its absence cannot be seen as a major concern as long as calls can still be made.

Q58) During the system testing phase of an application development project the IS auditor should review the: A) error reports. B) vendor contract. C) program change requests. D) conceptual design specifications.
- CORRECT ANSWER A) Error reports is correct. Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors. D) Conceptual design specifications is incorrect. This is a document prepared during the requirements definition phase. The system testing will be based on a test plan. B) Vendor contract is incorrect. This is prepared during a software acquisition process and may be reviewed to ensure that all the deliverables in the contract have been delivered, but the most important area of review is the error reports. C) Program change requests is incorrect.
These would be reviewed normally as a part of the post-implementation phase.

Q59) Which of the following is MOST effective for monitoring transactions exceeding predetermined thresholds? A) An integrated test facility B) Regression tests C) Transaction snapshots D) Generalized audit software
- CORRECT ANSWER D) Generalized audit software (GAS) is correct. This is a data analytic tool that can be used to filter large amounts of data. A) An integrated test facility is incorrect. Integrated test facilities test the processing of the data and cannot be used to monitor real-time transactions. B) Regression tests is incorrect. These are used to test new versions of software to ensure that previous changes and functionality are not inadvertently overwritten or disabled by the new changes. C) Transaction snapshots is incorrect. Gathering information through snapshots alone is not sufficient. GAS will assist with an analysis of the data.

Q60) Which of the following does an IS auditor consider to be MOST important when evaluating an organization's IT strategy? That it: A) supports the business objectives of the organization. B) does not vary from the IT department's preliminary budget. C) was approved by line management. D) complies with procurement procedures.
- CORRECT ANSWER A) Supports the business objectives of the organization is correct. Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals. C) Was approved by line management is incorrect. A strategic plan is a senior management responsibility and would receive input from line managers but would not be approved by them. B) Does not vary from the IT department's preliminary budget is incorrect. The budget should not vary from the plan. D) Complies with procurement procedures is incorrect.
Procurement procedures are organizational controls, but not a part of strategic planning.

Q61) A financial services enterprise has a small IT department, and individuals perform more than one role. Which of the following practices represents the GREATEST risk? A) The business analyst writes the requirements and performs functional testing. B) The IT manager also performs systems administration. C) The developers promote code into the production environment. D) The database administrator (DBA) also performs data backups.
- CORRECT ANSWER C) The developers promote code into the production environment is

C) purpose and scope of the audit being done. D) auditor's familiarity with the circumstances.
- CORRECT ANSWER C) Purpose and scope of the audit being done is correct. The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An IS audit with a narrow purpose and scope, or just a high-level review, will most likely require less data collection than an audit with a wider purpose and scope. A) Availability of critical and required information is incorrect. The extent to which data will be collected during an IS audit should be based on the scope, purpose and requirements of the audit and not be constrained by the ease of obtaining the information or by the IS auditor's familiarity with the area being audited. D) Auditor's familiarity with the circumstances is incorrect. An IS auditor must be objective and thorough and not subject to audit risk through preconceived expected results based on familiarity with the area being audited. B) Auditee's ability to find relevant evidence is incorrect. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence.
If evidence is not readily available, the auditor must ensure that other forms of audit are considered to ensure compliance in the area that is subject to audit.

Q65) In wireless communication, which of the following controls allows the receiving device to verify that the received communications have not been altered in transit? A) Wireless intrusion detection and intrusion prevention systems B) Device authentication and data origin authentication C) Packet headers and trailers D) The use of cryptographic hashes
- CORRECT ANSWER D) The use of cryptographic hashes is correct. Calculating cryptographic hashes for wireless communications allows the receiving device to verify that the received communications have not been altered in transit. This prevents masquerading and message modification attacks. B) Device authentication and data origin authentication is incorrect. These allow wireless endpoints to authenticate each other to prevent man-in-the-middle attacks and masquerading. A) Wireless intrusion detection and intrusion prevention systems is incorrect. These have the ability to detect misconfigured devices and rogue devices and detect and possibly stop certain types of attacks. C) Packet headers and trailers is incorrect. These alone do not ensure that the content has not been altered because an attacker could alter both the data and the trailer.

Q66) Confidentiality of the data transmitted in a wireless local area network is BEST protected if the session is: A) initiated from devices that have encrypted storage. B) restricted to predefined media access control addresses. C) encrypted using dynamic keys. D) encrypted using static keys.
- CORRECT ANSWER C) Encrypted using dynamic keys is correct. When using dynamic keys, the encryption key is changed frequently, thus reducing the risk of the key being compromised and the message being decrypted. B) Restricted to predefined media access control addresses is incorrect.
Limiting the number of devices that can access the network via media access control address filtering is an inefficient control and does not address the issue of encrypting the session. D) Encrypted using static keys is incorrect. Encryption with static keys—using the same key for a long period of time—carries a risk that the key would be compromised. A) Initiated from devices that have encrypted storage is incorrect. Encryption of the data on the connected device (laptop, smart phone, etc.) addresses the confidentiality of the data on the device, not the wireless session.

Q67) Which of the following is the BEST enabler for strategic alignment between business and IT? A) Goals and metrics B) A maturity model C) A responsible, accountable, consulted and informed (RACI) chart D) Control objectives
- CORRECT ANSWER A) Goals and metrics is correct. These ensure that IT goals are set based on business goals, and they are the best enablers of strategic alignment. B) A maturity model is incorrect. Maturity models enable assessment of current process capability and could be used for process improvement and measuring the maturity of the alignment process, but they do not directly enable strategic alignment. D) Control objectives is incorrect. These facilitate the implementation of controls in the related processes according to business requirements. C) A responsible, accountable, consulted and informed (RACI) chart is incorrect. RACI charts enable the assignment of responsibility to key functionaries but do not ensure strategic alignment.

Q68) When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining which of the following network documentation? A) Wiring and schematic diagram B) Users' lists and responsibilities

B) Inputting validation checks on web forms C) Transaction monitoring D) Enforcing password complexity for authentication
- CORRECT ANSWER C) Transaction monitoring is correct.
An electronic payment system could be the target of fraudulent activities. An unauthorized user could potentially enter false transactions. By monitoring transactions, the payment processor could identify potentially fraudulent transactions based on the typical usage patterns, monetary amounts, physical location of purchases, and other data that are part of the transaction process. A) Protecting web sessions using Secure Sockets Layer is incorrect. Using Secure Sockets Layer would help to ensure the secure transmission of data to and from the user's web browser and help to ensure that the end user has reached the correct web site, but this would not prevent fraudulent transactions. D) Enforcing password complexity for authentication is incorrect. Online transactions are not necessarily protected by passwords; for example, credit card transactions are not necessarily protected. The use of strong authentication would help to protect users of the system from fraud by attackers guessing passwords, but transaction monitoring would be the better control. B) Inputting validation checks on web forms is incorrect. This is important to ensure that attackers do not compromise the web site, but transaction monitoring would be the best control.

Q72) An IS auditor is comparing equipment in production with inventory records. This type of testing is an example of: A) analytical testing. B) substantive testing. C) control testing. D) compliance testing.
- CORRECT ANSWER B) Substantive testing is correct. This obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. D) Compliance testing is incorrect. This is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. This differs from substantive testing, in which evidence is gathered to evaluate the integrity of individual transactions, data or other information. A) Analytical testing is incorrect.
This evaluates the relationship of two sets of data and discerns inconsistencies in the relationship. C) Control testing is incorrect. This is the same as compliance testing.

Q73) The MAIN reason for requiring that all computer clocks across an organization are synchronized is to: A) support the incident investigation process. B) ensure that email messages have accurate time stamps. C) prevent omission or duplication of transactions. D) ensure smooth data transition from client machines to servers.
- CORRECT ANSWER A) Support the incident investigation process is correct. During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them is useful. If the clocks are not synchronized, investigations will be more difficult, because a time line of events occurring on different systems might not be easily established. C) Prevent omission or duplication of transactions is incorrect. The possibility of omission or duplication of transactions will not happen due to lack of clock synchronization. D) Ensure smooth data transition from client machines to servers is incorrect. Data transfer has nothing to do with the time stamp. B) Ensure that email messages have accurate time stamps is incorrect. Although the time stamp on an email may not be accurate, this is not a significant issue.

Q74) A web server is attacked and compromised. Organizational policy states that incident response should balance containment of an attack with retaining freedom for later legal action against an attacker. Under the circumstances, which of the following should be performed FIRST? A) Dump the volatile storage data to a disk. B) Run the server in a fail-safe mode. C) Disconnect the web server from the network. D) Shut down the web server.
- CORRECT ANSWER C) Disconnect the web server from the network is correct.
The first action is to disconnect the web server from the network to secure the device for investigation, contain the damage and prevent more actions by the attacker. A) Dump the volatile storage data to a disk is incorrect. This may be used at the investigation stage but does not contain an attack in progress. B) Run the server in a fail-safe mode is incorrect. In order to do this, the server needs to be shut down. D) Shut down the web server is incorrect. This could potentially erase information that might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.

Q75) Which of the following BEST encrypts data on mobile devices? A) Data encryption standard B) Elliptic curve cryptography C) Advanced encryption standard

D) The users not devoting reasonable time to define the functionalities of the solution
- CORRECT ANSWER A) Technical skills and knowledge within the organization related to sourcing and software development is correct. Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application. C) Privacy requirements as applied to the data processed by the application is incorrect. Privacy regulations would apply to both solutions. B) Whether the legacy system being replaced was developed in-house is incorrect. While individuals with knowledge of the legacy system are helpful, they may not have the technical skills to build a new system. Therefore, this is not the primary factor influencing the make versus buy decision. D) The users not devoting reasonable time to define the functionalities of the solution is incorrect. Unclear business requirements (functionalities) will similarly affect either development process but are not the primary factor influencing the make versus buy decision.

Q79) The implementation of access controls FIRST requires: A) the creation of an access control list. B) a classification of IS resources. C) an inventory of IS resources.
D) the labeling of IS resources.
- CORRECT ANSWER C) An inventory of IS resources is correct. The first step in implementing access controls is an inventory of IS resources, which is the basis for establishing ownership and classification. B) A classification of IS resources is incorrect. The first step in implementing access controls is an inventory of IS resources, which is the basis for classification. D) The labeling of IS resources is incorrect. Labeling resources cannot be done without first determining the resources' classifications. A) The creation of an access control list is incorrect. The access control list would not be done without a meaningful classification of resources.

Q80) An IS auditor is assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? A) The contractual warranties of the providers support the business needs of the organization. B) The service level agreement of each contract is substantiated by appropriate key performance indicators. C) At contract termination, support is guaranteed by each outsourcer for new outsourcers. D) An audit clause is present in all contracts.
- CORRECT ANSWER A) The contractual warranties of the providers support the business needs of the organization is correct. The primary requirement is for the services provided by the outsource supplier to meet the needs of the business. D) An audit clause is present in all contracts is incorrect. All other choices are important, but the first step is to ensure that the contracts support the business—only then can an audit process be valuable. B) The service level agreement of each contract is substantiated by appropriate key performance indicators is incorrect. All service level agreements should be measurable and reinforced through key performance indicators—but the first step is to ensure that the SLAs are aligned with business requirements.
C) At contract termination, support is guaranteed by each outsourcer for new outsourcers is incorrect. Having appropriate controls in place for contract termination is important, but first the IS auditor must be focused on the requirement of the supplier to meet business needs.

Q81) An organization is developing a new web-based application to process orders from customers. Which of the following security measures should be taken to protect this application from hackers? A) Make sure that only the IP addresses of existing customers are allowed through the firewall. B) Inspect file and access permissions on all servers to ensure that all files have read-only access. C) Ensure that ports 80 and 443 are blocked at the firewall. D) Perform a web application security review.
- CORRECT ANSWER D) Performing a web application security review is correct. This is a necessary effort that would uncover security vulnerabilities that could be exploited by hackers. C) Ensure that ports 80 and 443 are blocked at the firewall is incorrect. Port 80 must be open for a web application to work, and port 443 for Hypertext Transfer Protocol Secure (HTTPS) to operate. B) Inspect file and access permissions on all servers to ensure that all files have read-only access is incorrect. For customer orders to be placed, some data must be saved to the server. No customer orders could be placed on a read-only server. A) Make sure that only the IP addresses of existing customers are allowed through the firewall is incorrect. Restricting IP addresses might be appropriate for some types of web applications but is not the best solution because a new customer could not place an order until the firewall rules were changed to allow the customer to connect.

Q82) Which of the following is an attribute of the control self-assessment approach?
A) Auditors are the primary control analysts B) Broad stakeholder involvement

A) Message digest 5 B) Secure Shell C) Advanced Encryption Standard D) Data Encryption Standard
- CORRECT ANSWER C) Advanced Encryption Standard (AES) is correct. This provides the strongest encryption of all of the choices listed and would provide the greatest assurance that data are protected. Recovering data encrypted with AES is considered computationally infeasible, and so AES is the best choice for encrypting sensitive data. D) Data Encryption Standard (DES) is incorrect. This is susceptible to brute force attacks and has been broken publicly; therefore, it does not provide assurance that data encrypted using DES will be protected from unauthorized disclosure. A) Message digest 5 (MD5) is incorrect. This is an algorithm used to generate a one-way hash of data (a fixed-length value) to test and verify data integrity. MD5 does not encrypt data but puts data through a mathematical process that cannot be reversed. As a result, MD5 could not be used to encrypt data on a universal serial bus (USB) drive. B) Secure Shell (SSH) is incorrect. This is a protocol that is used to establish a secure, encrypted, command-line shell session, typically for remote logon. Although SSH encrypts data transmitted during a session, SSH cannot encrypt data at rest, including data on USB drives. As a result, SSH is not appropriate for this scenario.

Q86) A hotel has placed a PC in the lobby to provide guests with Internet access. Which of the following presents the GREATEST risk for identity theft? A) Web browser cookies are not automatically deleted. B) System updates have not been applied on the computer. C) The computer is improperly configured. D) Session time out is not activated.
- CORRECT ANSWER D) Session time out is not activated is correct. If an authenticated session is inactive and unattended, it can be hijacked and used for illegal purposes.
It might then be difficult to identify the intruder because a legitimate session was used. A) Web browser cookies are not automatically deleted is incorrect. If web browser cookies are not automatically deleted, it might be possible to determine the web sites that a user has accessed. However, if sessions do not time out, it is easier for identity theft to occur. C) The computer is improperly configured is incorrect. If the PC is not configured properly and does not have antivirus software installed, there could be a risk of virus or malware infection. This could cause identity theft. However, if sessions do not time out, it is easier for identity theft to occur. B) System updates have not been applied on the computer is incorrect. If system updates have not been applied, there could be a greater risk of virus or malware infection. This could cause identity theft. However, if sessions do not time out, it is easier for identity theft to occur.

Q87) Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a post-implementation focus should be to: A) assess whether the planned cost benefits are being measured, analyzed and reported. B) determine whether the system's objectives were achieved. C) review the impact of program changes made during the first phase on the remainder of the project. D) review control balances and verify that the system is processing data accurately.
- CORRECT ANSWER C) Review the impact of program changes made during the first phase on the remainder of the project is correct. Because management is aware that the project had problems, reviewing the subsequent impact will provide insight into the types and potential causes of the project issues. This will help to identify whether IT has adequately planned for those issues in subsequent projects.
A) Assess whether the planned cost benefits are being measured, analyzed and reported is incorrect. While all choices are valid, the postimplementation focus and primary objective should be understanding the impact of the problems in the first phase on the remainder of the project.
D) Review control balances and verify that the system is processing data accurately is incorrect. The review should assess whether the control is working correctly but should focus on the problems that led to project overruns in budget and time.
B) Determine whether the system's objectives were achieved is incorrect. Ensuring that the system works is a primary objective for the IS auditor, but in this case, because the project planning was a failure, the IS auditor should focus on the reasons for, and impact of, the failure.

Q88) A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines. Which of the following would be the BEST contingency plan for the communications processor?
A) Duplex communication links
B) Reciprocal agreement with another organization
C) Alternate processor in the same location
D) Alternate processor at another network node
- CORRECT ANSWER D) Alternate processor at another network node is correct. The unavailability of the central communications processor would disrupt all access to the banking network. This could be caused by an equipment, power or communications failure. Having a duplicate processor in another location that could be used for alternate processing is the best solution.

B) An individual's computer screen saver function is disabled is incorrect. Disabling the screen saver function increases the risk that sensitive data can be exposed to other employees; however, the risk is not as great as exposing the data to unauthorized individuals outside the organization.
C) Server configuration requires the user to change the password annually is incorrect. While changing the password annually is a concern, the risk is not as great as exposing the data to unauthorized individuals outside the organization.

Q91) Following good practices, formal plans for implementation of new information systems are developed during the:
A) testing phase.
B) development phase.
C) design phase.
D) deployment phase.
- CORRECT ANSWER C) Design phase is correct. The method of implementation may affect the design of the system. Therefore, planning for implementation should begin well in advance of the actual implementation date. A formal implementation plan should be constructed in the design phase and revised as the development progresses.
B) Development phase is incorrect. The implementation plans are updated during the development of the system, but the plans were already addressed during the design phase.
A) Testing phase is incorrect. The testing phase focuses on testing the system and is not concerned with implementation planning.
D) Deployment phase is incorrect. The deployment phase implements the system according to the plans set out earlier in the design phase.

Q92) An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability?
A) Configuration as a virtual private network endpoint.
B) Rules permitting or denying access to systems or networks.
C) An implicit deny rule as the last rule in the rule base.
D) Installation on an operating system configured with default settings.
- CORRECT ANSWER D) Installation on an operating system configured with default settings is correct. Default settings of most equipment (including operating systems) are often published and provide an intruder with predictable configuration information, which allows easier system compromise.
To mitigate this risk, firewall software should be installed on a system using a hardened operating system that has limited functionality, providing only the services necessary to support the firewall software.
C) An implicit deny rule as the last rule in the rule base is incorrect. Configuring a firewall with an implicit deny rule is common practice.
B) Rules permitting or denying access to systems or networks is incorrect. A firewall configuration should have rules allowing or denying access according to policy.
A) Configuration as a virtual private network endpoint is incorrect. A firewall is often set up as the endpoint for a virtual private network.

Q93) An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review?
A) IT risk is presented in business terms.
B) The risk management framework is based on global standards.
C) Controls are implemented based on cost-benefit analysis.
D) The approval process for risk response is in place.
- CORRECT ANSWER A) IT risk is presented in business terms is correct. For risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms.
C) Controls are implemented based on cost-benefit analysis is incorrect. Controls to mitigate risk must be implemented based on cost-benefit analysis; however, the cost-benefit analysis is effective only if risk is presented in business terms.
B) The risk management framework is based on global standards is incorrect. A risk management framework based on global standards helps in ensuring completeness; however, organizations must adapt it to suit specific business requirements.
D) The approval process for risk response is in place is incorrect. Approvals for risk response come later in the process.
Q94) An organization is planning to deploy an outsourced cloud-based application that is used to track job applicant data for the human resources department. Which of the following should be the GREATEST concern to an IS auditor?
A) The cloud provider will not agree to an unlimited right-to-audit as part of the SLA.
B) The service level agreement (SLA) ensures strict limits for uptime and performance.
C) The SLA is not explicit regarding the disaster recovery plan capabilities of the cloud provider.
D) The cloud provider's data centers are in multiple cities and countries.
- CORRECT ANSWER D) The cloud provider's physical data centers are in multiple cities and countries is correct. Having data in multiple countries is the greatest concern because human resources (HR) applicant data could contain personally identifiable information. There may be legal compliance issues if these data are stored in a country with different laws regarding data privacy. While the organization would be bound by the privacy laws where it is based, it may not have legal recourse if a data breach happens in a jurisdiction where the same laws do not apply.

B) Acceptance testing
C) Integration testing
D) System testing
- CORRECT ANSWER C) Integration testing is correct. This evaluates the connection of two or more components that pass information from one area to another. The objective is to use unit-tested modules, thus building an integrated structure according to the design.
B) Acceptance testing is incorrect. This determines whether the solution meets the requirements of the business and is performed after system staff has completed the initial system test. This testing includes both quality assurance testing and user acceptance testing, although not combined.
D) System testing is incorrect. This relates a series of tests by the test team or system maintenance staff to ensure that the modified program interacts correctly with other components.
System testing references the functional requirements of the system.
A) Unit testing is incorrect. This references the detailed design of the system and uses a set of cases that focus on the control structure of the procedural design to ensure that the internal operation of the program performs according to specification.

Q98) An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
A) Commands typed on the command line are logged.
B) Access to the operating system command line is granted through an access restriction tool with preapproved rights.
C) Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.
D) Software development tools and compilers have been removed from the production environment.
- CORRECT ANSWER C) Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs is correct. The matching of hash keys over time would allow detection of changes to files.
A) Commands typed on the command line are logged is incorrect. Having a log is not a control; reviewing the log is a control.
B) Access to the operating system command line is granted through an access restriction tool with preapproved rights is incorrect. Because the access was already granted at the command line level, it will be possible for the developers to bypass the control.
D) Software development tools and compilers have been removed from the production environment is incorrect. Removing the tools from the production environment will not mitigate the risk of unauthorized activity by the developers.

Q99) Which of the following is the MOST effective control when granting temporary access to vendors?
A) Administrator access is provided for a limited period.
B) User IDs are deleted when the work is completed.
C) Vendor access corresponds to the service level agreement.
D) User accounts are created with expiration dates and are based on services provided.
- CORRECT ANSWER D) User accounts are created with expiration dates and are based on services provided is correct. The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (automated is best) associated with each unique ID. The use of an identity management system enforces temporary and permanent access for users, at the same time ensuring proper accounting of their activities.
C) Vendor access corresponds to the service level agreement is incorrect. The service level agreement may have a provision for providing access, but this is not a control; it would merely define the need for access.
A) Administrator access is provided for a limited period is incorrect. Vendors may require administrator access for a limited period during the time of service. However, it is important to ensure that the level of access granted is set according to least privilege and that access during this period is monitored.
B) User IDs are deleted when the work is completed is incorrect. Deleting these user IDs after the work is completed is necessary, but if not automated, the deletion could be overlooked. The access should only be granted at the level of work required.

Q100) When performing a review of a business process reengineering (BPR) effort, which of the following is of PRIMARY concern?
A) The audit department does not have a consulting role in the BPR effort.
B) Controls are eliminated as part of the streamlining BPR effort.
C) Resources are not adequate to support the BPR process.
D) The BPR effort includes employees with limited knowledge of the process area.
- CORRECT ANSWER B) Controls are eliminated as part of the streamlining business process reengineering (BPR) effort is correct. A primary risk of BPR is that controls are eliminated as part of the reengineering effort. This is the primary concern.
C) Resources are not adequate to support the BPR process is incorrect. The BPR process can be a resource-intensive initiative; however, the more important issue is whether critical controls are eliminated as a result of the BPR effort.
A) The audit department does not have a consulting role in the BPR effort is incorrect. Although BPR efforts often involve many different business functions, it is not a significant concern if audit is not involved, and, in most cases, it is not appropriate for audit to be involved in such an effort.

C) Masquerading is incorrect. This is an active attack in which the intruder presents an identity other than the original identity.
D) Denial-of-service is incorrect. This occurs when a computer connected to the Internet is flooded with data and/or requests that must be processed. This is an active attack.

Q104) Before implementing an IT balanced scorecard, an organization must:
A) deliver effective and efficient services.
B) provide business value to IT projects.
C) define key performance indicators.
D) control IT expenses.
- CORRECT ANSWER C) Define key performance indicators is correct. Because a balanced scorecard (BSC) is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC.
A) Deliver effective and efficient services is incorrect. A BSC is a method of specifying and measuring the attainment of strategic results. It will measure the delivery of effective and efficient services, but an organization may not have those in place prior to using a BSC.
B) Provide business value to IT projects is incorrect. A BSC will measure the value of IT to business, not the other way around.
D) Control IT expenses is incorrect.
A BSC will measure the performance of IT, but the control over IT expenses is not a key requirement for implementing a BSC.

Q105) When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment approaches is being applied?
A) Acceptance
B) Avoidance
C) Transfer
D) Mitigation
- CORRECT ANSWER D) Mitigation is correct. A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan, it is a risk mitigation strategy.
C) Transfer is incorrect. Risk transfer is the transference of risk to a third party (e.g., buying insurance for activities that pose a risk).
B) Avoidance is incorrect. Risk avoidance is the decision to cease operations or activities that give rise to a risk. For example, a company may stop accepting credit card payments to avoid the risk of credit card information disclosure.
A) Acceptance is incorrect. Risk acceptance occurs when an organization decides to accept the risk as it is and to do nothing to mitigate or transfer it.

Q106) An IS auditor notes daily reconciliation of visitor access card inventory is not aligned with the organization's procedures. Which of the following is the auditor's BEST course of action?
A) Recommend regular physical inventory counts.
B) Do not report the lack of reconciliation.
C) Report the lack of daily reconciliations.
D) Recommend the implementation of a more secure access system.
- CORRECT ANSWER C) Report the lack of daily reconciliations is correct. The IS auditor should report the lack of daily reconciliation as an exception, because a physical inventory count gives assurance only at a point in time and the practice is not in compliance with management's mandated activity.
B) Do not report the lack of reconciliation is incorrect. Absence of discrepancy in the physical count only confirms absence of any impact but cannot be a reason to overlook failure of operation of the control. The issue should be reported because the control was not followed.
A) Recommend regular physical inventory counts is incorrect. While the IS auditor may in some cases recommend a change in procedures, the primary goal is to observe and report when the current process is deficient.
D) Recommend the implementation of a more secure access system is incorrect. While the IS auditor may in some cases recommend a more secure solution, the primary goal is to observe and report when the current process is deficient.

Q107) While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should:
A) perform an access review.
B) perform a risk assessment.
C) discuss the issue with the service provider.
D) report the issue to IT management.
- CORRECT ANSWER D) Report the issue to IT management is correct. During an audit, if there are material issues that are of concern, they need to be reported to management in the audit report.
C) Discuss the issue with the service provider is incorrect. The IS auditor may discuss the issue with the service provider; however, the appropriate response is to report the issue to IT management because they are ultimately responsible.
B) Perform a risk assessment is incorrect. This issue can serve as an input for a future risk assessment, but the issue of noncompliance should be reported to management regardless of whether the IS auditor believes there is a significant risk.

C) Review monthly performance reports generated by the Internet service provider (ISP) is incorrect. The reports from the ISP are indirect evidence that may require further review to ensure accuracy and completeness.
B) Research other clients of the ISP is incorrect.
The services provided to other clients of the ISP are irrelevant to the IS auditor.

Q111) The BEST audit procedure to determine if unauthorized changes have been made to production code is to:
A) examine the change control system records and trace them forward to object code files.
B) review access control permissions operating within the production program libraries.
C) examine object code to find instances of changes and trace them back to change control records.
D) review change approved designations established within the change control system.
- CORRECT ANSWER C) Examine object code to find instances of changes and trace them back to change control records is correct. The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes.
A) Examine the change control system records and trace them forward to object code files is incorrect. Checking the change control system will not detect changes that were not recorded in the control system.
B) Review access control permissions operating within the production program libraries is incorrect. Reviewing access control permissions will not identify unauthorized changes made previously.
D) Review change approved designations established within the change control system is incorrect. Reviewing change approved designations will not identify unauthorized changes.

Q112) Corporate IT policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation?
A) Have the current configuration approved by operations management.
B) Ensure that there is an audit trail for all existing accounts.
C) Amend the IT policy to allow shared accounts.
D) Implement individual user accounts for all staff.
- CORRECT ANSWER D) Implement individual user accounts for all staff is correct.
Individual user accounts allow for accountability of transactions and should be the most important recommendation, given the current scenario.
A) Have the current configuration approved by operations management is incorrect. Having the current configuration approved is a recommendation that is not in compliance with the enterprise's own policy and would violate good practice.
B) Ensure that there is an audit trail for all existing accounts is incorrect. Having an audit trail for existing shared accounts would not provide accountability or resolve the problem of noncompliance with policy.
C) Amend the IT policy to allow shared accounts is incorrect. Shared user IDs do not allow for accountability of transactions and would not reflect good practice.

Q113) After installing a network, an organization implemented a vulnerability assessment tool to identify possible weaknesses. Which type of reporting poses the MOST serious risk associated with such tools?
A) False-positive
B) Less-detail
C) Differential
D) False-negative
- CORRECT ANSWER D) False-negative is correct. This type of reporting on weaknesses means the control weaknesses in the network are not identified and, therefore, may not be addressed, leaving the network vulnerable to attack.
C) Differential is incorrect. This reporting function, provided by the tool, compares scan results over a period of time.
A) False-positive is incorrect. This type of reporting is one in which the system falsely reports a vulnerability. Controls may be in place but are evaluated as weak, which should prompt a rechecking of the controls.
B) Less-detail is incorrect. This type of reporting would require additional tools or analysis to determine the existence and severity of vulnerabilities.

Q114) Information for detecting unauthorized input from a user workstation would be BEST provided by the:
A) user error report.
B) transaction journal.
C) automated suspense file listing.
D) console log printout.
- CORRECT ANSWER B) Transaction journal is correct. The transaction journal records all transaction activity, which then can be compared to the authorized source documents to identify any unauthorized input.
D) Console log printout is incorrect. This is not the best choice because it does not record activity from a specific terminal.
C) Automated suspense file listing is incorrect. This lists only transaction activity where an edit error occurred.
A) User error report is incorrect. This lists only input that resulted in an edit error and does not record improper user input.

C) Reduction of human resources needed to support the audit is incorrect. Although the burden on human resources to support the audit may decrease if the IS auditor directly extracts the data, this advantage is not as significant as the increased data validity.
B) Reduction in the time to have access to the information is incorrect. This will not necessarily reduce the time to have access to the information because time will need to be scheduled for training and granting access.
A) Greater flexibility for the audit department is incorrect. There may be more flexibility for the IS auditor to adjust the data extracts to meet various audit requirements; however, this is not the main advantage.

Q118) Which of the following does a lack of adequate security controls represent?
A) Threat
B) Asset
C) Vulnerability
D) Impact
- CORRECT ANSWER C) Vulnerability is correct. The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This can result in a loss of sensitive information and lead to the loss of goodwill for the organization.
A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the "potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets." The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability.
A) Threat is incorrect. A threat is anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. A threat exists regardless of controls or a lack of controls.
B) Asset is incorrect. An asset is something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation. The asset value is not affected by a lack of controls.
D) Impact is incorrect. Impact represents the outcome or result of a threat exploiting a vulnerability. A lack of controls would lead to a higher impact, but the lack of controls is defined as a vulnerability, not an impact.

Q119) Which of the following would an IS auditor consider to be the MOST important to review when conducting a disaster recovery audit?
A) Insurance coverage is adequate and premiums are current.
B) A hot site is contracted for and available as needed.
C) Data backups are performed timely and stored offsite.
D) A business continuity manual is available and current.
- CORRECT ANSWER C) Data backups are performed timely and stored offsite is correct. Without data to process, all other components of the recovery effort are in vain. Even in the absence of a plan, recovery efforts of any type would not be practical without data to process.
B) A hot site is contracted for and available as needed is incorrect. A hot site is important, but it is of no use if there are no data backups for it.
D) A business continuity manual is available and current is incorrect. A business continuity manual is advisable but not most important in a disaster recovery audit.
A) Insurance coverage is adequate and premiums are current is incorrect. Insurance coverage should be adequate to cover costs but is not as important as having the data backup.

Q120) During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor's GREATEST concern?
A) The policy for data backup and retention has not been reviewed by the business owner for the past three years.
B) Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator.
C) Restoration testing for backup media is not performed; however, all data restore requests have been successful.
D) The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually.
- CORRECT ANSWER D) The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually is correct. For a company working with confidential patient data, the loss of a backup tape is a significant incident. Privacy laws specify severe penalties for such an event, and the company's reputation could be damaged due to mandated reporting requirements. To gain assurance that tapes are being handled properly, the organization should perform audit tests that include frequent physical inventories and an evaluation of the controls in place at the third-party provider.
C) Restoration testing for backup media is not performed; however, all data restore requests have been successful is incorrect. Lack of restoration testing does not increase the risk of unauthorized leakage of information.
Not performing restoration tests on backup tapes poses a risk; however, this risk is somewhat mitigated because past data restore requests have been successful.
A) The policy for data backup and retention has not been reviewed by the business owner for the past three years is incorrect. Lack of review of the data backup and retention policy may be of concern if systems and business processes have changed in the past three years. The IS auditor should perform additional procedures to verify the validity of existing procedures. In addition, lack of this control does not introduce a risk of unauthorized leakage of information.

this time off, it may be possible to discover any fraudulent activity that was taking place.
B) Ensure that the employee maintains a good quality of life, which will lead to greater productivity is incorrect. Maintaining a good quality of life is important, but the primary reason for a mandatory vacation is to catch fraud or errors.
A) Provide proper cross-training for another employee is incorrect. Providing cross-training is an important management function, but the primary reason for mandatory vacations is to detect fraud or errors.
C) Eliminate the potential disruption caused when an employee takes vacation one day at a time is incorrect. Enforcing a rule that all vacations must be taken a week at a time is a management decision but not related to a mandatory vacation policy. The primary reason for mandatory vacations is to detect fraud or errors.

Q124) Which of the following is BEST suited for secure communications within a small group?
A) Key distribution center
B) Web of trust
C) Kerberos Authentication System
D) Certificate authority
- CORRECT ANSWER B) Web of trust is correct. This is a key distribution method suitable for communication in a small group. It is used by tools such as pretty good privacy and distributes the public keys of users within a group.
A) Key distribution center is incorrect.
This is a part of a Kerberos implementation suitable for internal communication for a large group within an institution, and it will distribute symmetric keys for each session.
D) Certificate authority is incorrect. This is a trusted third party that ensures the authenticity of the owner of the certificate. This is necessary for large groups and formal communication.
C) Kerberos Authentication System is incorrect. This extends the function of a key distribution center by generating "tickets" to define the facilities on networked machines, which are accessible to each user.

Q125) Due to a reorganization, a business application system will be extended to other departments. Which of the following should be of the GREATEST concern for an IS auditor?
A) Process owners have not been identified.
B) Multiple application owners exist.
C) The billing cost allocation method has not been determined.
D) A training program does not exist.
- CORRECT ANSWER A) Process owners have not been identified is correct. When one application is expanded to multiple departments, it is important to ensure the mapping between the process owner and system functions. The absence of a defined process owner may cause issues with monitoring or authorization controls.
C) The billing cost allocation method has not been determined is incorrect. The allocation method of application usage cost is of less importance.
B) Multiple application owners exist is incorrect. The fact that multiple application owners exist is not a concern for an IS auditor as long as process owners have been identified.
D) A training program does not exist is incorrect. The fact that a training program does not exist is only a minor concern for the IS auditor.

Q126) During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
A) only systems administrators perform the patch process.
B) the client's change management process is adequate.
C) patches are validated using parallel testing in production.
D) an approval process of the patch, including a risk assessment, is developed.
- CORRECT ANSWER B) The client's change management process is adequate is correct. The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly.
A) Only systems administrators perform the patch process is incorrect. While system administrators would normally install patches, it is more important that changes be made according to a formal procedure that includes testing and implementing the change during nonproduction times.
C) Patches are validated using parallel testing in production is incorrect. While patches would normally undergo testing, it is often impossible to test all patches thoroughly. It is more important that changes be made during nonproduction times, and that a backout plan is in place in case of problems.
D) An approval process of the patch, including a risk assessment, is developed is incorrect. An approval process alone could not directly prevent this type of incident from happening. There should be a complete change management process that includes testing, scheduling and approval.

Q127) An IS auditor is reviewing Secure Sockets Layer enabled web sites for the company. Which of the following choices would be the HIGHEST risk?
A) Self-signed digital certificates
B) Expired digital certificates
C) Using the same digital certificate for multiple web sites