CISA Exam 388 Questions with Verified Answers

Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?
a. Parity check
b. Echo check
c. Block sum check
d. Cyclic redundancy check
- CORRECT ANSWER d. Cyclic redundancy check

Which of the following issues associated with a data center's closed circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?
A. CCTV recordings are not regularly reviewed.
B. CCTV records are deleted after one year.
C. CCTV footage is not recorded 24 x 7.
D. CCTV cameras are not installed in break rooms.
- CORRECT ANSWER A. CCTV recordings are not regularly reviewed.

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:
A. a clear business case has been established.
B. the new hardware meets established security standards.
C. a full, visible audit trail will be included.
D. the implementation plan meets user requirements.
- CORRECT ANSWER A. a clear business case has been established.

An organization is implementing a new system that supports a month-end business process. Which of the following implementation strategies would be MOST efficient to decrease business downtime?
A. Cutover
B. Phased
C. Pilot
D. Parallel
- CORRECT ANSWER C. Pilot

Which of the following is the BEST way to ensure that an application is performing according to its specifications?
A. Pilot testing
B. System testing
C. Integration testing
D. Unit testing
- CORRECT ANSWER C. Integration testing

An employee loses a mobile device resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?
A. Data encryption on the mobile device
B. The triggering of remote data wipe capabilities
C. Awareness training for mobile device users
D. Complex password policy for mobile devices
- CORRECT ANSWER A. Data encryption on the mobile device

During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:
A. cost-benefit analysis.
B. acceptance testing.
C. application test cases.
D. project plans.
- CORRECT ANSWER C. application test cases.

Upon completion of audit work, an IS auditor should:
A. provide a report to the auditee stating the initial findings.
B. provide a report to senior management prior to discussion with the auditee.
C. distribute a summary of general findings to the members of the auditing team.
D. review the working papers with the auditee.
- CORRECT ANSWER A. provide a report to the auditee stating the initial findings.

During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same areas simultaneously, which of the following is the BEST approach to optimize resources?
A. Leverage the work performed by external audit for the internal audit testing.
B. Ensure both the internal and external auditors perform the work simultaneously.
C. Roll forward the general controls audit to the subsequent audit year.

Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?
A. Number of successful penetration tests
B. Percentage of protected business applications
C. Number of security vulnerability patches
D. Financial impact per security event
- CORRECT ANSWER B. Percentage of protected business applications

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?
A. Mobile devices are not encrypted.
B. Users are not required to sign updated acceptable use agreements.
C. The business continuity plan (BCP) was not updated.
D. Users have not been trained on the new system.
- CORRECT ANSWER C. The business continuity plan (BCP) was not updated.

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?
A. Data loss prevention (DLP) system
B. Perimeter firewall
C. Network segmentation
D. Web application firewall
- CORRECT ANSWER C. Network segmentation

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:
A. channel access only through the public-facing firewall.
B. channel access through authentication.
C. communicate via Transport Layer Security (TLS).
D. block authorized users from unauthorized activities.
- CORRECT ANSWER C. communicate via Transport Layer Security (TLS).

During audit fieldwork, an IS auditor learns that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?
A. Verify the data loss prevention (DLP) tool is properly configured by the organization.
B. Review compliance with data loss and applicable mobile device user acceptance policies.
C. Verify employees have received appropriate mobile device security awareness training.
D. Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.
- CORRECT ANSWER B. Review compliance with data loss and applicable mobile device user acceptance policies.

Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?
A. Implementation methodology
B. Test results
C. Purchasing guidelines and policies
D. Results of live processing
- CORRECT ANSWER D. Results of live processing

Which of the following is an advantage of using agile software development methodology over the waterfall methodology?
A. Quicker end user acceptance
B. Clearly defined business expectations
C. Quicker deliverables
D. Less funding required overall
- CORRECT ANSWER C. Quicker deliverables

In an online application, which of the following would provide the MOST information about the transaction audit trail?
A. File layouts
B. Data architecture
C. System/process flowchart
D. Source code documentation
- CORRECT ANSWER B. Data architecture

On a public-key cryptosystem when there is no previous knowledge between parties, which of the following will BEST help to prevent one person from using a fictitious key to impersonate someone else?
A. Send a certificate that can be verified by a certification authority with the public key.
B. Encrypt the message containing the sender's public key, using the recipient's public key.
C. Send the public key to the recipient prior to establishing the connection.
D. Encrypt the message containing the sender's public key, using a private-key cryptosystem.
- CORRECT ANSWER A. Send a certificate that can be verified by a certification authority with the public key.

Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?
A. Results of a risk assessment
B. Policies including BYOD acceptable use statements
C. Findings from prior audits
D. An inventory of personal devices to be connected to the corporate network
- CORRECT ANSWER A. Results of a risk assessment

Which audit approach is MOST helpful in optimizing the use of IS audit resources?
A. Agile auditing
B. Continuous auditing
C. Risk-based auditing
D. Outsourced auditing
- CORRECT ANSWER C. Risk-based auditing

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?
A. Failover power
B. Clustering
C. Parallel testing
D. Redundant pathways
- CORRECT ANSWER B. Clustering

During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?
A. Request management wait until a final report is ready for discussion.
B. Request the auditee provide management responses.
C. Review working papers with the auditee.

C. Examine the computer to search for evidence supporting the suspicions.
D. Notify local law enforcement of the potential crime before further investigation.
- CORRECT ANSWER A. Contact the incident response team to conduct an investigation.

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?
A. Knowledge of the IT staff regarding data protection requirements
B. Complete and accurate list of information assets that have been deployed
C. Segregation of duties between staff ordering and staff receiving information assets
D. Availability and testing of onsite backup generators
- CORRECT ANSWER B. Complete and accurate list of information assets that have been deployed

Providing security certification for a new system should include which of the following prior to the system's implementation?
A. End-user authorization to use the system in production
B. Testing of the system within the production environment
C. An evaluation of the configuration management practices
D. External audit sign-off on financial controls
- CORRECT ANSWER C. An evaluation of the configuration management practices

Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
A. Create the DLP policies and templates.
B. Conduct a threat analysis against sensitive data usage.
C. Conduct a data inventory and classification exercise.
D. Identify approved data workflows across the enterprise.
- CORRECT ANSWER C. Conduct a data inventory and classification exercise.

The success of control self-assessment depends highly on:
a. line managers assuming a portion of the responsibility for control monitoring.
b. assigning staff managers the responsibility for building controls.
c. the implementation of a stringent control policy and rule-driven controls.
d. the implementation of supervision and monitoring of controls of assigned duties.
- CORRECT ANSWER a. line managers assuming a portion of the responsibility for control monitoring.

During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
a. address audit objectives.
b. collect sufficient evidence.
c. specify appropriate tests.
d. minimize audit resources.
- CORRECT ANSWER a. address audit objectives.

A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?
a. Key verification
b. One-for-one checking
c. Manual recalculations
d. Functional acknowledgements
- CORRECT ANSWER d. Functional acknowledgements

When developing a risk management program, what is the FIRST activity to be performed?
a. Threat assessment
b. Classification of data
c. Inventory of assets
d. Criticality analysis
- CORRECT ANSWER c. Inventory of assets

Which of the following situations could impair the independence of an IS auditor? The IS auditor:
a. implemented specific functionality during the development of an application.
b. designed an embedded audit module for auditing an application.
c. participated as a member of an application project team and did not have operational responsibilities.
d. provided consulting advice concerning application good practices.
- CORRECT ANSWER a. implemented specific functionality during the development of an application.

When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?
a. The point at which controls are exercised as data flow through the system
b. Only preventive and detective controls are relevant
c. Corrective controls are regarded as compensating
d. Classification allows an IS auditor to determine which controls are missing
- CORRECT ANSWER a. The point at which controls are exercised as data flow through the system

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:
a. ask the auditee to sign a release form accepting full legal responsibility.
b. elaborate on the significance of the finding and the risk of not correcting it.
c. report the disagreement to the audit committee for resolution.
d. accept the auditee's position because they are the process owners.
- CORRECT ANSWER b. elaborate on the significance of the finding and the risk of not correcting it.

During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should:
a. create the procedures document based on the practices.
b. issue an opinion of the current state and end the audit.
c. conduct compliance testing on available data.
d. identify and evaluate existing practices.
- CORRECT ANSWER d. identify and evaluate existing practices.

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
a. Overlapping controls
b. Boundary controls
c. Access controls
d. Compensating controls
- CORRECT ANSWER d. Compensating controls

For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk?
a. Use of computer-assisted audit techniques
b. Quarterly risk assessments
c. Sampling of transaction logs
d. Continuous auditing
- CORRECT ANSWER d. Continuous auditing

b. Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence.
c. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.
d. Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the
- CORRECT ANSWER c. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.

Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process?
a. Participating in the design of the risk management framework
b. Advising on different implementation techniques
c. Facilitating risk awareness training
d. Performing due diligence of the risk management processes
- CORRECT ANSWER a. Participating in the design of the risk management framework

While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the:
a. effectiveness of the QA function because it should interact between project management and user management.
b. efficiency of the QA function because it should interact with the project implementation team.
c. effectiveness of the project manager because the project manager should interact with the QA function.
d. efficiency of the project manager because the QA function needs to communicate with the project implementation team.
- CORRECT ANSWER a. effectiveness of the QA function because it should interact between project management and user management.

Which of the following choices would be the BEST source of information when developing a risk-based audit plan?
a. Process owners identify key controls.
b. System custodians identify vulnerabilities.
c. Peer auditors understand previous audit results.
d. Senior management identify key business processes.
- CORRECT ANSWER d. Senior management identify key business processes.

Which of the following is in the BEST position to approve changes to the audit charter?
a. Board of directors
b. Audit committee
c. Executive management
d. Director of internal audit
- CORRECT ANSWER b. Audit committee

A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a:
a. directive control.
b. corrective control.
c. compensating control.
d. detective control.
- CORRECT ANSWER b. corrective control.

A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions more than a certain amount. What type of audit control is this?
a. Detective
b. Preventive
c. Corrective
d. Directive
- CORRECT ANSWER b. Preventive

Which of the following is the PRIMARY purpose of a risk-based audit?
a. High-impact areas are addressed first.
b. Audit resources are allocated efficiently.
c. Material areas are addressed first.
d. Management concerns are prioritized.
- CORRECT ANSWER c. Material areas are addressed first.

In a small organization, the function of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario?
a. Hiring additional staff to provide segregation of duties
b. Preventing the release manager from making program modifications
c. Logging of changes to development libraries
d. Verifying that only approved program changes are implemented
- CORRECT ANSWER d. Verifying that only approved program changes are implemented

Which of the following is MOST likely to be considered a conflict of interest for an IS auditor who is reviewing a cybersecurity implementation?
a. Delivering cybersecurity awareness training
b. Designing the cybersecurity controls
c. Advising on the cybersecurity framework
d. Conducting the vulnerability assessment
- CORRECT ANSWER b. Designing the cybersecurity controls

Which of the following is MOST important for an IS auditor to understand when auditing an e-commerce environment?
a. The technology architecture of the e-commerce environment
b. The policies, procedures and practices forming the control environment
c. The nature and criticality of the business process supported by the application
d. Continuous monitoring of control measures for system availability and reliability
- CORRECT ANSWER c. The nature and criticality of the business process supported by the application

An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank's financial risk is properly addressed, the IS auditor will most likely review which of the following?
a. Privileged access to the wire transfer system
b. Wire transfer procedures
c. Fraud monitoring controls
d. Employee background checks
- CORRECT ANSWER b. Wire transfer procedures

An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. This logging is:
a. an effective preventive control.
b. a valid detective control.
c. not an adequate control.
d. a corrective control.
- CORRECT ANSWER c. not an adequate control.

d. the tolerable error rate cannot be determined.
- CORRECT ANSWER a. the probability of error must be objectively quantified.

The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors?
a. Stop-or-go
b. Classical variable
c. Discovery
d. Probability-proportional-to-size
- CORRECT ANSWER c. Discovery

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?
a. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
b. Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
c. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
d. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.
- CORRECT ANSWER a. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.

An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings?
a. System configuration values imported to a spreadsheet by the system administrator
b. Standard report with configuration values retrieved from the system by the IS auditor
c. Dated screenshot of the system configuration settings made available by the system administrator
d. Annual review of approved system configuration values by the business owner
- CORRECT ANSWER b. Standard report with configuration values retrieved from the system by the IS auditor

Which of the following will MOST successfully identify overlapping key controls in business application systems?
a. Reviewing system functionalities that are attached to complex business processes
b. Submitting test transactions through an integrated test facility
c. Replacing manual monitoring with an automated auditing solution
d. Testing controls to validate that they are effective
- CORRECT ANSWER c. Replacing manual monitoring with an automated auditing solution

Which of the following should be the FIRST action of an IS auditor during a dispute with a department manager over audit findings?
a. Retest the control to validate the finding.
b. Engage a third party to validate the finding.
c. Include the finding in the report with the department manager's comments.
d. Revalidate the supporting evidence for the finding.
- CORRECT ANSWER

An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed, and the backup restarts cannot be confirmed. What should the IS auditor do?
a. Issue an audit finding.
b. Seek an explanation from IS management.
c. Review the classifications of data held on the server.
d. Expand the sample of logs reviewed.
- CORRECT ANSWER d. Expand the sample of logs reviewed.

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control?
a. Walk-through with the reviewer of the operation of the control
b. System-generated exception reports for the review period with the reviewer's sign-off
c. A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer
d. Management's confirmation of the effectiveness of the control for the review period
- CORRECT ANSWER c. A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer

Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?
a. Managing audit staff
b. Allocating resources
c. Project management
d. Attention to detail
- CORRECT ANSWER c. Project management

An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT auditor to take?
a. Discuss the finding with the IT auditor's manager.
b. Retest the control to confirm the finding.
c. Elevate the risk associated with the control.
d. Discuss the finding with the auditee's manager.
- CORRECT ANSWER a. Discuss the finding with the IT auditor's manager.

Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems?
a. To collect evidence while transactions are processed
b. To reduce requirements for periodic internal audits
c. To identify and report fraudulent transactions
d. To increase efficiency of the audit function
- CORRECT ANSWER a. To collect evidence while transactions are processed

Which of the following sampling methods is the MOST appropriate for testing automated invoice authorization controls to ensure that exceptions are not made for specific users?
a. Variable sampling
b. Judgmental sampling
c. Stratified random sampling
d. Systematic sampling
- CORRECT ANSWER

b. investigating various communication channels.
c. understanding the responsibilities and authority of individuals.
d. investigating the network connected to different employees.
- CORRECT ANSWER c. understanding the responsibilities and authority of individuals.

The PRIMARY objective of implementing corporate governance is to:
a. provide strategic direction.
b. control business operations.
c. align IT with business.
d. implement good practices.
- CORRECT ANSWER a. provide strategic direction.

Which of the following is the MOST important element for the successful implementation of IT governance?
a. Implementing an IT scorecard
b. Identifying organizational strategies
c. Performing a risk assessment
d. Creating a formal security policy
- CORRECT ANSWER b. Identifying organizational strategies

A benefit of open system architecture is that it:
a. facilitates interoperability within different systems.
b. facilitates the integration of proprietary components.
c. will be a basis for volume discounts from equipment vendors.
d. allows for the achievement of more economies of scale for equipment.
- CORRECT ANSWER a. facilitates interoperability within different systems.

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?
a. Three users with the ability to capture and verify their own messages
b. Five users with the ability to capture and send their own messages
c. Five users with the ability to verify other users and to send their own messages
d. Three users with the ability to capture and verify the messages of other users and to send their own messages
- CORRECT ANSWER a. Three users with the ability to capture and verify their own messages

As a driver of IT governance, transparency of IT's cost, value, and risk is primarily achieved through:
a. performance measurement.
b. strategic alignment.
c. value delivery.
d. resource management.
- CORRECT ANSWER a. performance measurement.

Which of the following IT governance good practices improves strategic alignment?
a. Supplier and partner risk is managed.
b. A knowledge base on customers, products, markets and processes is in place.
c. A structure is provided that facilitates the creation and sharing of business information.
d. Top management mediates between the imperatives of business and technology.
- CORRECT ANSWER d. Top management mediates between the imperatives of business and technology.

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:
a. control self-assessments.
b. a business impact analysis.
c. an IT balanced scorecard.
d. business process reengineering.
- CORRECT ANSWER c. an IT balanced scorecard.

An IS auditor is reviewing an IT security risk management program. Measures of security risk should:
a. address all of the network risk.
b. be tracked over time against the IT strategic plan.
c. consider the entire IT environment.
d. result in the identification of vulnerability tolerances.
- CORRECT ANSWER c. consider the entire IT environment.

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:
a. incorporates state of the art technology.
b. addresses the required operational controls.
c. articulates the IT mission and vision.
d. specifies project management practices.
- CORRECT ANSWER c. articulates the IT mission and vision.

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should:
a. recommend that this separate project be completed as soon as possible.
b. report this issue as a finding in the audit report.
c. recommend the adoption of the Zachman framework.
d. re-scope the audit to include the separate project as part of the current audit.
- CORRECT ANSWER b. report this issue as a finding in the audit report.

After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented?
a. A cost-benefit analysis
b. An annual loss expectancy calculation
c. A comparison of the cost of the IPS and firewall and the cost of the business systems
d. A business impact analysis
- CORRECT ANSWER a. A cost-benefit analysis

When developing a formal enterprise security program, the MOST critical success factor is the:
a. establishment of a review board.
b. creation of a security unit.
c. effective support of an executive sponsor.
d. selection of a security process owner.
- CORRECT ANSWER c. effective support of an executive sponsor.

Which of the following is normally a responsibility of the chief information security officer?
a. Periodically reviewing and evaluating the security policy
b. Executing user application and software testing and evaluation
c. Granting and revoking user access to IT resources

a. Minimizing costs for the services provided
b. Prohibiting the provider from subcontracting services
c. Evaluating the process for transferring knowledge to the IT department
d. Determining if the services were provided as contracted
- CORRECT ANSWER d. Determining if the services were provided as contracted

Which of the following is the PRIMARY objective of an IT performance measurement process?
a. Minimize errors
b. Gather performance data
c. Establish performance baselines
d. Optimize performance
- CORRECT ANSWER d. Optimize performance

Which of the following goals do you expect to find in an organization's strategic plan?
a. Results of new software testing
b. An evaluation of information technology needs
c. Short-term project plans for a new planning system
d. Approved suppliers for products offered by the company
- CORRECT ANSWER d. Approved suppliers for products offered by the company

In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether:
a. there is an integration of IT and business personnel within projects.
b. there is a clear definition of the IT mission and vision.
c. a strategic information technology planning scorecard is in place.
d. the plan correlates business objectives to IT goals and objectives.
- CORRECT ANSWER a. there is an integration of IT and business personnel within projects.

An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:
a. a backup server is available to run ETCS operations with up-to-date data.
b. a backup server is loaded with all relevant software and data.
c. the systems staff of the organization is trained to handle any event.
d. source code of the ETCS application is placed in escrow.
- CORRECT ANSWER d. source code of the ETCS application is placed in escrow.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:
a. claims to meet or exceed industry security standards.
b. agrees to be subject to external security reviews.
c. has a good market reputation for service and experience.
d. complies with security policies of the organization.
- CORRECT ANSWER b. agrees to be subject to external security reviews.

Regarding the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor?
a. Core activities that provide a differentiated advantage to the organization have been outsourced.
b. Periodic renegotiation is not specified in the outsourcing contract.
c. The outsourcing contract fails to cover every action required by the business.
d. Similar activities are outsourced to more than one vendor.
- CORRECT ANSWER a. Core activities that provide a differentiated advantage to the organization have been outsourced.

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
a. dependency on a single person.
b. inadequate succession planning.
c. one person knowing all parts of a system.
d. a disruption of operations.
- CORRECT ANSWER c. one person knowing all parts of a system.

A decision support system is used to help high-level management:
a. solve highly structured problems.
b. combine the use of decision models with predetermined criteria.
c. make decisions based on data analysis and interactive models.
d. support only structured decision-making tasks.
- CORRECT ANSWER c. make decisions based on data analysis and interactive models.

An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise's security requirements?
a. The vendor provides the latest third-party audit report for verification.
b. The vendor provides the latest internal audit report for verification.
c. The vendor agrees to implement controls in alignment with the enterprise.
d. The vendor agrees to provide annual external audit reports in the contract.
- CORRECT ANSWER d. The vendor agrees to provide annual external audit reports in the contract.

During an audit, which of the following situations are MOST concerning for an organization that significantly outsources IS processing to a private network?
a. The contract does not contain a right-to-audit clause for the third party.
b. The contract was not reviewed by an information security subject matter expert prior to signing.
c. The IS outsourcing guidelines are not approved by the board of directors.
d. There is a lack of well-defined IS performance evaluation procedures.
- CORRECT ANSWER a. The contract does not contain a right-to-audit clause for the third party.

Which of the following does an IS auditor FIRST reference when performing an IS audit?
a. Implemented procedures
b. Approved policies
c. Internal standards
d. Documented practices
- CORRECT ANSWER b. Approved policies

While conducting an IS audit of a service provider for a government program involving confidential information, an IS auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met?
a. Monthly committee meetings include the subcontractor's IS manager
b. Management reviews weekly reports from the subcontractor
c.
Permission is obtained from the government agent regarding the contract An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: a. check to ensure that the type of transaction is valid for the card type. b. verify the format of the number entered, then locate it on the database. c. ensure that the transaction entered is within the cardholder's credit limit. d. confirm that the card is not shown as lost or stolen on the master file. - CORRECT ANSWER b. verify the format of the number entered, then locate it on the database. The most common reason for the failure of information systems to meet the needs of users is that: a. user needs are constantly changing. b. the growth of system requirements was forecast inaccurately. c. the hardware system limits the number of concurrent users. d. user participation in defining the system's requirements was inadequate. - CORRECT ANSWER d. user participation in defining the system's requirements was inadequate. The use of object-oriented design and development techniques would MOST likely: a. facilitate the ability to reuse modules. b. improve system performance. c. enhance control effectiveness. d. speed up the system development life cycle. - CORRECT ANSWER a. facilitate the ability to reuse modules. Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application? a. User management b. Project steering committee c. Senior management d. Quality assurance staff - CORRECT ANSWER a. User management Which of the following BEST helps to prioritize project activities and determine the time line for a project? a. A Gantt chart b. Earned value analysis c. Program evaluation review technique d. Function point analysis - CORRECT ANSWER c. 
Program evaluation review technique An IS auditor who is auditing the software acquisition process will ensure that the: a. contract is reviewed and approved by the legal counsel before it is signed. b. requirements cannot be met with the systems already in place. c. requirements are found to be critical for the business. d. user participation is adequate in the process. - CORRECT ANSWER a. contract is reviewed and approved by the legal counsel before it is signed. An organization is implementing an enterprise resource planning application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? a. Project sponsor b. System development project team c. Project steering committee d. User project team - CORRECT ANSWER c. Project steering committee An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function? a. Advise on the adoption of application controls to the new database software. b. Provide future estimates of the licensing expenses to the project team. c. Recommend to the project manager how to improve the efficiency of the migration. d. Review the acceptance test case documentation - CORRECT ANSWER d. Review the acceptance test case documentation before the tests are carried out. When reviewing an active project, an IS auditor observed that the business case was no longer valid because of a reduction in anticipated benefits and increased costs. The IS auditor should recommend that the: a. project be discontinued. b. business case be updated and possible corrective actions be identified. c. project be returned to the project sponsor for reapproval. d. project be completed and the business case be updated later. - CORRECT ANSWER b. 
business case be updated and possible corrective actions be identified. An IS auditor performing a review of a major software development project finds that it is on schedule and under budget even though the software developers have worked considerable amounts of unplanned overtime. The IS auditor should: a. conclude that the project is progressing as planned because dates are being met. b. question the project manager further to identify whether overtime costs are being tracked accurately. c. conclude that the programmers are intentionally working slowly to earn ex - CORRECT ANSWER d. investigate further to determine whether the project plan may not be accurate. Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project? a. System owners b. System users c. System designers d. System builders - CORRECT ANSWER a. System owners An IS auditor is reviewing the software development capabilities of an organization that has adopted the agile methodology. The IS auditor would be the MOST concerned if: a. certain project iterations produce proof-of-concept deliverables and unfinished code. b. application features and development processes are not extensively documented. c. software development teams continually re-plan each step of their major projects. d. project managers do not manage project resources, leaving that to proj - CORRECT ANSWER a. certain project iterations produce proof-of-concept deliverables and unfinished code. Which of the following is the PRIMARY purpose for conducting parallel testing? a. To determine whether the system is cost-effective b. To enable comprehensive unit and system testing c. To highlight errors in the program interfaces with files d. To ensure the new system meets user requirements - CORRECT ANSWER d. 
To ensure the new system meets user requirements At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should: a. report the error as a finding and leave further exploration to the auditee's discretion. b. attempt to resolve the error. c. recommend that problem resolution be escalated. d. ignore the error because it is not possible to get objective evidence for the software error. - CORRECT ANSWER c. recommend that problem resolution be escalated. The GREATEST advantage of rapid application development over the traditional system development life cycle is that it: a. facilitates user involvement. b. allows early testing of technical features. c. facilitates conversion to the new system. d. shortens the development time frame. - CORRECT ANSWER d. shortens the development time frame. The editing/validation of data entered at a remote site is performed MOST effectively at the: a. central processing site after running the application system. b. central processing site during the running of the application system. c. remote processing site after transmission of the data to the central processing site. d. remote processing site prior to transmission of the data to the central processing site. - CORRECT ANSWER d. remote processing site prior to transmission of the data to the central processing site. When implementing an application software package, which of the following presents the GREATEST risk? a. Uncontrolled multiple software versions b. Source programs that are not synchronized with object code c. Incorrectly set parameters d. Programming errors - CORRECT ANSWER c. Incorrectly set parameters Which of the following is an advantage of an integrated test facility (ITF)? a. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction. b. 
Periodic testing does not require separate test processes. c. It validates application systems and ensures the correct operation of the system. d. The need to prepare test data is eliminated. - CORRECT ANSWER b. Periodic testing does not require separate test processes. During the development of an application, quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be: a. increased maintenance. b. improper documentation of testing. c. improper acceptance of a program. d. delays in problem resolution. - CORRECT ANSWER c. improper acceptance of a program. Which of the following is the most important element in the design of a data warehouse? a. Quality of the metadata b. Speed of the transactions c. Volatility of the data d. Vulnerability of the system - CORRECT ANSWER a. Quality of the metadata A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of: a. validation controls. b. internal credibility checks. c. clerical control procedures. d. automated systems balancing. - CORRECT ANSWER d. automated systems balancing. Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems? a. Parallel testing b. Pilot testing c. Interface/integration testing d. Sociability testing - CORRECT ANSWER d. Sociability testing In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as: a. isolation. b. consistency. c. atomicity. d. durability. - CORRECT ANSWER c. atomicity. 
A failure discovered in which of the following testing stages would have the GREATEST impact on the implementation of new application software?
a. System testing
b. Acceptance testing
c. Integration testing
d. Unit testing
- CORRECT ANSWER b. Acceptance testing

When two or more systems are integrated, the IS auditor must review input/output controls in the:
a. systems receiving the output of other systems.
b. systems sending output to other systems.
c. systems sending and receiving data.
d. interfaces between the two systems.
- CORRECT ANSWER c. systems sending and receiving data.

An advantage in using a bottom-up vs. a top-down approach to software testing is that:

An organization is migrating from a legacy system to an enterprise resource planning system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
a. correlation of semantic characteristics of the data migrated between the two systems.
b. correlation of arithmetic characteristics of the data migrated between the two systems.
c. correlation of functional characteristics of the processes between the two systems.
d. relative effi
- CORRECT ANSWER a. correlation of semantic characteristics of the data migrated between the two systems.

During a postimplementation review, which of the following activities should be performed?
a. User acceptance testing
b. Return on investment analysis
c. Activation of audit trails
d. Updates of the state of enterprise architecture diagram
- CORRECT ANSWER b. Return on investment analysis

The specific advantage of white box testing is that it:
a. verifies a program can operate successfully with other parts of the system.
b. ensures a program's functional operating effectiveness without regard to the internal program structure.
c. determines procedural accuracy or conditions of a program's specific logic paths.
d. examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.
- CORRECT ANSWER c. determines procedural accuracy or conditions of a program's specific logic paths.

Which of the following test techniques would the IS auditor use to identify specific program logic that has not been tested?
a. A snapshot
b. Tracing and tagging
c. Logging
d. Mapping
- CORRECT ANSWER d. Mapping

A small company cannot segregate duties between its development processes and its change control function. What is the BEST way to ensure that the tested code that is moved into production is the same?
a. Release management software
b. Manual code comparison
c. Regression testing in preproduction
d. Management approval of changes
- CORRECT ANSWER a. Release management software

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented?
a. The reporting of the mean time between failures over time
b. The overall mean time to repair failures
c. The first report of the mean time between failures
d. The overall response time to correct failures
- CORRECT ANSWER c. The first report of the mean time between failures

Results of a post-implementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application?
a. Load testing
b. Stress testing
c. Recovery testing
d. Volume testing
- CORRECT ANSWER a. Load testing

An organization recently deployed a customer relationship management application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed?
a. User acceptance testing
b. Project risk assessment
c. Post-implementation review
d. Management approval of the system
- CORRECT ANSWER c. Post-implementation review

Which of the following BEST helps an IS auditor assess and measure the value of a newly implemented system?
a. Review of business requirements
b. System certification
c. Post-implementation review
d. System accreditation
- CORRECT ANSWER c. Post-implementation review

An IS audit group has been involved in the integration of an automated audit tool kit with an existing enterprise resource planning system. Due to performance issues, the audit tool kit is not permitted to go live. What should the IS auditor's BEST recommendation be?
a. Review the implementation of selected integrated controls.
b. Request additional IS audit resources.
c. Request vendor technical support to resolve performance issues.
d. Review the results of stress tests during user acceptance
- CORRECT ANSWER d. Review the results of stress tests during user acceptance testing.

Regression testing is undertaken PRIMARILY to ensure that:
a. system functionality meets customer requirements.
b. a new system can operate in the target environment.
c. applicable development standards have been maintained.
d. applied changes have not introduced new errors.
- CORRECT ANSWER d. applied changes have not introduced new errors.

An IS auditor has been asked to review the implementation of a customer relationship management system for a large organization. The IS auditor discovered the project incurred significant over-budget expenses and scope creep caused the project to miss key dates. Which of the following should the IS auditor recommend for future projects?
a. Project management training
b. A software baseline
c. A balanced scorecard
d. Automated requirements software
- CORRECT ANSWER b. A software baseline

An IS auditor is performing a post-implementation review of an organization's system and identifies output errors within an accounting application. The IS auditor determined this was caused by input errors. Which of the following controls should the IS auditor recommend to management?
a. Recalculations

a. authorization of program changes.
b. creation date of a current object module.
c. number of program changes actually made.
d. creation date of a current source program.
- CORRECT ANSWER a. authorization of program changes.

Which of the following would help to ensure the portability of an application connected to a database?
a. Verification of database import and export procedures
b. Usage of a Structured Query Language
c. Analysis of stored procedures/triggers
d. Synchronization of the entity-relation model with the database physical schema
- CORRECT ANSWER b. Usage of a Structured Query Language

An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
a. Log all table update transactions.
b. Implement before-and-after image reporting.
c. Use tracing and tagging.
d. Implement integrity constraints in the database.
- CORRECT ANSWER d. Implement integrity constraints in the database.

Which of the following reports should an IS auditor use to check compliance with a service level agreement's requirement for uptime?
a. Utilization reports
b. Hardware error reports
c. System logs
d. Availability reports
- CORRECT ANSWER d. Availability reports

Which of the following is a prevalent risk in the development of end-user computing applications?
a. Applications may not be subject to testing and IT general controls.
b. Development and maintenance costs may be increased.
c. Application development time may be increased.
d. Decision-making may be impaired due to diminished responsiveness to requests for information.
- CORRECT ANSWER a. Applications may not be subject to testing and IT general controls.

An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
a. apply the patch according to the patch's release notes.
b. ensure that a good change management process is in place.
c. thoroughly test the patch before sending it to production.
d. approve the patch after doing a risk assessment.
- CORRECT ANSWER b. ensure that a good change management process is in place.

An IS auditor finds that a database administrator (DBA) has read and write access to production data. The IS auditor should:
a. accept the DBA access as a common practice.
b. assess the controls relevant to the DBA function.
c. recommend the immediate revocation of the DBA access to production data.
d. review user access authorizations approved by the DBA.
- CORRECT ANSWER b. assess the controls relevant to the DBA function.

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:
a. include the statement from management in the audit report.
b. verify the software is in use through testing.
c. include the item in the audit report.
d. discuss the issue with senior management because it could have a negative impact on the organization.
- CORRECT ANSWER b. verify the software is in use through testing.

In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table?
a. Foreign key
b. Primary key
c. Secondary key
d. Public key
- CORRECT ANSWER a. Foreign key

An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
a. Commands typed on the command line are logged.
b. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.
c. Access to the operating syste
- CORRECT ANSWER b. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.

Doing which of the following during peak production hours could result in unexpected downtime?
a. Performing data migration or tape backup
b. Performing preventive maintenance on electrical systems
c. Promoting applications from development to the staging environment
d. Reconfiguring a standby router in the data center
- CORRECT ANSWER b. Performing preventive maintenance on electrical systems

An IS auditor analyzing the audit log of a database management system finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violated?
a. Consistency
b. Isolation
c. Durability
d. Atomicity
- CORRECT ANSWER d. Atomicity

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
a. System log analysis
b. Compliance testing
c. Forensic analysis
d. Analytical review
- CORRECT ANSWER b. Compliance testing

An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a:
a. transition clauses from the old supplier to a new supplier or back to internal in the case of expiration or termination.
b. late payment clause between the customer and the supplier.
c. contractual commitment for service improvement.
d. dis
- CORRECT ANSWER a. transition clauses from the old supplier to a new supplier or back to internal in the case of expiration or termination.
What would be the MOST effective control for enforcing accountability among database users accessing sensitive information?
a. Implement a log management process.
b. Implement a two-factor authentication.
c. Use table views to access sensitive data.
d. Separate database and application servers.
- CORRECT ANSWER a. Implement a log management process.

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?
a. There are a growing number of emergency changes.
b. There were instances when some jobs were not completed on time.
c. There were instances when some jobs were overridden by computer operators.
d. Evidence shows that only scheduled jobs were run.
- CORRECT ANSWER c. There were instances when some jobs were overridden by computer operators.

A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk?
a. Confidentiality of the information stored in the database
b. The hardware being used to run the database
- CORRECT ANSWER b. The hardware being used to run the database application

An IS auditor determined that the IT manager recently changed the vendor that is responsible for performing maintenance on critical computer systems to cut costs. While the new vendor is less expensive, the new maintenance contract specifies a change in incident resolution time specified by the original vendor. Which of the following should be the GREATEST concern to the IS auditor?
a. Disaster recovery plans may be invalid and need to be revised.
b. Transactional business data may be lost in th
- CORRECT ANSWER d. Application owners were not informed of the change.

Which of the following is a MAJOR concern during a review of help desk activities?
a. Certain calls could not be resolved by the help desk team.
b. A dedicated line is not assigned to the help desk team.
c. Resolved incidents are closed without reference to end users.
d. The help desk instant messaging has been down for over six months.
- CORRECT ANSWER c. Resolved incidents are closed without reference to end users.

An IS auditor discovers that some hard drives disposed of by an enterprise were not sanitized in a manner that would reasonably ensure the data could not be recovered. In addition, the enterprise does not have a written policy on data disposal. The IS auditor should FIRST:
a. draft an audit finding and discuss it with the auditor in charge.
b. determine the sensitivity of the information on the hard drives.
c. discuss with the IT manager the good practices in data disposal.
d. develop an appropr
- CORRECT ANSWER b. determine the sensitivity of the information on the hard drives.

An organization has implemented an online customer help desk application using a software as a service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide?
a. Ask the SaaS vendor to provide a weekly report on application uptime.
b. Implement an online polling tool to monitor the application and record outages.
c.
- CORRECT ANSWER b. Implement an online polling tool to monitor the application and record outages.

During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend?
a. Implement a properly documented process for application role change requests.
b. Hire additional staff to provide a segregation of duties for application role changes.
c. Implement an automated process for changing applicati
- CORRECT ANSWER a. Implement a properly documented process for application role change requests.

An IS auditor is reviewing the change management process for an enterprise resource planning application. Which of the following is the BEST method for testing program changes?
a. Select a sample of change tickets and review them for authorization.
b. Perform a walk-through by tracing a program change from start to finish.
c. Trace a sample of modified programs to supporting change tickets.
d. Use query software to analyze all change tickets for missing fields.
- CORRECT ANSWER c. Trace a sample of modified programs to supporting change tickets.

During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor's GREATEST concern?
a. Restoration testing for backup media is not performed; however, all data restore requests have been successful.
b. The policy for data backup and retention has not been reviewed by the business owner for the past three years.
c. The company stores transcription backup t
- CORRECT ANSWER c. The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually.

The FIRST step in the execution of a problem management mechanism should be:
a. issue analysis.
b. exception ranking.
c. exception reporting.
d. root cause analysis.
- CORRECT ANSWER c. exception reporting.

a. Data ownership is retained by the customer organization.
b. The third-party provider reserves the right to access data to perform certain operations.
c. Bulk data withdrawal mechanisms are undefined.
d. The customer organiza
- CORRECT ANSWER b. The third-party provider reserves the right to access data to perform certain operations.

Which of the following is MOST important when an operating system patch is to be applied to a production environment?
a. Successful regression testing by the developer
b. Approval from the information asset owner
c. Approval from the security officer
d. Patch installation at alternate sites
- CORRECT ANSWER b. Approval from the information asset owner

An IS auditor finds that database administrators (DBAs) have access to the log location on the database server and the ability to purge logs from the system. What is the BEST audit recommendation to ensure that DBA activity is effectively monitored?
a. Change permissions to prevent DBAs from purging logs.
b. Forward database logs to a centralized log server to which the DBAs do not have access.
c. Require that critical changes to the database are formally approved.
d. Back up database logs to ta
- CORRECT ANSWER b. Forward database logs to a centralized log server to which the DBAs do not have access.

Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity?
a. Draft and publish a clear practice for enterprise-level incident response.
b. Establish a cross-departmental working group to share perspectives.
c. Develop a scenario and perform a structured walk-through.
d. Develop a project plan for end-to-end testing of disaster recovery.
- CORRECT ANSWER c. Develop a scenario and perform a structured walk-through.

An IS auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel?
a. Production access is granted to the individual support ID when needed.
b. Developers use a firefighter ID to promote code to production.
c. A dedicated user promotes emergency changes to production.
d. Emergency changes are authorized prior to promotion.
- CORRECT ANSWER a. Production access is granted to the individual support ID when needed.

An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access is required for smooth functioning of business operations, but this practice may not be addressed in the enterprise's access management policy. Which of the following controls would the IS auditor MOST likely recommend FIRST for long-term resolution?
a. Redesign of the controls related to data authorization.
b. Implementation of additional segregation of duties controls
- CORRECT ANSWER c. Amendment of the access management policy to document a formal exception process.

While reviewing the process for continuous monitoring of the capacity and performance of IT resources, an IS auditor should PRIMARILY ensure that the process is focused on:
a. adequately monitoring service levels of IT resources and services.
b. providing data to enable timely planning for capacity and performance requirements.
c. providing accurate feedback on IT resource capacity.
d. properly forecasting performance, capacity and throughput of IT resources.
- CORRECT ANSWER c. providing accurate feedback on IT resource capacity.

Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production?
a. Provide and monitor separate developer login IDs for programming and for production support.
b. Capture activities of the developer in the production environment by enabling detailed audit trails.
c. Back up all affected records before al
- CORRECT ANSWER a. Provide and monitor separate developer login IDs for programming and for production support.
During an assessment of software development practices, an IS auditor finds that open source software components were used in an application designed for a client. What is the GREATEST concern the auditor would have about the use of open source software? a. The client did not pay for the open source software components. b. The organization and client must comply with open source software license terms. c. Open source software has security vulnerabilities. d. Open source software is unreliable fo - CORRECT ANSWER b. The organization and client must comply with open source software license terms. A disaster recovery plan for an organization's financial system specifies that the recovery point objective is zero and the recovery time objective is 72 hours. Which of the following is the MOST cost-effective solution? A. A hot site that can be operational in eight hours with asynchronous backup of the transaction logs B. Distributed database systems in multiple locations updated asynchronously C. Synchronous updates of the data and standby active systems in a hot site D. Synchronous remote co - CORRECT ANSWER D. Synchronous remote copy of the data in a warm site that can be operational in 48 hours In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems? a. Maintaining system software parameters b. Ensuring periodic dumps of transaction logs c. Ensuring grandfather-father-son file backups d. Maintaining important data at an offsite location - CORRECT ANSWER b. Ensuring periodic dumps of transaction logs Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies? a. Developments may result in hardware and software incompatibility. b. Resources may not be available when needed. c. The plan is approved by senior management. d. An audit is performed by an external IS auditor. - CORRECT ANSWER b. 
Planning involves all user departments. While designing the business continuity plan for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be: a. shadow file processing. b. electronic vaulting. c. hard-disk mirroring. d. hot-site provisioning. - CORRECT ANSWER a. shadow file processing. Which of the following is an appropriate test method to apply to a business continuity plan? a. Pilot b. Paper c. Unit d. System - CORRECT ANSWER b. Paper Which of the following provides the BEST evidence of an organization's disaster recovery capability readiness? a. A disaster recovery plan (DRP) b. Customer references for the alternate site provider c. Processes for maintaining the DRP d. Results of tests and exercises - CORRECT ANSWER d. Results of tests and exercises Due to changes in IT, the disaster recovery plan of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested? a. Catastrophic service interruption b. High consumption of resources c. Total cost of the recovery may not be minimized d. Users and recovery teams may face severe difficulties when activating the plan - CORRECT ANSWER a. Catastrophic service interruption Which of the following should be of MOST concern to an IS auditor reviewing the business continuity plan (BCP)? a. The disaster levels are based on scopes of damaged functions but not on duration. b. The difference between low-level disaster and software incidents is not clear. c. The overall BCP is documented, but detailed recovery steps are not specified. d. The responsibility for declaring a disaster is not identified. - CORRECT ANSWER d. The responsibility for declaring a disaster is not identified. After completing the business impact analysis, what is the NEXT step in the business continuity planning process? a. Test and maintain the plan. b. Develop a specific plan. c. Develop recovery strategies. d. Implement the plan. - CORRECT ANSWER c. 
Develop recovery strategies. While reviewing the IT infrastructure, an IS auditor notices that storage resources are continuously being added. The IS auditor should: a. recommend the use of disk mirroring. b. review the adequacy of offsite storage. c. review the capacity management process. d. recommend the use of a compression algorithm. - CORRECT ANSWER c. review the capacity management process. Which of the following is the BEST method for determining the criticality of each application system in the production environment? a. Interview the application programmers. b. Perform a gap analysis. c. Review the most recent application audits. d. Perform a business impact analysis. - CORRECT ANSWER d. Perform a business impact analysis. As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis? a. Risk such as single point-of-failure and infrastructure risk b. Threats to critical business processes c. Critical business processes for ascertaining the priority for recovery d. Resources required for resumption of business - CORRECT ANSWER c. Critical business processes for ascertaining the priority for recovery The MAIN criterion for determining the severity level of a service disruption incident is: a. cost of recovery. b. negative public opinion. c. geographic location. d. downtime. - CORRECT ANSWER d. downtime. During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the: a. event error log generated at the disaster recovery site. b. disaster recovery test plan. c. disaster recovery plan. d. configurations and alignment of the primary and disaster recovery sites. - CORRECT ANSWER d. configurations and alignment of the primary and disaster recovery sites. 
An organization has a business process with a recovery time objective equal to zero and a recovery point objective close to one minute. This implies that the process can tolerate: a. a data loss of up to one minute, but the processing must be continuous. b. a one-minute processing interruption but cannot tolerate any data loss. c. a processing interruption of one minute or more. d. both a data loss and a processing interruption longer than one minute. - CORRECT ANSWER a. a data loss of up to one minute, but the processing must be continuous. Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective? a. Virtual tape libraries b. Disk-based snapshots c. Continuous data backup d. Disk-to-tape backup - CORRECT ANSWER c. Continuous data backup b. results from previous tests. c. emergency procedures and employee training. d. offsite storage and environmental controls. - CORRECT ANSWER b. results from previous tests. A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the: a. system and the IT operations team can sustain operations in the emergency environment. b. resources and the environment could sustain the transaction load. c. connectivity to the applications at the remote site meets response time requirements. d. workflow of actual business - CORRECT ANSWER a. system and the IT operations team can sustain operations in the emergency environment. To optimize an organization's business continuity plan, an IS auditor should recommend a business impact analysis to determine: a. the business processes that generate the most financial value for the organization and, therefore, must be recovered first. b. 
the priorities and order for recovery to ensure alignment with the organization's business strategy. c. the business processes that must be recovered following a disaster to ensure the organization's survival. d. the priorities and order of - CORRECT ANSWER c. the business processes that must be recovered following a disaster to ensure the organization's survival. To ensure structured disaster recovery, it is MOST important that the business continuity plan and disaster recovery plan are: a. stored at an alternate location. b. communicated to all users. c. tested regularly. d. updated regularly. - CORRECT ANSWER c. tested regularly. When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment approaches is being applied? a. Transfer b. Mitigation c. Avoidance d. Acceptance - CORRECT ANSWER b. Mitigation Which of the following business continuity plan tests involves participation of relevant members of the crisis management/response team to practice proper coordination? a. Tabletop b. Functional c. Full-scale d. Deskcheck - CORRECT ANSWER a. Tabletop To address an organization's disaster recovery requirements, backup intervals should not exceed the: a. service level objective. b. recovery time objective. c. recovery point objective. d. maximum acceptable outage. - CORRECT ANSWER c. recovery point objective. An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following would be the GREATEST concern? a. System administrators use shared accounts which never expire at the hot site. b. Disk space utilization data are not kept current. c. Physical security controls at the hot site are less robust than at the main site. d. Servers at the hot site do not have the same specifications as at the main site. - CORRECT ANSWER b. Disk space utilization data are not kept current. 
Which of the following is the MOST critical element to effectively execute a disaster recovery plan? a. Offsite storage of backup data b. Up-to-date list of key disaster recovery contacts c. Availability of a replacement data center d. Clearly defined recovery time objective (RTO) - CORRECT ANSWER a. Offsite storage of backup data Which of the following disaster recovery testing techniques is the MOST efficient way to determine the effectiveness of the plan? a. Preparedness tests b. Paper tests c. Full operational tests d. Actual service disruption - CORRECT ANSWER a. Preparedness tests When reviewing a disaster recovery plan, an IS auditor should be MOST concerned with the lack of: a. process owner involvement. b. well-documented testing procedures. c. an alternate processing facility. d. a well-documented data classification scheme. - CORRECT ANSWER a. process owner involvement. After a disaster declaration, the media creation date at a warm recovery site is based on the: a. recovery point objective. b. recovery time objective. c. service delivery objective. d. maximum tolerable outage. - CORRECT ANSWER a. recovery point objective. Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative? a. Perform disaster recovery exercises annually. b. Ensure that partnering organizations are separated geographically. c. Regularly perform a business impact analysis. d. Select a partnering organization with similar systems - CORRECT ANSWER b. Ensure that partnering organizations are separated geographically. Which of the following is the PRIMARY objective of the business continuity plan process? a. To provide assurance to stakeholders that business operations will continue in the event of disaster b. To establish an alternate site for IT services to meet predefined recovery time objectives c. To manage risk while recovering from an event that adversely affected operations c. Application gateway d. 
Circuit gateway - CORRECT ANSWER c. Application gateway A company is implementing a Dynamic Host Configuration Protocol. Given that the following conditions exist, which represents the GREATEST concern? a. Most employees use laptops. b. A packet filtering firewall is used. c. The IP address space is smaller than the number of PCs. d. Access to a network port is not restricted. - CORRECT ANSWER d. Access to a network port is not restricted. The FIRST step in data classification is to: a. establish ownership. b. perform a criticality analysis. c. define access rules. d. create a data dictionary. - CORRECT ANSWER a. establish ownership. Which of the following types of transmission media provide the BEST security against unauthorized access? a. Copper wire b. Shielded twisted pair c. Fiber-optic cables d. Coaxial cables - CORRECT ANSWER c. Fiber-optic cables Security administration procedures require read-only access to: a. access control tables. b. security log files. c. logging options. d. user profiles. - CORRECT ANSWER b. security log files. When reviewing an organization's logical access security to its remote systems, which of the following would be of GREATEST concern to an IS auditor? a. Passwords are shared. b. Unencrypted passwords are used. c. Redundant logon IDs exist. d. Third-party users possess administrator access. - CORRECT ANSWER b. Unencrypted passwords are used. Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data? a. Inheritance b. Dynamic warehousing c. Encapsulation d. Polymorphism - CORRECT ANSWER c. Encapsulation In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend? a. Automated logging of changes to development libraries b. Additional staff to provide separation of duties c. Procedures that verify that only approved program changes are implemented d. 
Access controls to prevent the operator from making program modifications - CORRECT ANSWER c. Procedures that verify that only approved program changes are implemented Which of the following line media would provide the BEST security for a telecommunication network? a. Broadband network digital transmission b. Baseband network c. Dial-up d. Dedicated lines - CORRECT ANSWER d. Dedicated lines Which of the following would be the BEST access control procedure? a. The data owner formally authorizes access and an administrator implements the user authorization tables. b. Authorized staff implements the user authorization tables and the data owner approves them. c. The data owner and an IS manager jointly create and update the user authorization tables. d. The data owner creates and updates the user authorization table - CORRECT ANSWER a. The data owner formally authorizes access and an administrator implements the user authorization tables. The information security policy that states "each individual must have his/her badge read at every controlled door" addresses which of the following attack methods? a. Piggybacking b. Shoulder surfing c. Dumpster diving d. Impersonation - CORRECT ANSWER a. Piggybacking Java applets and Active X controls are distributed programs that execute in the background of a client web browser. This practice is considered reasonable when: a. a firewall exists. b. a secure web connection is used. c. the source of the executable file is certain. d. the host web site is part of the organization. - CORRECT ANSWER c. the source of the executable file is certain. Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy? a. Review the parameter settings. b. Interview the firewall administrator. c. Review the actual procedures. d. Review the device's log file for recent attacks. - CORRECT ANSWER a. Review the parameter settings. 
Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious? a. Sensitive data might be read by operators. b. Data might be amended without authorization. c. Unauthorized report copies might be printed. d. Output might be lost in the event of system failure. - CORRECT ANSWER c. Unauthorized report copies might be printed. Which of the following types of firewalls would BEST protect a network from an Internet attack? a. Screened subnet firewall b. Application filtering gateway c. Packet filtering router d. both the key used to encrypt and decrypt the data are private. - CORRECT ANSWER c. the key used to encrypt is public, but the key used to decrypt the data is private. Which of the following components is responsible for the collection of data in an intrusion detection system? a. Analyzer b. Administration console c. User interface d. Sensor - CORRECT ANSWER d. Sensor During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is: a. encryption. b. callback modems. c. message authentication. d. dedicated leased lines. - CORRECT ANSWER a. encryption. Which of the following is an advantage of elliptic curve encryption over RSA encryption? a. Computation speed b. Ability to support digital signatures c. Simpler key distribution d. Message integrity controls - CORRECT ANSWER a. Computation speed An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking? a. An application-level gateway b. A remote access server c. A proxy server d. Port scanning - CORRECT ANSWER a. An application-level gateway Which of the following is BEST suited for secure communications within a small group? a. Key distribution center b. 
Certificate authority c. Web of trust d. Kerberos Authentication System - CORRECT ANSWER c. Web of trust An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important? a. False-acceptance rate b. Equal-error rate c. False-rejection rate d. False-identification rate - CORRECT ANSWER a. False-acceptance rate The Secure Sockets Layer protocol ensures the confidentiality of a message by using: a. symmetric encryption. b. message authentication codes. c. hash function. d. digital signature certificates. - CORRECT ANSWER a. symmetric encryption. In transport mode, the use of the Encapsulating Security Payload protocol is advantageous over the authentication header protocol because it provides: a. connectionless integrity. b. data origin authentication. c. antireplay service. d. confidentiality. - CORRECT ANSWER d. confidentiality. Which of the following is the MOST reliable method to ensure identity of sender for messages transferred across Internet? a. Digital signatures b. Asymmetric cryptography c. Digital certificates d. Message authentication code - CORRECT ANSWER c. Digital certificates Which of the following provides the MOST relevant information for proactively strengthening security settings? a. Bastion host b. Intrusion detection system c. Honeypot d. Intrusion prevention system - CORRECT ANSWER c. Honeypot A review of wide area network (WAN) usage discovers that traffic on one communication line between sites, synchronously linking the master and standby database, peaks at 96 percent of the line capacity. An IS auditor should conclude that: a. analysis is required to determine if a pattern emerges that results in a service loss for a short period of time. b. WAN capacity is adequate for the maximum traffic demands because saturation has not been reached. c. the line should immediately be replaced - CORRECT ANSWER a. 
analysis is required to determine if a pattern emerges that results in a service loss for a short period of time. In a public key infrastructure, a registration authority: a. verifies information supplied by the subject requesting a certificate. b. issues the certificate after the required attributes are verified and the keys are generated. c. digitally signs a message to achieve nonrepudiation of the signed message. d. registers signed messages to protect them from future repudiation. - CORRECT ANSWER a. verifies information supplied by the subject requesting a certificate. Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power? a. Power line conditioners b. Surge protective devices c. Alternative power supplies d. Interruptible power supplies - CORRECT ANSWER a. Power line conditioners IS management recently replaced its existing wired local area network with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks? a. Port scanning b. Back door c. Man-in-the-middle c. Databa - CORRECT ANSWER d. Database initialization parameters are appropriate. When using a digital signature, the message digest is computed by the: a. sender only. b. receiver only. c. sender and receiver both. d. certificate authority. - CORRECT ANSWER c. sender and receiver both. An IT auditor is reviewing an organization's information security policy, which requires encryption of all data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption algorithm be used. Which of the following algorithms would provide the greatest assurance that data placed on USB drives is protected from unauthorized disclosure? a. Data Encryption Standard b. Message digest 5 c. Advanced Encryption Standard d. Secure Shell - CORRECT ANSWER c. 
Advanced Encryption Standard When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk? a. There is no registration authority for reporting key compromises. b. The certificate revocation list is not current. c. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures. d. Subscribers report key compromises to the certificate authority. - CORRECT ANSWER b. The certificate revocation list is not current. An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP traffic? a. Corruption of the Address Resolution Protocol cache in Ethernet switches b. Use of a default administrator password on the analog phone switch c. Deploying virtual local area networks without enabling encryption d. End users having access t - CORRECT ANSWER a. Corruption of the Address Resolution Protocol cache in Ethernet switches An organization is planning to replace its wired networks with wireless networks. Which of the following would BEST secure the wireless network from unauthorized access? a. Implement Wired Equivalent Privacy. b. Permit access to only authorized media access control addresses. c. Disable open broadcast of service set identifiers. d. Implement Wi-Fi Protected Access 2. - CORRECT ANSWER d. Implement Wi-Fi Protected Access 2. Which of the following is the MOST effective control for restricting access to unauthorized Internet sites in an organization? a. Routing outbound Internet traffic through a content-filtering proxy server b. Routing inbound Internet traffic through a reverse proxy server c. Implementing a firewall with appropriate access rules d. Deploying client software utilities that block inappropriate content - CORRECT ANSWER a. 
Routing outbound Internet traffic through a content-filtering proxy server The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation, and is the only user with administrative rights to the system. What should the IS auditor's initial determination be? a. There is no sign - CORRECT ANSWER d. The SAN administrator presents a potential risk. An organization is reviewing its contract with a cloud computing provider. For which of the following reasons would the organization want to remove a lock-in clause from the cloud service contract? a. Availability b. Portability c. Agility d. Scalability - CORRECT ANSWER b. Portability An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data? a. Data retention, backup and recovery b. Return or destruction of information c. Network and intrusion detection d. A patch management process - CORRECT ANSWER b. Return or destruction of information A company is planning to install a network-based intrusion detection system to protect the web site that it hosts. Where should the device be installed? a. On the local network b. Outside the firewall c. In the demilitarized zone d. On the server that hosts the web site - CORRECT ANSWER c. In the demilitarized zone The GREATEST benefit of having well-defined data classification policies and procedures is: a. a more accurate inventory of information assets. b. a decreased cost of controls. c. a reduced risk of inappropriate system access. d. an improved regulatory compliance. - CORRECT ANSWER b. a decreased cost of controls. 
An IS auditor reviewing digital rights management applications should expect to find an extensive use for which of the following technologies? a. Digitalized signatures b. Hashing c. Parsing d. Steganography - CORRECT ANSWER d. Steganography Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network? a. Server-based antivirus software b. Enterprise-based antivirus software c. Workstation-based antivirus software