
CISA EXAM 3|150 Questions with Verified Answers,100% CORRECT, Exams of Information and Communications Technology (ICT)


Typology: Exams

2023/2024

Available from 07/27/2024

paul-kamau-2


Q01) The success of control self-assessment depends highly on:
A) assigning staff managers the responsibility for building controls.
B) the implementation of a stringent control policy and rule-driven controls.
C) line managers assuming a portion of the responsibility for control monitoring.
D) the implementation of supervision and monitoring of controls of assigned duties.
- CORRECT ANSWER C)
C) CORRECT. Line managers assuming a portion of the responsibility for control monitoring is correct. The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly.
A) INCORRECT. Assigning staff managers the responsibility for building controls is incorrect. CSA requires managers to participate in the monitoring of controls.
B) INCORRECT. The implementation of a stringent control policy and rule-driven controls is incorrect. The implementation of stringent controls will not ensure controls are working correctly.
D) INCORRECT. The implementation of supervision and monitoring of controls of assigned duties is incorrect. Better supervision is a compensating and detective control and may assist in ensuring control effectiveness but would work best when used in a formal process such as CSA.

Q02) An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise's security requirements?
A) The vendor agrees to implement controls in alignment with the enterprise.
B) The vendor agrees to provide annual external audit reports in the contract.
C) The vendor provides the latest internal audit report for verification.
D) The vendor provides the latest third-party audit report for verification.
- CORRECT ANSWER B)
B) CORRECT. The vendor agrees to provide annual external audit reports in the contract is correct. The only way to ensure that any potential risk is mitigated today and in the future is to include a clause within the contract that the vendor will provide future external audit reports. Without the audit clause, the vendor can choose to forgo future audits.
D) INCORRECT. The vendor provides the latest third-party audit report for verification is incorrect. Although the vendor is providing the most recent third-party audit report for review, there is no agreement contractually that would require the vendor to continue to provide annual reports for verification and review.
C) INCORRECT. The vendor provides the latest internal audit report for verification is incorrect. Although the vendor is providing the most recent internal audit report for review, there is no agreement contractually that would require the vendor to continue to provide annual reports for verification and review.
A) INCORRECT. The vendor agrees to implement controls in alignment with the enterprise is incorrect. Without a clause in the contract, an agreement to implement controls does not provide assurance that controls will continue to be implemented in alignment with the enterprise.

Q03) What is the purpose of using data flow diagrams, used by the IS auditors?
A) identify key controls.

D) INCORRECT. The project is implemented while minor issues are open from user acceptance testing is incorrect. User acceptance testing is seldom completely successful. If errors are not critical, they may be corrected after implementation without seriously affecting usage.
C) INCORRECT.
Program documentation is inadequate is incorrect. Lack of adequate program documentation, while a concern, is not as big a risk as the lack of assigned responsibilities during the initial stages of the project.

Q06) Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?
A) Allocating resources
B) Attention to detail
C) Managing audit staff
D) Project management
- CORRECT ANSWER D)
D) IS CORRECT. Project management is correct. Audits often involve resource management, deliverables, scheduling and deadlines that are similar to project management good practices.
C) INCORRECT. Managing audit staff is incorrect. This is not the only aspect of conducting an audit.
A) INCORRECT. Allocating resources is incorrect. These resources, including time and personnel, are needed for overall project management skills.
B) INCORRECT. Attention to detail is incorrect. This is needed, but it is not a constraint of conducting audits.

Q07) Which of the following BEST helps prioritize the recovery of IT assets when planning for a disaster?
A) Business impact analysis
B) Incident response plan
C) Recovery time objective
D) Threat and risk analysis
- CORRECT ANSWER A)
A) IS CORRECT. Business impact analysis is correct. Incorporating the business impact analysis (BIA) into the IT disaster recovery planning process is critical to ensure that IT assets are prioritized to align with the business.
B) INCORRECT. Incident response plan is incorrect. An incident response plan is an organized approach to addressing and managing a security breach or attack. The plan defines what constitutes an incident and the process to follow when an incident occurs. It does not prioritize recovery during a disaster.
D) INCORRECT. Threat and risk analysis is incorrect. Identifying threats and analyzing risk to the business is an important part of disaster planning, but it does not determine the priority of recovery.
C) INCORRECT.
Recovery time objective is incorrect. The recovery time objective is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. This is included as part of the BIA and used to represent the prioritization of recovery.

Q08) An IS auditor reviewing an outsourcing contract of IT facilities expects it to define the:
A) hardware configuration.
B) ownership of intellectual property.
C) application development methodology.
D) access control software.
- CORRECT ANSWER B)
B) IS CORRECT. Ownership of intellectual property is correct. The contract must specify who owns the intellectual property (i.e., information being processed and application programs). Ownership of intellectual property is a significant cost and is a key aspect to be defined in an outsourcing contract.
A) INCORRECT. Hardware configuration is incorrect. The hardware configuration is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations.
D) INCORRECT. Access control software is incorrect. The access control software is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations.
C) INCORRECT. Application development methodology is incorrect. The development methodology should be of no real concern in an outsourcing contract.

Q09) A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?
A) Project manager
B) Data owner
C) IS auditor
D) Database administrator
- CORRECT ANSWER B)
B) IS CORRECT. Data owner is correct. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely and accurately and are valid.
C) INCORRECT.
IS auditor is incorrect. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted data. They should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project.

Q12) An IS auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when:
A) the service level agreement does not address the responsibility of the vendor in the case of a security breach.
B) the organization is not permitted to assess the controls in the participating vendor's site.
C) the organization is using an older version of a browser and is vulnerable to certain types of security risk.
D) laws and regulations are different in the countries of the organization and the vendor.
- CORRECT ANSWER A)
A) IS CORRECT. The service level agreement does not address the responsibility of the vendor in the case of a security breach is correct. Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach.
B) INCORRECT. The organization is not permitted to assess the controls in the participating vendor's site is incorrect. The IS auditor has no role to play if the contract between the parties does not provide for assessment of controls in the other vendor's site.
D) INCORRECT. Laws and regulations are different in the countries of the organization and the vendor is incorrect.
The IS auditor should ensure that the contract addresses the differing laws and regulations in the countries of the organization and the vendor, but having different laws and regulations is not a problem.
C) INCORRECT. The organization is using an older version of a browser and is vulnerable to certain types of security risk is incorrect. The IS auditor can make suggestions to the audited entity to use appropriate patches or switch over to safer browsers, and then the IS auditor can follow up on the action taken.

Q13) The ultimate purpose of IT governance is to:
A) reduce IT costs.
B) encourage optimal use of IT.
C) centralize control of IT.
D) decentralize IT resources across the organization.
- CORRECT ANSWER B)
B) IS CORRECT. Encourage optimal use of IT is correct. IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.
A) INCORRECT. Reduce IT costs is incorrect, as it may not be the best IT governance outcome for an enterprise.
D) INCORRECT. Decentralize IT resources across the organization is incorrect. This is not always desired, although it may be desired in a decentralized environment.
C) INCORRECT. Centralize control of IT is incorrect. This is not always desired. An example of where it might be desired is an enterprise wanting a single point of customer contact.

Q14) Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?
A) Three users with the ability to capture and verify the messages of other users and to send their own messages
B) Five users with the ability to verify other users and to send their own messages
C) Five users with the ability to capture and send their own messages
D) Three users with the ability to capture and verify their own messages
- CORRECT ANSWER D)
D) IS CORRECT.
Three users with the ability to capture and verify their own messages is correct. The ability of one individual to capture and verify their own messages represents an inadequate segregation because messages can be taken as correct and as if they had already been verified. The verification of messages should not be allowed by the person who sent the message.
C) INCORRECT. Five users with the ability to capture and send their own messages is incorrect. Users may have the ability to send messages but should not be able to verify their own messages.
B) INCORRECT. Five users with the ability to verify other users and to send their own messages is incorrect. This is an example of separation of duties. A person can send their own message but only verify the messages of other users.
A) INCORRECT. Three users with the ability to capture and verify the messages of other users and to send their own messages is incorrect. The ability to capture and verify the messages of others but only send their own messages is acceptable.

Q15) The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning system. In the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy?
A) Significant cost savings over other testing approaches
B) Assurance that new, faster hardware is compatible with the new system
C) Assurance that the new system meets functional requirements

is forced to rely on publicly available information. This test simulates a real attack, except that the target organization is aware of the test being conducted.
D) INCORRECT. Targeted testing is incorrect. This is also known as white-box testing. This refers to a test where the penetration tester is provided with information and the target organization is also aware of the testing activities.
In some cases, the tester is also provided with a limited-privilege account to be used as a starting point.
C) INCORRECT. External testing is incorrect. This refers to a test where an external penetration tester launches attacks on the target's network perimeter from outside the target network (typically from the Internet).

Q18) A company has decided to implement an electronic signature scheme based on a public key infrastructure. The user's private key will be stored on the computer's hard drive and protected by a password. The MOST significant risk of this approach is:
A) use of the user's electronic signature by another person if the password is compromised.
B) impersonation of a user by substitution of the user's public key with another person's public key.
C) forgery by using another user's private key to sign a message with an electronic signature.
D) forgery by substitution of another person's private key on the computer.
- CORRECT ANSWER A)
A) IS CORRECT. Use of the user's electronic signature by another person if the password is compromised is correct. The user's digital signature is only protected by a password. Compromise of the password would enable access to the signature. This is the most significant risk.
C) INCORRECT. Forgery by using another user's private key to sign a message with an electronic signature is incorrect. Creating a digital signature with another user's private key would indicate that the message came from a different person, and therefore, the true user's credentials would not be forged.
B) INCORRECT. Impersonation of a user by substitution of the user's public key with another person's public key is incorrect. This would require the modification of the certificate issued by the certificate authority. This is very difficult and least likely.
D) INCORRECT. Forgery by substitution of another person's private key on the computer is incorrect.
The substitution of another person's private key would not work because the digital signature would be validated with the original user's public key.

Q19) Users are issued security tokens to be used in combination with a personal identification number (PIN) to access the corporate virtual private network. Regarding the PIN, what is the MOST important rule to be included in a security policy?
A) Users should never write down their PIN.
B) Users must never keep the token in the same bag as their laptop computer.
C) Users should select a PIN that is completely random, with no repeating digits.
D) Users should not leave tokens where they could be stolen.
- CORRECT ANSWER A)
A) IS CORRECT. Users should never write down their personal identification number (PIN) is correct. If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. A token and the PIN is a two-factor authentication method.
D) INCORRECT. Users should not leave tokens where they could be stolen is incorrect. Access to the token is of no value without the personal identification number (PIN); one cannot work without the other.
B) INCORRECT. Users must never keep the token in the same bag as their laptop computer is incorrect. Access to the token is of no value without the PIN; one cannot work without the other.
C) INCORRECT. Users should select a PIN that is completely random, with no repeating digits is incorrect. The PIN does not need to be random as long as it is secret.

Q20) The purpose of code signing is to provide assurance that:
A) the private key of the signer has not been compromised.
B) the signer of the application is trusted.
C) the application can safely interface with another signed application.
D) the software has not been subsequently modified.
- CORRECT ANSWER D)
D) IS CORRECT. The software has not been subsequently modified is correct.
Code signing ensures that the executable code came from a reputable source and has not been modified after being signed.
C) INCORRECT. The application can safely interface with another signed application is incorrect. The signing of code will not ensure that it will integrate with other applications.
B) IS INCORRECT. The signer of the application is trusted is incorrect. Code signing will provide assurance of the source but will not ensure that the source is trusted. The code signing will, however, ensure that the code has not been modified.
A) IS INCORRECT. The private key of the signer has not been compromised is incorrect. The compromise of the sender's private key would result in a loss of trust and is not the purpose of code signing.

Q21)
B) INCORRECT. A security guard stationed at the server room door is incorrect. A security guard stationed at the server room door is a deterrent control.
A) INCORRECT. An intrusion detection system is incorrect. An intrusion detection system is a detective control.
D) INCORRECT. A fire suppression system in the server room is incorrect. A fire suppression system is a corrective control.

Q24) The PRIMARY objective of conducting a post-implementation review for a business process automation project is to:
A) confirm compliance with regulatory requirements.
B) evaluate the adequacy of controls.
C) ensure that the project meets the intended business requirements.
D) confirm compliance with technological standards.
- CORRECT ANSWER C)
C) IS CORRECT. Ensure that the project meets the intended business requirements is correct. This is the primary objective of a post-implementation review.
B) INCORRECT. Evaluate the adequacy of controls is incorrect. This may be part of the review but is not the primary objective.
D) INCORRECT. Confirm compliance with technological standards is incorrect. This is normally not part of the post-implementation review because this should be addressed during the design and development phase.
A) INCORRECT.
Confirm compliance with regulatory requirements is incorrect. This is normally not part of the post-implementation review because this should be addressed during the design and development phase.

Q25) During a post-implementation review of an enterprise resource management system, an IS auditor would MOST likely:
A) evaluate system testing.
B) review access control configuration.
C) review detailed design documentation.
D) evaluate interface testing.
- CORRECT ANSWER B)
B) IS CORRECT. Review access control configuration is correct. Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system.
D) INCORRECT. Evaluate interface testing is incorrect. Because a post-implementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process.
C) IS INCORRECT. Review detailed design documentation is incorrect. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system because these are usually vendor packages with user manuals. System testing should be performed before final user signoff. Further, because the system has been implemented, the IS auditor would only check the detailed design if there appeared to be a gap between design and functionality.
A) IS INCORRECT. Evaluate system testing is incorrect. System testing should be performed before final user signoff. The IS auditor should not need to review the system tests post-implementation.

Q26) A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should:
A) apply a qualitative approach.
B) calculate a return on investment.
C) compute the amortization of the related assets.
D) spend the time needed to define the loss amount exactly.
- CORRECT ANSWER A)
A) IS CORRECT. Apply a qualitative approach is correct. The common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).
C) INCORRECT. Compute the amortization of the related assets is incorrect. Amortization is used in a profit and loss statement, not in computing potential losses.
B) INCORRECT. Calculate a return on investment (ROI) is incorrect. An ROI is computed when there are predictable savings or revenues that can be compared to the investment needed to realize the revenues.
D) INCORRECT. Spend the time needed to define the loss amount exactly is incorrect. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change, and the result will be a poorly supported evaluation.

Q27) While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours. The IS auditor should report that the project:
A) cannot be evaluated until the activity is completed.
B) is on schedule.
C) is ahead of schedule.

B) INCORRECT. Restoration at the facility is incorrect. Restoration ensures that the affected systems or services are restored to a condition specified in the restore point objective. This action will be possible only after containment of the damage.
A) INCORRECT. Documentation of the facility is incorrect. This should be prepared to inform management of the incident; however, damage must be contained first.
C) INCORRECT. Monitoring of the facility is incorrect. This is important, although containment must take priority to avoid spread of the damage.

Q30) An enterprise uses privileged accounts to process configuration changes for mission-critical applications. Which of the following would be the BEST and appropriate control to limit the risk in such a situation?
A) Ensure that audit trails are accurate and specific.
B) Ensure that personnel background checks are performed for critical personnel.
C) Ensure that personnel have adequate training.
D) Ensure that supervisory approval and review are performed for critical changes.
- CORRECT ANSWER D)
D) IS CORRECT. Ensure that supervisory approval and review are performed for critical changes is correct. Supervisory approval and review of critical changes by the accountable managers in the enterprise are required to avoid and detect any unauthorized change. In addition to authorization, supervision enforces a separation of duties and prevents an unauthorized attempt by any single employee.
A) INCORRECT. Ensure that audit trails are accurate and specific is incorrect. Audit trails are a detective control and, in many cases, can be altered by those with privileged access.
C) INCORRECT. Ensure that personnel have adequate training is incorrect. Staff proficiency is important and good training may be somewhat of a deterrent, but supervisory approval and review is the best choice.
B) INCORRECT. Ensure that personnel background checks are performed for critical personnel is incorrect. Performing background checks is a very basic control and will not effectively prevent or detect errors or malfeasance.

Q31) Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation?
A) Decline to deal with these vendors in the future.
B) Assess the impact of patches prior to installation.
C) Install the security patch immediately.
D) Ask the vendors for a new software version with all fixes included.
- CORRECT ANSWER B)
B) IS CORRECT. Assess the impact of patches prior to installation is correct. The effect of installing the patch should be immediately evaluated and installation should occur based on the results of the evaluation. There are numerous cases where a patch from one vendor has affected other systems; therefore, it is necessary to test the patches as much as possible before rolling them out to the entire organization.
D) INCORRECT. Ask the vendors for a new software version with all fixes included is incorrect. New software versions with all fixes included are not always available and a full installation could be time consuming.
C) INCORRECT. Install the security patch immediately is incorrect. To install the patch without knowing what it might affect could easily cause problems. The installation of a patch may also affect system availability; therefore, the patch should be rolled out at a time that is acceptable to the business.
A) INCORRECT. Decline to deal with these vendors in the future is incorrect. Declining to deal with vendors does not take care of the flaw and may severely limit service options.

Q32) An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:
A) inform management of the possible conflict of interest after completing the audit assignment.
B) communicate the possibility of conflict of interest to audit management prior to starting the assignment.
C) inform the BCP team of the possible conflict of interest prior to beginning the assignment.
D) decline the assignment.
- CORRECT ANSWER B)
B) IS CORRECT. Communicate the possibility of conflict of interest to audit management prior to starting the assignment is correct.
A possible conflict of interest, likely to affect the IS auditor's independence, should be brought to the attention of management prior to starting the assignment.
D) INCORRECT. Decline the assignment is incorrect. Declining the assignment could be acceptable only after obtaining management approval or after it is appropriately disclosed to management, audit management and other stakeholders.
A) INCORRECT. Inform management of the possible conflict of interest after completing the audit assignment is incorrect. Approval should be obtained prior to commencement and not after the completion of the assignment.
C) INCORRECT. Informing the BCP team of the possible conflict of interest prior to starting the assignment is not the correct answer because the BCP team does not have the authority to decide on this issue.

Q33) IT governance is PRIMARILY the responsibility of the:
A) IT steering committee.
B) board of directors.

B) Configuration and change management
C) Application of monitoring tools
D) Topological mappings
- CORRECT ANSWER B)
B) IS CORRECT. Configuration and change management is correct. Configuration management is widely accepted as one of the key components of any network because it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Change management ensures that the setup and management of the network is done properly, including managing changes to the configuration, removal of default passwords and possibly hardening the network by disabling unneeded services.
D) INCORRECT. Topological mappings is incorrect. These provide outlines of the components of the network and its connectivity. This is important to address issues such as single points of failure and proper network isolation but is not the most critical component of network management.
C) INCORRECT. Application of monitoring tools is incorrect and is not a critical part of network management.
A) INCORRECT.
Proxy server troubleshooting is incorrect. This is used for troubleshooting purposes, and managing a proxy is only a small part of network management.

Q37) An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control?
A) System-generated exception reports for the review period with the reviewer's sign-off
B) Management's confirmation of the effectiveness of the control for the review period
C) Walk-through with the reviewer of the operation of the control
D) A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer
- CORRECT ANSWER D)
D) IS CORRECT. A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer is correct. This represents the best possible evidence of the effective operation of the control, because there is documented evidence that the reviewer reviewed the exception report and took actions based on the exception report.
C) INCORRECT. Walk-through with the reviewer of the operation of the control is incorrect. A walk-through highlights how a control is designed to work, but it seldom highlights the effectiveness of the control, or exceptions or constraints in the process.
A) INCORRECT. System-generated exception reports for the review period with the reviewer's sign-off is incorrect. Reviewer sign-off does not demonstrate the effectiveness of the control if the reviewer does not note follow-up actions for the exceptions identified.
B) INCORRECT. Management's confirmation of the effectiveness of the control for the review period is incorrect and suffers from lack of independence—management might be biased toward the effectiveness of the controls put in place.

Q38) Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization?
A) Dedicated line
B) Leased line
C) Virtual private network
D) Integrated services digital network
- CORRECT ANSWER C)
C) IS CORRECT. Virtual private network is correct. The most secure method is a virtual private network, using encryption, authentication and tunneling to allow data to travel securely from a private network to the Internet.
A) INCORRECT. Dedicated line is incorrect. This is quite expensive and only needed when there are specific confidentiality and availability needs.
B) INCORRECT. Leased line is incorrect. This is an expensive but private option, but rarely a good option today.
D) INCORRECT. Integrated services digital network is incorrect. This is not encrypted and would need additional security to be a valid option.

Q39) An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:
A) accountability system and the ability to identify any terminal accessing system resources.
B) maintenance of access logs of usage of various system resources.
C) authorization and authentication of the user prior to granting access to system resources.
D) adequate protection of stored data on servers by encryption or other means.
- CORRECT ANSWER C)
C) IS CORRECT. Authorization and authentication of the user prior to granting access to system resources is correct. This is the most significant aspect in a telecommunication access control review because it is a preventive control. Weak controls at this level can affect all other aspects of security.
B) INCORRECT. Maintenance of access logs of usage of various system resources is incorrect. This is a detective control. A preventive control should be used first.
D) INCORRECT. Adequate protection of stored data on servers by encryption or other means is incorrect. This is a method of protecting stored information and is not a network access issue.

D) INCORRECT. Request a copy of the DRP from the cloud vendor is incorrect.
A copy of DR policies can be requested to review their adequacy; however, this will only be useful if the vendor is contractually required to provide DR services.

Q42) An IS auditor is reviewing an organization's network operations center (NOC). Which of the following choices is of the GREATEST concern? The use of:
A) a rented rack space in the NOC.
B) a wet pipe-based fire suppression system.
C) a carbon dioxide-based fire suppression system.
D) an uninterrupted power supply with 10 minutes of backup power. - CORRECT ANSWER C) IS CORRECT. A carbon dioxide (CO2)-based fire suppression system is correct. CO2 systems should not be used in areas where people are present, because their function will cause suffocation in the event of a fire. Controls should consider personnel safety first.
B) INCORRECT. A wet pipe-based fire suppression system is incorrect. Wet pipe systems may damage computer equipment, but they are safe for humans and not as damaging as CO2 systems.
A) INCORRECT. A rented rack space in the NOC is incorrect. Rented rack space is not a concern as long as security controls are maintained. Most organizations rent server rack space.
D) INCORRECT. An uninterrupted power supply with 10 minutes of backup power is incorrect. Depending on the system, a few minutes might be all that is needed for a graceful shutdown. However, a CO2 system is dangerous for personnel.

Q43) What is the BEST method to facilitate successful user testing and acceptance of a new enterprise resource planning payroll system that is replacing an existing legacy system?
A) Prototype testing
B) Parallel testing
C) Multiple testing
D) Integration testing - CORRECT ANSWER B) IS CORRECT. Parallel testing is correct. This is the best method for testing data results and system behavior because it allows the users to compare results from both systems before decommissioning the legacy system. Parallel testing also results in better user adoption of the new system.
C) INCORRECT.
Multiple testing is incorrect. This will not compare results from the old and new systems.
D) INCORRECT. Integration testing is incorrect. This refers to how the system interacts with other systems, and it is not performed by end users.
A) INCORRECT. Prototype testing is incorrect. This is used during design and development to ensure that user input is received; however, this method is not used for acquired systems or during user acceptance testing.

Q44) An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions?
A) Variable
B) Attribute
C) Stop-or-go
D) Judgment - CORRECT ANSWER B) IS CORRECT. Attribute is correct. Attribute sampling is used to test compliance of transactions to controls, in this instance, the existence of appropriate approval.
A) INCORRECT. Variable is incorrect. Variable sampling is used in substantive testing situations and deals with population characteristics that vary, such as monetary values and weights.
C) INCORRECT. Stop-or-go is incorrect. Stop-or-go sampling is used when the expected occurrence rate is extremely low.
D) INCORRECT. Judgment is incorrect. It refers to a subjective approach of determining sample size and selection criteria of elements of the sample.

Q45) Which of the following types of transmission media provide the BEST security against unauthorized access?
A) Fiber-optic cables
B) Copper wire
C) Shielded twisted pair
D) Coaxial cables - CORRECT ANSWER A) IS CORRECT. Fiber-optic cables is correct. Fiber-optic cables have proven to be more secure and more difficult to tap than the other media.
B) INCORRECT. Copper wire is incorrect. Twisted pair, coaxial and copper wire traffic can be monitored with inexpensive equipment.
C) INCORRECT. Shielded twisted pair is incorrect.
Twisted pair cabling is a form of copper wire, and while shielding affords some degree of protection from interference, it does not improve security against unauthorized access.
D) INCORRECT. Coaxial cables is incorrect. These can be monitored with relative ease.

Q46)
D) Probability-proportional-to-size - CORRECT ANSWER A) IS CORRECT. Discovery sampling is correct. This is used when an IS auditor is trying to determine whether a type of event has occurred. Therefore, it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.
B) INCORRECT. Stop-or-go is incorrect. This is a sampling method that helps limit the size of a sample and allows the test to be stopped at the earliest possible moment.
C) INCORRECT. Classical variable sampling is incorrect. This is associated with dollar amounts and has a sample based on a representative sample of the population but is not focused on fraud.
D) INCORRECT. Probability-proportional-to-size sampling is incorrect. This is typically associated with cluster sampling when there are groups within a sample. The question does not indicate that an IS auditor is searching for a threshold of fraud.

Q49) When using public key encryption to secure data being transmitted across a network:
A) both the key used to encrypt and decrypt the data are public.
B) the key used to encrypt is private, but the key used to decrypt the data is public.
C) both the key used to encrypt and decrypt the data are private.
D) the key used to encrypt is public, but the key used to decrypt the data is private. - CORRECT ANSWER D) IS CORRECT. The key used to encrypt is public, but the key used to decrypt the data is private is correct. Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.
C) INCORRECT. Both the key used to encrypt and decrypt the data are public is incorrect.
The public and private keys always work as a pair: if a public key is used to encrypt a message, the corresponding private key MUST be used to decrypt the message.
B) INCORRECT. The key used to encrypt is private, but the key used to decrypt the data is public is incorrect. If the message is encrypted with a private key, that will provide proof of origin but not message security or confidentiality.
A) INCORRECT. Both the key used to encrypt and decrypt the data are private is incorrect. Using two private keys would not be possible with asymmetric encryption.

Q50) The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during:
A) the internal lab testing phase.
B) the implementation phase.
C) testing and prior to user acceptance.
D) the requirements gathering process. - CORRECT ANSWER C) IS CORRECT. The requirements gathering process is correct. The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of applications software. This provides maximum opportunity for review of the vendors and their products. Early engagement of an IS auditor also minimizes the potential of a business commitment to a given solution that might be inadequate and more difficult to overcome as the process continues.
A) INCORRECT. The internal lab testing phase is incorrect. During testing, the IS auditor will ensure that the security requirements are met. This is not the time to assess the control specifications.
C) INCORRECT. Testing and prior to user acceptance is incorrect. The control specifications will drive the security requirements that are built into the contract and should be assessed before the product is acquired and tested.
B) INCORRECT. The implementation phase is incorrect.
During the implementation phase, the IS auditor may check whether the controls have been enabled; however, this is not the time to assess the control requirements.

Q51) Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet?
A) The CA has several data processing subcenters to administer certificates.
B) Customers can make their transactions from any computer or mobile device.
C) Customers are widely dispersed geographically, but the certificate authorities (CAs) are not.
D) The organization is the owner of the CA. - CORRECT ANSWER D) IS CORRECT. The organization is the owner of the certificate authority (CA) is correct. If the CA belongs to the same organization, this would pose a risk. The management of a CA must be based on trusted and secure procedures. If the organization has not set in place the controls to manage the registration, distribution and revocation of certificates, this could lead to a compromise of the certificates and loss of trust.
C) INCORRECT. Customers are widely dispersed geographically, but the CAs are not is incorrect. It is common to use a single CA. They do not need to be geographically dispersed.
B) INCORRECT. Customers can make their transactions from any computer or mobile device is incorrect. The use of public key infrastructure and certificates allows flexible secure communications from many devices.

D) Awareness of cultural and political differences - CORRECT ANSWER B) IS CORRECT. Detailed and correctly applied specifications is correct. When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated.
Inaccurate specifications cannot easily be corrected.
A) INCORRECT. Stringent contract management practices is incorrect. Contract management practices, although important, will not ensure successful development if the specifications are incorrect.
D) INCORRECT. Awareness of cultural and political differences is incorrect. Cultural and political differences, although important, should not affect the delivery of a good product.
C) INCORRECT. Post-implementation review is incorrect. This, although important, is too late in the process to ensure successful project delivery and is not as pivotal to the success of the project.

Q55) The rate of change in technology increases the importance of:
A) outsourcing the IT function.
B) meeting user requirements.
C) implementing and enforcing sound processes.
D) hiring qualified personnel. - CORRECT ANSWER C) IS CORRECT. Implementing and enforcing sound processes is correct. Change control requires that good change management processes be implemented and enforced.
A) INCORRECT. Outsourcing the IT function is incorrect. This is a business decision and not directly related to the rate of technological change, nor does the rate of change increase the importance of outsourcing.
D) INCORRECT. Hiring qualified personnel is incorrect. Personnel in a typical IT department can often be trained in new technologies to meet organizational requirements.
B) INCORRECT. Meeting user requirements is incorrect. Although meeting user requirements is important, it is not directly related to the rate of technological change in the IT environment.

Q56) Email message authenticity and confidentiality is BEST achieved by signing the message using the:
A) receiver's private key and encrypting the message using the sender's public key.
B) sender's private key and encrypting the message using the receiver's public key.
C) sender's public key and encrypting the message using the receiver's private key.
D) receiver's public key and encrypting the message using the sender's private key. - CORRECT ANSWER B) IS CORRECT. Sender's private key and encrypting the message using the receiver's public key is correct. By signing the message with the sender's private key, the receiver can verify its authenticity using the sender's public key. Encrypting with the receiver's public key provides confidentiality.
C) INCORRECT. Sender's public key and encrypting the message using the receiver's private key is incorrect. Signing can only occur using the sender's private key.
A) INCORRECT. Receiver's private key and encrypting the message using the sender's public key is incorrect. The sender would not have access to the receiver's private key.
D) INCORRECT. Receiver's public key and encrypting the message using the sender's private key is incorrect. By encrypting the message with the receiver's public key, only the receiver can decrypt the message using their own private key. The receiver's private key is confidential and, therefore, unknown to the sender. Messages encrypted using the sender's private key can be read by anyone with the sender's public key.

Q57) Which of the following would be the BEST access control procedure?
A) The data owner and an IS manager jointly create and update the user authorization tables.
B) The data owner formally authorizes access and an administrator implements the user authorization tables.
C) The data owner creates and updates the user authorization tables.
D) Authorized staff implements the user authorization tables and the data owner approves them. - CORRECT ANSWER B) IS CORRECT. The data owner formally authorizes access and an administrator implements the user authorization tables is correct. The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables at the direction of the owner.
D) INCORRECT.
Authorized staff implements the user authorization tables and the data owner approves them is incorrect. The owner sets the rules and conditions for access. It is best to obtain approval before implementing the tables.
A) INCORRECT. The data owner and an IS manager jointly create and update the user authorization tables is incorrect. The data owner may consult with the IS manager to set out access control rules, but the responsibility for appropriate access remains with the data owner. The IT department should set up the access control tables at the direction of the owner.
C) INCORRECT. The data owner creates and updates the user authorization tables is incorrect. The data owner would not usually manage updates to the authorization tables.

B) INCORRECT. Reasonableness check is incorrect. This is used to ensure that input data is within expected values, not to ensure integrity of data transmission. Data can be changed and still pass a reasonableness test.
D) INCORRECT. Parity bits is incorrect. These are a weak form of data integrity checks used to detect errors in transmission, but they are not as good as using a hash.
C) INCORRECT. Check digits is incorrect. These are used to detect an error in a numeric field such as an account number and is usually related to a transposition or transcribing error.

Q61) An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following: The existing DRP was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department. The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting attention. The DRP has never been updated, tested or circulated to key management and staff, although interviews show that each would know what action to take for its area if a disruptive incident occurred.
The IS auditor's report should recommend that:
A) a manager coordinates the creation of a new or revised plan within a defined time limit.
B) the deputy chief executive officer (CEO) be censured for failure to approve the plan.
C) a board of senior managers is set up to rev - CORRECT ANSWER A) IS CORRECT. A manager coordinates the creation of a new or revised plan within a defined time limit is correct. The primary concern is to establish a workable disaster recovery plan (DRP) that reflects current processing volumes to protect the organization from any disruptive incident.
B) INCORRECT. The deputy chief executive officer (CEO) is censured for failure to approve the plan is incorrect. Censuring the deputy CEO will not improve the current situation and is generally not within the scope of an IS auditor to recommend.
C) INCORRECT. A board of senior managers is set up to review the existing plan is incorrect. Establishing a board to review the DRP, which is two years out of date, may achieve an updated DRP but is not likely to be a speedy operation; issuing the existing DRP would be imprudent without first ensuring that it is workable.
D) INCORRECT. The existing plan is approved and circulated to all key management and staff is incorrect. The current DRP may be unacceptable or ineffective and recommending the approval of the DRP may be unwise. The best way to develop a DRP in a short time is to make an experienced manager responsible for coordinating the knowledge of other managers into a single, formal document within a defined time limit.

Q62) Which of the following inputs would PRIMARILY help in designing the data backup strategy in case of potential natural disasters?
A) Recovery point objective
B) Recovery time objective
C) Available data backup technologies
D) Volume of data to be backed up - CORRECT ANSWER A) IS CORRECT. Recovery point objective (RPO) is correct. This is determined based on the acceptable data loss in case of a disruption of operations.
It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the acceptable amount of data loss in the case of interruption. Based on the RPO, one can design the data backup strategy for potential disasters using various technologies.
D) INCORRECT. Volume of data to be backed up is incorrect. While the amount of data to be stored is critical in terms of planning for adequate capacity, the speed of recovery required by the business is the most important factor.
C) INCORRECT. Available data backup technologies is incorrect. While a solid understanding of the capabilities of all types of advanced data backup technologies is necessary, without the knowledge of the RPO one cannot design a backup strategy using these technologies.
B) INCORRECT. Recovery time objective is incorrect. This is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. This will help in designing disaster site options, but not the data backup strategy in the case of impacting disasters.

Q63) What is the PRIMARY consideration for an IS auditor reviewing the prioritization and coordination of IT projects and program management?
A) IT project metrics are reported accurately.
B) Projects are aligned with the organization's strategy.
C) Identified project risk is monitored and mitigated.
D) Controls related to project planning and budgeting are appropriate. - CORRECT ANSWER B) IS CORRECT. Projects are aligned with the organization's strategy is correct. The primary goal of IT projects is to add value to the business, so they must be aligned with the business strategy to achieve the intended results. Therefore, the IS auditor should first focus on ensuring this alignment.
C) INCORRECT. Identified project risk is monitored and mitigated is incorrect.
An adequate process for monitoring and mitigating identified project risk is important; however, strategic alignment helps in assessing identified risk in business terms.
D) INCORRECT. Controls related to project planning and budgeting are appropriate is incorrect. Completion of projects within a predefined time and budget is important; however, the focus of project management should be on achieving the desired outcome of the project, which is aligned with the business strategy.

B) The necessary communication protocols
C) The encryption algorithm format
D) The detailed internal control procedures - CORRECT ANSWER C) IS CORRECT. The necessary communication protocols is correct. The communications protocols must be included because there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization.
C) INCORRECT. The encryption algorithm format is incorrect. Encryption algorithms are too detailed for this phase. They would only be outlined, and any cost or performance implications shown.
D) INCORRECT. The detailed internal control procedures is incorrect. Internal control procedures are too detailed for this phase. They would only be outlined, and any cost or performance implications shown.
A) INCORRECT. The proposed trusted third-party agreement is incorrect. Third-party agreements are too detailed for this phase. They would only be outlined, and any cost or performance implications shown.

Q67) Which of the following is the MOST important action in recovering from a cyberattack?
A) Activating an incident response team
B) Hiring cyberforensic investigators
C) Executing a business continuity plan
D) Preserving evidence - CORRECT ANSWER A) IS CORRECT. Activating an incident response team is correct. Hopefully the incident response team and procedures were set up prior to the cyberattack. The first step is to activate the team, contain the incident and keep the business operational.
B) INCORRECT. Hiring cyberforensic investigators is incorrect. When a cyberattack is suspected, cyberforensic investigators should be used to set up alarms, catch intruders within the network, and track and trace them over the Internet. The use of cyberforensic experts is only done after the incident has been identified.
C) INCORRECT. Executing a business continuity plan is incorrect. The most important objective in recovering from a cyberattack is to keep the business operational, but most attacks will not require the activation or use of the business continuity plan.
D) INCORRECT. Preserving evidence is incorrect. The primary objective for the business is to stay in business. In a noncriminal investigation this may even mean that some evidence is lost.

Q68) An IS auditor finds that a disaster recovery plan for critical business functions does not cover all systems. Which of the following is the MOST appropriate course of action for the IS auditor?
A) Cancel the audit.
B) Postpone the audit until the systems are added to the DRP.
C) Alert management and evaluate the impact of not covering all systems.
D) Complete the audit of the systems covered by the existing DRP. - CORRECT ANSWER C) IS CORRECT. Alert management and evaluate the impact of not covering all systems is correct. An IS auditor should make management aware that some systems are omitted from the disaster recovery plan (DRP). An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the DRP.
A) INCORRECT. Cancel the audit is incorrect. Canceling the audit is an inappropriate action.
D) INCORRECT. Complete the audit of the systems covered by the existing DRP is incorrect. Ignoring the fact that some systems are not covered would violate audit standards that require reporting all material findings and is an inappropriate action.
B) INCORRECT. Postponing the audit is an inappropriate action.
The audit should be completed according to the initial scope with identification to management of the risk of systems not being covered.

Q69) An IS auditor discovers several IT-based projects were implemented and not approved by the steering committee. What is the GREATEST concern for the IS auditor?
A) IT projects are not following the system development life cycle process.
B) The IT department may not be working toward a common goal.
C) IT projects are not consistently formally approved.
D) The IT department's projects will not be adequately funded. - CORRECT ANSWER B) IS CORRECT. The IT department may not be working toward a common goal is correct. The steering committee provides direction and control over projects to ensure that the company is making appropriate investments. Without approval, the project may or may not be working toward the company's goals.
D) INCORRECT. The IT department's projects will not be adequately funded is incorrect. Funding for the projects may be addressed through various budgets and may not require steering committee approval. The primary concern would be to ensure that the project is working toward meeting the goals of the company.
A) INCORRECT. IT projects are not following the system development life cycle process is incorrect. Although requiring steering committee approval may be part of the system development life cycle process, the greater concern would be whether the projects are working toward the corporate goals. Without steering committee approval, it would be difficult to determine whether these projects are following the direction of the corporate goals.

C) Review policy to see if a formal exception process is required.
D) Implement additional segregation of duties controls. - CORRECT ANSWER C) IS CORRECT. Review policy to see if a formal exception process is required is correct. If users are granted access to change data in support of business requirements, the policy should be followed.
If there is no policy for the granting of extraordinary access, then one should be designed to ensure no unauthorized changes are made.
B) INCORRECT. Redesign the controls related to data authorization is incorrect. Data authorization controls should be driven by the policy. While there may be some technical controls that could be adjusted, if the data changes happen infrequently, then an exception process would be the better choice.
D) INCORRECT. Implement additional segregation of duties controls is incorrect. While adequate segregation of duties is important, the IS auditor must first review policy to see if there is a formal documented process for this type of temporary access controls to enforce segregation of duties.
A) INCORRECT. Implement additional logging controls is incorrect. Audit trails are needed whenever temporary elevated access is required. However, this is not the first step the auditor should take in reviewing the overall process.

Q73) An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise's investment in software is protected, which of the following should be recommended by the IS auditor?
A) Due diligence should be performed on the software vendor.
B) There should be a source code escrow agreement in place.
C) A quarterly audit of the vendor facilities should be performed.
D) A high penalty clause should be included in the contract. - CORRECT ANSWER B) IS CORRECT. There should be a source code escrow agreement in place is correct. A source code escrow agreement is primarily recommended to help protect the enterprise's investment in software, because the source code will be available through a trusted third party and can be retrieved if the start-up vendor goes out of business.
A) INCORRECT. Due diligence should be performed on the software vendor is incorrect.
Although due diligence is a good practice, it does not ensure availability of the source code in the event of vendor failure.
C) INCORRECT. A quarterly audit of the vendor facilities should be performed is incorrect. Although a quarterly audit of vendor facilities is a good practice, it does not ensure availability of the source code in the event of failure of the start-up vendor.
D) INCORRECT. A high penalty clause should be included in the contract is incorrect. Although a penalty clause is a good practice, it does not provide protection or ensure availability of the source code in the event of vendor bankruptcy.

Q74) An IS auditor is reviewing an organization's controls related to email encryption. The company's policy states that all sent email must be encrypted to protect the confidentiality of the message because the organization shares nonpublic information through email. In a public key infrastructure implementation properly configured to provide confidentiality, email is:
A) encrypted with the recipient's private key and decrypted with the sender's private key.
B) encrypted with the sender's private key and decrypted with the recipient's private key.
C) encrypted with the recipient's public key and decrypted with the recipient's private key.
D) encrypted with the sender's private key and decrypted with the sender's public key. - CORRECT ANSWER C) IS CORRECT. Encrypted with the recipient's public key and decrypted with the recipient's private key is correct. Encrypting a message with the recipient's public key and decrypting it with the recipient's private key ensures message confidentiality, because only the intended recipient has the correct private key to decrypt the message.
D) INCORRECT. Encrypted with the sender's private key and decrypted with the sender's public key is incorrect. This ensures that the message came from the sender; however, it does not guarantee message confidentiality.
With public key infrastructure, a message encrypted with a private key must be decrypted with the corresponding public key, and vice versa.
A) INCORRECT. Encrypted with the recipient's private key and decrypted with the sender's private key is incorrect. The sender would not have access to the receiver's private key.
B) INCORRECT. Encrypted with the sender's private key and decrypted with the recipient's private key is incorrect. A message encrypted with the sender's private key could not be decrypted using the recipient's private key.

Q75) During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:
A) message authentication.
B) encryption.
C) callback modems.
D) dedicated leased lines. - CORRECT ANSWER B) IS CORRECT. Encryption is correct. Encryption of data is the most secure method of protecting confidential data from exposure.

authorized and unauthorized users. A separate virtual local area network is the best solution because it ensures that both authorized and unauthorized users are prevented from gaining network access to database servers, while allowing Internet access to authorized users.
C) INCORRECT. Encryption is enabled on the access point is incorrect. Enabling encryption is a good idea to prevent unauthorized network access, but it is more important to isolate the consultants from the rest of the corporate network.
B) INCORRECT. Antivirus signatures and patch levels are current on the consultants' laptops is incorrect. Antivirus signatures and patch levels are good practices but not as critical as preventing network access via access controls for the corporate servers.
D) INCORRECT. Default user IDs are disabled and strong passwords are set on the corporate servers is incorrect.
Protecting the organization's servers through good passwords is good practice, but it is still necessary to isolate the network being used by the consultants. If the consultants can access the rest of the network, they could use password cracking tools against other corporate machines.

Q78) During an access control review for a mainframe application, an IS auditor discovers user security groups without designated owners. The PRIMARY reason that this is a concern to the IS auditor is that without ownership, there is no one with clear responsibility for:
A) reviewing existing user access.
B) updating group metadata.
C) approval of user access.
D) removing terminated users. - CORRECT ANSWER C) IS CORRECT. Approval of user access is correct. Without an owner to provide approval for user access to the group, unauthorized individuals could potentially gain access to any sensitive data within the rights of the group.
B) INCORRECT. Updating group metadata is incorrect. Updating data about the group is not a great concern when compared to unauthorized access.
A) INCORRECT. Reviewing existing user access is incorrect. While the periodic review of user accounts is a good practice, this is a detective control and not as robust as preventing unauthorized access to the group in the first place.
D) INCORRECT. Removing terminated users is incorrect. This is a compensating control for the normal termination process and is also a detective control.

Q79) Which of the following types of penetration tests effectively evaluates the incident handling and response capability of the system administrator?
A) Targeted testing
B) Double-blind testing
C) Internal testing
D) External testing - CORRECT ANSWER B) IS CORRECT. Double-blind testing is correct. In double-blind testing, the penetration tester has little or limited knowledge about the target system, and personnel at the target site have not been informed that a test is being performed.
Because the administrator and security staff at the target are not aware of the test, it can effectively evaluate the incident handling and response capability of the system administrator.
A) INCORRECT. Targeted testing is incorrect. In targeted testing, penetration testers are provided with information related to target and network design and the target's IT team is aware of the testing activities.
C) INCORRECT. Internal testing is incorrect. This refers to attacks and control circumvention attempts on the target from within the perimeter. The system administrator is typically aware of the testing activities.
D) INCORRECT. External testing is incorrect. This is a generic term that refers to attacks and control circumvention attempts on the target from outside the target system. The system administrator may or may not be aware of the testing activities, so this is not the correct answer.
(Note: Rather than concentrating on specific terms, CISA candidates should understand the differences between various types of penetration testing.)

Q80) An employee has received a digital photo frame as a gift and has connected it to his/her work PC to transfer digital photos. The PRIMARY risk that this scenario introduces is that:
A) the drivers for the photo frame may be incompatible and crash the user's PC.
B) the photo frame could be infected with malware.
C) the photo frame storage media could be used to steal corporate data.
D) the employee may bring inappropriate photographs into the office.
- CORRECT ANSWER B) IS CORRECT. The photo frame could be infected with malware is correct. Any storage device can be a vehicle for infecting other computers with malware. There are several examples where it has been discovered that some devices are infected in the factory during the manufacturing process, and controls should exist to prohibit employees from connecting any storage media devices to their company-issued PCs.
C) INCORRECT.
The photo frame storage media could be used to steal corporate data is incorrect. Although any storage device could be used to steal data, the damage caused by malware could be widespread and severe for the enterprise, which is the more significant risk.
A) INCORRECT. The drivers for the photo frame may be incompatible and crash the user's PC is incorrect. Although device drivers may be incompatible and crash the user's PC, the damage caused by malware could be widespread and severe for the enterprise.
D) INCORRECT. The employee may bring inappropriate photographs into the office is incorrect. Although inappropriate content could result, the damage caused by malware could be widespread and severe for the enterprise.

combination of public and symmetric key encryption and integrity through hash message authentication code.
C) INCORRECT. Intrusion detection system is incorrect. This will log network activity but is not used for protecting traffic over the Internet.
D) INCORRECT. Public key infrastructure is incorrect. This is used in conjunction with SSL or for securing communications such as e-commerce and email.
A) INCORRECT. Virtual private network (VPN) is incorrect. This is a generic term for a communications tunnel that can provide confidentiality, integrity and authentication (reliability). A VPN can operate at different levels of the Open Systems Interconnection stack and may not always be used in conjunction with encryption. SSL can be called a type of VPN.

Q84) An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?
A) Risk mitigation
B) Risk avoidance
C) Risk transfer
D) Risk reduction
- CORRECT ANSWER C) IS CORRECT. Risk transfer is correct. This typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist.
D) INCORRECT.
Risk reduction is incorrect. This is a term synonymous with risk mitigation. Risk reduction lowers risk to a level commensurate with the organization's risk appetite. Risk reduction treats the risk, while risk transfer does not always address compliance risk.
B) INCORRECT. Risk avoidance is incorrect. This does not expose the organization to compliance risk because the business practice that caused the inherent risk to exist is no longer being pursued.
A) INCORRECT. Risk mitigation is incorrect. This will still expose the organization to a certain amount of risk. Risk mitigation lowers risk to a level commensurate with the organization's risk appetite. However, risk transference is the best answer because risk mitigation treats the risk, while risk transfer does not necessarily address compliance risk.

Q85) A system developer transfers to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST significant concern?
A) The employee's knowledge of business risk may be limited.
B) Audit points may largely shift to technical aspects.
C) The work may be construed as a self-audit.
D) The employee may not have sufficient control assessment skills.
- CORRECT ANSWER C) IS CORRECT. The work may be construed as a self-audit is correct. Because the employee had been a developer, it is recommended that the audit coverage should exclude the systems developed by this employee to avoid any conflicts of interest.
B) INCORRECT. Audit points may largely shift to technical aspects is incorrect. Because the employee has a technical background, it is possible that the audit findings tend to focus on technical matters. However, this is normally corrected in the review process before it is carried out in production.
D) INCORRECT. The employee may not have sufficient control assessment skills is incorrect.
Because auditing is a new role for this employee, they may not have adequate control assessment skills. However, this can be addressed by on-the-job training and is not as big a concern as a potential conflict of interest.
A) INCORRECT. The employee's knowledge of business risk may be limited is incorrect. Because this employee was previously employed in the organization's IT department, it is possible to build upon the employee's current understanding of the business to address any gaps in knowledge.

Q86) Regression testing is undertaken PRIMARILY to ensure that:
A) a new system can operate in the target environment.
B) system functionality meets customer requirements.
C) applied changes have not introduced new errors.
D) applicable development standards have been maintained.
- CORRECT ANSWER C) IS CORRECT. Applied changes have not introduced new errors is correct. Regression testing is used to test for the introduction of new errors in the system after changes have been applied.
B) INCORRECT. System functionality meets customer requirements is incorrect. Validation testing is used to test the functionality of the system against detailed requirements to ensure that software construction is traceable to customer requirements.
A) INCORRECT. A new system can operate in the target environment is incorrect. Sociability testing is used to see whether the system can operate in the target environment without adverse impacts on the existing systems.
D) INCORRECT. Applicable development standards have been maintained is incorrect. Software quality assurance and code reviews are used to determine whether development standards are maintained.

Q87) A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?

D) INCORRECT.
Change the name of the database administrator (DBA) account is incorrect. This could impact production database servers and thus would not be a good idea.
C) INCORRECT. Suspend the DBA account is incorrect. This could impact the production database servers and may not be effective if there is more than one DBA account sharing the same database password. The thief may guess the account names of the other DBAs.

Q90) An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is the MOST likely cause of this issue?
A) Project time management
B) Project risk management
C) Project scope management
D) Project procurement management
- CORRECT ANSWER C) IS CORRECT. Project scope management is correct. Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processes required to ensure that the project includes all of the required work, and only the required work, to complete the project.
A) INCORRECT. Project time management is incorrect. This is defined as the processes required to ensure timely completion of the project. The issue noted in the question does not mention whether projects were completed on time, so this is not the most likely cause.
B) INCORRECT. Project risk management is incorrect. This is defined as the processes concerned with identifying, analyzing and responding to project risk. Although the budget overruns mentioned above represent one form of project risk, they appear to be caused by implementing too much functionality, which relates more directly to project scope.
D) INCORRECT. Project procurement management is incorrect.
This is defined as the processes required to acquire goods and services from outside the performing organization. Although purchasing goods and services that are too expensive can cause budget overruns, in this case the key to the question is that implemented functionality is greater than what was required, which is more likely related to project scope.

Q91) Which of the following choices would MOST likely ensure that a disaster recovery effort is successful?
A) Appropriate staff resources are committed.
B) Data restoration was completed.
C) Recovery procedures are approved.
D) The tabletop test was performed.
- CORRECT ANSWER B) IS CORRECT. Data restoration was completed is correct. The most reliable method to determine whether a backup is valid would be to restore it to a system. A data restore test should be performed at least annually to verify that the process is working properly.
D) INCORRECT. The tabletop test was performed is incorrect. Performing a tabletop test is extremely helpful but does not ensure that the recovery process is working properly.
C) INCORRECT. Recovery procedures are approved is incorrect. This will not ensure that data can be successfully restored.
A) INCORRECT. Appropriate staff resources are committed is incorrect. While this is appropriate, without data the recovery would not be successful.

Q92) An organization is migrating from a legacy system to an enterprise resource planning system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
A) correlation of semantic characteristics of the data migrated between the two systems.
B) relative efficiency of the processes between the two systems.
C) correlation of arithmetic characteristics of the data migrated between the two systems.
D) correlation of functional characteristics of the processes between the two systems.
- CORRECT ANSWER A) IS CORRECT.
Correlation of semantic characteristics of the data migrated between the two systems is correct. Because the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data (structure) is the same in the new system as it was in the old system.
C) INCORRECT. Correlation of arithmetic characteristics of the data migrated between the two systems is incorrect. Arithmetic characteristics represent aspects of data structure and internal definition in the database and, therefore, are less important than the semantic characteristics.
D) INCORRECT. Correlation of functional characteristics of the processes between the two systems is incorrect. A review of the correlation of the functional characteristics between the two systems is not relevant to a data migration review.
B) INCORRECT. Relative efficiency of the processes between the two systems is incorrect. A review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

Q93) Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?

D) hardware is protected against power surges.
- CORRECT ANSWER D) IS CORRECT. Hardware is protected against power surges is correct. A voltage regulator protects against short-term power fluctuations.
B) INCORRECT. Integrity is maintained if the main power is interrupted is incorrect. A voltage regulator does not maintain integrity if power is interrupted or lost.
C) INCORRECT. Immediate power will be available if the main power is lost is incorrect. An uninterruptible power supply (UPS) is used to provide constant power even if main power is lost.
A) INCORRECT. Hardware is protected against long-term power fluctuations is incorrect. A voltage regulator protects against short-term power fluctuations.
Q96) An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the:
A) security policy be updated to include the specific language regarding unauthorized software.
B) IT department implement control mechanisms to prevent unauthorized software installation.
C) users obtain approval from an IS manager before installing nonstandard software.
D) IT department prohibit the download of unauthorized software.
- CORRECT ANSWER A) IS CORRECT. Security policy be updated to include the specific language regarding unauthorized software is correct. Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue and to provide authority for the IT department to implement technical controls.
B) INCORRECT. IT department implement control mechanisms to prevent unauthorized software installation is incorrect. An IS auditor's obligation is to report on observations noted and make the best recommendation, which is to address the situation through policy. The IT department cannot implement controls in the absence of the authority provided through policy.
D) INCORRECT. IT department prohibit the download of unauthorized software is incorrect. Preventing downloads of unauthorized software is not the complete solution. Unauthorized software can also be introduced through compact discs (CDs) and universal serial bus (USB) drives.
C) INCORRECT. Users obtain approval from an IS manager before installing nonstandard software is incorrect. Requiring approval from the IS manager before installation of nonstandard software is an exception handling control. It would not be effective unless a preventive control to prohibit user installation of unauthorized software is established first.
Q97) The risk associated with electronic evidence gathering is MOST likely reduced by an email:
A) destruction policy.
B) audit policy.
C) security policy.
D) archive policy.
- CORRECT ANSWER D) IS CORRECT. Archive policy is correct. With a policy of well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible.
A) INCORRECT. Destruction policy is incorrect. The email retention policy would include the destruction or deletion of emails. This must be compliant with legal requirements to retain emails.
C) INCORRECT. Security policy is incorrect. A security policy is too high level and would not address the risk of inadequate retention of emails or the ability to provide access to emails when required.
B) INCORRECT. Audit policy is incorrect. An audit policy would not address the legal requirement to provide emails as electronic evidence.

Q98) When reviewing an organization's approved software product list, which of the following is the MOST important thing to verify?
A) Due to licensing issues, the list does not contain open source software.
B) The latest version of software is listed for each product.
C) The risk associated with the use of the products is periodically assessed.
D) After-hours support is offered.
- CORRECT ANSWER C) IS CORRECT. The risk associated with the use of the products is periodically assessed is correct. Because the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This may be best incorporated into the IT risk management process.
B) INCORRECT. The latest version of software is listed for each product is incorrect. The organization may not be using the latest version of a product.
A) INCORRECT. Due to licensing issues, the list does not contain open source software is incorrect. The list may contain open source software depending on the business requirements and associated risk.
D) INCORRECT. After-hours support is offered is incorrect. Support may be provided internally or externally, and technical support should be arranged depending on the criticality of the software.

Q99) A project development team is considering using production data for its test deck. The team removed sensitive data elements from the bed before loading it into

B) INCORRECT. The IT department is incorrect. This department is responsible for the execution of the policy, having no authority in framing the policy.
D) INCORRECT. The security committee is incorrect. This group also functions within the broad security policy framed by the board of directors.
C) INCORRECT. The security administrator is incorrect. This role is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.

Q102) Which of the following features of a public key infrastructure is MOST closely associated with proving that an online transaction was authorized by a specific customer?
A) Authentication
B) Integrity
C) Encryption
D) Nonrepudiation
- CORRECT ANSWER D) IS CORRECT. Nonrepudiation is correct. This, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message.
C) INCORRECT. Encryption is incorrect. This plays a role in creating digital signatures, which are used to provide nonrepudiation, but encryption is also used for other purposes, whereas nonrepudiation is entirely concerned with ensuring that specific actions can be traced to specific actors in a manner beyond reasonable doubt.
A) INCORRECT. Authentication is incorrect. This is necessary to establish the identification of all parties to a communication but does not play a central role in the scenario described.
B) INCORRECT. Integrity is incorrect. This ensures that transactions are accurate but does not provide the identification of the customer.
Q103) An IS auditor is reviewing system access and discovers an excessive number of users with privileged access. The IS auditor discusses the situation with the system administrator, who states that some personnel in other departments need privileged access and management has approved the access. Which of the following would be the BEST course of action for the IS auditor?
A) Document the issue in the audit report.
B) Recommend an update to the procedures.
C) Discuss the issue with senior management.
D) Determine whether compensating controls are in place.
- CORRECT ANSWER D) IS CORRECT. Determine whether compensating controls are in place is correct. An excessive number of users with privileged access is not necessarily an issue if compensating controls are in place.
A) INCORRECT. Document the issue in the audit report is incorrect. An IS auditor should gather additional information before presenting the situation in the report.
B) INCORRECT. Recommend an update to the procedures is incorrect. An update to procedures would not address a potential weakness in logical security and may not be feasible if individuals are required to have this access to perform their jobs.
C) INCORRECT. Discuss the issue with senior management is incorrect. The IS auditor should gather additional information before reporting the item to senior management.

Q104) An IS auditor discovers that devices connected to the network are not included in a network diagram that had been used to develop the scope of the audit. The chief information officer explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:
A) evaluate the impact of the undocumented devices on the audit scope.
B) expand the scope of the IS audit to include the devices that are not on the network diagram.
C) plan follow-up audits of the undocumented devices.
D) note a control deficiency because the network diagram has not been approved.
- CORRECT ANSWER A) IS CORRECT.
Evaluate the impact of the undocumented devices on the audit scope is correct. In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated (for example, the network layer, cross-connections, etc.).
B) INCORRECT. Expand the scope of the IS audit to include the devices that are not on the network diagram is incorrect. It is important that the IS auditor does not immediately assume that everything on the network diagram provides information about the risk affecting a network/system. There is a process in place for documenting and updating the network diagram.
D) INCORRECT. Note a control deficiency because the network diagram has not been approved is incorrect. In this case, there is simply a mismatch in timing between the completion of the approval process and when the IS audit began. There is no control deficiency to be reported.
C) INCORRECT. Plan follow-up audits of the undocumented devices is incorrect. Planning for follow-up audits of the undocumented devices is contingent on the risk that the undocumented devices have on the ability of the entity to meet the audit scope.

Q105) When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor?

An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability?
A) Test plans and procedures exist and are closely followed.
B) Changes are authorized by IT managers at all times.
C) User acceptance testing is performed and properly documented.
D) Capacity planning is performed as part of each development project.
- CORRECT ANSWER A) IS CORRECT.
Test plans and procedures exist and are closely followed is correct. The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently.
B) INCORRECT. Changes are authorized by IT managers at all times is incorrect. Changes are usually required to be signed off by a business analyst, member of the change control board or other authorized representative, not necessarily by IT management.
C) INCORRECT. User acceptance testing is performed and properly documented is incorrect. User acceptance testing is important but not a critical element of change control and would not usually address the topic of availability as asked in the question.
D) INCORRECT. Capacity planning is performed as part of each development project is incorrect. While capacity planning should be considered in each development project, it will not ensure system availability, nor is it part of the change control process.

Q108) Which of the following is the MOST efficient strategy for the backup of large quantities of mission-critical data when the systems need to be online to take sales orders 24 hours a day?
A) Making a full backup to tape weekly and an incremental backup nightly
B) Creating a duplicate storage area network (SAN) and replicating the data to a second SAN
C) Implementing a fault-tolerant disk-to-disk backup solution
D) Creating identical server and storage infrastructure at a hot site
- CORRECT ANSWER C) IS CORRECT. Implementing a fault-tolerant disk-to-disk backup solution is correct. Disk-to-disk backup, also called disk-to-disk-to-tape backup or tape cache, is when the primary backup is written to disk instead of tape. That backup can then be copied, cloned or migrated to tape at a later time (hence the term "disk-to-disk-to-tape"). This technology allows the backup of data to be performed without impacting system performance and allows a large quantity of data to be backed up in a very short backup window.
In case of a failure, the fault-tolerant system can transfer immediately to the other disk set.
A) INCORRECT. Making a full backup to tape weekly and an incremental backup nightly is incorrect. While a backup strategy involving tape drives is valid, because many computer systems must be taken offline so that backups can be performed, there is the need to create a backup window, typically during each night. This would not enable the system to be available 24/7. For a system that must remain online at all times, the only feasible way to back up the data is to either duplicate the data to a server that gets backed up to tape, or deploy a disk-to-disk solution, which is effectively the same thing.
B) INCORRECT. Creating a duplicate storage area network (SAN) and replicating the data to a second SAN is incorrect. While creating a duplicate SAN and replicating the data to a second SAN provides some redundancy and data protection, this is not really a backup solution. If the two systems are at the same site, there is a risk that an incident such as a fire or flood in the data center could lead to data loss.
D) INCORRECT. Creating identical server and storage infrastructure at a hot site is incorrect. While creating an identical server and storage infrastructure at a hot site provides a great deal of redundancy

Q109) An IS auditor performing detailed network assessments and access control reviews should FIRST:
A) assess users' identification and authorization.
B) evaluate users' access authorization.
C) determine the points of entry into the network.
D) evaluate the domain-controlling server configuration.
- CORRECT ANSWER C) IS CORRECT. Determine the points of entry into the network is correct. In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry, accordingly, for appropriate controls.
B) INCORRECT. Evaluate users' access authorization is incorrect.
This is an implementation issue for appropriate controls for the points of entry.
A) INCORRECT. Assess users' identification and authorization is incorrect. This is an implementation issue for appropriate controls for the points of entry.
D) INCORRECT. Evaluate the domain-controlling server configuration is incorrect. This is not the first area to be reviewed. It will be reviewed once the network entry points have been identified.

Q110) When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies:
A) strike a balance between business and security requirements.
B) provide direction for implementing security procedures.
C) are approved by the board of directors and senior management.
D) are aligned with globally accepted industry good practices.
- CORRECT ANSWER A) IS CORRECT. Strike a balance between business and security requirements is

packet level. This would be the best solution to protect an application but not a network.
B) INCORRECT. Packet filtering router is incorrect. This examines the header of every packet or data traveling between the Internet and the corporate network. This is a low-level control.
C) INCORRECT. Circuit-level gateway is incorrect. This firewall, such as a Socket Secure server, will protect users by acting as a proxy but is not the best defense for a network.

Q113) When reviewing system parameters, an IS auditor's PRIMARY concern should be that:
A) access to parameters in the system is restricted.
B) changes are recorded in an audit trail and periodically reviewed.
C) changes are authorized and supported by appropriate documents.
D) they are set to meet both security and performance requirements.
- CORRECT ANSWER D) IS CORRECT. They are set to meet both security and performance requirements is correct. The primary concern is to find the balance between security and performance.
Recording changes in an audit trail and periodically reviewing them is a detective control; however, if parameters are not set according to business rules, monitoring of changes may not be an effective control.
B) INCORRECT. Changes are recorded in an audit trail and periodically reviewed is incorrect. Reviewing changes to ensure that they are supported by appropriate documents is also a detective control.
C) INCORRECT. Changes are authorized and supported by appropriate documents is incorrect. If parameters are set incorrectly, the related documentation and the fact that these are authorized does not reduce the impact.
A) INCORRECT. Access to parameters in the system is restricted is incorrect. Restriction of access to parameters ensures that only authorized staff can access the parameters; however, if the parameters are set incorrectly, restricting access will still have an adverse impact.

Q114) What would an IS auditor evaluate while performing a review of application controls?
A) Impact of any exposures discovered
B) Application's optimization
C) Efficiency of the application in meeting the business processes
D) Business processes served by the application
- CORRECT ANSWER A) IS CORRECT. Impact of any exposures discovered is correct. An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses.
C) INCORRECT. Efficiency of the application in meeting the business processes is incorrect. The IS auditor is reviewing the effectiveness of the controls, not the suitability of the application to meet business needs.
D) INCORRECT. Business processes served by the application is incorrect. This is not part of an audit restricted to a review of the application controls.
B) INCORRECT. Application's optimization is incorrect. One area to be reviewed may be the efficiency and optimization of the application, but this is not the area being reviewed in this audit.
Q115) An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks and reports for distribution. To BEST ensure payroll data accuracy:
A) checks should be compared to input forms.
B) payroll reports should be compared to input forms.
C) gross payroll should be recalculated manually.
D) checks should be reconciled with output reports.
- CORRECT ANSWER B) IS CORRECT. Payroll reports should be compared to input forms is correct. The best way to confirm data accuracy, when input is provided by the organization and output is generated by the bank, is to verify the data input (input forms) against the results in the payroll reports.
C) INCORRECT. Gross payroll should be recalculated manually is incorrect. Recalculating gross payroll manually only verifies whether the processing is correct and not the data accuracy of inputs.
A) INCORRECT. Checks should be compared to input forms is incorrect. Comparing checks to input forms is not feasible because checks contain the processed information and input forms contain the input data.
D) INCORRECT. Checks should be reconciled with output reports is incorrect. Reconciling checks with output reports only confirms that checks were issued as stated on output reports.

Q116) Which of the following is a network diagnostic tool that monitors and records network information?
A) Online monitor
B) Help desk report
C) Protocol analyzer
D) Downtime report
- CORRECT ANSWER C) IS CORRECT. Protocol analyzer is correct. These are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached.