CISA - EXAM 3 questions with correct answers

Q01) The success of control self-assessment depends highly on:
A) assigning staff managers the responsibility for building controls.
B) the implementation of a stringent control policy and rule-driven controls.
C) line managers assuming a portion of the responsibility for control monitoring.
D) the implementation of supervision and monitoring of controls of assigned duties.

Correct Answer-C) CORRECT. Line managers assuming a portion of the responsibility for control monitoring is correct. The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly.

A) INCORRECT. Assigning staff managers the responsibility for building controls is incorrect. CSA requires managers to participate in the monitoring of controls.

B) INCORRECT. The implementation of a stringent control policy and rule-driven controls is incorrect. The implementation of stringent controls will not ensure controls are working correctly.

D) INCORRECT. The implementation of supervision and monitoring of controls of assigned duties is incorrect. Better supervision is a compensating and detective control and may assist in ensuring control effectiveness but would work best when used in a formal process such as CSA.

Q02) An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise's security requirements?
A) The vendor agrees to implement controls in alignment with the enterprise.
B) The vendor agrees to provide annual external audit reports in the contract.
C) The vendor provides the latest internal audit report for verification.
D) The vendor provides the latest third-party audit report for verification.

Correct Answer-B) CORRECT. The vendor agrees to provide annual external audit reports in the contract is correct. The only way to ensure that any potential risk is mitigated today and in the future is to include a clause within the contract that the vendor will provide future external audit reports. Without the audit clause the vendor can choose to forego future audits.

D) INCORRECT. The vendor provides the latest third-party audit report for verification is incorrect. Although the vendor is providing the most recent third-party audit report for review, there is no agreement contractually that would require the vendor to continue to provide annual reports for verification and review.

C) INCORRECT. The vendor provides the latest internal audit report for verification is incorrect. Although the vendor is providing the most recent internal

B) INCORRECT. Blocking eligible connections is incorrect. Blocking suspicious connections is a characteristic of intrusion prevention systems, which are a different type of network security system.

Q05) A company's development team does not follow generally accepted system development life cycle practices. Which of the following is MOST likely to cause problems for software development projects?
A) Functional verification of the prototypes is assigned to end users.
B) Project responsibilities are not formally defined at the beginning of a project.
C) Program documentation is inadequate.
D) The project is implemented while minor issues are open from user acceptance testing.

Correct Answer-B) IS CORRECT. Project responsibilities are not formally defined at the beginning of a project is correct.
Errors or lack of attention in the initial phases of a project may cause costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project.

A) INCORRECT. Functional verification of the prototypes is assigned to end users is incorrect. Prototypes are verified by users.

D) INCORRECT. The project is implemented while minor issues are open from user acceptance testing is incorrect. User acceptance testing is seldom completely successful. If errors are not critical, they may be corrected after implementation without seriously affecting usage.

C) INCORRECT. Program documentation is inadequate is incorrect. Lack of adequate program documentation, while a concern, is not as big a risk as the lack of assigned responsibilities during the initial stages of the project.

Q06) Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?
A) Allocating resources
B) Attention to detail
C) Managing audit staff
D) Project management

Correct Answer-D) IS CORRECT. Project management is correct. Audits often involve resource management, deliverables, scheduling and deadlines that are similar to project management good practices.

C) INCORRECT. Managing audit staff is incorrect. This is not the only aspect of conducting an audit.

A) INCORRECT. Allocating resources is incorrect. These resources, including time and personnel, are needed for overall project management skills.

B) INCORRECT. Attention to detail is incorrect. This is needed, but it is not a constraint of conducting audits.

Q07) Which of the following BEST helps prioritize the recovery of IT assets when planning for a disaster?
A) Business impact analysis
B) Incident response plan
C) Recovery time objective
D) Threat and risk analysis

Correct Answer-A) IS CORRECT. Business impact analysis is correct.
Incorporating the business impact analysis (BIA) into the IT disaster recovery planning process is critical to ensure that IT assets are prioritized to align with the business.

B) INCORRECT. Incident response plan is incorrect. An incident response plan is an organized approach to addressing and managing a security breach or attack. The plan defines what constitutes an incident and the process to follow when an incident occurs. It does not prioritize recovery during a disaster.

D) INCORRECT. Threat and risk analysis is incorrect. Identifying threats and analyzing risk to the business is an important part of disaster planning, but it does not determine the priority of recovery.

C) INCORRECT. Recovery time objective is incorrect. The recovery time objective is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. This is included as part of the BIA and used to represent the prioritization of recovery.

Establishing the level of acceptable risk is the responsibility of:
A) the chief information officer.
B) quality assurance management.
C) senior business management.
D) the chief security officer.

Correct Answer-C) IS CORRECT. Senior business management is correct. Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization as a senior manager of the business process. The person can be the quality assurance (QA), chief information officer (CIO), or the chief security officer (CSO), but the responsibility rests with the business manager.

B) INCORRECT. Quality assurance management is incorrect. QA is concerned with reliability and consistency of processes. The QA team is not responsible for determining an acceptable risk level.

A) INCORRECT. The chief information officer is incorrect. The establishment of acceptable risk levels is a senior business management responsibility.
The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. The CIO is rarely the person that determines acceptable risk levels because this could be a conflict of interest unless the CIO is the senior business process owner.

D) INCORRECT. The chief security officer is incorrect. The establishment of acceptable risk levels is a senior business management responsibility. The CSO is responsible for enforcing the decisions of the senior management team unless the CIO is the business process manager.

Q11) An IS auditor reviewing the process of log monitoring wants to evaluate the organization's manual review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?
A) Inquiry
B) Walk-through
C) Reperformance
D) Inspection

Correct Answer-B) IS CORRECT. Walk-through is correct. These procedures usually include a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses.

D) INCORRECT. Inspection is incorrect. This is just one component of a walk-through and by itself does not supply enough information to provide a full understanding of the overall process and identify potential control weaknesses.

A) INCORRECT. Inquiry is incorrect. This provides only general information on how the control is executed. It does not necessarily enable the IS auditor to determine whether the control performer has an in-depth understanding of the control.

C) INCORRECT. Reperformance is incorrect.
Reperformance of the control is carried out by the IS auditor and does not provide assurance of the competency of the auditee.

Q12) An IS auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when:
A) the service level agreement does not address the responsibility of the vendor in the case of a security breach.
B) the organization is not permitted to assess the controls in the participating vendor's site.
C) the organization is using an older version of a browser and is vulnerable to certain types of security risk.
D) laws and regulations are different in the countries of the organization and the vendor.

Correct Answer-A) IS CORRECT. The service level agreement does not address the responsibility of the vendor in the case of a security breach is correct. Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach.

C) INCORRECT. Five users with the ability to capture and send their own messages is incorrect. Users may have the ability to send messages but should not be able to verify their own messages.

B) INCORRECT. Five users with the ability to verify other users and to send their own messages is incorrect. This is an example of separation of duties. A person can send their own message but only verify the messages of other users.

A) INCORRECT. Three users with the ability to capture and verify the messages of other users and to send their own messages is incorrect. The ability to capture and verify the messages of others but only send their own messages is acceptable.
Q15) The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning system. In the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy?
A) Significant cost savings over other testing approaches
B) Assurance that new, faster hardware is compatible with the new system
C) Assurance that the new system meets functional requirements
D) Increased resiliency during the parallel processing time

Correct Answer-C) IS CORRECT. Assurance that the new system meets functional requirements is correct. Parallel operation is designed to provide assurance that a new system meets its functional requirements. This is the safest form of system conversion testing because, if the new system fails, the old system is still available for production use. In addition, this form of testing allows the application developers and administrators to simultaneously run operational tasks (e.g., batch jobs and backups) on both systems, to ensure that the new system is reliable before unplugging the old system.

A) INCORRECT. Significant cost savings over other testing approaches is incorrect. Parallel operation provides a high level of assurance that the new system functions properly compared to the old system. Parallel operation is generally expensive and does not provide a cost savings over most other testing approaches. In many cases, parallel operation is the most expensive form of system testing due to the need for dual data entry, dual sets of hardware, dual maintenance and dual backups; it is twice the amount of work as running a production system and, therefore, costs more time and money.

B) INCORRECT. Assurance that new, faster hardware is compatible with the new system is incorrect.
Hardware compatibility should be determined and tested much earlier in the conversion project and is not an advantage of parallel operation. Compatibility is generally determined based on the application's published specifications and on system testing in a lab environment. Parallel operation is designed to test the application's effectiveness and integrity of application data, not hardware compatibility. In general, hardware compatibility relates more to the operating system level than to a particular application. Although new hardware in a system conversion must be tested under a real production load, this can be done without parallel systems.

D) INCORRECT. Increased resiliency during the parallel processing time is incorrect. Increased resiliency during parallel processing is a legitimate outcome from this scenario, but the advantage it provides is temporary and minor, so this is not the correct answer.

Q16) Which of the following is normally a responsibility of the chief information security officer?
A) Executing user application and software testing and evaluation
B) Granting and revoking user access to IT resources
C) Approving access to data and applications
D) Periodically reviewing and evaluating the security policy

Correct Answer-D) IS CORRECT. Periodically reviewing and evaluating the security policy is correct. The role of the chief information security officer is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the enterprise assets, including data, programs and equipment.

A) INCORRECT. Executing user application and software testing and evaluation is incorrect. User application and other software testing and evaluation normally are the responsibility of the staff assigned to development and maintenance.

B) INCORRECT. Granting and revoking user access to IT resources is incorrect. This is usually a function of system, network or database administrators.

C) INCORRECT.
Approval of access to data and applications is incorrect. This is the duty of the data or application owner.

Q17) Which of the following types of penetration tests simulates a real attack and is used to test incident handling and response capability of the target?

D) INCORRECT. Forgery by substitution of another person's private key on the computer is incorrect. The substitution of another person's private key would not work because the digital signature would be validated with the original user's public key.

Q19) Users are issued security tokens to be used in combination with a personal identification number (PIN) to access the corporate virtual private network. Regarding the PIN, what is the MOST important rule to be included in a security policy?
A) Users should never write down their PIN.
B) Users must never keep the token in the same bag as their laptop computer.
C) Users should select a PIN that is completely random, with no repeating digits.
D) Users should not leave tokens where they could be stolen.

Correct Answer-A) IS CORRECT. Users should never write down their personal identification number (PIN) is correct. If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. A token and the PIN is a two-factor authentication method.

D) INCORRECT. Users should not leave tokens where they could be stolen is incorrect. Access to the token is of no value without the personal identification number (PIN); one cannot work without the other.

B) INCORRECT. Users must never keep the token in the same bag as their laptop computer is incorrect. Access to the token is of no value without the PIN; one cannot work without the other.

C) INCORRECT. Users should select a PIN that is completely random, with no repeating digits is incorrect. The PIN does not need to be random as long as it is secret.
Q20) The purpose of code signing is to provide assurance that:
A) the private key of the signer has not been compromised.
B) the signer of the application is trusted.
C) the application can safely interface with another signed application.
D) the software has not been subsequently modified.

Correct Answer-D) IS CORRECT. The software has not been subsequently modified is correct. Code signing ensures that the executable code came from a reputable source and has not been modified after being signed.

C) INCORRECT. The application can safely interface with another signed application is incorrect. The signing of code will not ensure that it will integrate with other applications.

B) IS INCORRECT. The signer of the application is trusted is incorrect. Code signing will provide assurance of the source but will not ensure that the source is trusted. The code signing will, however, ensure that the code has not been modified.

A) IS INCORRECT. The private key of the signer has not been compromised is incorrect. The compromise of the sender's private key would result in a loss of trust and is not the purpose of code signing.

Q21) During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
A) Draft a service level agreement for the two departments.
B) Postpone the audit until the agreement is documented.
C) Report the existence of the undocumented agreement to senior management.
D) Confirm the content of the agreement with both departments.

Correct Answer-D) IS CORRECT. Confirm the content of the agreement with both departments is correct. An IS auditor should first confirm and understand the current practice before making any recommendations. Part of this will be to ensure that both parties agree with the terms of the agreement.

B) IS INCORRECT. Postpone the audit until the agreement is documented is incorrect.
There is no reason to postpone an audit because a service agreement is not documented, unless that is all that is being audited. The agreement can be documented after it has been established that there is an agreement in place.

C) IS INCORRECT. Report the existence of the undocumented agreement to senior management is incorrect. Reporting to senior management is not necessary at this stage of the audit because this is not a serious immediate vulnerability.

Q24) The PRIMARY objective of conducting a post-implementation review for a business process automation project is to:
A) confirm compliance with regulatory requirements.
B) evaluate the adequacy of controls.
C) ensure that the project meets the intended business requirements.
D) confirm compliance with technological standards.

Correct Answer-C) IS CORRECT. Ensure that the project meets the intended business requirements is correct. This is the primary objective of a post-implementation review.

B) INCORRECT. Evaluate the adequacy of controls is incorrect. This may be part of the review but is not the primary objective.

A) INCORRECT. Confirm compliance with technological standards is incorrect. This is normally not part of the post-implementation review because this should be addressed during the design and development phase.

D) INCORRECT. Confirm compliance with regulatory requirements is incorrect. This is normally not part of the post-implementation review because this should be addressed during the design and development phase.

Q25) During a post-implementation review of an enterprise resource management system, an IS auditor would MOST likely:
A) evaluate system testing.
B) review access control configuration.
C) review detailed design documentation.
D) evaluate interface testing.

Correct Answer-B) IS CORRECT. Review access control configuration is correct. Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system.
D) INCORRECT. Evaluate interface testing is incorrect. Because a post-implementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process.

C) IS INCORRECT. Review detailed design documentation is incorrect. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system because these are usually vendor packages with user manuals. System testing should be performed before final user signoff. Further, because the system has been implemented, the IS auditor would only check the detailed design if there appeared to be a gap between design and functionality.

A) IS INCORRECT. Evaluate system testing is incorrect. System testing should be performed before final user signoff. The IS auditor should not need to review the system tests post-implementation.

Q26) A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should:
A) apply a qualitative approach.
B) calculate a return on investment.
C) compute the amortization of the related assets.
D) spend the time needed to define the loss amount exactly.

Correct Answer-A) IS CORRECT. Apply a qualitative approach is correct. The common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).

C) INCORRECT. Compute the amortization of the related assets is incorrect. Amortization is used in a profit and loss statement, not in computing potential losses.

B) INCORRECT. Calculate a return on investment (ROI) is incorrect.
A ROI is computed when there is predictable savings or revenues that can be compared to the investment needed to realize the revenues.

D) INCORRECT. Spend the time needed to define the loss amount exactly is incorrect. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses

A) INCORRECT. The application may not meet the requirements of the business users is incorrect. When selecting an application, the business requirements and the suitability of the application for the IT environment must be considered. If the business units selected their application without IT involvement, they are more likely to choose a solution that fits their business process the best with less emphasis on how compatible and supportable the solution will be in the enterprise, and this is not a concern.

C) INCORRECT. The application may create unanticipated support issues for IT is incorrect. Although any new software implementation may create support issues, the primary benefit of the EA is ensuring that the IT solutions deliver value to the business. Decreased support costs may be a benefit of the EA, but the lack of IT involvement in this case would not affect the support requirements.

Q29) Which of the following should an incident response team address FIRST after a major incident in an information processing facility?
A) Documentation of the facility
B) Restoration at the facility
C) Monitoring of the facility
D) Containment at the facility

Correct Answer-D) IS CORRECT. Containment at the facility is correct. The first priority (after addressing life safety) is the containment of the incident at the facility so that spread of the damage is minimized. The incident team must gain control of the situation.

B) INCORRECT. Restoration at the facility is incorrect. Restoration ensures that the affected systems or services are restored to a condition specified in the restore point objective.
This action will be possible only after containment of the damage.

A) INCORRECT. Documentation of the facility is incorrect. This should be prepared to inform management of the incident; however, damage must be contained first.

C) INCORRECT. Monitoring of the facility is incorrect. This is important, although containment must take priority to avoid spread of the damage.

Q30) An enterprise uses privileged accounts to process configuration changes for mission-critical applications. Which of the following would be the BEST and appropriate control to limit the risk in such a situation?
A) Ensure that audit trails are accurate and specific.
B) Ensure that personnel background checks are performed for critical personnel.
C) Ensure that personnel have adequate training.
D) Ensure that supervisory approval and review are performed for critical changes.

Correct Answer-D) IS CORRECT. Ensure that supervisory approval and review are performed for critical changes is correct. Supervisory approval and review of critical changes by the accountable managers in the enterprise are required to avoid and detect any unauthorized change. In addition to authorization, supervision enforces a separation of duties and prevents an unauthorized attempt by any single employee.

A) INCORRECT. Ensure that audit trails are accurate and specific is incorrect. Audit trails are a detective control and, in many cases, can be altered by those with privileged access.

C) INCORRECT. Ensure that personnel have adequate training is incorrect. Staff proficiency is important and good training may be somewhat of a deterrent, but supervisory approval and review is the best choice.

B) INCORRECT. Ensure that personnel background checks are performed for critical personnel is incorrect. Performing background checks is a very basic control and will not effectively prevent or detect errors or malfeasance.

Q31) Vendors have released patches fixing security flaws in their software.
Which of the following should an IS auditor recommend in this situation?
A) Decline to deal with these vendors in the future.
B) Assess the impact of patches prior to installation.
C) Install the security patch immediately.
D) Ask the vendors for a new software version with all fixes included.

Correct Answer-B) IS CORRECT. Assess the impact of patches prior to installation is correct. The effect of installing the patch should be immediately evaluated and installation should occur based on the results of the evaluation. There are numerous cases where a patch from one vendor has affected other systems; therefore, it is necessary to test the patches as much as possible before rolling them out to the entire organization.

D) INCORRECT. The chief executive officer is incorrect. This role is instrumental in implementing IT governance according to the directions of the board of directors.

A) INCORRECT. The IT steering committee is incorrect. This group monitors and facilitates deployment of IT resources for specific projects in support of business plans. The IT steering committee enforces governance on behalf of the board of directors.

C) INCORRECT. The audit committee is incorrect. This group reports to the board of directors and executes governance-related audits. The audit committee should monitor the implementation of audit recommendations.

Q34) Involvement of senior management is MOST important in the development of:
A) standards and guidelines.
B) strategic plans.
C) IT policies.
D) IT procedures.

Correct Answer-B) IS CORRECT. Strategic plans is correct. These provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives.

C) INCORRECT. IT policies is incorrect. These are created and enforced by IT management and information security. They are structured to support the overall strategic plan.

D) INCORRECT.
IT procedures is incorrect. These are developed to support IT policies. Senior management is not involved in the development of procedures.

A) INCORRECT. Standards and guidelines is incorrect. These are developed to support IT policies. Senior management is not involved in the development of standards, baselines and guidelines.

Q35) Which of the following does an IS auditor FIRST reference when performing an IS audit?
A) Internal standards
B) Approved policies
C) Implemented procedures
D) Documented practices

Correct Answer-B) Approved policies is correct. Policies are high-level documents that represent the corporate philosophy of an organization. Internal standards, procedures and practices are subordinate to policy.

C) INCORRECT. Implemented procedures is incorrect. Procedures are implemented in accordance with policy.

A) INCORRECT. Internal standards is incorrect. Standards are subordinate to policy.

D) INCORRECT. Documented practices is incorrect. Practices are subordinate to policy.

Q36) Which of the following is widely accepted as one of the critical components in networking management?
A) Proxy server troubleshooting
B) Configuration and change management
C) Application of monitoring tools
D) Topological mappings

Correct Answer-B) IS CORRECT. Configuration and change management is correct. Configuration management is widely accepted as one of the key components of any network because it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Change management ensures that the setup and management of the network is done properly, including managing changes to the configuration, removal of default passwords and possibly hardening the network by disabling unneeded services.

D) INCORRECT. Topological mappings is incorrect. These provide outlines of the components of the network and its connectivity.
This is important to address issues such as single points of failure and proper network isolation but is not the most critical component of network management.

A) INCORRECT. Dedicated line is incorrect. This is quite expensive and only needed when there are specific confidentiality and availability needs.

B) INCORRECT. Leased line is incorrect. This is an expensive but private option, but rarely a good option today.

D) INCORRECT. Integrated services digital network is incorrect. This is not encrypted and would need additional security to be a valid option.

Q39) An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:
A) accountability system and the ability to identify any terminal accessing system resources.
B) maintenance of access logs of usage of various system resources.
C) authorization and authentication of the user prior to granting access to system resources.
D) adequate protection of stored data on servers by encryption or other means.

Correct Answer-C) IS CORRECT. Authorization and authentication of the user prior to granting access to system resources is correct. This is the most significant aspect in a telecommunication access control review because it is a preventive control. Weak controls at this level can affect all other aspects of security.

B) INCORRECT. Maintenance of access logs of usage of various system resources is incorrect. This is a detective control. A preventive control should be used first.

D) INCORRECT. Adequate protection of stored data on servers by encryption or other means is incorrect. This is a method of protecting stored information and is not a network access issue.

A) INCORRECT. Accountability system and the ability to identify any terminal accessing system resources is incorrect. These deal with controlling access through the identification of a terminal or device attempting to connect to the network.
This is called node authentication and is not as good as authenticating the user sitting at that node. Q40) During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend? A) Hire additional staff to provide a segregation of duties for application role changes. B) Implement a properly documented process for application role change requests. C) Document the current procedure in detail and make it available on the enterprise intranet. D) Implement an automated process for changing application roles. Correct Answer-B) IS CORRECT. Implement a properly documented process for application role change requests is correct. The IS auditor should recommend implementation of processes that could prevent or detect improper changes from being made to the major application roles. The application role change request process should start and be approved by the business owner; then, the IS director can make the changes to the application. A) INCORRECT. Hire additional staff to provide a segregation of duties for application role changes is incorrect. While it is preferred that a strict segregation of duties be adhered to and that additional staff be recruited, this practice is not always possible in small enterprises. The IS auditor must look at recommended alternative processes. D) INCORRECT. Implement an automated process for changing application roles is incorrect. An automated process for managing application roles may not be practical to prevent improper changes being made by the IS director, who also has the most privileged access to the application. C) INCORRECT. Document the current procedure in detail and make it available on the enterprise intranet is incorrect. 
Making the existing process available on the enterprise intranet would not provide any value to protect the system. Q41) An IS auditor discovers that the disaster recovery plan (DRP) for a company does not include a critical application hosted in the cloud. Management's response states that the cloud vendor is responsible for disaster recovery (DR) and DR-related testing. What is the NEXT course of action for the IS auditor to pursue? A) Plan an audit of the cloud vendor. B) Review an independent auditor's report of the cloud vendor. C) Review the vendor contract to determine its DR capabilities. D) Integration testing Correct Answer-B) IS CORRECT. Parallel testing is correct. This is the best method for testing data results and system behavior because it allows the users to compare results from both systems before decommissioning the legacy system. Parallel testing also results in better user adoption of the new system. C) INCORRECT. Multiple testing is incorrect. This will not compare results from the old and new systems. D) Integration testing is incorrect. This refers to how the system interacts with other systems, and it is not performed by end users. A) INCORRECT. Prototype testing is incorrect. This is used during design and development to ensure that user input is received; however, this method is not used for acquired systems or during user acceptance testing. Q44) An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions? A) Variable B) Attribute C) Stop-or-go D) Judgment Correct Answer-B) IS CORRECT. Attribute is correct. Attribute sampling is used to test compliance of transactions to controls—in this instance, the existence of appropriate approval. A) INCORRECT Variable is incorrect. 
Variable sampling is used in substantive testing situations and deals with population characteristics that vary, such as monetary values and weights. C) INCORRECT. Stop-or-go is incorrect. Stop-or-go sampling is used when the expected occurrence rate is extremely low. D) INCORRECT. Judgment is incorrect. It refers to a subjective approach of determining sample size and selection criteria of elements of the sample. Q45) Which of the following types of transmission media provide the BEST security against unauthorized access? A) Fiber-optic cables B) Copper wire C) Shielded twisted pair D) Coaxial cables Correct Answer-A) IS CORRECT. Fiber-optic cables is correct. Fiber-optic cables have proven to be more secure and more difficult to tap than the other media. B) INCORRECT. Copper wire is incorrect. Twisted pair, coaxial and copper wire traffic can be monitored with inexpensive equipment. C) INCORRECT. Shielded twisted pair is incorrect. Twisted pair cabling is a form of copper wire, and while shielding affords some degree of protection from interference, it does not improve security against unauthorized access. D) INCORRECT. Coaxial cables is incorrect. These can be monitored with relative ease. Q46) An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP traffic? A) End users having access to software tools such as packet sniffer applications B) Corruption of the Address Resolution Protocol cache in Ethernet switches C) Use of a default administrator password on the analog phone switch D) Deploying virtual local area networks without enabling encryption Correct Answer-B) IS CORRECT. Corruption of the Address Resolution Protocol (ARP) cache in Ethernet switches is correct. 
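An added example for Q46 (not from the original question bank): the practical counterpart to this answer is detecting the poisoning, which shows up on the wire as one IP address being claimed by two different MAC addresses within a short window, with the attacker's MAC claiming several victims. The code reads a log of observed ARP replies and flags exactly that. The log lines and their `timestamp reply IP is-at MAC` layout are constructed for the example, not the output of any particular tool.

```python
"""Detect ARP cache poisoning from a log of observed ARP replies.

Added example for Q46; not from the original question bank. The log lines
below are constructed, and the (timestamp, sender IP, sender MAC) format
is an assumption, not the output of any particular tool.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: what a passive ARP monitor on the VoIP VLAN might record.
# 10.0.5.1 is the gateway. Two replies for it arrive within seconds with
# different MAC addresses, which is the signature of an ARP poisoning attack,
# and the same new MAC also claims a phone's address (10.0.5.20).
SAMPLE_ARP_LOG = """\
2024-03-01T09:00:01 reply 10.0.5.1 is-at 00:11:22:33:44:01
2024-03-01T09:00:02 reply 10.0.5.20 is-at 00:11:22:33:44:20
2024-03-01T09:00:03 reply 10.0.5.21 is-at 00:11:22:33:44:21
2024-03-01T09:00:09 reply 10.0.5.1 is-at de:ad:be:ef:00:99
2024-03-01T09:00:10 reply 10.0.5.20 is-at de:ad:be:ef:00:99
2024-03-01T09:00:11 reply 10.0.5.1 is-at 00:11:22:33:44:01
"""


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "reply" or parts[3] != "is-at":
            continue  # ignore anything that is not a well-formed reply line
        yield datetime.fromisoformat(parts[0]), parts[2], parts[4].lower()


def find_arp_conflicts(text, window_seconds=300):
    """Return (ip, old_mac, new_mac, timestamp) for every IP whose MAC binding
    changes within `window_seconds` of the previous observation.

    A legitimate NIC replacement changes a binding once; poisoning produces
    rapid flapping between the real MAC and the attacker's MAC."""
    window = timedelta(seconds=window_seconds)
    last_seen = {}  # ip -> (mac, timestamp)
    conflicts = []
    for ts, ip, mac in parse_arp_log(text):
        if ip in last_seen:
            old_mac, old_ts = last_seen[ip]
            if old_mac != mac and ts - old_ts <= window:
                conflicts.append((ip, old_mac, mac, ts))
        last_seen[ip] = (mac, ts)
    return conflicts


def suspect_macs(conflicts):
    """Return the MACs that took over an IP binding, ordered by how many
    different IPs each one claimed; the attacker's MAC rises to the top."""
    claimed = defaultdict(set)
    for ip, _old_mac, new_mac, _ts in conflicts:
        claimed[new_mac].add(ip)
    return sorted(claimed, key=lambda m: len(claimed[m]), reverse=True)


if __name__ == "__main__":
    found = find_arp_conflicts(SAMPLE_ARP_LOG)
    for ip, old, new, ts in found:
        print(f"{ts} {ip}: {old} -> {new}")
    print("suspect MAC(s):", suspect_macs(found))
```

On the sample log this reports three binding changes and ranks de:ad:be:ef:00:99 first, because it claimed both the gateway and a phone. The window matters: the same flap seen hours apart is more likely a hardware swap, so the threshold is a tunable rather than a constant.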
On an Ethernet switch there is a data table known as the ARP cache, which stores mappings between media access control (MAC) and IP addresses. During normal operations, Ethernet switches only allow directed traffic to flow between the ports involved in the conversation, and no other ports can see that traffic. However, if the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply "flood" the directed traffic
(Strictly speaking, a switch forwards frames using its MAC address table, and ARP poisoning corrupts the ARP caches of the hosts and gateway on the segment so that traffic for a victim's IP address is delivered to the attacker's MAC address; overflowing the switch's MAC address table so that it floods frames to every port is the related MAC flooding attack.)

a type of event has occurred. Therefore, it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.
B) INCORRECT. Stop-or-go is incorrect. This is a sampling method that helps limit the size of a sample and allows the test to be stopped at the earliest possible moment.
C) INCORRECT. Classical variable sampling is incorrect. This is associated with dollar amounts and has a sample based on a representative sample of the population but is not focused on fraud.
D) INCORRECT. Probability-proportional-to-size sampling is incorrect. This is typically associated with cluster sampling when there are groups within a sample. The question does not indicate that an IS auditor is searching for a threshold of fraud.

Q49) When using public key encryption to secure data being transmitted across a network:
A) both the key used to encrypt and decrypt the data are public.
B) the key used to encrypt is private, but the key used to decrypt the data is public.
C) both the key used to encrypt and decrypt the data are private.
D) the key used to encrypt is public, but the key used to decrypt the data is private.
Correct Answer-D) IS CORRECT. The key used to encrypt is public, but the key used to decrypt the data is private is correct. Public key encryption, also known as asymmetric key cryptography, uses the recipient's public key to encrypt the message and the recipient's private key to decrypt it.
A) INCORRECT. Both the key used to encrypt and decrypt the data are public is incorrect. The public and private keys always work as a pair: if a public key is used to encrypt a message, the corresponding private key MUST be used to decrypt the message.
B) INCORRECT. The key used to encrypt is private, but the key used to decrypt the data is public is incorrect. If the message is encrypted with a private key, that will provide proof of origin but not message security or confidentiality, because anyone holding the public key can decrypt it.
C) INCORRECT. Both the key used to encrypt and decrypt the data are private is incorrect. Using two private keys would not be possible with asymmetric encryption.

Q50) The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during:
A) the internal lab testing phase.
B) the implementation phase.
C) testing and prior to user acceptance.
D) the requirements gathering process.
Correct Answer-D) IS CORRECT. The requirements gathering process is correct. The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of application software. This provides maximum opportunity for review of the vendors and their products. Early engagement of an IS auditor also minimizes the potential of a business commitment to a given solution that might be inadequate and more difficult to overcome as the process continues.
A) INCORRECT. The internal lab testing phase is incorrect. During testing, the IS auditor will ensure that the security requirements are met. This is not the time to assess the control specifications.
C) INCORRECT. Testing and prior to user acceptance is incorrect. The control specifications will drive the security requirements that are built into the contract and should be assessed before the product is acquired and tested.
B) INCORRECT. The implementation phase is incorrect. During the implementation phase, the IS auditor may check whether the controls have been enabled; however, this is not the time to assess the control requirements.

Q51) Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet?
A) The CA has several data processing subcenters to administer certificates.
B) Customers can make their transactions from any computer or mobile device.
C) Customers are widely dispersed geographically, but the certificate authorities (CAs) are not.

D) Data mining techniques
Correct Answer-D) IS CORRECT. Data mining techniques is correct. Data mining is a technique used to detect trends or patterns in transactions or data. If the historical pattern of charges against a credit card account changes, that is a flag that the transaction may have resulted from fraudulent use of the card.
B) INCORRECT. Intrusion detection systems is incorrect. These are effective in detecting network- or host-based attacks but not effective in identifying fraudulent transactions.
A) INCORRECT. Stateful inspection firewalls is incorrect. A firewall is an excellent tool for protecting networks and systems but not effective in detecting fraudulent transactions.
C) INCORRECT. Packet filtering routers is incorrect. A packet filtering router operates at the network level and cannot see a transaction.

Q54) Which of the following will BEST ensure the successful offshore development of business applications?
A) Stringent contract management practices
B) Detailed and correctly applied specifications
C) Post-implementation review
D) Awareness of cultural and political differences
Correct Answer-B) IS CORRECT. Detailed and correctly applied specifications is correct. When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Inaccurate specifications cannot easily be corrected.
A) INCORRECT. Stringent contract management practices is incorrect. Contract management practices, although important, will not ensure successful development if the specifications are incorrect.
D) INCORRECT. Awareness of cultural and political differences is incorrect. Cultural and political differences, although important, should not affect the delivery of a good product.
C) INCORRECT. Post-implementation review is incorrect. This, although important, is too late in the process to ensure successful project delivery and is not as pivotal to the success of the project.

Q55) The rate of change in technology increases the importance of:
A) outsourcing the IT function.
B) meeting user requirements.
C) implementing and enforcing sound processes.
D) hiring qualified personnel.
Correct Answer-C) IS CORRECT. Implementing and enforcing sound processes is correct. Change control requires that good change management processes be implemented and enforced.
A) INCORRECT. Outsourcing the IT function is incorrect. This is a business decision and not directly related to the rate of technological change, nor does the rate of change increase the importance of outsourcing.
D) INCORRECT. Hiring qualified personnel is incorrect. Personnel in a typical IT department can often be trained in new technologies to meet organizational requirements.
B) INCORRECT. Meeting user requirements is incorrect. Although meeting user requirements is important, it is not directly related to the rate of technological change in the IT environment.

Q56) Email message authenticity and confidentiality is BEST achieved by signing the message using the:
A) receiver's private key and encrypting the message using the sender's public key.
B) sender's private key and encrypting the message using the receiver's public key.
C) sender's public key and encrypting the message using the receiver's private key.
D) receiver's public key and encrypting the message using the sender's private key.
Correct Answer-B) IS CORRECT. Sender's private key and encrypting the message using the receiver's public key is correct. By signing the message with the

C) Determine whether this is a policy violation and document it
D) Recommend that logs of IT developer access are reviewed periodically.
Correct Answer-C) IS CORRECT. Determine whether this is a policy violation and document it is correct. If the policy documents the purpose and approval for different procedures, then an IS auditor only needs to document observations and tests as to whether the procedures are followed.
B) INCORRECT. Document the observation as an exception is incorrect. This condition would not be considered an exception if procedures are followed according to approved policies.
A) INCORRECT. Recommend that all password configuration settings be identical is incorrect. There may be valid reasons for these settings to be different; therefore, the auditor would not normally recommend changes before researching company policies and procedures.
D) INCORRECT. Recommend that logs of IT developer access are reviewed periodically is incorrect. While reviewing logs may be a good compensating control, the more important course of action would be to determine if policies are being followed.

Q59) Which of the following is the FIRST step in an IT risk assessment for a risk-based audit?
A) Identify all IT systems and controls that are relevant to audit objectives.
B) List all controls from the audit program to select ones matching with audit objectives.
C) Understand the business, its operating model and key processes.
D) Review the results of a risk self-assessment.
Correct Answer-C) IS CORRECT. Understand the business, its operating model and key processes is correct. Risk-based auditing must be based on an understanding of the business, operating model and environment. This is the first step in an IT risk assessment for a risk-based audit.
A) INCORRECT. Identify all IT systems and controls that are relevant to audit objectives is incorrect. Understanding the business environment comes first; this is followed by understanding the IT environment.
B) INCORRECT. List all controls from the audit program to select ones matching with audit objectives is incorrect and is not the first step of risk assessment. This step follows understanding the business environment and the IT systems.
D) INCORRECT. Review the results of a risk self-assessment is incorrect. A risk self-assessment is optional and applicable for some types of audit engagements.

Q60) Which control is the BEST way to ensure that the data in a file have not been changed during transmission?
A) Hash values
B) Reasonableness check
C) Check digits
D) Parity bits
Correct Answer-A) IS CORRECT. Hash values is correct. These are calculated on the file and are very sensitive to any change in the data values in the file. Thus, they are the best way to ensure that data have not changed.
B) INCORRECT. Reasonableness check is incorrect. This is used to ensure that input data is within expected values, not to ensure integrity of data transmission. Data can be changed and still pass a reasonableness test.
D) INCORRECT. Parity bits is incorrect. These are a weak form of data integrity check used to detect errors in transmission; an even number of flipped bits passes the parity check, and they offer no protection against deliberate modification, so they are not as good as using a hash.
C) INCORRECT. Check digits is incorrect. These are used to detect an error in a numeric field such as an account number and are usually related to a transposition or transcription error.
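An added example for Q60 (not from the original question bank) that shows why a hash value is the stronger control: the receiver checks a transmitted file with a parity bit and with a SHA-256 hash, first after a single flipped bit and then after two flipped bits in the same byte. The file contents and the corruption pattern are constructed for the demonstration; the single whole-payload parity bit stands in for the per-byte parity real links use, and it fails in the same way.

```python
"""Transmission integrity: a hash value versus a parity bit.

Added example for Q60; not from the original question bank. The "file" and
the corruption pattern are constructed for the demonstration.
"""
import hashlib


def even_parity_bit(data: bytes) -> int:
    """One parity bit over the whole payload: 0 if the count of 1 bits is even.
    (Real links use one bit per byte or per word; the weakness is the same.)"""
    ones = sum(bin(b).count("1") for b in data)
    return ones % 2


def sha256_hex(data: bytes) -> str:
    """Hash value the sender computes and ships alongside the file."""
    return hashlib.sha256(data).hexdigest()


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate line noise (or tampering) by flipping the given bit positions,
    numbered from the least significant bit of byte 0 upwards."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def receiver_checks(original: bytes, received: bytes) -> dict:
    """What the receiver can conclude from each control, given the parity bit
    and the hash value the sender transmitted for the original file."""
    return {
        "parity_ok": even_parity_bit(received) == even_parity_bit(original),
        "hash_ok": sha256_hex(received) == sha256_hex(original),
        "bytes_equal": received == original,
    }


# Constructed sample file, e.g. one payment record in transit.
SAMPLE_FILE = b"PAYEE=ACME CORP;AMOUNT=00100.00;ACCT=12345678\n"


def demo() -> dict:
    # Byte 23 is the first '0' of "00100.00" (ASCII 0x30). Flipping bits 0 and
    # 1 of that byte turns it into '3' (0x33): the 1-bit count changes by two,
    # so the parity is unchanged and an amount of 30100.00 passes the parity
    # check. A single flipped bit (0x31, '1') is caught by parity as expected.
    double = flip_bits(SAMPLE_FILE, [23 * 8 + 0, 23 * 8 + 1])
    single = flip_bits(SAMPLE_FILE, [23 * 8 + 0])
    return {
        "single_bit_error": receiver_checks(SAMPLE_FILE, single),
        "double_bit_error": receiver_checks(SAMPLE_FILE, double),
        "corrupted_text": double.decode(errors="replace"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The double-bit case is the point: parity reports the file as intact while the amount has changed from 00100.00 to 30100.00, and only the hash comparison fails. An unkeyed hash still does not stop an attacker who can alter both the file and the hash in transit; for that the hash must be sent over a separate trusted channel or replaced by a MAC or digital signature.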
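The key-usage rules tested in Q49 and Q56 above, and again in Q74 further down this page, worked through in code as an added example (not from the original question bank): encrypt with the recipient's public key and only the recipient's private key decrypts; sign with the sender's private key and anyone with the sender's public key verifies; and "encrypting" with the sender's private key proves origin but gives no confidentiality. To keep the key roles visible the block uses textbook RSA with no padding and builds keys from Mersenne primes so no primality testing is needed; those are choices for the illustration, and real systems use RSA-OAEP/RSA-PSS or hybrid encryption with properly generated keys.

```python
"""Which key encrypts and which key decrypts: a textbook-RSA walk-through.

Added example for Q49, Q56 and Q74; not from the original question bank.
Textbook RSA without padding is used so the key roles are visible; real
systems use RSA-OAEP/RSA-PSS or hybrid encryption, and the key material
here is chosen for clarity, not for security.
"""
import hashlib

# Mersenne primes (2**127 - 1, 2**521 - 1, 2**89 - 1, 2**607 - 1) so key
# generation needs no primality testing; each modulus is still larger than a
# SHA-256 value, so the signature of a digest fits without padding.
E = 65537


def keypair(p, q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+); gcd(e, phi) == 1 here
    return (n, e), (n, d)


def _to_int(data: bytes) -> int:
    return int.from_bytes(data, "big")


def _to_bytes(x: int, length: int) -> bytes:
    return x.to_bytes(length, "big")


def encrypt(message: bytes, recipient_public) -> int:
    """Confidentiality (Q49 D, Q74 C): encrypt with the RECIPIENT's public key."""
    n, e = recipient_public
    m = _to_int(message)
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(ciphertext: int, recipient_private, length: int) -> bytes:
    """Only the holder of the recipient's private key recovers the message."""
    n, d = recipient_private
    return _to_bytes(pow(ciphertext, d, n), length)


def sign(message: bytes, sender_private) -> int:
    """Authenticity (Q56 B): sign the message hash with the SENDER's private key."""
    n, d = sender_private
    return pow(_to_int(hashlib.sha256(message).digest()), d, n)


def verify(message: bytes, signature: int, sender_public) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    n, e = sender_public
    return pow(signature, e, n) == _to_int(hashlib.sha256(message).digest())


def readable_with_public_key(message: bytes, sender_public, sender_private) -> bool:
    """Q49 B / Q74 D: 'encrypting' with the sender's private key is undone by
    the public key, which everyone has. True means there is no confidentiality."""
    n, d = sender_private
    c = pow(_to_int(message), d, n)
    n2, e = sender_public
    return _to_bytes(pow(c, e, n2), len(message)) == message


def demo() -> dict:
    alice_pub, alice_priv = keypair((1 << 127) - 1, (1 << 521) - 1)  # sender
    bob_pub, bob_priv = keypair((1 << 89) - 1, (1 << 607) - 1)       # recipient
    msg = b"Transfer 100 units to account 42"
    sig = sign(msg, alice_priv)       # sender's private key
    ct = encrypt(msg, bob_pub)        # recipient's public key
    pt = decrypt(ct, bob_priv, len(msg))
    return {
        "decrypted_matches": pt == msg,
        "signature_valid": verify(pt, sig, alice_pub),
        "tampered_rejected": not verify(pt + b"0", sig, alice_pub),
        "private_key_gives_no_secrecy": readable_with_public_key(msg, alice_pub, alice_priv),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every entry of the returned dictionary is True: the recipient's private key decrypts what the recipient's public key encrypted, the sender's public key verifies what the sender's private key signed, and the "sender's private key as encryption key" option collapses because the matching public key is, by definition, public.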
Q61) An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following: The existing DRP was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department. The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting attention. The DRP has never been updated, tested or circulated to key management and staff, although interviews show that each would know what action to take for its area if a disruptive incident occurred.. The IS auditor's report should recommend that: This will help in designing disaster site options, but not the data backup strategy in the case of impacting disasters. Q63) What is the PRIMARY consideration for an IS auditor reviewing the prioritization and coordination of IT projects and program management? A) IT project metrics are reported accurately. B) Projects are aligned with the organization's strategy. C) Identified project risk is monitored and mitigated. D) Controls related to project planning and budgeting are appropriate. Correct Answer-B) IS CORRECT. Projects are aligned with the organization's strategy is correct. The primary goal of IT projects is to add value to the business, so they must be aligned with the business strategy to achieve the intended results. Therefore, the IS auditor should first focus on ensuring this alignment. C) INCORRECT. Identified project risk is monitored and mitigated is incorrect. An adequate process for monitoring and mitigating identified project risk is important; however, strategic alignment helps in assessing identified risk in business terms. D) INCORRECT. Controls related to project planning and budgeting are appropriate is incorrect. 
Completion of projects within a predefined time and budget is important; however, the focus of project management should be on achieving the desired outcome of the project, which is aligned with the business strategy. A) INCORRECT. IT project metrics are reported accurately is incorrect. Adequate reporting of project status is important but may or may not help in providing the strategic perspective of project deliverables. Q64) A company determined that its web site was compromised, and a rootkit was installed on the server hosting the application. Which of the following choices would have MOST likely prevented the incident? A) Operating system patching B) A firewall C) A network-based intrusion detection system D) A host-based intrusion prevention system Correct Answer-D) IS CORRECT. A host-based intrusion prevention system (IPS) is correct. This prevents unauthorized changes to the host. If a malware attack attempted to install a rootkit, the IPS would refuse to permit the installation without the consent of an administrator. C) INCORRECT. A network-based intrusion detection system (IDS) is incorrect. This relies on attack signatures based on known exploits and attack patterns. If the IDS is not kept up to date with the latest signatures, or the attacker is able to create or gain access to an exploit unknown to the IDS, it will go undetected. A web server exploit performed through the web application itself, such as a Structured Query Language injection attack, would not appear to be an attack to the network- based IDS. B) INCORRECT. A firewall is incorrect. This by itself does not protect a web server because the ports required for users to access the web server must be open in the firewall. Web server attacks are typically performed over the same ports that are open for normal web traffic. Therefore, a firewall does not protect the web server. A) INCORRECT. Operating system (OS) patching is incorrect. 
This will make exploitation of the server more difficult for the attacker and less likely. However, attacks on the web application and server OS may succeed based on issues unrelated to any unpatched server vulnerabilities, and the host-based IPS should detect any attempts to change files on the server, regardless of how access was obtained. Q65) The final decision to include a material finding in an audit report should be made by the: A) IS auditor. B) chief executive officer of the organization. C) auditee's manager. D) audit committee. Correct Answer-A) IS CORRECT. The IS auditor is correct. The IS auditor should make the final decision about what to include or exclude from the audit report. D) INCORRECT. Audit committee is incorrect. The audit committee should not impair the independence, professionalism and objectivity of the IS auditor by influencing what is included in the audit report. C) INCORRECT. Executing a business continuity plan is incorrect. The most important objective in recovering from a cyberattack is to keep the business operational, but most attacks will not require the activation or use of the business continuity plan. D) INCORRECT. Preserving evidence is incorrect. The primary objective for the business is to stay in business. In a noncriminal investigation this may even mean that some evidence is lost. Q68) An IS auditor finds that a disaster recovery plan for critical business functions does not cover all systems. Which of the following is the MOST appropriate course of action for the IS auditor? A) Cancel the audit. B) Postpone the audit until the systems are added to the DRP. C) Alert management and evaluate the impact of not covering all systems. D) Complete the audit of the systems covered by the existing DRP. Correct Answer-C) IS CORRECT. Alert management and evaluate the impact of not covering all systems is correct. An IS auditor should make management aware that some systems are omitted from the disaster recovery plan (DRP). 
An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the DRP. A) INCORRECT. Cancel the audit is incorrect. Canceling the audit is an inappropriate action. D) INCORRECT. Complete the audit of the systems covered by the existing DRP is incorrect. Ignoring the fact that some systems are not covered would violate audit standards that require reporting all material findings and is an inappropriate action. B) INCORRECT. Postponing the audit is an inappropriate action. The audit should be completed according to the initial scope with identification to management of the risk of systems not being covered. Q69) An IS auditor discovers several IT-based projects were implemented and not approved by the steering committee. What is the GREATEST concern for the IS auditor? A) IT projects are not following the system development life cycle process. B) The IT department may not be working toward a common goal. C) IT projects are not consistently formally approved. D) The IT department's projects will not be adequately funded. Correct Answer-B) IS CORRECT. The IT department may not be working toward a common goal is correct. The steering committee provides direction and control over projects to ensure that the company is making appropriate investments. Without approval, the project may or may not be working toward the company's goals. D) INCORRECT. The IT department's projects will not be adequately funded is incorrect. Funding for the projects may be addressed through various budgets and may not require steering committee approval. The primary concern would be to ensure that the project is working toward meeting the goals of the company. A) INCORRECT. IT projects are not following the system development life cycle process is incorrect. 
Although requiring steering committee approval may be part of the system development life cycle process, the greater concern would be whether the projects are working toward the corporate goals. Without steering committee approval, it would be difficult to determine whether these projects are following the direction of the corporate goals. C) INCORRECT. IT projects are not consistently formally approved is incorrect. Although having a formal approval process is important, the greatest concern would be for the steering committee to provide corporate direction for the projects. Q70) An IS auditor finds that the data warehouse query performance decreases significantly at certain times of the day. Which of the following controls would be MOST relevant for the IS auditor to review? A) User spool and database limit controls B) Read/write access log controls C) Permanent table-space allocation D) Commitment and rollback controls Correct Answer-A) IS CORRECT. User spool and database limit controls is correct. User spool limits restrict the space available for running user queries. This prevents poorly formed queries from consuming excessive system resources and impacting general query performance. Limiting the space available to users in their own databases prevents them from building excessively large tables. This helps to control space utilization which itself acts to help performance by maintaining a buffer between the actual data correct. If the users are granted access to change data in support of the business requirements, and the policy should be followed. If there is no policy for the granting of extraordinary access, then one should be designed to ensure no unauthorized changes are made. B) INCORRECT. Redesign the controls related to data authorization is incorrect. Data authorization controls should be driven by the policy. 
While there may be some technical controls that could be adjusted, if the data changes happen infrequently, then an exception process would be the better choice. D) INCORRECT. Implement additional segregation of duties controls is incorrect. While adequate segregation of duties is important, the IS auditor must first review policy to see if there is a formal documented process for this type of temporary access controls to enforce segregation of duties. A) INCORRECT. Implement additional logging controls is incorrect. Audit trails are needed whenever temporary elevated access is required. However, but this is not the first step the auditor should take in reviewing the overall process. Q73) An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise's investment in software is protected, which of the following should be recommended by the IS auditor? A) Due diligence should be performed on the software vendor. B) There should be a source code escrow agreement in place. C) A quarterly audit of the vendor facilities should be performed. D) A high penalty clause should be included in the contract. Explanation Correct Answer-B) IS CORRECT. There should be a source code escrow agreement in place is correct. A source code escrow agreement is primarily recommended to help protect the enterprise's investment in software, because the source code will be available through a trusted third party and can be retrieved if the start-up vendor goes out of business. A) INCORRECT. Due diligence should be performed on the software vendor is incorrect. Although due diligence is a good practice, it does not ensure availability of the source code in the event of vendor failure. C) INCORRECT. A quarterly audit of the vendor facilities should be performed is incorrect. 
Although a quarterly audit of vendor facilities is a good practice, it does not ensure availability of the source code in the event of failure of the start-up vendor. D) INCORRECT. A high penalty clause should be included in the contract is incorrect. Although a penalty clause is a good practice, it does not provide protection or ensure availability of the source code in the event of vendor bankruptcy. Q74) An IS auditor is reviewing an organization's controls related to email encryption. The company's policy states that all sent email must be encrypted to protect the confidentiality of the message because the organization shares nonpublic information through email. In a public key infrastructure implementation properly configured to provide confidentiality. email is: A) encrypted with the recipient's private key and decrypted with the sender's private key. B) encrypted with the sender's private key and decrypted with the recipient's private key. C) encrypted with the recipient's public key and decrypted with the recipient's private key. D) encrypted with the sender's private key and decrypted with the sender's public key. Correct Answer-C) IS CORRECT. Encrypted with the recipient's public key and decrypted with the recipient's private key is correct. Encrypting a message with the recipient's public key and decrypting it with the recipient's private key ensures message confidentiality, because only the intended recipient has the correct private key to decrypt the message. D) INCORRECT. Encrypted with the sender's private key and decrypted with the sender's public key is incorrect. This ensures that the message came from the sender; however, it does not guarantee message confidentiality. With public key infrastructure, a message encrypted with a private key must be decrypted with the responding public key, and vice versa. A) INCORRECT. Encrypted with the recipient's private key and decrypted with the sender's private key is incorrect. 
The sender would not have access to the receiver's private key. B) Encrypted with the sender's private key and decrypted with the recipient's private key is incorrect. A message encrypted with the sender's private key could not be decrypted using the recipient's private key. Q75) production environment. In spite of that fact, the risk of data disclosure or unauthorized access in the test environment is still significant and, as a result, production data should not be used in the test environment. This is especially important in a health care organization where patient data confidentiality is critical and privacy laws in many countries impose strict penalties on misuse of these data. C) INCORRECT. Hardware in the test environment may not be identical to the production environment is incorrect. Hardware in the test environment should mirror the production environment to ensure that testing is reliable. However, this does not relate to the risk from using live data in a test environment. This is not the correct answer because it does not relate to the risk presented in the scenario. Q77) An organization's IT director has approved the installation of a wireless local area network access point in a conference room for a team of consultants to access the Internet with their laptop computers. The BEST control to protect the corporate servers from unauthorized access is to ensure that: A) the conference room network is on a separate virtual local area network. B) antivirus signatures and patch levels are current on the consultants' laptops. C) encryption is enabled on the access point. D) default user IDs are disabled and strong passwords are set on the corporate servers. Correct Answer-A) IS CORRECT. The conference room network is on a separate virtual local area network (VLAN) is correct. The installation of the wireless network device presents risk to the corporate servers from both authorized and unauthorized users. 
A separate virtual local area network is the best solution because it ensures that both authorized and unauthorized users are prevented from gaining network access to database servers, while allowing Internet access to authorized users.
C) INCORRECT. Encryption is enabled on the access point is incorrect. Enabling encryption is a good idea to prevent unauthorized network access, but it is more important to isolate the consultants from the rest of the corporate network.
B) INCORRECT. Antivirus signatures and patch levels are current on the consultants' laptops is incorrect. Antivirus signatures and patch levels are good practices but not as critical as preventing network access via access controls for the corporate servers.
D) INCORRECT. Default user IDs are disabled and strong passwords are set on the corporate servers is incorrect. Protecting the organization's servers through good passwords is good practice, but it is still necessary to isolate the network being used by the consultants. If the consultants can access the rest of the network, they could use password cracking tools against other corporate machines.

Q78) During an access control review for a mainframe application, an IS auditor discovers user security groups without designated owners. The PRIMARY reason that this is a concern to the IS auditor is that without ownership, there is no one with clear responsibility for:
A) reviewing existing user access.
B) updating group metadata.
C) approval of user access.
D) removing terminated users.
Correct Answer-C) IS CORRECT. Approval of user access is correct. Without an owner to provide approval for user access to the group, unauthorized individuals could potentially gain access to any sensitive data within the rights of the group.
B) INCORRECT. Updating group metadata is incorrect. Updating data about the group is not a great concern when compared to unauthorized access.
A) INCORRECT. Reviewing existing user access is incorrect.
While the periodic review of user accounts is a good practice, this is a detective control and not as robust as preventing unauthorized access to the group in the first place.
D) INCORRECT. Removing terminated users is incorrect. This is a compensating control for the normal termination process and is also a detective control.

Q79) Which of the following types of penetration tests effectively evaluates the incident handling and response capability of the system administrator?
A) Targeted testing
B) Double-blind testing
C) Internal testing
D) External testing
Correct Answer-B) IS CORRECT. Double-blind testing is correct. In double-blind testing, the penetration tester has little or limited knowledge about the target system, and personnel at the target site have not been informed that a test is being performed. Because the administrator and security
C) discuss the potential finding with the audit committee.
D) report the potential finding to business management.
Correct Answer-B) IS CORRECT. Perform additional testing is correct. The IS auditor should perform additional testing to ensure that it is a finding. An auditor can quickly lose credibility if it is later discovered the finding was not justified or accurate.
D) INCORRECT. Report the potential finding to business management is incorrect. The item should be confirmed through additional testing before it is reported to management.
C) INCORRECT. Discuss the potential finding with the audit committee is incorrect. The item should be confirmed through additional testing before it is discussed with the audit committee.
A) INCORRECT. Increase the scope of the audit is incorrect. Additional testing to confirm the potential finding should be within the scope of the engagement. Increasing the scope could demand more audit resources than needed and could be subject to scope creep.

Q82) An IS auditor finds that conference rooms have active network ports.
Which of the following would prevent this discovery from causing concern?
A) Antivirus software is in place to protect the corporate network.
B) A single sign-on has been implemented in the corporate network.
C) This part of the network is isolated from the corporate network.
D) The corporate network is using an intrusion prevention system.
Correct Answer-C) IS CORRECT. This part of the network is isolated from the corporate network is correct. If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or by being physically separated.
D) INCORRECT. The corporate network is using an intrusion prevention system is incorrect. An intrusion prevention system may stop an attack, but it would be far better to restrict the ability of machines in the conference rooms from being able to access the corporate network altogether.
B) INCORRECT. A single sign-on has been implemented in the corporate network is incorrect. A single sign-on solution is used for access control but would still leave a risk when unauthorized people have physical access to the corporate network.
A) INCORRECT. Antivirus software is in place to protect the corporate network is incorrect. Antivirus software would reduce the impact of possible viruses; however, unauthorized users would still be able to access the corporate network, which is the biggest risk.

Q83) Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data?
A) Virtual private network
B) Secure Sockets Layer
C) Intrusion detection system
D) Public key infrastructure
Correct Answer-B) IS CORRECT. Secure Sockets Layer (SSL) is correct.
This is used for many e-commerce applications to set up a secure channel for communications providing confidentiality through a combination of public and symmetric key encryption and integrity through hash message authentication code.
C) INCORRECT. Intrusion detection system is incorrect. This will log network activity but is not used for protecting traffic over the Internet.
D) INCORRECT. Public key infrastructure is incorrect. This is used in conjunction with SSL or for securing communications such as e-commerce and email.
A) INCORRECT. Virtual private network (VPN) is incorrect. This is a generic term for a communications tunnel that can provide confidentiality, integrity and authentication (reliability). A VPN can operate at different levels of the Open Systems Interconnection stack and may not always be used in conjunction with encryption. SSL can be called a type of VPN.

Q84) An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?
A) Risk mitigation
B) Risk avoidance
C) applied changes have not introduced new errors.
D) applicable development standards have been maintained.
Correct Answer-C) IS CORRECT. Applied changes have not introduced new errors is correct. Regression testing is used to test for the introduction of new errors in the system after changes have been applied.
B) INCORRECT. System functionality meets customer requirements is incorrect. Validation testing is used to test the functionality of the system against detailed requirements to ensure that software construction is traceable to customer requirements.
A) INCORRECT. A new system can operate in the target environment is incorrect. Sociability testing is used to see whether the system can operate in the target environment without adverse impacts on the existing systems.
D) INCORRECT. Applicable development standards have been maintained is incorrect.
Software quality assurance and code reviews are used to determine whether development standards are maintained.

Q87) A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?
A) Work is being completed in TCP services.
B) A digital signature with RSA has been implemented.
C) Work is completed in tunnel mode with IP security.
D) Digital certificates with RSA are being used.
Correct Answer-C) IS CORRECT. Work is completed in tunnel mode with IP security is correct. Tunnel mode with Internet Protocol (IP) security provides encryption and authentication of the complete IP package. To accomplish this, the authentication header and encapsulating security payload services can be nested. This is known as IP Security.
B) INCORRECT. A digital signature with RSA has been implemented is incorrect. A digital signature with RSA provides authentication and integrity but not confidentiality.
D) INCORRECT. Digital certificates with RSA are being used is incorrect. Digital certificates with RSA provide authentication and integrity but do not provide encryption.
A) INCORRECT. Work is being completed in Transmission Control Protocol (TCP) services is incorrect. These do not provide encryption and authentication.

Q88) An IS auditor is reviewing an organization's recovery from a disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined?
A) The service delivery objective
B) The recovery time objective
C) The recovery point objective
D) The interruption window
Correct Answer-C) IS CORRECT. The recovery point objective (RPO) is correct. This is determined based on the acceptable data loss in the case of a disruption of operations.
RPO defines the point in time from which it is necessary to recover the data and quantifies, in terms of time, the permissible amount of data loss in the case of interruption.
D) INCORRECT. The interruption window is incorrect. This is defined as the amount of time during which the organization is unable to maintain operations from the point of failure to the time that the critical services/applications are restored.
B) INCORRECT. The recovery time objective is incorrect. This is determined based on the acceptable downtime in the case of a disruption of operations.
A) INCORRECT. The service delivery objective (SDO) is incorrect. This is directly related to the business needs. SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.

Q89) A laptop computer belonging to a company database administrator (DBA) and containing a file of production database passwords has been stolen. What should the organization do FIRST?
A) Change the database password.
B) Send a report to the IS audit department.
A) Appropriate staff resources are committed.
B) Data restoration was completed.
C) Recovery procedures are approved.
D) The tabletop test was performed.
Correct Answer-B) IS CORRECT. Data restoration was completed is correct. The most reliable method to determine whether a backup is valid would be to restore it to a system. A data restore test should be performed at least annually to verify that the process is working properly.
D) INCORRECT. The tabletop test was performed is incorrect. Performing a tabletop test is extremely helpful but does not ensure that the recovery process is working properly.
C) INCORRECT. Recovery procedures are approved is incorrect. This will not ensure that data can be successfully restored.
A) INCORRECT. Appropriate staff resources are committed is incorrect. While this is appropriate, without data the recovery would not be successful.
Q92) An organization is migrating from a legacy system to an enterprise resource planning system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
A) correlation of semantic characteristics of the data migrated between the two systems.
B) relative efficiency of the processes between the two systems.
C) correlation of arithmetic characteristics of the data migrated between the two systems.
D) correlation of functional characteristics of the processes between the two systems.
Correct Answer-A) IS CORRECT. Correlation of semantic characteristics of the data migrated between the two systems is correct. Because the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data (structure) is the same in the new system as it was in the old system.
C) INCORRECT. Correlation of arithmetic characteristics of the data migrated between the two systems is incorrect. Arithmetic characteristics represent aspects of data structure and internal definition in the database and, therefore, are less important than the semantic characteristics.
D) INCORRECT. Correlation of functional characteristics of the processes between the two systems is incorrect. A review of the correlation of the functional characteristics between the two systems is not relevant to a data migration review.
B) INCORRECT. Relative efficiency of the processes between the two systems is incorrect. A review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

Q93) Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?
A) Calculation of the expected end date based on current resources and remaining available project budget
B) Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables
C) Extrapolation of the overall end date based on completed work packages and current resources
D) Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports
Correct Answer-C) IS CORRECT. Extrapolation of the overall end date based on completed work packages and current resources is correct. Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (i.e., the 80:20 rule).
D) INCORRECT. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports is incorrect. The IS auditor cannot count on the accuracy of data in status reports for reasonable assurance.
B) INCORRECT. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables is incorrect. Interviews are a valuable source of information but will not necessarily identify any project challenges because the people being interviewed are involved in the project.