Chapter 4 Self Assessment Flashcards

1
Q

Which one of the following provides the BEST method for determining the level of performance provided by similar information processing facility environments?

A. User satisfaction
B. Goal accomplishment
C. Benchmarking
D. Capacity and growth planning

A

C. Benchmarking

2
Q

For mission critical systems with a low tolerance to interruption and a high cost of recovery, the IS auditor, in principle, recommends the use of which of the following recovery options?

A. Mobile site
B. Warm site
C. Cold site
D. Hot site

A

D. Hot site

3
Q

Which of the following is the MOST effective method for an IS auditor to use in testing the program change management process?

A. Trace from system-generated information to the change management documentation
B. Examine change management documentation for evidence of accuracy
C. Trace from the change management documentation to a system-generated audit trail
D. Examine change management documentation for evidence of completeness

A

A. Trace from system-generated information to the change management documentation

4
Q

Which of the following would allow an enterprise to extend its intranet across the Internet to its business partners?

A. Virtual private network
B. Client-server
C. Dial-up access
D. Network service provider

A

A. Virtual private network

5
Q

The classification based on criticality of a software application as part of an IS business continuity plan is determined by the:

A. nature of the business and the value of the application to the business.
B. replacement cost of the application.
C. vendor support available for the application.
D. associated threats and vulnerabilities of the application.

A

A. nature of the business and the value of the application to the business.

6
Q

When conducting an audit of client-server database security, the IS auditor should be MOST concerned about the availability of:

A. system utilities.
B. application program generators.
C. systems security documentation.
D. access to stored procedures.

A

A. system utilities.

7
Q

When reviewing a network used for Internet communications, an IS auditor will FIRST examine the:

A. validity of password change occurrences.
B. architecture of the client-server application.
C. network architecture and design.
D. firewall protection and proxy servers.

A

C. network architecture and design.

8
Q

An IS auditor should be involved in:

A. observing tests of the disaster recovery plan.
B. developing the disaster recovery plan.
C. maintaining the disaster recovery plan.
D. reviewing the disaster recovery requirements of supplier contracts.

A

A. observing tests of the disaster recovery plan.

9
Q

Data mirroring should be implemented as a recovery strategy when:

A. recovery point objective (RPO) is low.
B. recovery point objective (RPO) is high.
C. recovery time objective (RTO) is high.
D. disaster tolerance is high.

A

A. recovery point objective (RPO) is low.

10
Q

Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization’s IS department?

A. Developing the business continuity plan
B. Selecting and approving the recovery strategies used in the business continuity plan
C. Declaring a disaster
D. Restoring the IT systems and data after a disaster

A

D. Restoring the IT systems and data after a disaster

11
Q

Which of the following is the highest level of incident classification?

a. Major
b. Minor
c. Defined
d. Crisis

A

d. Crisis

12
Q

From an audit perspective, what best defines how current the data must be or how much data an organization can afford to lose?

a. RTO
b. RPO
c. MTD
d. WRT

A

b. RPO

13
Q

Which of the following specifies the maximum elapsed time to recover an application at an alternate site?

a. RTO
b. RPO
c. MTD
d. WRT

A

a. RTO

14
Q

Which of the following defines the maximum amount of time the organization can provide services at the alternate site? This value can be determined by items such as contractual values.

a. SDO
b. SLA
c. MTD
d. WRT

A

c. MTD

15
Q

Which of the following activities are specifically required for critical processes and produce revenue?

a. Core processing
b. Non-discretionary processes
c. Maximum acceptable outage
d. Supporting processes

A

a. Core processing

16
Q

Which version of RAID offers no fault tolerance?

a. RAID 0
b. RAID 1
c. RAID 10
d. RAID 15

A

a. RAID 0

17
Q

This tape-rotation scheme is named after a mathematical puzzle.

a. Grandfather, Father, Son
b. Complex
c. Simple
d. Tower of Hanoi

A

d. Tower of Hanoi

18
Q

This recovery option is sometimes referred to as a gentleman’s agreement.

a. Hot site
b. Redundant site
c. Reciprocal
d. Grandfather, father, son

A

c. Reciprocal

19
Q

Which of the following would be used to describe a non-repairable item that has reached end of life?

a. MTTR
b. MTTF
c. MTBF
d. SLA

A

b. MTTF

20
Q

Which of the following is the lowest level of incident classification?

a. Major
b. Minor
c. Negligible
d. Crisis

A

c. Negligible