CISA 201 -300 Flashcards by Host Mom

The activation of an enterprise’s business continuity plan should be based on predetermined criteria that address the:

A. duration of the outage.
B. type of outage.
C. probability of the outage.
D. cause of the outage.

A. duration of the outage.

How well did you know this?

Not at all

Perfectly

After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways, and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented?

A. A cost-benefit analysis
B. An annual loss expectancy (ALE) calculation
C. A comparison of the cost of the IPS and firewall and the cost of the business systems
D. A business impact analysis (BIA)

A. A cost-benefit analysis

How well did you know this?

Not at all

Perfectly

After completing the business impact analysis (BIA), what is the NEXT step in the business continuity planning (BCP) process?

A. Test and maintain the plan.
B. Develop a specific plan.
C. Develop recovery strategies.
D. Implement the plan.

C. Develop recovery strategies.

How well did you know this?

Not at all

Perfectly

As a driver of IT governance, transparency of IT’s cost, value and risk is primarily achieved through:

A. performance measurement.
B. strategic alignment.
C. value delivery.
D. resource management.

A. performance measurement.

How well did you know this?

Not at all

Perfectly

As part of the business continuity planning (BCP) process, which of the following should be identified FIRST in the business impact analysis (BIA)?

A. Risk such as single point-of-failure and infrastructure risk
B. Threats to critical business processes
C. Critical business processes for ascertaining the priority for recovery
D. Resources required for resumption of business

C. Critical business processes for ascertaining the priority for recovery

How well did you know this?

Not at all

Perfectly

Assessing IT risk is BEST achieved by:

A. evaluating threats and vulnerabilities associated with existing IT assets and IT projects.
B. using the firm’s past actual loss experience to determine current exposure.
C. reviewing published loss statistics from comparable organizations.
D. reviewing IT control weaknesses identified in audit reports.

A. evaluating threats and vulnerabilities associated with existing IT assets and IT projects.

How well did you know this?

Not at all

Perfectly

Before implementing an IT balanced scorecard (BSC), an organization must:

A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.

B. define key performance indicators.

How well did you know this?

Not at all

Perfectly

The BEST method for assessing the effectiveness of a business continuity plan is to review the:

A. plans and compare them to appropriate standards.
B. results from previous tests.
C. emergency procedures and employee training.
D. offsite storage and environmental controls.

B. results from previous tests.

How well did you know this?

Not at all

Perfectly

By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:

A. reliable products are guaranteed.
B. programmers’ efficiency is improved.
C. security requirements are designed.
D. predictable software processes are followed.

D. predictable software processes are followed.

How well did you know this?

Not at all

Perfectly

Change control for business application systems being developed using prototyping could be complicated by the:

A. iterative nature of prototyping.
B. rapid pace of modifications in requirements and design.
C. emphasis on reports and screens.
D. lack of integrated tools.

B. rapid pace of modifications in requirements and design.

How well did you know this?

Not at all

Perfectly

Depending on the complexity of an organization’s business continuity plan (BCP), it may be developed as a set of plans to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that:

A. each plan is consistent with one another.
B. all plans are integrated into a single plan.
C. each plan is dependent on one another.
D. the sequence for implementation of all plans is defined.

A. each plan is consistent with one another.

How well did you know this?

Not at all

Perfectly

The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor?

A. The right to audit clause was not included in the contract.
B. The business case was not established.
C. There was no source code escrow agreement.
D. The contract does not cover change management procedures.

B. The business case was not established.

How well did you know this?

Not at all

Perfectly

Disaster recovery planning (DRP) addresses the:

A. technological aspect of business continuity planning (BCP).
B. operational part of business continuity planning.
C. functional aspect of business continuity planning.
D. overall coordination of business continuity planning.

A. technological aspect of business continuity planning (BCP).

How well did you know this?

Not at all

Perfectly

Documentation of a business case used in an IT development project should be retained until:

A. the end of the system’s life cycle.
B. the project is approved.
C. user acceptance of the system.
D. the system is in production.

A. the end of the system’s life cycle.

How well did you know this?

Not at all

Perfectly

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?

A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle.
C. No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization’s risk management.

D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization’s risk management.

How well did you know this?

Not at all

Perfectly

During an audit of a business continuity plan (BCP), an IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following areas should be reconciled FIRST?

A. Evacuation plan
B. Recovery priorities
C. Backup storages
D. Call tree

A. Evacuation plan

How well did you know this?

Not at all

Perfectly

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:

A. assessment of the situation may be delayed.
B. execution of the disaster recovery plan could be impacted.
C. notification of the teams might not occur.
D. potential crisis recognition might be delayed.

B. execution of the disaster recovery plan could be impacted.

How well did you know this?

Not at all

Perfectly

During the design of a business continuity plan, the business impact analysis (BIA) identifies critical processes and supporting applications. This will PRIMARILY influence the:

A. responsibility for maintaining the business continuity plan.
B. criteria for selecting a recovery site provider.
C. recovery strategy.
D. responsibilities of key personnel.

C. recovery strategy.

How well did you know this?

Not at all

Perfectly

An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider’s employees adhere to the security policies?

A. Sign-off is required on the enterprise’s security policies for all users.
B. An indemnity clause is included in the contract with the service provider.
C. Mandatory security awareness training is implemented for all users.
D. Security policies should be modified to address compliance by third-party users.

B. An indemnity clause is included in the contract with the service provider.

How well did you know this?

Not at all

Perfectly

Establishing the level of acceptable risk is the responsibility of:

A. quality assurance (QA) management.
B. senior business management.
C. the chief information officer (CIO).
D. the chief security officer (CSO).

B. senior business management.

How well did you know this?

Not at all

Perfectly

For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be:

A. stored in a secure, offsite facility.
B. approved by senior management
C. communicated to appropriate personnel.
D. made available through the enterprise’s intranet.

C. communicated to appropriate personnel.

How well did you know this?

Not at all

Perfectly

The GREATEST advantage of using web services for the exchange of information between two systems is:

A. secure communication.
B. improved performance.
C. efficient interfacing.
D. enhanced documentation

C. efficient interfacing.

How well did you know this?

Not at all

Perfectly

The PRIMARY benefit of implementing a security program as part of a security governance framework is the:

A. alignment of the IT activities with IS audit recommendations.
B. enforcement of the management of security risk.
C. implementation of the chief information security officer’s (CISO’s) recommendations.
D. reduction of the cost for IT security.

B. enforcement of the management of security risk.

How well did you know this?

Not at all

Perfectly

In determining the acceptable time period for the resumption of critical business processes:

A. only downtime costs need to be considered.
B. recovery operations should be analyzed.
C. both downtime costs and recovery costs need to be evaluated.
D. indirect downtime costs should be ignored.

C. both downtime costs and recovery costs need to be evaluated.

How well did you know this?

Not at all

Perfectly

Integrating the business continuity plan (BCP) into IT project management aids in: A. the testing of the business continuity requirements. B. the development of a more comprehensive set of requirements. C. the development of a transaction flowchart. D. ensuring the application meets the user's needs.

B. the development of a more comprehensive set of requirements.

An IS auditor can verify that an organization's business continuity plan (BCP) is effective by reviewing the: A. alignment of the BCP with industry good practices. B. results of business continuity tests performed by IS and end-user personnel. C. offsite facility, its contents, security and environmental controls. D. annual financial cost of the BCP activities versus the expected benefit of the implementation of the plan.

B. results of business continuity tests performed by IS and end-user personnel.

An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following: The existing DRP was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department. The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting their attention. The DRP has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for its area in the event of a disruptive incident. The IS auditor's report should recommend that: A. the deputy CEO be censured for failure to approve the plan. B. a board of senior managers is set up to review the existing plan. C. the existing plan is approved and circulated to all key management and staff. D. a manager coordinates the creation of a new or revised plan within a defined time limit.

D. a manager coordinates the creation of a new or revised plan within a defined time limit.

An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? A. An audit clause is present in all contracts. B. The service level agreement (SLA) of each contract is substantiated by appropriate key performance indicators (KPIs). C. The contractual warranties of the providers support the business needs of the organization. D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.

C. The contractual warranties of the providers support the business needs of the organization.

An IS auditor is performing an audit in the data center when the fire alarm begins sounding. The audit scope includes disaster recovery, so the auditor observes the data center staff response to the alarm. Which of the following is the MOST important action for the data center staff to complete in this scenario? A. Notify the local fire department of the alarm condition. B. Prepare to activate the fire suppression system. C. Ensure that all persons in the data center are evacuated. D. Remove all backup tapes from the data center.

C. Ensure that all persons in the data center are evacuated.

An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered: A. can deliver on the immediate contract. B. is of similar financial standing as the organization. C. has significant financial obligations that can impose liability to the organization. D. can support the organization in the long term.

D. can support the organization in the long term.

An IS auditor is reviewing an IT security risk management program. Measures of security risk should: A. address all of the network risk. B. be tracked over time against the IT strategic plan. C. take into account the entire IT environment. D. result in the identification of vulnerability tolerances.

C. take into account the entire IT environment.

An IS auditor is reviewing an organization's recovery from a disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined? A. The interruption window B. The recovery time objective (RTO) C. The service delivery objective (SDO) D. The recovery point objective (RPO)

D. The recovery point objective (RPO)

An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review? A. Controls are implemented based on cost-benefit analysis. B. The risk management framework is based on global standards. C. The approval process for risk response is in place. D. IT risk is presented in business terms.

D. IT risk is presented in business terms.

An IS auditor is told by IS management that the organization has recently reached the highest level of the software capability maturity model (CMM). The software quality process MOST recently added by the organization is: A. continuous improvement. B. quantitative quality goals. C. a documented process. D. a process tailored to specific projects

A. continuous improvement.

An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise's investment in software is protected, which of the following should be recommended by the IS auditor? A. Due diligence should be performed on the software vendor. B. A quarterly audit of the vendor facilities should be performed. C. There should be a source code escrow agreement in place. D. A high penalty clause should be included in the contract.

C. There should be a source code escrow agreement in place.

An IS auditor performing an audit of the risk assessment process should FIRST confirm that: A. reasonable threats to the information assets are identified. B. technical and organizational vulnerabilities have been analyzed. C. assets have been identified and ranked. D. the effects of potential security breaches have been evaluated.

C. assets have been identified and ranked.

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: A. hardware configuration. B. access control software. C. ownership of intellectual property. D. application development methodology.

C. ownership of intellectual property.

An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task? A. Immediately report the risk to the chief information officer (CIO) and chief executive officer (CEO). B. Examine the e-business application in development. C. Identify threats and the likelihood of occurrence. D. Check the budget available for risk management.

C. Identify threats and the likelihood of occurrence.

Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration? A. Function point analysis (FPA) B. Program evaluation review technique (PERT) chart C. Rapid application development D. Object-oriented system development

B. Program evaluation review technique (PERT) chart

A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP? A. Full-scale test with relocation of all departments, including IT, to the contingency site B. Walk-through test of a series of predefined scenarios with all critical personnel involved C. IT disaster recovery test with business departments involved in testing the critical applications D. Functional test of a scenario with limited IT involvement

D. Functional test of a scenario with limited IT involvement

The most common reason for the failure of information systems to meet the needs of users is that: A. user needs are constantly changing. B. the growth of user requirements was forecast inaccurately. C. the hardware system limits the number of concurrent users. D. user participation in defining the system's requirements was inadequate.

D. user participation in defining the system's requirements was inadequate.

An organization completed a business impact analysis (BIA) as part of business continuity planning. The NEXT step in the process is to develop: A. a business continuity strategy. B. a test and exercise plan. C. a user training program. D. the business continuity plan (BCP).

A. a business continuity strategy.

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk? A. Risk reduction B. Risk transfer C. Risk avoidance D. Risk mitigation

B. Risk transfer

An organization has just completed its annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization? A. Review and evaluate the business continuity plan for adequacy B. Perform a full simulation of the business continuity plan C. Train and educate employees regarding the business continuity plan D. Notify critical contacts in the business continuity plan

A. Review and evaluate the business continuity plan for adequacy

An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for: A. documentation of staff background checks. B. independent audit reports or full audit access. C. reporting the year-to-year incremental cost reductions. D. reporting staff turnover, development or training.

B. independent audit reports or full audit access.

An organization has purchased a third-party application and made significant modifications. While auditing the development process for this critical, customer-facing application, the IS auditor noted that the vendor has been in business for only one year. Which of the following would help mitigate the risk relating to continued application support? A. A viability study on the vendor B. A software escrow agreement C. Financial evaluation of the vendor D. A contractual agreement for future enhancements

B. A software escrow agreement

An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan? A. Full operational test B. Preparedness test C. Paper test D. Regression test

B. Preparedness test

The output of the risk management process is an input for making: A. business plans. B. audit charters. C. security policy decisions. D. software design decisions.

C. security policy decisions.

Overall quantitative business risk for a particular threat can be expressed as: A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability. B. the magnitude of the impact should a threat source successfully exploit the vulnerability. C. the likelihood of a given threat source exploiting a given vulnerability. D. the collective judgment of the risk assessment team.

A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability.

A poor choice of passwords and unencrypted data transmissions over unprotected communications lines are examples of: A. vulnerabilities. B. threats. C. probabilities. D. impacts.

A. vulnerabilities.

The PRIMARY objective of business continuity and disaster recovery plans should be to: A. safeguard critical IS assets. B. provide for continuity of operations. C. minimize the loss to an organization. D. protect human life.

D. protect human life.

The PRIMARY objective of testing a business continuity plan is to: A. familiarize employees with the business continuity plan. B. ensure that all residual risk is addressed. C. exercise all possible disaster scenarios. D. identify limitations of the business continuity plan.

D. identify limitations of the business continuity plan.

The reason for establishing a stop or freezing point on the design of a new system is to: A. prevent further changes to a project in process. B. indicate the point at which the design is to be completed. C. require that changes after that point be evaluated for cost- effectiveness. D. provide the project management team with more control over the project design.

C. require that changes after that point be evaluated for cost- effectiveness.

The success of control self- assessment (CSA) depends highly on: A. having line managers assume a portion of the responsibility for control monitoring. B. assigning staff managers the responsibility for building, but not monitoring, controls. C. the implementation of a stringent control policy and rule-driven controls. D. the implementation of supervision and the monitoring of controls of assigned duties.

A. having line managers assume a portion of the responsibility for control monitoring.

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should: A. compute the amortization of the related assets. B. calculate a return on investment (ROI). C. apply a qualitative approach. D. spend the time needed to define the loss amount exactly.

C. apply a qualitative approach.

To address the risk of operations staff's failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk: A. avoidance. B. transfer. C. mitigation. D. acceptance.

C. mitigation.

To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the: A. enterprise data model. B. IT balanced scorecard (BSC). C. IT organizational structure. D. historical financial statements.

B. IT balanced scorecard (BSC).

To optimize an organization's business continuity plan (BCP), an IS auditor should recommend a business impact analysis (BIA) to determine: A. the business processes that generate the most financial value for the organization and, therefore, must be recovered first. B. the priorities and order for recovery to ensure alignment with the organization's business strategy. C. the business processes that must be recovered following a disaster to ensure the organization's survival. D. the priorities and order of recovery, which will recover the greatest number of systems in the shortest time frame.

C. the business processes that must be recovered following a disaster to ensure the organization's survival.

The waterfall life cycle model of software development is most appropriately used when: A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate. B. requirements are well understood and the project is subject to time pressures. C. the project intends to apply an object-oriented design and programming approach. D. the project will involve the use of new technology.

A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate.

When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied? A. Transfer B. Mitigation C. Avoidance D. Acceptance

C. Avoidance

When auditing a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that it does not cover all of the systems. Which of the following is the MOST appropriate action for the IS auditor? A. Alert management and evaluate the impact of not covering all systems. B. Cancel the audit. C. Complete the audit of the systems covered by the existing disaster recovery plan (DRP). D. Postpone the audit until the systems are added to the DRP.

A. Alert management and evaluate the impact of not covering all systems.

When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST ensure that: A. a clear business case has been approved by management. B. corporate security standards will be met. C. users will be involved in the implementation plan. D. the new system will meet all required user functionality

A. a clear business case has been approved by management.

When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and business unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain successful results and avoid future conflicts? A. Ensure that the IT security risk assessment has a clearly defined scope. B. Require the IT security officer to approve each risk rating during the workshop. C. Suggest that the IT security officer accept the business unit risk and rating. D. Select only commonly accepted risk with the highest submitted rating.

A. Ensure that the IT security risk assessment has a clearly defined scope.

When developing a business continuity plan (BCP), which of the following tools should be used to gain an understanding of the organization's business processes? A. Business continuity self-audit B. Resource recovery analysis C. Risk assessment D. Gap analysis

C. Risk assessment

When developing a risk management program, what is the FIRST activity to be performed? A. Threat assessment B. Classification of data C. Inventory of assets D. Criticality analysis

C. Inventory of assets

When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of: A. excessive transaction turnaround time. B. application interface failure. C. improper transaction authorization. D. non-validated batch totals.

C. improper transaction authorization.

When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST? A. The project budget B. The critical path for the project C. The length of the remaining tasks D. The personnel assigned to other tasks

B. The critical path for the project

Which of the following business continuity plan (BCP) tests involves participation of relevant members of the crisis management/response team to practice proper coordination? A. Tabletop B. Functional C. Full-scale D. Deskcheck

A. Tabletop

Which of the following distinguishes a business impact analysis (BIA) from a risk assessment? A. An inventory of critical assets B. An identification of vulnerabilities C. A listing of threats D. A determination of acceptable downtime

D. A determination of acceptable downtime

Which of the following does a lack of adequate security controls represent? A. Threat B. Asset C. Impact D. Vulnerability

D. Vulnerability

Which of the following insurance types provide for a loss arising from fraudulent acts by employees? A. Business interruption B. Fidelity coverage C. Errors and omissions D. Extra expense

B. Fidelity coverage

Which of the following is a characteristic of timebox management? A. Not suitable for prototyping or rapid application development (RAD) B. Eliminates the need for a quality process C. Prevents cost overruns and delivery delays D. Separates system and user acceptance testing

C. Prevents cost overruns and delivery delays

Which of the following is an appropriate test method to apply to a business continuity plan (BCP)? Select an answer: A. Pilot B. Paper C. Unit D. System

B. Paper

Which of the following is an attribute of the control self-assessment (CSA) approach? A. Broad stakeholder involvement B. Auditors are the primary control analysts C. Limited employee participation D. Policy driven

A. Broad stakeholder involvement

Which of the following is MOST important to ensure that effective application controls are maintained? A. Exception reporting B. Manager involvement C. Control self-assessment (CSA) D. Peer review

C. Control self-assessment (CSA)

Which of the following is the BEST method to ensure that the business continuity plan (BCP) remains up to date? A. The group walks through the different scenarios of the plan from beginning to end. B. The group ensures that specific systems can actually perform adequately at the alternate offsite facility. C. The group is aware of full-interruption test procedures. D. Interdepartmental communication is promoted to better respond in the case of a disaster.

A. The group walks through the different scenarios of the plan from beginning to end.

Which of the following is the key benefit of a control self-assessment (CSA)? A. Management ownership of the internal controls supporting business objectives is reinforced. B. Audit expenses are reduced when the assessment results are an input to external audit work. C. Fraud detection will be improved because internal business staff are engaged in testing controls. D. Internal auditors can shift to a consultative approach by using the results of the assessment.

A. Management ownership of the internal controls supporting business objectives is reinforced.

Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement (SLA) with an external IT service provider? A. Payment terms B. Uptime guarantee C. Indemnification clause D. Default resolution

B. Uptime guarantee

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: A. claims to meet or exceed industry security standards. B. agrees to be subject to external security reviews. C. has a good market reputation for service and experience. D. complies with security policies of the organization.

B. agrees to be subject to external security reviews.

Which of the following is the MOST likely benefit of implementing a standardized infrastructure? A. Improved cost-effectiveness of IT service delivery and operational support B. Increased security of the IT service delivery center C. Reduced level of investment in the IT infrastructure D. Reduced need for testing future application changes

A. Improved cost-effectiveness of IT service delivery and operational support

Which of the following is the PRIMARY objective of an IT performance measurement process? A. Minimize errors. B. Gather performance data. C. Establish performance baselines. D. Optimize performance.

D. Optimize performance.

Which of the following is the PRIMARY objective of the business continuity plan (BCP) process? A. To provide assurance to stakeholders that business operations will continue in the event of disaster B. To establish an alternate site for IT services to meet predefined recovery time objectives (RTOs) C. To manage risk while recovering from an event that adversely affected operations D. To meet the regulatory compliance requirements in the event of natural disaster

C. To manage risk while recovering from an event that adversely affected operations

Which of the following must exist to ensure the viability of a duplicate information processing facility? A. The site is near the primary site to ensure quick and efficient recovery. B. The site contains the most advanced hardware available. C. The workload of the primary site is monitored to ensure adequate backup is available. D. The hardware is tested when it is installed to ensure it is working properly.

C. The workload of the primary site is monitored to ensure adequate backup is available.

Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects? A. Project database B. Policy documents C. Project portfolio database D. Program organization

C. Project portfolio database ?

Which of the following should be a concern for an IS auditor reviewing an organization's cloud computing strategy which is based on a software as a service (SaaS) model with an external provider? A. Workstation upgrades must be performed. B. Long-term software acquisition costs are higher. C. Contract with the provider does not include onsite technical support. D. Incident handling procedures with the provider are not well defined

D. Incident handling procedures with the provider are not well defined

Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan (BCP)? A. The plan is approved by the chief information officer (CIO). B. The plan contact lists have not been updated. C. Test results are not adequately documented. D. The training schedule for recovery personnel is not included.

C. Test results are not adequately documented.

Which of the following should be considered FIRST when implementing a risk management program? A. An understanding of the organization's threat, vulnerability and risk profile B. An understanding of the risk exposures and the potential consequences of compromise C. A determination of risk management priorities based on potential consequences D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level

A. An understanding of the organization's threat, vulnerability and risk profile

Which of the following should be of MOST concern to an IS auditor reviewing the business continuity plan (BCP)? Select an answer: A. The disaster levels are based on scopes of damaged functions but not on duration. B. The difference between low-level disaster and software incidents is not clear. C. The overall BCP is documented, but detailed recovery steps are not specified. D. The responsibility for declaring a disaster is not identified.

D. The responsibility for declaring a disaster is not identified.

Which of the following statements is valid while drafting a disaster recovery plan (DRP)? A. Downtime costs decrease as the recovery point objective (RPO) increases. B. Downtime costs increase with time. C. Recovery costs are independent of time. D. Recovery costs can only be controlled on a short-term basis.

B. Downtime costs increase with time.

Which of the following tasks should be performed FIRST when preparing a disaster recovery plan (DRP)? A. Develop a recovery strategy. B. Perform a business impact analysis (BIA). C. Map software systems, hardware and network components. D. Appoint recovery teams with defined personnel, roles and hierarchy.

B. Perform a business impact analysis (BIA).

Which of the following would be MOST important for an IS auditor to verify while conducting a business continuity audit? A. Data backups are performed on a timely basis. B. A recovery site is contracted for and available as needed. C. Human safety procedures are in place. D. Insurance coverage is adequate and premiums are current.

C. Human safety procedures are in place.

Which of the following would BEST help to prioritize project activities and determine the time line for a project? A. A Gantt chart B. Earned value analysis (EVA) C. Program evaluation review technique (PERT) D. Function point analysis (FPA)

C. Program evaluation review technique (PERT)

Which of the following would contribute MOST to an effective business continuity plan (BCP)? A. The document is circulated to all interested parties. B. Planning involves all user departments. C. The plan is approved by senior management. D. An audit is performed by an external IS auditor.

B. Planning involves all user departments.

While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Because the work involves confidential information, the IS auditor's PRIMARY concern should be that the: A. requirement for protecting confidentiality of information could be compromised. B. contract may be terminated because prior permission from the outsourcer was not obtained. C. other service provider to whom work has been outsourced is not subject to audit. D. outsourcer will approach the other service provider directly for further work.

A. requirement for protecting confidentiality of information could be compromised.

While conducting an IS audit of a service provider for a government program involving confidential information, an IS auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met? A. Monthly committee meetings include the subcontractor's IS manager B. Management reviews weekly reports from the subcontractor C. Permission is obtained from the government agent regarding the contract D. Periodic independent audit of the work delegated to the subcontractor

D. Periodic independent audit of the work delegated to the subcontractor

While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructure damage. The BEST recommendation the IS auditor can provide to the organization is to ensure: A. the salvage team is trained to use the notification system. B. the notification system provides for the recovery of the backup. C. redundancies are built into the notification system. D. the notification systems are stored in a vault.

C. redundancies are built into the notification system.

While reviewing the IT governance processes of an organization, an IS auditor discovers that the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation? A. Key performance indicators (KPIs) are not reported to management and management cannot determine the effectiveness of the BSC. B. IT projects could suffer from cost overruns. C. Misleading indications of IT performance may be presented to management. D. IT service level agreements (SLAs) may not be accurate.

C. Misleading indications of IT performance may be presented to management.

Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application? A. User management B. Project steering committee C. Senior management D. Quality assurance staff

A. User management

With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the: A. clarity and simplicity of the business continuity plans. B. adequacy of the business continuity plans. C. effectiveness of the business continuity plans. D. ability of IS and end-user personnel to respond effectively in emergencies.

A. clarity and simplicity of the business continuity plans.

With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor? A. Core activities that provide a differentiated advantage to the organization have been outsourced. B. Periodic renegotiation is not specified in the outsourcing contract. C. The outsourcing contract fails to cover every action required by the business. D. Similar activities are outsourced to more than one vendor.

A. Core activities that provide a differentiated advantage to the organization have been outsourced.