Domain 4: Information Systems Operations and Business Resilience Flashcards
Which of the following is MOST important when an operating system (OS) patch is to be applied to a production environment?
A.Successful regression testing by the developer
B.Approval from the information asset owner
C.Approval from the security officer
D.Patch installation at alternate sites
B. It is most important that information owners approve any changes to production systems to ensure that no serious business disruption takes place as the result of the patch release.
An information systems (IS) auditor examining the security configuration of an operating system (OS) should review the:
A.transaction logs.
B.authorization tables.
C.parameter settings.
D.routing tables.
C. Configuration parameters allow a standard piece of software to be customized for diverse environments and are important in determining how a system runs. The parameter settings should be appropriate to an organization’s workload and control environment. Improper implementation and/or monitoring of OSs can result in undetected errors and corruption of the data being processed, and lead to unauthorized access and inaccurate logging of system usage.
When reviewing the implementation of a local area network, an information systems (IS) auditor should FIRST review the:
A.node list.
B.acceptance test report.
C.network diagram.
D.users list.
C. To properly review a local area network implementation, an information systems (IS) auditor should first verify the network diagram to identify risk or single points of failure.
Which of the following BEST ensures the integrity of a server’s operating system?
A.Protecting the server in a secure location
B.Setting a boot password
C.Hardening the server configuration
D.Implementing activity logging
C. Hardening a system means to configure it in the most secure manner (i.e., install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS.
Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?
A.Firewalls
B.Routers
C.Layer 2 switches
D.Virtual local area networks (VLANs)
A. Firewall systems are the primary tool that enables an enterprise to prevent unauthorized access between networks. An enterprise may choose to deploy one or more systems that function as firewalls.
The GREATEST advantage of using web services for the exchange of information between two systems is:
A.secure communication.
B.improved performance.
C.efficient interfacing.
D.enhanced documentation.
C. Web services facilitate the interoperable exchange of information between two systems regardless of the operating system or programming language used.
When reviewing an enterprise’s preventive maintenance process for systems at a data center, what is the MOST important practice that should be in place for an information systems (IS) auditor to be able to ensure that adequate maintenance is being performed on all critical computing, power and cooling systems?
A.Proper background checks on all service personnel are conducted.
B.Service personnel are escorted at all times when performing their work.
C.Maintenance is scheduled during noncritical processing times.
D.Verification of maintenance being performed is done independently.
D. Independent verification confirms documented maintenance activities, ensuring their effectiveness in sustaining critical systems. It provides assurance and detects any maintenance process gaps or deficiencies.
When reviewing a hardware maintenance program, an information systems (IS) auditor should assess whether:
A.the schedule of all unplanned maintenance is maintained.
B.it is in line with historical trends.
C.it has been approved by the IS steering committee.
D.the program is validated against vendor specifications.
D. Although maintenance requirements vary based on complexity and performance workloads, a hardware maintenance schedule should be validated against the vendor-provided specifications.
An information systems (IS) auditor has been tasked by an automated manufacturing facility for the risk-based audit of its distributed control supervisory control and data acquisition (SCADA) systems. Which of the following should be the PRIMARY task for the auditor?
A.Evaluation of communication architecture and connectivity interfaces
B.Evaluation of functioning of monitoring terminals, sensors and actuators
C.Assessment of total cost of ownership (TCO) for the SCADA systems
D.Evaluation of usability of automated controls for enterprise engineers
A. Communication channels over the Internet and even USB interfaces in air-gapped systems increase the risk of malware exposure (e.g., Stuxnet).
When reviewing the desktop software compliance of an organization, the information systems (IS) auditor should be MOST concerned if the installed software:
A.is installed, but not documented in the IT department records.
B.is being used by users not properly trained in its use.
C.is not listed in the approved software standards document.
D.has a license that will expire in the next 15 days.
C. Installing software not allowed by policy is a serious violation and can put the organization at security, legal and financial risk. Any software that is allowed should be part of a standard software list. This is the first thing to review because this would also indicate compliance with policies.
An information systems (IS) auditor discovers that some users installed personal software on their PCs. This is not explicitly forbidden by the security policy. The BEST approach for an IS auditor is to recommend that the:
A.IT department implement control mechanisms to prevent unauthorized software installation.
B.security policy be updated to include the specific language regarding unauthorized software.
C.IT department prohibit the download of unauthorized software.
D.users obtain approval from an IS manager before installing nonstandard software.
B. Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue—and provide authority for the IT department to implement technical controls.
An information systems (IS) auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
A.Delete all copies of the unauthorized software.
B.Recommend an automated process to monitor for compliance with software licensing.
C.Report the use of the unauthorized software and the need to prevent recurrence.
D.Warn the end users about the risk of using illegal software.
C. The use of unauthorized or illegal software should be prohibited by an organization. An IS auditor must convince the user and management of the risk and the need to eliminate the risk. For example, software piracy can result in exposure and severe fines.
Which of the following is a MAJOR concern during a review of help desk activities?
A.The help desk team could not resolve certain calls.
B.A dedicated line is not assigned to the help desk team.
C.Resolved incidents are closed without reference to end users.
D.The help desk instant messaging has been down for more than six months.
C. The help desk function is a service-oriented unit. The end users must be advised before an incident can be regarded as closed.
Although management has stated otherwise, an information systems (IS) auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:
A.include the statement from management in the audit report.
B.verify that the software is in use through testing.
C.include the item in the audit report.
D.discuss the issue with senior management because it could have a negative impact on the organization.
B. When there is an indication that an organization might be using unlicensed software, the information systems (IS) auditor should obtain sufficient evidence before including it in the report.
Which of the following is a network diagnostic tool that monitors and records network information?
A.Online monitor
B.Downtime report
C.Help desk report
D.Protocol analyzer
D. Protocol analyzers are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached.
During an assessment of software development practices, an information systems (IS) auditor finds that open-source software components were used in an application designed for a client. What is the GREATEST concern that the auditor has about the use of open-source software?
A.The client did not pay for the open-source software components.
B.The organization and client must comply with open-source software license terms.
C.Open-source software has security vulnerabilities.
D.Open-source software is unreliable for commercial use.
B. There are many types of open-source software licenses and each has different terms and conditions. Some open-source software licensing allows use of the open-source software component freely but requires that the completed software product must also allow the same rights. This is known as viral licensing, and if the development organization is not careful, its products can violate licensing terms by selling the product for profit. The information systems (IS) auditor should be most concerned with open-source software licensing compliance to avoid unintended intellectual property risk or legal consequences.
An information systems (IS) auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be the GREATEST concern to the IS auditor?
A.There are a growing number of emergency changes.
B.There were instances when some jobs were not completed on time.
C.There were instances when some jobs were overridden by computer operators.
D.Evidence shows that only scheduled jobs were run.
C. The overriding of computer processing jobs by computer operators can lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical.
Which of the following BEST helps to detect errors in data processing?
A.Programmed edit checks
B.Well-designed data entry screens
C.Separation of duties
D.Hash totals
D. The use of hash totals is an effective method to reliably detect errors in data processing. A mismatch between the hash total computed before processing and the one computed afterward indicates an error in data integrity.
A batch transaction job failed in production; however, the same job returned no issues during user acceptance testing (UAT). Analysis of the production batch job indicates that it was altered after UAT. What control provides a mitigation for this risk?
A.Improve regression test cases.
B.Activate audit trails for a limited period after release.
C.Conduct an application user access review.
D.Implement a segregation/separation of duties (SoD) policy.
D. To ensure proper segregation/separation of duties (SoD), developers should be restricted to the development environment only. If code needs to be modified after user acceptance testing, the process must be restarted in development.
Which of the following is the BEST method for an information systems (IS) auditor to verify that critical production servers are running the latest security updates released by the vendor?
A.Ensure that automatic updates are enabled on critical production servers.
B.Verify manually that the patches are applied on a sample of production servers.
C.Review the change management log for critical production servers.
D.Run an automated tool to verify the security patches on production servers.
D. An automated tool can immediately provide a report on which patches have been applied and which are missing.
Which of the following allows software systems or applications to access and interact with a cloud-based infrastructure or service provider?
A.Simple Network Management Protocol (SNMP)
B.Remote procedure call
C.Circuit-level gateway
D.Application programming interface (API)
D. An application programming interface (API) allows software systems or applications to access and interact with a cloud-based infrastructure or service provider. APIs provide a set of rules and protocols that enable developers to integrate their applications with cloud services, access resources and perform various operations.
A consulting firm created a file transfer protocol (FTP) site for the purpose of receiving financial data and communicated the site’s address, user ID and password to the financial services enterprise in separate email messages. The enterprise is to transmit its data to the FTP site after manually encrypting the data. The information systems (IS) auditor’s GREATEST concern with this process is that:
A.The users may not remember to manually encrypt the data before transmission.
B.The site credentials were sent to the financial services enterprise via email.
C.Personnel at the consulting firm may obtain access to sensitive data.
D.The use of a shared user ID to the FTP site does not allow for user accountability.
A. If the data is not encrypted, an unauthorized external party may download sensitive enterprise data.
In a distributed system, which of the following BEST allows different components or modules to communicate and coordinate their activities?
A.Message queue interface
B.Application programming interface (API)
C.Remote procedure call
D.Communication infrastructure interface
B. An application programming interface (API) allows components or modules in a distributed system to communicate and coordinate their activities. An API defines a set of rules and protocols that enable the interaction and exchange of data between software components.
Which of the following is a prevalent risk in the development of end-user computing applications?
A.Applications may not be subject to testing and IT general controls.
B.Development and maintenance costs may be increased.
C.Application development time may be increased.
D.Decision-making may be impaired due to diminished responsiveness to requests for information.
A. End-user computing is defined as the ability of end users to design and implement their own information system using computer software products. End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications.
An information systems (IS) auditor is evaluating network performance for an organization that is considering increasing its Internet bandwidth due to a performance degradation during business hours. Which of the following is MOST likely the cause of the performance degradation?
A.Malware on servers
B.Firewall misconfiguration
C.Increased spam received by the email server
D.Unauthorized network activities
D. Unauthorized network activities—such as employee use of file or music sharing sites, online gambling or personal email containing large files or photos—can contribute to network performance issues. Because the information systems (IS) auditor found the degraded performance during business hours, this is the most likely cause.
An employee received a digital photo frame as a gift and connected it to his/her work PC to transfer digital photos. The PRIMARY risk that this scenario introduces is that:
A.the photo frame storage media can be used to steal enterprise data.
B.the drivers for the photo frame may be incompatible and crash the user’s PC.
C.the employee may bring inappropriate photographs into the office.
D.the photo frame can be infected with malware.
D. Any storage device can be a vehicle for infecting other computers with malware. Some devices have been found to be infected in the factory during the manufacturing process. Controls should exist to prohibit employees from connecting any storage media devices to their enterprise-issued PCs.
Business units are concerned about the performance of a newly implemented system. Which of the following should an information systems (IS) auditor recommend?
A.Develop a baseline and monitor system usage.
B.Define alternate processing procedures.
C.Prepare the maintenance manual.
D.Implement the changes users have suggested.
A. An information systems (IS) auditor should recommend the development of a performance baseline and monitor the system’s performance against the baseline to develop empirical data upon which decisions for modifying the system can be made.
While reviewing the process for continuous monitoring of the capacity and performance of IT resources, an information systems (IS) auditor should PRIMARILY ensure that the process is focused on which of the following?
A.Adequately monitoring service levels of IT resources and services
B.Providing data to enable timely planning for capacity and performance requirements
C.Providing accurate feedback on IT resource capacity
D.Properly forecasting performance, capacity and throughput of IT resources
C. Accurate capacity monitoring of IT resources is a critical element of a continuous monitoring process.
Which of the following must exist to ensure the viability of a duplicate information processing facility (IPF)?
A.The site is near the primary site to ensure quick and efficient recovery.
B.The site contains the most advanced hardware available.
C.The workload of the primary site is monitored to ensure adequate backup is available.
D.The hardware is tested when it is installed to ensure it is working properly.
C. Resource availability must be assured. The workload of the primary site must be monitored to ensure that availability at the alternate site for emergency backup use is sufficient.
Contractual provisions for a hot, warm or cold site should PRIMARILY cover which of the following considerations?
A.Physical security measures
B.Total number of subscribers
C.Number of subscribers permitted to use a site at one time
D.References by other users
C. The contract should specify the number of subscribers permitted to use the site at any one time. The contract can be written to give preference to certain subscribers.
Which of the following is MOST directly affected by network performance monitoring tools?
A.Integrity
B.Availability
C.Completeness
D.Confidentiality
B. Network monitoring tools allow observation of network performance and problems. This allows the administrator to take corrective action when network problems are observed. Therefore, the characteristic most directly affected by network monitoring is availability.
While reviewing the IT infrastructure, an information systems (IS) auditor notices that storage resources are continuously being added. The IS auditor should:
A.recommend the use of disk mirroring.
B.review the adequacy of offsite storage.
C.review the capacity management process.
D.recommend the use of a compression algorithm.
C. Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively. This looks at capacity from a strategic viewpoint and allows a plan to forecast and purchase additional equipment in a planned manner.
An organization implemented an online customer help desk application using a software as a service (SaaS) operating model. An information systems (IS) auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor regarding availability. What is the BEST recommendation that the IS auditor can provide?
A.Ask the SaaS vendor to provide a weekly report on application uptime.
B.Implement an online polling tool to monitor the application and record outages.
C.Log all application outages reported by users and aggregate the outage time weekly.
D.Contract an independent third party to provide weekly reports on application uptime.
B. Implementing an online polling tool to monitor and record application outages is the best option for an organization to monitor the software as a service application availability. Comparing internal reports with the vendor’s service level agreement (SLA) reports ensures that the vendor’s monitoring of the SLA is accurate and that all conflicts are appropriately resolved.
When reviewing system parameters, an information systems (IS) auditor’s PRIMARY concern should be that:
A.they are set to meet both security and performance requirements.
B.changes are recorded in an audit trail and periodically reviewed.
C.changes are authorized and supported by appropriate documents.
D.access to parameters in the system is restricted.
A. The primary concern is to find the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; however, if parameters are not set according to business rules, monitoring of changes may not be an effective control.
Doing which of the following during peak production hours can result in unexpected downtime?
A.Performing data migration
B.Performing preventive maintenance on electrical systems
C.Promoting applications from development to the staging environment
D.Reconfiguring a standby router in the data center
B. Preventive maintenance activities should be scheduled for nonpeak times of the day, and preferably during a maintenance window time period. A mishap or incident caused by a maintenance worker can result in unplanned downtime.
A lower recovery time objective (RTO) results in:
A.higher disaster tolerance.
B.higher cost.
C.reduced system interruptions.
D.more permissive data loss.
B. The recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of the recovery strategies needed to meet it.
An information systems (IS) auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess the following:
A.Problem management procedures
B.Software development procedures
C.Back-out procedures
D.Incident management procedures
C. Back-out procedures are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process, which specifies what procedures should be followed when software is being upgraded but does not work and requires a fallback to its former state.
Which of the following is widely accepted as one of the critical components in networking management?
A.Configuration and change management
B.Topological mappings
C.Application of monitoring tools
D.Proxy server troubleshooting
A. Configuration management is widely accepted as one of the key components of any network because it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Change management ensures that the setup and management of the network are done properly, including managing changes to the configuration, removing default passwords and possibly hardening the network by disabling unneeded services.
Which of the following BEST limits the impact of server failures in a distributed environment?
A.Redundant pathways
B.Clustering
C.Dial backup lines
D.Standby power
B. Clustering allows two or more servers to work as a unit so that when one of them fails, the other takes over.
While conducting an audit on the customer relationship management application, the information systems (IS) auditor observes that it takes a significantly long time for users to log on to the system during peak business hours as compared with other times of the day. After a user is logged on, the average response time for the system is within acceptable limits. Which of the following choices should the IS auditor recommend?
A.No action should be taken because the system meets current business requirements.
B.IT should increase the network bandwidth to improve performance.
C.Users should be provided with detailed manuals to use the system properly.
D.Establish performance measurement criteria for the authentication servers.
D. Performance criteria for the authentication servers would help to quantify acceptable thresholds for system performance, which can be measured and remediated.
Which of the following BEST ensures that users have uninterrupted access to a critical, heavily used web-based application?
A.Disk mirroring
B.Redundant array of inexpensive disks (RAID)
C.Dynamic domain name system (DNS)
D.Load balancing
D. Load balancing distributes traffic across multiple servers, ensuring uninterrupted system availability and consistent response time for web applications. It also redirects traffic to functional servers if a server fails.
The PRIMARY benefit of an IT manager monitoring technical capacity is to:
A.identify the need for new hardware and storage procurement.
B.determine the future capacity need based on usage.
C.ensure that the service level requirements are met.
D.ensure that systems operate at optimal capacity.
C. Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal service level agreement between the business and IT.
Which of the following should the information systems (IS) auditor review to ensure that servers are optimally configured to support processing requirements?
A.Benchmark test results
B.Server logs
C.Downtime reports
D.Server utilization data
D. Monitoring server utilization identifies underused servers and monitors overall server utilization. Underused servers do not provide the business with optimal cost-effectiveness. By monitoring server usage, IT management can take appropriate measures to raise the utilization ratio and provide the most effective return on investment.
If the recovery time objective (RTO) increases:
A.the disaster tolerance increases.
B.the cost of recovery increases.
C.a cold site cannot be used.
D.the data backup frequency increases.
A. The longer the recovery time objective (RTO), the higher the disaster tolerance. The disaster tolerance is the amount of time the business can afford to be disrupted before resuming critical operations.
Which of the following is the BEST method to ensure that critical IT system failures do not reoccur?
A.Invest in redundant systems.
B.Conduct a follow-up audit.
C.Monitor system performance.
D.Perform root cause analysis.
D. Root cause analysis determines the key reason an incident has occurred and allows for appropriate corrections that will help prevent the incident from recurring.
An information systems (IS) auditor determined that the IT manager recently changed the vendor that is responsible for performing maintenance on critical computer systems to cut costs. Although the new vendor is less expensive, the new maintenance contract specifies a change in incident resolution time specified by the original vendor. Which of the following should be the GREATEST concern to the IS auditor?
A.Disaster recovery plans (DRPs) may be invalid and need to be revised.
B.Transactional business data may be lost in the event of system failure.
C.The new maintenance vendor is not familiar with the organization’s policies.
D.Application owners were not informed of the change.
D. The greatest risk of making a change to the maintenance of critical systems is that the change can have an adverse impact on a critical business process. Although there is a benefit in selecting a less expensive maintenance vendor, the resolution time must be aligned with the needs of the business.
Which of the following is MOST useful for effective security log management?
A.Implementing automated tools to collect, analyze and retain logs
B.Archiving and storing logs indefinitely to ensure historical data availability
C.Collecting all logs from all systems, databases, devices and tools
D.Security manager reviewing logs daily to detect and respond to security incidents
A. Effective security log management involves automated tools and processes to collect, analyze and retain logs from various systems and devices within an organization’s IT infrastructure. Automated log management solutions help streamline the log collection process, centralize logs from different sources, apply real-time analysis techniques to identify security incidents and retain logs for an appropriate period based on regulatory and compliance requirements. Automated tools can process large volumes of log data and identify abnormal patterns or suspicious activities that a human analyst might miss. These tools can also generate alerts in real time when they detect potential security incidents.
Which of the following would be the MOST appropriate recovery strategy for a sensitive system with a high recovery time objective (RTO)?
A.Warm site
B.Hot site
C.Cold site
D.Mobile recovery site
C. The functions of a sensitive system with a high RTO can be performed manually at a tolerable cost for an extended period of time, so a long recovery period is acceptable. The cold site is the most cost-effective solution for such a system.
During an audit of a small organization that provides medical transcription services, an information systems (IS) auditor observes several issues related to the backup and restore process. Which of the following should be the auditor’s GREATEST concern?
A.Restoration testing for backup media is not performed; however, all data restore requests have been successful.
B.The policy for data backup and retention has not been reviewed by the business owner for the past three years.
C.The organization stores transcription backup media offsite using a third-party service provider that inventories backups annually.
D.Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator.
C. Losing a backup medium is a major incident for an organization handling confidential patient data. Privacy laws impose severe penalties, and mandated reporting requirements can harm the organization’s reputation. To ensure proper backup handling, the organization should conduct audit tests, including frequent physical inventories and evaluating controls at the third-party provider.
The FIRST step in the execution of a problem management mechanism should be:
A.issue analysis.
B.exception ranking.
C.exception reporting.
D.root cause analysis.
C. The reporting of operational issues is normally the first step in tracking problems.
An information systems (IS) auditor observed that users are occasionally granted the authority to change system data. This elevated system access is, however, required for the smooth functioning of business operations. Which of the following controls does the IS auditor MOST likely recommend for long-term resolution?
A.Redesign the controls related to data authorization.
B.Implement additional separation of duties controls.
C.Review policy to see if a formal exception process is required.
D.Implement additional logging controls.
C. If the users are granted access to change data in support of the business requirements, the policy should be followed. If there is no policy for the granting of extraordinary access, then one should be designed to ensure that no unauthorized changes are made.
A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized?
A.The system will not process the change until the clerk’s manager confirms the change by entering an approval code.
B.The system generates a weekly report listing all rate exceptions and the report is reviewed by the clerk’s manager.
C.The system requires the clerk to enter an approval code.
D.The system displays a warning message to the clerk.
A. Requiring the clerk’s manager to enter an approval code before the change is processed is a preventive control: an unauthorized rate cannot take effect. The weekly exception report (option B) only detects the change after the fact, an approval code entered by the clerk (option C) provides no independent authorization, and a warning message (option D) can simply be ignored.
An information systems (IS) auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel?
A.Production access is granted to the individual support ID when needed.
B.Developers use a firefighter ID to promote code to production.
C.A dedicated user promotes emergency changes to production.
D.Emergency changes are authorized prior to promotion.
A. Production access should be controlled and monitored to ensure separation of duties. During an emergency change, a user who normally does not have access to production may require access. The best process to ensure accountability within the production system is to have the information security team create a production support group and add the user ID to that group to promote the change. When the change is complete the ID can be removed from the group. This process ensures that activity in production is linked to the specific ID that was used to make the change.
Which of the following processes should an information systems (IS) auditor recommend to assist in the recording of baselines for software releases?
A.user acceptance testing (UAT)
B.Backup and recovery
C.Incident management
D.Configuration management
D. The configuration management process may include automated tools that provide an automated recording of software release baselines. If the new release fails, the baseline will provide a point to which to return.
In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?
A.Approve and document the emergency changes promptly after release.
B.Implement a segregated environment for production access and restrict developer access outside of specific time frames.
C.Implement a defined emergency change management process that includes secondary approval.
D.Implement strict access controls and permissions on the production machine to prevent unauthorized changes.
A. It may be appropriate to allow programmers to make emergency changes if they are documented and approved after the fact.
An organization recently installed a security patch that crashed the production server. To minimize the probability of this occurring again, an information systems (IS) auditor should:
A.apply the patch according to the patch’s release notes.
B.ensure that a good change management process is in place.
C.thoroughly test the patch before sending it to production.
D.approve the patch after doing a risk assessment.
B. An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly.
Recovery procedures for an information processing facility (IPF) are BEST based on:
A.recovery time objective (RTO)
B.recovery point objective (RPO)
C.maximum tolerable outage (MTO)
D.information security policy.
A. The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; the RTO is the desired recovery time frame based on maximum tolerable outage (MTO) and available recovery alternatives.
Which of the following is the MOST efficient and sufficiently reliable way to test the design effectiveness of a change control process?
A.Test a sample population of change requests.
B.Test a sample of authorized changes.
C.Interview personnel in charge of the change control process.
D.Perform an end-to-end walk-through of the process.
D. An end-to-end walk-through (observing the process as it is actually performed, from request through approval to promotion) is the most efficient way to confirm that the process is effectively designed. Testing samples of change requests or authorized changes (options A and B) tests operating effectiveness rather than design, and interviews alone (option C) rely on what personnel say rather than on what the process does.
The MOST effective audit procedure in determining if unauthorized changes have been made to production code is to:
A.examine the change control system records and trace them forward to object code files.
B.review access control permissions operating within the production program libraries.
C.examine object code to find instances of changes and trace them back to change control records.
D.review change approved designations established within the change control system.
C. The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes.
An information systems (IS) auditor is carrying out a system configuration review. Which of the following is the BEST evidence in support of the current system configuration settings?
A.System configuration values that are imported to a spreadsheet by the system administrator
B.Standard report with configuration values that are retrieved from the system by the information systems (IS) auditor
C.Dated screenshot of the system configuration settings that are made available by the system administrator
D.Annual review of approved system configuration values by the business owner
B. Evidence that is obtained directly from the source by an IS auditor is more reliable than information that is provided by a system administrator or a business owner because the IS auditor does not have a vested interest in the outcome of the audit.
Vendors have released patches fixing security flaws in their software. Which of the following should an information systems (IS) auditor recommend in this situation?
A.Assess the impact of patches prior to installation.
B.Ask the vendors for a new software version with all fixes included.
C.Install the security patch immediately.
D.Decline to deal with these vendors in the future.
A. The effect of installing the patch should be immediately evaluated, and installation should occur based on the results of the evaluation. There are numerous cases where a patch from one vendor has affected other systems; therefore, testing the patches as much as possible before rolling them out to the entire organization is necessary.
During fieldwork, an information systems (IS) auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
A.only systems administrators perform the patch process during nonbusiness hours.
B.the client’s change management and patching processes have proper controls.
C.patches are validated using parallel testing in production.
D.an approval process of the patch, including a risk assessment, is developed.
B. The change management process, which includes procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An information systems (IS) auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly.
During an audit of a small enterprise, the information systems (IS) auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend?
A.Implement a properly documented process for application role change requests.
B.Hire additional staff to provide a separation of duties for application role changes.
C.Implement an automated process for changing application roles.
D.Document the current procedure in detail and make it available on the enterprise intranet.
A. The information systems (IS) auditor should recommend implementation of a process that can prevent or detect improper changes from being made to the major application roles. The application role change request process should start and be approved by the business owner; then, the IS director can make the changes to the application.
Which of the following is a control that can be implemented to reduce risk of internal fraud if application programmers are allowed to move programs into the production environment in a small enterprise?
A.Post-implementation functional testing
B.Registration and review of changes
C.Validation of user requirements
D.User acceptance testing (UAT)
B. An independent review of the changes to the program in production can identify potential unauthorized changes, versions or functionality that the programmer put into production.
When auditing a database environment, an information systems (IS) auditor will be MOST concerned if the database administrator (DBA) is performing which of the following functions?
A.Performing database changes according to change management procedures
B.Installing patches or upgrades to the operating system
C.Sizing table space and consulting on table join limitations
D.Performing backup and recovery procedures
B. Installing patches or upgrades to the operating system is a function that should be performed by a systems administrator, not by a DBA. If a DBA is performing this function, there is risk based on inappropriate separation of duties.
A vendor released several critical security patches over the past few months, which put a strain on the ability of the administrators to keep the patches tested and deployed in a timely manner. The administrators asked if they could reduce the testing of the patches. What approach should the organization take?
A.Continue the current process of testing and applying patches.
B.Reduce testing and ensure that an adequate back-out plan is in place.
C.Delay patching until resources for testing are available.
D.Rely on the vendor’s testing of the patches.
A. Applying security software patches promptly is critical to maintaining the security of the servers; further, testing the patches is important because the patches may affect other systems and business operations. Because the vendor recently released several critical patches in a short time, the organization may choose to wait to see if this is a temporary problem before making a revision to policy or procedures.
An information systems (IS) auditor has discovered that a new patch is available for an application, but the IT department has decided that the patch is not needed because other security controls are in place. What should the IS auditor recommend?
A.Apply the patch only after it has been thoroughly tested.
B.Implement a host-based intrusion detection system (IDS).
C.Modify the firewall rules to further protect the application server.
D.Assess the overall risk, then recommend whether to deploy the patch.
D. Although it is important to ensure that systems are properly patched, a risk assessment needs to be performed to determine the likelihood of the vulnerability being exploited and the impact if it is, taking the compensating controls into account. The patch is then applied only if the residual risk of an attacker circumventing the existing security controls is great enough to warrant it.
An information systems (IS) auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
A.Commands typed on the command line are logged.
B.Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.
C.Access to the operating system command line is granted through an access restriction tool with preapproved rights.
D.Software development tools and compilers have been removed from the production environment.
B. Periodically recomputing hashes of the production programs and matching them against the hashes of the most recent authorized versions detects any change to the files, whoever made it and however it was made. For this to work, the reference hashes and the comparison job must be kept where the developers with command-line access cannot alter them (for example, generated at release time and stored on a separate system). Command logging (A) and access restriction tools (C) help, but a developer with operator access can still make changes that go unnoticed; removing compilers (D) does not stop already-compiled code from being copied in.
An information systems (IS) auditor is asked to audit the change management process for all IT operational systems. Which of the following documents will BEST aid the auditor in defining the scope for the audit project?
A.Enterprise architecture (EA)
B.Control catalog
C.Risk register
D.IT organizational chart
A. The enterprise architecture (EA) document provides the IT-environment information that the information systems (IS) auditor needs to be able to define the scope of the audit on the change management process for all IT systems.
The purpose of code signing is to provide assurance that:
A.the software has not been subsequently modified.
B.the application can safely interface with another signed application.
C.the signer of the application is trusted.
D.the private key of the signer has not been compromised.
A. Code signing provides assurance that the executable code came from the holder of the signing key and has not been modified since it was signed. It does not, by itself, assure that the signer is trustworthy (deciding which signing keys to trust is the verifier’s job), that the code can safely interface with other signed applications, or that the signer’s private key is still secret; a compromised key produces valid signatures on attacker-modified code.
Emergency changes that bypass the normal change control process are MOST acceptable if:
A.management reviews and approves the changes after they have occurred.
B.the changes are reviewed by a peer at the time of the change.
C.the changes are documented in the change control system by the operations department.
D.management has preapproved all emergency changes.
A. Because management cannot always be available when a system failure occurs, it is acceptable for changes to be reviewed and approved within a reasonable time period after they occur.
An auditor conducting an audit of controls in an IT environment will perform substantive tests for the controls implemented after:
A.the control is automated using technical tools.
B.the original control design has been changed during implementation.
C.confirming the control is designed to mitigate risk.
D.confirming the control is implemented as designed.
D. Substantive testing is performed after compliance testing that verifies that the control is implemented as designed. If the compliance test fails, the auditor may not perform substantive testing.
Which of the following tests performed by an information systems (IS) auditor is the MOST effective in determining compliance with organizational change control procedures?
A.Review software migration records and verify approvals.
B.Identify changes that have occurred and verify approvals.
C.Review change control documentation and verify approvals.
D.Ensure that only appropriate staff can migrate changes into production.
B. The most effective method is to determine what changes have been made (check logs and modified dates) and then verify that they have been approved.
During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions?
A.One-for-one checking
B.Data file security
C.Transaction logs
D.File updating and maintenance authorization
C. Transaction logs generate an audit trail by providing a detailed list of date of input, time of input, user ID, terminal location, etc. Research time can be reduced in investigating exceptions because the review can be performed on the logs rather than on the entire transaction file. Transaction logs also help to determine which transactions have been posted to an account—by a particular individual during a particular period.
An information systems (IS) auditor evaluates the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability?
A.Changes are authorized by IT managers at all times.
B.User acceptance testing (UAT) is performed and properly documented.
C.Test plans and procedures exist and are closely followed.
D.Capacity planning is performed as part of each development project.
C. The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently.
An enterprise uses privileged accounts to process configuration changes for mission-critical applications. Which of the following is the BEST and appropriate control to limit the risk in such a situation?
A.Ensure that audit trails are accurate and specific.
B.Ensure that personnel have adequate training.
C.Ensure that personnel background checks are performed for critical personnel.
D.Ensure that supervisory approval and review are performed for critical changes.
D. Supervisory approval and review of critical changes by accountable managers are necessary to prevent and detect unauthorized changes. They ensure separation of duties and safeguard against unauthorized attempts by employees.
Which of the following is a KEY benefit of using version control systems in configuration and release management?
A.Manages complexity in code management
B.Eases collaboration with multiple developers
C.Limits accessibility for developers
D.Provides ability to track and revert changes
D. Using version control systems enables the tracking of code changes, including who made the changes, when they were made and what modifications were implemented. This functionality allows for easy identification of issues, collaboration among developers and the ability to revert to previous versions if needed, promoting better configuration and release management.
The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following is the MOST secure way of updating open-source software?
A.Rewrite the patches and apply them.
B.Review the code and application of available patches.
C.Develop in-house patches.
D.Identify and test suitable patches before applying them.
D. Suitable patches should be identified from the project’s maintainers or its official distribution channel, their provenance verified (for example, a signed release or a known repository), and tested in a nonproduction environment before they are applied. Rewriting patches or developing them in-house (A and C) adds its own risk and is not more secure than a tested upstream fix.
During the review of an in-house developed application, the GREATEST concern to an information systems (IS) auditor is if a:
A.user raises a change request and tests it in the test environment.
B.programmer codes a change in the development environment and tests it in the test environment.
C.manager approves a change request and then reviews it in production.
D.manager initiates a change request and subsequently approves it.
D. Initiating and approving a change request by the same person violates the principle of separation of duties, because one should not approve their own requests.
The information systems (IS) auditor observes that the latest security-related software patches for a mission-critical system were released two months ago, but IT personnel have not yet installed the patches. The IS auditor should:
A.review the patch management policy and determine the risk associated with this condition.
B.recommend that IT systems personnel test and then install the patches immediately.
C.recommend that patches be applied every month or immediately upon release.
D.take no action, because the IT processes related to patch management appear to be adequate.
A. Reviewing the patch management policy and determining whether the IT department is compliant with the policies will detect whether the policies are appropriate and what risk is associated with current practices.
An information systems (IS) auditor is reviewing the change management process for an enterprise resource planning application. Which of the following is the BEST method for testing program changes?
A.Select a sample of change tickets and review them for authorization.
B.Perform a walk-through by tracing a program change from start to finish.
C.Trace a sample of modified programs to support change tickets.
D.Use query software to analyze all change tickets for missing fields.
C. Tracing modified programs to change tickets is the best way to test change management controls and detect undocumented changes.
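The hash-comparison control in the question about developers with command-line access, the procedure of examining object code and tracing changes back to change control records, the test of identifying changes that have occurred and verifying approvals, and tracing modified programs to change tickets all describe the same mechanism. The following is an added example, not code from the flashcards or from ISACA: it hashes a production program library, compares it with the hashes recorded at the last authorized release, and explains every difference with an approved change ticket. The directory layout, the ticket fields, the file contents and the ticket numbers are constructed for illustration.

```python
"""Added example (not from the flashcards): hash a production program library,
compare it with the hashes of the last authorized release, and explain every
difference with an approved change ticket. The directory layout, ticket
fields and file contents below are constructed for illustration."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeTicket:
    """Assumed shape of a change record: which file it covers, the hash of the
    version that was approved for release, and whether approval was granted."""
    ticket_id: str
    path: str
    approved_sha256: str
    approved: bool


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Return {relative path: sha256} for every regular file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def reconcile(baseline: dict, current: dict, tickets) -> dict:
    """Classify each file: unchanged, authorized (an approved ticket carries
    exactly the hash now in production), unauthorized, or missing."""
    by_path = {}
    for t in tickets:
        by_path.setdefault(t.path, []).append(t)
    findings = {"unchanged": [], "authorized": [], "unauthorized": [], "missing": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if new is None:
            findings["missing"].append(path)
        elif old == new:
            findings["unchanged"].append(path)
        else:
            # A ticket only explains the change if it was approved AND the
            # approved hash matches what is actually deployed.
            match = [t for t in by_path.get(path, [])
                     if t.approved and t.approved_sha256 == new]
            if match:
                findings["authorized"].append((path, match[0].ticket_id))
            else:
                findings["unauthorized"].append(path)
    return findings


def demo() -> dict:
    """Constructed scenario: one approved change, one change whose deployed
    code differs from the approved version, one new file with no ticket,
    one file removed, one untouched."""
    release = {  # authorized baseline (hashes recorded at the last release)
        "bin/loan_calc": b"v1 loan calc",
        "bin/batch_post": b"v1 batch post",
        "bin/rate_update": b"v1 rate update",
        "bin/report": b"v1 report",
    }
    baseline = {p: sha256_bytes(c) for p, c in release.items()}
    production = {  # what is actually on the production server now
        "bin/loan_calc": b"v2 loan calc",                 # approved change
        "bin/batch_post": b"v1 batch post + extra code",  # not the approved code
        "bin/rate_update": b"v1 rate update",             # unchanged
        "bin/util": b"helper dropped in by hand",         # no ticket at all
    }                                                     # bin/report is gone
    tickets = [
        ChangeTicket("CHG-101", "bin/loan_calc", sha256_bytes(b"v2 loan calc"), True),
        ChangeTicket("CHG-102", "bin/batch_post", sha256_bytes(b"v2 batch post"), True),
    ]
    with tempfile.TemporaryDirectory() as prod_dir:
        for rel, content in production.items():
            full = os.path.join(prod_dir, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        current = hash_tree(prod_dir)
    return reconcile(baseline, current, tickets)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

The point of comparing against the hash of the approved version, not merely checking that a ticket exists for the file, is that a ticket can be used as cover for code that was never reviewed (bin/batch_post above). In practice the baseline hashes are generated by the release process and stored on a system the production operators cannot write to, and the comparison runs from there.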
Which of the following is the MOST likely reason an organization implements an emergency change to an application using the emergency change control process?
A.The application owner requested new functionality.
B.Changes are developed using an agile methodology.
C.There is a high probability of a significant impact on operations.
D.The operating system vendor has released a security patch.
C. Emergency releases are urgent fixes that are implemented to prevent significant user downtime, following specific procedures.
An information systems (IS) auditor reviewing the application change management process for a large multinational organization should be MOST concerned when:
A.test systems run different configurations than production systems.
B.change management records are paper based.
C.the configuration management database is not maintained.
D.the test environment is installed on the production server.
C. The configuration management database (CMDB) is used to track configuration items (CIs) and the dependencies between them. An out-of-date CMDB in a large multinational organization can result in incorrect approvals being obtained or in critical dependencies being left out of the test phase.
Which of the following BEST helps an information systems (IS) auditor in ensuring that automated data conversion from an old system to a new system has been completed successfully?
A.Operator reports
B.Exception reports
C.Control totals
D.Application logs
B. Exception reports are automated reports that identify errors encountered during processing, including transactions that are not converted automatically.
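As an added example, not from the flashcards or from ISACA, the following shows how an exception report and control totals work together in an automated conversion: the exception report lists each input row that could not be converted and why, while the control totals prove that every input row ended up either in the new system or on the exception report. The old-system extract, the field mapping and the status codes are constructed for illustration.

```python
"""Added example (not from the flashcards): automated data conversion with
an exception report and control totals. The old-system export, the field
mapping and the status codes are constructed for illustration."""
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed extract from the old system: five accounts, three of which
# cannot be converted automatically (bad balance, unknown status, blank balance).
OLD_SYSTEM_EXPORT = """acct_id,balance,status
1001,250.00,A
1002,abc,A
1003,75.50,Z
1004,1200.25,C
1005,,A
"""

# Assumed mapping of legacy status codes to the new system's values.
STATUS_MAP = {"A": "ACTIVE", "C": "CLOSED"}


def convert_records(csv_text: str):
    """Convert each row; rows that fail any rule go to the exception report
    with the reason, so they can be fixed and re-run rather than silently lost."""
    converted, exceptions = [], []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        acct_id = int(row["acct_id"])
        try:
            balance = Decimal(row["balance"])
        except InvalidOperation:
            exceptions.append({"line": line_no, "acct_id": acct_id,
                               "reason": f"unparseable balance {row['balance']!r}"})
            continue
        status = STATUS_MAP.get(row["status"])
        if status is None:
            exceptions.append({"line": line_no, "acct_id": acct_id,
                               "reason": f"unknown status code {row['status']!r}"})
            continue
        converted.append({"acct_id": acct_id, "balance": balance, "status": status})
    return converted, exceptions


def control_totals(csv_text: str, converted, exceptions) -> dict:
    """Totals that prove every input row ended up either converted or on the
    exception report, plus a hash total of account IDs and a balance total."""
    input_rows = list(csv.DictReader(io.StringIO(csv_text)))
    totals = {
        "input_count": len(input_rows),
        "converted_count": len(converted),
        "exception_count": len(exceptions),
        "input_id_hash_total": sum(int(r["acct_id"]) for r in input_rows),
        "output_id_hash_total": sum(r["acct_id"] for r in converted)
        + sum(e["acct_id"] for e in exceptions),
        "converted_balance_total": sum((r["balance"] for r in converted), Decimal("0")),
    }
    # Record counts and the ID hash total must agree; otherwise a row was
    # dropped or duplicated somewhere between extract and load.
    totals["reconciled"] = (
        totals["input_count"] == totals["converted_count"] + totals["exception_count"]
        and totals["input_id_hash_total"] == totals["output_id_hash_total"]
    )
    return totals


def run_conversion(csv_text: str = OLD_SYSTEM_EXPORT) -> dict:
    converted, exceptions = convert_records(csv_text)
    return {"converted": converted, "exceptions": exceptions,
            "totals": control_totals(csv_text, converted, exceptions)}


if __name__ == "__main__":
    result = run_conversion()
    print("Exception report:")
    for e in result["exceptions"]:
        print(f"  line {e['line']} acct {e['acct_id']}: {e['reason']}")
    print("Control totals:", result["totals"])
```

An auditor reviewing the conversion would take both artifacts: the exception report to confirm each rejected record was resolved, and the control totals (record counts, the account-ID hash total, and the balance total compared with the old system's trial balance) to confirm nothing was lost or duplicated among the records that did convert.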
The reliability of an application system’s audit trail may be questionable if:
A.user IDs are recorded in the audit trail.
B.the security administrator has read-only rights to the audit file.
C.date and time stamps are recorded when an action occurs.
D.users can amend audit trail records when correcting system errors.
D. An audit trail is not effective if the details in it can be amended.
Which of the following should the information systems (IS) auditor review to ensure the correct version of a data file is used for a production run?
A.Incident or error reports related to the production run
B.Schedules detailing the tasks performed by operators
C.Logs containing relevant system activity and events
D.Reports documenting the distribution of the produced output
C. System logs and analysis programs can be used by an information systems (IS) auditor to ensure that the correct file version was used for a production run.
Which of the following is a MAJOR challenge in implementing a log management system?
A.Complexity of the IT infrastructure
B.Multiple formats of logs collected
C.Cost of storage due to the volume of logs
D.Addressing false-positive alerts
A. Addressing the complexity of the IT resources that generate logs is a major challenge because the performance of many resources deteriorates when logging is enabled. Therefore, it is necessary to determine the type of logs to be captured from each resource.
Which of the following activities performed by a database administrator (DBA) should be performed by a different person?
A.Deleting database activity logs
B.Implementing database optimization tools
C.Monitoring database usage
D.Defining backup and recovery procedures
A. Database activity logs record the DBA’s own actions, so allowing the DBA to delete them would let the DBA remove the evidence of any unauthorized activity. Having someone other than the DBA control log deletion (and retention) is a compensating control that preserves separation of duties around the DBA role; the other activities listed are normal DBA functions.
Which of the following would an information systems (IS) auditor use to determine if unauthorized modifications were made to production programs?
A.System log analysis
B.Compliance testing
C.Forensic analysis
D.Analytical review
B. To determine that only authorized modifications are made to production programs requires the change management process to be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing helps to verify that the change management process has been applied consistently.
Which of the following BEST helps an information systems (IS) auditor to detect the problems encountered by application executions during IT operations?
A.Operating system logs
B.Incident reports
C.Exception reports
D.Computer operator logs
C. Exception reports are automated reports that list the problems encountered by the application during execution.
Which of the following is a MAIN benefit of monitoring operational logs?
A.It provides early warnings of possible risk materialization.
B.It helps information systems (IS) auditors in detecting problems encountered during operations.
C.It gives insight into the health and performance of the IT infrastructure.
D.It provides audit trails for transactions processed during operations.
C. Operational log monitoring primarily helps in providing insight about the IT infrastructure and provides data to build performance metrics for various IT resources (e.g., central processing unit (CPU) performance, storage capacity usage, network bandwidth usage and maximum number of transactions).
An information systems (IS) auditor performing an application maintenance audit would review the log of program changes for the:
A.authorization of program changes.
B.creation date of a current object module.
C.number of program changes actually made.
D.creation date of a current source program.
A. The auditor wants to ensure that only authorized changes have been made to the application. The auditor would therefore review the log of program changes to verify that all changes have been approved.
During an implementation review of a recent application deployment, it was determined that several incidents were assigned incorrect priorities and, because of this, failed to meet the business service level agreement (SLA). What is the GREATEST concern?
A.The support model was not approved by senior management.
B.The incident resolution of time specified in the SLA is not realistic.
C.There are inadequate resources to support the applications.
D.The support model was poorly developed and implemented contributing to inaccurate prioritization and SLA failures.
D. The greatest concern for the information systems (IS) auditor is that the support model was not developed and implemented correctly to prevent or react to potential outages. Incidents can cost the business a significant amount of money and a support model should be implemented with the project. This should be a step within the system development life cycle (SDLC) and procedures and, if it is missed on one project, it may be a symptom of an overall breakdown in process.
When determining the acceptable time period for the resumption of critical business processes:
A.only downtime costs need to be considered.
B.recovery operations should be analyzed.
C.both downtime costs and recovery costs need to be evaluated.
D.indirect downtime costs should be ignored.
C. Downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis should be a recovery strategy that represents the optimal balance.
An organization completed a business impact analysis (BIA) as part of business continuity planning. The NEXT step in the process is to develop:
A.a business continuity strategy.
B.a test and exercise plan.
C.a user training program.
D.the business continuity plan (BCP).
A. A business continuity strategy is the next phase because it identifies the best way to recover. The criticality of the business process, the cost, the time required to recover, and security must be considered during this phase.
Which of the following reports is the MOST appropriate source of information for an information systems (IS) auditor to validate that an internet service provider (ISP) has been complying with an enterprise service level agreement for the availability of outsourced telecommunication services?
A.Downtime reports on the telecommunication services generated by the ISP
B.A utilization report of automatic failover services generated by the enterprise
C.A bandwidth utilization report provided by the ISP
D.Downtime reports on the telecommunication services generated by the enterprise
D. The enterprise should use internally generated downtime reports to monitor the service provided by the ISP and, as available, to compare with the reports provided by the ISP.
The MAIN purpose of service level management (SLM) is to:
A.set expectations between users and providers.
B.ensure that services are managed to deliver the highest achievable level of availability.
C.keep the costs associated with any service at a minimum.
D.monitor and report any legal noncompliance to business management.
A. The objective of service level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services.
Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative?
A.Perform disaster recovery exercises annually.
B.Ensure that partnering organizations are separated geographically.
C.Regularly perform a business impact analysis (BIA).
D.Select a partnering organization with similar systems.
B. If the two partnering organizations are in close geographic proximity, this can lead to both organizations being subjected to the same environmental disaster, such as an earthquake.
Determining the service delivery objective (SDO) should be based PRIMARILY on:
A.the minimum acceptable operational capability.
B.the cost-effectiveness of the restoration process.
C.meeting the recovery time objectives (RTOs).
D.the allowable interruption window.
A. The service delivery objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.
An information systems (IS) auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?
A.A clause providing a right to audit the service provider
B.A clause defining penalty payments for poor performance
C.Predefined service level report templates
D.A clause regarding supplier limitation of liability
A. The absence of a right to audit clause or other forms of attestation that the supplier is compliant with a certain standard would potentially prevent the information systems (IS) auditor from investigating any aspect of supplier performance moving forward, including control deficiencies, poor performance, and adherence to legal requirements. The absence of this clause would be a major concern for the IS auditor because it would be difficult for the organization to assess whether the appropriate controls were implemented.
During an HR audit, an information systems (IS) auditor is informed that there is a verbal agreement between the IT and HR departments about the level of IT services expected. In this situation, what should the IS auditor do FIRST?
A.Postpone the audit until the agreement is documented.
B.Report the existence of the undocumented agreement to senior management.
C.Confirm the content of the agreement with both departments.
D.Draft a service level agreement for the two departments.
C. An information systems (IS) auditor should first confirm and understand the current practice before making any recommendations. Part of this is to ensure that both parties agree with the terms of the agreement.
An information systems (IS) auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information. Which of the following contractual terms is the GREATEST risk to the customer organization?
A.Data ownership is retained by the customer organization.
B.The third-party provider reserves the right to access data to perform certain operations.
C.Bulk data withdrawal mechanisms are undefined.
D.The customer organization is responsible for backup, archiving and restoration.
B. Organizations must review the regulatory environment in which the cloud provider operates because it may have requirements or restrictions of its own. Some service providers reserve the right to access customer information (third-party access) to perform certain transactions and provide certain services. In the case of protected health information, regulations may restrict certain access. Organizations must then determine whether the cloud provider provides appropriate controls to ensure data security.
An organization is considering using a new IT service provider. From an audit perspective, which of the following is the MOST important item to review?
A.References from other clients for the service provider
B.The physical security of the service provider site
C.The proposed service level agreement (SLA) with the service provider
D.Background checks of the service provider’s employees
C. An SLA sets out, in contractual terms, the services the provider is committed to deliver and the levels at which they must be delivered. When contracting with a service provider, it is good practice to enter into an SLA with the provider. The information systems (IS) auditor will want to ensure that performance and security requirements are clearly and measurably stated in the SLA.
Which of the following issues should be a MAJOR concern to an information systems (IS) auditor who is reviewing a service level agreement (SLA)?
A.A service adjustment resulting from an exception report took a day to implement.
B.The complexity of application logs used for service monitoring made the review difficult.
C.Key performance indicators (KPIs) were not included in the SLA.
D.The document is updated on an annual basis.
C. Lack of service measures, such as key performance indicators (KPIs), makes it difficult to gauge the efficiency and effectiveness of the IT services being provided. Although KPIs can vary based on the nature of the service and the agreement between parties, commonly included KPIs in SLAs include response time, uptime, service reliability, etc.
