Exam 2 Flashcards
Which of the following is the MOST efficient and sufficiently reliable way to test the design effectiveness of a change control process?
A) Interview personnel in charge of the change control process
B) Perform an end-to-end walk-through of the process
C) Test a sample of authorized changes
D) Test a sample population of change requests
B) Perform an end-to-end walk-through of the process
An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture?
A) Inbound traffic is blocked unless the traffic type and connections have been specifically permitted.
B) Secure Sockets Layer (SSL) has been implemented for user authentication and remote administration of the firewall.
C) The firewall is installed on top of a commercial operating system with all default installation options.
D) Firewall policies are updated on the basis of changing requirements.
C) The firewall is installed on top of a commercial operating system with all default installation options.
Which of the following choices would be the BEST source of information when developing a risk-based audit plan?
A) System custodians identify vulnerabilities.
B) Process owners identify key controls.
C) Senior management identify key business processes.
D) Peer auditors understand previous audit results.
C) Senior management identify key business processes.
Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process?
A) The maturity of the project management process
B) The regulatory environment
C) Past audit findings
D) The IT project portfolio analysis
D) The IT project portfolio analysis
The implementation of which of the following would MOST effectively prevent unauthorized access to a system administration account on a web server?
A) Password expiration and lockout policy
B) Password complexity rules
C) Host intrusion detection software installed on a server
D) Two-factor authentication
D) Two-factor authentication
Which of the following should be included in an organization’s information security policy?
A) The basis for access control authorization
B) Relevant software security features
C) A list of key IT resources to be secured
D) Identity of sensitive security assets
A) The basis for access control authorization
Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems?
A) Parallel testing
B) Interface/integration testing
C) Sociability testing
D) Pilot testing
C) Sociability testing
An IS auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that:
A) Information security is not critical to all functions.
B) IS audit should provide security training to the employees.
C) This lack of knowledge may lead to unintentional disclosure of sensitive information.
D) The audit finding will cause management to provide continuous training to staff.
C) This lack of knowledge may lead to unintentional disclosure of sensitive information.
The PRIMARY objective of performing a post incident review is that it presents an opportunity to
A) improve internal control procedures.
B) highlight the importance of incident response management to management.
C) improve employee awareness of the incident response process.
D) harden the network to industry good practices.
A) improve internal control procedures.
While reviewing the IT governance processes of an organization, an IS auditor discovers the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation?
A) IT projects could suffer from cost overruns
B) Misleading indications of IT performance may be presented to management.
C) Key performance indicators are not reported to management and management cannot determine the effectiveness of the BSC.
D) IT service level agreements may not be accurate.
B) Misleading indications of IT performance may be presented to management.
Which of the following is the BEST criterion for evaluating the adequacy of an organization’s security awareness program?
A) No actual incidents have occurred that have caused a loss or a public embarrassment.
B) Job descriptions contain clear statements of accountability for information security.
C) In accordance with the degree of risk and business impact, there is adequate funding for security efforts.
D) Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.
B) Job descriptions contain clear statements of accountability for information security.
As a result of profitability pressures, senior management of an enterprise has decided to keep investment in information security at an inadequate level. Which of the following is the BEST recommendation of an IS auditor?
A) Revise compliance enforcement processes.
B) Request that senior management accepts the risk.
C) Use cloud providers for low-risk operations.
D) Postpone low-priority security procedures.
B) Request that senior management accepts the risk.
During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to:
A) document for future review.
B) work with database administrators to correct the issue.
C) report the weaknesses as observed.
D) include a review of the database controls in the scope.
C) report the weaknesses as observed.
For the annual internal IS audit plan, which of the following is the FIRST step performed prior to creating a risk ranking?
A) Prioritize the identified risk.
B) Identify the critical controls.
C) Determine the testing approach.
D) Define the audit universe.
D) Define the audit universe.
An Internet-based attack using password sniffing can:
A) be used to gain access to systems containing proprietary information.
B) enable one party to act as if they are another party.
C) result in major problems with billing systems and transaction processing agreements.
D) cause modification to the contents of certain transactions.
A) be used to gain access to systems containing proprietary information.
Which of the following BEST helps an IS auditor evaluate the quality of programming activities related to future maintenance capabilities?
A) Program coding standards
B) The development environment
C) A version control system
D) The programming language
A) Program coding standards
An IS auditor reviewing access controls for a client-server environment should FIRST:
A) review the application-level access controls.
B) identify the network access points.
C) review the identity management system.
D) evaluate the encryption technique.
B) identify the network access points.
A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a:
A) corrective control.
B) directive control.
C) compensating control.
D) detective control.
A) corrective control.
Which of the following is the MOST secure way to remove data from obsolete magnetic tapes during a disposal?
A) Initializing the tape labels
B) Erasing the tapes
C) Overwriting the tapes
D) Degaussing the tapes
D) Degaussing the tapes
An IS auditor reviewing the authentication controls of an organization should be MOST concerned if:
A) passwords can be reused by employees within a defined time frame.
B) user accounts are not locked out after five failed attempts.
C) system administrators use shared login credentials.
D) password expiration is not automated.
C) system administrators use shared login credentials.
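Worked example added to this card (not part of the original flashcard set): the reason shared administrator credentials are the greatest concern is that they break accountability, so no action can be traced to an individual. An auditor can surface likely shared accounts from authentication logs: an account that authenticates from several distinct source addresses within a short window is probably being used by more than one person. The block below parses constructed sshd-style "Accepted" lines (ISO timestamps are assumed; the hosts, users and addresses are made up) and flags such accounts, while leaving alone a user who legitimately logs in from two places hours apart. It is a heuristic to drive interviews and configuration review, not a conclusive finding: jump hosts or NAT can make several people share one address, and one person can use several.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the style of sshd "Accepted ..." messages with ISO timestamps.
SAMPLE_LOG = """\
2024-03-01T09:00:01 bastion sshd[2101]: Accepted publickey for admin from 10.0.1.5 port 50122 ssh2
2024-03-01T09:02:40 bastion sshd[2140]: Accepted password for admin from 10.0.1.9 port 50410 ssh2
2024-03-01T09:03:12 bastion sshd[2155]: Accepted password for admin from 10.0.2.17 port 41033 ssh2
2024-03-01T09:05:00 bastion sshd[2170]: Failed password for admin from 10.0.2.17 port 41034 ssh2
2024-03-01T09:10:55 bastion sshd[2201]: Accepted publickey for jsmith from 10.0.1.5 port 50777 ssh2
2024-03-01T09:15:30 bastion sshd[2230]: Accepted publickey for jsmith from 10.0.1.5 port 50801 ssh2
2024-03-01T13:45:02 bastion sshd[3310]: Accepted publickey for mlee from 10.0.3.2 port 60001 ssh2
2024-03-01T21:12:44 bastion sshd[4410]: Accepted publickey for mlee from 10.0.4.8 port 60201 ssh2
"""

# Only successful logins matter for the sharing heuristic; failures are skipped by the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_logins(text: str):
    """Return a time-sorted list of (timestamp, user, source_ip) for successful logins."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Failed password" and unrelated messages are not logins
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    events.sort()
    return events


def find_shared_accounts(events, window: timedelta = timedelta(minutes=10), min_sources: int = 2):
    """Flag accounts that log in from >= min_sources distinct sources inside any `window`.

    Returns {user: sorted list of source addresses seen in the first offending window}.
    Logins from different addresses that are far apart in time are not flagged, since one
    person moving between locations produces exactly that pattern.
    """
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))

    flagged = {}
    for user, logins in by_user.items():
        for ts_start, _ in logins:  # slide a window starting at each login
            sources = {src for ts, src in logins if ts_start <= ts <= ts_start + window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


def audit_shared_accounts(text: str):
    """Convenience wrapper: raw log text -> flagged accounts."""
    return find_shared_accounts(parse_logins(text))


if __name__ == "__main__":
    for user, sources in audit_shared_accounts(SAMPLE_LOG).items():
        print(f"possible shared account: {user} used from {', '.join(sources)}")
```

On the constructed sample, only "admin" is flagged (three addresses within four minutes); "jsmith" always comes from one address and "mlee" changes address only across an eight-hour gap. In a real review the flagged list is the starting point for asking who holds the credential, whether a named account plus sudo or a privileged-access tool could replace it, and whether the shared secret has ever been rotated after staff changes.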
During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:
A) identification
B) storage
C) verification
D) enrollment
D) enrollment
A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action?
A) Set up an exit interview with human resources.
B) Ensure that management signs off on the termination paperwork.
C) Terminate the developer’s logical access to IT resources.
D) Initiate the handover process to ensure continuity of the project.
C) Terminate the developer’s logical access to IT resources.
Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program?
A) Ask the security administrator.
B) Interview a sample of employees.
C) Review the security training program.
D) Review the security reminders to employees.
B) Interview a sample of employees.
In the planning phase of an IS audit, which of the following is the MAIN reason to perform a risk assessment?
A) To ensure management’s concerns are addressed
B) To develop the audit program and procedures to perform the audit
C) To provide reasonable assurance material items will be addressed
D) To ensure the audit team will perform audits within budget
C) To provide reasonable assurance material items will be addressed