Exam 2 Flashcards
Which of the following is the MOST efficient and sufficiently reliable way to test the design effectiveness of a change control process?
A) Interview personnel in charge of the change control process
B) Perform an end-to-end walk- through of the process
C) Test a sample of authorized changes
D) Test a sample population of change requests
B) Perform an end-to-end walk- through of the process
An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture?
A) Inbound traffic is blocked unless the traffic type and connections have been specifically permitted.
B) A Secure Sockets Layer has been implemented for user authentication and remote administration of the firewall.
C) The firewall is placed on top of the commercial operating system with all default instillation options.
D) Firewall policies are updated on the basis of changing requirements
C) The firewall is placed on top of the commercial operating system with all default instillation options.
Which of the following choices would be the BEST source of information when developing a risk- based audit plan?
A) System custodians identify vulnerabilities.
B) Process owners identify key controls.
C) Senior management identify key business processes.
D) Peer auditors understand previous audit results.
C) Senior management identify key business processes.
Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process?
A)The maturity of the project management process
B) The regulatory environment
C) Past audit findings
D) The IT project portfolio analysis
D) The IT project portfolio analysis
The implementation of which of the following would MOST effectively prevent unauthorized access to a system administration account on a web server?
A) Password expiration and lockout policy
B) Password complexity rules
C) Host intrusion detection software installed on a server
D) Two-factor authentication
D) Two-factor authentication
Which of the following should be included in an organization’s information security policy?
A) The basis for access control authorization
B) Relevant software security features
C) A list of key IT resources to be secured
D) Identity of sensitive security assets
A) The basis for access control authorization
Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems?
A) Parallel testing
B) Interface/integration testing
C) Sociability testing
D) Pilot testing
C) Sociability testing
An IS auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that:
A) Information security is not critical to all functions.
B) IS audit should provide security training to the employees.
C) this lack of knowledge may read to unintentional disclosure of sensitive information.
D) The audit finding will cause management to provide continuous training to staff.
C) this lack of knowledge may read to unintentional disclosure of sensitive information.
The PRIMARY objective of performing a post incident review is that it presents an opportunity to
A) improve internal control procedures.
B) highlight the importance of incident response management to management.
C) improve employee awareness of the incident response process.
D) harden the network to industry good practices.
A) improve internal control procedures.
While reviewing the IT governance processes of an organization, an IS auditor discovers the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation?
A) IT projects could suffer from cost overruns
B) Misleading indications of IT performance may be presented to management.
C) Key performance indicators are not reported to management and management cannot determine the effectiveness of the BSC.
D) IT service level agreements may not be accurate.
B) Misleading indications of IT performance may be presented to management.
Which of the following is the BEST criterion for evaluating the adequacy of an organization’s security awareness program?
A) No actual incidents have occurred that have caused a loss or a public embarrassment.
B) Job descriptions contain clear statements of accountability for information security.
C) In accordance with the degree of risk and business impact, there is adequate funding for security efforts.
D) Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.
B) Job descriptions contain clear statements of accountability for information security.
As result of profitability pressure, senior management of an enterprise decided to keep investments in information security at an inadequate level, which of the following is the BEST recommendation of an IS auditor?
A) Revise compliance enforcement processes.
B) Request that senior management accepts the risk.
C) Use cloud providers for low-risk operations.
D) Postpone low-priority security procedures.
B) Request that senior management accepts the risk.
During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to:
A) document for future review.
B) work with database administrators to correct the issue.
C) report the weaknesses as observed.
D) include a review of the database controls in the scope.
C) report the weaknesses as observed.
For the annual internal IS audit plan, which of the following is the FIRST step performed prior to creating a risk ranking?
A) Prioritize the identified risk.
B) Identify the critical controls.
C) Determine the testing approach.
D) Define the audit universe.
C) Determine the testing approach.
An Internet-based attack using password sniffing can:
A) be used to gain access to systems containing proprietary information.
B) enable one party to act as if they are another party.
C) result in major problems with billing systems and transaction processing agreements.
D) cause modification to the contents of certain transactions.
A) be used to gain access to systems containing proprietary information.
Which of the following BEST helps an IS auditor evaluate the quality of programming activities related to future maintenance capabilities?
A) Program coding standards
B) The development environment
C) A version control system
D) The programming language
A) Program coding standards
An IS auditor reviewing access controls for a client-server environment should FIRST:
A) review the application-level access controls.
B) identify the network access points.
C) review the identity management system.
D) evaluate the encryption technique.
B) identify the network access points.
A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a:
A) corrective control.
B) directive control.
C) compensating control.
D)detective control.
A) corrective control.
Which of the following is the MOST secure way to remove data from obsolete magnetic tapes during a disposal?
A) Initializing the tape labels
B) Erasing the tapes
C) Overwriting the tapes
D)Degaussing the tapes
D)Degaussing the tapes
An IS auditor reviewing the authentication controls of an organization should be MOST concerned if:
A) passwords can be reused by employees within a defined time frame.
B) user accounts are not locked out after five failed attempts.
C) system administrators use shared login credentials.
D) password expiration is not automated.
C) system administrators use shared login credentials.
During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:
A) identification
B) storage
C) verification
D) enrollment
D) enrollment
A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action?
A) Set up an exit interview with human resources.
B) Ensure that management signs off on the termination paperwork.
C) Terminate the developer’s logical access to IT resources.
D)Initiate the handover process to ensure continuity of the project.
C) Terminate the developer’s logical access to IT resources.
Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program?
A) Ask the security administrator.
B) Interview a sample of employees.
C) Review the security training program.
D) Review the security reminders to employees.
B) Interview a sample of employees.
In the planning phase of an IS audit, which of the following is the MAIN reason to perform a risk assessment?
A) To ensure management’s concerns are addressed
B) To develop the audit program and procedures to perform the audit
C) To provide reasonable assurance material items will be addressed
D) To ensure the audit team will perform audits within budget
C) To provide reasonable assurance material items will be addressed
Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project?
A) System builders
B) System designers
C) System users
D) System owners
D) System owners
An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess:
A) backout procedures.
B) problem management procedures.
C) incident management procedures.
D) software development procedures.
A) backout procedures.
An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of -
A) variable sampling.
B) stop-or-go sampling.
C) compliance testing.
D) substantive testing.
C) compliance testing.
The IS management of a multinational company is considering upgrading its existing virtual private network to support Voice-over Internet Protocol communication via tunneling. Which of the following considerations should be PRIMARILY addressed?
A) Means of authentication
B) Privacy of voice transmissions
C) Reliability and quality of service
D) Confidentiality of data transmissions
C) Reliability and quality of service
While performing an audit of an accounting application’s internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to:
A) continue to test the accounting application controls and include the deficiency in the final report.
B) continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions.
C) complete the audit and not report the control deficiency because it is not part of the audit scope.
D) cease all audit activity until the control deficiency is resolved
A) continue to test the accounting application controls and include the deficiency in the final report.
Business units are concerned about the performance of a newly implemented system. Which of the following should an IS auditor recommend?
A) Implement the changes users have suggested.
B) Develop a baseline and monitor system usage.
C) Prepare the maintenance manual.
D) Define alternate processing procedures.
B) Develop a baseline and monitor system usage.
An IS auditor should recommend the use of library control software to provide reasonable assurance that:
A) modified programs are automatically moved to production.
B) only thoroughly tested programs are released.
C) program changes have been authorized.
D) source and executable code integrity is maintained.
C) program changes have been authorized.
Which of the following is the MOST effective control over visitor access to a data center?
A) Visitors sign in.
B) Visitor badges are required.
C) Visitors are spot-checked by operators.
D) Visitors are escorted.
D) Visitors are escorted
The PRIMARY benefit of an IT manager monitoring technical capacity is to:
A) identify the need for new hardware and storage procurement.
B) ensure that the service level requirements are met.
C) determine the future capacity need based on usage.
D) ensure that systems operate at optimal capacity.
B) ensure that the service level requirements are met
An IS auditor reviewing the IT organization is MOST concerned if the IT steering committee:
A) reports the status of IT projects to the board of directors.
B) is responsible for project approval and prioritization.
C) is responsible for determining business goals.
D) is responsible for developing the long-term IT plan.
C) is responsible for determining business goals.
Which of the following should be considered FIRST when implementing a risk management program?
A) An understanding of the organization’s threat, vulnerability and risk profile
B) A determination of risk management priorities that are based on potential consequences
C) A risk mitigation strategy sufficient to keep risk consequences at an acceptable level
D) An understanding of the risk exposures and the potential consequences of compromise
A) An understanding of the organization’s threat, vulnerability and risk profile
During a system development life cycle audit of a human resources and payroll application, the IS auditor notes that the data used for user acceptance testing have been masked. The purpose of masking the data is to ensure the:
A) reliability of the data.
B) accuracy of the data.
C) completeness of the data.
D) confidentiality of the data.
D) confidentiality of the data.
To gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets, an IS auditor should review the:
A) IT organizational structure.
B) historical financial statements.
C) enterprise data model.
D) IT balanced scorecard.
D) IT balanced scorecard.
The use of residual biometric information to gain unauthorized access is an example of which of the following attacks?
A) Mimic
B) Cryptographic
C) Replay
D) Brute force
C) Replay
Which of the following intrusion detection systems will MOST likely generate false alarms resulting from normal network activity?
A) Host-based
B) Signature-based
C) Neural network
D) Statistical-based
D) Statistical-based
Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?
A) Unauthorized report copies might be printed.
B) Sensitive data might be read by operators.
C) Output might be lost in the event of system failure.
D) Data might be amended without authorization.
A) Unauthorized report copies might be printed.
An organization allows for the use of universal serial bus drives to transfer operational data between offices. Which of the following is the GREATEST risk associated with the use of these devices?
A) Files are not backed up
B) Use of the devices for personal purposes
C) Theft of the devices
D) Introduction of malware into the network
C) Theft of the devices
Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production?
A) Back up all affected records before allowing the developer to make production changes.
B) Provide and monitor separate developer login IDs for programming and for production support.
C) Capture activities of the developer in the production environment by enabling detailed audit trails.
D) Ensure that all changes are approved by the change manager prior to implementation.
B) Provide and monitor separate developer login IDs for programming and for production support
hich of the following would an IS auditor consider to be MOST helpful when evaluating the effectiveness and adequacy of a preventive computer maintenance program?
A) Regularly scheduled maintenance log
B) A system downtime log
C) Vendors’ reliability figures
D) A written preventive maintenance schedule
B) A system downtime log
The PRIMARY purpose of a post- implementation review is to ascertain that:
A) future enhancements can be identified.
B) the lessons learned have been documented.
C) the project has been delivered on time and budget.
D) project objectives have been met.
D) project objectives have been met.
Which of the following reasons BEST describes the purpose of a mandatory vacation policy?
A) To identify potential errors or inconsistencies in business processes
B) To be used as a cost-saving measure
C) To ensure that employees are properly cross-trained in multiple functions
D) To improve employee morale
A) To identify potential errors or inconsistencies in business processes
During an audit, the IS auditor notes the application developer also performs quality assurance testing on another application. Which of the following is the MOST important course of action for the auditor?
A) Report the identified condition.
B) Analyze the quality assurance dashboards.
C) Recommend compensating controls.
D) Review the code created by the developer.
A) Report the identified condition.
Which of the following should be developed during the requirements definition phase of a software development project to address aspects of software testing?
A) User acceptance test specifications
B) Detailed test plans
C) Test data covering critical applications
D) Quality assurance test specifications
A) User acceptance test specifications
An IS auditor is performing a review of an organization’s governance model. Which of the following should be of MOST concern to the auditor?
A) The information security policy is not periodically reviewed by senior management.
B) The audit committee did not review the organizations’s global mission statement.
C) A policy ensuring systems are patched in a timely manner does not exist.
D) An organizational policy related to information asset protection does not exist.
A) The information security policy is not periodically reviewed by senior management.
An organization purchased a third-party application and made significant modifications. While auditing the development process for this critical, customer-facing application, the IS auditor noted that the vendor has been in business for only one year. Which of the following helps to mitigate the risk relating to continued application support?
A) A viability study on the vendor
B) A software escrow agreement
C) A contractual agreement for future enhancements
D) Financial evaluation of the vendor
B) A software escrow agreement
The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a DRP, will MOST likely:
A) remain the same.
B) decrease.
C) increase.
D) be unpredictable.
C) increase.
An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make?
A) Enforce standard compliance by adopting punitive measures against violators.
B) Achieve standards alignment through an increase of resources devoted to the project.
C) Delay the project until compliance with standards can be achieved.
D) Align the data definition standards after completion of the project.
B) Achieve standards alignment through an increase of resources devoted to the project.
A characteristic of User Datagram Protocol in network communications is:
A) incompatibility with packet broadcast.
B) packets may arrive out of order.
C) increased communication latency.
D) error correction may slow down processing.
B) packets may arrive out of order.
When reviewing an intrusion detection system, an IS auditor should be MOST concerned about which of the following?
A) Default detection settings
B) Network performance downgrade
C) High number of false- positive alarms
D) Low coverage of network traffic
D) Low coverage of network traffic
An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if:
A) a signature-based IDS is weak against new types of attacks.
B) IDS sensors are placed outside of the firewall.
C) the IDS is used to detect encrypted traffic.
D) a behavior-based IDS is causing many false alarms.
C) the IDS is used to detect encrypted traffic.
An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site are transferred to both the delivery and accounting systems?
A) Transaction totals are recorded on a daily basis in the sales systems. Daily sales system totals are aggregated and totaled.
B) Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected.
C) Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for.
D) System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp.
C) Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for.
While conducting an IS audit of a service provider for a government program involving confidential information, an IS auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met?
A) Monthly committee meetings include the subcontractor’s IS manager
B) Management reviews weekly reports from the subcontractor
C) Permission is obtained from the government agent regarding the contract
D) Periodic independent audit of the work delegated to the subcontractor
D) Periodic independent audit of the work delegated to the subcontractor
Which of the following is a MAJOR concern during a review of help desk activities?
A) Resolved incidents are closed without reference to end users.
B) A dedicated line is not assigned to the help desk team.
C) Certain calls could not be resolved by the help desk team.
D) The help desk instant messaging has been down for over six months.
A) Resolved incidents are closed without reference to end users.
During the system testing phase of an application development project the IS auditor should review the:
A) error reports.
B) vendor contract.
C) program change requests.
D) conceptual design specifications.
A) error reports.
Which of the following is MOST effective for monitoring transactions exceeding predetermined thresholds?
A) An integrated test facility
B) Regression tests
C) Transaction snapshots
D) Generalized audit software
D) Generalized audit software
Which of the following does an IS auditor consider to be MOST important when evaluating an organization’s IT strategy? That it:
A) supports the business objectives of the organization.
B) does not vary from the IT department’s preliminary budget.
C) was approved by line management.
D) complies with procurement procedures.
A) supports the business objectives of the organization.
A financial services enterprise has a small IT department, and individuals perform more than one role. Which of the following practices represents the GREATEST risk?
A) The business analyst writes the requirements and performs functional testing.
B) The IT manager also performs systems administration.
C) The developers promote code into the production environment.
D) The database administrator (DBA) also performs data backups.
C) The developers promote code into the production environment.
In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?
A) Approve and document the change the next business day.
B) Limit developer access to production to a specific time frame.
C) Obtain secondary approval before releasing to production.
D) Disable the compiler option in the production machine.
A) Approve and document the change the next business day.
Digital signatures require the:
A) signer to have a private key and the
receiver to have a public key.
B) signer to have a public key and the receiver to have a private key.
C) signer and receiver to have a public key.
D) signer and receiver to have a private key.
A) signer to have a private key and the
The extent to which data will be collected during an IS audit should be determined based on the:
A) availability of critical and required information.
B) auditee’s ability to find relevant evidence.
C) purpose and scope of the audit being done.
D) auditor’s familiarity with the circumstances.
C) purpose and scope of the audit being done.
In wireless communication, which of the following controls allows the receiving device to verify that the received communications have not been altered in transit?
A) Wireless intrusion detection and intrusion prevention systems
B) Device authentication and data origin authentication
C) Packet headers and trailers
D) The use of cryptographic hashes
D) The use of cryptographic hashes
Confidentiality of the data transmitted in a wireless local area network is BEST protected if the session is:
A) initiated from devices that have encrypted storage.
B) restricted to predefined media access control addresses.
C) encrypted using dynamic keys.
D) encrypted using static keys.
C) encrypted using dynamic keys.
Which of the following is the BEST enabler for strategic alignment between business and IT?
A) Goals and metrics
B) A maturity model
C) A responsible, accountable, consulted and informed (RACI) chart
D) Control objectives
A) Goals and metrics
When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining which of the following network documentation?
A) Wiring and schematic diagram
B) Users’ lists and responsibilities
C) Backup and recovery procedures
D) Application lists and their details
A) Wiring and schematic diagram
Which of the following carries the LOWEST risk when managing failures while transitioning from legacy applications to new applications?
A) Parallel changeover
B) Rollback procedure
C) Phased changeover
D) Abrupt changeover
A) Parallel changeover
Which of the following factors is MOST critical when evaluating the effectiveness of an IT governance implementation?
A) Identify relevant risk and related opportunities.
B) Determine relevant enablers and their applicability.
C) Ensure that assurance objectives are defined.
D) Determine stakeholder requirements and involvement.
D) Determine stakeholder requirements and involvemen
Which of the following controls would be MOST effective in reducing the risk of loss due to fraudulent online payment requests?
A) Protecting web sessions using Secure Sockets Layer
B) Inputting validation checks on web forms
C) Transaction monitoring
D) Enforcing password complexity for authentication
C) Transaction monitoring
An IS auditor is comparing equipment in production with inventory records. This type of testing is an example of:
A) analytical testing.
B) substantive testing.
C) control testing.
D) compliance testing.
B) substantive testing.
The MAIN reason for requiring that all computer clocks across an organization are synchronized is to:
A) support the incident investigation process.
B) ensure that email messages have accurate time stamps.
C) prevent omission or duplication of transactions.
D) ensure smooth data transition from client machines to servers.
A) support the incident investigation process.
A web server is attacked and compromised. Organizational policy states that incident response should balance containment of an attack with retaining freedom for later legal action against an attacker. Under the circumstances, which of the following should be performed FIRST?
A) Dump the volatile storage data to a disk.
B) Run the server in a fail-safe mode.
C) Disconnect the web server from the network.
D) Shut down the web server.
C) Disconnect the web server from the network.
Which of the following BEST encrypts data on mobile devices?
A) Data encryption standard
B) Elliptical curve cryptography C) Advanced encryption standard
D) The Blowfish algorithm
B) Elliptical curve cryptography
Which of the following results in a denial- of-service attack?
A) Negative acknowledgment attack
B) Leapfrog attack
C) Ping of death
D) Brute force attack
C) Ping of death
An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?
A) Permission from the data owner of the server
B) The tools used to conduct the test
C) An intrusion detection system is enabled
D) Certifications held by the IS auditor
A) Permission from the data owner of the server
A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision?
A) Technical skills and knowledge within the organization related to sourcing and software development
B) Whether the legacy system being replaced was developed in-house
C) Privacy requirements as applied to the data processed by the application
D) The users not devoting reasonable time to define the functionalities of the solution
A) Technical skills and knowledge within the organization related to sourcing and software development
The implementation of access controls FIRST requires:
A) the creation of an access control list.
B) a classification of IS resources.
C) an inventory of IS resources.
D) the labeling of IS resources.
C) an inventory of IS resources.
An IS auditor is assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?
A) The contractual warranties of the providers support the business needs of the organization.
B) The service level agreement of each contract is substantiated by appropriate key performance indicators.
C) At contract termination, support is guaranteed by each outsourcer for new outsourcers.
D) An audit clause is present in all contracts.
A) The contractual warranties of the providers support the business needs of the organization.A) The contractual warranties of the providers support the business needs of the organization.
An organization is developing a new web-based application to process orders from customers. Which of the following security measures should be taken to protect this application from hackers?
A) Make sure that only the IP addresses of existing customers are allowed through the firewall.
B) Inspect file and access permissions on all servers to ensure that all files have read-only access.
C) Ensure that ports 80 and 443 are blocked at the firewall.
D) Perform a web application security review.
D) Perform a web application security review.
Which of the following is an attribute of the control self-assessment approach?
A) Auditors are the primary control analysts
B) Broad stakeholder involvement
C) Policy driven
D) Limited employee participation
B) Broad stakeholder involvement
Applying a digital signature to data traveling in a network provides:
A) confidentiality and nonrepudiation.
B) confidentiality and integrity.
C) security and nonrepudiation.
D) integrity and nonrepudiation.
D) integrity and nonrepudiation.
Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment?
A) Lack of transaction authorizations
B) Loss or duplication of EDI transmissions
C) Transmission delay
D) Deletion or manipulation of transactions prior to or after establishment of application controls
A) Lack of transaction authorizations
An IT auditor is reviewing an organization’s information security policy, which requires encryption of all data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption algorithm be used. Which of the following algorithms would provide the greatest assurance that data placed on USB drives is protected from unauthorized disclosure?
A) Message digest 5
B) Secure Shell
C) Advanced Encryption Standard
D) Data Encryption Standard
C) Advanced Encryption Standard
A hotel has placed a PC in the lobby to provide guests with Internet access. Which of the following presents the GREATEST risk for identity theft?
A) Web browser cookies are not automatically deleted.
B) System updates have not been applied on the computer.
C) The computer is improperly configured.
D) Session time out is not activated.
D) Session time out is not activated.
Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor’s PRIMARY suggestion for a postimplementation focus should be to:
A) assess whether the planned cost benefits are being measured, analyzed and reported.
B) determine whether the system’s objectives were achieved.
C) review the impact of program changes made during the first phase on the remainder of the project.
D) review control balances and verify that the system is processing data accurately.
C) review the impact of program changes made during the first phase on the remainder of the project.
A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines. Which of the following would be the BEST contingency plan for the communications processor?
A) Duplex communication links
B) Reciprocal agreement with another organization
C) Alternate processor in the same location
D) Alternate processor at another network node
D) Alternate processor at another network node
This question refers to the following diagram. Email traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:
A) create an entry in the log.
B) alert the appropriate staff.
C) close firewall-1.
D) close firewall-2.
A) create an entry in the log.
During an IS risk assessment of a healthcare organization regarding protected healthcare information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor?
A) The organization does not encrypt all of its outgoing email messages.
B) An individual’s computer screen saver function is disabled.
C) Server configuration requires the user to change the password annually.
D) Staff have to type [PHI] in the subject field of email messages to be encrypted.
D) Staff have to type [PHI] in the subject field of email messages to be encrypted.
Following good practices, formal plans for implementation of new information systems are developed during the:
A) testing phase.
B) development phase.
C) design phase.
D) deployment phase.
C) design phase.
An IS auditor is reviewing a software- based firewall configuration. Which of the following represents the GREATEST vulnerability?
A) Configuration as a virtual private network endpoint.
B) Rules permitting or denying access to systems or networks.
C) An implicit deny rule as the last rule in the rule base
D) Installation on an operating system configured with default settings.
D) Installation on an operating system configured with default settings.
An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review?
A) IT risk is presented in business terms.
B) The risk management framework is based on global standards.
C) Controls are implemented based on cost-benefit analysis.
D) The approval process for risk response is in place.
A) IT risk is presented in business terms.
An organization is planning to deploy an outsourced cloud-based application that is used to track job applicant data for the human resources department. Which of the following should be the GREATEST concern to an IS auditor?
A) The cloud provider will not agree to an unlimited right-to-audit as part of the SLA.
B) The service level agreement (SLA) ensures strict limits for uptime and performance.
C) The SLA is not explicit regarding the disaster recovery plan capabilities of the cloud provider.
D) The cloud provider’s data centers are in multiple cities and countries.
D) The cloud provider’s data centers are in multiple cities and countries.
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A) Access controls
B) Overlapping controls
C) Boundary controls
D) Compensating controls
D) Compensating controls
Which of the following is an advantage of elliptic curve encryption over RSA encryption?
A) Ability to support digital signatures
B) Computation speed
C) Simpler key distribution
D) Message integrity controls
B) Computation speed
During which phase of software application testing should an organization perform the testing of architectural design?
A) Unit testing
B) Acceptance testing
C) Integration testing
D) System testing
C) Integration testing
An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
A) Commands typed on the command line are logged.
B) Access to the operating system command line is granted through an access restriction tool with preapproved rights.
C) Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.
D) Software development tools and compilers have been removed from the production environment.
C) Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.
Which of the following is the MOST effective control when granting temporary access to vendors?
A) Administrator access is provided for a limited period.
B) User IDs are deleted when the work is completed.
C) Vendor access corresponds to the service level agreement.
D) User accounts are created with expiration dates and are based on services provided.
D) User accounts are created with expiration dates and are based on services provided.
When performing a review of a business process reengineering (BPR) effort, which of the following is of PRIMARY concern?
A) The audit department does not have a consulting role in the BPR effort.
B) Controls are eliminated as part of the streamlining BPR effort.
C) Resources are not adequate to support the BPR process.
D) The BPR effort includes employees with limited knowledge of the process area.
B) Controls are eliminated as part of the streamlining BPR effort.
An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign- off by:
A) the project manager.
B) business unit management.
C) systems development management.
D) the quality assurance team.
B) business unit management.
A company is implementing a Dynamic Host Configuration Protocol. Given that the following conditions exist, which represents the GREATEST concern?
A) The IP address space is smaller than the number of PCs.
B) Most employees use laptops.
C) Access to a network port is not restricted.
D) A packet filtering firewall is used.
C) Access to a network port is not restricted.
Which of the following is a passive attack to a network?
A) Traffic analysis
B) Message modification
C) Masquerading
D) Denial-of-service
A) Traffic analysis
Before implementing an IT balanced scorecard, an organization must:
A) deliver effective and efficient services.
B) provide business value to IT projects.
C) define key performance indicators.
D) control IT expenses.
C) define key performance indicators.
When an organization’s disaster recovery plan has a reciprocal agreement, which of the following risk treatment approaches is being applied?
A) Acceptance
B) Avoidance
C) Transfer
D) Mitigation
D) Mitigation
An IS auditor notes daily reconciliation of visitor access card inventory is not aligned with the organization’s procedures. Which of the following is the auditor’s BEST course of action?
A) Recommend regular physical inventory counts.
B) Do not report the lack of reconciliation.
C) Report the lack of daily reconciliations.
D) Recommend the implementation of a more secure access system.
C) Report the lack of daily reconciliations.
While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should:
A) perform an access review.
B) perform a risk assessment.
C) discuss the issue with the service provider.
D) report the issue to IT management.
D) report the issue to IT management.
In transport mode, the use of the Encapsulating Security Payload protocol is advantageous over the authentication header protocol because it provides:
A) antireplay service.
B) data origin authentication.
C) connectionless integrity.
D) confidentiality.
D) confidentiality.
As an IS auditor you are auditing the integrity of information stored in a data warehouse, which of the following security measures BEST ensures the integrity?
A) Change management procedures
B) Data dictionary maintenance
C) A read-only restriction
D) Validated daily backups
C) A read-only restriction
An IS auditor is assessing services provided by an Internet service provider (ISP) during an IS compliance audit of a nationwide corporation that operates a governmental program. Which of the following is MOST important?
A) Review the request for proposal.
B) Research other clients of the ISP.
C) Review monthly performance reports generated by the ISP.
D) Review the service level agreement.
D) Review the service level agreement.
The BEST audit procedure to determine if unauthorized changes have been made to production code is to:
A) examine the change control system records and trace them forward to object code files.
B) review access control permissions operating within the production program libraries.
C) examine object code to find instances of changes and trace them back to change control records.
D) review change approved designations established within the change control system.
C) examine object code to find instances of changes and trace them back to change control records.
Corporate IT policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation?
A) Have the current configuration approved by operations management.
B) Ensure that there is an audit trail for all existing accounts.
C) Amend the IT policy to allow shared accounts.
D) Implement individual user accounts for all staff.
D) Implement individual user accounts for all staff.
After installing a network, an organization implemented a vulnerability assessment tool to identify possible weaknesses. Which type of reporting poses the MOST serious risk associated with such tools?
A) False-positive
B) Less-detail
C) Differential
D) False-negative
D) False-negative
Information for detecting unauthorized input from a user workstation would be BEST provided by the:
A) user error report.
B) transaction journal.
C) automated suspense file listing.
D) console log printout.
B) transaction journal.
An IS auditor reviewing a network log discovers that an employee ran elevated commands on their PC by invoking the task scheduler to launch restricted applications. This is an example what type of attack?
A) A privilege escalation
B) An impersonation
C) A race condition
D) A buffer overflow
A) A privilege escalation
An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?
A) Re-performance
B) Walk-through
C) Inquiry
D) Interview
B) Walk-through
The MAIN advantage of an IS auditor directly extracting data from a general ledger systems is:
A) greater flexibility for the audit department
B) reduction in the time to have access to the information.
C) reduction of human resources needed to support the audit.
D) greater assurance of data validity
D) greater assurance of data validity
Which of the following does a lack of adequate security controls represent?
A) Threat
B) Asset
C) Vulnerability
D) Impact
C) Vulnerability
Which of the following would an IS auditor consider to be the MOST important to review when conducting a disaster recovery audit?
A) Insurance coverage is adequate and premiums are current.
B) A hot site is contracted for and available as needed.
C) Data backups are performed timely and stored offsite.
D) A business continuity manual is available and current.
C) Data backups are performed timely and stored offsite.
During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor’s GREATEST concern?
A) The policy for data backup and retention has not been reviewed by the business owner for the past three years.
B) Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator.
C) Restoration testing for backup media is not performed; however, all data restore requests have been successful.
D) The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually.
D) The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually.
The FIRST step in a successful attack to a system is:
A) gaining access.
B) denying services.
C) evading detection.
D) gathering information.
D) gathering information.
Which of the following would MOST effectively enhance the security of a challenge- response based authentication system?
A) Increasing the length of authentication strings
B) Implementing measures to prevent session hijacking attacks
C) Selecting a more robust algorithm to generate challenge strings
D) Increasing the frequency of associated password changes
B) Implementing measures to prevent session hijacking attacks
Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
A) provide proper cross- training for another employee.
B) ensure that the employee maintains a good quality of life, which will lead to greater productivity.
C) eliminate the potential disruption caused when an employee takes vacation one day at a time.
D) reduce the opportunity for an employee to commit an improper or illegal act.
D) reduce the opportunity for an employee to commit an improper or illegal act.
Which of the following is BEST suited for secure communications within a small group?
A) Key distribution center
B) Web of trust
C) Kerberos Authentication System
D) Certificate authority
B) Web of trust
Due to a reorganization, a business application system will be extended to other departments. Which of the following should be of the GREATEST concern for an IS auditor?
A) Process owners have not been identified.
B) Multiple application owners exist.
C) The billing cost allocation method has not been determined.
D) A training program does not exist.
A) Process owners have not been identified.
During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
A) only systems administrators perform the patch process.
B) the client’s change management process is adequate.
C) patches are validated using parallel testing in production.
D) an approval process of the patch, including a risk assessment, is developed.
B) the client’s change management process is adequate.
An IS auditor is reviewing Secure Sockets Layer enabled web sites for the company. Which of the following choices would be the HIGHEST risk?
A) Self-signed digital certificates
B) Expired digital certificates
C) Using the same digital certificate for multiple web sites
D) Using 56-bit digital certificates
A) Self-signed digital certificates
Which of the following is the BEST control over a guest wireless ID that is given to vendor staff?
A) Assignment of a renewable user ID which expires daily
B) Ensuring that wireless network encryption is configured properly
C) Use of a user ID format similar to that used by employees
D) A write-once log to monitor the vendor’s activities on the system
A) Assignment of a renewable user ID which expires daily
From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy:
A) has the appropriate priority level assigned.
B) is aligned with the business strategy.
C) is cost-effective.
D) is future thinking and innovative.
B) is aligned with the business strategy.
The use of digital signatures:
A) validates the source of a message.
B) requires the use of a one-time password generator.
C) provides encryption to a message.
D) ensures message confidentiality.
A) validates the source of a message.
An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk?
A) Undocumented approval of some project changes
B) Faulty migration of historical data from the old system to the new system
C) Duplication of existing payroll permissions on the new ERP subsystem
D) Incomplete testing of the standard functionality of the ERP subsystem
B) Faulty migration of historical data from the old system to the new system
Which of the following is the BEST reference for an IS auditor to determine a vendor’s ability to meet service level agreement (SLA) requirements for a critical IT security service?
A) Results of business continuity tests
B) Results of independent audit reports
C) Agreed-on key performance metrics
D) Compliance with the master agreement
C) Agreed-on key performance metrics
What kind of software application testing is considered the final stage of testing and typically includes users outside of the development team?
A) White box testing
B) Beta testing
C) Regression testing
D) Alpha testing
B) Beta testing
Overall quantitative business risk for a particular threat can be expressed as:
A) the magnitude of the impact if a threat source successfully exploits the vulnerability.
B) the likelihood of a given threat source exploiting a given vulnerability.
C) a product of the likelihood and magnitude of the impact if a threat successfully exploits a vulnerability.
D) the collective judgment of the risk assessment team.
C) a product of the likelihood and magnitude of the impact if a threat successfully exploits a vulnerability.
The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
A) dataflow diagrams.
B) semantic nets.
C) decision trees.
D) rules.
C) decision trees.
Which of the following anti-spam filtering methods has the LOWEST possibility of false- positive alerts?
A) Statistic-based
B) Rule-based
C) Heuristic filtering
D) Check-sum based
D) Check-sum based
Which of the following does a lack of adequate controls represent?
A) An asset
B) An impact
C) A vulnerability
D) A threat
C) A vulnerability
Which of the following should an IS auditor be MOST concerned about in a financial application?
A) The information security officer does not authorize all application changes.
B) Programmers have access to source code in user acceptance testing environment.
C) Programmers have access to the production database.
D) Secondary controls are documented for identified role conflicts.
C) Programmers have access to the production database.
Which of the following is the BEST control to prevent the deletion of audit logs by unauthorized individuals in an organization?
A) Only select personnel should have rights to view or delete audit logs.
B) Actions performed on log files should be tracked in a separate log.
C) Backups of audit logs should be performed periodically.
D) Write access to audit logs should be disabled.
A) Only select personnel should have rights to view or delete audit logs.
The MAJOR advantage of a component-based development approach is the:
A) ability to manage an unrestricted variety of data types.
B) provision for modeling complex relationships.
C) capacity to meet the demands of a changing environment.
D) support of multiple development environments.
D) support of multiple development environments.
The specific advantage of white box testing is that it:
A) determines procedural accuracy or conditions of a program’s specific logic paths.
B) examines a program’s functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.
C) ensures a program’s functional operating effectiveness without regard to the internal program structure.
D) verifies a program can operate successfully with other parts of the system.
A) determines procedural accuracy or conditions of a program’s specific logic paths.
Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?
A) Stratified mean per unit
B) Unstratified mean per unit
C) Attribute sampling
D) Variable sampling
C) Attribute sampling
An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommending a specific vendor product to address this vulnerability. The IS auditor has failed to exercise:
A) technical competence.
B) professional independence.
C) organizational independence.
D) professional competence.
B) professional independence.
Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power?
A) Power line conditioners
B) Surge protective devices
C) Interruptible power supplies
D) Alternative power supplies
A) Power line conditioners
Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases?
A) Backup and recovery
B) Configuration management
C) Incident management
D) Change management
B) Configuration management
When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with -
A) disclosure.
B) preservation.
C) evaluation.
D) analysis.
B) preservation.
Which of the following controls helps prevent duplication of vouchers during data entry?
A) A range check
B) A sequence check
C) Transposition and substitution
D) A cyclic redundancy check
B) A sequence check
Which of the following would be the GREATEST concern if audit objectives are not established during the initial phase of an audit program?
A) Control costs will exceed planned budget.
B) Important business risk may be overlooked.
C) Previously audited areas may be inadvertently included.
D) Key stakeholders are incorrectly identified.
B) Important business risk may be overlooked.
Which of the following is MOST indicative of the effectiveness of an information security awareness program?
A) Information security responsibilities have been included in job descriptions.
B) All employees have signed the information security policy.
C) Most employees have attended an awareness session.
D) Employees report more information regarding security incidents
D) Employees report more information regarding security incidents.
The GREATEST benefit of having well-defined data classification policies and procedures is:
A) a decreased cost of controls.
B) a reduced risk of inappropriate system access.
C) a more accurate inventory of information assets.
D) an improved regulatory compliance.
A) a decreased cost of controls.
