Exam 3 Flashcards

1
Q

The success of control self-assessment depends highly on:

A) assigning staff managers the responsibility for building controls.
B) the implementation of a stringent control policy and rule-driven controls.
C) line managers assuming a portion of the responsibility for control monitoring.
D) the implementation of supervision and monitoring of controls of assigned duties.

A

C) line managers assuming a portion of the responsibility for control monitoring.

Line managers assuming a portion of the responsibility for control monitoring is correct. The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly.

2
Q

An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise’s security requirements?

A) The vendor agrees to implement controls in alignment with the enterprise.
B) The vendor agrees to provide annual external audit reports in the contract.
C) The vendor provides the latest internal audit report for verification.
D) The vendor provides the latest third-party audit report for verification.

A

B) The vendor agrees to provide annual external audit reports in the contract.

The vendor agrees to provide annual external audit reports in the contract is correct. The only way to ensure that any potential risk is mitigated today and in the future is to include a clause within the contract that the vendor will provide future external audit reports. Without the audit clause, the vendor can choose to forgo future audits.

3
Q

What is the purpose of the data flow diagrams used by IS auditors?

A) identify key controls.
B) highlight high-level data definitions.
C) portray step-by-step details of data generation.
D) graphically summarize data paths and storage.

A

D) graphically summarize data paths and storage.

Graphically summarize data paths and storage is correct. Data flow diagrams are used as aids to graph or chart data flow and storage. They trace data from their origination to destination, highlighting the paths and storage of data.

4
Q

The MOST serious challenge in the operation of an intrusion detection system is:

A) learning vendor specific protocols.
B) blocking eligible connections.
C) filtering false positive alerts.
D) updating vendor-specific protocols.

A

C) filtering false positive alerts.

Filtering false-positive alerts is correct. Because of the configuration and the way intrusion detection system (IDS) technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents—false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls (such as IDS tuning) and incident handling procedures (such as the screening process) that determine whether an event is a security incident or a false positive.

5
Q

A company’s development team does not follow generally accepted system development life cycle practices. Which of the following is MOST likely to cause problems for software development projects?

A) Functional verification of the prototypes is assigned to end users.
B) Project responsibilities are not formally defined at the beginning of a project.
C) Program documentation is inadequate.
D) The project is implemented while minor issues are open from user acceptance testing.

A

B) Project responsibilities are not formally defined at the beginning of a project.

Project responsibilities are not formally defined at the beginning of a project is correct. Errors or lack of attention in the initial phases of a project may cause costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project.

6
Q

Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?

A) Allocating resources
B) Attention to detail
C) Managing audit staff
D) Project management

A

D) Project management

Project management is correct. Audits often involve resource management, deliverables, scheduling and deadlines that are similar to project management good practices.

7
Q

Which of the following BEST helps prioritize the recovery of IT assets when planning for a disaster?

A) Business impact analysis
B) Incident response plan
C) Recovery time objective
D) Threat and risk analysis

A

A) Business impact analysis

Business impact analysis is correct. Incorporating the business impact analysis (BIA) into the IT disaster recovery planning process is critical to ensure that IT assets are prioritized to align with the business.

8
Q

An IS auditor reviewing an outsourcing contract of IT facilities expects it to define the:

A) hardware configuration.
B) ownership of intellectual property.
C) application development methodology.
D) access control software.

A

B) ownership of intellectual property.

Ownership of intellectual property is correct. The contract must specify who owns the intellectual property (i.e., information being processed and application programs). Ownership of intellectual property is a significant cost and is a key aspect to be defined in an outsourcing contract.

9
Q

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?

A) Project manager
B) Data owner
C) IS auditor
D) Database administrator

A

B) Data owner

Data owner is correct. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing off that the data have been migrated completely and accurately and are valid.

10
Q

Establishing the level of acceptable risk is the responsibility of:

A) the chief information officer.
B) quality assurance management.
C) senior business management.
D) the chief security officer.

A

C) senior business management.

Senior business management is correct. Senior management should establish the acceptable risk level because, as the senior managers of the business process, they hold the ultimate or final responsibility for the effective and efficient operation of the organization. The person may also hold the role of quality assurance (QA), chief information officer (CIO) or chief security officer (CSO), but the responsibility rests with the business manager.

11
Q

An IS auditor reviewing the process of log monitoring wants to evaluate the organization’s manual review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?

A) Inquiry
B) Walk-through
C) Re-performance
D) Inspection

A

B) Walk-through

Walk-through is correct. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation and re-performance of controls. A walk-through of the manual log review process follows that process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses.

12
Q

An IS auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when:

A) the service level agreement does not address the responsibility of the vendor in the case of a security breach.
B) the organization is not permitted to assess the controls in the participating vendor’s site.
C) the organization is using an older version of a browser and is vulnerable to certain types of security risk.
D) laws and regulations are different in the countries of the organization and the vendor.

A

A) the service level agreement does not address the responsibility of the vendor in the case of a security breach.

The service level agreement does not address the responsibility of the vendor in the case of a security breach is correct. Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach.

13
Q

The ultimate purpose of IT governance is to:

A) reduce IT costs.
B) encourage optimal use of IT.
C) centralize control of IT.
D) decentralize IT resources.

A

B) encourage optimal use of IT.

Encourage optimal use of IT is correct. IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.

14
Q

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?

A) Three users with the ability to capture and verify the messages of other users and to send their own messages
B) Five users with the ability to verify other users and to send their own messages
C) Five users with the ability to capture and send their own messages
D) Three users with the ability to capture and verify their own messages

A

D) Three users with the ability to capture and verify their own messages

Three users with the ability to capture and verify their own messages is correct. The ability of one individual to capture and verify their own messages represents an inadequate segregation because messages can be taken as correct and as if they had already been verified. The verification of messages should not be allowed by the person who sent the message.

15
Q

The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning system. In the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy?

A) Significant cost savings over other testing approaches
B) Assurance that new, faster hardware is compatible with the new system
C) Assurance that the new system meets functional requirements
D) Increased resiliency during the parallel processing time

A

C) Assurance that the new system meets functional requirements

Assurance that the new system meets functional requirements is correct. Parallel operation is designed to provide assurance that a new system meets its functional requirements. This is the safest form of system conversion testing because, if the new system fails, the old system is still available for production use. In addition, this form of testing allows the application developers and administrators to simultaneously run operational tasks (e.g., batch jobs and backups) on both systems, to ensure that the new system is reliable before unplugging the old system.

16
Q

Which of the following is normally a responsibility of the chief information security officer?

A) Executing user application and software testing and evaluation
B) Granting and revoking user access to IT resources
C) Approving access to data and applications
D) Periodically reviewing and evaluating the security policy

A

D) Periodically reviewing and evaluating the security policy

Periodically reviewing and evaluating the security policy is correct. The role of the chief information security officer is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the enterprise assets, including data, programs and equipment.

17
Q

Which of the following types of penetration tests simulates a real attack and is used to test incident handling and response capability of the target?

A) Blind testing
B) Double-blind testing
C) External testing
D) Targeted testing

A

B) Double-blind testing

Double-blind testing is correct. This is also known as zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning—both parties are “blind” to the test. This is the best scenario for testing response capability because the target will react as if the attack were real.

18
Q

A company has decided to implement an electronic signature scheme based on a public key infrastructure. The user’s private key will be stored on the computer’s hard drive and protected by a password. The MOST significant risk of this approach is:

A) use of the user’s electronic signature by another person if the password is compromised.
B) impersonation of a user by substitution of the user’s public key with another person’s public key.
C) forgery by using another user’s private key to sign a message with an electronic signature.
D) forgery by substitution of another person’s private key on the computer.

A

A) use of the user’s electronic signature by another person if the password is compromised.

Use of the user’s electronic signature by another person if the password is compromised is correct. The user’s digital signature is only protected by a password. Compromise of the password would enable access to the signature. This is the most significant risk.

19
Q

Users are issued security tokens to be used in combination with a personal identification number (PIN) to access the corporate virtual private network. Regarding the PIN, what is the MOST important rule to be included in a security policy?

A) Users should never write down their PIN
B) Users must never keep the token in the same bag as their laptop computer.
C) Users should select a PIN that is completely random, with no repeating digits.
D) Users should not leave tokens where they could be stolen.

A

A) Users should never write down their PIN

Users should never write down their personal identification number (PIN) is correct. If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper and the computer could access the corporate network. A token combined with a PIN is a two-factor authentication method.

20
Q

The purpose of code signing is to provide assurance that:

A) the private key of the signer has not been compromised.
B) the signer of the application is trusted.
C) the application can safely interface with another signed application.
D) the software has not been subsequently modified.

A

D) the software has not been subsequently modified.

The software has not been subsequently modified is correct. Code signing ensures that the executable code came from a reputable source and has not been modified after being signed.

21
Q

During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?

A) Draft a service level agreement for the two departments.
B) Postpone the audit until the agreement is documented.
C) Report the existence of the undocumented agreement to senior management.
D) Confirm the content of the agreement with both departments.

A

D) Confirm the content of the agreement with both departments.

Confirm the content of the agreement with both departments is correct. An IS auditor should first confirm and understand the current practice before making any recommendations. Part of this will be to ensure that both parties agree with the terms of the agreement.

22
Q

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the:

A) IS audit resources to be deployed.
B) most valuable information assets.
C) control objectives and activities.
D) auditee personnel to be interviewed.

A

C) control objectives and activities.

Control objectives and activities is correct. After the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit.

23
Q

Which of the following represents an example of a preventive control with respect to IT personnel?

A) An intrusion detection system
B) A security guard stationed at the server room door
C) Implementation of a badge entry system for the IT facility
D) A fire suppression system in the server room

A

C) Implementation of a badge entry system for the IT facility

Implementation of a badge entry system for the IT facility is correct. Preventive controls are used to reduce the probability of an adverse event. A badge entry system prevents unauthorized entry to the facility.

24
Q

The PRIMARY objective of conducting a post-implementation review for a business process automation project is to:

A) confirm compliance with regulatory requirements.
B) evaluate the adequacy of controls.
C) ensure that the project meets the intended business requirements.
D) confirm compliance with technological standards.

A

C) ensure that the project meets the intended business requirements.

Ensure that the project meets the intended business requirements is correct. This is the primary objective of a post-implementation review.

25
Q

During a post-implementation review of an enterprise resource management system, an IS auditor would MOST likely:

A) evaluate system testing.
B) review access control configuration.
C) review detailed design documentation.
D) evaluate interface testing.

A

B) review access control configuration.

Review access control configuration is correct. Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system.

26
Q

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should:

A) apply a qualitative approach.
B) calculate a return on investment.
C) compute the amortization of the related assets.
D) spend the time needed to define the loss amount exactly.

A

A) apply a qualitative approach.

Apply a qualitative approach is correct. The common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).

27
Q

While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours. The IS auditor should report that the project:

A) cannot be evaluated until the activity is completed.
B) is on schedule.
C) is ahead of schedule.
D) is behind schedule.

A

D) is behind schedule.

Is behind schedule is correct. Earned value analysis (EVA) is based on the premise that if a project task is assigned 24 hours for completion, it can be reasonably completed during that time frame. According to EVA, the project is behind schedule because the value of the eight hours spent on the task should be only four hours, considering that 20 hours of effort remain to be completed.

28
Q

A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that:

A) the application may not meet the requirements of the business users.
B) the application technology may be inconsistent with the enterprise architecture.
C) the application may create unanticipated support issues for IT.
D) the security controls of the application may not meet requirements.

A

B) the application technology may be inconsistent with the enterprise architecture.

The application technology may be inconsistent with the enterprise architecture is correct. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system that is not part of the EA for the business, this increases the cost and complexity of the solution and ultimately delivers less value to the business.

29
Q

Which of the following should an incident response team address FIRST after a major incident in an information processing facility?

A) Documentation of the facility
B) Restoration at the facility
C) Monitoring of the facility
D) Containment at the facility

A

D) Containment at the facility

Containment at the facility is correct. The first priority (after addressing life safety) is the containment of the incident at the facility so that spread of the damage is minimized. The incident team must gain control of the situation.

30
Q

An enterprise uses privileged accounts to process configuration changes for mission-critical applications. Which of the following would be the BEST and appropriate control to limit the risk in such a situation?

A) Ensure that audit trails are accurate and specific.
B) Ensure that personnel background checks are performed for critical personnel.
C) Ensure that personnel have adequate training.
D) Ensure that supervisory approval and review are performed for critical changes.

A

D) Ensure that supervisory approval and review are performed for critical changes.

Ensure that supervisory approval and review are performed for critical changes is correct. Supervisory approval and review of critical changes by the accountable managers in the enterprise are required to avoid and detect any unauthorized change. In addition to authorization, supervision enforces a separation of duties and prevents an unauthorized attempt by any single employee.

31
Q

Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation?

A) Decline to deal with these vendors in the future.
B) Assess the impact of patches prior to installation.
C) Install the security patch immediately.
D) Ask the vendors for a new software version with all fixes included.

A

B) Assess the impact of patches prior to installation.

Assess the impact of patches prior to installation is correct. The effect of installing the patch should be immediately evaluated and installation should occur based on the results of the evaluation. There are numerous cases where a patch from one vendor has affected other systems; therefore, it is necessary to test the patches as much as possible before rolling them out to the entire organization.

32
Q

An IS auditor who was involved in designing an organization’s business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:

A) inform management of the possible conflict of interest after completing the audit assignment.
B) communicate the possibility of conflict of interest to audit management prior to starting the assignment.
C) inform the BCP team of the possible conflict of interest prior to beginning the assignment.
D) decline the assignment.

A

B) communicate the possibility of conflict of interest to audit management prior to starting the assignment.

Communicate the possibility of conflict of interest to audit management prior to starting the assignment is correct. A possible conflict of interest, likely to affect the IS auditor’s independence, should be brought to the attention of management prior to starting the assignment.

33
Q

IT governance is PRIMARILY the responsibility of the:

A) IT steering committee.
B) board of directors.
C) audit committee.
D) chief executive officer.

A

B) board of directors.

Board of directors is correct. IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors).

34
Q

Involvement of senior management is MOST important in the development of:

A) standards and guidelines.
B) strategic plans.
C) IT policies.
D) IT procedures.

A

B) strategic plans.

Strategic plans is correct. These provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives.

35
Q

Which of the following does an IS auditor FIRST reference when performing an IS audit?

A) Internal standards
B) Approved policies
C) Implemented procedures
D) Documented practices

A

B) Approved policies

Approved policies is correct. Policies are high-level documents that represent the corporate philosophy of an organization. Internal standards, procedures and practices are subordinate to policy.

36
Q

Which of the following is widely accepted as one of the critical components in networking management?

A) Proxy server troubleshooting
B) Configuration and change management
C) Application of monitoring tools
D) Topological mappings

A

B) Configuration and change management

Configuration and change management is correct. Configuration management is widely accepted as one of the key components of any network because it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Change management ensures that the setup and management of the network is done properly, including managing changes to the configuration, removal of default passwords and possibly hardening the network by disabling unneeded services.

37
Q

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control?

A) System-generated exception reports for the review period with the reviewer’s sign-off
B) Management’s confirmation of the effectiveness of the control for the review period
C) Walk-through with the reviewer of the operation of the control
D) A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer

A

D) A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer

A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer is correct. This represents the best possible evidence of the effective operation of the control, because there is documented evidence that the reviewer reviewed the exception report and took actions based on the exception report.

38
Q

Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization?

A) Dedicated line
B) Leased line
C) Virtual private network
D) Integrated services digital network

A

C) Virtual private network

Virtual private network is correct. The most secure method is a virtual private network, using encryption, authentication and tunneling to allow data to travel securely from a private network to the Internet.

39
Q

An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:

A) accountability system and the ability to identify any terminal accessing system resources.
B) maintenance of access logs of usage of various system resources.
C) authorization and authentication of the user prior to granting access to system resources.
D) adequate protection of stored data on servers by encryption or other means.

A

C) authorization and authentication of the user prior to granting access to system resources.

40
Q

During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend?

A) Hire additional staff to provide a segregation of duties for application role changes.
B) Implement a properly documented process for application role change requests.
C) Document the current procedure in detail and make it available on the enterprise intranet.
D) Implement an automated process for changing application roles.

A

B) Implement a properly documented process for application role change requests.

Implement a properly documented process for application role change requests is correct. The IS auditor should recommend implementation of processes that could prevent or detect improper changes from being made to the major application roles. The application role change request process should start and be approved by the business owner; then, the IS director can make the changes to the application.

41
Q

An IS auditor discovers that the disaster recovery plan (DRP) for a company does not include a critical application hosted in the cloud. Management’s response states that the cloud vendor is responsible for disaster recovery (DR) and DR-related testing. What is the NEXT course of action for the IS auditor to pursue?

A) Plan an audit of the cloud vendor.
B) Review an independent auditor’s report of the cloud vendor.
C) Review the vendor contract to determine its DR capabilities.
D) Request a copy of the DRP from the cloud vendor.

A

C) Review the vendor contract to determine its DR capabilities.

Review the vendor contract to determine its disaster recovery (DR) capabilities is correct. DR services can only be expected from the vendor when explicitly listed in the contract with well-defined recovery time objectives and recovery point objectives. Without the contractual language, the vendor is not required to provide DR services.

42
Q

An IS auditor is reviewing an organization’s network operations center (NOC). Which of the following choices is of the GREATEST concern? The use of:

A) a rented rack space in the NOC.
B) a wet pipe-based fire suppression system.
C) a carbon dioxide-based fire suppression system.
D) an uninterrupted power supply with 10 minutes of backup power.

A

C) a carbon dioxide-based fire suppression system.

A carbon dioxide (CO2)-based fire suppression system is correct. CO2 systems should not be used in areas where people are present, because their function will cause suffocation in the event of a fire. Controls should consider personnel safety first.

43
Q

What is the BEST method to facilitate successful user testing and acceptance of a new enterprise resource planning payroll system that is replacing an existing legacy system?

A) Prototype testing
B) Parallel testing
C) Multiple testing
D) Integration testing

A

B) Parallel testing

Parallel testing is correct. This is the best method for testing data results and system behavior because it allows the users to compare results from both systems before decommissioning the legacy system. Parallel testing also results in better user adoption of the new system.

44
Q

An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions?

A) Variable
B) Attribute
C) Stop-or-go
D) Judgment

A

B) Attribute

Attribute is correct. Attribute sampling is used to test compliance of transactions to controls—in this instance, the existence of appropriate approval.

45
Q

Which of the following types of transmission media provide the BEST security against unauthorized access?

A) Fiber-optic cables
B) Copper wire
C) Shielded twisted pair
D) Coaxial cables

A

A) Fiber-optic cables

Fiber-optic cables is correct. Fiber-optic cables have proven to be more secure and more difficult to tap than the other media.

46
Q

An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP traffic?

A) End users having access to software tools such as packet sniffer applications
B) Corruption of the Address Resolution Protocol cache in Ethernet switches
C) Use of a default administrator password on the analog phone switch
D) Deploying virtual local area networks without enabling encryption

A

B) Corruption of the Address Resolution Protocol cache in Ethernet switches

Corruption of the Address Resolution Protocol (ARP) cache in Ethernet switches is correct. On an Ethernet switch there is a data table known as the ARP cache, which stores mappings between media access control and IP addresses. During normal operations, Ethernet switches only allow directed traffic to flow between the ports involved in the conversation and no other ports can see that traffic. However, if the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply “flood” the directed traffic to all ports of the switch, which could allow an attacker to monitor traffic not normally visible to the port where the attacker was connected, and thereby eavesdrop on Voice-over Internet Protocol (VoIP) traffic.

47
Q

Web and email filtering tools are valuable to an organization PRIMARILY because they:

A) assist the organization in preventing legal issues
B) maximize employee performance.
C) protect the organization from viruses and non-business materials.
D) safeguard the organization’s image.

A

C) protect the organization from viruses and non-business materials.

Protect the organization from viruses and non-business materials is correct. The main reason for investing in web and email filtering tools is that they significantly reduce risk related to viruses, spam, mail chains, recreational surfing and recreational email.

48
Q

The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors?

A) Discovery
B) Stop-or-go
C) Classical variable
D) Probability-proportional-to-size

A

A) Discovery

Discovery sampling is correct. This is used when an IS auditor is trying to determine whether a type of event has occurred. Therefore, it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.

49
Q

When using public key encryption to secure data being transmitted across a network:

A) both the key used to encrypt and decrypt the data are public.
B) the key used to encrypt is private, but the key used to decrypt the data is public.
C) both the key used to encrypt and decrypt the data are private.
D) the key used to encrypt is public, but the key used to decrypt the data is private.

A

D) the key used to encrypt is public, but the key used to decrypt the data is private.

The key used to encrypt is public, but the key used to decrypt the data is private is correct. Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.

50
Q

The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during:

A) the internal lab testing phase.
B) the implementation phase.
C) testing and prior to user acceptance.
D) the requirements gathering process.

A

C) testing and prior to user acceptance.

The requirements gathering process is correct. The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of applications software. This provides maximum opportunity for review of the vendors and their products. Early engagement of an IS auditor also minimizes the potential of a business commitment to a given solution that might be inadequate and more difficult to overcome as the process continues.

51
Q

Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet?
A) The CA has several data processing subcenters to administer certificates.
B) Customers can make their transactions from any computer or mobile device.
C) Customers are widely dispersed geographically, but the certificate authorities (CAs) are not.
D) The organization is the owner of the CA.

A

D) The organization is the owner of the CA.

The organization is the owner of the certificate authority (CA) is correct. If the CA belongs to the same organization, this would pose a risk. The management of a CA must be based on trusted and secure procedures. If the organization has not set in place the controls to manage the registration, distribution and revocation of certificates, this could lead to a compromise of the certificates and loss of trust.

52
Q

Which of the following situations could impair the independence of an IS auditor? The IS auditor:

A) implemented specific functionality during the development of an application.
B) provided consulting advice concerning application good practices.
C) designed an embedded audit module for auditing an application.
D) participated as a member of an application project team and did not have operational responsibilities.

A

A) implemented specific functionality during the development of an application.

Implemented specific functionality during the development of an application is correct. Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition, and implementation of the application system.

53
Q

Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?

A) Stateful inspection firewalls
B) Intrusion detection systems
C) Packet filtering routers
D) Data mining techniques

A

D) Data mining techniques

Data mining techniques is correct. Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card.

54
Q

Which of the following will BEST ensure the successful offshore development of business applications?

A) Stringent contract management practices
B) Detailed and correctly applied specifications
C) Post-implementation review
D) Awareness of cultural and political differences

A

B) Detailed and correctly applied specifications

Detailed and correctly applied specifications is correct. When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Inaccurate specifications cannot easily be corrected.

55
Q

The rate of change in technology increases the importance of:

A) outsourcing the IT function.
B) meeting user requirements.
C) implementing and enforcing sound processes.
D) hiring qualified personnel.

A

C) implementing and enforcing sound processes.

Implementing and enforcing sound processes is correct. Change control requires that good change management processes be implemented and enforced.

56
Q

Email message authenticity and confidentiality is BEST achieved by signing the message using the:

A) receiver’s private key and encrypting the message using the sender’s public key.
B) sender’s private key and encrypting the message using the receiver’s public key.
C) sender’s public key and encrypting the message using the receiver’s private key.
D) receiver’s public key and encrypting the message using the sender’s private key.

A

B) sender’s private key and encrypting the message using the receiver’s public key.

Sender’s private key and encrypting the message using the receiver’s public key is correct. By signing the message with the sender’s private key, the receiver can verify its authenticity using the sender’s public key. Encrypting with the receiver’s public key provides confidentiality.

57
Q

Which of the following would be the BEST access control procedure?

A) The data owner and an IS manager jointly create and update the user authorization tables.
B) The data owner formally authorizes access and an administrator implements the user authorization tables.
C) The data owner creates and updates the user authorization tables.
D) Authorized staff implements the user authorization tables and the data owner approves them.

A

B) The data owner formally authorizes access and an administrator implements the user authorization tables.

The data owner formally authorizes access and an administrator implements the user authorization tables is correct. The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables at the direction of the owner.

58
Q

An IS auditor discovers that the configuration settings for password controls are more stringent for business users than for IT developers. Which of the following is the BEST action for the IS auditor to take?

A) Recommend that all password configuration settings be identical.
B) Document the observation as an exception.
C) Determine whether this is a policy violation and document it.
D) Recommend that logs of IT developer access are reviewed periodically.

A

C) Determine whether this is a policy violation and document it.

Determine whether this is a policy violation and document it is correct. If the policy documents the purpose and approval for different procedures, then an IS auditor only needs to document observations and tests as to whether the procedures are followed.

59
Q

Which of the following is the FIRST step in an IT risk assessment for a risk-based audit?

A) Identify all IT systems and controls that are relevant to audit objectives.
B) List all controls from the audit program to select ones matching with audit objectives.
C) Understand the business, its operating model and key processes.
D) Review the results of a risk self-assessment.

A

D) Review the results of a risk self-assessment.

Understand the business, its operating model and key processes is correct. Risk-based auditing must be based on the understanding of the business, operating model and environment. This is the first step in an IT risk assessment for a risk-based audit. Identify all

60
Q

Which control is the BEST way to ensure that the data in a file have not been changed during transmission?

A) Hash values
B) Reasonableness check
C) Check digits
D) Parity bits

A

A) Hash values

Hash values is correct. These are calculated on the file and are very sensitive to any changes in the data values in the file. Thus, they are the best way to ensure that data has not changed.

61
Q

An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following: The existing DRP was compiled two years earlier by a systems analyst in the organization’s IT department using transaction flow projections from the operations department. The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting attention. The DRP has never been updated, tested or circulated to key management and staff, although interviews show that each would know what action to take for its area if a disruptive incident occurred. The IS auditor’s report should recommend that:

A) a manager coordinates the creation of a new or revised plan within a defined time limit.
B) the deputy chief executive officer (CEO) be censured for failure to approve the plan.
C) a board of senior managers is set up to review the existing plan.
D) the existing plan is approved and circulated to all key management and staff.

A

A) a manager coordinates the creation of a new or revised plan within a defined time limit.

A manager coordinates the creation of a new or revised plan within a defined time limit is correct. The primary concern is to establish a workable disaster recovery plan (DRP) that reflects current processing volumes to protect the organization from any disruptive incident.

62
Q

Which of the following inputs would PRIMARILY help in designing the data backup strategy in case of potential natural disasters?

A) Recovery point objective
B) Recovery time objective
C) Available data backup technologies
D) Volume of data to be backed up

A

A) Recovery point objective

Recovery point objective (RPO) is correct. This is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the acceptable amount of data loss in the case of interruption. Based on the RPO, one can design the data backup strategy for potential disasters using various technologies.

63
Q

What is the PRIMARY consideration for an IS auditor reviewing the prioritization and coordination of IT projects and program management?

A) IT project metrics are reported accurately.
B) Projects are aligned with the organization’s strategy.
C) Identified project risk is monitored and mitigated.
D) Controls related to project planning and budgeting are appropriate.

A

B) Projects are aligned with the organization’s strategy.

Projects are aligned with the organization’s strategy is correct. The primary goal of IT projects is to add value to the business, so they must be aligned with the business strategy to achieve the intended results. Therefore, the IS auditor should first focus on ensuring this alignment.

64
Q

A company determined that its web site was compromised, and a rootkit was installed on the server hosting the application. Which of the following choices would have MOST likely prevented the incident?

A) Operating system patching
B) A firewall
C) A network-based intrusion detection system
D) A host-based intrusion prevention system

A

D) A host-based intrusion prevention system

A host-based intrusion prevention system (IPS) is correct. This prevents unauthorized changes to the host. If a malware attack attempted to install a rootkit, the IPS would refuse to permit the installation without the consent of an administrator.

65
Q

The final decision to include a material finding in an audit report should be made by the:

A) IS auditor.
B) chief executive officer of the organization.
C) auditee’s manager.
D) audit committee.

A

A) IS auditor.

The IS auditor is correct. The IS auditor should make the final decision about what to include or exclude from the audit report.

66
Q

Which of the following should be included in a feasibility study for a project to implement an electronic data interchange process?

A) The proposed trusted third-party agreement
B) The necessary communication protocols
C) The encryption algorithm format
D) The detailed internal control procedures

A

C) The encryption algorithm format

The necessary communication protocols is correct. The communications protocols must be included because there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization.

67
Q

Which of the following is the MOST important action in recovering from a cyberattack?

A) Activating an incident response team
B) Hiring cyberforensic investigators
C) Executing a business continuity plan
D) Preserving evidence

A

A) Activating an incident response team

Activating an incident response team is correct. Hopefully the incident response team and procedures were set up prior to the cyberattack. The first step is to activate the team, contain the incident and keep the business operational.

68
Q

An IS auditor finds that a disaster recovery plan for critical business functions does not cover all systems. Which of the following is the MOST appropriate course of action for the IS auditor?

A) Cancel the audit.
B) Postpone the audit until the systems are added to the DRP.
C) Alert management and evaluate the impact of not covering all systems.
D) Complete the audit of the systems covered by the existing DRP.

A

C) Alert management and evaluate the impact of not covering all systems.

Alert management and evaluate the impact of not covering all systems is correct. An IS auditor should make management aware that some systems are omitted from the disaster recovery plan (DRP). An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the DRP.

69
Q

An IS auditor discovers several IT-based projects were implemented and not approved by the steering committee. What is the GREATEST concern for the IS auditor?

A) IT projects are not following the system development life cycle process.
B) The IT department may not be working toward a common goal.
C) IT projects are not consistently formally approved.
D) The IT department’s projects will not be adequately funded.

A

B) The IT department may not be working toward a common goal.

The IT department may not be working toward a common goal is correct. The steering committee provides direction and control over projects to ensure that the company is making appropriate investments. Without approval, the project may or may not be working toward the company’s goals.

70
Q

An IS auditor finds that the data warehouse query performance decreases significantly at certain times of the day. Which of the following controls would be MOST relevant for the IS auditor to review?

A) User spool and database limit controls
B) Read/write access log controls
C) Permanent table-space allocation
D) Commitment and rollback controls

A

A) User spool and database limit controls

User spool and database limit controls is correct. User spool limits restrict the space available for running user queries. This prevents poorly formed queries from consuming excessive system resources and impacting general query performance. Limiting the space available to users in their own databases prevents them from building excessively large tables. This helps to control space utilization which itself acts to help performance by maintaining a buffer between the actual data volume stored and the physical device capacity. Additionally, it prevents users from consuming excessive resources in ad hoc table builds (as opposed to scheduled production loads that often can run overnight and are optimized for performance purposes). In a data warehouse, because you are not running online transactions, commitment and rollback does not have an impact on performance.

71
Q

The PRIMARY benefit of implementing a security program as part of a security governance framework is the:

A) alignment of the IT activities with IS audit recommendations.
B) reduction of the cost for IT security.
C) implementation of the chief information security officer’s recommendations.
D) enforcement of the management of security risk.

A

D) enforcement of the management of security risk.

Enforcement of the management of security risk is correct. The major benefit of implementing a security program is management’s assessment of risk and its mitigation to an appropriate level, and monitoring of the residual risk.

72
Q

An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access is nonetheless required for the smooth functioning of business operations. Which of the following controls would the IS auditor MOST likely recommend for long-term resolution?

A) Implement additional logging controls.
B) Redesign the controls related to data authorization.
C) Review policy to see if a formal exception process is required.
D) Implement additional segregation of duties controls.

A

C) Review policy to see if a formal exception process is required.

Review policy to see if a formal exception process is required is correct. If the users are granted access to change data in support of the business requirements, the policy should be followed. If there is no policy for the granting of extraordinary access, then one should be designed to ensure no unauthorized changes are made.

73
Q

An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise’s investment in software is protected, which of the following should be recommended by the IS auditor?

A) Due diligence should be performed on the software vendor.
B) There should be a source code escrow agreement in place.
C) A quarterly audit of the vendor facilities should be performed.
D) A high penalty clause should be included in the contract.

A

B) There should be a source code escrow agreement in place.

There should be a source code escrow agreement in place is correct. A source code escrow agreement is primarily recommended to help protect the enterprise’s investment in software, because the source code will be available through a trusted third party and can be retrieved if the start-up vendor goes out of business.

74
Q

An IS auditor is reviewing an organization’s controls related to email encryption. The company’s policy states that all sent email must be encrypted to protect the confidentiality of the message because the organization shares nonpublic information through email. In a public key infrastructure implementation properly configured to provide confidentiality, email is:

A) encrypted with the recipient’s private key and decrypted with the sender’s private key.
B) encrypted with the sender’s private key and decrypted with the recipient’s private key.
C) encrypted with the recipient’s public key and decrypted with the recipient’s private key.
D) encrypted with the sender’s private key and decrypted with the sender’s public key.

A

C) encrypted with the recipient’s public key and decrypted with the recipient’s private key.

Encrypted with the recipient’s public key and decrypted with the recipient’s private key is correct. Encrypting a message with the recipient’s public key and decrypting it with the recipient’s private key ensures message confidentiality, because only the intended recipient has the correct private key to decrypt the message.

75
Q

During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:

A) message authentication.
B) encryption.
C) callback modems.
D) dedicated leased lines.

A

B) encryption.

Encryption is correct. Encryption of data is the most secure method of protecting confidential data from exposure.

76
Q

An IS auditor is reviewing system development for a health care organization with two application environments—production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation?

A) The test environment may produce inaccurate results due to use of production data.
B) The test environment may not have adequate access controls implemented to ensure data confidentiality.
C) Hardware in the test environment may not be identical to the production environment.
D) The test environment may not have adequate controls to ensure data accuracy.

A

B) The test environment may not have adequate access controls implemented to ensure data confidentiality.

The test environment may not have adequate access controls implemented to ensure data confidentiality is correct. In many cases, the test environment is not configured with the same access controls that are enabled in the production environment. For example, programmers may have privileged access to the test environment (for testing), but not to the production environment. If the test environment does not have adequate access control, the production data are subject to risk of unauthorized access and/or data disclosure. This is the most significant risk of the choices listed.

77
Q

An organization’s IT director has approved the installation of a wireless local area network access point in a conference room for a team of consultants to access the Internet with their laptop computers. The BEST control to protect the corporate servers from unauthorized access is to ensure that:

A) the conference room network is on a separate virtual local area network.
B) antivirus signatures and patch levels are current on the consultants’ laptops.
C) encryption is enabled on the access point.
D) default user IDs are disabled and strong passwords are set on the corporate servers.

A

A) the conference room network is on a separate virtual local area network.

The conference room network is on a separate virtual local area network (VLAN) is correct. The installation of the wireless network device presents risk to the corporate servers from both authorized and unauthorized users. A separate virtual local area network is the best solution because it ensures that both authorized and unauthorized users are prevented from gaining network access to database servers, while allowing Internet access to authorized users.

78
Q

During an access control review for a mainframe application, an IS auditor discovers user security groups without designated owners. The PRIMARY reason that this is a concern to the IS auditor is that without ownership, there is no one with clear responsibility for:

A) reviewing existing user access.
B) updating group metadata.
C) approval of user access.
D) removing terminated users.

A

C) approval of user access.

Approval of user access is correct. Without an owner to provide approval for user access to the group, unauthorized individuals could potentially gain access to any sensitive data within the rights of the group.

79
Q

Which of the following types of penetration tests effectively evaluates the incident handling and response capability of the system administrator?

A) Targeted testing
B) Double-blind testing
C) Internal testing
D) External testing

A

B) Double-blind testing

Double-blind testing is correct. In double-blind testing, the penetration tester has little or limited knowledge about the target system, and personnel at the target site have not been informed that a test is being performed. Because the administrator and security staff at the target are not aware of the test, it can effectively evaluate the incident handling and response capability of the system administrator.

80
Q

An employee has received a digital photo frame as a gift and has connected it to his/her work PC to transfer digital photos. The PRIMARY risk that this scenario introduces is that:

A) the drivers for the photo frame may be incompatible and crash the user’s PC.
B) the photo frame could be infected with malware.
C) the photo frame storage media could be used to steal corporate data.
D) the employee may bring inappropriate photographs into the office.

A

B) the photo frame could be infected with malware.

The photo frame could be infected with malware is correct. Any storage device can be a vehicle for infecting other computers with malware. There are several examples where it has been discovered that some devices are infected in the factory during the manufacturing process and controls should exist to prohibit employees from connecting any storage media devices to their company-issued PCs.

81
Q

An IS auditor discovers a potential material finding. The BEST course of action is to:

A) increase the scope of the audit.
B) perform additional testing.
C) discuss the potential finding with the audit committee.
D) report the potential finding to business management.

A

B) perform additional testing.

Perform additional testing is correct. The IS auditor should perform additional testing to ensure that it is a finding. An auditor can quickly lose credibility if it is later discovered the finding was not justified or accurate.

82
Q

An IS auditor finds that conference rooms have active network ports. Which of the following would prevent this discovery from causing concern?

A) Antivirus software is in place to protect the corporate network.
B) A single sign-on has been implemented in the corporate network.
C) This part of the network is isolated from the corporate network.
D) The corporate network is using an intrusion prevention system.

A

C) This part of the network is isolated from the corporate network.

This part of the network is isolated from the corporate network is correct. If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or by being physically separated.

83
Q

Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data?

A) Virtual private network
B) Secure Sockets Layer
C) Intrusion detection system
D) Public key infrastructure

A

B) Secure Sockets Layer

Secure Sockets Layer (SSL) is correct. SSL is used by many e-commerce applications to set up a secure channel for communications, providing confidentiality through a combination of public key and symmetric key encryption and integrity through a hash-based message authentication code.

84
Q

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?

A) Risk mitigation
B) Risk avoidance
C) Risk transfer
D) Risk reduction

A

C) Risk transfer

Risk transfer is correct. This typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist.

85
Q

A system developer transfers to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST significant concern?

A) The employee’s knowledge of business risk may be limited.
B) Audit points may largely shift to technical aspects.
C) The work may be construed as a self-audit.
D) The employee may not have sufficient control assessment skills.

A

C) The work may be construed as a self-audit.

The work may be construed as a self-audit is correct. Because the employee had been a developer, it is recommended that the audit coverage should exclude the systems developed by this employee to avoid any conflicts of interests.

86
Q

Regression testing is undertaken PRIMARILY to ensure that:

A) a new system can operate in the target environment.
B) system functionality meets customer requirements.
C) applied changes have not introduced new errors.
D) applicable development standards have been maintained.

A

C) applied changes have not introduced new errors.

Applied changes have not introduced new errors is correct. Regression testing is used to test for the introduction of new errors in the system after changes have been applied.

87
Q

A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?

A) Work is being completed in TCP services.
B) A digital signature with RSA has been implemented.
C) Work is completed in tunnel mode with IP security.
D) Digital certificates with RSA are being used.

A

C) Work is completed in tunnel mode with IP security.

Work is completed in tunnel mode with IP security is correct. Tunnel mode with Internet Protocol (IP) security provides encryption and authentication of the complete IP package. To accomplish this, the authentication header and encapsulating security payload services can be nested. This is known as IP Security.

88
Q

An IS auditor is reviewing an organization’s recovery from a disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined?

A) The service delivery objective
B) The recovery time objective
C) The recovery point objective
D) The interruption window

A

C) The recovery point objective

The recovery point objective (RPO) is correct. This is determined based on the acceptable data loss in the case of a disruption of operations. RPO defines the point in time from which it is necessary to recover the data and quantifies, in terms of time, the permissible amount of data loss in the case of interruption.

89
Q

A laptop computer belonging to a company database administrator (DBA) and containing a file of production database passwords has been stolen. What should the organization do FIRST?

A) Change the database password.
B) Send a report to the IS audit department.
C) Suspend the DBA account.
D) Change the name of the DBA account.

A

A) Change the database password.

Change the database password is correct. The password should be changed immediately because there is no way to know whether it has been compromised.

90
Q

An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization’s project management process is the MOST likely cause of this issue?

A) Project time management
B) Project risk management
C) Project scope management
D) Project procurement management

A

C) Project scope management

Project scope management is correct. Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processes required to ensure that the project includes all of the required work, and only the required work, to complete the project.

91
Q

Which of the following choices would MOST likely ensure that a disaster recovery effort is successful?

A) Appropriate staff resources are committed.
B) Data restoration was completed.
C) Recovery procedures are approved.
D) The tabletop test was performed.

A

B) Data restoration was completed.

Data restoration was completed is correct. The most reliable method to determine whether a backup is valid would be to restore it to a system. A data restore test should be performed at least annually to verify that the process is working properly.

92
Q

An organization is migrating from a legacy system to an enterprise resource planning system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:

A) correlation of semantic characteristics of the data migrated between the two systems.
B) relative efficiency of the processes between the two systems.
C) correlation of arithmetic characteristics of the data migrated between the two systems.
D) correlation of functional characteristics of the processes between the two systems.

A

A) correlation of semantic characteristics of the data migrated between the two systems.

Correlation of semantic characteristics of the data migrated between the two systems is correct. Because the two systems could have different data representations, including the database schema, the IS auditor’s main concern should be to verify that the interpretation of the data (structure) is the same in the new system as it was in the old system.

93
Q

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?

A) Calculation of the expected end date based on current resources and remaining available project budget
B) Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables
C) Extrapolation of the overall end date based on completed work packages and current resources
D) Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports

A

C) Extrapolation of the overall end date based on completed work packages and current resources

Extrapolation of the overall end date based on completed work packages and current resources is correct. Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (i.e., 80:20 rule).

94
Q

An IS auditor is reviewing an IT security risk management program. Measures of security risk should:

A) be tracked over time against the IT strategic plan.
B) consider the entire IT environment.
C) address all of the network risk.
D) result in the identification of vulnerability tolerances.

A

B) consider the entire IT environment.

Consider the entire IT environment is correct. When assessing IT security risk, it is important to consider the entire IT environment.

95
Q

When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the:

A) hardware is protected against long-term power fluctuations.
B) integrity is maintained if the main power is interrupted.
C) immediate power will be available if the main power is lost.
D) hardware is protected against power surges.

A

D) hardware is protected against power surges.

Hardware is protected against power surges is correct. A voltage regulator protects against short-term power fluctuations.

96
Q

An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the:

A) security policy be updated to include the specific language regarding unauthorized software.
B) IT department implement control mechanisms to prevent unauthorized software installation.
C) users obtain approval from an IS manager before installing nonstandard software.
D) IT department prohibit the download of unauthorized software.

A

A) security policy be updated to include the specific language regarding unauthorized software.

Security policy be updated to include the specific language regarding unauthorized software is correct. Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue—and provide authority for the IT department to implement technical controls.

97
Q

The risk associated with electronic evidence gathering is MOST likely reduced by an email:

A) destruction policy.
B) audit policy.
C) security policy.
D) archive policy.

A

D) archive policy.

Archive policy is correct. With a policy of well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible.

98
Q

When reviewing an organization’s approved software product list, which of the following is the MOST important thing to verify?

A) Due to licensing issues, the list does not contain open source software.
B) The latest version of software is listed for each product.
C) The risk associated with the use of the products is periodically assessed.
D) After-hours support is offered.

A

C) The risk associated with the use of the products is periodically assessed.

The risk associated with the use of the products is periodically assessed is correct. Because the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This may be best incorporated into the IT risk management process.

99
Q

A project development team is considering using production data for its test deck. The team removed sensitive data elements from the bed before loading it into the test environment. Which of the following additional concerns should an IS auditor have with this practice?

A) Not all functionality will be tested.
B) Specialized training is required.
C) The project may run over budget.
D) Production data are introduced into the test environment.

A

A) Not all functionality will be tested.

Not all functionality will be tested is correct. A primary risk of using production data in a test deck is that not all transactions or functionality may be tested if there are no data that meet the requirement.

100
Q

An IS auditor is testing employee access to a large financial system, and the IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing?

A) A list of accounts with access levels generated by the system
B) A spreadsheet provided by the system administrator
C) Observations performed onsite in the presence of a system administrator
D) Human resources access documents signed by employees’ managers

A

A) A list of accounts with access levels generated by the system

A list of accounts with access levels generated by the system is correct. The access list generated by the system is the most reliable, because it is the most objective evidence to perform a comparison against the samples selected. The evidence is objective, because it was generated by the system rather than by an individual.

101
Q

Which of the following is responsible for the approval of an information security policy?

A) Board of directors
B) IT department
C) Security administrator
D) Security committee

A

A) Board of directors

Board of directors is correct. Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors.

102
Q

Which of the following features of a public key infrastructure is MOST closely associated with proving that an online transaction was authorized by a specific customer?

A) Authentication
B) Integrity
C) Encryption
D) Nonrepudiation

A

D) Nonrepudiation

Nonrepudiation is correct. This, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message.

103
Q

An IS auditor is reviewing system access and discovers an excessive number of users with privileged access. The IS auditor discusses the situation with the system administrator, who states that some personnel in other departments need privileged access and management has approved the access. Which of the following would be the BEST course of action for the IS auditor?

A) Document the issue in the audit report.
B) Recommend an update to the procedures.
C) Discuss the issue with senior management.
D) Determine whether compensating controls are in place.

A

D) Determine whether compensating controls are in place.

Determine whether compensating controls are in place is correct. An excessive number of users with privileged access is not necessarily an issue if compensating controls are in place.

104
Q

An IS auditor discovers that devices connected to the network are not included in a network diagram that had been used to develop the scope of the audit. The chief information officer explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:

A) evaluate the impact of the undocumented devices on the audit scope.
B) expand the scope of the IS audit to include the devices that are not on the network diagram.
C) plan follow-up audits of the undocumented devices.
D) note a control deficiency because the network diagram has not been approved.

A

A) evaluate the impact of the undocumented devices on the audit scope.

Evaluate the impact of the undocumented devices on the audit scope is correct. In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated—for example, the network layer, cross-connections, etc.

105
Q

When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor?

A) Hard disks are overwritten several times at the sector level but are not reformatted before leaving the organization.
B) All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization.
C) The transport of hard disks is escorted by internal security staff to a nearby metal recycling company, where the hard disks are registered and then shredded.
D) Hard disks are rendered unreadable by hole-punching through the platters at specific positions before leaving the organization.

A

B) All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization.

All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization is correct. Deleting and formatting only marks the sectors that contained files as being free. Publicly available tools are sufficient for someone to reconstruct data from hard drives prepared this way.

106
Q

From a control perspective, the PRIMARY objective of classifying information assets is to:

A) ensure access controls are assigned to all information assets.
B) assist management and auditors in risk assessment.
C) identify which assets need to be insured against losses.
D) establish guidelines for the level of access controls that should be assigned.

A

D) establish guidelines for the level of access controls that should be assigned.

Establish guidelines for the level of access controls that should be assigned is correct. Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset.

107
Q

An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability?

A) Test plans and procedures exist and are closely followed.
B) Changes are authorized by IT managers at all times.
C) User acceptance testing is performed and properly documented.
D) Capacity planning is performed as part of each development project.

A

A) Test plans and procedures exist and are closely followed.

Test plans and procedures exist and are closely followed is correct. The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently.

108
Q

Which of the following is the MOST efficient strategy for the backup of large quantities of mission-critical data when the systems need to be online to take sales orders 24 hours a day?

A) Making a full backup to tape weekly and an incremental backup nightly
B) Creating a duplicate storage area network (SAN) and replicating the data to a second SAN
C) Implementing a fault-tolerant disk-to-disk backup solution
D) Creating identical server and storage infrastructure at a hot site

A

C) Implementing a fault-tolerant disk-to-disk backup solution

Implementing a fault-tolerant disk-to-disk backup solution is correct. Disk-to-disk backup, also called disk-to-disk-to-tape backup or tape cache, is when the primary backup is written to disk instead of tape. That backup can then be copied, cloned or migrated to tape at a later time (hence the term “disk-to-disk-to-tape”). This technology allows the backup of data to be performed without impacting system performance and allows a large quantity of data to be backed up in a very short backup window. In case of a failure, the fault-tolerant system can transfer immediately to the other disk set.

109
Q

An IS auditor performing detailed network assessments and access control reviews should FIRST:

A) assess users’ identification and authorization.
B) evaluate users’ access authorization.
C) determine the points of entry into the network.
D) evaluate the domain-controlling server configuration.

A

C) determine the points of entry into the network.

Determine the points of entry into the network is correct. In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry, accordingly, for appropriate controls.

110
Q

When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies:

A) strike a balance between business and security requirements.
B) provide direction for implementing security procedures.
C) are approved by the board of directors and senior management.
D) are aligned with globally accepted industry good practices.

A

A) strike a balance between business and security requirements.

Strike a balance between business and security requirements is correct. Because information security policies must be aligned with an organization’s business and security objectives, this is the primary focus of the IS auditor when reviewing the development of information security policies.

111
Q

An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings?

A) Standard report with configuration values retrieved from the system by the IS auditor
B) System configuration values imported to a spreadsheet by the system administrator
C) Annual review of approved system configuration values by the business owner
D) Dated screenshot of the system configuration settings made available by the system administrator

A

A) Standard report with configuration values retrieved from the system by the IS auditor

Standard report with configuration values that are retrieved from the system by the IS auditor is correct. Evidence that is obtained directly from the source by an IS auditor is more reliable than information that is provided by a system administrator or a business owner, because the IS auditor does not have a vested interest in the outcome of the audit.

112
Q

Which of the following types of firewalls would BEST protect a network from an Internet attack?

A) Screened subnet firewall
B) Packet filtering router
C) Circuit-level gateway
D) Application filtering gateway

A

A) Screened subnet firewall

Screened subnet firewall is correct. This would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to allow or block traffic between networks or nodes based on addresses, ports, protocols, interfaces, etc. The subnet would isolate Internet-based traffic from the rest of the corporate network.

113
Q

When reviewing system parameters, an IS auditor’s PRIMARY concern should be that:

A) access to parameters in the system is restricted.
B) changes are recorded in an audit trail and periodically reviewed.
C) changes are authorized and supported by appropriate documents.
D) they are set to meet both security and performance requirements.

A

D) they are set to meet both security and performance requirements.

They are set to meet both security and performance requirements is correct. The primary concern is to find the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; however, if parameters are not set according to business rules, monitoring of changes may not be an effective control.

114
Q

An IS auditor performing a review of application controls would evaluate the:

A) impact of any exposures discovered.
B) application’s optimization.
C) efficiency of the application in meeting the business processes.
D) business processes served by the application.

A

A) impact of any exposures discovered.

Impact of any exposures discovered is correct. An application control review involves the evaluation of the application’s automated controls and an assessment of any exposures resulting from the control weaknesses.

115
Q

An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks and reports for distribution. To BEST ensure payroll data accuracy:

A) checks should be compared to input forms.
B) payroll reports should be compared to input forms.
C) gross payroll should be recalculated manually.
D) checks should be reconciled with output reports.

A

B) payroll reports should be compared to input forms.

Payroll reports should be compared to input forms is correct. The best way to confirm data accuracy, when input is provided by the organization and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports.

116
Q

Which of the following is a network diagnostic tool that monitors and records network information?

A) Online monitor
B) Help desk report
C) Protocol analyzer
D) Downtime report

A

C) Protocol analyzer

Protocol analyzer is correct. These are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached.

117
Q

While conducting an audit on the customer relationship management application, the IS auditor observes that it takes a significantly long time for users to log on to the system during peak business hours as compared with other times of the day. Once logged on, the average response time for the system is within acceptable limits. Which of the following choices should the IS auditor recommend?

A) Users should be provided with detailed manuals to use the system properly.
B) IT should increase the network bandwidth to improve performance.
C) Establish performance measurement criteria for the authentication servers.
D) No action should be taken because the system meets current business requirements.

A

C) Establish performance measurement criteria for the authentication servers.

Establish performance measurement criteria for the authentication servers is correct. Performance criteria for the authentication servers would help to quantify acceptable thresholds for system performance, which can be measured and remediated.

118
Q

Which of the following components is responsible for the collection of data in an intrusion detection system?

A) Sensor
B) User interface
C) Analyzer
D) Administration console

A

A) Sensor

Sensor is correct. Sensors are responsible for collecting data. Sensors may be attached to a network, server or other location and may gather data from many points for later analysis.

119
Q

Which of the following functions is performed by a virtual private network?

A) Enforcing security policies
B) Detecting misuse or mistakes
C) Regulating access
D) Hiding information from sniffers on the net

A

D) Hiding information from sniffers on the net

Hiding information from sniffers on the net is correct. A virtual private network (VPN) hides information from sniffers on the Internet using tunneling. It works based on encapsulation and encryption of sensitive traffic.

120
Q

Which of the following is the GREATEST risk to the effectiveness of application system controls?

A) Unresolved regulatory compliance issues
B) Inadequate procedure manuals
C) Removal of manual processing steps
D) Collusion between employees

A

D) Collusion between employees

Collusion between employees is correct. Collusion is an active attack where users collaborate to bypass controls such as separation of duties. Such breaches may be difficult to identify because even well-thought-out application controls may be circumvented.

121
Q

An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit?

A) To ensure that data entered are within reasonable limits
B) To ensure that transactions do not exceed predetermined amounts
C) To ensure that data entered are within a predetermined range of values
D) To detect data transposition errors

A

D) To detect data transposition errors

To detect data transposition errors is correct. A check digit is a numeric value added to data to ensure that original data are correct and have not been altered.

122
Q

An IS auditor is auditing an IT disaster recovery plan. The IS auditor should PRIMARILY ensure that the plan covers:

A) a resilient IT infrastructure.
B) documented disaster recovery test results.
C) alternate site information.
D) analysis and prioritization of business functions.

A

D) analysis and prioritization of business functions.

Analysis and prioritization of business functions is correct. The disaster recovery plan (DRP) must primarily focus on recovering critical business functions in the event of disaster within predefined recovery time objectives (RTOs); thus, it is necessary to align the recovery of IT services based on the criticality of business functions.

123
Q

An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely:

A) check to ensure that the type of transaction is valid for the card type.
B) confirm that the card is not shown as lost or stolen on the master file.
C) verify the format of the number entered, then locate it on the database.
D) ensure that the transaction entered is within the cardholder’s credit limit.

A

C) verify the format of the number entered, then locate it on the database.

Verify the format of the number entered, then locate it on the database is correct. The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number entered by the user.

124
Q

A project manager for a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine:

A) the amount of progress achieved compared to the project schedule.
B) if the project could be brought in ahead of schedule.
C) if the project budget can be reduced.
D) if the budget savings can be applied to increase the project scope.

A

A) the amount of progress achieved compared to the project schedule.

The amount of progress achieved compared to the project schedule is correct. Cost performance of a project cannot be properly assessed in isolation of schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project.

125
Q

A hacker could obtain passwords without the use of computer tools or programs through the technique of:

A) social engineering.
B) sniffers.
C) back doors.
D) Trojan horses.

A

A) social engineering.

Social engineering is correct. This is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their or someone else’s personal data.

126
Q

An IS auditor invited to a project development meeting notes that no project risk has been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risk and that, if risk starts impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:

A) accept the project manager’s position because the project manager is accountable for the outcome of the project.
B) inform the project manager that the IS auditor will conduct a review of the risk at the completion of the requirements definition phase of the project.
C) offer to work with the risk manager when one is appointed.
D) stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans.

A

D) stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans.

Stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans is correct. The majority of project risk can be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk. A project should have a clear link back to corporate strategy, enterprise risk management, and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risk.

127
Q

A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site’s address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor’s GREATEST concern with this process is that:

A) the site credentials were sent to the financial services company via email.
B) the users may not remember to manually encrypt the data before transmission.
C) the use of a shared user ID to the FTP site does not allow for user accountability.
D) personnel at the consulting firm may obtain access to sensitive data.

A

B) the users may not remember to manually encrypt the data before transmission.

The users may not remember to manually encrypt the data before transmission is correct. If the data is not encrypted, an unauthorized external party may download sensitive company data.

128
Q

Which of the following would impair the independence of a quality assurance team?

A) Checking the test assumptions
B) Correcting coding errors during the testing process
C) Ensuring compliance with development methods
D) Checking the code to ensure proper documentation.

A

B) Correcting coding errors during the testing process

Correcting coding errors during the testing process is correct. Correction of code should not be a responsibility of the quality assurance team, because it would not ensure segregation of duties and would impair the team’s independence.

129
Q

Responsibility and reporting lines cannot always be established when auditing automated systems because:

A) ownership is difficult to establish where resources are shared.
B) duties change frequently in the rapid development of technology.
C) diversified control makes ownership irrelevant.
D) staff traditionally changes jobs with greater frequency.

A

A) ownership is difficult to establish where resources are shared.

Ownership is difficult to establish where resources are shared is correct. The actual data and/or application owner may be hard to establish because of the complex nature of both data and application systems, and because many systems support more than one business department.

130
Q

Java applets and Active X controls are distributed programs that execute in the background of a client web browser. This practice is considered reasonable when:

A) the host web site is part of the organization.
B) a secure web connection is used.
C) a firewall exists.
D) the source of the executable file is certain.

A

The source of the executable file is certain is correct. Acceptance of these mechanisms should be based on established trust. The control is provided by only knowing the source and then allowing the acceptance of the applets. Hostile applets can be received from anywhere. A firewall exists is incorrect. There should always be a firewall on an Internet connection; however, whether to allow active modules is a decision made depending on the source of the module. A secure web connection is used is incorrect. A secure web connection provides confidentiality. Neither a secure web connection nor a firewall can identify an executable file as friendly. The host web site is part of the organization is incorrect. Hosting the web site as part of the organization is impractical. The client will accept the program if the parameters are established to do so.

131
Q

Which of the following is of MOST interest to an IS auditor reviewing an organization’s risk strategy?

A) The organization uses an established risk framework.
B) Residual risk is zero after control implementation.
C) All risk is mitigated effectively.
D) All likely risk is identified and ranked.

A

A) The organization uses an established risk framework.

All likely risk is identified and ranked is correct. Risk that is likely to impact the organization should be identified and documented as part of the risk strategy. Without knowing the risk, there is no risk strategy.

132
Q

The PRIMARY objective of service- level management is to:

A) monitor and report any legal noncompliance to business management.
B) ensure that services are managed to deliver the highest achievable level of availability.
C) define, agree on, record and manage the required levels of service.
D) keep the costs associated with any service at a minimum.

A

C) define, agree on, record and manage the required levels of service.

Define, agree on, record and manage the required levels of service is correct. The objective of service-level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services.

133
Q

While designing the business continuity plan for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:

A) electronic vaulting.
B) hard-disk mirroring.
C) hot-site provisioning.
D) shadow file processing.

A

D) shadow file processing.

In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files such as airline booking systems.

134
Q

The MAIN purpose of a transaction audit trail is to:

A) reduce the use of storage media.
B) determine accountability and responsibility for processed transactions.
C) provide useful information for capacity planning.
D) help an IS auditor trace transactions.

A

B) determine accountability and responsibility for processed transactions.

Determine accountability and responsibility for processed transactions is correct. Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system.

135
Q

During a review of intrusion detection logs, an IS auditor notices traffic coming from the Internet, which appears to originate from the internal IP address of the company payroll server. Which of the following malicious activities would MOST likely cause this type of result?

A) A man-in-the-middle attack
B) Spoofing
C) A denial-of-service attack
D) Port scanning

A

B) Spoofing

Spoofing is correct. This is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server’s internal network address. By impersonating the payroll server, the attacker may be able to access sensitive internal resources.

136
Q

An IS auditor is reviewing the software development process for an organization. Which of the following functions are appropriate for the end users to perform?

A) Program logic specification
B) Performance tuning
C) Program output testing
D) System configuration

A

C) Program output testing

Program output testing is correct. A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user.

137
Q

An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important?

A) Equal-error rate
B) False-acceptance rate
C) False-identification rate
D) False-rejection rate

A

B) False-acceptance rate

False-acceptance rate (FAR) is correct. This is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied. In an organization with high security requirements, limiting the number of false acceptances is more important than the impact on the false-rejection rate.

138
Q

A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately, and the corresponding products are produced?

A) Approving (production supervisor) orders prior to production
B) Logging all customer orders in the ERP system
C) Verifying production of customer orders
D) Using hash totals in the order transmitting process

A

D) Using hash totals in the order transmitting process

Verifying production of customer orders is correct. Verification of the products produced will ensure that the produced products match the orders in the order system.

139
Q

When reviewing an organization’s logical access security to its remote systems, which of the following would be of GREATEST concern to an IS auditor?

A) Unencrypted passwords are used.
B) Passwords are shared.
C) Redundant logon IDs exist.
D) Third-party users possess administrator access.

A

A) Unencrypted passwords are used.

Unencrypted passwords are used is correct. When evaluating the technical aspects of logical security, unencrypted passwords represent the greatest risk because it would be assumed that remote access would be over an untrusted network where passwords could be discovered.

140
Q

A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions more than a certain amount. What type of audit control is this?

A) Directive
B) Preventive
C) Corrective
D) Detective

A

B) Preventive

Preventive is correct. Having a manager approve transactions more than a certain amount is considered a preventive control.

141
Q

The potential for unauthorized system access by way of terminals or workstations within an organization’s facility is increased when:

A) connecting points are available in the facility to connect laptops to the network.
B) terminals are located within the facility in small clusters under the supervision of an administrator.
C) terminals with password protection are located in insecure locations.
D) users take precautions to keep their passwords confidential.

A

A) connecting points are available in the facility to connect laptops to the network.

Connecting points are available in the facility to connect laptops to the network is correct. Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other choices are controls for preventing unauthorized network access.

142
Q

When an employee is terminated from service, the MOST important action is to:

A) disable the employee’s logical access.
B) hand over all of the employee’s files to another designated employee.
C) notify other employees of the termination.
D) complete a backup of the employee’s work.

A

A) disable the employee’s logical access.

Disable the employee’s logical access is correct. There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee’s logical access is the most important and immediate action to take.

143
Q

Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?

A) Cyclic redundancy check
B) Block sum check
C) Echo check
D) Parity check

A

A) Cyclic redundancy check

Cyclic redundancy check (CRC) is correct. CRC can check a block of transmitted data. The sending workstation generates the CRC and transmits it with the data. The receiving workstation computes a CRC and compares it to the transmitted CRC. If both of them are equal, then the block is assumed error free. Unlike a parity check or echo check, CRC can detect multiple errors within a block. In general, CRC can detect all single-bit and double-bit errors.

144
Q

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:

A) increases in quality are only achieved if resource allocation is increased.
B) decreases in delivery time can only be achieved if quality is decreased.
C) increases in quality can be achieved, if resource allocation is decreased.
D) decreases in delivery time can be achieved, if resource allocation is decreased.

A

C) increases in quality can be achieved, if resource allocation is decreased.

Increases in quality can be achieved, if resource allocation is decreased is correct. The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing either one or both remaining dimensions. Thus, if resource allocation is decreased, an increase in quality can be achieved if a delay in the delivery time of the project will be accepted. The area of the triangle always remains constant.

145
Q

An IS auditor is conducting a review of the disaster recovery procedures for a data center. Which of the following indicators BEST shows that the procedures meet the requirements?

A) Documented procedures were approved by management.
B) A tabletop exercise using the procedures was conducted.
C) Procedures were reviewed and compared with industry good practices.
D) Recovery teams and their responsibilities are documented.

A

B) A tabletop exercise using the procedures was conducted.

A tabletop exercise using the procedures was conducted is correct. Conducting a tabletop exercise (paper-based test) of the procedures with all responsible members best ensures that the procedures meet the requirements. This type of test can identify missing or incorrect procedures because representatives responsible for performing the tasks are present.

146
Q

Which of the following goals do you expect to find in an organization’s strategic plan?

A) Approved suppliers for products offered by the company
B) An evaluation of information technology needs
C) Results of new software testing
D) Short-term project plans for a new planning system

A

A) Approved suppliers for products offered by the company

Approved suppliers for products offered by the company is correct. Approved suppliers of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and, thus, is a part of the organization’s strategic plan.

147
Q

What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should:

A) introduce audit hooks into the company’s financial systems to support continuous auditing.
B) be customizable and support inclusion of custom programming to aid in investigative analysis.
C) interface with various types of enterprise resource planning software and databases.
D) accurately capture data from the organization’s systems without causing excessive performance problems.

A

D) accurately capture data from the organization’s systems without causing excessive performance problems.

Accurately capture data from the organization’s systems without causing excessive performance problems is correct. Although all the requirements that are listed as answer choices are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool works effectively on the systems of the organization being audited.

148
Q

The MOST important point of consideration for an IS auditor while reviewing an enterprise’s project portfolio is that it:

A) has been approved by the IT steering committee.
B) is aligned with the business plan.
C) does not exceed the existing IT budget.
D) is aligned with the investment strategy.

A

B) is aligned with the business plan.

Is aligned with the business plan is correct. Portfolio management takes a holistic view of an enterprise’s overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.

149
Q

Which of the following is an example of the defense-in-depth security principle?

A) Using two firewalls to consecutively check the incoming network traffic
B) Using two firewalls in parallel to check different types of incoming traffic
C) Using a firewall as well as logical access controls on the hosts to control incoming network traffic
D) Lack of physical signs on the outside of a computer center building

A

C) Using a firewall as well as logical access controls on the hosts to control incoming network traffic

Using a firewall as well as logical access controls on the hosts to control incoming network traffic is correct. Defense in depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls on the hosts form a second line of defense.

150
Q

Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization’s security policy?

A) Review the device’s log file for recent attacks.
B) Interview the firewall administrator.
C) Review the actual procedures.
D) Review the parameter settings.

A

D) Review the parameter settings.

Review the parameter settings is correct. A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation.