Exam 4 Flashcards

1
Q

An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?

A. References from other customers
B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan

A

A. References from other customers

2
Q

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:

A. control self-assessments.
B. a business impact analysis.
C. an IT balanced scorecard.
D. business process reengineering.

A

C. an IT balanced scorecard.

3
Q

A poor choice of passwords and transmission over unprotected communications lines are examples of:

A. vulnerabilities.
B. threats.
C. probabilities.
D. impacts.

A

A. vulnerabilities.

4
Q

To support an organization’s goals, an IS department should have:

A. a low-cost philosophy.
B. long- and short-range plans.
C. leading-edge technology.
D. plans to acquire new hardware and software.

A

B. long- and short-range plans.

5
Q

A local area network (LAN) administrator normally would be restricted from:

A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.

A

C. having programming responsibilities.

6
Q

To minimize costs and improve service levels, an outsourcer should seek which of the following contract clauses?

A. O/S and hardware refresh frequencies
B. Gain-sharing performance bonuses
C. Penalties for noncompliance
D. Charges tied to variable cost metrics

A

B. Gain-sharing performance bonuses

7
Q

Which of the following is a mechanism for mitigating risks?

A. Security and control practices
B. Property and liability insurance
C. Audit and certification
D. Contracts and service level agreements (SLAs)

A

A. Security and control practices

8
Q

Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?

A. Security incident summaries
B. Vendor best practices
C. CERT coordination center
D. Significant contracts

A

D. Significant contracts

9
Q

The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?

A. Utilization of an intrusion detection system to report incidents
B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees

A

D. Training provided on a regular basis to all current and new employees

10
Q

A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:

A. recovery.
B. retention.
C. rebuilding.
D. reuse.

A

B. retention.

11
Q

When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?

A. There could be a question regarding the legal jurisdiction.
B. Having a provider abroad will cause excessive costs in future audits.
C. The auditing process will be difficult because of the distance.
D. There could be different auditing norms.

A

A. There could be a question regarding the legal jurisdiction.

12
Q

The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:

A. destruction policy.
B. security policy.
C. archive policy.
D. audit policy.

A

C. archive policy.

13
Q

Effective IT governance requires organizational structures and processes to ensure that:

A. the organization’s strategies and objectives extend the IT strategy.
B. the business strategy is derived from an IT strategy.
C. IT governance is separate and distinct from the overall governance.
D. the IT strategy extends the organization’s strategies and objectives.

A

D. the IT strategy extends the organization’s strategies and objectives.

14
Q

Which of the following would an IS auditor consider to be the MOST important when evaluating an organization’s IS strategy? That it:

A. has been approved by line management.
B. does not vary from the IS department’s preliminary budget.
C. complies with procurement procedures.
D. supports the business objectives of the organization.

A

D. supports the business objectives of the organization.

15
Q

Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?

A. Time zone differences could impede communications between IT teams.
B. Telecommunications cost could be much higher in the first year.
C. Privacy laws could prevent cross-border flow of information.
D. Software development may require more detailed specifications.

A

C. Privacy laws could prevent cross-border flow of information.

16
Q

When reviewing IS strategies, an IS auditor can BEST assess whether the IS strategy supports the organization’s business objectives by determining if IS:

A. has all the personnel and equipment it needs.
B. plans are consistent with management strategy.
C. uses its equipment and personnel efficiently and effectively.
D. has sufficient excess capacity to respond to changing directions.

A

B. plans are consistent with management strategy.

17
Q

An IS auditor should be concerned when a telecommunication analyst:

A. monitors systems performance and tracks problems resulting from program changes.
B. reviews network load requirements in terms of current and future transaction volumes.
C. assesses the impact of the network load on terminal response times and network data transfer rates.
D. recommends network balancing procedures and improvements.

A

A. monitors systems performance and tracks problems resulting from program changes.

18
Q

In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:

A. there is an integration of IS and business staffs within projects.
B. there is a clear definition of the IS mission and vision.
C. a strategic information technology planning methodology is in place.
D. the plan correlates business objectives to IS goals and objectives.

A

A. there is an integration of IS and business staffs within projects.

19
Q

Which of the following provides the best evidence of the adequacy of a security awareness program?

A. The number of stakeholders including employees trained at various levels
B. Coverage of training at all locations across the enterprise
C. The implementation of security devices from different vendors
D. Periodic reviews and comparison with best practices

A

D. Periodic reviews and comparison with best practices

20
Q

The advantage of a bottom-up approach to the development of organizational policies is that the policies:

A. are developed for the organization as a whole.
B. are more likely to be derived as a result of a risk assessment.
C. will not conflict with overall corporate policy.
D. ensure consistency across the organization.

A

B. are more likely to be derived as a result of a risk assessment.

21
Q

Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor’s business continuity plan?

A. Yes, because an IS auditor will evaluate the adequacy of the service bureaus’ plan and assist their company in implementing a complementary plan.
B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. No, because the backup to be provided should be specified adequately in the contract.
D. No, because the service bureau’s business continuity plan is proprietary information.

A

A. Yes, because an IS auditor will evaluate the adequacy of the service bureaus’ plan and assist their company in implementing a complementary plan.

22
Q

A benefit of open system architecture is that it:

A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.
D. allows for the achievement of more economies of scale for equipment.

A

A. facilitates interoperability.

23
Q

The ultimate purpose of IT governance is to:

A. encourage optimal use of IT.
B. reduce IT costs.
C. decentralize IT resources across the organization.
D. centralize control of IT.

A

A. encourage optimal use of IT.

24
Q

Establishing the level of acceptable risk is the responsibility of:

A. quality assurance management.
B. senior business management.
C. the chief information officer.
D. the chief security officer.

A

B. senior business management.

25
Q

In the context of effective information security governance, the primary objective of value delivery is to:

A. optimize security investments in support of business objectives.
B. implement a standard set of security practices.
C. institute a standards-based solution.
D. implement a continuous improvement culture.

A

A. optimize security investments in support of business objectives.

26
Q

A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?

A. Issues of privacy
B. Wavelength can be absorbed by the human body
C. RFID tags may not be removable
D. RFID eliminates line-of-sight reading

A

A. Issues of privacy

27
Q

Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department?

A. Allocating resources
B. Keeping current with technology advances
C. Conducting control self-assessment
D. Evaluating hardware needs

A

A. Allocating resources

28
Q

When developing a risk management program, what is the FIRST activity to be performed?

A. Threat assessment
B. Classification of data
C. Inventory of assets
D. Criticality analysis

A

C. Inventory of assets

29
Q

A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual’s experience and:

A. length of service, since this will help ensure technical competence.
B. age, as training in audit techniques may be impractical.
C. IS knowledge, since this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IS relationships.

A

D. ability, as an IS auditor, to be independent of existing IS relationships.

30
Q

IT governance is PRIMARILY the responsibility of the:

A. chief executive officer.
B. board of directors.
C. IT steering committee.
D. audit committee.

A

B. board of directors.

31
Q

Which of the following is the BEST performance criterion for evaluating the adequacy of an organization’s security awareness training?

A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.
B. Job descriptions contain clear statements of accountability for information security.
C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts.
D. No actual incidents have occurred that have caused a loss or a public embarrassment.

A

B. Job descriptions contain clear statements of accountability for information security.

32
Q

Which of the following is a risk of cross-training?

A. Increases the dependence on one employee
B. Does not assist in succession planning
C. One employee may know all parts of a system
D. Does not help in achieving a continuity of operations

A

C. One employee may know all parts of a system

33
Q

To gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets, an IS auditor should review the:

A. enterprise data model.
B. IT balanced scorecard (BSC).
C. IT organizational structure.
D. historical financial statements.

A

B. IT balanced scorecard (BSC).

34
Q

The development of an IS security policy is ultimately the responsibility of the:

A. IS department.
B. security committee.
C. security administrator.
D. board of directors.

A

D. board of directors.

35
Q

An example of a direct benefit to be derived from a proposed IT-related business investment is:

A. enhanced reputation.
B. enhanced staff morale.
C. the use of new technology.
D. increased market penetration.

A

D. increased market penetration.

36
Q

Which of the following should be considered FIRST when implementing a risk management program?

A. An understanding of the organization’s threat, vulnerability and risk profile
B. An understanding of the risk exposures and the potential consequences of compromise
C. A determination of risk management priorities based on potential consequences
D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level

A

A. An understanding of the organization’s threat, vulnerability and risk profile

37
Q

Which of the following is a function of an IS steering committee?

A. Monitoring vendor-controlled change control and testing
B. Ensuring a separation of duties within the information processing environment
C. Approving and monitoring major projects, the status of IS plans and budgets
D. Liaising between the IS department and the end users

A

C. Approving and monitoring major projects, the status of IS plans and budgets

38
Q

Which of the following is the initial step in creating a firewall policy?

A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods

A

B. Identification of network applications to be externally accessed

39
Q

Which of the following should be included in an organization’s IS security policy?

A. A list of key IT resources to be secured
B. The basis for access authorization
C. Identity of sensitive security features
D. Relevant software security features

A

B. The basis for access authorization

40
Q

When an employee is terminated from service, the MOST important action is to:

A. hand over all of the employee’s files to another designated employee.
B. complete a backup of the employee’s work.
C. notify other employees of the termination.
D. disable the employee’s logical access.

A

D. disable the employee’s logical access.

41
Q

The PRIMARY objective of an audit of IT security policies is to ensure that:

A. they are distributed and available to all staff.
B. security and control policies support business and IT objectives.
C. there is a published organizational chart with functional descriptions.
D. duties are appropriately segregated.

A

B. security and control policies support business and IT objectives.

42
Q

A top-down approach to the development of operational policies will help ensure:

A. that they are consistent across the organization.
B. that they are implemented as a part of risk assessment.
C. compliance with all policies.
D. that they are reviewed periodically.

A

A. that they are consistent across the organization.

43
Q

Which of the following goals would you expect to find in an organization’s strategic plan?

A. Test a new accounting package.
B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the next 12 months.
D. Become the supplier of choice for the product offered.

A

D. Become the supplier of choice for the product offered.

44
Q

The MOST likely effect of the lack of senior management commitment to IT strategic planning is:

A. a lack of investment in technology.
B. a lack of a methodology for systems development.
C. technology not aligning with the organization’s objectives.
D. an absence of control over technology contracts.

A

C. technology not aligning with the organization’s objectives.

45
Q

An IS steering committee should:

A. include a mix of members from different departments and staff levels.
B. ensure that IS security policies and procedures have been executed properly.
C. have formal terms of reference and maintain minutes of its meetings.
D. be briefed about new trends and products at each meeting by a vendor.

A

C. have formal terms of reference and maintain minutes of its meetings.