Practice Exam Flashcards
Corporate IT governance is the responsibility of:
(a) The board and management.
(b) The IS manager.
(c) The IS auditor.
(d) The audit committee.
(a) The board and management.
Organizations develop change control procedures to ensure that:
(a) Changes are controlled by the Change Controller.
(b) All changes are requested, scheduled, and completed on time.
(c) All changes are authorized, tested, and recorded.
(d) Management is advised of changes made to the system.
(c) All changes are authorized, tested, and recorded.
Control problems during business process change would typically include:
(a) Poor control over file conversions.
(b) Changing effectiveness of existing control structures.
(c) Employee uncertainty and lack of cooperation.
(d) Changing control objectives.
(a) Poor control over file conversions.
Risk is commonly expressed as a function of the:
(a) Systems vulnerabilities and the cost to mitigate.
(b) Likelihood that the harm will occur and its potential impact.
(c) Types of countermeasures needed and the system’s vulnerabilities.
(d) Computer system-related assets and their costs.
(b) Likelihood that the harm will occur and its potential impact.
Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company.
C. develop the audit plan on the basis of a detailed risk assessment.
D. monitor progress of audits and initiate cost control measures.
C. develop the audit plan on the basis of a detailed risk assessment.
Passwords should be all of the following except:
(a) Hard to guess
(b) Easy to remember
(c) Written down
(d) Frequently changed
(c) Written down
A digital signature uses similar technology to:
(a) Symmetric encryption
(b) MACing
(c) Asymmetric encryption
(d) None of the above
(c) Asymmetric encryption
A firewall provides an organization with:
(a) A mechanism for implementing and enforcing network access security policies
(b) A transformation of directive of discretionary controls into preventative controls
(c) Control over access to and from a given network
(d) All of the above
(d) All of the above
Where a disaster would result in a conspicuous interruption of IT services and potentially a loss of business, disaster preparedness would typically be classified as:
(a) Poor
(b) Weak
(c) Adequate
(d) Good
(b) Weak
Risks specific to portable computers include all of the following except:
(a) Accidental damage in transit
(b) Ease of theft
(c) Unauthorized access
(d) Lost in transit
(c) Unauthorized access
Which of the following would BEST support 24/7 availability?
A. Daily backup
B. Offsite storage
C. Mirroring
D. Periodic testing
C. Mirroring
Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:
A. physically separated from the data center and not subject to the same risks.
B. given the same level of protection as that of the computer data center.
C. outsourced to a reliable third party.
D. equipped with surveillance capabilities.
A. physically separated from the data center and not subject to the same risks.
The PRIMARY purpose of compliance tests is to verify whether:
a. controls are implemented as prescribed.
b. documentation is accurate and current.
c. access to users is provided as specified.
d. data validation procedures are provided.
a. controls are implemented as prescribed.
Which of the following concerns about the security of an electronic message would be addressed by digital signatures?
a. Unauthorized reading
b. Theft
c. Unauthorized copying
d. Alteration
d. Alteration
The MOST effective method for limiting the damage of an attack by a software virus is:
a. software controls.
b. policies, standards and procedures.
c. logical access controls.
d. data communication standards.
a. software controls.
Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet?
a. Digital signature
b. Data encryption standard (DES)
c. Virtual private network (VPN)
d. Public key encryption
d. Public key encryption
The PRIMARY objective of a firewall is to protect:
a. internal systems from exploitation by external threats.
b. external systems from exploitation by internal threats.
c. internal systems from exploitation by internal threats.
d. itself and attached systems against being used to attack other systems.
a. internal systems from exploitation by external threats.
An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious?
a. The security officer also serves as the database administrator (DBA).
b. Password controls are not administered over the client/server environment.
c. There is no business continuity plan for the mainframe system’s non-critical applications.
d. Most LANs do not back up file server fixed disks regularly.
b. Password controls are not administered over the client/server environment.
A B-to-C e-commerce web site, as part of its information security program, wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?
a. Intrusion prevention systems
b. Firewalls
c. Routers
d. Asymmetric encryption
a. Intrusion prevention systems
An IS auditor discovers that an organization’s business continuity plan provides for an alternate processing site that will accommodate fifty percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?
a. Do nothing, because generally less than twenty-five percent of all processing is critical to an organization’s survival, and the backup capacity is therefore adequate.
b. Identify applications that could be processed at the alternate site and develop manual procedures to back up other processing.
c. Ensure that critical applications have been identified and that the alternate site could process all such applications.
d. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least seventy-five percent of normal processing.
c. Ensure that critical applications have been identified and that the alternate site could process all such applications.
Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization’s IS department?
a. Developing the business continuity plan
b. Selecting and approving the strategy for business continuity plan
c. Declaring a disaster
d. Restoring the IS systems and data after a disaster
d. Restoring the IS systems and data after a disaster