Steps Flashcards

1
Q

The auditor’s ROLE is to

A

EVALUATE the design and operation of internal controls.

2
Q

The 5 Steps in Verifying Compliance with External Regulations (General Process)

A

(1) IDENTIFY the external requirements with which the company is responsible for being in compliance.
(2) REVIEW the specific laws and regulations with which the organization must be compliant.
(3) DETERMINE whether the organization CONSIDERED these laws and regulations when policies and procedures were developed.
(4) DETERMINE whether identified policies and procedures ADHERE to external laws and requirements.
(5) DETERMINE whether the employees are adhering to specified policies and procedures or whether DISCREPANCIES exist.

3
Q

It is important for auditors to verify compliance by

A

developing a good audit plan

4
Q

The goal of the audit function is

A

to present an independent and objective evaluation of the state of the internal controls with appropriate recommendations to mitigate any detected risks if applicable.

5
Q

The audit department should report

A

to the audit committee.

6
Q

The audit department should NOT report

A

to senior management directly, because it might create an independence problem.

7
Q

At the highest level, the audit FUNCTION requires

A

an audit charter to establish the IS audit function.

8
Q

The charter defines

A

what responsibilities senior management is delegating.

9
Q

The audit committee is responsible only to

A

senior management and the board of directors

10
Q

The audit committee should report findings directly to

A

senior management and the board of directors

11
Q

Long-term plans are considered

A

STRATEGIC.

12
Q

Strategic planning looks at what effect management’s planned long-term changes

A

to the infrastructure will have on the security of the organization.

13
Q

Short-term planning is referred to as ___________.

A

tactical planning

14
Q

Tactical planning looks at issues the organization currently faces,

A

such as what is to be audited during the current year

15
Q

Understanding the company is

A

just the first step

16
Q

Next, the auditor must develop a plan to

A

help determine what type of audits should be performed.

17
Q

STEP BY STEP

1.2 Audit Planning Process

A
  1. Learn the business, review the mission statement, and understand its purpose and goals.
  2. Review documentation and evaluate existing policies, procedures, and guidelines.
  3. Identify threats, risks, and concerns.
  4. Carry out a risk analysis.
  5. Identify internal controls.
  6. Define audit objectives and scope of audit.
  7. Identify resources needed for the audit and assign appropriate personnel.
18
Q

An auditor must know when

A

to perform a compliance test or a substantive test, and must understand the differences between them.

19
Q

Compliance tests are used to

A

verify conformity.

20
Q

Substantive tests verify

A

the integrity of a claim.

21
Q

Standards are

A

agreed-upon principles of protocol.

22
Q

Standards detail mandatory requirements, whereas guidelines and procedures

A

offer guidance on how to maintain compliance.

23
Q

Fourteen categories of standards exist:

A
S1—Audit Charter
S2—Independence
S3—Professional Ethics and Standards
S4—Competence
S5—Planning
S6—Performance of Audit Work
S7—Reporting
S8—Follow-Up Activities
S9—Irregularities and Illegal Acts
S10—IT Governance (effective 1 September 2005)
S11—Use of Risk Assessment in Audit Planning
S12—Audit Materiality
S13—Using the Work of Other Experts
S14—Audit Evidence
24
Q

Thirty-five categories of guidelines exist (1-15):

A

G1—Using the Work of Other Auditors
G2—Audit Evidence Requirement
G3—Use of Computer-Assisted Audit Techniques (CAATs)
G4—Outsourcing of IS Activities to Other Organizations
G5—Audit Charter
G6—Materiality Concepts for Auditing Information Systems
G7—Due Professional Care
G8—Audit Documentation
G9—Audit Considerations for Irregularities
G10—Audit Sampling
G11—Effect of Pervasive IS Controls
G12—Organizational Relationship and Independence
G13—Use of Risk Assessment in Audit Planning
G14—Application Systems Review
G15—Planning Revised

25
Q

Thirty-five categories of guidelines exist (16-29):

A

G16—Effect of Third Parties on an Organization’s IT Controls
G17—Effect of Nonaudit Role on the IS Auditor’s Independence
G18—IT Governance
G19—Irregularities and Illegal Acts
G20—Reporting
G21—Enterprise Resource Planning (ERP) Systems Review
G22—Business-to-Consumer (B2C) E-Commerce Review
G23—System Development Lifecycle (SDLC) Review
G24—Internet Banking
G25—Review of Virtual Private Networks
G26—Business Process Reengineering (BPR) Project Reviews
G27—Mobile Computing
G28—Computer Forensics
G29—Post-Implementation Review

26
Q

Thirty-five categories of guidelines exist (30-35):

A

G30—Competence
G31—Privacy
G32—Business Continuity Plan (BCP) Review from IT Perspective
G33—General Considerations on the Use of the Internet
G34—Responsibility, Authority, and Accountability
G35—Follow-Up Activities

27
Q

Risk management follows a defined process that includes the following steps:

A
  1. Develop a risk management team
  2. Identify assets
  3. Identify threats
  4. Perform risk analysis
  5. Perform risk mitigation
  6. Monitor
28
Q

STEP BY STEP

1.3 Risk-Based Audit Process

A
  1. Gather information and plan:
    . Understand the business
    . Review audits from prior years
    . Examine financial data
    . Evaluate regulatory statutes
    . Conduct inherent risk assessments
  2. Determine internal controls and review their functionality:
    . Control environment and control procedures
    . Detection and control risk assessment
    . Total risks
  3. Perform compliance tests—Test and verify that controls are being applied.
  4. Perform substantive testing—Measure the strength of the process and verify accounts.
  5. Conclude the audit—Prepare the report.
29
Q

Best control

A

would be provided by having the production control group copy the source program to the production libraries and then compile the program.

30
Q

Decision Support

A

will be enhanced by using a data warehouse and data marts.

31
Q

Primary objective of value delivery is to:

A

optimize security investments in support of business objectives.

32
Q

The MOST robust method for disposing of magnetic media

A

Destroying

33
Q

Data warehousing

A

involves data cleaning, data integration, and data consolidation.

34
Q

When drawing up a contract with a cloud service provider, the ideal practice is to remove the customer lock-in clause. It may be important for the client to secure ___________ of their system assets, i.e., the right to transfer from one vendor to another

A

portability

35
Q

Fault

A

ST (short-term) loss of power

36
Q

Spike

A

ST (short-term) high voltage

37
Q

Sag

A

ST (short-term) low voltage

38
Q

Brownout

A

LT (long-term) low voltage

39
Q

Voltage surge

A

LT (long-term) high voltage

40
Q

Blackout

A

LT (long-term) loss of power

41
Q

The GREATEST challenge of performing a quantitative risk analysis

A

Obtaining accurate figures on the frequency of specific threats

42
Q

IDS

A

cannot detect attacks within encrypted traffic; it would be a concern if someone were misinformed and thought that an IDS could detect attacks in encrypted traffic.

43
Q

A standard establishes mandatory

A

rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or outputs of a process.

44
Q

The board of directors and executive officers are accountable for the functionality, reliability, and security within

A

IT Governance.

45
Q

The web application attack that facilitates unauthorized access to a database

A

SQL injection (SQLi)

46
Q

Regression testing is undertaken PRIMARILY to ensure that

A

applied changes have not introduced new errors.

47
Q

Capacity monitoring

A

has the primary objective of ensuring compliance with the internal SLA between the business and IT; it also helps in arriving at expected future capacity based on usage patterns, and in initiating procurement based on current usage and expected future capacity.

48
Q

Cryptographic hash

A

is a primary defense against alteration attacks.

49
Q

Variable sampling

A

would be the best sampling technique to review an organization’s balance sheet for material transactions. It is also known as dollar estimation.

50
Q

Integrity of data

A

information is changed only in a specified and authorized manner.

51
Q

CSA (control self-assessment)

A

highlights noncompliance with the current policy.

52
Q

Batch control reconciliations

A

are a compensating control for mitigating the risk of inadequate segregation of duties.

53
Q

RFID

A

Any RFID signal that can be read can be duplicated, which raises privacy issues.

54
Q

Concurrency control

A

manages simultaneous access to a database. It prevents two users from editing the same record at the same time and also serializes transactions for backup and recovery.

55
Q

The first criterion must be to ensure that there is no ______ in the procedures and that, from a security perspective, they meet the applicable standards and, therefore, comply with policy.

A

ambiguity

56
Q

The information security manager

A

is responsible for developing a security strategy based on business objectives with help of business process owners.

57
Q

Load balancing

A

best ensures uninterrupted system availability by distributing traffic across multiple servers. Load balancing helps ensure consistent response times for web applications.

58
Q

The IS Auditor’s main responsibility during the test of the plan is to act as _________ to the success of being able to resume timely business processing.

A

an observer

59
Q

The IS Auditor’s observations

A

should be documented and analyzed, with appropriate recommendations brought forward to management.

60
Q

The level of effectiveness of employees will be determined by their existing knowledge and capabilities, in other words, their

A

proficiencies.

61
Q

Reviewing the access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system

A

(during a post-implementation review)

62
Q

Control Objectives for Information and Related Technology (CobiT) is a framework designed around four domains

A

- Plan and organize
- Acquire and implement
- Deliver and support
- Monitor and evaluate

63
Q

As an auditor, you have a position of

A

fiduciary responsibility

64
Q

Chain of Custody

A

One important issue that cannot be overlooked during a forensic audit is chain of custody. Chain of custody means that the auditor can account for who had access to the collected data, that access to the information is controlled, and that it is protected from tampering.

65
Q

The audit program should be defined so that the scope, audit objective, and procedures are

A

properly defined to develop and support reliable conclusions and opinions

66
Q

Procedures for testing and evaluation can include the following:

A

- Auditing through observation
- Reviewing documentation
- Documenting systems and processes by means of flowcharting
- Using standard audit software controls to examine log files and data records
- Using specialized software packages to examine system parameter files

67
Q

An audit methodology

A

is a documented approach for performing the audit in a consistent and repeatable manner.

68
Q

The audit methodology is designed to meet audit objectives by defining the following (3):

A

(1) A statement of work
(2) A statement of scope
(3) A statement of audit objectives

69
Q

The methodology should be approved

A

by management

70
Q

The methodology should be thoroughly documented so that it

A

provides a highly repeatable process.

71
Q

All audit employees must be trained and must have

A

knowledge of the methodology.

72
Q

Using a structured and repeatable methodology fosters the establishment of boundaries and builds

A

confidence in the audit process.

73
Q

Steps of the audit process

A

1.4 Audit Methodology
1. Audit subject—Identify which areas are to be audited.
2. Audit objective—Define why the audit is occurring. As an example, the objective of the audit might be to ensure that access to private information such as social security numbers is controlled.
3. Audit scope—Identify which specific functions or systems are to be examined.
4. Pre-audit planning—Identify what skills are needed for the audit, how many auditors are required, and what other resources are needed. Necessary policies or procedures should be identified, as should the plans of the audit. The plans should identify what controls will be verified and tested.
5. Data gathering—Identify interviewees, identify processes to be tested and verified, and obtain documents such as policies, procedures, and standards. Develop procedures to test controls.
6. Evaluation of test results—These will be organization specific. The objective will be to review the results.
7. Communication with management—Document preliminary results and communicate to management.
8. Preparation of audit report—The audit report is the culmination of the audit process and might include the identification of follow-up items.

74
Q

Findings, activities, and tests should be documented in

A

work papers (WPs)

75
Q

Confidentiality

A

Auditors are responsible for maintaining confidentiality of paper, electronic, and sensitive client information. Sensitive information should always be protected.

76
Q

At what step in the audit process should specific functions to be examined be identified?

A

Specific functions to be examined should be identified at the audit scope step.

77
Q

At what step in the audit process do you identify follow-up review procedures?

A

Follow-up review procedures should be developed at the audit report preparation step.

78
Q

At what step in the audit process do you identify the individuals to be interviewed?

A

At the data gathering step (step 5), the individuals to be interviewed should be determined.

79
Q

In fraud detection, auditors should perform the following:

A

- Observe employee activity
- Examine and review actual procedures and processes
- Verify employee security awareness training and knowledge
- Examine actual reporting relationships to verify segregation of duties

80
Q

Common law defines four general elements that must be present for fraud to exist:

A

- A material false statement
- Knowledge that the statement was false
- Reliance on the false statement
- Resulting damages or losses

81
Q

Auditors should not overlook any of the following fraud indicators:

A

- No clear lines of authority
- A lack of documents and records
- A lack of independent checks and balances
- Nonexistent or poor separation of duties
- Few internal controls

82
Q

The audit opinion is part of the auditor’s report and should include the following components:

A
- Name of organization being audited
- Title, date, and signature
- Statement of audit objectives
- Audit scope
- Any limitations of scope
- Audience
- Standards used in the audit
- A detail of the findings
- Conclusions, reservations, and qualifications
- Suggestions for corrective actions
- Other significant events
83
Q

Integrated auditing typically involves the following:

A

- Key controls must be identified.
- Key controls must be reviewed and understood.
- Key controls must be tested to verify that they are supported by the IT system.
- Management controls must be tested to verify that they operate correctly.
- Control risks, design problems, and weaknesses are delivered in the audit report.

84
Q

Six preconditions should be present before an organization can adopt continuous auditing:

A

- The system must have acceptable characteristics. Cost and items such as technical skill must be considered.
- The information system must be reliable, have existing primary controls, and collect data on the system.
- The information system must have a highly automated secondary control system.
- The auditor must be proficient in the system and information technology.
- The audit process must offer a reliable method for obtaining the audit procedure results.
- Verifiable controls of the audit reporting process must exist.

85
Q

Continuous assurance can be achieved by combining the following:

A

- Continuous auditing—A methodology of providing assurance that enables auditors to provide written reports quickly.
- Continuous monitoring—Monitoring provided by tools, such as antivirus, used to meet fiduciary responsibilities.

86
Q

The primary role of an auditor in IT governance is to

A

provide guidance and recommendations to senior management

87
Q

The objective of providing IT governance information

A

is to improve quality and effectiveness.

88
Q

The first step of the IT governance process is to review the following:

A

- Learn the organization—Know the company’s goals and objectives. Start by reviewing the mission statement.
- Review the IT strategic plan—Strategic plans provide details for the next three to five years.
- Analyze organizational charts—Become familiar with the roles and responsibility of individuals within the company.
- Study job descriptions—Job descriptions detail the level of responsibility and accountability for employees’ actions.
- Evaluate existing policies and procedures—These documents detail the approved activities of employees.

89
Q

The committee consists of members of high-level management from within the company:

A

- Business management—The committee is managed by the CEO or by a personally appointed and instructed representative.
- IT management—This group is represented by the CIO or a CIO representative.
- Legal—This group is represented by an executive from the legal department.
- Finance—A representative from finance is needed to provide financial guidance.
- Marketing—A representative from marketing should also be on the committee.
- Sales—A senior manager for sales should be on the committee to make sure that the organization has the technology needed to convert shoppers into buyers.
- Quality control—Quality control ensures that consumers view products and services favorably and that products meet required standards. As such, quality control should be represented on the committee.
- Research and development (R&D)—Because R&D focuses on developing new products, this department should be represented on the committee. IT must meet the needs of new product development.
- Human resources (HR)—Managing employees is as complex as the technology needed to be successful. HR should be represented on the committee.

90
Q

The balanced scorecard gathers input from the following four perspectives:

A

- The customer perspective—Includes the importance the company places on meeting customer needs. Even if financial indicators are good, poor customer ratings will eventually lead to financial decline.
- Internal operations—Includes the metrics managers use to measure how well the organization is performing and how closely its products meet customer needs.
- Innovation and learning—Includes corporate culture and its attitudes toward learning, growth, and training.
- Financial evaluation—Includes timely and accurate financial data. Typically focuses on profit and market share.

91
Q

Federal law requires government agencies to set up

A

an EA (enterprise architecture) and a structure for its governance.

92
Q

The FEA is designed to use five models:

A

- Performance reference model—A framework used to measure performance of major IT investments
- Business reference model—A framework used to provide an organized, hierarchical model for day-to-day business operations
- Service component reference model—A framework used to classify service components with respect to how they support business or performance objectives
- Technical reference model—A framework used to categorize the standards, specifications, and technologies that support and enable the delivery of service components and capabilities
- Data reference model—A framework used to provide a standard means by which data may be described, categorized, and shared

93
Q

The three most common funding practices include these:

A

- Shared cost—With this method, all departments of the organization share the cost. The advantage of this method is that it is relatively easy to implement and for accounting to handle. Its disadvantage is that some departments might feel that they are paying for something they do not use.
- Chargeback—With this method, individual departments are directly charged for the services they use. This is a type of pay-as-you-go system. Proponents of this system believe that it shifts costs to the users of services. Those opposing the chargeback system believe that it is not that clear-cut. As an example, what if your city of 1,000 people decided to divide electrical bills evenly so that everyone pays? Many might complain, as not everyone uses the same amount of electricity. Opponents of the chargeback system make the same argument, as end users don’t consume IT resources evenly.
- Sponsor pays—With this method, project sponsors pay all costs. Therefore, if sales asks for a new system to be implemented, sales is responsible for paying the bills. Although this gives the sponsor more control over the project, it might lead to the feeling that some departments are getting a free ride and, thus, can cause conflicts.

94
Q

Per ISACA, the following items should be examined:

A
- Human resources documents
- Quality-assurance procedures
- Process and operation manuals
- Change-management documentation
- IT forecasts and budgets
- Security policies and procedures
- Organizational charts and functional diagrams
- Job details and descriptions
- Steering committee reports
95
Q

During the review process of policies, procedures, and documentation, any of the following might indicate potential problems:

A
- Excessive costs
- Budget overruns
- Late projects
- A high number of aborted projects
- Unsupported hardware changes or unauthorized purchases
- Lack of documentation
- Out-of-date documentation
- Employees unaware of or unknowledgeable about documentation
96
Q

Risks can be:

A

- Accepted—The risk is understood and has been evaluated. Management has decided that the benefits outweigh the risk. As an example, the company might be considering setting up an e-commerce website. Although it is agreed that risks exist, the benefit of the added cash flow makes these risks acceptable.
- Reduced—Installing a firewall is one method in which risk can be reduced.
- Transferred—The risk is transferred to a third party. As an example, insurance is obtained.
- Rejected—Depending on the situation, any one of the preceding methods might be an acceptable way to handle risk. Risk rejection is not acceptable, as it means that the risk will be ignored in the hope that it will go away or not occur.

97
Q

The assets commonly examined include:

A

- Hardware
- Software
- Employees
- Services
- Reputation
- Documentation

98
Q

These considerations are key:

A

- What did the asset cost to acquire or create?
- What is the liability if the asset is compromised?
- What is the production cost if the asset is made unavailable?
- What is the value of the asset to competitors and foreign governments?
- How critical is the asset, and how would its loss affect the company?

99
Q

These individuals or sources should be consulted or considered to help identify current and emerging threats:

A
- Business owners and senior managers
- Legal counsel
- HR representatives
- IS auditors
- Network administrators
- Security administrators
- Operations
- Facility records
- Government records and watchdog groups, such as CERT and Bugtraq
100
Q

Common types of threats can be categorized as:

A
- Physical threat/theft
- Human error
- Application error/buffer overflow
- Equipment malfunction
- Environmental hazards
- Malicious software/covert channels
101
Q

Examples of losses or impacts include the following:

A

- Financial loss
- Loss of reputation
- Danger or injury to staff, clients, or customers
- Loss of business opportunity
- Breach of confidence or violation of law

102
Q

Risk analysis can be performed in one of two basic methods:

A

- Quantitative risk assessment—Deals with dollar amounts. It attempts to assign a cost (monetary value) to the elements of risk assessment and the assets and threats of a risk analysis.
- Qualitative risk assessment—Ranks threats by nondollar values and is based more on scenario, intuition, and experience.

103
Q

Quantitative Risk Assessment involves six basic steps

A
  1. Determine the asset value (AV) for each information asset.
  2. Identify threats to the asset.
  3. Determine the exposure factor (EF) for each information asset in relation to each threat.
  4. Calculate the single loss expectancy (SLE).
  5. Calculate the annualized rate of occurrence (ARO).
  6. Calculate the annualized loss expectancy (ALE).
104
Q

STEP BY STEP

2.1 Quantitative Risk Assessment

A
  1. Determine the exposure factor—This is a subjective potential percentage of loss to a specific asset if a specific threat is realized. This is usually in the form of a percentage, similar to how weather reports predict the likelihood of weather conditions.
  2. Calculate the single loss expectancy (SLE)—The SLE value is a dollar figure that represents the organization’s loss from a single loss or the loss of this particular information asset. SLE is calculated as follows:
    Single Loss Expectancy (SLE) = Asset Value (AV) × Exposure Factor (EF)
    Items to consider when calculating the SLE include the physical destruction or theft of assets, loss of data, theft of information, and threats that might delay processing.
  3. Assign a value for the annualized rate of occurrence (ARO)—The ARO represents the estimated frequency at which a given threat is expected to occur. Simply stated, how many times is this expected to happen in one year?
  4. Assign a value for the annualized loss expectancy (ALE)—The ALE is an annual expected financial loss to an organization’s information asset because of a particular threat occurring within that same calendar year. ALE is calculated as follows:
    Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
    The ALE is typically the value that senior management needs to assess to prioritize resources and determine what threats should receive the most attention.
  5. Analyze the risk to the organization—The final step is to evaluate the data and decide to accept, reduce, or transfer the risk.
105
Q

The team should review these items for such costs:

A

. Lost productivity
. Cost of repair
. Value of the damaged equipment or lost data
. Cost to replace the equipment or reload the data

106
Q

Other types of qualitative assessment techniques include these:

A

. The Delphi Technique—A group assessment process that allows individuals to contribute anonymous opinions.
. Facilitated Risk Assessment Process (FRAP)—A subjective process that obtains results by asking a series of questions. It places risks into one of 26 categories. FRAP is designed to be completed in a matter of hours, making it a quick process to perform.

107
Q

Some basic common controls should be used during the hiring practice:

A
. Background checks
. Educational checks
. Reference checks
. Confidentiality agreements
. Noncompete agreements
. Conflict-of-interest agreements
108
Q

Per ISACA, the handbook should address the following issues:

A

. Security practices, policies, and procedures
. Employee package of benefits
. Paid holiday and vacation policy
. Work schedule and overtime policy
. Moonlighting and outside employment
. Employee evaluations
. Disaster response and emergency procedures
. Disciplinary action process for noncompliance

109
Q

Common training methods include the following:

A
. In-house training
. Classroom training
. Vendor training
. On-the-job training
. Apprenticeship programs
. Degree programs
. Continuing education programs
110
Q

IS services can be provided in these ways:

A

. Internally—Insourced
. Externally—Outsourced
. Combination—Hybrid

111
Q

Third parties commonly provide these services:

A
. Data entry
. Application/web hosting
. Help desk
. Payroll processing
. Check processing
. Credit card processing
112
Q

The following steps are a generic overview of the change management process:

A
  1. Request a change.
  2. Approve the request.
  3. Document the proposed change.
  4. Test the proposed change.
  5. Implement the change.
113
Q

The auditor should be knowledgeable in these areas:

A
. Hardware and software requisitioning
. Software development
. Information systems operations
. Human resources management
. Security
114
Q

ISO 9001 actually consists of six documents that specify the following:

A
. Control of documents
. Control of records
. Control of nonconforming product
. Corrective action
. Preventive action
. Internal audits
115
Q

ISO 17799 provides best-practice guidance on information security management and is divided into 12 main sections:

A
. Risk assessment and treatment
. Security policy
. Organization of information security
. Asset management
. Human resources security
. Physical and environmental security
. Communications and operations management
. Access control
. Information systems acquisition, development, and maintenance
. Information security incident management
. Business continuity management
. Compliance
116
Q

CobiT is designed around 34 key processes, which address the following:

A

. Performance concerns
. IT control profiling
. Awareness
. Benchmarking

117
Q

Business process reengineering was done in the following steps:

A
  1. Envision
  2. Initiate
  3. Diagnose
  4. Redesign
  5. Reconstruct
  6. Evaluate
118
Q

After obtaining and reviewing the organizational chart, the auditor should spend some time reviewing each employee’s area to see how the job description matches actual activities. The areas to focus attention on include these:

A
. Help desk
. End-user support manager
. Quality assurance manager
. Data manager
. Rank and file employees
. Systems-development manager
. Software-development manager
119
Q

Segregation of duties usually falls into four areas of control:

A

. Authorization—Verifying cash, approving purchases, and approving changes
. Custody—Accessing cash, merchandise, or inventories
. Record keeping—Preparing receipts, maintaining records, and posting payments.
. Reconciliation—Comparing dollar amounts, counts, reports, and payroll summaries

120
Q

In small organizations, it is usually very difficult to adequately separate job tasks. In these instances, one or more of the following compensating controls should be considered:

A

. Job rotation—The concept is to not have one person in one position for too long a period of time. This prevents a single employee from having too much control.
. Audit trail—Although audit trails are a popular item after a security breach, they should be examined more frequently. Audit trails enable an auditor to determine what actions specific individuals performed; they provide accountability.
. Reconciliation—This is a specific type of audit in which records are compared to make sure they balance. Although they’re primarily used in financial audits, they are also useful for computer batch processing and other areas in which totals should be compared.
. Exception report—This type of report notes errors or exceptions. Exception reports should be made available to managers and supervisors so that they can track errors and other problems.
. Transaction log—This type of report tracks transactions and the time of occurrence. Managers should use transaction reports to track specific activities.
. Supervisor review—Supervisor reviews can be performed through observation or inquiry, or remotely using software tools and applications.

121
Q

Supports the prioritization of new IT projects

A

Investment portfolio analysis

122
Q

Information security

A

is not only a technical issue, but also a business and governance challenge that involves risk management, reporting, and accountability. Effective security requires the active engagement of executive management.

123
Q

The warm site is

A

acceptable to the business when the downtime is acceptable without breaching any legal requirements. Making a profit is not the reason for using a warm site.

124
Q

The main function of QoS is to

A

optimize network performance by assigning priority to business applications and end users, through the allocation of dedicated parts of the bandwidth to specific traffic.

125
Q

One of the features of referential integrity checking occurs

A

when a record is deleted and all other referenced records are automatically deleted.

126
Q

RFID RISKS =

A

Business process risk + Business intelligence risk + Privacy risk + Externality risk

127
Q

Re-engineering =

A

reusing design and program components

128
Q

Real-time application system =

A

transaction log

129
Q

RACI chart =

A

responsibility assignment matrix

130
Q

Information systems security policies are used

A

as the framework for developing logical access controls.

131
Q

One way to remove data remanence is with

A

a degausser

132
Q

Proactive management means

A

anticipating problems in advance and readying with solutions, and providing automation plans for the help desk.

133
Q

Audit program—

A

A step-by-step set of audit procedures and instructions that should be performed to complete an audit

134
Q

Cloud bursting is

A

an application deployment model in which an application runs in a private cloud or data center and bursts into a public cloud when the demand for computing capacity spikes

135
Q

Ordering of biometric devices with the best response times and lowest EERs are

A

palm, hand, iris, retina, fingerprint and voice, respectively. (PH-I-RF-V)

136
Q

Cloud bursting for

A

load balancing between clouds

137
Q

To detect lost transactions –

A

automated systems balancing could be used.

138
Q

Cloud bursting is an application deployment model in which

A

an application runs in a private cloud or data center and bursts into a public cloud when the demand for computing capacity spikes

139
Q

Relative humidity (RH) is defined as the

A

amount of moisture in the air at a given temperature in relation to the maximum amount of moisture the air could hold at the same temperature. In a data center or computer room, maintaining ambient relative humidity levels between 45% and 55% is recommended for optimal performance and reliability.

140
Q

It is a generally agreed upon standard in the computer industry that expensive IT equipment should not be operated in a computer room or data center where the ambient room temperature has

A

exceeded 85°F (30°C).

141
Q

Information gathering techniques – Brainstorming, Delphi technique, Interviewing, Root cause analysis
Quality assurance is also a root-cause analysis process. Fishbone (Ishikawa) diagram: determines how various factors are linked to potential problems or effects; it is mainly referred to

A

as “root cause” analysis.

142
Q

Network slow =

A

use a protocol analyzer to perform network analysis and review error logs of local area network (LAN) equipment.

143
Q

A threat is not a vulnerability. A threat exploits a vulnerability; e.g., a weak password (vulnerability) is exploited by a dishonest employee (threat) to commit fraud, leading to

A

financial losses

144
Q

Substantive testing obtains audit evidence

A

on the completeness, accuracy or existence of activities or transactions during the audit period

145
Q

Batch controls:

A

total monetary amount, total items, total documents, hash totals

146
Q

Matrix organizational structure

A

combines functional and product departmentalization, creates a dual reporting structure, and is optimal where product groups are necessary.

147
Q

Corporate governance consists of

A

the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Information security governance is a subset of an organization’s overall governance program. Risk management, reporting, and accountability are central features of these policies and internal controls.

148
Q

Auditors are responsible for helping to ensure that sufficient controls are designed

A

during SDLC and that these controls work as expected.

149
Q

Systems require

A

maintenance, review of changes, and review and redesign of processes.

150
Q

Projects have unique attributes:

A

. A unique purpose
. A temporary nature
. A primary customer and/or sponsor
. Uncertainty

151
Q

Projects are constrained by their scope, time, and cost; therefore, you must consider the following:

A

. Scope—How much work is defined? What do the sponsor and the customer expect from this project?
. Time—How long is this project scheduled to run? Does it have a defined schedule? When does the product need to be launched, or when does the service need to be operational? Answering these questions will help determine how long the project will run.
. Cost—How much money is this project expected to cost? Has the sponsor approved it?

152
Q

The most well-known of the PM approaches and standards

A

are PMBOK (IEEE Standard 1490), Prince 2 (projects in a controlled environment), and Project Management Institute (PMI).

153
Q

Auditors should understand who is responsible and be able to identify key stakeholders, some of which include the following:

A

. Senior management—Provides necessary resources to complete the project.
. Stakeholders—A person, group, or business unit that has a share or an interest in the project activities.
. Project steering committee—Ultimately responsible. Must ensure that the stakeholders’ needs are met and oversee the direction and scope of the project. The committee acts as the project-oversight board.
. Project sponsor—Works with the project manager to ensure success and is responsible for allocating funding for the project.
. Project manager—Responsible for day-to-day management of the project team.
. Project team—Responsible for performing operational tasks within the project.
. Quality assurance—Responsible for reviewing the activities of the project-management team and ensuring that output meets quality standards. This role/group does not necessarily act as part of the project team as a whole. QA activities can be carried out by parties external to the project team, including auditors.

154
Q

As the team progresses, it typically goes through four stages:

A

. Forming
. Storming
. Norming
. Performing

155
Q

Work Breakdown Structure

A

Developing the work breakdown structure is an important task at the start of the project-management process because it identifies specific tasks and specifies what resources are needed for completion of the task

156
Q

The three constraints of project management include the following:

A

. Scope—The scope of the project can be better defined by understanding the areas/activities/personnel needed to complete the project. For example, software projects must define how big the applications will be. Will the project involve a few thousand lines of code or millions of lines of code?
. Time—Time can be better established by building a project timeline that lists each task and specifies a timeframe for each.
. Cost—Cost can be determined by examining the lines of code, the number of people in the project team, and the time needed for each phase of the project.

157
Q

These components drive up the cost of software:

A

. The chosen source code language—Using an obscure or unpopular language will most likely drive up costs.
. The size of the application—The size or complexity of the application has a bearing on cost. As an example, the level of security needed is something that will affect the complexity of a given application. This also has a direct correlation to the scope of the project.
. The project time constraints—If a project is projected to be completed in one month versus three months, this might mean that more overtime needs to be paid, along with fees for rushed services.
. Computer and resource accessibility—If resources are available only during certain times, the output of the project team will most likely be reduced.
. Project team experience—Every individual has a learning curve that adds cost to inexperienced team members.
. The level of security needed—A project that needs very high levels of security controls will take additional time and effort to develop.

158
Q

Traditional software sizing has been done by

A

counting source lines of code (SLOC).

159
Q

Function point analysis (FPA)

A

is a method that the ISO has approved as a standard to estimate the complexity of software. FPA can be used to budget application-development costs, estimate productivity after project completion, and determine annual maintenance costs. FPA is based on the number of inputs, outputs, interfaces, files, and queries.

160
Q

The five functional point values are

A

the number of user inputs, number of user outputs, number of user inquiries, number of files, and number of external interfaces.

161
Q

Function Point Metrics

A

If an organization decides to use function point metrics, it must develop criteria for determining whether an entry is simple, average, or complex.

162
Q

When the table is completed, the organization can use the computed totals to run through an algorithm that determines factors such as reliability, cost, and quality, such that:

A

. Productivity = FP/person-month
. Quality = defects/FP
. Cost= $/FP

163
Q

With these calculations completed, the project team can

A

identify resources needed for each specific task.

164
Q

Function Point Analysis: Exam candidates should know that when assessing the scope of an application-development project,

A

function point analysis is one of the best techniques for estimating the scope and cost of the project.

165
Q

Program Evaluation and Review Technique (PERT) is the preferred tool

A

for estimating time when a degree of uncertainty exists.

166
Q

Scheduling involves linking individual tasks. The relationship between these tasks is linked either by earliest start date or by latest expected finish date. The _____ _______ is one way to display these relationships.

A

Gantt chart

167
Q

PERT uses

A

a critical-path method that applies a weighted average duration estimate.

168
Q

PERT uses probabilistic time estimates to

A

estimate the best and worst time estimates.

169
Q

PERT uses a three-point time estimate to develop

A

best, worst, and most likely time estimates.

170
Q

A PERT chart is used to depict this information. Each chart begins with the first task that branches out to a connecting line that contains three estimates:

A

. The most optimistic time in which the task will be completed
. The most likely time in which the task will be completed
. The worst-case scenario or longest the task will take

171
Q

Estimating Time: Estimating the time and resources needed for application development is typically the most ______ part of initial application-development activities.

A

DIFFICULT

172
Q

STEP BY STEP

3.1 Calculating Time Estimates with PERT

A
  1. Determine the average amount of time to complete the task. In the previous example, this was estimated to be five work days.
  2. Estimate the best possible completion time for the task. For this step by step, assume that it is three work days.
  3. Estimate the worst possible completion time. For this step, assume 10 work days.
  4. Plug these values into the PERT weighted average formula (best + worst + 4 × most likely, divided by 6):
    (3 + 10 + (4 × 5)) ÷ 6 = 5.5 days
  5. The value of 5.5 days would be recorded as the critical path time.
173
Q

Critical path methodology (CPM) determines what activities are critical and what the dependencies are between the various tasks. CPM is accomplished by the following:

A

. Compiling a list of each task required to complete the project
. Determining the time that each task will take, from start to finish
. Examining the dependencies between each task

174
Q

If the total project time needs to be reduced, one of the tasks on the CPM path must be finished earlier. This is called

A

crashing, in that the project sponsor must be prepared to pay a premium for early completion as a bonus or in overtime charges.

175
Q

The disadvantage to CPM is that

A

the relation of tasks is not as easily seen as it is with Gantt charts.

176
Q

Critical Path Methodology: Exam candidates should understand that CPM is considered

A

a project-management planning and control technique.

177
Q

Timebox management is used in projects when time

A

is the most critical aspect and software projects need to be delivered quickly.

178
Q

Auditors must be aware of any PROJECT

A

changes and must examine how this could affect any existing controls and the overall project.

179
Q

The auditor must also be concerned with

A

end-user training. When new software products are released to users, the users must be trained on how the application works, what type of authentication is required, and how overrides or dual controls work.

180
Q

The last step in the project-management process is

A

to close the project.

181
Q

At the conclusion of the project, the project manager must

A

transfer control to the appropriate individuals.

182
Q

The project closing includes the following tasks:

A

. Administrative closure
. Release of final product or service
. Update of organizational assets

183
Q

At the close of the project, surveys or post-project reviews might be performed. This is a chance to survey the project team and end users to gauge their satisfaction with the project and

A

examine how things could have been done differently or what changes should be implemented next time.

184
Q

A postmortem review is similar but is usually held

A

after the project has been in use for some time.

185
Q

Organizations use a structured approach to business application development for these reasons:

A

. To minimize risk
. To maximize return
. To establish controls so that the likelihood that the software meets user needs is high

186
Q

As an auditor, you are not expected to be an expert programmer or understand the inner workings of a Java program. Instead, the auditor must know how to manage the development process so that adequate controls are developed and implemented.

A

The auditor must be able to review information at each step of the process and provide input on the adequacy of controls being designed. Auditors are also responsible for reporting independently to management on the status of the project and the implementation of controls. Auditors might also become more deeply involved in the process, based on their individual skills and abilities.

187
Q

ISACA uses a modified model of the SDLC that has

A

five primary phases and the post implementation phase.

188
Q

Design Phase: Exam candidates should understand that auditors must verify

A

controls during the design phase of the SDLC.

189
Q

Waterfall Model: A primary characteristic of the classic waterfall model is that when each step ends,

A

there is no turning back.

190
Q

The National Institute of Standards and Technology (NIST) defines the SDLC in ___________ as “the scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.”

A

NIST SP 800-34

191
Q

The goal of the SDLC is to control the development process and

A

add security checks at each phase

192
Q

The failure to adopt a structured development model will increase risk and the likelihood that the final product

A

may not meet the customer’s needs.

193
Q

Phase 1: Feasibility (SDLC)

A

In this step, the feasibility of the project is considered. The cost of the project must be discussed, as well as the potential benefits that it will bring to the system’s users. A payback analysis must be performed to determine how long the project will take to pay for itself. In other words, the payback analysis determines how much time will lapse before accrued benefits will overtake accrued and continuing costs. If it is determined that the project will move forward, the team will want to develop a preliminary timeline. During the feasibility phase, everyone gets a chance to meet and understand the goals of the project.

194
Q

Phase 2: Requirements Definition (SDLC)

A

This phase entails fully defining the need and then mapping how the proposed solution meets the need. This requires the participation of management as well as users. Users should also be involved because they should have input on how the applications are designed.
At this phase, an entity relationship diagram (ERD) is often used. An ERD helps map the requirements and define the relationship between elements. The basic components of an ERD are an entity and a relationship. An entity is very much like a database, in that it is a grouping of like data elements. An entity has specific attributes, which are called the entity’s primary key. Entities are drawn as a rectangular box with an identifying name. Relationships describe how entities are related to each other and are defined as a diamond. ERDs can be used to help define a data dictionary. When a data dictionary is designed, the database schema can be developed. The database schema defines the database tables and fields, and the relationship between them. The completed ERD will be used in the design phase as the blueprint for the design.

195
Q

During the requirements phase, auditors must

A

verify the requirements and determine whether adequate security controls are being defined.

196
Q

These controls should include the following mechanisms:

A

. Preventive—Preventive controls can include user authentication and data encryption.
. Detective—Detective controls can include embedded audit modules and audit trails.
. Corrective—Corrective controls can include fault tolerance controls and data integrity mechanisms.

197
Q

SDLC Requirements Phase: You might be tested on the fact that user acceptance plans are

A

usually developed during the requirements phase.

198
Q

Build Versus Buy: Although this is not a step in the SDLC, an organization might decide to buy a product instead of building it. The decision typically comes down to

A

time, cost, and availability of a predesigned substitute.

199
Q

Before moving forward with the option to buy, the project team should develop a ___________ __ __________to solicit bids from vendors. Vendor responses should be closely examined to find the vendor that best meets the project team’s requirements.

A

request for proposal (RFP)

200
Q

Some of the questions that should be asked include these:

A

. Does the vendor have a software product that will work as is?
. Will the vendor have to modify the software product to meet our needs?
. Will the vendor have to create a new, nonexistent software product for us?

201
Q

The reputation of the vendor is also important. MUST CONSIDER:

A

(1) Is the vendor reliable, and

(2) do references demonstrate past commitment to service?

202
Q

When a vendor is chosen, the last step is

A

to negotiate and sign a contract. Auditors will want to make sure that a sufficient level of security will be designed into the product and that risks are minimized.

203
Q

Phase 3: Design (SDLC)

A

During the design phase, users might not be involved, but the auditor will still be working in an advisory role. The auditor must again check that security controls are still in the design and test documents. Test plans should detail how security controls will be tested. Tests should be performed to validate specific program units, subsystems, interfaces, and backup/recovery. Change-control procedures should be developed to prevent uncontrolled changes.

204
Q

Scope Creep: Scope creep is the addition of products, features, or items to the original design so that more and more items are added on. This is sometimes referred to as the

A

“kitchen sink syndrome.” Scope creep is most likely to occur in the design phase. Little changes might not appear to have a big cost impact on a project, but they will have a cumulative effect and increase the length and cost of the project

205
Q

There are ways to decrease design and development time. _________ __________ is one such technique.

A

Reverse engineering

Reverse engineering converts executable code into human-readable format and can be performed with tools such as IDA Pro. This is a somewhat controversial subject because, although reverse engineering has legitimate uses, a company could use it to disassemble another company’s program. Most software licenses make this illegal. Reverse engineering is also sometimes used to bypass access-restriction mechanisms.

206
Q

Phase 4: Development (SDLC)

A

During the development phase, programmers work to develop the application code. Programmers might use online programming facilities so that many programmers can access the code directly from their workstation. Although this typically increases productivity, it also increases risk because someone might gain unauthorized access to the program library. Programmers should strive to develop modules that have high cohesion and low coupling. Cohesion addresses the fact that a module is focused on a single task. Coupling is the measurement of the interconnection between modules. Low coupling means that a change to one module should not affect another.

207
Q

Cohesion and Coupling: Programmers should strive to develop modules that have

A

high cohesion and low coupling.

208
Q

During the development phase of the SDLC, auditors must verify

A

that input and output controls, audit mechanisms, and file-protection schemes are used.

209
Q

Examples of input controls include

A

dollar counts, transaction counts, error detection, and correction.

210
Q

Examples of output controls include

A

validity checking and authorizing controls.

211
Q

Testing these controls and the functionality of the program is

A

an important part of the Development phase of SDLC.

212
Q

Testing can be done by using one of the following testing methods:

A

. Top down—Top-down testing starts with a depth or breadth approach. Its advantage is that it gets programmers working with the program so that interface problems can be found sooner. It also allows for early testing of major functions.
. Bottom up—Bottom-up testing works up from the code to modules, programs, and all the way to systems. The advantage of bottom-up testing is that it can be started as soon as modules are complete; work does not have to wait until the entire system is finished. This approach also allows errors in modules to be discovered early. Most application testing follows the bottom-up approach.

213
Q

Regardless of the chosen approach, test classifications are divided into the following categories:

A

. Unit testing—Examines an individual program or module
. Interface testing—Examines hardware or software to evaluate how well data can be passed from one entity to another
. System testing—A series of tests that can include recovery testing, security testing, stress testing, volume testing, and performance testing. Although unit and interface testing focus on individual objects, the objective of system testing is to assess how well the system functions as a whole.
. Final acceptance testing—When the project staff is satisfied with all other tests, final acceptance testing, or user acceptance testing, must be performed. This occurs before the application is implemented into a production environment.

214
Q

Tests that are used for requirement verification:

A
. Alpha test
. Pilot test
. White-box test
. Black-box test
. Function test
. Regression test
. Parallel test
. Sociability test
215
Q

Before coding can begin, programmers must

A

decide what programming language they will use.

216
Q

There are five generations of programming languages:

A

. Generation Five (5GL)—Natural language
. Generation Four (4GL)—Very high-level language
. Generation Three (3GL)—High-level language
. Generation Two (2GL)—Assembly language
. Generation One (1GL)—Machine language

217
Q

Citizen Programmers: Organizations might have many individuals who have the ability to write code, but this does not mean they

A

are authorized to write code. These citizen programmers can have a detrimental effect on security. No single user should ever have complete control over the development of an application program.

218
Q

Phase 5: Implementation (SDLC)

A

In the implementation phase, the application is prepared for release into its intended environment. Final user acceptance is performed, as are certification and accreditation. This is typically the final step in accepting the application and agreeing that it is ready for use. Certification is the technical review of the system or application. Certification testing might include an audit of security controls, a risk assessment, or a security evaluation. Accreditation is management’s formal acceptance of a system or application. Typically, the results of the certification testing are compiled into a report, and management’s acceptance of the report is used for accreditation. Management might request additional testing, ask questions about the certification report, or accept the results as is. Once accepted, a formal acceptance statement is usually issued.

219
Q

SDLC Implementation Phase: You might be tested on the fact that final user acceptance testing is

A

performed during the implementation phase.

220
Q

Computer-aided software engineering (CASE) is used for

A

program and data conversions.

221
Q

The training strategy can include

A

classroom training, online training, practice sessions, and user manuals.

222
Q

The rollout of the application might be

A

all at once or phased in over time.

223
Q

Changeover techniques include the following:

A

. Parallel operation—Both the old and new systems are run at the same time. Results between the two systems can be compared. Fine-tuning can also be performed on the new system as needed. As confidence in the new system improves, the old system can be shut down. The primary disadvantage of this method is that both systems must be maintained for a period of time.
. Phased changeover—If the system is large, a phased changeover might be possible. With this method, systems are upgraded one piece at a time.
. Hard changeover—This method establishes a date at which users are forced to change over. The advantage of the hard changeover is that it forces all users to change at once. However, this introduces a level of risk into the environment because things can go wrong.

224
Q

Phase 6: Post-Implementation (SDLC)

A

In the post-implementation phase, some might be ready to schedule a party and declare success. What really needs to be done is to assess the overall success of the project. Actual costs versus projected costs should be reviewed to see how well cost-estimating was done at the feasibility phase. Return on investment (ROI) and payback analysis should be reviewed. A gap analysis can determine whether there is a gap between requirements that were or were not met. An independent group might conduct performance measurement, such as an audit. If this is the case, it should not be done by auditors who were involved in the SDLC process.

225
Q

Overall, post-implementation should answer the following questions:

A

. Is the system adequate?
. What is the true ROI?
. Were the chosen standards followed?
. Were good project-management techniques used?

226
Q

Disposal: Typically, disposal of an existing application might be required when

A

the maintenance cost surpasses the benefits/returns from the application.

227
Q

Disposal (SDLC)

A

This means that, at some point, these systems must be decommissioned and disposed of. This step of the process is reached when the application or system is no longer needed. Those involved in the disposal process must consider the disposition of the application. Should it be destroyed or archived, or does the information need to be migrated into a new system? Disk sanitization and destruction are also important, to ensure confidentiality. This is an important step that is sometimes overlooked.

228
Q

As an auditor, you must be knowledgeable of other development methods and have a basic understanding of their operations. Some popular models include the following:

A

. Incremental development—Defines an approach that develops systems in stages so that development is performed one step at a time. A minimal working system might be deployed while subsequent releases build on functionality or scope.
. Spiral development—The spiral model was developed based on the experience of the waterfall model. The spiral model is based on the concept that software development is evolutionary. The spiral model begins by creating a series of prototypes to develop a solution. As the project continues, it spirals out, becoming more detailed. Each step passes through planning, requirements, risks, and development phases.
. Prototyping—The prototyping model reduces the time required to deploy applications. Prototyping uses high-level code to quickly turn design requirements into application screens and reports that the users can review. User feedback can fine-tune the application and improve it. Top-down testing works well with prototyping. Although prototyping clarifies user requirements, it can result in overly optimistic project timelines. Also, when change happens quickly, it might not be properly documented, which is a real concern for the auditor.
. Rapid application development (RAD)—RAD uses an evolving prototype and requires heavy user involvement. Per ISACA, RAD requires well-trained development teams that use integrated power tools for modeling and prototyping. With the RAD model, strict limits are placed on development time. RAD has four unique stages, which include concept, functional design, development, and deployment.

229
Q

Prototyping: The advantage of prototyping is that it can provide

A

real savings in development time and costs.

230
Q

Rapid Application Development: The CISA exam might question you on the fact that RAD

A

uses prototyping as its core development tool.

231
Q

A second category of application development can be defined as

A

agile software development. With this development model, teams of programmers and business experts work closely together. Project requirements are developed using an iterative approach because the project is both mission driven and component based. The project manager becomes much more of a facilitator in these situations.

232
Q

Popular agile development models include the following:

A

. Extreme programming (XP)—The XP development model requires that teams include business managers, programmers, and end users. These teams are responsible for developing useable applications in short periods of time. Issues with XP are that teams are responsible not only for coding, but also for writing the tests used to verify the code. Lack of documentation is also a concern. XP does not scale well for large projects.
. Scrum—Scrum is an iterative development method in which repetitions are referred to as sprints and typically last 30 days. Scrum is typically used with object-oriented technology and requires strong leadership and a team meeting each day for a short time. The idea here is for more planning and directing tasks from the project manager to the team. The project manager’s main task is to work on removing any obstacles from the team’s path.

233
Q

Reengineering: Reengineering converts an existing business process. Reengineering attempts

A

to update software by reusing as many of the components as possible instead of designing an entirely new system.

234
Q

Application-Development Approaches

A

The information also can be grouped for the development process in various ways, including:
. data-oriented system development (DOSD),
. object-oriented systems development (OOSD),
. component-based development (CBD),
. and web-based application development (WBAD).

235
Q

The change-control board is responsible for

A

developing a change-control process and also for approving changes.

236
Q

Although the types of changes vary, change control follows a predictable process:

A

1. Request the change.
2. Approve the change request.
3. Document the change request.
4. Test the proposed change.
5. Present the results to the change-control board.
6. Implement the change, if approved.
7. Document the new configuration.

237
Q

The auditor should ensure that backup copies of critical documents are

A

created. These documents should be kept off-site in case of a disaster or other situation.

238
Q

The auditor should also watch for the possibility of unauthorized changes because of

A

poor oversight or the lack of proper security controls. Items to look for include the following:

239
Q

Items to look for include the following:

A

. Changes are implemented directly by the software vendor, without internal control.
. Programmers place code in an application that has not been tested or validated.
. The changed source code has not been reviewed by the proper employee.
. No formal change process is in place.
. The change review board has not authorized the change.
. The programmer has access to both the object code and the production library.

240
Q

Prototyping:

A

The process of quickly putting together a working model (a prototype) in order to test various aspects of a design, illustrate ideas or features and gather early user feedback.

241
Q

Unsuccessful logon =

A

monitored by the security administrator.

242
Q

The majority of project risk

A

can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk.

243
Q

Frame Relay is

A

more efficient than X.25

244
Q

ATM is asynchronous,

A

time slots are available on demand with information identifying the source of the transmission contained in the header of each ATM cell

245
Q

Hash totals:

A

Verification that the total in a batch agrees with the total calculated by the system.

246
Q

The IS auditor has an obligation to the project sponsor and the organization

A

to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.

247
Q

Race conditions occur due to

A

interferences caused by the following conditions: sequence or nonatomic operations; deadlock, livelock, or locking failure.

248
Q

Prior to implementing new technology,

A

an organization should perform a risk assessment, which would then be presented to business unit management for review and acceptance.

249
Q

Configuration management accounts for

A

all IT components, including software. Project management is about scheduling, resource management and progress tracking of software development. Problem management records and monitors incidents. Risk management involves risk identification, impact analysis, an action plan, etc.

250
Q

A penetration test is normally

A

the only security assessment that can link vulnerabilities together by exploiting them sequentially.

251
Q

What is the difference between the false acceptance rate and false rejection rate?

A

False acceptance means an unauthorized user is permitted access (FAR = UP).
False rejection is when an authorized person is denied access (FRR = AD).

252
Q

IaaS:

A

A company is trying to reduce its server environment footprint, so the in-house application servers were moved to another location hosted by a third party. The application software and application servers were thus moved to, and supported by, another company; this is IaaS.

253
Q

Having access to the database

A

could provide access to database utilities, which can update the database without an audit trail and without using the application. Using SQL only provides read access to information.

254
Q

VPN =

A

data confidentiality

255
Q

An Audit charter should state

A

management’s objectives for and delegation of authority to IS auditors.

256
Q

Provisioning access to data on a need-to-know basis PRIMARILY

A

ensures Data confidentiality

257
Q

Face-to-face communications are an example of

A

informal methods of monitoring and controlling a system development life cycle project, since it is hard to document the communication all the time. Evidence is hard to obtain with informal methods.

258
Q

A LOG can be maintained in

A

a manual or automated form where activities are logged with a sequential control number for tracking purposes.

259
Q

ESCROW: The client is entitled to the benefit of only using the software

A

and not owning it, unless they pay more money. Escrow may provide some protection if the vendor goes out of business, but does not prevent software from being discontinued.

260
Q

4GL provides

A

screen-authoring and report-writing utilities that automate database access.

261
Q

4GL tools do not

A

create the business logic necessary for data transformation.

262
Q

A flowchart is used to

A

document internal program logic.

263
Q

Feasibility study =

A

should be the basis for management’s decision to buy available software or to build a custom software application

264
Q

Recovery managers should be

A

rotated to ensure that experience with the disaster recovery plan (DRP) is spread among the managers.

265
Q

Entity-relationship diagram (ERD) is used

A

to help define the database schema.

266
Q

Function point analysis is used

A

for estimation of work during the feasibility study.

267
Q

Parallel migration increases

A

support requirements but lowers the overall risk. The old and new systems are run in parallel to verify integrity while building user familiarity with the new system.

268
Q

Phased Changeover: In larger systems, converting

A

to the new system in small steps or phases may be possible. This may take an extended period of time. The concept is best suited to either an upgrade of an existing system, or to the conversion of one department at a time. The phased approach creates a support burden similar to that of parallel operation. A well-managed phased changeover presents a moderate level of risk.

269
Q

Data-oriented databases (DODBs)

A

are designed for predictable data that has a consistent structure and a known or fixed length.

270
Q

Object-oriented databases (OODBs)

A

are designed for data that has a variety of possible data formats.

271
Q

Hard Changeover

A

In certain environments, executing an abrupt change to the new system may be necessary. This is known as a hard changeover: a full change occurring at a particular cutoff date and time. The purpose is to force migration of all the users at once. A hard changeover may be used after successful parallel operation or in times of emergency.

272
Q

Checklists are an example of a

A

formal method of communication between the affected parties. A checklist provides guidelines for reviewing functions and activities for assurance and evaluative purposes. Checklists can detect whether activities were performed according to plans, policies, and procedures.

273
Q

The agile method places greater reliance

A

on the undocumented knowledge contained in a person’s head. Agile is the direct opposite of capturing knowledge through project documentation.

274
Q

In the SDLC, approval by management to proceed to the next phase or possibly kill the project;

A

i.e., the review at the end of every SDLC phase is intended to prevent the project from proceeding unless it receives management’s approval.

275
Q

The ACID principle of database transaction refers to

A

atomicity (all or nothing), consistency, isolation (transactions operate independently), and durability (data is maintained).

276
Q

Major activities in software quality assurance include

A

project management, software verification and validation, software configuration management, and software quality assurance. These activities become a baseline and any subsequent changes require management approvals. Proposed changes are compared to the baseline, which is the standard.

277
Q

Opportunity costs

A

are those costs inherent in selecting one option in favor of another. When a software package’s implementation is delayed, the inherent cost of other projects being deferred during its implementation is an example of opportunity cost. The time lost due to delayed implementation of a current project could have been applied to developing a new project. Opportunity costs are hard to quantify precisely, but can be among the most important factors in software selection.

278
Q

Maintenance costs

A

are the costs to update and adapt software to match changing organizational needs. The maintenance costs of a system will vary widely, depending upon such factors as the type of application, the complexity of the system, and the need for periodic updates.

279
Q

If the database is not normalized, the IS auditor should review the justification

A

since, in some situations, denormalization is recommended for performance reasons. The IS auditor should not recommend normalizing the database until further investigation takes place. Reviewing the conceptual data model or the stored procedures will not provide information about normalization.

280
Q

Spoofing

A

is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network, but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server’s internal network address.

281
Q

DoS attack

A

is designed to limit the availability of a resource and is characterized by a high number of requests that require a response from the resource (usually a website). The target spends so many resources responding to the attack requests that legitimate requests are not serviced.

282
Q

An application-layer gateway, or proxy firewall, and stateful inspection firewalls

A

provide the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic.

283
Q

Control objectives are developed to achieve acceptable levels of risk.

A

The extent to which that is achieved is a good measure of the effectiveness of the strategy.

284
Q

Attribute sampling

A

is the primary sampling method used for compliance testing.

285
Q

Social engineering includes

A

impersonation through a telephone call, dumpster diving and shoulder surfing.

286
Q

Downtime reports:

A

Track the availability of telecommunication lines and circuits. Interruptions due to power/line failure, traffic overload, operator error or other anomalous conditions are identified in a downtime report.

287
Q

The first step in implementing information security governance is to define the

A

security strategy, based on which security baselines are determined.

288
Q

Risk created by a reciprocal agreement for disaster recovery =

A

may result in hardware and software incompatibility.