UAE Practice Exam 1 Flashcards
Which of the following controls would BEST detect intrusion?
A.User IDs and user privileges are granted through authorized procedures.
B.Automatic logoff is used when a workstation is inactive for a particular period of time.
C.Automatic logoff of the system occurs after a specified number of unsuccessful attempts.
D.Unsuccessful logon attempts are monitored by the security administrator.
D is the correct answer.
Justification
User IDs and the granting of user privileges define a policy. This is a type of administrative or managerial control that may prevent intrusion but would not detect it.
Automatic logoff is a method of preventing access through unattended or inactive terminals but is not a detective control.
Unsuccessful attempts to log on are a method for preventing intrusion, not detecting it.
Intrusion is detected by the active monitoring and review of unsuccessful logon attempts.
IT governance is PRIMARILY the responsibility of the:
A.CEO.
B.board of directors.
C.IT steering committee.
D.audit committee.
B is the correct answer.
Justification
The CEO is instrumental in implementing IT governance according to the directions of the board of directors.
IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors).
The IT steering committee monitors and facilitates deployment of IT resources for specific projects in support of business plans. The IT steering committee enforces governance on behalf of the board of directors.
The audit committee reports to the board of directors and executes governance-related audits. The audit committee should monitor the implementation of audit recommendations.
If inadequate, which of the following is the MOST likely contributor to a denial-of-service (DoS) attack?
A.Router configuration and rules
B.Design of the internal network
C.Updates to the router system software
D.Audit testing and review techniques
A is the correct answer.
Justification
Improper router configuration and rules can lead to denial-of-service (DoS) attacks.
An inefficient design of the internal network may also lead to a DoS attack, but this is not as high a risk as router misconfiguration errors.
Updates to router software have led to a DoS attack in the past, but this is a subset of router configuration and rules.
Audit testing and review techniques can cause a DoS attack if tests disable systems or applications, but this is not the most likely risk.
Which of the following is the MOST effective method for disposing of magnetic media that contains confidential information?
A.Degaussing
B.Defragmenting
C.Erasing
D.Destroying
D is the correct answer.
Justification
Degaussing or demagnetizing is a good control, but not sufficient to fully erase highly confidential information from magnetic media.
The purpose of defragmentation is to improve efficiency by eliminating fragmentation in file systems; it does not remove information.
Erasing or deleting magnetic media does not remove the information; this method simply changes a file’s indexing information.
Destroying magnetic media is the only way to assure that confidential information cannot be recovered.
An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following represents the HIGHEST potential risk?
A.Undocumented approval of some project changes
B.Faulty migration of historical data from the old system to the new system
C.Incomplete testing of the standard functionality of the ERP subsystem
D.Duplication of existing payroll permissions on the new ERP subsystem
B is the correct answer.
Justification
Undocumented changes (leading to scope creep) are a risk, but the greatest risk is the loss of data integrity when migrating data from the old system to the new system.
The most significant risk after a payroll system conversion is loss of data integrity resulting in the organization being unable to pay employees in a timely and accurate manner. Loss of data integrity can also result in incorrect records of past payments. As a result, maintaining data integrity and accuracy during migration is paramount.
A lack of testing is always a risk; however, in this case, the new payroll system is a subsystem of an existing commercially available (and therefore probably well-tested) system.
Setting up the new system, including access permissions and payroll data, always presents some level of risk; however, the greatest risk is related to the migration of data from the old system to the new system.
The MAIN advantage of an information systems (IS) auditor directly extracting data from a general ledger system is:
A.reduction of human resources needed to support the audit.
B.reduction in the time to have access to the information.
C.greater flexibility for the audit department.
D.greater assurance of data validity.
D is the correct answer.
Justification
Although the burden on human resources to support the audit may decrease if the information systems (IS) auditor directly extracts the data, this advantage is not as significant as the increased data validity.
This will not necessarily reduce the time to have access to the information, because time will need to be scheduled for training and granting access.
There may be more flexibility for the IS auditor to adjust the data extracts to meet various audit requirements; however, this is not the main advantage.
If the IS auditor executes the data extraction, there is greater assurance that the extraction criteria will not interfere with the required completeness, and, therefore, all required data will be collected. Asking IT to extract the data may expose the risk of filtering out exceptions that should be seen by the auditor. Also, if the IS auditor collects the data, all internal references correlating the various data tables/elements will be understood, and this knowledge may reveal vital elements to the completeness and correctness of the overall audit activity.
An offsite information processing facility (IPF) with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a:
A.cold site.
B.warm site.
C.dial-up site.
D.duplicate processing facility.
A is the correct answer.
Justification
A cold site is ready to receive equipment but does not offer any components at the site in advance of the need.
A warm site is an offsite backup facility that is partially configured with network connections and selected peripheral equipment—such as disk units, controllers and central processing units—to operate an information processing facility (IPF).
A dial-up site is used for remote access, but not for offsite information processing.
A duplicate IPF is a dedicated, fully developed recovery site that can back up critical applications.
The reason for establishing a stop or freezing point on the design of a new system is to:
A.prevent further changes to a project in process.
B.indicate the point at which the design is to be completed.
C.require that changes after that point be evaluated for cost-effectiveness.
D.provide the project management team with more control over the project design.
C is the correct answer.
Justification
The stop point is intended to provide greater control over changes but not to prevent them.
The stop point is used for project control but not to create an artificial fixed point that requires the design of the project to cease.
Projects often tend to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all the cost benefits and the payback period.
A stop point is used to control requirements, not project design.
The output of the risk management process is an input for making:
A.business plans.
B.audit charters.
C.security policy decisions.
D.software design decisions.
C is the correct answer.
Justification
Making a business plan is not the goal of the risk management process.
Risk management can help create the audit plan, but not the audit charter.
The risk management process is about making specific, security-related decisions, such as the level of acceptable risk.
Risk management drives the design of security controls in software, but influencing security policy is more important.
An organization requests that an information systems (IS) auditor provide a recommendation to enhance the security and reliability of its Voice-over Internet Protocol (VoIP) system and data traffic. Which of the following meets this objective?
A.VoIP infrastructure needs to be segregated using virtual local area networks.
B.Buffers need to be introduced at the VoIP endpoints.
C.Ensure that end-to-end encryption is enabled in the VoIP system.
D.Ensure that emergency backup power is available for all parts of the VoIP infrastructure.
A is the correct answer.
Justification
Segregating the Voice-over Internet Protocol (VoIP) traffic using virtual local area networks (VLANs) best protects the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (which helps to ensure uptime).
The use of packet buffers at VoIP endpoints is a method to maintain call quality, not a security method.
Encryption is used when VoIP calls use the Internet (not the local area network (LAN)) for transport because the assumption is that the physical security of the building and the Ethernet switch and VLAN security are adequate.
The design of the network and the proper implementation of VLANs are more critical than ensuring that all devices are protected by emergency power.
A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in:
A.with their named account to make the changes.
B.with the shared DBA account to make the changes.
C.to the server administrative account to make the changes.
D.to the user’s account to make the changes.
A is the correct answer.
Justification
Logging in using the named user account before using the database administrator (DBA) account provides accountability by noting the person making the changes.
The DBA account is typically a shared user account. The shared account makes it difficult to establish the identity of the support user who is performing the database update.
The server administrative accounts are shared and may be used by multiple support users. In addition, the server privilege accounts may not have the ability to perform database changes.
The use of a normal user account does not have sufficient privileges to make changes on the database.
An information systems (IS) auditor discovers that some users installed personal software on their PCs. This is not explicitly forbidden by the security policy. The BEST approach for an IS auditor is to recommend that the:
A.IT department implement control mechanisms to prevent unauthorized software installation.
B.security policy be updated to include the specific language regarding unauthorized software.
C.IT department prohibit the download of unauthorized software.
D.users obtain approval from an IS manager before installing nonstandard software.
B is the correct answer.
Justification
An information systems (IS) auditor’s obligation is to report on observations noted and make the best recommendation, which is to address the situation through policy. The IT department cannot implement controls in the absence of the authority provided through policy.
Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue—and provide authority for the IT department to implement technical controls.
Preventing downloads of unauthorized software is not the complete solution. Unauthorized software can also be introduced through compact discs (CDs) and USB drives.
Requiring approval from the IS manager before installation of the nonstandard software is an exception handling control. It would not be effective unless a preventive control to prohibit user installation of unauthorized software is established first.
Which of the following should be the FIRST action of an information systems (IS) auditor during a dispute with a department manager over audit findings?
A.Retest the control to validate the finding.
B.Engage a third party to validate the finding.
C.Include the finding in the report with the department manager’s comments.
D.Revalidate the supporting evidence for the finding.
D is the correct answer.
Justification
Retesting the control normally occurs after the evidence has been revalidated.
Although there are cases where a third party may be needed to perform specialized audit procedures, an information systems (IS) auditor should first revalidate the supporting evidence to determine whether there is a need to engage a third party.
Before putting a disputed finding or management response in the audit report, the IS auditor should take care to review the evidence that is used in the finding to ensure audit accuracy.
Conclusions drawn by an IS auditor should be adequately supported by evidence, and any compensating controls or corrections that are pointed out by a department manager should be taken into consideration. Therefore, the first step is to revalidate the evidence for the finding. If, after revalidating and retesting, there are unsettled disagreements, those issues should be included in the report.
During the planning stage of an information systems (IS) audit, the PRIMARY goal of an IS auditor is to:
A.address audit objectives.
B.collect sufficient evidence.
C.specify appropriate tests.
D.minimize audit resources.
A is the correct answer.
Justification
ISACA Information Systems (IS) Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives. The activities described in the other options are all undertaken to address audit objectives and, thus, are secondary.
The IS auditor does not collect evidence in the planning stage of an audit.
Specifying appropriate tests is not the primary goal of audit planning.
Effective use of audit resources is a goal of audit planning, not minimizing audit resources.
An information systems (IS) auditor is reviewing an organization’s information security policy, which requires encryption of all data placed on USB drives. The policy also requires that a specific encryption algorithm be used. Which of the following algorithms would provide the greatest assurance that data placed on USB drives is protected from unauthorized disclosure?
A.Data Encryption Standard (DES)
B.Message digest 5
C.Advanced Encryption Standard (AES)
D.Secure Shell (SSH)
C is the correct answer.
Justification
Data Encryption Standard (DES) is susceptible to brute force attacks and has been broken publicly; therefore, it does not provide assurance that data encrypted using DES will be protected from unauthorized disclosure.
Message digest 5 (MD5) is an algorithm used to generate a one-way hash of data (a fixed-length value) to test and verify data integrity. MD5 does not encrypt data but puts data through a mathematical process that cannot be reversed. As a result, MD5 cannot be used to encrypt data on a USB drive.
Advanced Encryption Standard (AES) provides the strongest encryption of all the choices listed and provides the greatest assurance that data are protected. Recovering data encrypted with AES is considered computationally infeasible; therefore, AES is the best choice for encrypting sensitive data.
Secure Shell (SSH) is a protocol that is used to establish a secure, encrypted, command-line shell session, typically for remote logon. Although SSH encrypts data transmitted during a session, SSH cannot encrypt data at rest, including data on USB drives. As a result, SSH is not appropriate for this scenario.
While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location is:
A.shadow file processing.
B.electronic vaulting.
C.hard-disk mirroring.
D.hot-site provisioning.
A is the correct answer.
Justification
In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files, such as airline booking systems.
Electronic vaulting electronically transmits data either to direct access storage, an optical disc or another storage medium; this is a method used by banks. This method is not usually in real time, unlike a shadow file system.
Hard-disk mirroring provides redundancy in case the primary hard disk fails. All transactions and operations occur on two hard disks in the same server.
A hot site is an alternate site ready to take over business operations within a few hours of any business interruption and is not a method for backing up data.
From a control perspective, the PRIMARY objective of classifying information assets is to:
A.establish guidelines for the level of access controls that should be assigned.
B.ensure access controls are assigned to all information assets.
C.assist management and auditors in risk assessment.
D.identify which assets need to be insured against losses.
A is the correct answer.
Justification
Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset.
Not all information needs to be protected through access controls. Overprotecting data would be expensive.
The classification of information is usually based on the risk assessment, not the other way around.
Insuring assets is valid; however, this is not the primary objective of information classification.
An information systems (IS) auditor has been asked by management to review a potentially fraudulent transaction. The PRIMARY focus of the IS auditor while evaluating the transaction should be to:
A.maintain impartiality while evaluating the transaction.
B.ensure that the independence of the IS auditor is maintained.
C.ensure that the integrity of the evidence is maintained.
D.assess all relevant evidence for the transaction.
C is the correct answer.
Justification
Although it is important for an information systems (IS) auditor to be impartial, in this case it is more critical that the evidence be preserved.
Although it is important for an IS auditor to maintain independence, in this case, it is more critical that the evidence be preserved.
The IS auditor has been requested to perform an investigation to capture evidence that may be used for legal purposes, and, therefore, maintaining the integrity of the evidence should be the foremost goal. Improperly handled computer evidence is subject to being ruled inadmissible in a court of law.
Although it is also important to assess all relevant evidence, it is more important to maintain the chain of custody, which ensures the integrity of evidence.
Which of the following provides the MOST relevant information for proactively strengthening security settings?
A.Bastion host
B.Intrusion detection system (IDS)
C.Honeypot
D.Intrusion prevention system (IPS)
C is the correct answer.
Justification
A bastion host is a hardened system used to host services. It does not provide information about an attack.
Intrusion detection systems (IDSs) are designed to detect and address an attack in progress and stop it as soon as possible.
The design of a honeypot is such that it lures the hacker and provides clues about the hacker’s methods and strategies, and the resources required to address such attacks. A honeypot allows the attack to continue, to obtain information about the hacker’s strategy and methods.
Intrusion prevention systems (IPS) are designed to detect and address an attack in progress and stop it as soon as possible.
An information systems (IS) auditor performing an application maintenance audit would review the log of program changes for the:
A.authorization of program changes.
B.creation date of a current object module.
C.number of program changes actually made.
D.creation date of a current source program.
A is the correct answer.
Justification
The auditor wants to ensure that only authorized changes have been made to the application. The auditor would therefore review the log of program changes to verify that all changes have been approved.
The creation date of the current object module does not indicate earlier changes to the application.
The auditor reviews the system to notice the number of changes actually made but then verifies that all the changes were authorized.
The creation date of the current source program does not identify earlier changes.
An information systems (IS) auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the:
A.EDI trading partner agreements.
B.physical controls for terminals.
C.authentication techniques for sending and receiving messages.
D.program change control procedures.
C is the correct answer.
Justification
Electronic data interchange trading partner agreements minimize exposure to legal issues but do not resolve the problem of unauthorized transactions.
Physical control is important and may provide protection from unauthorized people accessing the system but does not provide protection from unauthorized transactions by authorized users.
Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions.
Change control procedures do not resolve the issue of unauthorized transactions.
The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
A.lack of investment in technology.
B.lack of a methodology for systems development.
C.technology not aligning with organization objectives.
D.absence of control over technology contracts.
C is the correct answer.
Justification
Lack of management commitment almost certainly affects investment, but the primary loss is the lack of alignment of IT strategy with the strategy of the business.
Systems development methodology is a process-related function and not a key concern of management.
A steering committee should exist to ensure that the IT strategies support the organization’s goals. The absence of an information technology committee or a committee not composed of senior managers is an indication of a lack of top-level management commitment. This condition increases the risk that IT is not aligned with organization strategy.
Approval for contracts is a business process and is controlled through financial process controls. This is not applicable here.
Organizations requiring employees to take a mandatory vacation each year PRIMARILY want to ensure that:
A.adequate cross-training exists between functions.
B.an effective internal control environment is in place by increasing morale.
C.potential irregularities in processing are identified by a temporary replacement.
D.the risk of processing errors is reduced.
C is the correct answer.
Justification
Cross-training is a good practice to follow but can be achieved without the requirement for mandatory vacation.
Good employee morale and high levels of employee satisfaction are worthwhile objectives, but they should not be considered a means to achieve an effective internal control system.
Employees who perform critical and sensitive functions within an organization should be required to take some time off to help ensure that irregularities and fraud are detected.
Although rotating employees can contribute to fewer processing errors, this is not typically a reason to require a mandatory vacation policy.
During an assessment of software development practices, an information systems (IS) auditor finds that open-source software components were used in an application designed for a client. What is the GREATEST concern that the auditor has about the use of open-source software?
A.The client did not pay for the open-source software components.
B.The organization and client must comply with open-source software license terms.
C.Open-source software has security vulnerabilities.
D.Open-source software is unreliable for commercial use.
B is the correct answer.
Justification
A major benefit of using open-source software is that it is free. The client is not required to pay for the open-source software components; however, both the developing organization and the client should be concerned about the licensing terms and conditions of the open source software components that are being used.
There are many types of open-source software licenses and each has different terms and conditions. Some open-source software licensing allows use of the open-source software component freely but requires that the completed software product must also allow the same rights. This is known as viral licensing, and if the development organization is not careful, its products can violate licensing terms by selling the product for profit. The information systems (IS) auditor should be most concerned with open-source software licensing compliance to avoid unintended intellectual property risk or legal consequences.
Open-source software, just like any software code, should be tested for security flaws and should be part of the normal system development life cycle (SDLC) process. This is not more of a concern than licensing compliance.
Open-source software does not inherently lack quality. Like any software code, it should be tested for reliability and should be part of the normal SDLC process. This is not more of a concern than licensing compliance.
The information systems (IS) auditor is reviewing a recently completed conversion to a new enterprise resource planning system. In the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy?
A.Significant cost savings over other testing approaches
B.Assurance that new, faster hardware is compatible with the new system
C.Assurance that the new system meets functional requirements
D.Increased resiliency during the parallel processing time
C is the correct answer.
Justification
Parallel operation is generally expensive and does not provide a cost savings over most other testing approaches. In many cases, parallel operation is the most expensive form of system testing due to the need for dual data entry, dual sets of hardware, dual maintenance and dual backups. Parallel operation is twice the amount of work as running a production system and, therefore, costs more time and money.
Hardware compatibility should be determined and tested much earlier in the conversion project and is not an advantage of parallel operation. Compatibility is generally determined based on the application’s published specifications and on system testing in a lab environment. Parallel operation is designed to test the application’s effectiveness and integrity of application data, not hardware compatibility. In general, hardware compatibility relates more to the operating system level than to a particular application. Although new hardware in a system conversion must be tested under a real production load, this can be done without parallel systems.
Parallel operation provides a high level of assurance that the new system functions properly compared to the old system, and therefore, the new system meets its functional requirements. This is the safest form of system conversion testing because, if the new system fails, the old system is still available for production use. In addition, this form of testing allows the application developers and administrators to simultaneously run operational tasks (e.g., batch jobs and backups) on both systems, to ensure that the new system is reliable before unplugging the old system.
Increased resiliency during parallel processing is a legitimate outcome from this scenario, but the advantage it provides is temporary and minor, so this is not the correct answer.
Information systems (IS) control objectives are useful to IS auditors because they provide the basis for understanding the:
A.desired result or purpose of implementing specific control procedures.
B.best information systems (IS) security control practices relevant to a specific entity.
C.techniques for securing information.
D.security policy.
A is the correct answer.
Justification
An information systems (IS) control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IS activity.
Control objectives provide the actual objectives for implementing controls and may or may not be based on good practices.
Techniques are the means of achieving an objective, but it is more important to know the reason and objective for the control than to understand the technique itself.
A security policy mandates the use of IS controls, but the controls are not used to understand policy.
An information systems (IS) auditor of a large organization is reviewing the roles and responsibilities of the IT function and finds some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor?
A.Network administrators are responsible for quality assurance.
B.System administrators are application programmers.
C.End users are security administrators for critical applications.
D.Systems analysts are database administrators (DBAs).
B is the correct answer.
Justification
Ideally, network administrators should not be responsible for quality assurance because they can approve their own work. However, that is not as serious as the combination of system administrator and application programmer, which allows nearly unlimited abuse of privilege.
When individuals serve multiple roles, this represents a separation-of-duties problem with associated risk. System administrators should not be application programmers, due to the associated rights of both functions. A person with both system and programming rights can do almost anything on a system, including creating a back door. The other combinations of roles are valid from a separation-of-duties perspective.
In some distributed environments, especially with small staffing levels, users may also manage security.
Although a database administrator (DBA) is a very privileged position, it is not in conflict with the role of a systems analyst.
An information systems (IS) auditor examining the security configuration of an operating system (OS) should review the:
A.transaction logs.
B.authorization tables.
C.parameter settings.
D.routing tables.
C is the correct answer.
Justification
Transaction logs are used to track and analyze transactions related to an application or system interface, but that is not the primary source of audit evidence in an operating system (OS) audit.
Authorization tables are used to verify implementation of logical access controls and will not be of much help when reviewing control features of an OS.
Configuration parameters allow a standard piece of software to be customized for diverse environments and are important in determining how a system runs. The parameter settings should be appropriate to an organization’s workload and control environment. Improper implementation and/or monitoring of OSs can result in undetected errors and corruption of the data being processed, and lead to unauthorized access and inaccurate logging of system usage.
Routing tables do not contain information about the OS and, therefore, provide no information to aid in the evaluation of controls.
Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery between two organizations?
A.Developments may result in hardware and software incompatibility.
B.Resources may not be available when needed.
C.The recovery plan cannot be live tested.
D.The security infrastructures in each organization may be different.
A is the correct answer.
Justification
If one organization updates its hardware and software configuration, it may mean it is no longer compatible with the other party’s systems in the agreement. This may mean that each organization is unable to use the facilities at the other organization to recover its processing following a disaster.
Resources unavailable when needed are an intrinsic risk in any reciprocal agreement, but this is a contractual matter and not the greatest risk.
The plan can be tested by paper-based walk-throughs and possibly by agreement between the organizations.
The difference in security infrastructures, although a risk, is not insurmountable.
Due to a reorganization, a business application system will be extended to other departments. Which of the following should be of the GREATEST concern for an information systems (IS) auditor?
A.Process owners have not been identified.
B.The billing cost allocation method has not been determined.
C.Multiple application owners exist.
D.A training program does not exist.
A is the correct answer.
Justification
When one application is expanded to multiple departments, it is important to ensure the mapping between the process owner and system functions. The absence of a defined process owner may cause issues with monitoring or authorization controls.
Cost allocation is the method business owners use to calculate profitability for the purpose of financial reporting. The billing cost allocation method of application usage is of less importance than identifying process owners.
The fact that multiple application owners exist is not a concern for an information systems (IS) auditor if process owners have been identified, because the process owners are responsible for the specific process.
The lack of a training program is only a minor concern for the IS auditor.
An information systems (IS) auditor reviewing access controls for a client-server environment should FIRST:
A.evaluate the encryption technique.
B.identify the network access points.
C.review the identity management system.
D.review the application-level access controls.
B is the correct answer.
Justification
Evaluating encryption techniques would be performed at a later stage of the review.
A client-server environment typically contains several access points and uses distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client-server environment, all network access points should be identified.
Reviewing the identity management system would be performed at a later stage of the review.
Reviewing the application-level access controls would be performed at a later stage of the review.
When evaluating the collective effect of preventive, detective and corrective controls within a process, an information systems (IS) auditor should be aware of which of the following?
A.The point at which controls are exercised as data flow through the system.
B.Only preventive and detective controls are relevant.
C.Corrective controls are regarded as compensating.
D.Classification allows an IS auditor to determine the controls that are missing.
A is the correct answer.
Justification
An information systems (IS) auditor should focus on when controls are exercised as data flow through a computer system.
Corrective controls may also be relevant because they allow an error or problem to be corrected.
Corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls.
The existence and function of controls are important but not the classification.
Which of the following would an information systems (IS) auditor consider to be MOST helpful when evaluating the effectiveness and adequacy of a preventive computer maintenance program?
A.System downtime log
B.Vendor reliability figures
C.Regularly scheduled maintenance log
D.Written preventive maintenance schedule
A is the correct answer.
Justification
A system downtime log provides evidence regarding the effectiveness and adequacy of computer preventive maintenance programs. The log is a detective control, but because it is validating the effectiveness of the maintenance program, it is validating a preventive control.
Vendor reliability figures are not an effective measure of a preventive maintenance program.
Reviewing the log is a good detective control to ensure that maintenance is being done; however, only the system downtime will indicate whether the preventive maintenance is actually working well.
A schedule is a good control to ensure that maintenance is scheduled and that no items are missed in the maintenance schedule; however, it is not a guarantee that the work is actually being done.
An information systems (IS) auditor is carrying out a system configuration review. Which of the following is the BEST evidence in support of the current system configuration settings?
A.System configuration values that are imported to a spreadsheet by the system administrator
B.Standard report with configuration values that are retrieved from the system by the information systems (IS) auditor
C.Dated screenshot of the system configuration settings that are made available by the system administrator
D.Annual review of approved system configuration values by the business owner
B is the correct answer.
Justification
Evidence that is not system-generated information can be modified before it is presented to an information systems (IS) auditor. Therefore, it may not be as reliable as evidence that is obtained by the IS auditor. For example, a system administrator can change the settings or modify the graphic image before taking a screenshot.
Evidence that is obtained directly from the source by an IS auditor is more reliable than information that is provided by a system administrator or a business owner because the IS auditor does not have a vested interest in the outcome of the audit.
The rules may be modified by the administrator prior to taking the screenshot; therefore, this is not the best evidence.
The annual review provided by a business owner may not reflect current information.
Which of the following BEST provides assurance of the integrity of new staff?
A.Background screening
B.References
C.Bonding
D.Qualifications listed on a resume
A is the correct answer.
Justification
A background screening is the primary method for assuring the integrity of a prospective staff member. This may include criminal history checks, driver’s license abstracts, financial status checks, verification of education, etc.
References are important and need to be verified, but they are not as reliable as background screening, because the references themselves may not be validated as trustworthy.
Bonding is directed at due-diligence compliance and does not ensure integrity.
Qualifications listed on a resume may be used to demonstrate proficiency but will not indicate the integrity of the candidate employee.
During an information systems (IS) audit, which is the BEST method for an IS auditor to evaluate the implementation of separation of duties within an IT department?
A.Discuss with the IT managers.
B.Review the IT job descriptions.
C.Research past IT audit reports.
D.Evaluate the organizational structure.
A is the correct answer.
Justification
Discussing the implementation of separation of duties with the IT managers is the best way to determine how responsibilities are assigned within the department.
Job descriptions may not be the best source of information because they can be outdated, or what is documented in the job descriptions may be different from what is performed.
Past information systems (IS) audit reports are not the best source of information because they may not accurately describe how IT responsibilities are assigned.
Evaluating the organizational structure may give a limited view on the allocation of IT responsibilities. The responsibilities also may have changed over time.
An information systems (IS) auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
A.verify how the organization complies with the standards.
B.identify and report the existing controls.
C.review the metrics for quality evaluation.
D.request all standards adopted by the organization.
D is the correct answer.
Justification
The auditor needs to know what standards the organization has adopted and then measure compliance with those standards. Determining how the organization follows the standards is secondary to knowing what the standards are.
The first step is to know the standards and what policies and procedures are mandated for the organization, then to document the controls and measure compliance.
The metrics cannot be reviewed until the auditor has a copy of the standards that describe or require the metrics.
Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows its own standards cannot be performed until the information systems (IS) auditor has determined what standards exist.
An organization’s information systems (IS) audit charter should specify the:
A.plans for IS audit engagements.
B.objectives and scope of IS audit engagements.
C.detailed training plan for the IS audit staff.
D.role of the IS audit function.
D is the correct answer.
Justification
Planning is the responsibility of audit management.
The objectives and scope of each information systems (IS) audit should be agreed on in an engagement letter. The charter specifies the objectives and scope of the audit function but not of individual engagements.
A training plan that is based on the audit plan should be developed by audit management.
An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. The charter should be approved by the highest level of management and, if available, by the audit committee.
*When reviewing the development of information security policies, the PRIMARY focus of an information systems (IS) auditor should be on assuring that these policies:
A.are aligned with globally accepted industry good practices.
B.are approved by the board of directors and senior management.
C.strike a balance between business and security requirements.
D.provide direction for implementing security procedures.
C is the correct answer.
Justification
An organization is not required to base its IT policies on industry good practices. Policies must be based on the culture and business requirements of the organization.
It is essential that policies be approved; however, that is not the primary focus during the development of the policies.
Because information security policies must be aligned with an organization’s business and security objectives, this is the primary focus of the information systems (IS) auditor when reviewing the development of information security policies.
Policies cannot provide direction if they are not aligned with business requirements.
What kind of software application testing is considered the final stage of testing and typically includes users outside of the development team?
A.Alpha testing
B.White box testing
C.Regression testing
D.Beta testing
D is the correct answer.
Justification
Alpha testing is the testing stage just before beta testing. Alpha testing is typically performed by programmers and business analysts, instead of users. Alpha testing is used to identify bugs or glitches that can be fixed before beta testing begins with external users.
White box testing is performed much earlier in the software development life cycle than alpha or beta testing. White box testing is used to assess the effectiveness of software program logic, where test data are used to determine procedural accuracy of the programs being tested. This testing stage determines if the program operates the way it is supposed to at a functional level. White box testing does not typically involve external users.
Regression testing is the process of re-running a portion of a test scenario to ensure that changes or corrections have not introduced more errors (i.e., the same tests are run after multiple successive program changes to ensure that the fix for one problem did not break another part of the program). Regression testing is not the last stage of testing and does not typically involve external users.
Beta testing is the final stage of testing and typically includes users outside of the development area. Beta testing is a form of user acceptance testing and generally involves a limited number of users who are external to the development effort.
An organization has contracted with a vendor for a turnkey solution for its electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:
A.a backup server is available to run ETCS operations with up-to-date data.
B.a backup server is loaded with all relevant software and data.
C.the systems staff of the organization is trained to handle any event.
D.source code of the ETCS application is placed in escrow.
D is the correct answer.
Justification
Having a backup server with current data is critical but not as critical as ensuring the availability of the source code.
Having a backup server with relevant software is critical but not as critical as ensuring the availability of the source code.
Having staff training is critical but not as critical as ensuring the availability of the source code.
Whenever proprietary application software is purchased, the contract should provide for a source code escrow agreement. This agreement ensures that the purchasing organization can modify the software if the vendor ceases to be in business.
A project development team is considering using production data for its test deck. The team removed sensitive data elements before loading the data into the test environment. Which of the following additional concerns should an information systems (IS) auditor have with this practice?
A.Not all functionality will be tested.
B.Production data are introduced into the test environment.
C.Specialized training is required.
D.The project may run over budget.
A is the correct answer.
Justification
A primary risk of using production data in a test deck is that not all transactions or functionality may be tested if there are no data that meet the requirement.
The presence of production data in a test environment is not a concern if the sensitive elements have been scrubbed.
Creation of a test deck from production data does not require specialized knowledge, so this is not a concern.
The risk of a project running over budget is always a concern, but it is not related to the practice of using production data in a test environment.
Which of the following should be of PRIMARY concern to an information systems (IS) auditor reviewing the management of external IT service providers?
A.Minimizing costs for the services provided
B.Prohibiting the provider from subcontracting services
C.Evaluating the process for transferring knowledge to the IT department
D.Determining if the services were provided as contracted
D is the correct answer.
Justification
Minimizing costs, if applicable and achievable (depending on the customer’s need), is traditionally not part of an information systems (IS) auditor’s job. This work is normally done by a line management function within the IT department. Furthermore, during an audit, it is too late to minimize the costs for existing provider arrangements.
Subcontracting providers can be a concern but is not the primary concern. This issue should be addressed in the contract.
Transferring knowledge to the internal IT department might be desirable under certain circumstances but should not be the primary concern of an IS auditor when auditing IT service providers and the management thereof.
From an IS auditor’s perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements.
Which of the following is the MOST reasonable option for recovering a noncritical system?
A.Warm site
B.Mobile site
C.Hot site
D.Cold site
D is the correct answer.
Justification
A warm site is generally available at a medium cost, requires less time to become operational and is suitable for sensitive operations that should be recovered in a moderate amount of time.
A mobile site is a vehicle ready with all necessary computer equipment that can be moved to any location, depending upon the need. The need for a mobile site relies on the scale of operations.
A hot site is contracted for a shorter time period at a higher cost, and it is better suited for recovery of vital and critical applications.
Generally, a cold site is contracted for a longer period at a lower cost. It is generally used for noncritical applications because it requires more time to make a cold site operational.
The extent to which data will be collected during an information systems (IS) audit should be determined based on the:
A.availability of critical and required information.
B.auditor’s familiarity with the circumstances.
C.auditee’s ability to find relevant evidence.
D.purpose and scope of the audit being done.
D is the correct answer.
Justification
The extent to which data will be collected during an information systems (IS) audit should be based on the scope, purpose and requirements of the audit and not be constrained by the ease of obtaining the information or by the IS auditor’s familiarity with the area being audited.
An IS auditor must be objective and thorough and not subject to audit risk through preconceived expected results based on familiarity with the area being audited.
Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee’s ability to find relevant evidence. If evidence is not readily available, the auditor must ensure that other forms of audit are considered to ensure compliance in the area that is subject to audit.
The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An IS audit with a narrow purpose and scope, or just a high-level review, will most likely require less data collection than an audit with a wider purpose and scope.
A programmer maliciously modified a production program to change data and then restored the program back to the original code. Which of the following would MOST effectively detect the malicious activity?
A.Comparing source code
B.Reviewing system log files
C.Comparing object code
D.Reviewing executable and source code integrity
B is the correct answer.
Justification
Source code comparisons are ineffective because the original programs were restored, and the changed program does not exist.
Reviewing system log files is the only trail that may provide information about unauthorized activities in the production library.
Object code comparisons are ineffective because the original programs were restored, and the changed program does not exist.
Reviewing executable and source code integrity is an ineffective control, because the source code was changed back to the original and will agree with the current executable.
*The PRIMARY benefit of an enterprise architecture initiative is to:
A.enable the enterprise to invest in the most appropriate technology.
B.ensure security controls are implemented on critical platforms.
C.allow development teams to be more responsive to business requirements.
D.provide business units with greater autonomy to select IT solutions that fit their needs.
A is the correct answer.
Justification
The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective.
Ensuring that security controls are implemented on critical platforms is important, but this is not the function of the EA. The EA may be concerned with the design of security controls; however, the EA does not help to ensure that they were implemented. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization.
Although the EA process may enable development teams to be more efficient, because they are creating solutions based on standard platforms using standard programming languages and methods, the more critical benefit of the EA is to provide guidance for IT investments of all types, which encompasses much more than software development.
A primary focus of the EA is to define standard platforms, databases and interfaces. Business units that invest in technology need to select IT solutions that meet their business needs and are compatible with the EA of the enterprise. There may be instances when a proposed solution works better for a business unit but is not at all consistent with the EA of the enterprise, so there would be a need to compromise to ensure that the application can be supported by IT. Overall, the EA would restrict the ability of business units in terms of the potential IT systems that they may wish to implement. The support requirements would not be affected in this case.
From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy:
A.is cost-effective.
B.is forward thinking and innovative.
C.is aligned with the business strategy.
D.has the appropriate priority level assigned.
C is the correct answer.
Justification
The IT strategy should be cost-effective, but it must align with the business strategy for the strategy to be effective.
The IT strategy should be forward-thinking and innovative, but it must align with the business strategy to be effective.
The board of directors is responsible for ensuring that the IT strategy is aligned with the business strategy.
The IT strategy should be appropriately prioritized; however, it must align with the business strategy first and then it will be prioritized.
The database administrator (DBA) suggests that database efficiency can be improved by denormalizing some tables. This will result in:
A.loss of confidentiality.
B.increased redundancy.
C.unauthorized accesses.
D.application malfunctions.
B is the correct answer.
Justification
Denormalization should not cause loss of confidentiality even though confidential data may be involved. The database administrator (DBA) should ensure that access controls to the databases remain effective.
Denormalization is a design or optimization process for a relational database that increases redundancy. Redundancy, which is usually considered positive for resource availability, is negative in a database environment because it demands additional and otherwise unnecessary data handling efforts. Denormalization is sometimes advisable for functional reasons.
Denormalization pertains to the structure of the database, not the access controls. It should not result in unauthorized access.
Denormalization may require some changes to the calls between databases and applications but should not cause application malfunctions.
When reviewing the desktop software compliance of an organization, the information systems (IS) auditor should be MOST concerned if the installed software:
A.is installed, but not documented in the IT department records.
B.is being used by users not properly trained in its use.
C.is not listed in the approved software standards document.
D.has a license that will expire in the next 15 days.
C is the correct answer.
Justification
All software, including licenses, should be documented in IT department records, but this is not as serious as the violation of policy in installing unapproved software.
Discovering that users have not been formally trained in the use of a software product is common, and, although not ideal, most software includes help files and other tips that can assist in learning how to use the software effectively.
Installing software not allowed by policy is a serious violation and can put the organization at security, legal and financial risk. Any software that is allowed should be part of a standard software list. This is the first thing to review because this would also indicate compliance with policies.
A software license that is about to expire is not a risk if there is a process in place to renew it.
*Enterprise governance of IT frameworks MAINLY helps organizations address business issues by:
A.aligning high-level strategic objectives with operational-level objectives, followed by direct work outcomes.
B.establishing a risk management capability to address business issues and preserve the value delivered to stakeholders.
C.developing a roadmap to help fill in the gap between the current state (as-is) and the desired state (to-be).
D.conducting multiple meetings with different stakeholder groups to learn about their expectations.
A is the correct answer.
Justification
The strategic alignment between business objectives and enterprise IT objectives is one of the most important advantages of applying enterprise governance of information and technology (EGIT) frameworks because it helps in achieving enterprise objectives and delivering value at a reasonable cost.
Establishing risk management practices and processes as part of EGIT frameworks is much more effective after aligning the objectives of enterprise IT with the strategic direction of the organization, better preserving the value delivered to stakeholders.
Conducting assessments and developing roadmaps comes after establishing strategic alignment between enterprise IT and business strategies.
Such meetings are a good tool to develop successful enterprise IT strategies but should be done after understanding the business strategies and aligning enterprise IT with them.
*Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity?
A.Statistical-based
B.Signature-based
C.Neural network
D.Host-based
A is the correct answer.
Justification
A statistical-based intrusion detection system (IDS) relies on a definition of known and expected behavior of systems. Because normal network activity may, at times, include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious.
A signature-based IDS is limited to its predefined set of detection rules, just like a virus scanner. Signature-based systems traditionally have low levels of false positives but may be weak at detecting new attacks.
A neural network combines statistical- and signature-based IDSs to create a hybrid and better system.
Host-based is another type of IDS, but it would not be used to monitor network activity.
During a postimplementation review, which of the following activities should be performed?
A.User acceptance testing (UAT)
B.Return on investment (ROI) analysis
C.Activation of audit trails
D.Updates of the state of enterprise architecture (EA) diagrams
B is the correct answer.
Justification
User acceptance testing (UAT) supports the process of ensuring that the system is production ready and satisfies all documented requirements. User acceptance testing should be performed prior to the implementation (perhaps during the development phase), not after the implementation.
Following implementation, a cost-benefit analysis or return on investment (ROI) should be reperformed to verify that the original business case benefits are delivered and business value is created.
An audit trail is a detailed record of the activities on a database or system. The audit trail should be activated during the implementation of the application, not during the postimplementation review.
Although updating the enterprise architecture (EA) diagrams is a good practice, it is not normally part of a postimplementation review.
Which of the following is the BEST way for an information systems (IS) auditor to determine the effectiveness of a security awareness and training program?
A.Review the security training program.
B.Ask the security administrator.
C.Interview a sample of employees.
D.Review the security reminders to employees.
C is the correct answer.
Justification
A security training program may be well designed, but the results of the program are determined by employee awareness.
Asking the security administrator does not show the effectiveness of a security awareness and training program, because such a program should target more than just the administrator.
Interviewing a sample of employees is the best way to determine the effectiveness of a security awareness and training program because overall awareness must be determined, and effective security is dependent on people. Reviewing the security training program would not be the ultimate indicator of the effectiveness of the awareness training.
Reviewing the security reminders to the employees is not the best way to find out the effectiveness of the training awareness, because sending reminders may result in little actual awareness.
Which of the following situations is addressed by a software escrow agreement?
A.The system administrator requires access to software to recover from a disaster.
B.A user requests to have software reloaded onto a replacement hard drive.
C.The vendor of custom-written software goes out of business.
D.An information systems (IS) auditor requires access to software code written by the organization.
C is the correct answer.
Justification
Access to software should be managed by an internally managed software library. Escrow refers to the storage of software with a third party—not the internal libraries.
Providing the user with a backup copy of software is not escrow. Escrow requires that a copy be kept with a trusted third party.
A software escrow is a legal agreement between a software vendor and a customer to guarantee access to source code. The application source code is held by a trusted third party, according to the contract. This agreement is necessary in the event that the software vendor goes out of business, there is a contractual dispute with the customer or the software vendor fails to maintain an update of the software as promised in the software license agreement.
Software escrow is used to protect the intellectual property of software developed by one organization and sold to another organization. This is not used for software being reviewed by an auditor of the organization that wrote the software.
An information systems (IS) auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening?
A.The default configurations are changed.
B.All tables in the database are denormalized.
C.Stored procedures and triggers are encrypted.
D.The service port used by the database server is changed.
A is the correct answer.
Justification
Default database configurations, such as default passwords and services, need to be changed; otherwise, the database can be easily compromised by malicious code and by intruders.
The denormalization of a database is related more to performance than to security.
Limiting access to stored procedures is a valid security consideration but not as critical as changing default configurations.
Changing the service port used by the database is a component of the configuration changes that can be made to the database, but other more critical configuration changes should be made first.
An organization implemented an online customer help desk application using a software as a service (SaaS) operating model. An information systems (IS) auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor regarding availability. What is the BEST recommendation that the IS auditor can provide?
A.Ask the SaaS vendor to provide a weekly report on application uptime.
B.Implement an online polling tool to monitor the application and record outages.
C.Log all application outages reported by users and aggregate the outage time weekly.
D.Contract an independent third party to provide weekly reports on application uptime.
B is the correct answer.
Justification
Weekly application availability reports are useful, but these reports represent only the vendor’s perspective. While monitoring these reports, the organization can raise concerns of inaccuracy; however, without internal monitoring, such concerns cannot be substantiated.
Implementing an online polling tool to monitor and record application outages is the best option for an organization to monitor the software as a service application availability. Comparing internal reports with the vendor’s service level agreement (SLA) reports ensures that the vendor’s monitoring of the SLA is accurate and that all conflicts are appropriately resolved.
Logging the outage times reported by users is helpful but does not give a true picture of all outages of the online application. Some outages may go unreported, especially if the outages are intermittent.
Contracting a third party to implement availability monitoring is not a cost-effective option. Additionally, this results in a shift from monitoring the software as a service (SaaS) vendor to monitoring the third party.
An information systems (IS) auditor is verifying IT policies and finds that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST?
A.Ignore the absence of management approval because employees follow the policies.
B.Recommend immediate management approval of the policies.
C.Emphasize the importance of approval to management.
D.Report the absence of documented approval.
D is the correct answer.
Justification
Absence of management approval is an important (material) finding and, although it is not currently a compliance issue because the employees are following the policy without approval, it may become a problem at a later time and should be resolved.
Although the information systems (IS) auditor would likely recommend that the policies should be approved as soon as possible and may also remind management of the critical nature of this issue, the first step is to report this issue to the relevant stakeholders.
The first step is to report the finding and provide recommendations later.
The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee was terminated as a result of violating an organizational policy, and it was discovered that the policies had not been approved, the organization may face a lawsuit.
For which of the following controls would an information systems (IS) auditor look in an environment where duties cannot be appropriately segregated?
A.Overlapping controls
B.Boundary controls
C.Access controls
D.Compensating controls
D is the correct answer.
Justification
Overlapping controls are two controls addressing the same control objective or exposure. Because primary controls cannot be achieved when duties cannot be, or are not, appropriately segregated, it is difficult to install overlapping controls.
Boundary controls establish the interface between the would-be user of a computer system and the computer system itself and are individual-based, not role-based, controls.
Access controls for resources are based on individuals and not on roles. For a lack of separation of duties, the information systems (IS) auditor expects to find that a person has higher levels of access than are ideal. The IS auditor wants to find compensating controls to address this risk.
Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.
When reviewing a hardware maintenance program, an information systems (IS) auditor should assess whether:
A.the schedule of all unplanned maintenance is maintained.
B.it is in line with historical trends.
C.it has been approved by the IS steering committee.
D.the program is validated against vendor specifications.
D is the correct answer.
Justification
Unplanned maintenance cannot be scheduled.
Hardware maintenance programs do not necessarily need to be in line with historic trends.
Maintenance schedules normally are not approved by the steering committee.
Although maintenance requirements vary based on complexity and performance workloads, a hardware maintenance schedule should be validated against the vendor-provided specifications.