When installing an intrusion detection system, which of the following is MOST important? A) Identifying messages that need to be quarantined B) Properly locating it in the network architecture An organization is proposing to establish a wireless local area network (WLAN). Management asks the IS auditor to recommend security controls for the WLAN. Which of the following would be the MOST appropriate recommendation? A)
Implement the Simple Network Management Protocol to allow active monitoring. D) Physically secure wireless access points to prevent tampering. During the review of an in-house developed application, the GREATEST concern to an IS auditor is if a: A) manager approves a change request and then reviews it in production. C) manager initiates a change request and subsequently approves it. To protect a Voice-over Internet Protocol infrastructure against a denial-of- service attack, it is MOST important to secure the: A) intrusion detection system. B) session border controllers. An IS auditor is reviewing the change management process for an enterprise resource planning application. Which of the following is the BEST method for testing program changes? A) Select a sample of change tickets and review them for authorization. C) Trace a sample of modified programs to supporting change tickets. Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would BEST provide assurance that transmission of information is secure while the production support team at ABC is providing support to XYZ? A) Hash
functions D) Virtual private network tunnel A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant
position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and - A) age, because training in audit techniques may be impractical. D) ability, as an IS auditor, to be independent of existing IT relationships. An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system application is to: A) encrypt electronic orders. D) verify the identity of senders and determine if orders correspond to contract terms.
B) Properly locating it in the network architecture
C) Preventing denial-of-service attacks
D) Minimizing the rejection errors
B) Use service set identifiers that clearly identify the organization.
C) Encrypt traffic using the Wired Equivalent Privacy mechanism.
D) Physically secure wireless access points to prevent tampering.
B) programmer codes a change in the development environment and tests it in the test environment.
C) manager initiates a change request and subsequently approves it.
D) user raises a change request and tests it in the test
environment.
B) session border
controllers.
C) backbone gateways.
D) access control servers
B) Use query software to analyze all change tickets for missing fields.
C) Trace a sample of modified programs to supporting change tickets.
D) Perform a walk-through by tracing a program change from start to finish.
B) Secret key encryption
C) Dynamic Internet protocol address and port
D) Virtual private network tunnel
B) length of service, because this will help ensure technical competence.
C) IT knowledge, because this will bring enhanced credibility to the audit function.
D) ability, as an IS auditor, to be independent of existing IT relationships.
B) perform reasonableness checks on
quantities ordered before filling orders.
C) acknowledge receipt of electronic orders with a confirmation message.
D) verify the identity of senders and determine if orders correspond to contract terms.
An internal audit function is reviewing an internally developed common gateway interface script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern?
A) Unauthorized access
B) System unavailability
C) Exposure to malware
D) System integrity
Which of the following would MOST likely be considered a conflict of interest for an IS auditor who is reviewing a cybersecurity implementation?
A) Designing the cybersecurity controls
B) Conducting the vulnerability assessment
C) Delivering cybersecurity awareness training
D) Advising on the cybersecurity framework
A) Designing the cybersecurity controls
An IS auditor suspects an incident is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST?
A) Request that the system be shut down to preserve evidence.
B) Ask for immediate suspension of the suspect accounts.
C) Investigate the source and nature of the incident.
D) Report the incident to management.
D) Report the incident to management.
The internal audit division of an organization is planning a general IS audit as part of their internal IS audit function. Which of the following activities takes place during the FIRST step of the planning phase?
A) Identification
of key information owners
B) Development of a risk assessment
C) Define the audit scope
D) Development of an audit program
B) Development of a risk assessment
The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called:
A) authentication.
B) data integrity.
C) nonrepudiation.
D) replay protection.
The Secure Sockets Layer protocol ensures the confidentiality of a message by using:
A) message authentication codes.
B) symmetric encryption.
C) hash function.
D) digital signature certificates.
An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT auditor to take?
A) Retest the control to confirm the finding.
B) Discuss the finding with the IT auditor's manager.
C) Elevate the risk associated with the control.
D) Discuss the finding with the auditee's manager.
B) Discuss the finding with the IT auditor's manager.
The computer security incident response team of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may:
A) implement individual solutions.
B) use this information to launch attacks.
C) fail to understand the threat.
D)forward the security alert.
B) use this information to launch attacks.
Which of the following is the BEST indicator that a newly developed system will be used after it is in production?
A) Regression testing
B) Sociability testing
C) User acceptance testing
D) Parallel testing
C) User acceptance testing
Which of the following is the INITIAL step in creating a firewall policy?
A) A cost-benefit analysis of methods for securing the applications
B) Identification of vulnerabilities associated with network applications to be externally accessed
C) Identification of network
applications to be externally accessed
D) Creation of an application traffic matrix showing protection methods
C) Identification of network applications to be externally accessed
From a control perspective, the key element in job descriptions is that they -
A) are
current, documented and readily available to the employee.
B) establish responsibility and accountability for the employee's actions.
C) provide instructions on how to do the job and define authority.
D) communicate management's specific job performance expectations.
B) establish responsibility and accountability for the employee's actions.
What is the PRIMARY control purpose of required vacations or job rotations?
A) allow cross-training for development.
B) provide a competitive employee benefit.
C) detect improper or illegal employee acts.
D) help preserve employee morale.
C) detect improper or illegal employee acts.
An IS auditor performing an audit of the newly installed Voice- over Internet Protocol system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern?
A) Network cabling is disorganized and not properly labeled.
B) The telephones are using the same cable used for LAN connections.
C) wiring closet also contains power lines and breaker
panels.
D) The local area network (LAN) switches are not connected to uninterruptible power supply units.
D) The local area network (LAN) switches are not connected to uninterruptible power supply units.
An IS audit group has been involved in the integration of an automated audit tool kit with an existing enterprise resource planning system. Due to performance issues, the audit tool kit is not permitted to go live. What should the IS auditor's BEST recommendation be?
A) Review the results of stress tests during user acceptance testing.
B) Request vendor technical support to resolve performance issues.
C) Request additional IS audit resources.
D) Review the implementation of selected integrated controls.
A) Review the results of stress tests during user acceptance testing.
An IS auditor reviewing an organization that uses cross-training practices should assess the risk of -
A) dependency on a single person.
B) one person knowing all parts of a system.
C) inadequate succession
planning.
D) a disruption of operations.
B) one person knowing all parts of a system.
When testing for compliance, which of the following sampling methods is MOST useful?
A) Difference estimation sampling
B) Variable sampling
C) Stratified mean per unit sampling
D)
Attribute sampling
Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application?
A) User security awareness
B) Use of intrusion detection/intrusion prevention systems
C) Domain name system server security hardening
D) User registration and password policies
C) Domain name system server security hardening
Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:
A) continuous improvement and monitoring plans.
B) post-BPR process flowcharts.
C) pre-BPR process flowcharts.
D) BPR
project plans.
B) post-BPR process flowcharts.
An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered -
A)
can support the organization in the long term.
B) can deliver on the immediate contract.
C) has significant financial obligations that can impose liability to the organization.
D) is of similar financial standing as the organization.
A) can support the organization in the long term.
Which of the following is a control that can be implemented to reduce risk of internal fraud if application programmers are allowed to move programs into the production environment in a small organization?
A) Post-implementation functional testing
B) User acceptance testing
C) Validation of user requirements
D) Registration and review of changes
D) Registration and review of changes
The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation, and is the only user with administrative rights to the system. What should the IS auditor's initial determination be?
A) Disabling of unused ports presents a potential risk.
B) Soft zoning presents a potential risk.
C) There is no significant potential risk.
D) The SAN administrator presents a potential risk.
D) The SAN administrator presents a potential risk.
Which of the following is a form of two- factor user authentication?
A) An iris scan and a fingerprint scan
B) A smart card and personal identification number
C) A unique user ID and complex, non- dictionary password
D) A magnetic strip card and a proximity badge
B) A smart card and personal identification number
Which of the following BEST helps an IS auditor assess and measure the value of a newly implemented system?
A) Review of business requirements
B) System accreditation
C) System certification
D) Post-implementation review
D) Post-implementation review
During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to -
A) collect sufficient evidence.
B) minimize audit resources.
C) specify appropriate tests.
D) address audit objectives.
D) address audit objectives.
Electromagnetic emissions from a terminal represent a risk because they:
A) could damage or erase nearby storage media.
B) could have adverse health effects on personnel.
C) can disrupt processor functions.
D) can be detected and displayed.
D) can be detected and displayed.
To prevent Internet Protocol (IP) spoofing attacks, a firewall should be configured to drop a packet for which the sender of a packet:
A) allows use of dynamic routing instead of static routing (Open Shortest Path First protocol is enabled).
B)
specifies the route that a packet should take through the network (the source routing field is enabled).
C) puts multiple destination hosts (the destination field has a broadcast address in the destination field).
D) indicates that the computer should immediately stop using the TCP connection (a reset flag is turned on).
B) specifies the route that a packet should take through the network (the source routing field is enabled).
Which of the following is the MOST reliable method to ensure identity of sender for messages transferred across Internet?
A) Asymmetric cryptography
B) Message authentication code
C) Digital certificates
D) Digital signatures
In what capacity would an IS auditor MOST likely see a hash function applied?
A) Authorization
B) Identification
C) Authentication
D) Encryption
Which of the following would be BEST prevented by a raised floor in the computer machine room?
A) Damage of wires around computers and servers
B) Shocks from earthquakes
C) Water flood damage
D) A power failure from static
electricity
A) Damage of wires around computers and servers
An IS auditor has discovered that a new patch is available for an application, but the IT department has decided that the patch is not needed because other security controls are in place. What should the IS auditor recommend?
A) Modify the firewall rules to further protect the application server.
B) Implement a host-based intrusion detection system.
C) Apply the patch only after it has been thoroughly tested.
D) Assess the overall risk, then recommend whether to deploy the patch.
D) Assess the overall risk, then recommend whether to deploy the patch.
A substantive test to verify that tape library inventory records are accurate is -
A) checking whether receipts and issues of tapes are accurately recorded.
B) determining whether the movement of tapes is authorized.
C) determining whether bar code readers are installed.
D) conducting a physical count of the tape inventory
D) conducting a physical count of the tape inventory
Which of the following is the responsibility of information asset owners?
A) Implementation of access rules to data and programs
B) Implementation of information security within applications
C) Provision of physical and logical security for data
D) Assignment of criticality
levels to data
D) Assignment of criticality levels to data
An IS auditor is reviewing the network infrastructure of a call center and determines that the internal telephone system is based on Voice-over Internet Protocol technology. Which of the following is the GREATEST concern?
A) Voice communication uses the same equipment that is used for data communication.
B) The team that supports the data network also is responsible for the telephone system.
C) Voice communication is not encrypted on the local network.
D) Ethernet switches are not protected by uninterrupted power supply units.
D) Ethernet switches are not protected by uninterrupted power supply units.
Which of the following is MOST important to ensure before communicating the audit findings to top management during the closing meeting?
A) Findings are clearly tracked back to evidence.
B) Recommendations address root causes of findings.
C) Remediation plans are provided by responsible parties.
D) Risk statement includes an explanation of a
business impact.
A) Findings are clearly tracked back to evidence.
Which of the following considerations is the MOST important while evaluating a business case for the acquisition of a new accounting application?
A) Return on investment to the company
B) Total cost
of ownership of the application
C) The resources required for implementation
D) The cost and complexity of security requirements
A) Return on investment to the company
The responsibility for authorizing access to a business application system belongs to the:
A) data
owner.
B) security administrator.
C) IT security manager.
D) requestor's immediate supervisor.
Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?
A) Routers
B) Virtual local area networks
C) Firewalls
D) Layer 2 switches
Assignment of process ownership is essential in system development projects because it:
A) enables the tracking of the development completion percentage.
B) ensures that system design is based on business needs.
C) minimizes the gaps between requirements and functionalities.
D) optimizes the design cost of user acceptance test cases.
B) ensures that system design is based on business needs.
Which of the following presents an inherent risk with no distinct identifiable preventive controls?
A) Unauthorized application shutdown
B) Viruses
C) Piggybacking
D) Data diddling
Confidentiality of transmitted data can best be delivered by encrypting the:
A) session key with the sender's public key.
B) messages with the receiver's private key.
C) message digest with the sender's private key.
D) session key with the receiver's public key.
D) session key with the receiver's public key.
An IS auditor is reviewing the software development capabilities of an organization that has adopted the agile methodology. The IS auditor would be the MOST concerned if:
A) software development teams continually re-plan each step of their major projects.
B) application features and development processes are not extensively documented.
C) certain project iterations produce proof-of-concept deliverables and unfinished
code.
D) project managers do not manage project resources, leaving that to project team members.
C) certain project iterations produce proof-of-concept deliverables and unfinished code.
During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?
A) Generating disk images of the compromised system
B) Rebooting the system
C) Removing the system from the network
D) Dumping the memory content to a file
An IS auditor performing an audit has determined that developers have been granted administrative access to the virtual machine management console to manage their own servers used for software development and testing. Which of the following choices would be of MOST concern for the IS auditor?
A) Developers could gain elevated access to production servers.
B) Developers have the ability to create or de- provision servers.
C) Developers can affect the performance of production servers with their applications.
D) Developers could install unapproved applications to any servers.
B) Developers have the ability to create or de- provision servers.
When preparing a business case to support the need of an electronic data warehouse solution, which of the following choices is the MOST important to assist management in the decision-making process?
A) Discuss a single solution.
B)
Demonstrate feasibility.
C) Consider security controls.
D) Consult the audit department.
B) Demonstrate feasibility.
The IS auditor observes that the latest security-related software patches for a mission-critical system were released two months ago, but IT personnel have not yet installed the patches. The IS auditor should:
A) take no action, because the IT processes related to patch management appear to be adequate.
B) review the patch management policy and determine the risk associated with this condition.
C) recommend that IT systems personnel test and then install the patches immediately.
D) recommend that patches be applied every month or immediately upon release.
B) review the patch management policy and determine the risk associated with this condition.
This question refers to the following diagram. To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system between the:
A) web server and the firewall.
B)
Internet and the firewall.
C) Internet and the web server.
D) firewall and the organization's network.
D) firewall and the organization's network.
While performing a risk analysis, an IS auditor identifies threats and potential impacts. What would the IS auditor should do NEXT?
A) identify information assets and the underlying systems.
B) disclose the threats and impacts to management.
C) identify and evaluate the existing controls.
D) ensure the risk assessment is aligned to management's risk assessment process.
C) identify and evaluate the existing controls.
An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general- purpose staff computing needs. A few employees with WLAN access have legitimate business reasons for also accessing customer information. Which of the following represents the BEST control to ensure separation of the two networks?
A)
Install a dedicated router between the two networks.
B) Establish two physically separate networks.
C) Implement virtual local area network segmentation.
D) Install a firewall between the networks.
D) Install a firewall between the networks.
An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor?
A) Guest users who are logged in are not isolated from each other.
B) A login screen is not displayed for guest users.
C) A single factor authentication technique is used to grant access.
D) The guest network is not segregated from the production network.
D) The guest network is not segregated from the production network.
An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that:
A) the environmental impact of the data center has not been considered.
B) it
has not been determined how the project fits into the overall project portfolio.
C) the organizational impact of the project has not been assessed.
D) not all IT stakeholders have been given an opportunity to provide input.
C) the organizational impact of the project has not been assessed.
When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of:
A) improper transaction authorization.
B) application interface failure.
C) excessive transaction turnaround time.
D) nonvalidated batch totals.
A) improper transaction authorization.
The IS auditor is reviewing findings from a prior IT audit of a hospital. One finding indicates that the organization was using email to communicate sensitive patient issues. The IT manager indicates that to address this finding, the organization has implemented digital signatures for all email users. What should the IS auditor's response be?
A) The IS auditor should gather more information
about the specific implementation.
B) Digital signatures are not adequate to protect confidentiality.
C) The IS auditor should recommend implementation of digital watermarking for secure email.
D) Digital signatures are adequate to protect confidentiality.
B) Digital signatures are not adequate to protect confidentiality.
The PRIMARY reason for using digital signatures is to ensure data:
A) availability.
B) correctness.
C) confidentiality.
D) integrity.
The FIRST step in the execution of a problem management mechanism should be:
A) root cause analysis.
B) exception reporting.
C) exception ranking.
D) issue analysis.
Which of the following is an effective preventive control to ensure that a database administrator complies with the custodianship of the enterprise's data?
A) Review of access logs and activities
B) Segregation of duties
C) Management supervision
D) Exception reports
An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that:
A) card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards.
B) the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure.
C) non-personalized access cards are given to the cleaning staff, who use a sign-in sheet but show no
proof of identity.
D) access cards are not labeled with the organization's name and address to facilitate easy return of a lost card.
C) non-personalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity.
An organization recently deployed a customer relationship management application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed?
A) Project risk assessment
B) Post-implementation review
C) User acceptance testing
D) Management approval of the system
B) Post-implementation review
An IS auditor was asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed?
A) Have periodic meetings with the client IT manager.
B) Require the vendor to provide monthly status reports.
C) Require that performance parameters be stated within the contract.
D)
Conduct periodic audit reviews of the vendor.
D) Conduct periodic audit reviews of the vendor.
What is the PRIMARY reason that an IS auditor would verify that the process of post- implementation review of an application was completed after a release?
A) To check that
the project meets expectations
B) To make sure that users are appropriately trained
C) To determine whether proper controls were implemented
D) To verify that the project was within budget
A) To check that the project meets expectations
During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced, and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful:
A) brute force attack.
B) buffer overflow.
C) war dialing attack.
D) distributed denial-of-service attack.
Which of the following criteria are MOST needed to ensure that log information is admissible in court? Ensure that data have been:
A) independently time stamped.
B) encrypted by the most secure algorithm.
C) recorded by multiple logging systems.
D) verified to ensure log integrity.
D) verified to ensure log integrity.
An organization implemented a distributed accounting system, and the IS auditor is conducting a postimplementation review to provide assurance of the data integrity controls. Which of the following choices should the auditor perform FIRST?
A) Review the data flow diagram.
B) Evaluate the change request process.
C) Evaluate the reconciliation controls.
D) Review user access.
A) Review the data flow diagram.
When reviewing the configuration of network devices, an IS auditor should FIRST identify:
A) whether components of the network are missing.
B) the good practices for the type of network devices deployed.
C) the importance of the network devices in the topology.
D) whether subcomponents of the network are being used appropriately.
C) the importance of the network devices in the topology.
Two months after a major application implementation, management, who assume that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to:
A)
review subsequent program change requests.
B) assess whether the planned cost benefits are being measured, analyzed and reported.
C) review controls built into the system to assure that they are operating as designed.
D) determine user feedback on the system has been documented.
C) review controls built into the system to assure that they are operating as designed.
When two or more systems are integrated, the IS auditor must review input/output controls in the:
A) systems sending and receiving data.
B) systems sending output to other systems.
C) systems receiving the output of other systems.
D) interfaces between the two systems.
A) systems sending and receiving data.
The GREATEST risk from an improperly implemented intrusion prevention system is:
A) blocking of critical systems or services due to false triggers.
B) too many alerts for system administrators to verify.
C) decreased network performance due to additional traffic.
D) reliance on specialized
expertise within the IT organization.
A) blocking of critical systems or services due to false triggers.
The MOST effective biometric control system is the one with:
A) the lowest equal-error rate.
B) a false-rejection rate equal to the failure-to- enroll rate.
C)
the highest equal- error rate.
D) false-rejection rate equal to the false- acceptance rate.
A) the lowest equal-error rate.
In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:
A) sufficiency.
B) compliance.
C)
documentation.
D) implementation.
Correct Assessing IT risk is BEST achieved by -
A) reviewing IT control weaknesses identified in audit reports.
B) using the organization's past actual loss experience to determine current exposure.
C) evaluating threats and vulnerabilities associated with existing IT assets and IT projects.
D) reviewing published loss statistics from comparable
organizations.
C) evaluating threats and vulnerabilities associated with existing IT assets and IT projects.
Which of the following is the BEST method of controlling scope creep in a system development project?
A) Adopting a matrix project management structure
B)
Identifying the critical path of the project
C) Establishing a software baseline
D) Defining penalties for changes in requirements
C) Establishing a software baseline
Inadequate programming and coding practices increase the risk of:
A) synchronize flood.
B)
buffer overflow exploitation. C) brute force attacks.
D) social engineering.
B) buffer overflow exploitation.
Which of the following BEST ensures the effectiveness of controls related to interest calculation for an accounting system?
A) Process walk-through
B)
Observation
C) Documentation review
D) Re-performance
Which of the following BEST limits the impact of server failures in a distributed environment?
A) Redundant pathways
B) Standby power
C) Dial backup lines
D) Clustering
Which of the following conditions should be of GREATEST concern to an IS auditor regarding the outsourcing of IT services?
A) Periodic renegotiation is not specified in the outsourcing contract.
B) Core activities that provide a differentiated advantage to the organization have been outsourced.
C) The outsourcing contract fails to cover every action required by the business.
D) Similar activities are outsourced to more than one vendor.
B) Core activities that provide a differentiated advantage to the organization have been outsourced.
When conducting a penetration test of an IT system, an organization should be MOST concerned with:
A) logging changes made to production system.
B) restoring systems to the original state.
C) the confidentiality of the report.
D) finding all weaknesses on the system.
B) restoring systems to the original state.
Which of the following is MOST directly affected by network performance monitoring tools?
A) Confidentiality
B) Availability
C) Integrity
D) Completeness
In a small organization, the function of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario?
A) Preventing the release manager from making program modifications
B) Hiring additional staff to provide segregation of duties
C) Verifying that only approved program changes are implemented
D) Logging of changes to development libraries
C) Verifying that only approved program changes are implemented
The project steering committee is ultimately responsible for:
A) ensuring that system controls are in place.
B) project deliverables, costs and timetables.
C) allocating the funding for the project.
D) day-to-day management and
leadership of the project.
B) project deliverables, costs and timetables.
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?
A) No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
B) Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management.
C) Create an IT risk management department and establish an IT risk framework with the aid of external risk management
experts.
D) Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle.
B) Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management.
A company is planning to install a network- based intrusion detection system to protect the web site that it hosts. Where should the device be installed?
A) Outside the firewall
B) On the server that hosts the web site
C) In the demilitarized zone
D) On the local network
C) In the demilitarized zone
Which of the following is the MOST reliable form of single factor personal identification?
A) Iris scan
B) Smart card
C) Password
D) Photo identification
Authorizing access to application data is the responsibility of the:
A) data owner.
B) data custodian.
C) security
administrator.
D) application administrator.
An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy?
A) Stateful inspection firewall
B) Proxy server
C) Web content filter
D) Web cache server
Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)?
A) Service measures were not included in the SLA.
B) A service adjustment resulting from an exception report took a day to implement.
C) The complexity of application logs used for service monitoring made the review difficult.
D) The document is updated on an annual basis.
A) Service measures were not included in the SLA.
In a public key infrastructure, a registration authority:
A) digitally signs a message to achieve nonrepudiation of the signed message.
B) issues the certificate after the required attributes are verified and the keys are generated.
C) registers signed messages to protect them from future
repudiation.
D) verifies information supplied by the subject requesting a certificate.
D) verifies information supplied by the subject requesting a certificate.
Neural networks are effective in detecting fraud because they can:
A) discover new trends because they are
inherently linear.
B) address problems that require consideration of a large number of input variables.
C) solve problems where large and general sets of training data are not obtainable.
D) make assumptions about the shape of any curve relating variables to the output.
B) address problems that require consideration of a large number of input variables.
Which of the following provides the MOST relevant information for proactively strengthening security settings?
A) Intrusion prevention system B) Intrusion detection system
C) Bastion host
D) Honeypot
While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's NEXT step?
A) Inform appropriate personnel immediately.
B) Observe the response mechanism.
C) Ensure deletion of the virus.
D) Clear the virus from the network.
A) Inform appropriate personnel immediately.
Results of a post-implementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application?
A) Volume testing
B) Load testing
C) Stress testing
D) Recovery resting
Which of the following is the key benefit of a control self-assessment?
A) Fraud detection will be improved because internal business staff
are engaged in testing controls.
B) Internal auditors can shift to a consultative approach by using the results of the assessment.
C) Management ownership of the internal controls supporting business objectives is reinforced.
D) Audit expenses are reduced when the assessment results are an input to external audit work.
C) Management ownership of the internal controls supporting business objectives is reinforced.
A top-down approach to the development of operational policies helps to ensure -
A) that they are implemented as a part of risk assessment.
B) that they are reviewed periodically.
C) compliance with all policies.
D) that they are consistent across the organization.
D) that they are consistent across the organization.
Which of the following would MOST effectively reduce social engineering incidents?
A) Email monitoring policy
B) Security awareness training
C) Increased physical security measures
D) Intrusion detection systems
B) Security awareness training
Which of the following groups would create MOST concern to an IS auditor if they have full access to the production database?
A) Business users
B) System administrators
C) Information security team
D) Application developers
D) Application developers
The internal audit department of an organization has written some scripts that are used for continuous auditing of some information systems. The IT department of that organization has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?
A) Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence.
B) Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.
C) Sharing the scripts is not permitted
because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.
D) Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.
B) Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.
As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through:
A) strategic alignment.
B) resource management.
C) performance measurement.
D) value delivery.
C) performance measurement.
When developing a formal enterprise security program, the MOST critical success factor is the -
A) selection of a security process owner.
B) creation of a security unit.
C) establishment of a review board.
D) effective support of an executive sponsor.
D) effective support of an executive sponsor.
As an outcome of information security governance, strategic alignment provides -
A) baseline security following good practices.
B) institutionalized and commoditized solutions.
C) security requirements driven by enterprise requirements.
D) an understanding of risk exposure.
C) security requirements driven by enterprise requirements.
As an IS auditor, you have identified that reports on product profitability produced by an organization's finance and marketing departments give different results. Your further investigation reveals that the product definition being used by the two departments is different. As an IS auditor, what should you recommend?
A) Management signs-off on requirements for new reports
B) Standard software tools are used for report development
C) Organizational data governance practices are put in place
D) User acceptance testing occurs for all reports before release into production
C) Organizational data governance practices are put in place
An IS auditor is evaluating a virtual machine (VM)-based architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production?
A) The VM server is included
in the disaster recovery plan.
B) Allocated physical resources are available.
C) System administrators are trained to use the VM architecture.
D) Server configuration has been hardened appropriately.
D) Server configuration has been hardened appropriately.
An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
A) approve the patch after doing a risk assessment.
B) apply the patch according to the patch's release notes.
C) thoroughly test the patch before sending it to production.
D) ensure that a good change management process is in place.
D) ensure that a good change management process is in place.
Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems?
A) To reduce requirements for periodic internal audits
B) To collect evidence while transactions are processed
C) To increase efficiency of the audit
function
D) To identify and report fraudulent transactions
B) To collect evidence while transactions are processed
Which of the following is the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing?
A) Automated tests should be performed through the use of scripting.
B) Test coverage should be restricted to functional requirements.
C) Requirements should be tested in terms of importance and frequency of use.
D) The number of required test runs should be reduced by retesting only defect fixes.
C) Requirements should be tested in terms of importance and frequency of use.
An IS auditor reviewing the application change management process for a large multinational company should be MOST concerned when:
A) the configuration management database is not maintained.
B) the test environment is installed on the production server.
C) change management records are paper based.
D) test systems run different configurations
than do production systems.
A) the configuration management database is not maintained
What is the PRIMARY purpose of an IT forensic audit?
A) to preserve evidence of criminal activity.
B) the systematic collection and analysis of evidence after a system
irregularity.
C) to participate in investigations related to corporate fraud.
D) to assess the correctness of an organization's financial statements.
B) the systematic collection and analysis of evidence after a system irregularity.
A batch transaction job failed in production; however, the same job returned no issues during user acceptance testing (UAT). Analysis of the production batch job indicates that it was altered after UAT. Which of the following ways would be the BEST to mitigate this risk in the future?
A) Ensure that developers do not have access to code after testing.
B) Improve regression test cases.
C) Conduct an application user access review.
D) Activate audit trails for a limited period after release.
A) Ensure that developers do not have access to code after testing.
An IS auditor is reviewing security incident management procedures for the company. Which of the following choices is the MOST important consideration?
A) System breach notification procedures
B) Chain of custody
of electronic evidence
C) Escalation procedures to external agencies
D) Procedures to recover lost data
B) Chain of custody of electronic evidence
The PRIMARY purpose of installing data leak prevention software is to:
A) detect attempts to destroy sensitive data
in an internal network.
B) control confidential documents leaving the internal network.
C) block external systems from accessing internal resources.
D) restrict user access to confidential files stored on servers.
B) control confidential documents leaving the internal network.
Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience?
A) Internal quality requirements
B) The audit guidelines
C) The audit methodology
D) Professional standards
D) Professional standards
After identifying the findings, the IS auditor should FIRST:
A) determine mitigation measures for the findings.
B) obtain remediation deadlines to close the findings. C) inform senior management of the findings.
D) gain agreement on the findings.
D) gain agreement on the findings.
Code erroneously excluded from a production release was subsequently moved into the production environment, bypassing normal change procedures. Which of the following choices is of MOST concern to the IS auditor performing a post implementation review?
A) The code was missed during the initial implementation.
B) The error was discovered during the postimplementation review.
C) The release team used the same change order number.
D) The change did not have
change management approval.
D) The change did not have change management approval.
A new business application requires deviation from the standard configuration of the operating system (OS). What activity should the IS auditor recommend to the security manager as a FIRST response?
A) Revision of the OS baseline configuration
B) Assessment of the risk and identification of compensating controls
C) Approval of the exception to policy to meet business needs
D) Initial rejection of the request because it is against the security policy
B) Assessment of the risk and identification of compensating controls
Over the long term, which of the following has the greatest potential to improve the security incident response process?
A) Simulation exercises performed by incident response team
B) Ongoing security training for users
C) Documenting responses to an incident
D) A walk-through review of incident response procedures
A) Simulation exercises performed by incident response team
Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment?
A) Beta testing
B) Alpha testing
C) White box testing
D) Regression testing
When reviewing the IT strategy, an IS auditor can BEST assess whether the strategy supports the organizations' business objectives by determining whether IT -
A) has all the personnel and equipment it needs.
B) plans are consistent with management strategy.
C) uses its equipment and personnel efficiently and effectively.
D) has sufficient excess capacity to respond to changing directions.
B) plans are consistent with management strategy.
An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make?
A) Implement a source code version control tool.
B) Schedule user
testing to occur at a given time each day.
C) Only retest high-priority defects.
D) Consider the feasibility of a separate user acceptance environment.
D) Consider the feasibility of a separate user acceptance environment.
A cyclic redundancy check is commonly used to determine the:
A) integrity of a downloaded program.
B) adequacy of encryption.
C) accuracy of data input.
D) validity of data transfer.
D) validity of data transfer.
An IS auditor is performing a post- implementation review of an organization's system and identifies
output errors within an accounting application. The IS auditor determined this was caused by input errors.
Which of the following controls should the IS auditor recommend to management?
A) Run-to-run totals
B) Reconciliations
C) Recalculations
D) Limit checks
Applying a retention date on a file will ensure that:
A) data cannot be read until the date is set.
B) datasets
having the same name are differentiated.
C) data will not be deleted before that date.
D) backup copies are not retained after that date.
C) data will not be deleted before that date.
When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk?
A) Subscribers report key compromises to the certificate authority.
B) There is no registration authority for reporting key compromises.
C) Digital certificates contain a public key that is used to encrypt messages and verify digital signatures.
D) The certificate revocation list is not current.
D) The certificate revocation list is not current.
An online stock trading firm is in the process of implementing a system to provide secure email exchange with its customers. What is the BEST option to ensure confidentiality, integrity and nonrepudiation?
A) Message digest algorithms
B) Digital signatures
C) Digital certificates
D) Symmetric key encryption
Which of the following BEST helps ensure that deviations from the project plan are identified?
A) A project resource plan
B) Project performance criteria
C) A project management approach
D) A project management framework
B) Project performance criteria
Which of the following is the BEST reason to implement a policy that places conditions on secondary employment for IT employees?
A) To prevent conflicts of interest
B) To prevent theft of IT assets
C) To prevent employee performance issues
D) To prevent the misuse of corporate resources
A) To prevent conflicts of interest
Which of the following should the IS auditor review to ensure that servers are optimally configured to support processing requirements?
A) Server utilization data
B) Server logs
C) Benchmark test results
D) Downtime reports
A) Server utilization data
An IS auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel?
A) Production access is granted to the individual support ID when needed.
B) Developers use a firefighter ID to promote
code to production.
C) A dedicated user promotes emergency changes to production.
D) Emergency changes are authorized prior to promotion.
A) Production access is granted to the individual support ID when needed.
Which of the following best describes integrated auditing?
A. Integrated auditing places internal control in the hands of management and reduces
the time between the audit and the time of reporting.
B. Integrated auditing combines the operational audit function, the financial audit function, and the IS audit function.
C. Integrated auditing combines the operational audit function and the IS audit function.
D. Integrated auditing combines the financial audit function and the IS audit function.
B. Integrated auditing is a methodology that combines the operational audit function, the financial audit function, and the IS audit function.
Therefore, answers C and D are incorrect because they do not list all three types of functions to be integrated. Answer A is incorrect because it describes the control self-assessment (CSA), which is used to verify the reliability of internal controls and places internal controls in the hands of management.
Which type of sampling would best be used to uncover fraud or other attempts to bypass regulations?
A. Attribute sampling
B. Frequency estimating sampling
C. Stop-and-go sampling
D. Discovery sampling
D. Discovery sampling
Discovery sampling would best be used to uncover fraud or other attempts to bypass regulations. Answer A is incorrect because attribute sampling is used to determine the rate of occur- rence. Answer B is incorrect because frequency sampling is another name for attribute sampling. Both describe the same sampling technique. Answer C is incorrect because stop-and-go sampling is used when the auditor believes that only a few errors will be found in a population.
Which of the following best describes this statement: This risk can be caused by the failure of internal controls and can result in a material error.
A. Audit risk
B. Inherent risk
C. Detection risk
D. Control risk
D. Control risk
A control risk is the risk caused by the failure of internal controls; it can result in a material error. Answer A is incorrect because the audit risk is the amount of risk the organization is willing to accept. Answer B is incorrect because the inherent risk is the risk that can occur because of the lack of compensating controls. Combined, inherent risks can create a material risk. Answer C is incorrect because detection risk is the risk if an auditor does not design tests in such a way as to detect a material risk.