159 Cards in this Set

  • Front
  • Back
The HIPAA Security Rule includes:

a. Standardizing formats for health-related information
b. Administrative controls protecting patient privacy
c. Securing medical charts
d. Information access management
ANS: D
Source: Chapter 17, pages 431-432
A system configuration error is a type of:
a. Technical threat
b. Administrative threat
c. Physical threat
d. Technical and administrative threat
ANS: B
Source: Chapter 18, page 453
In reference to Identity Access Management, provisioning includes:
a. Approving and terminating an identity
b. Establishing password parameters
c. Enforcing access rights
d. Monitoring access
ANS: A
Source: GTAG 9, PPT slide 5
Which of the following components does NOT lead to effective IT governance?
a. Organizational structure
b. Risk management
c. IT process
d. Audit universe
ANS: D
Source: GTAG 1, Page 6-7
What is the proper order of the IT audit plan process?
a. Define the IT Universe, Understand the Business, Formalize Audit Plan, Perform Risk Assessment
b. Understand the Business, Define the IT Universe, Perform Risk Assessment, Formalize Audit Plan
c. Understand the Business, Formalize Audit Plan, Define the IT Universe, Perform Risk Assessment
d. Formalize Audit Plan, Understand the Business, Define the IT Universe, Perform Risk Assessment
ANS: B
Source: GTAG 11, Page 3
Which of the following is NOT part of the IT management layer in the IT environment?
a. System Monitoring
b. Planning
c. Networks
d. IT Governance
ANS: D
Source: GTAG 4, page 4
Which of the following is NOT one of the four key layers of the IT environment?
a. IT management
b. Internal connections
c. Technical infrastructure
d. Applications
ANS: B
Source: GTAG 4, p3
Provisioning, a key concept related to IAM…
a. Should include establishment of IAM strategy
b. Monitors the provisioning process.
c. Proven approaches to conducting the BCP audit.
d. Refers to an identity’s creation, change, termination, validation, approval, propagation, and communication.
ANS: D
Source: GTAG 9, PPT SLIDE 6
Which of the following is NOT a risk of IT outsourcing?
a. Loss of data privacy.
b. Unexpected increase in outsourcing costs.
c. Lack of contract compliance.
d. Over staffing.
ANS: D
Source: GTAG7, page 16
What is the highest level in the Capability Maturity Model?
a. Defined
b. Optimization
c. Repeatable
d. Valuation
ANS: B
Source: Class
For the purpose of assessing roles and responsibilities, IT controls can be classified as:
a. Management controls
b. Application controls
c. Technical controls
d. Governance controls
ANS: B
Source: GTAG 1, PPT SLIDE 4
A good source for ensuring that you have considered all significant areas of IT governance is to reference:
a. The Sarbanes-Oxley Act
b. The Health Insurance Portability and Accountability Act (HIPAA)
c. The Payment Card Industry regulation (PCI)
d. The Control Objectives for Information and Related Technology (COBIT)
ANS: D
Source: Chapter 2, Page 40
An efficient Information Security Governance activity will reflect the concept of proportionality by all of the following except:
a. Encouraging a tiered structure of internal control
b. Allowing for properly approved deviations to policies and standards
c. Achieving efficiency through automation
d. Adjusting reporting based on the level of management involved
ANS: C
Source: GTAG 15, page 5
Which of the following is not part of the BIA prerequisite risk assessment?
a. Identify potential risks to business
b. Understand likely business impacts
c. Ensure Risk Mitigation is deployed
d. Document recovery strategies, BCP solutions, recovery steps
ANS: D
Source: GTAG 10, PPT SLIDE 11
Which statement about the IT risk assessment process is NOT correct?
a. Considers all the layers of the IT environment
b. Be performed by the appropriate personnel
c. Strictly be based on interviews
d. Be supplemented with the appropriate level of analysis after discovery
ANS: C
Source: GTAG 4, PPT slide 7
Defining the IT audit universe should consider elements on which layers?
a. Technical layer
b. IT management and IT controls
c. Technical layer and IT controls
d. Technical layer, IT management and IT controls
ANS: D
Source: GTAG 11, PPT SLIDE 12
When developing the IT Audit Plan, which of the following is wrong?
a. Consider mandated audit areas
b. Focus on high-risk audit subjects
c. Follow a predefined audit frequency
d. Integrate the IT audit plan with non-IT audit activities
ANS: C
Source: GTAG 11, PPT SLIDE 15
Which of the following questions is not related to Identity and Access management (IAM)?
a. Who has access to what information?
b. Is the information that has been accessed important?
c. Is the access appropriate for the job being performed?
d. Is the access and activity monitored, logged, and reported appropriately?
ANS: B
Source: GTAG 9, PPT SLIDE 3
Which of the following is not part of the IT Risk Management Life Cycle?
a. Identify information assets
b. Quantify and qualify risks
c. Implement Controls
d. Manage residual risks
ANS: C
Source: Chapter 18, page 445
The three layers of IT are:
a. Technical Layer, User Layer, IT Controls
b. Technical Layer, IT Controls, IT Management
c. User Layer, IT Management, IT Controls
d. Governance, IT Controls, Technical Layer
ANS: B
Source: GTAG 11 ppt, slide 4
Segregation of duties is part of which layer of IT?
a. Technical Layer
b. Governance Layer
c. IT Management Layer
d. IT Controls Layer
ANS: D
Source: GTAG 11 ppt, slide 6
Which of the following is NOT a preventative control?
a. Requiring usernames and passwords to access a system
b. Firewalls
c. Logging all activities performed on a system
d. Ensuring terminated employees have their accounts disabled
ANS: C
Source: Textbook, Ch. 2, pg 36
“An ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance” is the definition of which of the following terms?
a. IT Controls
b. Business Continuity Management
c. IT Audit Management
d. IT Audit Planning
ANS: B
Source: GTAG 10 ppt, slide 3
What is the normal IT auditing process?
a. Understand the environment, evaluate design, identify key controls, test effectiveness, report findings
b. Identify key controls, understand the environment, test effectiveness, evaluate design, report findings
c. Identify key controls, understand the environment, evaluate design, test effectiveness, report findings
d. Understand the environment, identify key controls, evaluate design, test effectiveness, report findings
ANS: D
Source: GTAG 4, PPT slide 9
Which of the following is not a technical layer?
a. Databases
b. Operating systems
c. Networks
d. Programming
ANS: D
Source: GTAG 11, PPT SLIDE 5
Which of the following is not a step of risk management?
a. Asset valuation
b. Vulnerability assessment
c. Risk determination
d. Control environment
ANS: D
Source: GTAG 6, PPT SLIDE 14
All of the following are definitions of Information Security Governance except:
a. Promoting good information security (IS) practices
b. Controlling IS risks associated with the business
c. Creating an overall IS activity that reflects the organization’s needs and risk appetites
d. Establish the basis for evaluating management performance
ANS: D
Source: GTAG 15, PPT Slide 7
_______ responsibility for internal controls typically involves reaching into all areas of the organization with special attention to critical assets, sensitive information, and operational functions.
a. Management
b. The board
c. Auditors
d. Audit committee
ANS: A
Source: GTAG 1
Cost savings that lead to outsourcing contracts for the wrong reasons exemplify which IT outsourcing risk?
a. Transaction
b. Feasibility
c. Strategy
d. Transition
ANS: C
Source: GTAG 7, PPT SLIDE 5
Which of the following is false with regard to auditing entity-level controls?
a. IT personnel should not perform data entry.
b. Programmers and those performing run/maintain support should be able to directly modify production code.
c. Programmers should be separate from those performing IT operations support.
d. The IT security organization should be responsible for setting policies and monitoring for compliance with those policies.
ANS: B
Source: Chapter 3, page 66
Managing passwords falls under what Identity and Access Management concept?
a. Administration
b. Enforcement
c. Communication
d. Provisioning
ANS: B
Source: GTAG 11, PPT SLIDE 4
The Treadway Commission, formed in the mid-1980s in response to growing US financial crises and demand for increased government oversight, is a framework now commonly referred to as:
a. COBIT
b. COSO
c. Basel
d. ISO 9000
ANS: B
Source: Chapter 16
Why are IT controls especially important for reviews of Sarbanes-Oxley compliance?
a. Because continuity of business is critical for SOX.
b. Because financial reports are often generated from the internal data warehouse.
c. Because change management impacts IT projects.
d. Because inadequate security controls can lead to losses
ANS: B
Source: Chapter 17
Virtualization allows the separation of the operating system from the hardware. Why is this a benefit?
a. It decreases data security risk.
b. It allows travelers and telecommuters to work from almost anywhere.
c. It makes asset management of hardware less challenging.
d. It eliminates the need for encryption.
ANS: B
Source: Class discussion 2/14/13
Which of the following is not a maturity level for outsourcing controls?
a. Defined
b. Managed
c. Ad-Hoc
d. Repeatable
ANS: C
Source: Class presentation 2/28/2013
In the context of GTAG 5, what can be an example of personal information?
a. Medical records
b. Bank account number
c. Personal telephone number
d. Salary information
ANS: C
Source: GTAG 5, Page 4
How does an asymmetric key algorithm work?
a. The sender uses a private key to encrypt the message, while the receiver uses a public key to decrypt the message.
b. Both the sender and receiver use the same private key to encrypt and decrypt the message.
c. Both the sender and receiver use the same public key to encrypt and decrypt the message.
d. The sender uses a public key to encrypt the message, while the receiver uses a private key to decrypt the message.
ANS: D
Source: Guest speaker’s presentation
A client communicates sensitive data across the Internet. Which of the following controls would be most effective to prevent the use of the information if it were intercepted by an unauthorized party?
a. A firewall.
b. Passwords.
c. An access log.
d. Encryption.
ANS: D
Source: GTAG 9
When two devices in a data communications system are communicating, which of the following terms is commonly used to describe the agreement on how both data and control information are to be packaged and interpreted?
a. Communication channel
b. Communication protocol
c. Communication package
d. Communication library
ANS: B
Source: Class lecture
Which of the following is not a responsibility of the internal auditor related to information security?
a. Assess information control environments, including understanding, adoption, and effectiveness.
b. Validate IS efforts and compare current practices to industry standards.
c. Recommend improvements.
d. Dedicate sufficient resources to be effective.
ANS: D
Source: GTAG 5, Page 3
In a top-down approach used when considering controls to implement and determining areas on which to focus, which of the following is not a management control?
a. Standards
b. Environmental Controls
c. Policies
d. Physical Controls
ANS: C
Source: GTAG 1, PPT slide 5
Which statement about the IT risk assessment process is not correct?
a. Consider all the layers of the IT environment
b. Be fully performed yearly, not just an update of the prior year
c. Only consider dynamic risks during risk assessment
d. Risk assessment should not strictly be based on interviews
ANS: C
Source: GTAG 4, PPT slide 7
Which one belongs to the second stage of vulnerability management life-cycle?
a. Validate
b. Set OLAs
c. Automate
d. Assess Risks
ANS: D
Source: GTAG 6, PPT slide 3
When assessing a company’s IAM posture, which of the following is not the internal auditors’ job?
a. Aligning business and management units
b. Establishing budgets
c. Developing achievable implementation plans
d. Developing technology which can enable a more effective control environment
ANS: D
Source: GTAG 9, PPT slide 9
Which statement about how to maximize IA value in the BCP process is wrong?
a. Understand the scope of business continuity
b. Approach opposed to a documentation review
c. Focus on the analysis part of the BCM Life-cycle
d. Understand BCP and management objectives
ANS: C
Source: GTAG 10, PPT slide 20
Which one does not belong to the three dimensions of the IT domain?
a. IT controls
b. Technical System
c. Technical layer
d. IT management
ANS: B
Source: GTAG 11, PPT slide 4
The IT risk assessment process should:
a. Only consider dynamic risk
b. Just update the prior year’s risk assessment
c. Be supplemented with the appropriate level of analysis after discovery
d. Only be performed by the CAE
ANS: C
Source: GTAG 4 ppt, slide 7
Which of the following should NOT be taken into consideration when creating an identity:
a. The amount of time the employee has been with the organization
b. Employee’s function within the organization
c. How the identity will be used
d. Basis of granting access to identity owner (roles, rules, or user-specific needs)
ANS: A
Source: GTAG 9 ppt, slide 7
Which of the following is NOT a risk for data centers?
a. Water and fire detection system
b. Disorganized cables and wires
c. Unauthorized access
d. Strict biometrics
ANS: D
Source: In class presentation
Requiring a user ID and a password would be an example of what type of control?
a. Detective
b. Corrective
c. Preventative
d. Reactive
ANS: C
Source: Chapter 2, page 34
IT controls are broken down into three groups; which of these controls is not included in the IT technical group?
a. Systems Development Controls
b. Application Based Controls
c. Physical And Environmental Controls
d. Systems Software Controls
ANS: C
Source: GTAG 1, PPT SLIDE 5
Which one of these answers is in the correct order for a Normal Audit Process?
a. Understand the Environment > Evaluate Design > Identify Key Controls > Test Effectiveness > Report Findings
b. Understand the Environment > Identify Key Controls > Evaluate Design > Test Effectiveness > Report Findings
c. Understand the Environment > Test Effectiveness > Identify Key Controls > Evaluate Design > Report Findings
d. Understand the Environment > Identify Key Controls > Test Effectiveness > Evaluate Design > Report Findings
ANS: B
Source: GTAG 4, PPT SLIDE 9
At the Identification and Validation stage, which of the following is not considered a characteristic of a high-performing organization?
a. Effective asset management
b. Knowledge of the % of critical assets scanned and managed.
c. High level of configuration variance
d. Scans are validated and false positives are identified.
ANS: C
Source: GTAG 6, PPT Slide 9
Which of the following is not a key concept related to IAM in the enforcement process?
a. Authentication
b. Authorization
c. Logging
d. Accessibility
ANS: D
Source: GTAG 9, PPT SLIDE 8
In the business continuity management lifecycle, which of the following is not considered analysis?
a. Risk assessment
b. Solutions development and enhancements
c. Business Impact Analysis
d. Business Continuity Strategy Design
ANS: B
Source: GTAG 10, PPT SLIDE 9
The BCM Lifecycle consists of four stages; which of the following is not considered a stage?
a. Culture
b. Governance
c. Execution
d. Development
ANS: D
Source: GTAG 10, PPT Slide 9
The IT domain consists of three dimensions; which of the following is one of them?
a. IT Planning
b. IT Management
c. IT General Control
d. Database
ANS: B
Source: GTAG 11, PPT SLIDE 4
Which of the following is not one of the recommended steps performed when conducting a Business Impact Analysis?
a. Identify business processes and define critical processes
b. Assess the impact of potential disruptive events
c. Define recovery time objective and recovery point objective for processes and resources
d. Identify other parties and physical resources for recovery
ANS: B
Source: GTAG 10
What is the primary function of an IT supporting application?
a. To process and record business transactions
b. To help facilitate communication between vendors and the purchasing department of an organization
c. To facilitate business activities but generally not transactions
d. To maintain the software architecture in the organization
ANS: C
Source: GTAG 4
In which stage of the IT Outsourcing process does the auditor determine whether there is an appropriate approval and procurement process?
a. Strategic Fit and Sourcing Evaluation
b. Implementation and Transition
c. Monitoring and Reporting
d. Tender Process and Contracting
ANS: D
Source: GTAG 7
From a control perspective, the PRIMARY objective of classifying information assets is to
a. Establish guidelines for the level of access controls that should be assigned.
b. Ensure access controls are assigned to all information assets
c. Identify which assets need to be insured against losses
d. Assist management and auditors in risk assessment.
ANS: A
Source: Chapter 2, GTAG 11
To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the:
a. Enterprise data model
b. IT balanced scorecard (BSC)
c. Historical financial statements
d. IT organizational structure
ANS: B
Source: Chapter 16, GTAG 1
The GREATEST advantage of using web services for the exchange of information between two systems is:
a. secure communications
b. improved performance
c. efficient interfacing
d. enhanced documentation
ANS: C
Source: Chapter 18, GTAG 15
An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?
a. A clause regarding supplier limitation of liability
b. A clause defining penalty payments for poor performance
c. Predefined service level report templates
d. A clause providing a “right to audit” service provider
ANS: A
Source: Chapter 18, GTAG 15
While downloading software, a hash may be provided to
a. Ensure that the software comes from a genuine source
b. Ensure that the software is the correct revision number
c. Serve as a license key for paid users of the software
d. Ensure that the software has not been modified
ANS: C
Source: Chapter 18, GTAG 15
Upon receipt of the initial signed digital certificate the user will decrypt the certificate with the public key of the:
a. Registration authority (RA)
b. Certificate authority (CA).
c. Receiver
d. Certificate repository
ANS: B
Source: Chapter 2, GTAG 11
When using a universal storage bus (USB) flash drive to transport confidential corporate data to an offsite location, an effective control would be to:
a. Carry the flash drive in a portable safe
b. Assure management that you will not lose the flash drive
c. Encrypt the folder containing the data with a strong key
d. Request that management deliver the flash drive by courier
ANS: D
Source: GTAG 1, Chapter 16
Implementing effective IT Controls will aid in all of the following, except:
a. Controlling costs
b. Earning the highest rates of return on assets
c. Protecting of information assets
d. Complying with laws and regulations
ANS: B
Source: GTAG 1, PPT slide 6
An IT risk assessment process should:
a. Only consider certain layers of the IT environment
b. Consider only static and not dynamic risks
c. Be performed in depth every year
d. Be based solely on interviews
ANS: C
Source: GTAG 4, PPT SLIDE 7
The IT Domain contains three dimensions, consisting of:
a. IT Budget (Cost); IT Controls (Process); and the Technical Layer (Technology)
b. IT Budget (Cost); IT Controls (Process); and IT Management (People)
c. The Technical Layer (Technology); IT Budget (Cost); and IT Management (People)
d. The Technical Layer (Technology); IT Controls (Process); and IT Management (People)
ANS: D
Source: GTAG 11, PPT Slide 4
Business Continuity Management (BCM) is an ongoing process that ensures all of the following, except:
a. Identification of the impact of potential losses
b. Maintenance of viable recovery strategies and recovery plans
c. Profit maximization through cost cutting
d. Continuity of services through personnel training, plan testing, and maintenance
ANS: C
Source: GTAG 10, PPT Slide 3
Key challenges to an effective Business Continuity Management (BCM) plan do not include:
a. Getting Executive and Stakeholder Support
b. Knowledgeable staff
c. Funding
d. Performing Sufficient Testing
ANS: B
Source: GTAG 10, PPT SLIDE 6
Which of the following is part of the Identification and Validation section of the Vulnerability Management Cycle?
a. Assess risks
b. Prioritize vulnerabilities
c. Create a mitigation process
d. Scoping Systems
ANS: C
Source: GTAG 6, PPT slide 7
Which is not a piece of the technical layer for IT audit?
a. Programming
b. Database
c. Application
d. Operating systems
ANS: A
Source: GTAG 11, slide 5
Which of the following components of internal control is defined incorrectly per the COSO model?
a. Control environment: sets the tone of an organization, influencing the control consciousness of its people
b. Control Activities: the policies and procedures that help to ensure that management directives are carried out
c. Monitoring: process that assesses the quality of the system’s performance over time
d. Information and communication: pertinent information should be identified, destroyed, and communicated in a form and time frame that lets people carry out their responsibilities
ANS: D
Source: IT Auditing book, pg 396-7
Several aspects of the world of IT auditing have changed over the past 40 years; which of the following aspects has not changed?
a. Technical control testing
b. Overall audit structure
c. IT costs
d. Business processes
ANS: B
Source: GTAG 1, PPT slide 10
A ________ risk is when the data is incomplete or inaccurate.
a. Efficiency
b. Security
c. Confidentiality
d. Integrity
ANS: D
Source: GTAG 4, PPT SLIDE 6
When defining the IT universe, the top down approach should specifically identify:
a. Key business objectives and processing
b. Areas of significant risk
c. Audit hours
d. Key controls
ANS: A
Source: GTAG 11, PPT Slide 11
When the CAE is looking into the company’s ISG, he/she should be particularly concerned about all of the following except:
a. Protection of information
b. Technology Protection
c. Responsibility to Board
d. Organizational risks
ANS: B
Source: GTAG 15, PPT SLIDE 13
In the Vulnerability Management Lifecycle, which of the following is not a step of the remediation stage:
a. Detecting
b. Creating a mitigation process
c. Scoping Systems
d. Prioritize Vulnerabilities
ANS: B
Source: GTAG 6, PPT Slide 3
______________ provides a repository of personal information related to purchase and utilization patterns, including communication partners, time, location and content.
a. POS Data
b. RFID
c. Operational Data
d. Transactional Data
ANS: D
Source: GTAG 5, PPT SLIDE 11
Which of the following is not part of an entity’s objectives in the enterprise risk-management framework, as outlined in the COSO model?
a. Operations
b. Strategic
c. Monitoring
d. Reporting
ANS: D
Source: Chapter 16, page 399
In reviewing the overall IT organization structure to ensure that it provides for clear assignment of authority and responsibility over IT operations and that it provides for adequate segregation of duties, which of the following is not true?
a. Programmers and those performing run/maintain support for systems should directly be able to modify production code, production data, or the job-scheduling structure
b. An IT security organization should be responsible for setting policies and monitoring for compliance with those policies
c. IT personnel should not perform data entry
d. Programmers and those performing run/maintain support for systems should be separate from those performing IT operations support (such as support for networks, data centers, operating systems, and so on)
ANS: A
Source: Chapter 3, page 66
Requiring employees to have a user ID and a password to access a system is what type of control?
a. Detective control.
b. Preventive control
c. Access control
d. Both B and C
ANS: D
Source: Chapter 2, page 36
All of the following are elements of risk in a quantitative risk analysis except,
a. Assets
b. Controls in place
c. Threats
d. Vulnerabilities
ANS: B
Source: Chapter 18, page 441
Which is an advantage of a Storage Area Network (SAN) as opposed to Network Attached Storage (NAS)?
a. Traditionally costs less
b. Easier file sharing
c. High performance, more predictable
d. Less processing power
ANS: C
Source: Chapter 10, page 268
The technical layer includes which of the following elements?
a. Application
b. System Operations
c. Database
d. Both A and C
ANS: D
Source: GTAG 11, PPT SLIDE 5
Which of the following concepts is not related to identity and access management?
a. Confidentiality
b. Administration
c. Enforcement
d. Logging
ANS: A
Source: GTAG 9, PPT slide 6&8
Selecting audit subjects and bundling them into distinct audit engagements belong to which step of the IT Audit Plan Development Process?
a. Understanding the Business
b. Defining IT Universe
c. Performing Risk Assessment
d. Formalizing Audit Plan
ANS: D
Source: GTAG 11, Page 3
Which of the following is not true about KPIs?
a. KPI refers to key performance indicators
b. KPI can be anything that an organization identifies as being an important driver of the business
c. KPIs are all financial data
d. The organization itself should define the ranges of acceptable and unacceptable key result
ANS: C
Source: GTAG 15, Page 12
Content Addressed Storage (CAS) is
a. Accessible only to the attached server
b. Also known as file storage and is often accessed by users and applications as mapped drives
c. A scalable and flexible storage subsystem generally available to more than one host at the same time
d. An Object-oriented storage designed specifically for archival storage of unique items that are not intended to be changed after they are stored
ANS: D
Source: Chapter 10, Page 267
A router
a. Is an extension of the concept of a hub
b. Forwards packets between different networks
c. Is essential to help segment networks and users into appropriate security zones
d. Is composed of interconnected LANs
ANS: B
Source: Chapter 5, Page 122-124
Which of the following is NOT true about Cloud Computing?
a. It provides servers, storage, and computing power as a service
b. It gives businesses the flexibility to launch an initiative or program
c. It usually requires buying and maintaining expansive IT capacity
d. Resources are provided dynamically like a utility over the internet
ANS: C
Source: GTAG 7, Page 5-6
In the information security governance triangle, which part performs the evaluation?
a. IT Governance
b. IT Projects
c. IT Operations
d. Corporate Governance
ANS: D
Source: GTAG 15, slide 8
Business impact analyses are used to identify critical business processes that need to be recovered after disruptive events. Which of the following is not a BIA step?
a. Identifying the other parties and physical resources.
b. Identifying business processes.
c. Performing risk assessment.
d. Obtaining sponsor and manager approval of BIA.
ANS: C
Source: GTAG 10, slide 12
What category does password control belong to?
a. Application Control
b. IT Infrastructure Service
c. General Control
d. Business Process
ANS: C
Source: Lecture
Risk management has been defined as “the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level”. Which is not one of these steps?
a. Asset Valuation
b. Threat assessment
c. Risk determination
d. Risk Valuation
ANS: D
Source: GTAG 6, Slide 14
Which question cannot be addressed by Identity and Access Management?
a. Who has access to what information?
b. Is the access available to manage everything?
c. Is the access appropriate for the job being performed?
d. Is the access and activity monitored, logged, and reported appropriately?
ANS: B
Source: GTAG 9, slide 3
The question of whether an adequate IT framework is in place to support the overall needs of the business refers to the concept of:
a. Risk Appetite
b. IT Adequacy
c. Risk Tolerance
d. IT Governance
ANS: D
Source: GTAG 1 page 5
Which of these is not a healthy response to risk from a corporate perspective?
a. Accepting a risk that has a low potential impact and probability of occurring
b. Implementing a control to mitigate or lessen the impact of a vulnerability
c. Ignoring a risk that isn’t common to the industry
d. Eliminating or replacing IT programs that may support business operations
ANS: C
Source: GTAG 1 page 12
When talking about IT controls around a physical data center, fences with barbed wire lining would be classified as ____________ controls.
a. Technical Corrective
b. Physical Detective
c. Procedural Corrective
d. Physical Preventative
ANS: D
Source: GTAG 1 Slide 4
This famous theory points out the flaws of a “checklist audit” by asserting that although companies may be similar, each IT control and risk environment presents a unique set of challenges and risks.
a. Theory of Risk Assessment
b. Control Environment Theory
c. Checklist Audit Theory
d. The Snowflake Theory
ANS: D
Source: GTAG 4, Page 6
A work security badge granting access to the headquarters would be classified as a __________, whereas a role restriction to have access to a customer invoicing system and process invoices would be classified as a ________.
a. general control, application control
b. application control, general control
c. general control, general control
d. application control, application control
ANS: A
Source: GTAG 11, Slide 6
When planning for an audit of Information Security Governance (ISG), the auditor should address all of the following except:
a. Gain an understanding of the current governance hierarchy and reporting structure
b. Validate the purpose of each component of the governance environment
c. Decide which components you will enforce following the audit
d. Understand regulatory variants and industry trends that affect the governance environment externally
ANS: C
Source: GTAG 15, page 9-10
Which of the following is not one of the generally accepted elements of information security?
a. Integrity
b. Confidentiality
c. Availability
d. Portability
ANS: D
Source: GTAG 1, page 21
A risk that is constantly changing that tends to be less driven by the industry and more driven by the evolution of technology is:
a. Pervasive risk
b. Dynamic risk
c. Specific risk
d. Interface risk
ANS: B
Source: GTAG 4, page 8
All of the following show an organization’s effective control of its network, EXCEPT for:
a. Vulnerability scans scheduled on a regular basis
b. Employees are allowed to reconfigure their IT systems arbitrarily and install software
c. A network architecture diagram that shows the location of IT assets as well as perimeter security devices protecting those assets is in place
d. Every IT asset deployed on the network can be identified
ANS: B
Source: GTAG 6, page 8
Which of the following would be considered sensitive personal information?
a. Date of birth
b. Home address
c. Medical records
d. Individual’s photograph
ANS: C
Source: GTAG 5, pages 3 & 4
Relocating activities that were previously managed in the domestic country refers to:
a. Relocation Management
b. Outsourcing
c. Exportation
d. Off-shoring
ANS: D
Source: GTAG 7, page 4
Which is one of the test steps for auditing Entity-Level controls?
a. Review data center exterior lighting, building orientation, signage, fences, and neighborhood characteristics to identify facility related risks.
b. Ensure the backup media can be retrieved promptly from off-site storage facilities.
c. Verify that thresholds exist that limit broadcast/multicast traffic on ports.
d. Review the IT strategic planning process and ensure that it aligns with business strategies.
ANS: D
Source: Chapter 3 page 66
Which is not one of the phases of the IT Risk Management Life Cycle?
a. Identify information assets
b. Quantify and qualify threats
c. Assess vulnerabilities
d. Evaluate disaster-recovery processes
ANS: D
Source: Chapter 18 Page 445
Which cloud model shares only the physical infrastructure?
a. SaaS model
b. PaaS model
c. IaaS model
d. Dedicated hosting model
ANS: D
Source: Chapter 14 page 341
When participating in MMA style fighting, never do the following:
a. Choke out your opponent
b. Offer your arms to your opponent
c. Ground and Pound your opponent
d. Maintain control over your breathing
ANS: B
Source: Guest Lecturer
Which of the following is not part of the Technical Layer of IT:
a. Applications
b. Database
c. Programming
d. Operating Systems
ANS: C
Source: GTAG 11, PPT SLIDE 5
DAS, NAS, SAN, and CAS are all examples of:
a. Co-sourcing
b. Data Storage
c. Data Analysis tools
d. Type of auditing techniques
ANS: B
Source: Text, p. 266
Which of the following is NOT part of the IT life cycle:
a. Bargaining
b. Renegotiation
c. Reversibility
d. Implementation and Transition
ANS: A
Source: GTAG 7, p. 7
Identity and Access Management (IAM) attempts to address which of the following questions:
a. Who has access to what information?
b. What is the information being used for?
c. Where was the information originated?
d. Why is this particular information important to our objectives?
ANS: A
Source: GTAG 9, PPT SLIDE 3
Which of the following is NOT an area that leads to information about effective IT governance?
a. Leadership
b. Organization Structure
c. Executive Contracts
d. Control Activities
ANS: C
Source: GTAG 1, page 6&7
Which of the following is NOT a regulation that a business should comply with?
a. SOX
b. LISO
c. HIPAA
d. PCI
ANS: B
Source: Textbook page 40
It can be acceptable for an organization to have aging IT systems.
a. True
b. False
ANS: A
Source: Mark Salamasick when talking about Fry's Electronics and Motel 6
Which of the following is NOT important when considering data center design?
a. Layout of the plumbing system within the building
b. Conspicuousness of building
c. Proximity to central management location
d. Proximity to airport/airway flight paths
ANS: C
Source: Text, p. 338
Which is NOT one of the three dimensions of the IT domain?
a. Technical layer
b. System Operations
c. IT controls
d. IT management
ANS: B
Source: GTAG 11, PPT slide 4
_______________ refers to an identity’s creation, change, termination, validation, approval, propagation, and communication.
a. Administration
b. Provisioning
c. Enforcement
d. Authentication
ANS: B
Source: GTAG 9, PPT slide 6
_______________ involves understanding the costs and disruptions that may result from moving operations either to another service provider or back in-house.
a. Reversibility
b. Strategic Fit and Sourcing Evaluation
c. Monitoring and Reporting
d. Renegotiation
ANS: A
Source: GTAG 7, page 10
A good source for ensuring that you have considered all significant areas of IT governance is to reference:
a. Databases
b. Networks
c. Systems Monitoring
d. Operating Systems
ANS: C
Source: GTAG 4 Page 4
What is the layer that sits between hardware and the operating system in virtualization?
a. Virtual Machine
b. Hypervisor
c. Storage Area Network (SAN)
d. Virtual Servers
ANS: B
Source: Chapter 11, page 279
Which of the following is not a way to search for rogue access points on a network?
a. Updating wireless network firmware
b. Manual monitoring of network traffic
c. Wireless Monitoring Appliances
d. War-driving tools
ANS: A
Source: Chapter 12, page 302
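The card above lists the ways a rogue access point is found (monitoring traffic, a wireless monitoring appliance, war-driving tools); what all three feed into is a comparison of observed radios against the authorised inventory. The block below is an added example, not code from the textbook: it triages a constructed scan export against a constructed inventory and separates evil-twin impersonation, strong unknown radios, and weak neighbouring networks. The inventory, the CSV layout and the -75 dBm "on premises" threshold are assumptions.

```python
"""Rogue access point triage: compare a wireless scan export against the
authorised AP inventory. Added example, not from the textbook. The inventory,
the CSV export layout and the -75 dBm "on premises" threshold are assumptions;
a real run would read the export of a wireless monitoring appliance or a
war-driving tool instead of the constructed SCAN_EXPORT below."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed authorised inventory: BSSID (radio MAC) -> (SSID, location).
AUTHORISED_APS = {
    "00:1a:2b:3c:4d:01": ("CORP-WIFI", "HQ floor 1"),
    "00:1a:2b:3c:4d:02": ("CORP-WIFI", "HQ floor 2"),
    "00:1a:2b:3c:4d:03": ("CORP-GUEST", "HQ lobby"),
}

# Constructed scan export: bssid,ssid,channel,signal_dbm,encryption
SCAN_EXPORT = """bssid,ssid,channel,signal_dbm,encryption
00:1a:2b:3c:4d:01,CORP-WIFI,6,-48,WPA2
00:1A:2B:3C:4D:02,CORP-WIFI,11,-55,WPA2
00:1a:2b:3c:4d:03,CORP-GUEST,1,-60,OPEN
de:ad:be:ef:00:01,CORP-WIFI,6,-42,WPA2
aa:bb:cc:dd:ee:ff,NETGEAR_EXT,9,-70,WPA2
11:22:33:44:55:66,Coffee_Shop_Free,3,-88,OPEN
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    signal_dbm: int
    severity: str   # "ROGUE", "MISCONFIG" or "INFO"
    reason: str


def parse_scan(text: str) -> list[dict]:
    """Normalise the export: lower-case BSSIDs (tools differ) and integer signal."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["bssid"] = row["bssid"].strip().lower()
        row["signal_dbm"] = int(row["signal_dbm"])
    return rows


def classify(rows: list[dict], authorised: dict, strong_dbm: int = -75) -> list[Finding]:
    """Triage each observed radio against the inventory.

    - known BSSID, unexpected SSID  -> MISCONFIG (or a hijacked radio)
    - unknown BSSID, corporate SSID -> ROGUE (evil-twin impersonation)
    - unknown BSSID, strong signal  -> ROGUE (likely plugged in on premises)
    - unknown BSSID, weak signal    -> INFO (probably a neighbour)
    """
    corporate_ssids = {ssid for ssid, _ in authorised.values()}
    findings = []
    for r in rows:
        bssid, ssid, sig = r["bssid"], r["ssid"], r["signal_dbm"]
        if bssid in authorised:
            expected = authorised[bssid][0]
            if ssid != expected:
                findings.append(Finding(bssid, ssid, sig, "MISCONFIG",
                                        f"authorised radio broadcasting {ssid!r}, expected {expected!r}"))
            continue
        if ssid in corporate_ssids:
            findings.append(Finding(bssid, ssid, sig, "ROGUE",
                                    "unknown radio impersonating a corporate SSID"))
        elif sig >= strong_dbm:
            findings.append(Finding(bssid, ssid, sig, "ROGUE",
                                    f"unknown radio at {sig} dBm, probably on premises"))
        else:
            findings.append(Finding(bssid, ssid, sig, "INFO",
                                    "weak unknown radio, probably a neighbour"))
    return findings


def rogue_bssids(export: str = SCAN_EXPORT, authorised: dict = AUTHORISED_APS) -> list[str]:
    """The list an auditor would hand to the network team for physical tracing."""
    return [f.bssid for f in classify(parse_scan(export), authorised) if f.severity == "ROGUE"]


if __name__ == "__main__":
    for f in classify(parse_scan(SCAN_EXPORT), AUTHORISED_APS):
        print(f"{f.severity:9} {f.bssid} {f.ssid:17} {f.signal_dbm:5} dBm  {f.reason}")
```

The evil-twin case is ranked highest on purpose: a radio the inventory does not know that is broadcasting the corporate SSID is the one most likely to be harvesting credentials, regardless of how strong it looks from the scanning position.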
What law regulates merchants with regard to storing, processing or transmitting cardholder information?
a. PCI Data Security Standard
b. The Sarbanes-Oxley Act of 2002
c. Gramm-Leach-Bliley Act
d. No law regulates merchants with regard to storing, processing or transmitting cardholder information.
ANS: D
Source: Chapter 17, page 436
Out of the four methods for consulting, which is the best method to perform reviews of certain areas of an organization without turning them into unnecessarily large efforts?
a. Early Involvement
b. Informal Audits
c. Knowledge Sharing
d. Self-assessments
ANS: B
Source: Chapter 1, page 11
In IT Outsourcing which of the following Risk and Control Considerations deal with the outsourcing arrangement failing?
a. Reversibility
b. Strategic Fit and Sourcing Evaluation
c. Monitoring & Reporting
d. Renegotiation
ANS: A
Source: GTAG 7, page 10
Which one of the following is NOT a part of the 7-layer OSI Model?
a. Network
b. Transport
c. Packet
d. Application
ANS: C
Source: Chapter 5 page 121
Business Continuity Plan Testing occurs during which stage of the BCM life cycle?
a. Governance
b. Analysis
c. Execution
d. Culture
ANS: C
Source: GTAG 10, PPT slide 9
What is NOT a role of Internal Audit in Business Continuity Planning?
a. Establish a framework
b. Develop a BCP program for management
c. Add value to the BCP process
d. Proven approaches to conducting the BCP audit
ANS: B
Source: GTAG 10, PPT slide 19
Which is the correct order of stages for performing the audit plan?
a. Planning, Fieldwork, Solution Development, Report Drafting, Issue Tracking
b. Issue Tracking, Planning, Fieldwork, Report Drafting, Solution Development
c. Planning, Issue Tracking, Fieldwork, Solution Development, Report Drafting
d. Planning, Report Drafting, Solution Development, Fieldwork, Issue Tracking
ANS: A
Source: Chapter 2 Page 93
In class we discussed a set of requirements designed to ensure that companies process, store or transmit credit card information securely. What is this standard referred to as?
a. CCISS-credit card information security standard
b. PCI DSS-payment card industry data security standard
c. GAPCS-generally accepted payment card standard
d. GAAP-generally accepted accounting principles
ANS: B
Source: Class Discussions
An IT audit group might be called on to review ALL but one of the following
a. Social Media Usage
b. Databases
c. System Platform
d. Data Center Facilities
ANS: A
Source: Chapter 1, page 21
Which is not a common type of firewall(s)?
a. Application Firewalls
b. Application-Proxy Gateway
c. Packet Filtering Firewalls
d. Pro-Virus Firewalls
ANS: D
Source: Chapter 5, page 124-125
For the purpose of assessing roles and responsibilities, IT controls can be classified as all of the following EXCEPT:
a. Management controls
b. Application controls
c. Technical controls
d. Governance controls
ANS: B
Source: GTAG 1 PPT slide 4
A good source for ensuring that you have considered all significant areas of IT governance is to reference:
a. The Sarbanes-Oxley Act
b. The Health Insurance Portability and Accountability Act (HIPAA)
c. The Control Objectives for Information and Related Technology (COBIT)
d. The Payment Card Industry regulation (PCI)
ANS: C
Source: Chapter 2, page 40
When developing the IT audit plan, which of the following is NOT a consideration?
a. Consider mandated audit areas
b. Make the predefined audit frequency
c. Focus on high risk audit subjects
d. Mitigating Critical Vulnerabilities
ANS: D
Source: GTAG 11, Slide 15
Which of the following is not an element that helps us to understand the IT support model?
a. the degree of system and geographic centralization
b. the degree of outsourcing
c. the degree of reliance on technology
d. the degree of the regulation and compliance
ANS: D
Source: GTAG 11, slide 10
Which of the following is not one of the key elements of an IT fraud risk assessment?
a. Manage relationship
b. Inherent risk of fraud
c. Control gaps
d. Business impact
ANS: A
Source: GTAG 13, slide 15
Which of the following is not an example of a key IT control concept?
a. Assurance is provided by the IT controls within the system of internal controls.
b. The internal auditor’s assurance is an independent and objective assessment that the IT-related controls are operating as intended.
c. Assurance should not be continuous to keep independence and should also provide a reliable trail of evidence.
d. Assurance is based on understanding, examining, and assessing the key controls related to the risks they manage and performing sufficient testing to ensure the controls are designed appropriately and functioning effectively and continuously.
ANS: C
Source: GTAG 1
Best practice IT governance does not consist of?
a. Identification and management of IT risks and enablement of improved IT operations.
b. Enhancing the relationship between the business and IT.
c. IT governance improving adaptability of IT to changing business and IT environments.
d. Developing and implementing IT controls with business units to increase synergy across departments.
ANS: D
Source: GTAG 1
Dynamic risk is risk that:
a. Not constantly changing.
b. Tends to be less driven by the industry and more driven by the evolution of technology.
c. Typically driven by the industry within which the organization operates.
d. Done through inquiry and interview techniques, which are in many cases, adequate.
ANS: B
Source: GTAG 4
Fundamentally, IAM attempts to address the following important questions except:
a. Is the access to information protected by encryption?
b. Who has access to what information?
c. Is the access appropriate for the job being performed?
d. Is the access and activity monitored, logged, and reported appropriately?
ANS: A
Source: GTAG 9
Access to specific functionality in a system or application that is granted to a specific user is called:
a. Authentication
b. Authorization
c. Identity
d. Entitlement
ANS: D
Source: GTAG 9
A process for attempting to verify an identity against values in an identity repository is called:
a. Identity
b. Authorization
c. Authentication
d. Entitlement
ANS: C
Source: GTAG 9
An asymmetric public key encryption mechanism requires ___ key(s)
a. 1
b. 2
c. 3
d. 4
ANS: B
Source: Chris Davis
As internal stakeholders in IT governance, the Board of Directors should:
a. Become informed of role and impact of IT on the enterprise.
b. Assign accountability.
c. Understand the strategic value of the IT function.
d. Inform and educate executives on IT issues.
ANS: C
Source: GTAG 1, Section 3, pages 8-9
Which ONE of the following is an Application Control?
a. Change management
b. Physical controls
c. Segregation of duties
d. Operating System
ANS: C
Source: GTAG 11 Slide 9
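The IAM cards above define provisioning (creation, change, termination of an identity), authentication (verifying a claimed identity against an identity repository), entitlement (access to specific functionality granted to a user), the questions IAM is meant to answer (who has access to what, is it appropriate, is it logged), and this card names segregation of duties as an application control. The block below is an added example, not code from GTAG 9 or GTAG 11: a constructed identity repository that exercises each of those concepts and then runs the access review an auditor would perform, flagging a terminated user who still holds entitlements and a user whose entitlements violate a segregation-of-duties rule. User names, entitlement names, the SoD rule and the PBKDF2 iteration count are assumptions.

```python
"""IAM review helpers on a constructed identity repository: provisioning
(create, grant, terminate), authentication against stored password hashes,
entitlement (authorization) checks, and an access review that answers
"who has access to what" and "is that access appropriate". Added example,
not from GTAG 9; user names, entitlement names and the SoD rule are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumption: lowered so the example runs quickly; use current OWASP guidance
# (hundreds of thousands of iterations for PBKDF2-HMAC-SHA256) in production.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2 hash; returns (salt, digest) so the salt can be stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Identity:
    user_id: str
    status: str                      # provisioning state: "active" or "terminated"
    salt: bytes
    pw_hash: bytes
    entitlements: set[str] = field(default_factory=set)


class IdentityRepository:
    def __init__(self) -> None:
        self.users: dict[str, Identity] = {}
        self.audit_log: list[tuple[str, str, str]] = []   # (event, user_id, detail)

    # --- provisioning: creation, change and termination of an identity ---
    def create(self, user_id: str, password: str, entitlements=()) -> None:
        salt, digest = hash_password(password)
        self.users[user_id] = Identity(user_id, "active", salt, digest, set(entitlements))
        self.audit_log.append(("create", user_id, ",".join(sorted(entitlements))))

    def grant(self, user_id: str, entitlement: str) -> None:
        self.users[user_id].entitlements.add(entitlement)
        self.audit_log.append(("grant", user_id, entitlement))

    def terminate(self, user_id: str) -> None:
        # Deliberately leaves entitlements in place: this models the common
        # finding that HR termination is not propagated to application access.
        self.users[user_id].status = "terminated"
        self.audit_log.append(("terminate", user_id, ""))

    # --- authentication: verify a claimed identity against the repository ---
    def authenticate(self, user_id: str, password: str) -> bool:
        ident = self.users.get(user_id)
        if ident is None or ident.status != "active":
            self.audit_log.append(("auth_fail", user_id, "unknown or inactive"))
            return False
        _, candidate = hash_password(password, ident.salt)
        ok = hmac.compare_digest(candidate, ident.pw_hash)   # constant-time compare
        self.audit_log.append(("auth_ok" if ok else "auth_fail", user_id, ""))
        return ok

    # --- authorization: does this user hold the entitlement for the function? ---
    def is_entitled(self, user_id: str, entitlement: str) -> bool:
        ident = self.users.get(user_id)
        return ident is not None and ident.status == "active" and entitlement in ident.entitlements


# Segregation-of-duties rule (assumption): one person must not both create
# vendors and approve payments to them.
SOD_RULES = [({"vendor.create", "payment.approve"}, "vendor creation vs payment approval")]


def access_review(repo: IdentityRepository) -> dict[str, list]:
    """Who has access to what, terminated users still holding access, SoD conflicts."""
    report: dict[str, list] = {"who_has_what": [], "orphaned_access": [], "sod_violations": []}
    for ident in sorted(repo.users.values(), key=lambda i: i.user_id):
        report["who_has_what"].append((ident.user_id, ident.status, sorted(ident.entitlements)))
        if ident.status == "terminated" and ident.entitlements:
            report["orphaned_access"].append(ident.user_id)
        for conflicting, label in SOD_RULES:
            if conflicting <= ident.entitlements:
                report["sod_violations"].append((ident.user_id, label))
    return report


def build_sample_repo() -> IdentityRepository:
    """Constructed sample population: three identities, one terminated."""
    repo = IdentityRepository()
    repo.create("alice", "correct horse battery staple", {"invoice.process"})
    repo.create("bob", "hunter2!", {"vendor.create"})
    repo.grant("bob", "payment.approve")            # introduces an SoD conflict
    repo.create("carol", "p@ssw0rd-carol", {"invoice.process", "payment.approve"})
    repo.terminate("carol")                         # access never revoked: orphaned
    return repo
```

Run `access_review(build_sample_repo())` to see the three outputs an auditor wants from IAM in one place: the who-has-what listing, the orphaned account (carol, terminated but still entitled) and the SoD violation (bob can both create a vendor and approve its payments). The audit log records every provisioning event and every authentication attempt, which is the evidence trail the "is access monitored, logged and reported" question refers to.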
Which of the following is NOT a method for consulting and early involvement?
a. Informal audits
b. Knowledge sharing
c. Self-assessments
d. Risk profiling
ANS: D
Source: "IT Auditing Using Controls to Protect Information Assets", 2nd Edition, Chris Davis, Chapter 1, Early Involvement
An organization’s use of ERM must include which of the following?
a. Audit Risks
b. Residual Risks
c. IT Risks
d. Inherent Risks
ANS: C
Source: GTAG 1, PPT slide 11
Who is responsible for the design, implementation, and ongoing maintenance of controls within an organization?
a. Internal Auditor
b. Management
c. External Auditor
d. Board of Directors
ANS: B
Source: GTAG 3, PPT SLIDE 2
Data centers today typically do not provide which of the following services?
a. Physical hosting of mainframes, distributed servers and other IT assets
b. Telephone customer service
c. Continuous monitoring of the servers' performance and operational status
d. Backup and restoration
ANS: B
Source: GTAG 7 PPT SLIDE 5
The outsourcing life cycle includes all of the following except:
a. Protection of information
b. Monitoring and reporting
c. Renegotiation
d. Tendering process and contracting
ANS: A
Source: GTAG 7, PPT SLIDE 7
The degree of successful risk management is directly dependent upon:
a. Detecting
b. The affected business processes
c. The role of internal auditors
d. Serving as repositories for financial, operational, and regulatory data
ANS: B
Source: GTAG 8, PPT Slide 1
All of these are application controls except:
a. Input Controls
b. Integrity Controls
c. Resource Controls
d. Processing Controls
ANS: C
Source: GTAG 8, PPT SLIDE 2
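GTAG 8's application-control families above (input, processing, output, with integrity as a cross-cutting concern) are easier to recognise in code than in a list. The block below is an added example, not from GTAG 8: it runs a constructed payment batch through input controls on each record, processing controls that reconcile what was read against the batch header and that reconcile accepted plus rejected back to the input, and an output control that releases only clean records with a trailer total for the receiving system. The batch layout, field rules and control values are assumptions.

```python
"""Application-control checks over a constructed payment batch: input controls
(format, range and completeness checks on each record), processing controls
(record count and amount total reconciled to the batch header, and accepted
plus rejected reconciled back to the input), and an output control (only
validated records reach the payment file). Added example, not from GTAG 8;
the batch layout and the control values are assumptions."""
from __future__ import annotations

import re
from decimal import Decimal, InvalidOperation

# Constructed batch. Header: H|expected_count|expected_total
# Payment:                P|payee_id|amount|currency|approver
BATCH = """H|4|1450.00
P|V1001|250.00|USD|mgr01
P|V1002|1000.00|USD|mgr02
P|V1003|-50.00|USD|mgr01
P|V10X4|250.00|USD|
"""

PAYEE_ID = re.compile(r"^V\d{4}$")


def validate_input(payee: str, amount: str, currency: str, approver: str) -> tuple[Decimal, list[str]]:
    """Input controls on one record. Returns the parsed amount (0 if unparsable)
    and the list of control failures, empty when the record is clean."""
    errors: list[str] = []
    if not PAYEE_ID.match(payee):
        errors.append("bad payee id")
    try:
        amt = Decimal(amount)
        if amt <= 0:
            errors.append("amount not positive")
    except InvalidOperation:
        errors.append("amount not numeric")
        amt = Decimal("0")
    if currency != "USD":
        errors.append("unsupported currency")
    if not approver:
        errors.append("missing approver")
    return amt, errors


def process_batch(text: str) -> dict:
    """Processing controls: every record read is counted and totalled, then
    reconciled to the header before anything is released downstream."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    _, expected_count, expected_total = lines[0].split("|")
    accepted, rejected = [], []
    read_count, read_total = 0, Decimal("0")
    for line in lines[1:]:
        _, payee, amount, currency, approver = line.split("|")
        amt, errors = validate_input(payee, amount, currency, approver)
        read_count += 1
        read_total += amt
        (rejected if errors else accepted).append({"payee": payee, "amount": amt, "errors": errors})
    header_ok = read_count == int(expected_count) and read_total == Decimal(expected_total)
    return {"accepted": accepted, "rejected": rejected, "read_count": read_count,
            "read_total": read_total, "header_ok": header_ok}


def reconcile(result: dict) -> bool:
    """Accepted + rejected must equal what was read: no record silently dropped."""
    acc = sum((r["amount"] for r in result["accepted"]), Decimal("0"))
    rej = sum((r["amount"] for r in result["rejected"]), Decimal("0"))
    return (len(result["accepted"]) + len(result["rejected"]) == result["read_count"]
            and acc + rej == result["read_total"])


def write_payment_file(result: dict) -> list[str]:
    """Output control: nothing is released unless the batch reconciled to its
    header, and only clean records are written; the trailer carries the count
    and total so the receiving system can reconcile in turn."""
    if not result["header_ok"] or not reconcile(result):
        raise ValueError("batch does not reconcile; nothing released")
    lines = [f"{r['payee']}|{r['amount']:.2f}" for r in result["accepted"]]
    out_total = sum((r["amount"] for r in result["accepted"]), Decimal("0"))
    lines.append(f"T|{len(lines)}|{out_total:.2f}")
    return lines
```

With the constructed batch, the header reconciles (4 records, 1450.00) even though two records fail input controls, which is the point of keeping the two checks separate: the header proves nothing was lost in transmission, the input controls decide what is fit to pay, and the output trailer (2 records, 1250.00) lets the next system prove it received exactly what was released.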
Which of the following is not a reason that organizations embark on IAM?
a. Improved regulatory compliance.
b. Reduced information security risk.
c. Increased IT operating and development costs.
d. Improved operating efficiencies and transparency.
ANS: C
Source: GTAG 9