100 Cards in this Set


An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the auditor to:

confirm that the control is operating as designed.




Note: Compliance tests can be used to test the existence and effectiveness of a defined process. Understanding the objective of a compliance test is important. IS auditors want reasonable assurance that the controls they are relying on are effective. An effective control is one that meets management expectations and objectives.

The FIRST step in execution of a problem management mechanism should be:

exception reporting.




Note: The reporting of operational issues is normally the first step in tracking problems.

An IS auditor is evaluating data mining and auditing software to be used in future IS audits. What is the PRIMARY requirement that the software tool should meet? The software tool should:

accurately capture data from the organization's systems without causing excessive performance problems.




Note: While all of the choices above are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool will work effectively on the systems of the organization being audited.

After completing the business impact analysis (BIA), what is the NEXT step in the business continuity planning (BCP) process?

Develop recovery strategies.




Note: Once the BIA is completed, the next phase in the BCP development is to identify the various recovery strategies and select the most appropriate strategy for recovering from a disaster that will meet the time lines and priorities defined through the BIA.

In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?

Procedures that verify that only approved program changes are implemented.




Note: An IS auditor must consider recommending a better process. An IS auditor should recommend a formal change control process that manages and could detect changes to production source and object code, such as code comparisons, so the changes can be reviewed on a regular basis by a third party. This would be a compensating control process.

A small organization has only one database administrator (DBA). The DBA has root access to the UNIX server, which hosts the database application. How should segregation of duties (SoD) be enforced in this scenario?

Ensure that the database logs are forwarded to a UNIX server where the DBA does not have root access.




Note: By creating logs that the DBA cannot erase or modify, segregation of duties is enforced.

An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?

Use the DBA account to make changes, log the changes and review the change log the following day.




Note: The use of a DBA account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. Because an abbreviated number of steps is used, this represents an adequate set of compensating controls.

An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that:

the organizational impact of the project has not been assessed.




Note: The feasibility study determines the strategic benefits of the project. Therefore, the result of the feasibility study determines the organizational impact - a comparison report of costs, benefits, risk, etc. The project portfolio is a part of measuring the organizational strategy.

A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern?

A quality plan is not part of the contracted deliverables.




Note: A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and include which business functions will be included and when.

Which of the following provides the GREATEST assurance of message authenticity?

The hash code is encrypted using the sender's private key.




Note: Encrypting the hash code using the sender's private key provides assurance of the authenticity of the message and prevents anyone from being able to alter the hash code.

Which of the following disaster recovery testing techniques is the MOST efficient way to determine the effectiveness of the plan?

Preparedness tests




Note: Preparedness tests involve simulation of the entire environment (in phases) at relatively low cost and help the team to better understand and prepare for the actual test scenario.

An IS auditor is reviewing the disaster recovery plan (DRP) for a large organization with multiple locations requiring high systems availability. Which of the following causes the GREATEST concern?

Backup media are not tested.




Note: Testing backups provides assurance that the backup data are reliable and will be available when needed. Without backup data, the organization is not addressing the risk of availability.

The specific advantage of white box testing is that it:

determines procedural accuracy or conditions of a program's specific logic paths.




Note: White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program’s logic paths.

A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately and the corresponding products are produced?

Verifying production to customer orders




Note: Verification will ensure that produced products match the orders in the customer order system.

During an assessment of software development practices, an IS auditor finds that open source software components were used in an application designed for a client. What is the GREATEST concern the auditor would have about the use of open source software?

The organization and client must comply with open source software license terms.




Note: There are many types of open source software licenses and each has different terms and conditions. Some open source software licensing allows use of the open source software component freely, but requires that the completed software product must also allow the same rights. This is known as viral licensing, and if the development organization is not careful, its products could violate licensing terms by selling the product for profit. The IS auditor should be most concerned with open source software licensing compliance to avoid unintended intellectual property risk or legal consequences.

The PRIMARY reason for using digital signatures is to ensure data:

integrity.




Note: Digital signatures provide integrity because the digital signature of a signed message (file, mail, document, etc.) changes every time a single bit of the document changes; thus, a signed document cannot be altered. A digital signature provides for message integrity, nonrepudiation and proof of origin.

While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software that supports the accounting application. The MOST appropriate action for the IS auditor to take is to:

continue to test the accounting application controls and include mention of the change management software control deficiency in the final report.




Note: It is the responsibility of the IS auditor to report on findings that could have a material impact on the effectiveness of controls—whether or not they are within the scope of the audit.

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?

Project management




Note: Audits often involve resource management, deliverables, scheduling and deadlines similar to project management best practices.

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?

Attribute sampling




Note: Attribute sampling is the method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control.

While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Because the work involves confidential information, the IS auditor's PRIMARY concern should be that the:

requirement for protecting confidentiality of information could be compromised.




Note: Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. When a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised.

In the process of evaluating program change controls, an IS auditor would use source code comparison software to:

examine source program changes without information from IS personnel.




Note: When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify the changes.

An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol (VoIP) packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP traffic?

Corruption of the address resolution protocol (ARP) cache in Ethernet switches




Note: On an Ethernet switch there is a data table known as the address resolution protocol (ARP) cache, which stores mappings between media access control (MAC) and IP addresses. During normal operations, Ethernet switches only allow directed traffic to flow between the ports involved in the conversation and no other ports can see that traffic. However, if the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply “flood” the directed traffic to all ports of the switch, which could allow an attacker to monitor traffic not normally visible to the port where the attacker was connected, and thereby eavesdrop on Voice-over Internet Protocol (VoIP) traffic.

An IS auditor evaluating logical access controls should FIRST:

obtain an understanding of the security risk to information processing.




Note: When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, making inquiries, and conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk.

A message signed with a digital signature cannot be repudiated by the sender because a digital signature:

authenticates contents and sender at the time of signature.




Note: Digital signatures for the sender are attested by the certificate authority and can be verified by the recipient; therefore, repudiation is not possible. Additionally, the digital signature mechanism ensures the integrity of the message content by creating a one-way hash at both the source and destination and then comparing the two.

Email message authenticity and confidentiality are BEST achieved by signing the message using the:

sender's private key and encrypting the message using the receiver's public key.




Note: By signing the message with the sender’s private key, the receiver can verify its authenticity using the sender’s public key. Encrypting with the receiver’s public key provides confidentiality.

An organization's IS audit charter should specify the:

role of the IS audit function.




Note: An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.

Which of the following scenarios provides the BEST disaster recovery plan (DRP) to implement for critical applications?

Daily data backups that are stored offsite and a hot site located 140 kilometers from the main data center.




Note: Of the given choices, this is the most suitable answer. The disaster recovery plan (DRP) includes a hot site that is located sufficiently away from the main data center and will allow recovery in the event of a major disaster. Not having real-time backups may be a problem depending on recovery point objective (RPO).

A hot site should be implemented as a recovery strategy when the:

disaster tolerance is low.




Note: Disaster tolerance is the time gap during which the business can accept nonavailability of IT facilities. If this time gap is low, recovery strategies that can be implemented within a short period of time, such as a hot site, should be used.

Which of the following types of penetration tests simulates a real attack and is used to test incident handling and response capability of the target?

Double-blind testing




Note: Double-blind testing is also known as zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning—both parties are “blind” to the test. This is the best scenario for testing response capability because the target will react as if the attack were real.

The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors?

Discovery




Note: Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place.

An IS auditor is evaluating the effectiveness of the organization's change management process. What is the MOST important control that the IS auditor should look for to ensure system availability?

That test plans and procedures exist and are closely followed.




Note: The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently.

Which of the following would be the GREATEST cause for concern when data are sent over the Internet using the secured hypertext transmission protocol (HTTPS)?

Presence of spyware in one of the ends




Note: Encryption using Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnels makes it difficult to intercept data in transit, but when spyware is running on an end user's computer, data are collected before encryption takes place.

The MAIN purpose of a transaction audit trail is to:

determine accountability and responsibility for processed transactions.




Note: Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system.

During which phase of software application testing should an organization perform the testing of architectural design?

Integration testing




Note: Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure according to the design.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server?

Review changes in the software version control system.




Note: It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Only moving the versions on the version control system (VCS) program will prevent the transfer of development or earlier versions.

In auditing a database environment, an IS auditor will be MOST concerned if the database administrator (DBA) is performing which of the following functions?

Installing patches or upgrades to the operating system.




Note: Installing patches or upgrades to the operating system is a function that should be performed by a systems administrator, not by a DBA. If a DBA were performing this function, there would be a risk based on inappropriate segregation of duties.

Which of the following is an advantage of an integrated test facility (ITF)?

Periodic testing does not require separate test processes.




Note: An ITF creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. Careful planning is necessary, and test data must be isolated from production data.

When using a digital signature, the message digest is computed:

by both the sender and the receiver.




Note: A digital signature is an electronic identification of a person or entity. It is created by using asymmetric encryption. To verify integrity of data, the sender uses a cryptographic hashing algorithm against the entire message to create a message digest to be sent along with the message. Upon receipt of the message, the receiver will recompute the hash using the same algorithm.

The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the:

duration of the outage.




Note: The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives.

In the event of a data center disaster, which of the following would be the MOST appropriate strategy to enable a complete recovery of a critical database?

Real-time replication to a remote site




Note: With real-time replication to a remote site, data are updated simultaneously in two separate locations; therefore, a disaster in one site would not damage the information located in the remote site. This assumes that both sites were not affected by the same disaster.

Which of the following is the MOST efficient strategy for the backup of large quantities of mission-critical data when the systems need to be online to take sales orders 24 hours a day?

Implementing a fault-tolerant disk-to-disk backup solution




Note: Disk-to-disk backup, also called disk-to-disk-to-tape backup or tape cache, is when the primary backup is written to disk instead of tape. That backup can then be copied, cloned or migrated to tape at a later time (hence the term "disk-to-disk-to-tape"). This technology allows the backup of data to be performed without impacting system performance and allows a large quantity of data to be backed up in a very short backup window. In case of a failure, the fault-tolerant system can transfer immediately to the other disk set.

A certificate authority (CA) can delegate the processes of:

establishing a link between the requesting entity and its public key.




Note: Establishing a link between the requesting entity and its public key is a function of a registration authority. This may or may not be performed by a CA; therefore, this function can be delegated.

Which of the following goals would you expect to find in an organization's strategic plan?

Become the supplier of choice for the product offered.




Note: Becoming the supplier of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and would, thus, be a part of the organization’s strategic plan.

Which of the following is the MOST important critical success factor (CSF) of implementing a risk-based approach to the IT system life cycle?

Adequate involvement of stakeholders




Note: The most important critical success factor (CSF) is the adequate involvement and support of the various quality assurance, privacy, legal, audit, regulatory affairs or compliance teams in high regulatory risk situations. Some IT system changes may, based on risk ratings, require sign-off from key stakeholders before proceeding.

Which one of the following could be used to provide automated assurance that proper data files are being used during processing?

Internal labeling, including file header records




Note: Internal labeling, including file header records, is correct because it can provide assurance that proper data files are being used and it allows for automatic checking.

Which of the following is the BEST control to implement to mitigate the risk of an insider attack?

Limit individuals’ access to the duties required by their jobs.




Note: The most critical factor to consider is to limit the access granted to individuals to only the duties required for their jobs. Insider attacks may be initiated by employees, consultants and/or contractors of an organization. Insider-related risk is the most difficult risk to defend against because insiders typically have been granted some physical and logical access to systems, applications and networks. Remote access to corporate networks and data also is common, due to technology such as virtual private networks (VPNs) and smart phones, and poses a great threat to corporate data. There is a need to put into place strong and effective controls to mitigate this risk, the most basic of which is limiting access to what users need to do their jobs.

Which of the following choices is the MOST effective control that should be implemented to ensure accountability for application users accessing sensitive data in the human resource management system (HRMS) and among interfacing applications to the HRMS?

Audit trails




Note: Audit trails capture which user, at what time, and date, along with other details, has performed the transaction and this helps in establishing accountability among application users.

Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application?

Domain name system (DNS) server security hardening




Note: The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. To avoid this kind of attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning. Older versions of DNS software are vulnerable to this kind of attack and should be patched.

The PRIMARY purpose of an IT forensic audit is:

the systematic collection and analysis of evidence after a system irregularity.




Note: The systematic collection and analysis of evidence best describes a forensic audit. The evidence collected could then be analyzed and used in judicial proceedings.

Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database?

Commitment and rollback controls




Note: Commitment and rollback controls are directly relevant to integrity. These controls ensure that database operations that form a logical transaction unit will be completed entirely or not at all; i.e., if, for some reason, a transaction cannot be fully completed, then incomplete inserts/updates/deletes are rolled back so that the database returns to its pretransaction state.

An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:

the threats/vulnerabilities affecting the assets.




Note: One of the key factors to be considered while assessing the information systems risk is the value of the systems (the assets) and the threats and vulnerabilities affecting the assets. The risk related to the use of information assets should be evaluated in isolation from the installed controls.

Use of asymmetric encryption in an Internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the:

customer over the authenticity of the hosting organization




Note: Any false site will not be able to encrypt using the private key of the real site, so the customer would not be able to decrypt the message using the public key.

Which of the following should be an IS auditor's PRIMARY concern after discovering that the scope of an IS project has changed and an impact study has not been performed?

The time and cost implications caused by the change




Note: Any scope change might have an impact on duration and cost of the project; that is the reason why an impact study is conducted and the client is informed of the potential impact on the schedule and cost.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?

Compliance testing




Note: Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently.

A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision?

Technical skills and knowledge within the organization related to sourcing and software development




Note: Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application.

Which of the following statements is valid while drafting a business continuity plan (BCP)?

Downtime costs increase with time.




Note: Downtime costs—such as loss of sales, idle resources, salaries—increase with time. A business continuity plan (BCP) should be drawn to achieve the lowest downtime costs possible.

The GREATEST benefit of having well-defined data classification policies and procedures is:

a decreased cost of controls.




Note: An important benefit of a well-defined data classification process would be to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data. Without a proper classification framework, some security controls may be greater and, therefore, more costly than is required based on the data classification.

Which of the following is MOST important to ensure business continuity?

Backup data




Note: Data are the most important of all options listed, and without data, a business cannot recover.

When auditing a proxy-based firewall, an IS auditor should:

verify that the filters applied to services such as hypertext transmission protocol (HTTP) are effective.




Note: A proxy-based firewall works as an intermediary (proxy) between the service or application and the client. It makes a connection with the client and opens a different connection with the server and, based on specific filters and rules, analyzes all the traffic between the two connections. Unlike a packet-filtering gateway, a proxy-based firewall does not forward any packets. Mapping between MAC and IP addresses is a task for protocols such as address resolution protocol (ARP)/reverse address resolution protocol (RARP).

During an IS risk assessment of a healthcare organization regarding protected healthcare information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor?

Staff have to type “[PHI]” in the subject field of email messages to be encrypted.




Note: There will always be human-error risk that staff members forget to type certain words in the subject field. The organization should have automated encryption set up for outgoing email for employees working with protected health care information (PHI) to protect sensitive information.

Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IT department?

Allocating resources




Note: The IT department should specifically consider the manner in which resources are allocated in the short term. The IS auditor will ensure that the resources are being managed adequately.

Which of the following is widely accepted as one of the critical components in networking management?

Configuration management




Note: Configuration management is widely accepted as one of the key components of any network because it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Configuration management ensures that the setup and management of the network is done properly, including managing changes to the configuration, removal of default passwords, and possibly hardening the network by disabling unneeded services.

Which of the following is the BEST method to ensure data confidentiality in a commercial business-to-business (B2B) web application?

Encrypting transactions using the recipient's public key




Note: Encrypting the transactions with the recipient's public key will provide confidentiality via asymmetric cryptography. The recipient will then decrypt with a personal private key.

Which of the following should be of GREATEST concern to an IS auditor reviewing the business continuity plan (BCP) of an organization?

A team of IT and information security staff conducted the business impact analysis (BIA)




Note: To be effective, the BIA should be conducted with input from a wide array of stakeholders. The business requirements included within the BIA are integral in defining the mean time to repair and the recovery point. Without business stakeholder input, these critical requirements may not be correctly defined, leading to critical assets being overlooked.

In a public key infrastructure (PKI), a registration authority:

verifies information supplied by the subject requesting a certificate




Note: A registration authority is responsible for verifying information supplied by the subject requesting a certificate, and verifies the requestor's right to request a certificate on behalf of themselves or their organization.

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?

Detection




Note: Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue.

Which of the following controls would be MOST effective to reduce the risk of loss due to fraudulent online payment requests?

Transaction monitoring




Note: An electronic payment system could be the target of fraudulent activities. An unauthorized user could potentially enter false transactions. By monitoring transactions, the payment processor could identify potentially fraudulent transactions based on the typical usage patterns, monetary amounts, physical location of purchases, and other data that are part of the transaction process.

An investment advisor emails periodic newsletters to clients and wants reasonable assurance that no one has modified the newsletter. This objective can be achieved by:

encrypting the hash of the newsletter using the advisor's private key




Note: It is not the intention of the investment advisor to maintain the confidentiality of the newsletter. The objective is to assure the receivers that it reached them without any modification (i.e., message integrity). The hash is encrypted using the advisor's private key. The recipients can open the newsletter, recompute the hash of the newsletter with the same algorithm, and decrypt the received hash using the advisor's public key. If the two hashes are equal, the newsletter was not modified in transit.

The GREATEST benefit of implementing an expert system is the:

capturing of the knowledge and experience of individuals in an organization.




Note: The basis for an expert system is the capture and recording of the knowledge and experience of individuals in an organization. This will allow other users to access information formerly held only by experts.

An IS auditor conducting a physical security audit of an organization's back office processing facility would find which of the following techniques MOST effective to determine that the company's sensitive information is secure?

Social engineering




Note: It has often been said that people are the weakest link in the security chain, and social engineering is a technique used to exploit human vulnerabilities to obtain confidential or sensitive organizational information. This technique can be used to gain unauthorized access to the organization's facilities and to manipulate people into divulging sensitive information - e.g., a social engineer may walk into company facilities, obtain confidential papers or information left on employees' desks and printers, and even pose as a member of the help desk team to obtain user passwords.

Assignment of process ownership is essential in a system development project because it:

ensures that the system design is based on business needs.




Note: The involvement of process owners will ensure that the system will be designed according to the needs of the business processes that depend on system functionality. A sign-off on the design by the process owners is crucial before development begins.

The BEST filter rule for protecting a network from being used as an amplifier in a denial-of-service (DoS) attack is to deny all:

outgoing traffic with IP source addresses external to the network.




Note: Outgoing traffic with an IP source address different than the internal IP range in the network is invalid. In most of the cases, it signals a denial-of-service (DoS) attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the infected machine from participating in the attack.

Which of the following would help to ensure the portability of an application connected to a database?

Usage of a structured query language (SQL)




Note: The use of structured query language (SQL) facilitates portability because it is an industry standard used by many systems.

An IS auditor has discovered that a new patch is available for an application, but the IT department has decided that the patch is not needed because other security controls are in place. What should the IS auditor recommend?

Assess the overall risk, then decide whether to deploy the patch




Note: While it is important to ensure that systems are properly patched, a risk assessment needs to be performed to determine the likelihood of the vulnerability being exploited. Therefore, the patch would be applied only if the risk of the existing security controls being circumvented is great enough to warrant it.

Which of the following would BEST describe encrypting and decrypting data using an asymmetric encryption algorithm?

Use the receiver's private key to decrypt data encrypted by the receiver's public key.




Note: In asymmetric encryption, if the message was encrypted by the receiver's public key, it can only be decrypted by the receiver's private key.

An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:

ensure that a good change management process is in place.




Note: An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly.

An IS auditor is reviewing a new web-based order entry system the week before it goes live. The IS auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card information. The IS auditor should FIRST:

verify that the security requirements have been properly specified in the project plan.




Note: If an IS auditor identifies significant security issues, the first question is whether the security requirements were correctly specified in the project plan. Whether or not the requirements were included in the plan will affect the recommendations the auditor makes.

An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?

Implement integrity constraints in the database




Note: Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, preventing any undefined data from being entered.

Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement (SLA) with an external IT service provider?

Uptime guarantee




Note: The most important element of an SLA is the measurable terms of performance, such as uptime agreements.

During an application audit, the IS auditor finds several problems related to corrupt data in the database. Which of the following is a corrective control that the IS auditor should recommend?

Proceed with restore procedures




Note: Proceeding with restore procedures is a corrective control. Restore procedures can be used to recover databases to their last-known archived version.

Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?

During the test, some of the backup systems were defective or not working, causing the test of these systems to fail.




Note: The purpose of the test is to exercise the backup plan. If the backup systems are not working, the plan cannot be relied on in a real disaster. This is the most serious problem.

Which of the following BEST helps ensure that deviations from the project plan are identified?

Project performance criteria




Note: To identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success.

The success of control self-assessment (CSA) depends highly on:

having line managers assume a portion of the responsibility for control monitoring.




Note: The primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which the line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly.

The optimal business continuity strategy for an entity is determined by the:

lowest sum of downtime cost and recovery cost




Note: Both costs have to be minimized, and the strategy for which the sum of the costs is the lowest is the optimal strategy.

In the process of evaluating program change controls, an IS auditor would use source code comparison software to:

examine source program changes without information from IS personnel.




Note: When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has objective, independent, and relatively complete assurance of program changes because the source code comparison will identify the changes.

Which of the following is a MAJOR concern during a review of help desk activities?

Resolved incidents are closed without reference to users.




Note: The help desk function is a service-oriented unit. The users must sign off before an incident can be regarded as closed.

In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional:

substantive testing




Note: Because both the inherent and control risk are high in this case, additional testing would be required. Substantive testing obtains audit evidence on the completeness, accuracy, or existence of activities or transactions during the audit period.

The ultimate purpose of IT governance is to:

encourage optimal use of IT.




Note: IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.

An organization is using symmetric encryption. Which of the following would be a valid reason for moving to asymmetric encryption? Symmetric encryption:

can cause key management to be difficult.




Note: In a symmetric algorithm, each pair of users needs its own unique shared key, so the number of keys grows rapidly and key management can become overwhelming.

Which of the following BEST supports the prioritization of new IT projects?

Investment portfolio analysis




Note: It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy, but will provide the rationale for terminating nonperforming IT projects.

Which of the following activities performed by a database administrator (DBA) should be performed by a different person?

Deleting database activity logs




Note: Because database activity logs record activities performed by the DBA, deleting them should be performed by an individual other than the DBA. This is a compensating control to aid in ensuring an appropriate segregation of duties is associated with the DBA's role.

During a review of an outsourced network operations center (NOC), an IS auditor concludes that the procedures to monitor remote network administration activities by the outsourced agency are inadequate. During the management discussion, the chief information officer (CIO) justifies this issue as a help desk activity, covered by help desk procedures, and points out that intrusion detection system (IDS) logs are activated and firewall rules are monitored. What is the BEST course of action for the IS auditor to take?

Document the identified finding in the audit report.




Note: IS auditor independence dictates that the additional information provided by the auditee be taken into consideration, but an IS auditor would not normally retract or revise the finding on that basis alone.

Which of the following types of risk is MOST likely encountered in a Software as a Service (SaaS) environment?

Performance issues due to the Internet delivery method.




Note: The risk most likely to be encountered in a SaaS environment is speed and availability issues, because SaaS relies on the Internet for connectivity.

Which technique would BEST test for the existence of dual control when auditing the wire transfer systems of a bank?

Observation




Note: Dual control requires that two people carry out an operation. The observation technique would help to ascertain whether two individuals do indeed get involved in execution of the operation and an element of oversight exists. It would also be obvious if one individual is masquerading and filling in the role of the second person.

Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application?

User management




Note: User management assumes ownership of the project and resulting systems, allocates qualified representatives to the team, and actively participates in system requirements definition, acceptance testing, and user training. User management should review and approve system deliverables as they are defined and accomplished or implemented.

After reviewing the disaster recovery plan (DRP) process of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting?

Confirming factual accuracy of the findings.




Note: The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on or respond to recommendations for corrective action.

Which of the following preventive controls BEST helps secure a web application?

Developer training




Note: Of the given choices, teaching developers to write secure code is the best way to secure a web application.

What is the BEST way to verify that a digital signature is valid?

Verify that the sender's public key certificate is from a trusted certificate authority (CA)




Note: Digital signatures are created using the sender's private key. The CA binds the sender's identity to the corresponding public key, which enables the recipient to identify the sender.

Validated digital signatures in an email software application will:

help detect spam.




Note: Validated electronic signatures are based on qualified certificates that are created by a certificate authority (CA), with the technical standards required to ensure the key can be neither forged nor reproduced in a reasonable time. Such certificates are only delivered through a registration authority (RA) after a proof of identity has been passed. Using strong signatures in email traffic, nonrepudiation can be assured and a sender can be tracked. The recipient can configure his/her email server or client to automatically delete emails from specific senders.

An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered:

can support the organization in the long term.




Note: The long-term financial viability of a vendor is essential for deriving maximum value for the organization - it is more likely that a financially sound vendor would be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product.