Revision 4

Test title: Revision 4

Description: Revision 4

Creation date: 2023/11/03

Category: Other

Number of questions: 150

Contents:

A shared resource matrix is a technique commonly used to locate: Malicious code. Security flaws. Trap doors. Covert channels.

You are part of the security staff at a highly profitable bank, and each day all traffic on the network is logged for later review. Every Friday, when major deposits are made, you see a series of bits placed in the "Urgent Pointer" field of TCP packets. This is only 16 bits, which isn't much, but it concerns you because: It is normal traffic, because sometimes the previous field's 16-bit checksum value can overrun into the urgent pointer's 16-bit field, causing the condition. This could be a sign of covert channeling in bank network communications and should be investigated. It could be a sign of a damaged network cable causing the issue. It could be a symptom of a malfunctioning network card or driver, and the source system should be checked for the problem.
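The detection logic behind the correct answer, as an added example that is not part of the quiz: the Urgent Pointer is only meaningful when the URG control bit is set (RFC 793), so a non-zero pointer with URG clear is 16 bits every receiver ignores and a sender can fill freely. Header fields are fixed-width, so the "checksum overrun" distractor cannot happen; parsing the header with `struct` makes that visible. The segment builder, the "Friday" capture and the two-ASCII-bytes-per-pointer encoding are all constructed here for illustration, not real captures.

```python
import struct

TCP_FLAG_URG = 0x20          # RFC 793 control bit; Urgent Pointer is valid only when set
TCP_FLAG_ACK = 0x10
TCP_FLAG_PSH = 0x08


def parse_tcp_header(segment: bytes) -> dict:
    """Unpack the fixed 20-byte TCP header; fields are fixed-width, nothing can overrun."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    (src_port, dst_port, seq, ack, off_res, flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIBBHHH", segment[:20])
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "flags": flags,
        "checksum": checksum,
        "urg_ptr": urg_ptr,
        "header_len": (off_res >> 4) * 4,
    }


def is_suspicious_urgent_pointer(hdr: dict) -> bool:
    """A non-zero Urgent Pointer with URG clear is ignored by the receiver,
    so those 16 bits are free to carry hidden data: the covert-channel sign."""
    return hdr["urg_ptr"] != 0 and not (hdr["flags"] & TCP_FLAG_URG)


def extract_urgent_pointer_channel(segments) -> list:
    """Return the Urgent Pointer values of flagged segments, in capture order."""
    flagged = []
    for seg in segments:
        hdr = parse_tcp_header(seg)
        if is_suspicious_urgent_pointer(hdr):
            flagged.append(hdr["urg_ptr"])
    return flagged


def decode_channel(values) -> str:
    """Interpret each 16-bit value as two ASCII bytes (the encoding assumed here)."""
    return b"".join(struct.pack("!H", v) for v in values).decode("ascii", "replace")


def build_segment(flags: int, urg_ptr: int, src: int = 443, dst: int = 51000) -> bytes:
    """Constructed sample segment (checksum zeroed; not a real capture)."""
    return struct.pack("!HHIIBBHHH", src, dst, 1000, 2000, 5 << 4, flags,
                       65535, 0, urg_ptr)


# Constructed "Friday traffic": four PSH/ACK segments leak "DEPOSIT4" two bytes
# at a time, mixed with an ordinary ACK and a legitimate URG segment.
SAMPLE_CAPTURE = [
    build_segment(TCP_FLAG_ACK, 0),                        # ordinary ACK, pointer 0
    build_segment(TCP_FLAG_PSH | TCP_FLAG_ACK, 0x4445),    # "DE"
    build_segment(TCP_FLAG_PSH | TCP_FLAG_ACK, 0x504F),    # "PO"
    build_segment(TCP_FLAG_URG | TCP_FLAG_ACK, 1),         # legitimate urgent data
    build_segment(TCP_FLAG_PSH | TCP_FLAG_ACK, 0x5349),    # "SI"
    build_segment(TCP_FLAG_PSH | TCP_FLAG_ACK, 0x5434),    # "T4"
]

if __name__ == "__main__":
    leaked = extract_urgent_pointer_channel(SAMPLE_CAPTURE)
    print([hex(v) for v in leaked], decode_channel(leaked))
```

Running this over the constructed capture flags only the four PSH/ACK segments and reassembles "DEPOSIT4"; the legitimate URG segment and the zero-pointer ACK are left alone. On a real capture the same check is worth correlating with timing (the Friday pattern in the question) before concluding it is a channel rather than a buggy stack.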

John is the product manager for an information system. His product has undergone a security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks identified by the IS auditor. Which of the following techniques is John using to treat the risks identified by the IS auditor?. Risk Mitigation. Risk Acceptance. Risk Avoidance. Risk transfer.

Sam is the security manager of a financial institution. Senior management has requested that he perform a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost-benefit analysis shows that the risk mitigation cost (countermeasures, controls, or safeguards) is more than the potential loss that could be incurred. What kind of strategy should Sam recommend to senior management to treat these risks?. Risk Mitigation. Risk Acceptance. Risk Avoidance. Risk transfer.

Which of the following risk handling techniques involves the practice of being proactive so that the risk in question is not realized?. Risk transfer. Risk Mitigation. Risk Acceptance. Risk Avoidance.

Which of the following controls is intended to discourage a potential attacker?. Deterrent. Preventive. Corrective. Recovery.

Which of the following audits includes specific tests of controls to demonstrate adherence to a specific regulatory or industry standard?. Compliance Audit. Financial Audit. Operational Audit. Forensic audit.

Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?. A. Identifying where existing data resides and establishing a data classification matrix. B. Requiring users to save files in secured folders instead of a company-wide shared drive. C. Reviewing data transfer logs to determine historical patterns of data flow. D. Developing a DLP policy and requiring signed acknowledgment by users.

During an exit interview, senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?. Finalize the draft audit report without changes. Revise the assessment based on senior management's objections. Gather evidence to analyze senior management's objections. Escalate the issue to audit management.

Which of the following is the MOST important to have in place to build consensus among key stakeholders on the cost-effectiveness of IT?. Standardized enterprise architecture (EA). A uniform IT chargeback process. IT project governance and management. IT performance monitoring and reporting.

The implementation of an IT governance framework requires that the board of directors of an organization: approve the IT strategy. be informed of all IT initiatives. have an IT strategy committee. address technical IT issues.

An organization seeks to control costs related to storage media throughout the information life cycle while still meeting business and regulatory requirements. Which of the following is the BEST way to achieve this objective?. Utilize solid state memory. Implement a data retention policy. Perform periodic tape backups. Stream backups to the cloud.

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization’s information security policy?. Business objectives. Alignment with the IT tactical plan. Compliance with industry best practice. IT steering committee minutes.

An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?. A significant increase in external attack attempts. A significant increase in approved exceptions. A significant increase in cybersecurity audit findings. A significant increase in authorized connections to third parties.

Which of the following is the MAJOR advantage of automating internal controls?. A. To enable the review of large value transactions. B. To help identify transactions with no segregation of duties. C. To efficiently test large volumes of data. D. To assist in performing analytical reviews.

Which of the following reports should an IS auditor use to check compliance with a service level agreement (SLA) requirement for uptime?. A. Utilization reports. B. Hardware error reports. C. System logs. D. Availability reports.

When performing an audit of a client relationship management (CRM) system migration project, which of the following should be of GREATEST concern to an IS auditor?. A. The technical migration is planned for a Friday preceding a long weekend, and the time window is too short for completing all tasks. B. Employees pilot-testing the system are concerned that the data representation in the new system is completely different from the old system. C. A single implementation is planned, immediately decommissioning the legacy system. D. Five weeks prior to the target date, there are still numerous defects in the printing functionality of the new system’s software.

After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend?. A. Stress. B. Black box. C. Interface. D. System.

An IS auditor performing an application maintenance audit would review the log of program changes for the: A. authorization of program changes. B. creation date of a current object module. C. number of program changes actually made. D. creation date of a current source program.

Function Point Analysis (FPA) provides an estimate of the size of an information system based only on the number and complexity of a system's inputs and outputs. True or false?. o True. o False.

Who assumes ownership of a systems-development project and the resulting system?. o User management. o Project steering committee. o IT management. o Systems developers.

How does the SSL network protocol provide confidentiality?. o Through symmetric encryption such as RSA. o Through asymmetric encryption such as Data Encryption Standard, or DES. o Through asymmetric encryption such as Advanced Encryption Standard, or AES. o Through symmetric encryption such as Data Encryption Standard, or DES.

Which of the following is a good control for protecting confidential data residing on a PC?. o Personal firewall. o File encapsulation. o File encryption. o Host-based intrusion detection.

What does PKI use to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions?. o A combination of public-key cryptography. o A combination of public-key cryptography and two-factor authentication. o A combination of public-key cryptography and digital certificates. o A combination of digital certificates and two-factor authentication.

Which of the following do digital signatures provide?. o Authentication and integrity of data. o Authentication and confidentiality of data. o Confidentiality and integrity of data. o Authentication and availability of data.

Regarding digital signature implementation, which of the following answers is correct?. o A digital signature is created by the sender to prove message integrity by encrypting the message with the sender's private key. Upon receiving the data, the recipient can decrypt the data using the sender's public key. o A digital signature is created by the sender to prove message integrity by encrypting the message with the recipient's public key. Upon receiving the data, the recipient can decrypt the data using the recipient's public key. o A digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash value or message digest from the entire message contents. Upon receiving the data, the recipient can independently create it. o A digital signature is created by the sender to prove message integrity by encrypting the message with the sender's public key. Upon receiving the data, the recipient can decrypt the data using the recipient's private key.

Which of the following is an effective method for controlling downloading of files via FTP?. o An application-layer gateway, or proxy firewall, but not stateful inspection firewalls. o An application-layer gateway, or proxy firewall. o A circuit-level gateway. o A first-generation packet-filtering firewall.

Which of the following provides the strongest authentication for physical access control?. o Sign-in logs. o Dynamic passwords. o Key verification. o Biometrics.

What can ISPs use to implement inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources?. o OSI Layer 2 switches with packet filtering enabled. o Virtual Private Networks. o Access Control Lists (ACL). o Point-to-Point Tunneling Protocol.

What is the key distinction between encryption and hashing algorithms?. o Hashing algorithms ensure data confidentiality. o Hashing algorithms are irreversible. o Encryption algorithms ensure data integrity. o Encryption algorithms are not irreversible. Explanation: A key distinction between encryption and hashing algorithms is that hashing algorithms are irreversible.

Which of the following is BEST characterized by unauthorized modification of data before or during systems data entry?. o Data diddling. o Skimming. o Data corruption. o Salami attack.

An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?. A. Source code version control. B. Project change management controls. C. Existence of an architecture review board. D. Configuration management.

Which of the following presents the GREATEST risk associated with end-user computing (EUC) applications over financial reporting?. A. Lack of portability for users. B. Calculation errors in spreadsheets. C. Inability to quickly modify and deploy a solution. D. Loss of time due to manual processes.

An IS auditor has been tasked with analyzing an organization's capital expenditures against its repair and maintenance costs. Which of the following is the BEST reason to use a data analytics tool for this purpose?. A. It reduces the sample size required to perform the audit. B. It improves the reliability of the data. C. It reduces the error rate. D. It enables the auditor to work with 100% of the transactions.

Which of the following is MOST important for an organization to consider when planning to outsource data storage to a third-party provider?. A. The cost of delivering the service. B. The country in which the provider operates. C. The classification levels of the stored data. D. The skill set and experience of the provider.

Which of the following observations noted by an IS auditor reviewing internal IT standards is MOST important to address?. A. The standards have no reference to an industry-recognized framework. B. The standards are not detailed in policies and procedures. C. The standards are not readily available to organization-wide users. D. The standards have not been revised within the last year.

Which of the following should be the GREATEST concern for an IS auditor performing a post-implementation review for a major system upgrade?. A. Changes are promoted to production by the development group. B. Developers have access to the testing environment. C. Object code can be accessed by the development group. D. Change approvals are not formally documented.

The BEST way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and: A. product registration. B. procurement. C. payroll processing. D. payment processing.

Which of the following BEST protects private health information from data loss for clients that utilize remote health-monitoring devices?. A. Digital certificates. B. Remote device wipe functionality. C. Information security training. D. Encrypted device storage.

An IS auditor reviewing an information processing environment decides to conduct external penetration testing. Which of the following is MOST appropriate to include in the audit scope for the organization to distinguish between the auditor's penetration attacks and actual attacks?. A. Restricted host IP addresses of simulated attacks. B. Testing techniques of simulated attacks. C. Source IP addresses of simulated attacks. D. Timing of simulated attacks.

Which of the following is BEST supported by enforcing data definition standards within a database?. A. Data confidentiality. B. Data security. C. Data formatting. D. Data retention.

Which of the following should be the FIRST step to successfully implement a corporate data classification program?. A. Check for the required regulatory requirements. B. Select a data loss prevention (DLP) protocol. C. Confirm that adequate resources are available for the project. D. Approve a data classification policy.

An IS auditor has been asked to investigate critical business applications that have been producing suspicious results. Which of the following should be done FIRST?. A. Evaluate control design. B. Evaluate incident management. C. Review configuration management. D. Review user access rights.

Which of the following BEST enables an organization to improve the visibility of end-user computing (EUC) applications that support regulatory reporting?. A. EUC tests of operational effectiveness. B. EUC access control matrix. C. EUC availability controls. D. EUC inventory.

Which of the following BEST enables an organization to verify whether an encrypted message sent by a client has been altered?. A. The date and time stamp of the received message. B. The digital signature. C. The sender’s private key. D. The message header.
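The digital signature flow tested in the implementation question above and in this alteration-detection question, as an added example that is not part of the quiz: the sender hashes the entire message, applies the private key to the digest, and the recipient recomputes the digest independently and compares it with the value recovered using the sender's public key. The RSA parameters are toy-sized and constructed here for illustration only; they use no padding, and the digest is reduced modulo N to fit, which real RSA signatures (PKCS#1 v1.5 or PSS with 2048-bit or larger keys) never do.

```python
import hashlib

# Toy RSA key pair, constructed for illustration only. Real keys are 2048 bits
# or more and the digest is padded (PKCS#1 v1.5 / PSS), never reduced mod N.
P, Q = 104729, 104723          # two primes (the 10000th and 9999th)
N = P * Q                      # public modulus
PHI = (P - 1) * (Q - 1)
E = 65537                      # public exponent (sender's public key is (N, E))
D = pow(E, -1, PHI)            # private exponent (sender's private key), Python 3.8+


def message_digest(message: bytes) -> int:
    """Step 1: hash the entire message; the signature covers the digest, not the message."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") % N   # shrink to the toy modulus (illustration only)


def sign(message: bytes, private_exponent: int = D) -> int:
    """Sender: apply the private key to the digest.
    This is the 'encrypt with the sender's private key' step of the quiz answer."""
    return pow(message_digest(message), private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """Recipient: recompute the digest independently and compare it with the
    value recovered from the signature using the sender's public key.
    Any change to the message changes the digest, so the comparison fails."""
    return pow(signature, public_exponent, N) == message_digest(message)


if __name__ == "__main__":
    original = b"pay 100 to account 42"       # constructed sample message
    sig = sign(original)
    print("original verifies:", verify(original, sig))
    print("altered verifies:", verify(b"pay 900 to account 42", sig))
```

Note what the signature does and does not give: it provides authentication (only the holder of D could have produced a value that opens correctly under E) and integrity (an altered message no longer matches), but it does nothing for confidentiality, because anyone with the public key can check it and the message itself travels in the clear unless separately encrypted.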

An IS auditor observes that each department follows a different approach for creating and securing spreadsheet macros. Which of the following is the auditor's BEST recommendation for management in this situation?. A. Provide end-user training on spreadsheet macro development. B. Prohibit further development of end-user computing (EUC) applications by end users. C. Implement an end-user computing (EUC) governance framework. D. Secure the folders where macro-enabled spreadsheets are stored.

Which of the following is the PRIMARY objective of enterprise architecture (EA)?. A. Enforcing the IT policy across the organization. B. Managing and planning for IT investments. C. Executing customized development and delivery of projects. D. Maintaining detailed system documentation.

As part of a payroll department IS audit, which of the following is the PRIMARY reason an IS auditor would recommend that a supervisor review exception reports before authorizing payments?. A. To identify unusual fluctuations or changes in any employee's monthly pay. B. To evaluate gaps between employee performance and salary adjustments. C. To verify the accuracy of bank account information for payroll deposit. D. To collect statistical information in preparation for future pay scale review.

Which of the following is MOST important for an IS auditor to confirm upon learning that an organization utilizes storage virtualization for key systems in their environment?. A. Restoration testing is performed at regular intervals. B. Redundancy is included in the storage architecture. C. Backup drives are available at the disaster recovery hot site. D. Access to physical media is limited to authorized individuals.

An organization outsources its IT function to a third-party provider that supplies all hardware and support personnel. Which of the following poses the GREATEST risk that the provider's IT resources may not be available to meet the organization's objectives?. A. The service contract does not include penalty or termination provisions. B. The service provider does not make independent audit reports available. C. The service provider is located offshore. D. Service level agreements (SLAs) are not established and monitored.

The use of control totals satisfies which of the following control objectives?. A. Processing integrity. B. Transaction integrity. C. Distribution control. D. System recoverability.

An organization has outsourced the maintenance of its customer database to an external vendor, and the vendor has requested live data to test the performance of the database. Which of the following is MOST important for the IS auditor to recommend?. A. Ensure sensitive field data is anonymized by random characters. B. Ensure both parties agree the data will be destroyed after the testing is complete. C. Ensure the data is backed up before providing it to the vendor. D. Ensure data transfer details are specified in the service engagement contract.

An IS auditor notes that an organization's DevOps team has both production and developer access. The head of IT operations agrees that there is a segregation of duties concern but considers both types of access to be necessary for the team. Which of the following is the auditor's BEST recommendation?. A. Implement weekly management reviews to confirm that no change was both developed and deployed by the same engineer. B. Require DevOps engineers’ access to production systems to be reauthorized quarterly by the head of IT operations. C. Have developer access removed from the DevOps engineers. D. Implement an automated control to prevent deployment if the developer is also trying to deploy the change.

Which of the following BEST indicates that an organization's risk management practices contribute to the effectiveness of internal IS audits?. A. The audit team participates in risk scenario development workshops. B. The audit department utilizes the corporate risk register. C. The audit department uses the existing risk analysis templates. D. The audit department follows the same reporting format used by the IT risk function.

Which of the following should be of GREATEST concern to an IS auditor when using data analytics?. A. The data source lacks integrity. B. The data analytics software is open source. C. The data set contains irrelevant fields. D. The data was not extracted by the auditor.

An organization wants an independent measure of an outsourced system's availability. This measure is directly related to contractual payment obligations. Which of the following procedures would an IS auditor MOST likely recommend?. A. Requiring end users to report any service disruptions. B. Polling the remote service at regular intervals. C. Scanning for errors or warnings from system logs. D. Comparing downtime to approved maintenance windows.

Which of the following should be identified FIRST when assessing the maturity level of an organization’s vulnerability management practices?. A. Applicable IT governance framework. B. Key security team members to interview. C. Applicable security framework. D. Scope of vulnerability reports.

Which of the following indicators would BEST demonstrate the efficiency of a help desk operation?. A. The percentage of system uptime supported. B. The percentage of tickets resolved over a period of time. C. Number of calls received per day. D. The number of users supported.

Which of the following BEST enables an organization to control which software can be installed on a user's computer?. A. Blocked list. B. Access list. C. Capabilities list. D. Baseline list.

A transaction processing system interfaces with the general ledger. Data analytics has identified that some transactions are being recorded twice in the general ledger. While management states a system fix has been implemented, what should the IS auditor recommend to validate the interface is working in the future?. A. Perform periodic reconciliations. B. Improve user acceptance testing (UAT). C. Ensure system owner sign-off for the system fix. D. Conduct functional testing.

During an investigation, it was determined that an employee leaked company system administrative credentials on a public social media site. What is the IS auditor's FIRST recommendation?. A. Prosecute the employee. B. Change privileged passwords. C. Initiate forensic investigation. D. Initiate shutdown of the system.

Which of the following is the MOST critical factor for the successful implementation of an IT governance framework?. A. Alignment with industry benchmarks. B. Alignment with business strategy. C. Alignment with information security standards. D. Alignment with a risk management framework.

Which of the following BEST enables an IS auditor to prioritize financial reporting spreadsheets for an end-user computing (EUC) audit?. A. Understanding the purpose of each spreadsheet. B. Ascertaining which spreadsheets are most frequently used. C. Identifying the spreadsheets with built-in macros. D. Reviewing spreadsheets based on file size.

The PRIMARY benefit of automating application testing is to: A. reduce the time to review code. B. provide test consistency. C. replace all manual test processes. D. provide more flexibility.

Which of the following is the BEST indication that an IT service desk function needs to improve its incident management processes?. A. Information found in many incident records is incomplete. B. The service desk spends most of its time on recurring incidents. C. Back-end releases are the major cause of system disruptions. D. Service level metrics for resolution time have not been met several times.

Which of the following is the BEST way to reduce the attack surface for a server farm?. A. Implement effective vulnerability management procedures. B. Uninstall unnecessary applications and services. C. Evaluate server configuration periodically. D. Ensure applications are periodically patched.

A matrix showing the current state and challenges of an organization's software release management practices is MOST useful for: A. writing up an internal audit report. B. determining the overall maturity level. C. improving the developer experience. D. seeking approval for new tooling.

What would be the PRIMARY reason for an IS auditor to recommend using key risk indicators (KRIs)?. A. To keep the risk register updated. B. To eliminate unnecessary risk. C. To determine whether risk is changing. D. To align resources with the greatest risk.

Which of the following is MOST important for an IS auditor to confirm when assessing the security of a new cloud-based IT application that is linked with the organization’s existing technology?. A. The application programming interfaces (APIs) are adequately secured. B. The on-premise database has adequate encryption at rest. C. The cloud provider shares an external audit report. D. The organization has a flat network structure.

An IS auditor is preparing a plan for audits to be carried out over a specified period. Which of the following activities should the IS auditor perform FIRST?. A. Allocate audit resources. B. Determine the audit universe. C. Prioritize risks. D. Review prior audit reports.

Which of the following should be identified FIRST during the risk assessment process?. A. Vulnerability. B. Existing controls. C. Legal requirements. D. Information assets.

An organization’s IT risk assessment should include the identification of: A. vulnerabilities. B. compensating controls. C. business process owners. D. business needs.

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's release management processes?. A. Release management policies have not been updated in the past two years. B. Identify assets to be protected. C. Evaluate controls in place. D. Identify potential threats.

An IS auditor has been asked to review a recently implemented quality management system (QMS). Which of the following should be the auditor’s PRIMARY focus?. A. Training materials prepared for coaching employees. B. Processes to measure the performance of business-critical transactions. C. Cost-benefit analysis of the development and implementation of the QMS. D. Stability of the implemented QMS system over a period of time.

An organization’s business continuity plan (BCP) should be: A. updated based on changes to personnel and environments. B. tested whenever new applications are implemented. C. updated before an independent audit review. D. tested after an intrusion attempt into the organization’s hot site.

Which of the following is the PRIMARY reason an IS auditor would recommend offsite backups although critical data is already on a redundant array of inexpensive disks (RAID)?. A. The array cannot recover from a natural disaster. B. The array relies on proper maintenance. C. The array cannot offer protection against disk corruption. D. Disks of the array cannot be hot-swapped for quick recovery.

Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of an organization's social media practices?. A. Some employees have not received adequate training in the use of social media. B. The organization does not have a social media policy. C. Employees are using corporate devices to access mainstream social media websites. D. Employees are using corporate branding on personal social media postings.

When reviewing a business impact analysis (BIA), it is MOST important for an IS auditor to ensure input was obtained from which group of stakeholders?. A. Business executives. B. Business process owners. C. Third-party consultants. D. Risk management.

Which of the following is MOST effective for controlling visitor access to a data center?. A. Visitors sign in at the front desk upon arrival. B. Pre-approval of entry requests. C. Visitors are escorted by an authorized employee. D. Closed-circuit television (CCTV) is used to monitor the facilities.

After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit. This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit. Which of the following risks is MOST affected by this oversight?. A. Operational. B. Audit. C. Financial. D. Inherent.

External experts were used on a recent IT audit engagement. While assessing the external experts’ work, the internal audit team found some gaps in the evidence that may have impacted their conclusions. What is the internal audit team’s BEST course of action?. A. Engage another expert to conduct the same testing. B. Recommend the external experts conduct additional testing. C. Report a scope limitation in their conclusions. D. Escalate to senior management.

When building or upgrading enterprise cryptographic infrastructure, which of the following is the MOST critical requirement for growing business requirements?. A. Network throttling. B. Service discovery. C. Backup and restoration capabilities. D. Scalable architectures and systems.

When auditing an organization's software acquisition process, the BEST way for an IS auditor to understand the software benefits to the organization would be to review the: A. alignment with IT strategy. B. business case. C. feasibility study. D. request for proposal (RFP).

Which of the following is the MOST effective way to assess the controls over the hardware maintenance process?. A. Review the hardware maintenance logs to confirm all recorded dates are within one year. B. Compare the hardware maintenance log with the recommended maintenance schedule. C. Validate that management tracks the mean time between failures (MTBFs). D. Identify the required maintenance procedures and ensure the maintenance policy is in alignment.

An organization has implemented segregation of duties with appropriate job definitions and restrictions on overlapping roles. Which type of control has been implemented?. A. Preventive. B. Detective. C. Physical. D. Corrective.

During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor's BEST course of action?. A. Recommend the utilization of software licensing monitoring tools. B. Recommend the purchase of additional software license keys. C. Validate user need for shared software licenses. D. Verify whether the licensing agreement allows shared use.

Which of the following is a preventive control that can protect against internal fraud in an organization?. A. Continuous auditing. B. Management review. C. External audits. D. Segregation of duties.

An organization outsourced its IS functions. To meet its responsibility for disaster recovery, the organization should: A. coordinate disaster recovery administration with the outsourcing vendor. B. delegate evaluation of disaster recovery to a third party. C. delegate evaluation of disaster recovery to internal audit. D. discontinue maintenance of the disaster recovery plan (DRP).

When using data analytics to perform an audit, the IS auditor should FIRST: A. identify testing models. B. define data needs. C. identify data sources. D. prepare the data.

In a review of the organization standards and guidelines for IT management, which of the following should be included in an IS development methodology?. A. Risk management techniques. B. Access control rules. C. Value-added activity analysis. D. Incident management techniques.

An IS auditor observes a system performance monitoring tool that states that a server critical to the organization averages high CPU utilization across a cluster of four virtual servers throughout the audit period. To determine if further investigation is required, an IS auditor should review: A. system baselines. B. the system process activity log. C. the number of CPUs allocated to each virtual machine. D. organizational objectives.

Which of the following should MOST concern an IS auditor reviewing an intrusion detection system (IDS)?. A. Number of false negatives. B. Number of false positives. C. Legitimate traffic blocked by the system. D. Reliability of IDS logs.

An IS auditor has discovered that a cloud-based application was not included in an application inventory that was used to confirm the scope of an audit. The business process owner explained that the application will be audited by a third party in the next year. The auditor’s NEXT step should be to: A. evaluate the impact of the cloud application on the audit scope. B. revise the audit scope to include the cloud-based application. C. review the audit report when performed by the third party. D. report the control deficiency to senior management.

An IS auditor has been invited to join an IT project team responsible for building and deploying a new digital customer marketing platform. Which of the following is the BEST way for the auditor to support this project while maintaining independence?. A. Develop selection criteria for potential digital technology vendors. B. Conduct an industry peer benchmarking exercise and advise on alternative solutions. C. Conduct a risk assessment of the proposed initiative. D. Design controls based on current regulatory requirements for digital technologies.

In which of the following SDLC phases would the IS auditor expect to find that controls have been incorporated into system specifications?. A. Development. B. Implementation. C. Design. D. Feasibility.

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack on encrypted data at rest?. A. Use of symmetric encryption. B. Use of asymmetric encryption. C. Random key generation. D. Short key length.

Which of the following is the PRIMARY reason for an IS auditor to issue an interim audit report?. A. To avoid issuing a final audit report. B. To enable the auditor to complete the engagement in a timely manner. C. To provide feedback to the auditee for timely remediation. D. To provide follow-up opportunity during the audit.

An IS auditor reviewing a new application for compliance with information privacy principles should be the MOST concerned with: A. nonrepudiation. B. collection limitation. C. availability. D. awareness.

An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?. A. Improve the change management process. B. Perform a configuration review. C. Establish security metrics. D. Perform a penetration test.

The risk that the IS auditor will not find an error that has occurred is identified by which of the following terms?. A. Control. B. Prevention. C. Inherent. D. Detection.

A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?. A. Review a sample of PCRs for proper approval throughout the program change process. B. Trace a sample of program changes from the log to completed PCR forms. C. Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date. D. Trace a sample of complete PCR forms to the log of all program changes.
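The source code comparison procedure in option C can be reduced to a small tool: fingerprint every production program at the last audit date, fingerprint them again now, and reconcile every difference against the approved change records. The script below is an added example written for this page, not tooling from the question's source; the file contents, program names and PCR identifiers are constructed sample data, and the in-memory trees stand in for two snapshots of a real program library.

```python
import hashlib

# Constructed sample: the program library as fingerprinted at the last audit date ...
BASELINE_TREE = {
    "payroll.cbl": b"IDENTIFICATION DIVISION. PROGRAM-ID. PAYROLL. COMPUTE NET = GROSS - TAX.",
    "gl_post.cbl": b"IDENTIFICATION DIVISION. PROGRAM-ID. GLPOST. MOVE AMT TO GL-AMT.",
    "report.cbl":  b"IDENTIFICATION DIVISION. PROGRAM-ID. REPORT. DISPLAY TOTALS.",
}
# ... and as it looks today. payroll.cbl was changed under an approved PCR,
# gl_post.cbl was changed with no PCR, audit_hook.cbl appeared with no PCR.
CURRENT_TREE = {
    "payroll.cbl": b"IDENTIFICATION DIVISION. PROGRAM-ID. PAYROLL. COMPUTE NET = GROSS - TAX - LEVY.",
    "gl_post.cbl": b"IDENTIFICATION DIVISION. PROGRAM-ID. GLPOST. MOVE AMT TO GL-AMT. MOVE AMT TO X.",
    "report.cbl":  b"IDENTIFICATION DIVISION. PROGRAM-ID. REPORT. DISPLAY TOTALS.",
    "audit_hook.cbl": b"IDENTIFICATION DIVISION. PROGRAM-ID. HOOK. CALL 'SYSTEM'.",
}
# Constructed sample of the approved PCR register: program -> approved PCR ids.
APPROVED_PCRS = {"payroll.cbl": {"PCR-2041"}}


def fingerprint(tree: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 of each program's source; the baseline would be stored at audit time."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in tree.items()}


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every program as modified, added or removed relative to the baseline."""
    modified = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    added = sorted(n for n in current if n not in baseline)
    removed = sorted(n for n in baseline if n not in current)
    return {"modified": modified, "added": added, "removed": removed}


def unauthorized_changes(diff: dict[str, list[str]], approved: dict[str, set[str]]) -> list[str]:
    """Every detected change must map to at least one approved PCR; the rest are findings."""
    changed = diff["modified"] + diff["added"] + diff["removed"]
    return sorted(name for name in changed if not approved.get(name))


def audit(baseline_tree: dict[str, bytes], current_tree: dict[str, bytes],
          approved: dict[str, set[str]]) -> list[str]:
    """End-to-end: fingerprint both snapshots, diff them, reconcile against the PCR register."""
    return unauthorized_changes(compare(fingerprint(baseline_tree), fingerprint(current_tree)), approved)


if __name__ == "__main__":
    for program in audit(BASELINE_TREE, CURRENT_TREE, APPROVED_PCRS):
        print(f"FINDING: {program} changed since last audit with no approved PCR")
```

Starting from the programs rather than from the PCR forms or the change log is what makes this procedure detect changes that bypassed the logging control entirely; tracing from the log (options B and D) can only ever see what the log recorded.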

During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor's NEXT step should be to: A. recommend a control to automatically update access rights. B. determine the reason why access rights have not been revoked. C. direct management to revoke current access rights. D. determine if access rights are in violation of software licenses.

Which type of threat can utilize a large group of automated social media accounts to steal data, send spam, or launch distributed denial of service (DDoS) attacks?. A. Data mining. B. Botnet attack. C. Malware sharing. D. Phishing attempt.

Which of the following is the BEST preventative control to ensure that database integrity is maintained?. A. Mandatory annual user access reviews. B. Biometric authentication. C. Role-based access. D. Mandatory password changes.

Which of the following is the BEST way to foster continuous improvement of IS audit processes and practices?. A. Frequently review IS audit policies, procedures, and instruction manuals. B. Establish and embed quality assurance (QA) within the IS audit function. C. Invite external auditors and regulators to perform regular assessment of the IS audit function. D. Implement rigorous managerial review and sign-off of IS audit deliverables.

An IS auditor is reviewing an organization's release management practices and observes inconsistent and inaccurate estimation of the size and complexity of business application development projects. Which of the following should the auditor recommend to address this issue?. A. Agile development approach. B. Critical path methodology. C. Rapid application development. D. Function point analysis.

A large organization has a centralized infrastructure team and decentralized application support teams reporting into their respective business units. Which of the following is the GREATEST potential issue with this organizational structure?. A. Redundancy of IT resources used across the organization. B. Failure to align with industry best practices across the organization. C. Inconsistent allocation of IT spend across the organization. D. Inconsistent IT strategy across the organization.

Which of the following is the BEST way to determine the effectiveness of an organization’s current patch management system?. A. Perform a vulnerability assessment. B. Perform secure code review. C. Perform a network scan. D. Perform penetration testing.

Which of the following is the GREATEST advantage of utilizing guest operating systems in a virtual environment?. A. They can be logged into and monitored from any location. B. They prevent access to the greater environment via Transmission Control Protocol/Internet Protocol (TCP/IP). C. They can be wiped quickly in the event of a security breach. D. They are easier to containerize with minimal impact to the rest of the environment.

An organization has decided to purchase a web-based email service from a third-party vendor and eliminate its own email server infrastructure. What type of cloud computing environment would BEST meet the organization's objective?. A. Database as a Service (DBaaS). B. Infrastructure as a Service (IaaS). C. Software as a Service (SaaS). D. Platform as a Service (PaaS).

Which of the following is MOST important to consider when establishing the retention period for customer data within a specific database or application?. A. Enterprise classification level. B. System performance. C. Hardware capacity. D. Minimum regulatory requirements.

Which of the following is the BEST way for an IS auditor to determine the completeness of data migration?. A. Review migration logs to identify possible failures. B. Review the implemented data cleanup process. C. Reconcile migrated records with records in the source system. D. Examine formal departmental review of the data migration.

An IS audit reveals an organization has decided not to implement a new regulation by the required deadline because the cost of rapid implementation is higher than the penalty for noncompliance. Which of the following is the auditor’s BEST course of action?. A. Ensure a gap analysis is conducted. B. Ensure regulatory reporting is completed. C. Ensure the risk register is updated. D. Ensure risk acceptance is documented.

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization’s vulnerability scanning program?. A. Scans are performed less frequently than required by the organization’s vulnerability scanning schedule. B. Steps taken to address identified vulnerabilities are not formally documented. C. Results are not approved by senior management. D. Results are not reported to individuals with authority to ensure resolution.

The MOST appropriate person to chair the steering committee for an enterprise-wide system development should be the: A. business analyst. B. project manager. C. IS director. D. executive level manager.

An IS auditor has been asked to audit a complex system with computerized and manual elements. Which of the following should be identified FIRST?. A. Manual controls. B. System risks. C. Programmed controls. D. Input validation.

Which of the following is the GREATEST advantage of maintaining an internal IS audit function within an organization?. A. Better understanding of the business and processes. B. Ability to negotiate recommendations with management. C. Increased IS audit staff visibility and availability throughout the year. D. Increased independence and impartiality of recommendations.

Which of the following threats is mitigated by a firewall?. A. Asynchronous attack. B. Intrusion attack. C. Trojan horse. D. Passive assault.

Which of the following is the MOST important element of quality control with respect to an audit engagement?. A. Increase of audit quality through multiple follow-up audits. B. Responsibility of leadership for quality in audits. C. Assignment of engagement teams for audits. D. Resolution procedures for differences of opinion in audits.

Which of the following tests would BEST indicate that a software development project is ready to be deployed into the production environment?. A. Performance. B. Parallel. C. Unit. D. Quality assurance (QA).

In the development of a new financial application, the IS auditor's FIRST involvement should be in the: A. control design. B. application design. C. system test. D. feasibility study.

Which of the following is a PRIMARY benefit of a maturity model?. A. It facilitates communication with regulatory bodies. B. It benchmarks the organization to peer performance levels. C. It facilitates the establishment of organizational capability. D. It provides the organization with a standard assessment tool.

Which of the following approaches would BEST enable an e-commerce website to handle unpredictable amounts of traffic?. A. Index key databases to improve response time. B. Re-factor applications to improve efficiency. C. Cluster application servers to distribute web traffic. D. Configure resources to scale.

During an audit, which of the following would be MOST helpful in establishing a baseline for measuring data quality?. A. Industry standard business definitions. B. Input from customers. C. Validation of rules by the business. D. Built-in data error prevention application controls.

Which of the following observations should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA) practices?. A. A combination of questionnaires, workshops, and interviews is used. B. Outsourced business processes are excluded from the scope of the BIA. C. Resource dependencies for critical processes are not determined. D. Recovery objectives are identified without conducting risk assessments.

Which of the following is the BEST report for an IS auditor to reference when tasked with reviewing the security of code written for a newly developed website?. A. Black box testing report. B. Static software composition analysis. C. Penetration test report. D. Web application vulnerability report.

Which of the following would be MOST impacted if an IS auditor were to assist with the implementation of recommended control enhancements?. A. Materiality. B. Independence. C. Integrity. D. Accountability.

Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves for care?. A. Software as a Service (SaaS) provider. B. Network segmentation. C. Infrastructure as a Service (IaaS) provider. D. Dynamic localization.

The GREATEST limitation of a network-based intrusion detection system (IDS) is that it: A. provides only for active rather than passive IDS monitoring. B. does not monitor for denial of service (DoS) attacks. C. consumes excessive network resources for detection. D. does not detect attacks originating on the server hosting the IDS.

During an information security audit of a mid-sized organization, an IS auditor notes that the organization's information security policy is not sufficient. What is the auditor's BEST recommendation for the organization?. A. Obtain an external consultant's support to rewrite the policy. B. Identify and close gaps compared to a best-practice framework. C. Perform a benchmark with competitors’ policies. D. Define roles and responsibilities for regularly updating the policy.

Which of the following is the BEST source of information to determine the required level of data protection on a file server?. A. Acceptable use policy and privacy statements. B. Previous data breach incident reports. C. Data classification policy and procedures. D. Access rights of similar file servers.

Which of the following should be an IS auditor’s GREATEST concern when reviewing an organization’s capacity management planning?. A. Many of the resource requirements are based on estimates. B. The organization is increasingly dependent on the use of cloud providers. C. Some planning areas are not well developed. D. Current resource utilization is not monitored.

Which of the following is the MOST appropriate indicator of change management effectiveness?. A. Time lag between changes to the configuration and the update of records. B. Number of system software changes. C. Number of incidents resulting from changes. D. Time lag between changes and updates of documentation materials.

Which of the following is an indication of possible hacker activity involving voice communications?. A. Direct inward system access (DISA) is found to be disabled on the company’s exchange. B. Outbound calls are found to significantly increase in frequency during non-business hours. C. Inbound calls experience significant fluctuations based on time of day and day of week. D. The abandonment rate of service desk calls is increasing during the early morning.

An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?. A. Overviews of interviews between data center personnel and the auditor. B. Summary memos reflecting audit opinions regarding noted weaknesses. C. Detailed evidence of the successes and weaknesses of all contingency testing. D. Prior audit reports involving other corporate disaster recovery audits.

Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately?. A. Electronic copies of customer sales receipts are maintained. B. Monthly bank statements are reconciled without exception. C. The data transferred over the POS interface is encrypted. D. Nightly batch processing has been replaced with real-time processing.
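The reconciliation that answers this question, and the migration completeness question earlier on this page (reconciling migrated records with the source system), is the same control: take the records on the sending side, take the records on the receiving side, and compare record counts, control totals and the individual records rather than trusting an indirect indicator such as a bank statement. The example below is added for this page and is not code from the question's source; the POS and ledger records are constructed sample data in which one sale never reached the ledger and one amount was altered in transit.

```python
import hashlib
from decimal import Decimal

# Constructed sample: sales as recorded by the POS system (the source) ...
POS_SALES = [
    {"id": "T001", "amount": "10.00"},
    {"id": "T002", "amount": "25.50"},
    {"id": "T003", "amount": "5.25"},
    {"id": "T004", "amount": "100.00"},
]
# ... and as they arrived in the general ledger (the target).
# T004 was dropped by the interface and T002 arrived with transposed digits.
GL_SALES = [
    {"id": "T001", "amount": "10.00"},
    {"id": "T002", "amount": "25.05"},
    {"id": "T003", "amount": "5.25"},
]


def control_totals(records: list[dict[str, str]]) -> dict[str, object]:
    """Record count, monetary control total and an order-independent hash total.

    The hash total is built from sorted per-record digests so that two files
    holding the same records in a different order still produce the same value.
    """
    count = len(records)
    amount = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    digests = sorted(hashlib.sha256(f"{r['id']}|{r['amount']}".encode()).hexdigest() for r in records)
    hash_total = hashlib.sha256("".join(digests).encode()).hexdigest()
    return {"count": count, "amount": amount, "hash_total": hash_total}


def reconcile(source: list[dict[str, str]], target: list[dict[str, str]]) -> dict[str, object]:
    """Record-level reconciliation: completeness is about presence, accuracy about content."""
    src = {r["id"]: Decimal(r["amount"]) for r in source}
    tgt = {r["id"]: Decimal(r["amount"]) for r in target}
    missing = sorted(set(src) - set(tgt))      # in source, never reached target
    extra = sorted(set(tgt) - set(src))        # in target with no source record
    mismatched = sorted(i for i in src.keys() & tgt.keys() if src[i] != tgt[i])
    return {
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
        "complete": not missing and not extra,
        "accurate": not mismatched,
    }


if __name__ == "__main__":
    src_totals, tgt_totals = control_totals(POS_SALES), control_totals(GL_SALES)
    print("counts:", src_totals["count"], "vs", tgt_totals["count"])
    print("amounts:", src_totals["amount"], "vs", tgt_totals["amount"])
    print("hash totals match:", src_totals["hash_total"] == tgt_totals["hash_total"])
    print(reconcile(POS_SALES, GL_SALES))
```

Control totals are the cheap first check: if counts, amounts and hash totals agree, the interface almost certainly transferred everything; if they disagree, the record-level reconciliation says exactly which records are missing, extra or altered, which is the evidence an auditor needs to write up the finding.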

Which of the following is the PRIMARY responsibility of an IT steering committee?. A. Prioritizing IT projects in accordance with business requirements. B. Validating and monitoring the skill sets of IT department staff. C. Establishing IT budgets for the business. D. Reviewing periodic IT risk assessments.

Which of the following should be an IS auditor’s GREATEST concern when assessing an IT service configuration database?. A. The database is not encrypted at rest. B. The database is read-accessible for all users. C. The database is executable for all users. D. The database is write-accessible for all users.

Who would provide an IS auditor with the MOST helpful input during an interview to determine whether business requirements for an application were met?. A. User management. B. Project sponsors. C. Senior management. D. Project management.

Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?. A. Deviation detection. B. Cluster sampling. C. Random sampling. D. Classification.

Capacity management tools are PRIMARILY used to ensure that: A. available resources are used efficiently and effectively. B. concurrent use by a large number of users is enabled. C. proposed hardware acquisitions meet capacity requirements. D. computer systems are used to their maximum capacity most of the time.

Which of the following poses the GREATEST risk to a virtualized environment?. A. Server cloning occurs without appropriate approval from IT management. B. A network map has not been updated. C. Backup testing does not occur at regular intervals. D. Security zones within the environment are combined.

Which of the following auditing techniques would be used to detect the validity of a credit card transaction based on time, location, and date of purchase?. A. Integrated test facility (ITF). B. Data analytics. C. Hash totals. D. Check sums.

While evaluating the data classification process of an organization, an IS auditor’s PRIMARY focus should be on whether: A. data is correctly classified. B. a data dictionary is maintained. C. data retention requirements are clearly defined. D. data classifications are automated.

Which of the following is a deterrent security control that reduces the likelihood of an insider threat event?. A. Removing malicious code. B. Distributing disciplinary policies. C. Creating contingency plans. D. Executing data recovery procedures.

Which of the following is the GREATEST risk related to the use of virtualized environments?. A. There may be increased potential for session hijacking. B. There may be insufficient processing capacity to assign to guests. C. Ability to change operating systems may be limited. D. The host may be a potential single point of failure within the system.

A white box testing method is applicable with which of the following testing processes?. A. Sociability testing. B. Integration testing. C. Parallel testing. D. User acceptance testing (UAT).

Which of the following is the GREATEST benefit to an organization as a result of effective IS audit risk assessments?. A. Credibility with management is enhanced. B. The scope for future audits is established. C. Low-risk areas can be eliminated. D. Audits will be targeted to high-risk areas.
