An information systems (IS) auditor performing an audit of the newly installed Voice-over Internet Protocol system is inspecting the wiring closets on each floor of a building. What would be the GREATEST concern?
A. The local area network (LAN) switches are not connected to uninterruptible power supply units.
B. Network cabling is disorganized and not properly labeled.
C. The telephones are using the same cable used for LAN connections.
D. The wiring closet also contains power lines and breaker panels.
The local area network (LAN) switches are not connected to uninterruptible power supply units.
Explanation: Voice-over Internet Protocol (VoIP) telephone systems use standard network cabling and typically each telephone gets power over the network cable (power over Ethernet) from the wiring closet where the network switch is installed. If the local area network switches do not have backup power, the phones will lose power if there is a utility interruption and potentially not be able to make emergency calls.
Which of the following is an example of the defense-in-depth security principle?
A. Using two firewalls to consecutively check the incoming network traffic
B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic
C. Lack of physical signs on the outside of a computer center building
D. Using two firewalls in parallel to check different types of incoming traffic
Using a firewall as well as logical access controls on the hosts to control incoming network traffic
Explanation: Defense in depth means using different security mechanisms that back each other up. If network traffic that should have been blocked passes the firewall, the logical access controls on the hosts form a second line of defense.
An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol packet network. The organization believes it is a victim of eavesdropping. Which of the following can result in eavesdropping of Voice-over Internet Protocol (VoIP) traffic?
A. Corruption of the Address Resolution Protocol cache in Ethernet switches
B. Use of a default administrator password on the analog phone switch
C. Deploying virtual local area networks (VLANs) without enabling encryption
D. End users having access to software tools such as packet sniffer applications
Corruption of the Address Resolution Protocol cache in Ethernet switches
Explanation: On an Ethernet switch, there is a data table known as the address resolution protocol (ARP) cache that stores mappings between media access control and internet protocol (IP) addresses. During normal operations, Ethernet switches only allow directed traffic to flow between the ports involved in the conversation and no other ports can see that traffic. However, if the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply flood the directed traffic to all ports of the switch, which can allow an attacker to monitor traffic not normally visible to the port where the attacker was connected, and thereby eavesdrop on Voice-over Internet Protocol (VoIP) traffic.
The reason a certification and accreditation process is performed on critical systems is to ensure that:
A. security compliance has been technically evaluated.
B. data have been encrypted and are ready to be stored.
C. the systems have been tested to run on different platforms.
D. the systems have followed the phases of a waterfall model.
Security compliance has been technically evaluated
Explanation: Certified and accredited systems are systems that have had their security compliance technically evaluated for running in a specific environment and configuration.
Enterprise XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the enterprise network of the XYZ outsourcing entity over the Internet. Which of the following would provide the BEST assurance that only authorized users of ABC connect over the Internet for production support to XYZ?
A. Single sign-on (SSO) authentication
B. Password complexity requirements
C. Multifactor authentication (MFA)
D. Internet Protocol (IP) address restrictions
Multifactor authentication (MFA)
Explanation: Multifactor authentication (MFA) is the best method to provide a secure connection because it uses multiple factors, typically, what you have (e.g., a device to generate one-time passwords), what you are (e.g., biometric characteristics) or what you know (e.g., a personal identification number or password). Using a password without the use of one or more of the other factors is not the best method for this scenario. Internet Protocol (IP) addresses can always change or be spoofed and, therefore, are not the best form of authentication for the scenario.
Which of the following preventive controls BEST helps secure a web application?
A. Password masking
B. Developer training
C. Use of encryption
D. Vulnerability testing
Developer training
Explanation: Of the given choices, teaching developers to write secure code is the best way to secure a web application.
Which of the following types of firewalls would BEST protect a network from an Internet attack?
A. Screened subnet firewall
B. Application filtering gateway
C. Packet filtering router
D. Circuit-level gateway
Screened subnet firewall
Explanation: A screened subnet firewall would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to permit or block traffic between networks or nodes based on addresses, ports, protocols, interfaces, etc. The subnet would isolate Internet-based traffic from the rest of the enterprise network.
Application-level gateways, also known as proxy gateways, are mediators between two entities that want to communicate. An application-level gateway (proxy) works at the application layer, not just at the packet level. This is the best solution to protect an application, but not a network.
An organization requests that an information systems (IS) auditor provide a recommendation to enhance the security and reliability of its Voice-over Internet Protocol (VoIP) system and data traffic. Which of the following meets this objective?
A. VoIP infrastructure needs to be segregated using virtual local area networks.
B. Buffers need to be introduced at the VoIP endpoints.
C. Ensure that end-to-end encryption is enabled in the VoIP system.
D. Ensure that emergency backup power is available for all parts of the VoIP infrastructure.
VoIP infrastructure needs to be segregated using virtual local area networks
Explanation: Segregating the Voice-over Internet Protocol (VoIP) traffic using virtual local area networks (VLANs) best protects the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (which helps to ensure uptime).
Java applets and ActiveX controls are distributed programs that execute in the background of a client web browser. This practice is considered reasonable when:
A. a firewall exists.
B. a secure web connection is used.
C. the source of the executable file is certain.
D. the host website is part of the enterprise.
The source of the executable file is certain
Explanation: Acceptance of these mechanisms should be based on established trust. The control is provided by only knowing the source and then allowing the acceptance of the applets. Hostile applets can be received from anywhere.
The information systems (IS) management of a multinational enterprise is considering upgrading its existing virtual private network (VPN) to support Voice-over Internet Protocol (VoIP) communication via tunneling. Which of the following considerations should be PRIMARILY addressed?
A. Reliability and quality of service
B. Means of authentication
C. Privacy of voice transmissions
D. Confidentiality of data transmissions
Reliability and quality of service
Explanation: Reliability and quality of service (QoS) are the primary considerations to be addressed. Voice communications require consistent levels of service, which may be provided through QoS and class of service controls. Confidentiality is not a concern because the enterprise currently has a VPN; confidentiality of data and Voice-over Internet Protocol traffic has been implemented by the VPN using tunneling.
What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?
A. Malicious code can be spread across the network.
B. The VPN logon can be spoofed.
C. Traffic can be sniffed and decrypted.
D. The VPN gateway can be compromised.
Malicious code can be spread across the network.
Explanation: Virtual private network (VPN) is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client can spread to the enterprise’s network. One problem is when the VPN terminates inside the network and the encrypted VPN traffic goes through the firewall. This means that the firewall cannot adequately examine the traffic.
An IT auditor completed the fieldwork phase of a network security review and is preparing the initial draft of the audit report. Which of the following findings would be the BIGGEST risk to the enterprise?
A. Network penetration tests are performed by an internal team.
B. Network firewall rules are not approved by the chief information security officer (CISO) before implementation.
C. Network penetration tests are not performed.
D. The inventory of network devices was last updated two years ago.
The inventory of network devices was last updated two years ago
Explanation: Not performing penetration tests is a risk to network security, but lack of a complete asset inventory and their criticality is a bigger risk. Keeping an up-to-date asset inventory is the most important requirement to keep an enterprise’s information assets secure. Without a complete inventory list and asset criticality determination, the risk assessment cannot be completed and controls will be inadequate.
Which of the following statements is useful while drafting a disaster recovery plan (DRP)?
A. Downtime costs decrease as the recovery point objective (RPO) increases.
B. Downtime costs increase with time.
C. Recovery costs are independent of time.
D. Recovery costs can only be controlled on a short-term basis.
Downtime costs increase with time
Explanation: Downtime costs—such as loss of sales, idle resources and salaries—increase with time. A disaster recovery plan (DRP) should be drawn up to achieve the lowest downtime costs possible.
Management considered two projections for its disaster recovery plan (DRP): plan A with two months to fully recover and plan B with eight months to fully recover. The recovery point objectives (RPOs) are the same in both plans. It is reasonable to expect that plan B projected higher:
A. downtime costs.
B. resumption costs.
C. recovery costs.
D. walk-through costs.
Downtime costs
Explanation: Because management considered a longer time window for recovery in plan B, downtime costs included in the plan are likely to be higher.
A disaster recovery plan (DRP) for an organization’s financial system specifies that the recovery point objective (RPO) is zero and the recovery time objective (RTO) is 72 hours. Which of the following is the MOST cost-effective solution?
A. A hot site that can be operational in eight hours with asynchronous backup of the transaction logs
B. Distributed database systems in multiple locations updated asynchronously
C. Synchronous updates of the data and standby active systems in a hot site
D. Synchronous remote copy of the data in a warm site that can be operational in 48 hours
Synchronous remote copy of the data in a warm site that can be operational in 48 hours
Explanation: The synchronous copy of the data storage achieves the recovery point objective (RPO) of zero, and a warm site operational in 48 hours meets the required recovery time objective (RTO) of 72 hours. A hot site also meets the RTO but incurs higher costs than necessary.
Which of the following is the MOST critical element to execute a disaster recovery plan (DRP) effectively?
A. Offsite storage of backup data
B. Up-to-date list of key disaster recovery contacts
C. Availability of a replacement data center
D. Clearly defined recovery time objective
Offsite storage of backup data
Explanation: Remote storage of backups is the most critical disaster recovery plan (DRP) element of the items listed because access to backup data is required to restore systems.
Which of the following disaster recovery testing techniques is the MOST efficient way to determine the effectiveness of the plan?
A. Preparedness tests
B. Paper tests
C. Full operational tests
D. Actual service disruption
Preparedness tests
Explanation: Preparedness tests involve simulation of the entire environment (in phases) at a relatively low cost and help the team to better understand and prepare for the actual test scenario.
During a disaster recovery test, an information systems (IS) auditor observes that the performance of the disaster recovery site’s server is slow. To find the root cause of this, the IS auditor should FIRST review the:
A. event error log generated at the disaster recovery site.
B. disaster recovery test plan.
C. disaster recovery plan (DRP).
D. configurations and alignment of the primary and disaster recovery sites.
Configurations and alignment of the primary and disaster recovery sites
Explanation: Because the configuration of the system is the most probable cause, the IS auditor should review that first.
Which of the following is a continuity plan test that simulates a system crash and uses actual resources to cost-effectively obtain evidence about the plan’s effectiveness?
A. Paper test
B. Post-test
C. Preparedness test
D. Walk-through
Preparedness test
Explanation: A preparedness test is a localized version of a full test, wherein resources are expended in the simulation of a system crash. This test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan’s effectiveness. It also provides a means to improve the plan in increments.
After a disaster declaration, the media creation date at a warm recovery site is based on the:
A. recovery point objective (RPO).
B. recovery time objective (RTO).
C. service delivery objective (SDO).
D. maximum tolerable outage (MTO).
Recovery point objective (RPO)
Explanation: The recovery point objective (RPO) defines the acceptable data loss in a disruption, indicating the earliest acceptable data recovery point. It quantifies the permissible data loss in case of interruption. The media creation date reflects the RPO for data restoration.
The MAIN purpose for periodically testing offsite disaster recovery facilities is to:
A.protect the integrity of the data in the database.
B.eliminate the need to develop detailed contingency plans.
C.ensure the continued compatibility of the contingency facilities.
D.ensure that program and system documentation remains current.
Ensure the continued compatibility of the contingency facilities
Explanation: The main purpose of offsite hardware testing is to ensure the continued compatibility of the contingency facilities so that assurance can be gained that the contingency plans will work in an actual disaster.
The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a DRP, will MOST likely:
A. increase.
B. decrease.
C. remain the same.
D. be unpredictable.
Increase
Explanation: Due to the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation (i.e., the cost of normal operations during a nondisaster period is higher with a DRP in place than it was without one).
To address an organization’s disaster recovery requirements, backup intervals should not exceed the:
A. service level objective.
B. recovery time objective (RTO).
C. recovery point objective (RPO).
D. maximum acceptable outage (MAO).
Maximum acceptable outage (MAO)
Explanation: The maximum acceptable outage (MAO) is the maximum amount of system downtime that is tolerable. It can be used as a synonym for maximum tolerable period of disruption or maximum allowable downtime. However, the RTO denotes an objective/target, while the MAO constitutes a vital necessity for an organization’s survival.
Which of the following is the BEST reason for integrating the testing of noncritical systems in the disaster recovery plan (DRP) with the business continuity plan (BCP)?
A. To ensure that the DRPs are aligned to the business impact analysis (BIA).
B. Infrastructure recovery personnel can be assisted by business subject matter experts.
C. The BCPs may assume the existence of capabilities that are not in the DRPs.
D. To provide business executives with knowledge of disaster recovery capabilities.
The BCPs may assume the existence of capabilities that are not in the DRPs
Explanation: The BCPs may assume the existence of capabilities that are not part of the DRPs, such as allowing employees to work from home during the disaster; however, IT may not have made sufficient provisions for these capabilities (e.g., they cannot support a large number of employees working from home). Although the noncritical systems are important, it is possible that they are not part of the DRPs. For example, an organization may use an online system that does not interface with the internal systems. If the business function using the system is a critical process, the system should be tested, and it may not be part of the DRP. Therefore, DRP and BCP testing should be integrated.
An information systems (IS) auditor is reviewing the most recent disaster recovery plan of an organization. Which approval is the MOST important when determining the availability of system resources required for the plan?
A. Executive management
B. IT management
C. Board of directors
D. Steering committee
IT management
Explanation: Because a disaster recovery plan (DRP) is based on the recovery and provisioning of IT services, IT management’s approval is most important to verify that the system resources will be available in the event that a disaster event is triggered.
When reviewing a disaster recovery plan, an information systems (IS) auditor should be MOST concerned with the lack of:
A. process owner involvement.
B. well-documented testing procedures.
C. an alternate processing facility.
D. a well-documented data classification scheme.
Process owner involvement
Explanation: Process owner involvement is a critical part of the business impact analysis (BIA), which is used to create the disaster recovery plan. If the information systems (IS) auditor determines that process owners were not involved, this is a significant concern.
Which of the following is the BEST practice of configuration and release management in software development?
A. Ad hoc software deployments
B. Automated deployment pipelines
C. Lack of version control
D. Manual tracking of configuration changes
Automated deployment pipelines
Explanation: Automated deployment pipelines are an important aspect of configuration and release management. They involve automating the deployment process, including building, testing and deploying software to different environments. Automated pipelines ensure consistency, reduce manual errors and enable frequent and efficient releases. Automated pipelines also provide visibility into the deployment process and allow for quick rollbacks in case of issues or failures.
Which is the MAIN benefit for an enterprise that has implemented continuous integration and continuous deployment (CICD) change management?
A. Ensures that all changes are documented
B. Increases speed with which software is created and delivered
C. Automates testing to detect success or failure of an integration
D. Logs all actions taken by developers
Increases speed with which software is created and delivered
Explanation: Increasing the speed for the creation and delivery of software is the main goal of implementing continuous integration and continuous deployment (CICD). The other options are pieces required to implement CICD.
Assignment of process ownership is essential in system development projects because it:
A. enables the tracking of the development completion percentage.
B. optimizes the design cost of user acceptance test cases.
C. minimizes the gaps between requirements and functionalities.
D. ensures that system design is based on business needs.
Ensures that system design is based on business needs
Explanation: The involvement of process owners ensures that the system will be designed according to the needs of the business processes that depend on system functionality. A sign-off on the design by the process owners is crucial before development begins.
An airline is currently redesigning its reservation system. The configuration team has configured the customer registration process and moved it to the controlled environment. What step did they execute?
A. Checking in
B. Recording the baseline
C. Registering configuration item changes
D. Checking out
Checking in
Explanation: Checking in is the process of moving an item to the controlled environment. When a change is required (and supported by a change control form), the configuration manager will check out the item.
Which of the following BEST describes the role of an information systems (IS) auditor in improving quality assurance?
A. Internal auditor
B. Reviewer
C. Workshop facilitator
D. Consultant
Consultant
Explanation: Audit is primarily a quality control activity; however, the auditor can help an organization in improving quality assurance by guiding it on control effectiveness. This is the role of a consultant.
An information systems (IS) auditor assesses the project management process for an internal software development project. Concerning the software functionality, the IS auditor should look for sign-off by:
A. the project manager.
B. systems development management.
C. business unit management.
D. the quality assurance team.
Business unit management
Explanation: Business unit management assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software.
The quality assurance team ensures the quality of the project by measuring adherence to the organization’s system development life cycle. They will conduct testing but not sign off on the project requirements.
An information systems (IS) auditor is asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed?
A. Require the vendor to provide monthly status reports.
B. Have periodic meetings with the client IT manager.
C. Conduct periodic audit reviews of the vendor.
D. Require that performance parameters be stated within the contract.
Conduct periodic audit reviews of the vendor
Explanation: Conducting periodic reviews of the vendor ensures that the agreements within the contract are completed in a satisfactory manner. Without future audit reviews after the contract is signed, service level agreements and the client’s requirements for security controls may become less of a focus for the vendor, and the results may slip. Periodic audit reviews allow the client to look at the vendor’s current state to ensure that the vendor is one with which they want to continue to work.
Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
A. Assimilation of the framework and intent of a written security policy by all appropriate parties
B. Management support and approval for the implementation and maintenance of a security policy
C. Enforcement of security rules by providing punitive actions for any violation of security rules
D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
Assimilation of the framework and intent of a written security policy by all appropriate parties
Explanation: Assimilation of the framework and intent of a written security policy by all levels of management and users of the system is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective. Management support and commitment are, no doubt, important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount.
The PRIMARY benefit of an enterprise architecture initiative is to:
A. enable the enterprise to invest in the most appropriate technology.
B. ensure security controls are implemented on critical platforms.
C. allow development teams to be more responsive to business requirements.
D. provide business units with greater autonomy to select IT solutions that fit their needs.
Enable the enterprise to invest in the most appropriate technology
Explanation: The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective.
Which of the following assures an enterprise of the existence and effectiveness of internal controls relative to the service provided by a third party?
A. Current service level agreement (SLA)
B. Recent independent third-party audit report
C. Current business continuity plan (BCP) procedures
D. Recent disaster recovery plan (DRP) test report
Recent independent third-party audit report
Explanation: An independent third-party audit report provides assurance of the existence and effectiveness of internal controls at the third party.
A service level agreement (SLA) defines the contracted level of service; however, it does not provide assurance related to internal controls.
During an audit, an information systems (IS) auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?
A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk, which will be easier to handle.
C. No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
D. Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management.
Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization’s risk management
Explanation: Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities with the respective management and to keep the risk register and mitigation plans up to date.
Although common types of risk may be covered by industry standards, such standards cannot address the specific situation of an organization. Individual types of risk will not be discovered without a detailed assessment from within the organization. Splitting the one broad risk entry into several is not sufficient to manage IT risk.
An information systems (IS) auditor reviewing the process of log monitoring wants to evaluate the organization’s manual review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?
A. Inspection
B. Inquiry
C. Walk-through
D. Reperformance
Walk-through
Explanation: Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses.
Which of the following is evaluated as a preventive control by an information systems (IS) auditor performing an audit?
A. Transaction logs
B. Before and after image reporting
C. Table lookups
D. Tracing and tagging
Table lookups
Explanation: Table lookups are preventive controls; input data are checked against predefined tables, which prevent any undefined data from being entered.
Tracing and tagging is used to test application systems and controls but is not a preventive control in itself.
In a risk-based information systems (IS) audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional:
A. stop-or-go sampling.
B. substantive testing.
C. compliance testing.
D. discovery sampling.
Substantive testing
Explanation: Because both the inherent and control risk are high in this case, additional testing is required. Substantive testing obtains audit evidence on the completeness, accuracy, or existence of activities or transactions during the audit period.
Which of the following is MOST important for an information systems (IS) auditor to understand when auditing an ecommerce environment?
A. The technology architecture of the ecommerce environment
B. The policies, procedures and practices forming the control environment
C. The nature and criticality of the business processes supported by the application
D. Continuous monitoring of control measures for system availability and reliability
The nature and criticality of the business processes supported by the application
Explanation: The ecommerce application enables the execution of business transactions. Therefore, it is important to understand the nature and criticality of the business processes supported by the ecommerce application to identify specific controls to review.
An information systems (IS) auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if:
A. IDS sensors are placed outside of the firewall.
B. a behavior-based IDS is causing many false alarms.
C. a signature-based IDS is weak against new types of attacks.
D. the IDS is used to detect encrypted traffic.
A behavior-based IDS is causing many false alarms
Explanation: An excessive number of false alarms from a behavior-based intrusion detection system (IDS) indicates that additional tuning is needed. False positives cannot be eliminated entirely, but ignoring this warning sign may negate the value of the system by causing those responsible for monitoring its warnings to become convinced that anything reported is false.
An organization can place sensors outside of the firewall to detect attacks. These sensors are placed in highly sensitive areas and on extranets.
During an information systems (IS) audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:
A. periodic review of user activity logs.
B. verification of user authorization at the field level.
C. review of data communication access activity logs.
D. periodic review of changing data files.
Periodic review of user activity logs
Explanation: General operating system access control functions include logging user activities, events, etc. Reviewing these logs may identify users performing activities that should not have been permitted.
Verification of user authorization at the field level is a database- and/or application-level access control function and is not applicable to an operating system. While verifying user authorization is important, it is a one-time check and does not provide ongoing monitoring of user activity. Periodic reviews of logs offer continuous surveillance.
An information systems (IS) auditor observes large outbound volumes of binary executable data at random intervals. Which of the following is the BEST recommendation for the IS auditor to make?
A.Check cloud service provider service level agreements to review storage terms.
B.Review historical peak hour timings and system testing schedules.
C.Review the firewall logs and network traffic.
D.Check for backup schedules for high volumes of binary executable data.
Review the firewall logs and network traffic.
Explanation: Large outbound volumes of binary executable data at random intervals can be a sign of malicious activity, such as data exfiltration or a compromised system. Ransomware infections often dump affected data at remote servers before encrypting the victim computers. A large volume of binary executable data can indicate this type of attack.
Reviewing the firewall logs and network traffic will allow the auditor to identify the source of this traffic, its destination, and any unusual patterns that might indicate a security breach. This provides the most direct and actionable information for further investigation.
A programmer maliciously modified a production program to change data and then restored the program back to the original code. Which of the following would MOST effectively detect the malicious activity?
A.Comparing source code
B.Reviewing system log files
C.Comparing object code
D.Reviewing executable and source code integrity
Reviewing system log files
Explanation: Reviewing system log files is the only trail that may provide information about unauthorized activities in the production library.
Source code and object code comparisons are ineffective because the original programs were restored, and the changed program does not exist.
Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?
A.Parity check
B.Echo check
C.Block sum check
D.Cyclic redundancy check
Cyclic redundancy check
Explanation: The cyclic redundancy check (CRC) can check a block of transmitted data. The sending workstation generates the CRC and transmits it with the data. The receiving workstation computes a CRC and compares it to the transmitted CRC. If both are equal, the block is assumed to be error free. Unlike a parity check or echo check, the CRC can detect multiple errors. In general, CRC can detect all single-bit and double-bit errors.
Echo check involves the receiver sending the data back to the sender for verification.
Which of the following controls would BEST detect intrusion?
A.User IDs and user privileges are granted through authorized procedures.
B.Automatic logoff is used when a workstation is inactive for a particular period of time.
C.Automatic logoff of the system occurs after a specified number of unsuccessful attempts.
D.Unsuccessful logon attempts are monitored by the security administrator.
Unsuccessful logon attempts are monitored by the security administrator
Explanation: Intrusion is detected by the active monitoring and review of unsuccessful logon attempts. Automatic logoff after a specified number of unsuccessful logon attempts is a method for preventing intrusion, not detecting it.
Recovery procedures for an information processing facility (IPF) are BEST based on:
A.recovery time objective (RTO)
B.recovery point objective (RPO)
C.maximum tolerable outage (MTO)
D.information security policy.
Recovery time objective (RTO)
Explanation: The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; the RTO is the desired recovery time frame based on maximum tolerable outage (MTO) and available recovery alternatives.
The recovery point objective (RPO) has the greatest influence on the recovery strategies for given data. It is determined based on the acceptable data loss in case of a disruption of operations. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
MTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it represents the time by which the service must be restored before the organization is faced with the threat of collapse.
An information systems (IS) auditor evaluates the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability?
A.Changes are authorized by IT managers at all times.
B.User acceptance testing (UAT) is performed and properly documented.
C.Test plans and procedures exist and are closely followed.
D.Capacity planning is performed as part of each development project.
Test plans and procedures exist and are closely followed
Explanation: The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently.
While capacity planning should be considered in each development project, it will not ensure system availability, nor is it part of the change control process.
An information systems (IS) auditor reviewing the application change management process for a large multinational organization should be MOST concerned when:
A.test systems run different configurations than production systems.
B.change management records are paper based.
C.the configuration management database is not maintained.
D.the test environment is installed on the production server.
The configuration management database is not maintained
Explanation: The configuration management database (CMDB) is used to track configuration items (CIs) and the dependencies between them. An out-of-date CMDB in a large multinational organization can result in incorrect approvals being obtained or leave out critical dependencies during the test phase.
Although it is not ideal to have the test environment installed on the production server, it is not a control-related concern. If the test and production environments are kept separate, they can be installed on the same physical server(s).
During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions?
A.One-for-one checking
B.Data file security
C.Transaction logs
D.File updating and maintenance authorization
Transaction logs
Explanation: Transaction logs generate an audit trail by providing a detailed list of date of input, time of input, user ID, terminal location, etc. Research time can be reduced in investigating exceptions because the review can be performed on the logs rather than on the entire transaction file. Transaction logs also help to determine which transactions have been posted to an account by a particular individual during a particular period.
File updating and maintenance authorization is a control procedure to update the stored data and ensure accuracy and security of stored data. This does provide evidence regarding the individuals who update the stored data; however, it is not effective in the given situation to determine transactions posted to an account.
When auditing a database environment, an information systems (IS) auditor will be MOST concerned if the database administrator (DBA) is performing which of the following functions?
A.Performing database changes according to change management procedures
B.Installing patches or upgrades to the operating system
C.Sizing table space and consulting on table join limitations
D.Performing backup and recovery procedures
Installing patches or upgrades to the operating system
Explanation: Installing patches or upgrades to the operating system is a function that should be performed by a systems administrator, not by a DBA. If a DBA is performing this function, there is risk based on inappropriate separation of duties.
Which of the following is a control that can be implemented to reduce risk of internal fraud if application programmers are allowed to move programs into the production environment in a small enterprise?
A.Post-implementation functional testing
B.Registration and review of changes
C.Validation of user requirements
D.User acceptance testing (UAT)
Registration and review of changes
Explanation: This control requires that any changes made to the application are formally documented, reviewed by a designated authority, and approved before being deployed to production, minimizing the risk of unauthorized or fraudulent code being introduced into the system.
An information systems (IS) auditor is reviewing the change management process for an enterprise resource planning application. Which of the following is the BEST method for testing program changes?
A.Select a sample of change tickets and review them for authorization.
B.Perform a walk-through by tracing a program change from start to finish.
C.Trace a sample of modified programs to support change tickets.
D.Use query software to analyze all change tickets for missing fields.
Trace a sample of modified programs to support change tickets
Explanation: Tracing modified programs to change tickets is the best way to test change management controls and detect undocumented changes.
Selecting a sample of change tickets and reviewing them for authorization helps test for authorization controls; however, it does not identify program changes that were made without supporting change tickets.
Which of the following test techniques would the information systems (IS) auditor use to identify specific program logic that has not been tested?
A.Snapshot
B.Tracing and tagging
C.Logging
D.Mapping
Mapping
Explanation: Mapping identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed.
Who should review and approve system deliverables as they are defined and accomplished, to ensure the successful completion and implementation of a new business system application?
A.User management
B.Project steering committee
C.Senior management
D.Quality assurance (QA) staff
User management
Explanation: User management assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in system requirements definition, acceptance testing and user training. User management should review and approve system deliverables as they are defined and accomplished or implemented.
Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an information systems (IS) auditor’s PRIMARY suggestion for a postimplementation focus should be to:
A.assess whether the planned cost benefits are being measured, analyzed and reported.
B.review control balances and verify that the system is processing data accurately.
C.review the impact of program changes made during the first phase on the remainder of the project.
D.determine whether the system’s objectives were achieved.
Review the impact of program changes made during the first phase on the remainder of the project
Explanation: Because management is aware that the project had problems, reviewing the subsequent impact provides insight into the types and potential causes of the project issues. This insight helps to identify whether IT has adequately planned for those issues in subsequent projects.
During which phase of software application testing should an organization perform the testing of architectural design?
A.Acceptance testing
B.System testing
C.Integration testing
D.Unit testing
Integration testing
Explanation: Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to use unit-tested modules, thus building an integrated structure according to the design.
Which testing environment is required to ensure complete code coverage to test every code path in software testing, including those that will only be used when an error occurs?
A.White box
B.Gray box
C.Black box
D.Dynamic
White box
Explanation: For testing the full code, a white box test is required.
Which of the following BEST helps organizations in optimizing audit resources and improving the quality of audits?
A.Independent review of audit work
B.Integrated audit approach
C.Global auditing standards
D.Risk-based audit approach
Integrated audit approach
Explanation: An integrated audit approach focuses on combining different types of audits at the same time; the results of different audit scopes can be shared to provide a focused and quality audit report. A risk-based audit approach focuses on allocating resources to high-risk areas to make audits more effective but may not optimize resources.
The MAJOR advantage of a component-based development approach is the:
A.ability to manage an unrestricted variety of data types.
B.provision for modeling complex relationships.
C.capacity to meet the demands of a changing environment.
D.support of multiple development environments.
Support of multiple development environments
Explanation: Component-based development allows for modularity, where software is broken down into reusable components. This means that when requirements change, only the affected component needs to be modified, making it much easier to adapt the system to new needs without overhauling the entire application. This adaptability is a key benefit in today's rapidly changing business environment.
The PRIMARY objective of implementing corporate governance is to:
A.provide strategic direction.
B.control business operations.
C.align IT with business.
D.implement good practices.
Provide strategic direction
Explanation: Corporate governance is a set of management practices to provide strategic direction to the organization as a whole, thereby ensuring that goals are achievable, risk is properly addressed and organizational resources are properly used. Hence, the primary objective of corporate governance is to provide strategic direction.
Which of the following is the MOST critical to the quality of data in a data warehouse?
A.Accuracy of the source data
B.Credibility of the data source
C.Accuracy of the extraction process
D.Accuracy of the data transformation
Accuracy of the source data
Explanation: Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Inaccurate source data will corrupt the integrity of the data in the data warehouse.
The GREATEST benefit of having well-defined data classification policies and procedures is:
A.a more accurate inventory of information assets.
B.a decreased cost and improvement of controls.
C.a reduced risk of inappropriate system access.
D.an improved regulatory compliance.
Decreased cost and improvement of controls
Explanation: An important benefit of a well-defined data classification process is to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data. Without a proper classification framework, some security controls may be greater and, therefore, costlier than what is required based on the data classification.
Which of the following choices BEST helps information owners to properly classify data?
A.Understanding of technical controls that protect data
B.Training on enterprise policies and standards
C.Use of an automated data leak prevention tool
D.Understanding which people need to access the data
Training on enterprise policies and standards
Explanation: While implementing data classification, it is most essential that enterprise policies and standards, including the data classification schema, are understood by the owner or custodian of the data so they can be properly classified.
The FIRST step in data classification is to:
A.establish ownership.
B.perform a criticality analysis.
C.define access rules.
D.create a data dictionary.
Establish ownership
Explanation: Data classification is necessary to define access rules based on a need-to-do and need-to-know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification.
What is the MAIN benefit of implementing a risk-based audit? A risk-based audit approach:
A.links internal auditing to the enterprise’s overall risk management framework.
B.ensures that risk, risk responses and actions are being properly classified and reported.
C.helps to identify residual risk not in line with the risk appetite, so that appropriate action is being taken to treat the risk.
D.allows auditors to provide assurance to the board of directors that risk management processes are managing risk effectively in relation to the risk appetite.
Allows auditors to provide assurance to the board of directors that risk management processes are managing risk effectively in relation to the risk appetite
Explanation: The main benefit of implementing a risk-based audit is to assure senior management about the efficacy of risk management processes based on the outcome of the audit. Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure that they continue to operate effectively.
An alert raised from a data loss prevention (DLP) solution about sensitive data in transit is BEST investigated and resolved by:
A.the security officer.
B.the data loss prevention (DLP) administrator.
C.the incident response team.
D.the data owner.
Data owner
Explanation: The data owner is the best person to make decisions regarding data being sent over networks. Therefore, the data owner should investigate and resolve any alerts from the data loss prevention (DLP) solution.
A cyclic redundancy check is commonly used to determine the:
A.accuracy of data input.
B.integrity of a downloaded program.
C.adequacy of encryption.
D.validity of data transfer.
Validity of data transfer
Explanation: The accuracy of blocks of data transfers, such as data transfer from hard disks, is validated by a cyclic redundancy check.
Which of the following BEST helps in controlling false-positive alerts received during the implementation of a data loss prevention (DLP) solution?
A.Implement the data loss prevention (DLP) solution in monitor-mode.
B.Plan data loss prevention (DLP) implementation in a phased manner.
C.Appoint an external expert to define rules for the data loss prevention (DLP) solution.
D.Perform data classification before implementing the data loss prevention (DLP) solution.
Plan data loss prevention (DLP) implementation in a phased manner
Explanation: Implementing a data loss prevention (DLP) solution in a phased manner with a limited number of devices and connections helps in optimizing rules to minimize false-positive alerts.
Performing data classification before considering data loss prevention (DLP) is necessary, but it may not help in controlling false-positive alerts.
An information security policy stating that “a fixed time duration of inactivity must initiate a password-enabled screensaver” addresses which of the following attack methods?
A.Piggybacking
B.Dumpster diving
C.Shoulder surfing
D.Impersonation
Shoulder surfing
Explanation: Shoulder surfing refers to observing a user while entering/viewing sensitive data on the screen. This may enable the observer to obtain login information or other sensitive information.
Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application?
A.User registration and password policies
B.User security awareness
C.Use of intrusion detection/intrusion prevention systems
D.Domain name system (DNS) server security hardening
Domain name system (DNS) server security hardening
Explanation: The pharming attack redirects the traffic to an unauthorized website by exploiting vulnerabilities of the DNS server. To avoid this kind of attack, it is necessary to eliminate any known vulnerability that can allow DNS poisoning. Older versions of DNS software are vulnerable to this kind of attack and should be patched.
During a review of intrusion detection logs, an information systems (IS) auditor notices traffic coming from the Internet, which appears to originate from the internal internet protocol (IP) address of the enterprise payroll server. Which of the following malicious activities would MOST likely cause this type of result?
A.Denial-of-service (DoS) attack
B.Spoofing
C.Port scanning
D.Man-in-the-middle attack
Spoofing
Explanation: Spoofing involves an attacker forging the source IP address to make it appear as if the traffic is coming from a legitimate internal system like the payroll server, allowing them to access the network or send malicious data seemingly from within the company.
Spoofing is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server’s internal network address. By impersonating the payroll server, the attacker may be able to access sensitive internal resources.
During an information systems (IS) audit of a global enterprise, the IS auditor discovers that the enterprise uses Voice-over Internet Protocol as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk for the enterprise’s Voice-over Internet Protocol (VoIP) infrastructure?
A.Network equipment failure
B.Distributed denial-of-service attack
C.Premium-rate fraud (toll fraud)
D.Social engineering attack
Distributed denial-of-service attack
Explanation: A distributed denial of service (DDoS) attack would potentially disrupt the enterprise’s ability to communicate among its offices and have the highest impact. In a traditional voice network, a DDoS attack would only affect the data network, not voice communications.
The use of Voice-over Internet Protocol does not introduce any unique risk with respect to equipment failure, and redundancy can be used to address network failure. (option A)
What method might an information systems (IS) auditor use to test wireless security at branch office locations?
A.War dialing
B.Social engineering
C.War driving
D.Password cracking
War driving
Explanation: War driving is a technique for locating and gaining access to wireless networks by driving or walking around a building with a wireless-equipped computer.
War dialing is primarily used to detect exposed modems by dialing phone numbers. It's not as effective for testing wireless network security.
An Internet-based attack using password sniffing can:
A.enable one party to act as if they are another party.
B.cause modification to the contents of certain transactions.
C.be used to gain access to systems containing proprietary information.
D.result in major problems with billing systems and transaction processing agreements.
Be used to gain access to systems containing proprietary information
Explanation: Password sniffing attacks can be used to gain access to systems on which proprietary information is stored.
A perpetrator looking to gain access to, and gather information about, encrypted data being transmitted over a network would MOST likely use:
A.eavesdropping.
B.spoofing.
C.traffic analysis.
D.masquerading.
Traffic analysis
Explanation: In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and, through an analysis of session length, frequency and message length, the intruder is able to guess the type of communication taking place. This typically is used when messages are encrypted, and eavesdropping would not yield any meaningful results.
In eavesdropping, which is a passive attack, the intruder gathers the information flowing through the network with the intent of acquiring message contents for personal analysis or for third parties. Encrypted traffic is generally protected against eavesdropping.
Spoofing is an active attack. In spoofing, a user receives an email that appears to have originated from one source when it actually was sent from another source.
In masquerading, the intruder presents an identity other than the original identity. This is an active attack.
Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity?
A.Statistical-based
B.Signature-based
C.Neural network
D.Host-based
Statistical-based
Explanation: Statistical-based IDSs rely on creating a baseline of "normal" network behavior and flag anything that deviates significantly from that baseline as suspicious. However, normal network activity can sometimes fluctuate or exhibit unusual patterns that are not malicious, leading the IDS to generate false alarms.
Host-based IDSs monitor activity on individual hosts rather than the network itself. This can provide a more focused and detailed view of potential threats, potentially reducing the rate of false alarms related to network-level anomalies. However, they may still generate false alarms based on unusual user activity on the host machine.
Web application developers occasionally use hidden fields on web pages to save information about a client session. This technique is used to store session variables that enable persistence across web pages, such as maintaining the contents of a shopping cart on a retail website application. The MOST likely web-based attack due to this practice is:
A.parameter tampering.
B.cross-site scripting.
C.cookie poisoning.
D.stealth commanding.
Parameter tampering
Explanation: Hidden fields, like other form fields, can be manipulated by attackers to alter the values sent to the server. This can lead to unauthorized access, data modification, or other malicious actions.
Cross-Site Scripting (XSS): XSS is not directly related to hidden fields used for session state. XSS involves injecting malicious scripts into a website's content.
Cookie Poisoning: While cookies can be used to store session data, hiding session information in hidden fields doesn't specifically make the application more vulnerable to cookie poisoning. Cookie poisoning involves manipulating cookies to impersonate a user.
Stealth Commanding: Stealth commanding is a very specific type of attack where an attacker hijacks a web server by installing unauthorized code. Hidden fields are not typically used to exploit this type of attack.
The PRIMARY purpose of implementing redundant array of inexpensive disks (RAID) level 1 in a file server is to:
A.achieve performance improvement.
B.provide user authentication.
C.ensure availability of data.
D.ensure the confidentiality of data.
Ensure availability of data
Explanation: RAID level 1 provides disk mirroring. Data written to one disk are also written to another disk. Users in the network access data on the first disk; if disk one fails, the second disk takes over. This redundancy ensures the availability of data.
An organization with a limited budget has a recovery time objective (RTO) of 72 hours and a recovery point objective (RPO) of 24 hours. Which of the following would BEST meet the requirements of the business?
A.Hot site
B.Cold site
C.Mirrored site
D.Warm site
Warm site
Explanation: A warm site is a suitable solution because it provides essential infrastructure and most of the required IT equipment at a reasonable cost. Additional equipment can be obtained through vendor agreements within days.
Which of the following database controls ensure that the integrity of transactions is maintained in an online transaction processing system’s database?
A.Authentication controls
B.Data normalization controls
C.Read/write access log controls
D.Commitment and rollback controls
Commitment and rollback controls
Explanation: Commitment and rollback controls are directly relevant to integrity. These controls ensure that database operations that form a logical transaction unit will be completed entirely or not at all (i.e., if, for some reason, a transaction cannot be fully completed, then incomplete inserts/updates/deletes are rolled back so that the database returns to its pretransaction state).
Which of the following is the BEST indicator of the effectiveness of backup and restore procedures while restoring data after a disaster?
A.Members of the recovery team were available.
B.Recovery time objectives (RTOs) were met.
C.Inventory of backup media was properly maintained.
D.Backup media was completely restored at an alternate site.
Recovery time objectives (RTOs) were met
Explanation: Effective backup and restore procedures are ensured by meeting recovery time objectives (RTOs), which are defined during the business impact analysis (BIA) stage with input from business process owners.
The inventory of the backup media is only one element of the successful recovery. (option C)
The restoration of backup media is a critical success factor, but only if the data could be restored within the time frames set by the RTO. (option D)
Which of the following BEST mitigates the risk of backup media containing irreplaceable information being lost or stolen while in transit?
A.Ensure that media are encrypted.
B.Maintain a duplicate copy.
C.Maintain chain of custody.
D.Ensure that personnel are bonded.
Maintain a duplicate copy
Explanation: Sensitive data should always be fully backed up before being transmitted or moved. Backups of sensitive information should be treated with the same control considerations as the actual data.
Chain of custody is an important control, but it will not mitigate a loss if a locked area is broken into and media removed or if media are lost while in an individual’s custody.
Which of the following inputs would PRIMARILY help in designing the data backup strategy in case of potential natural disasters?
A.Recovery point objective (RPO)
B.Volume of data to be backed up
C.Available data backup technologies
D.Recovery time objective (RTO)
Recovery point objective (RPO)
Explanation: The recovery point objective (RPO) determines acceptable data loss and the earliest recovery point in time, quantifying the acceptable data loss in case of interruption for designing backup strategies.
Which of the following is the MOST efficient strategy for the backup of large quantities of mission-critical data when the systems need to be online to take sales orders 24 hours a day?
A.Implementing a fault-tolerant disk-to-disk backup solution.
B.Making a full backup weekly and an incremental backup nightly.
C.Creating a duplicate storage area network (SAN) and replicating the data to a second SAN.
D.Creating identical server and storage infrastructure at a hot site.
Implementing a fault-tolerant disk-to-disk backup solution
Explanation: Disk-to-disk backup involves writing the primary backup to disk instead of tape. This allows for later copying, cloning or migration to tape. It ensures minimal system performance impact, enables fast backups of large data volumes and offers immediate transfer to an alternate disk set in case of failure.
Making a full backup weekly and an incremental backup nightly is a valid backup strategy; however, because many computer systems must be taken offline so that backups can be performed, a backup window is needed, typically during each night. This does not enable the system to be available 24/7. For a system that must remain online at all times, the only feasible way to back up the data is to either duplicate the data to a server that gets backed up to magnetic media or deploy a disk-to-disk solution, which is effectively the same thing.
It is MOST appropriate to implement an incremental backup scheme when:
A.there is limited recovery time for critical data.
B.online disk-based media are preferred.
C.there is limited media capacity.
D.a random selection of backup sets is required.
There is limited media capacity
Explanation: In an incremental backup, after the full backup, only the files that have changed are backed up, thus minimizing media storage.
When reviewing system parameters, an information systems (IS) auditor’s PRIMARY concern should be that:
A. they are set to meet both security and performance requirements.
B. changes are recorded in an audit trail and periodically reviewed.
C. changes are authorized and supported by appropriate documents.
D. access to parameters in the system is restricted.
They are set to meet both security and performance requirements
Explanation: The primary concern is to find the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; however, if parameters are not set according to business rules, monitoring of changes may not be an effective control.
Which of the following BEST limits the impact of server failures in a distributed environment?
A. Redundant pathways
B. Clustering
C. Dial backup lines
D. Standby power
Clustering
Explanation: Clustering allows two or more servers to work as a unit so that when one of them fails, the other takes over.
Contractual provisions for a hot, warm or cold site should PRIMARILY cover which of the following considerations?
A. Physical security measures
B. Total number of subscribers
C. Number of subscribers permitted to use a site at one time
D. References by other users
Number of subscribers permitted to use a site at one time
Explanation: The contract should specify the number of subscribers permitted to use the site at any one time. The contract can be written to give preference to certain subscribers.
The PRIMARY benefit of an IT manager monitoring technical capacity is to:
A. identify the need for new hardware and storage procurement.
B. determine the future capacity need based on usage.
C. ensure that the service level requirements are met.
D. ensure that systems operate at optimal capacity.
Ensure that the service level requirements are met
Explanation: Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal service level agreement between the business and IT.
Which of the following BEST ensures that users have uninterrupted access to a critical, heavily used web-based application?
A. Disk mirroring
B. Redundant array of inexpensive disks (RAID)
C. Dynamic domain name system (DNS)
D. Load balancing
Load balancing
Explanation: Load balancing distributes traffic across multiple servers, ensuring uninterrupted system availability and consistent response time for web applications. It also redirects traffic to functional servers if a server fails.
By evaluating application development projects against the capability maturity model, an information systems (IS) auditor should be able to verify that:
A. reliable products are guaranteed.
B. programmers’ efficiency is improved.
C. security requirements are designed.
D. predictable software processes are followed.
Predictable software processes are followed
Explanation: By evaluating the organization’s development projects against the CMM, an information systems (IS) auditor determines whether the development organization follows a stable, predictable software development process.
Two months after a major application implementation, management, which assumes that the project went well, requests that an information systems (IS) auditor perform a review of the completed project. The IS auditor’s PRIMARY focus should be to:
A. determine whether user feedback on the system has been documented.
B. assess whether the planned cost benefits are being measured, analyzed and reported.
C. review controls built into the system to assure that they are operating as designed.
D. review subsequent program change requests.
Review controls built into the system to assure that they are operating as designed
Explanation: Because management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed.
An information systems (IS) auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process MOST likely:
A. checks to ensure that the type of transaction is valid for the card type.
B. verifies the format of the number entered, then locates it on the database.
C. ensures that the transaction entered is within the cardholder’s credit limit.
D. confirms that the card is not shown as lost or stolen on the master file.
Verifies the format of the number entered, then locates it on the database
Explanation: The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number entered by the user.
The initial validation is not used to check the transaction type (option A); it checks only the validity of the card number.
Normally, it is essential to involve which of the following stakeholders in the initiation stage of a project?
A. System owners
B. System users
C. System designers
D. System builders
System owners
Explanation: System owners are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems. System users are the individuals who use or are affected by the information system. Their requirements are crucial in the requirements definition, design and testing stages of a project. System builders construct the system based on the specifications from the systems designers. In most cases, the designers and builders are the same personnel.
Which of the following is an advantage of the top-down approach to software testing?
A. Interface errors are identified early.
B. Testing can be started before all programs are complete.
C. It is more effective than other testing approaches.
D. Errors in critical modules are detected sooner.
Interface errors are identified early
Explanation: The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. Detecting errors in critical modules sooner is an advantage of the bottom-up approach to system testing.
An organization recently deployed a customer relationship management application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed?
A. User acceptance testing (UAT)
B. Project risk assessment
C. Postimplementation review
D. Management approval of the system
Postimplementation review
Explanation: The purpose of a postimplementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The postimplementation review also evaluates how effective the project management practices were in keeping the project on track.
User acceptance testing (UAT) verifies that the system functionality is deemed acceptable by the end users of the system; however, a review of UAT does not validate whether the system is performing as designed because UAT is performed on a subset of system functionality. The UAT review is a part of the postimplementation review.
An organization is migrating from a legacy system to an enterprise resource planning system. While reviewing the data migration activity, the MOST important concern for the information systems (IS) auditor is to determine that there is a:
A. correlation of semantic characteristics of the data migrated between the two systems.
B. correlation of arithmetic characteristics of the data migrated between the two systems.
C. correlation of functional characteristics of the processes between the two systems.
D. relative efficiency of the processes between the two systems.
Correlation of semantic characteristics of the data migrated between the two systems
Explanation: Because the two systems can have a different data representation, including the database schema, the information systems (IS) auditor’s main concern should be to verify that the interpretation of the data (structure) is the same in the new system as it was in the old system.
During a postimplementation review of an enterprise resource management system, an information systems (IS) auditor is MOST likely to:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.
Review access control configuration
Explanation: Reviewing access control configuration is the first task performed to determine whether security has been appropriately mapped in the system.