Q

An IS auditor should expect which of the following items to be included in the request for proposal (RFP)
when IS is procuring services from an independent service provider (ISP)?

A. References from other customers

B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan

A. References from other customers

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:

A. control self-assessments.
B. a business impact analysis.
C. an IT balanced scorecard.
D. business process reengineering.

C. an IT balanced scorecard.

A poor choice of passwords and transmission over unprotected communications lines are examples of:

A. vulnerabilities.
B. threats.
C. probabilities.
D. impacts.

A. vulnerabilities.

Q
To support an organization’s goals, an IS department should have:

A. a low-cost philosophy.
B. long- and short-range plans.
C .leading-edge technology.
D. plans to acquire new hardware and software.

B. long- and short-range plans.

A local area network (LAN) administrator normally would be restricted from:

A. having end-user responsibilities.

B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.

C. having programming responsibilities.

To minimize costs and improve service levels an outsourcer should seek which of the following contract
clauses?

A. O/S and hardware refresh frequencies

B. Gain-sharing performance bonuses
C. Penalties for noncompliance
D. Charges tied to variable cost metrics

B. Gain-sharing performance bonuses

Which of the following is a mechanism for mitigating risks?

A. Security and control practices
B. Property and liability insurance
C. Audit and certification
D. Contracts and service level agreements (SLAs)

A. Security and control practices

Which of the following is the BEST information source for management to use as an aid in the
identification of assets that are subject to laws and regulations?

A. Security incident summaries

B. Vendor best practices
C. CERT coordination center
D. Significant contracts

D. Significant contracts

The management of an organization has decided to establish a security awareness program. Which of
the following would MOST likely be a part of the program?

A. Utilization of an intrusion detection system to report incidents

B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees

D. Training provided on a regular basis to all current and new employee

10

A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy
enforcement, monitoring and:
A. recovery.
B. retention.
C. rebuilding.
D. reuse.

B. retention.

11

When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor
observes that the technological infrastructure is based on a centralized processing scheme that
has been outsourced to a provider in another country. Based on this information, which of the following
conclusions should be the main concern of the IS auditor?

A. There could be a question regarding the legal jurisdiction.

B. Having a provider abroad will cause excessive costs in future audits.
C. The auditing process will be difficult because of the distance.
D. There could be different auditing norms.

A. There could be a question regarding the legal jurisdiction.

12

The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:

A. destruction policy.
B. security policy.
C. archive policy.
D. audit policy.

C. archive policy.

13

Effective IT governance requires organizational structures and processes to ensure that:

A. the organization’s strategies and objectives extend the IT strategy.
B. the business strategy is derived from an IT strategy.
C. IT governance is separate and distinct from the overall governance.
D. the IT strategy extends the organization’s strategies and objectives.

D. the IT strategy extends the organization’s strategies and objectives

14

Which of the following would an IS auditor consider to be the MOST important when evaluating an
organization’s IS strategy? That it:

A. has been approved by line management.

B. does not vary from the IS department’s preliminary budget.
C. complies with procurement procedures.
D. supports the business objectives of the organization.

D. supports the business objectives of the organization.

15

Which of the following would MOST likely indicate that a customer data warehouse should remain in-
house rather than be outsourced to an offshore operation?

A. Time zone differences could impede communications between IT teams.

B. Telecommunications cost could be much higher in the first year.
C. Privacy laws could prevent cross-border flow of information.
D. Software development may require more detailed specifications.

C. Privacy laws could prevent cross-border flow of information.

16

When reviewing IS strategies, an IS auditor can BEST assess whether IS strategy supports the
organizations; business objectives by determining if IS:
A. has all the personnel and equipment it needs.
B. plans are consistent with management strategy.
C. uses its equipment and personnel efficiently and effectively.
D. has sufficient excess capacity to respond to changing directions.

B. plans are consistent with management strategy.

17

An IS auditor should be concerned when a telecommunication analyst:

A. monitors systems performance and tracks problems resulting from program changes.
B. reviews network load requirements in terms of current and future transaction volumes.
C. assesses the impact of the network load on terminal response times and network data transfer rates.
D. recommends network balancing procedures and improvements.

A. monitors systems performance and tracks problems resulting from program changes.

18

In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:

A. there is an integration of IS and business staffs within projects.

B. there is a clear definition of the IS mission and vision.
C. a strategic information technology planning methodology is in place.
D. the plan correlates business objectives to IS goals and objectives.

A. there is an integration of IS and business staffs within projects.

19

Which of the following provides the best evidence of the adequacy of a security awareness program?

A. The number of stakeholders including employees trained at various levels

B. Coverage of training at all locations across the enterprise
C. The implementation of security devices from different vendors
D. Periodic reviews and comparison with best practices

D. Periodic reviews and comparison with best practices

20

The advantage of a bottom-up approach to the development of organizational policies is that the
policies:

A. are developed for the organization as a whole.

B. are more likely to be derived as a result of a risk assessment.
C. will not conflict with overall corporate policy.
D. ensure consistency across the organization.

Study These Flashcards

B. are more likely to be derived as a result of a risk assessment.

21

Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to
request and review a copy of each vendor’s business continuity plan?

A. Yes, because an IS auditor will evaluate the adequacy of the service bureaus’ plan and assist their
company in implementing a complementary plan.
B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the
service bureau and its ability to fulfill the contract.
C. No, because the backup to be provided should be specified adequately in the contract.
D. No, because the service bureaus business continuity plan is proprietary information.

Study These Flashcards

A. Yes, because an IS auditor will evaluate the adequacy of the service bureaus’ plan and assist their
company in implementing a complementary plan.

22
Q

A benefit of open system architecture is that it:

A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.
D. allows for the achievement of more economies of scale for equipment.

Study These Flashcards

A. facilitates interoperability.

23

The ultimate purpose of IT governance is to:

A. encourage optimal use of IT.

B. reduce IT costs.
C. decentralize IT resources across the organization.
D. centralize control of IT.

Study These Flashcards

A. encourage optimal use of IT.

24

Establishing the level of acceptable risk is the responsibility of:

A. quality assurance management.

B. senior business management.
C. the chief information officer.
D. the chief security officer.

Study These Flashcards

B. senior business management.

25

In the context of effective information security governance, the primary objective of value delivery
is to:

A. optimize security investments in support of business objectives.

B. implement a standard set of security practices.
C. institute a standards-based solution.
D. implement a continuous improvement culture.

Study These Flashcards

A. optimize security investments in support of business objectives.

26

A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers
for all products. Which of the following is the PRIMARY concern associated with this initiative?

A. Issues of privacy
B. Wavelength can be absorbed by the human body C. RFID tags may not be removable
D. RFID eliminates line-of- sight reading

Study These Flashcards

A. Issues of privacy

27

Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS
department?

A. Allocating resources
B. Keeping current with technology advances
C. Conducting control self-assessment
D. Evaluating hardware needs

Study These Flashcards

A

A. Allocating resources

28

When developing a risk management program, what is the FIRST activity to be performed?

A. Threat assessment
B. Classification of data
C. Inventory of assets
D. Criticality analysis

Study These Flashcards

C. Inventory of assets

29

A long-term IS employee with a strong technical background and broad managerial experience has
applied for a vacant position in the IS audit department. Determining whether to hire this individual for
this position should be based on the individual’s experience and:

A. length of service, since this will help ensure technical competence.

B. age, as training in audit techniques may be impractical.
C. IS knowledge, since this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IS relationships.

Study These Flashcards

D. ability, as an IS auditor, to be independent of existing IS relationships.

30

IT governance is PRIMARILY the responsibility of the:

A chief executive officer.

B. board of directors.
C. IT steering committee.
D. audit committee.

Study These Flashcards

B. board of directors.

31

Which of the following is the BEST performance criterion for evaluating the adequacy of an
organization’s security awareness training?

A. Senior management is aware of critical information assets and demonstrates an adequate

concern for their protection.
B. Job descriptions contain clear statements of accountability for information security.
C. In accordance with the degree of risk and business impact, there is adequate funding for security
efforts.
D. No actual incidents have occurred that have caused a loss or a public embarrassment.

Study These Flashcards

B. Job descriptions contain clear statements of accountability for information security.

32

Which of the following is a risk of cross-training?

A Increases the dependence on one employee

B Does not assist in succession planning
C One employee may know all parts of a system
D Does not help in achieving a continuity of operations

Study These Flashcards

C One employee may know all parts of a system

33
Q

To gain an understanding of the effectiveness of an organization’s planning and management of

investments in IT assets, an IS auditor should review the:

A. enterprise data model.

B. IT balanced scorecard (BSC).
C. IT organizational structure.
D. historical financial statements.

Study These Flashcards

B. IT balanced scorecard (BSC).

34

The development of an IS security policy is ultimately the responsibility of the:

A. IS department.
B. security committee.
C. security administrator.
D. board of directors.

Study These Flashcards

D. board of directors.

35

An example of a direct benefit to be derived from a proposed IT-related business investment is:

A. enhanced reputation.
B. enhanced staff morale.
C. the use of new technology.
D. increased market penetration.

Study These Flashcards

A
D. increased market penetration.

36

Which of the following should be considered FIRST when implementing a risk management program?

A. An understanding of the organization’s threat, vulnerability and risk profile

B. An understanding of the risk exposures and the potential consequences of compromise
C. A determination of risk management priorities based on potential consequences
D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level

Study These Flashcards

A. An understanding of the organization’s threat, vulnerability and risk profile

37

Which of the following is a function of an IS steering committee?

A. Monitoring vendor-controlled change control and testing

B. Ensuring a separation of duties within the information’s processing environment
C. Approving and monitoring major projects, the status of IS plans and budgets
D. Liaising between the IS department and the end users

Study These Flashcards

C. Approving and monitoring major projects, the status of IS plans and budgets

38

Which of the following is the initial step in creating a firewall policy?

A. A cost-benefit analysis of methods for securing the applications

B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods

Study These Flashcards

A

B. Identification of network applications to be externally accessed

39

Which of the following should be included in an organization’s IS security policy?

A. A list of key IT resources to be secured

B. The basis for access authorization
C. Identity of sensitive security features
D. Relevant software security features

Study These Flashcards

B. The basis for access authorization

40

When an employee is terminated from service, the MOST important action is to:

A. hand over all of the employee’s files to another designated employee.

B. complete a backup of the employee’s work.
C. notify other employees of the termination.
D. disable the employee’s logical access.

Study These Flashcards

D. disable the employee’s logical access.

41

The PRIMARY objective of an audit of IT security policies is to ensure that:

A. they are distributed and available to all staff.

B. security and control policies support business and IT objectives.
C. there is a published organizational chart with functional descriptions.
D. duties are appropriately segregated.
Study These Flashcards

B. security and control policies support business and IT objectives.

42

A top-down approach to the development of operational policies will help ensure:

A. that they are consistent across the organization.

B. that they are implemented as a part of risk assessment.
C. compliance with all policies.
D. that they are reviewed periodically.

Study These Flashcards

A. that they are consistent across the organization.

43

Which of the following goals would you expect to find in an organization’s strategic plan?

A. Test a new accounting package.

B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the next 12 months.
D. Become the supplier of choice for the product offered.

Study These Flashcards

D. Become the supplier of choice for the product offered.

44

The MOST likely effect of the lack of senior management commitment to IT strategic planning is:

A a lack of investment in technology.

B a lack of a methodology for systems development.
C technology not aligning with the organization’s objectives.
D an absence of control over technology contracts.

Study These Flashcards

C technology not aligning with the organization’s objectives.

45

An IS steering committee should:

A. include a mix of members from different departments and staff levels.

B. ensure that IS security policies and procedures have been executed properly.
C. have formal terms of reference and maintain minutes of its meetings.
D. be briefed about new trends and products at each meeting by a vendor.

Study These Flashcards

C. have formal terms of reference and maintain minutes of its meetings.