Questions missed the first time

In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer?

Correct A. Nonrepudiation

B. Encryption

C. Authentication

D. Integrity


You are correct, the answer is A.

A. Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message.

B. Encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made.

C. Authentication is necessary to establish the identification of all parties to a communication.

D. Integrity ensures that transactions are accurate but does not provide the identification of the customer.

Which of the following BEST ensures the integrity of a server’s operating system (OS)?

A. Protecting the server in a secure location

B. Setting a boot password

Correct C. Hardening the server configuration

D. Implementing activity logging

You are correct, the answer is C.

A. Protecting the server in a secure location is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the operating system (OS).

B. Setting a boot password is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS.

C. Hardening a system means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS.

D. Activity logging has two weaknesses in this scenario—it is a detective control (not a preventive one), and the attacker who already gained privileged access can modify logs or disable them.

The IS auditor is reviewing an organization’s human resources (HR) database implementation. The IS auditor discovers that the database servers are clustered for high availability, all default database accounts have been removed and database audit logs are kept and reviewed on a weekly basis. What other area should the IS auditor check to ensure that the databases are appropriately secured?

A. Database digital signatures

Incorrect B. Database encryption nonces and other variables

C. Database media access control (MAC) address authentication

D. Database initialization parameters

You answered B. The correct answer is D.

A. Digital signatures are used for authentication and nonrepudiation, and are not commonly used in databases. As a result, this is not an area that the IS auditor should investigate.

B. A nonce is defined as a “parameter that changes over time” and is similar to a number generated to authenticate one specific user session. Nonces are not related to database security (they are commonly used in encryption schemes).

C. A media access control (MAC) address is the hardware address of a network interface. MAC address authentication is sometimes used with wireless local area network (WLAN) technology, but is not related to database security.

D. When a database is opened, many of its configuration options are governed by initialization parameters. These parameters are usually governed by a file (“init.ora” in the case of Oracle DBMS), which contains many settings. The system initialization parameters address many “global” database settings, including authentication, remote access and other critical security areas. To effectively audit a database implementation, the IS auditor must examine the database initialization parameters.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server?

A. Manually copy files to accomplish replication.

B. Review changes in the software version control system.

Incorrect C. Ensure that developers do not have access to the backup server.

D. Review the access control log of the backup server.

You answered C. The correct answer is B.

A. Even if replication is conducted manually with due care, there still remains a risk of copying unauthorized software from one server to another.

B. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Only moving the versions on the version control system (VCS) program will prevent the transfer of development or earlier versions.

C. If unauthorized code was introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk.

D. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.

A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site’s address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor’s GREATEST concern with this process is that:

Correct A. the users may not remember to manually encrypt the data before transmission.

B. the site credentials were sent to the financial services company via email.

C. personnel at the consulting firm may obtain access to sensitive data.

D. the use of a shared user ID to the FTP site does not allow for user accountability.

You are correct, the answer is A.

A. If the data is not encrypted, an unauthorized external party may download sensitive company data.

B. Even though the possibility exists that the logon information was captured from the emails, data should be encrypted, so the theft of the data would not allow the attacker to read it.

C. Some of the employees at the consulting firm will have access to the sensitive data and the consulting firm must have procedures in place to protect the data.

D. Tracing accountability is of minimal concern compared to the compromise of sensitive data.

In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:

A. identify and assess the risk assessment process used by management.

B. identify information assets and the underlying systems.

C. disclose the threats and impacts to management.

Correct D. identify and evaluate the existing controls.

You are correct, the answer is D.

A. The review of the risk assessment process should be done at the start of the risk analysis. Because the threats and impact have already been determined, there must already be a risk assessment process in place.

B. It would be impossible to determine impact without first having identified the assets affected; therefore, this must already have been completed.

C. Upon completion of a risk assessment, an IS auditor should describe and discuss with management the threats and potential impacts on the assets as well as recommendations for addressing the risk. However, this cannot be done until the controls have been identified and the likelihood of the threat has been calculated.

D. It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.

The PRIMARY purpose of an IT forensic audit is:

A. to participate in investigations related to corporate fraud.

B. the systematic collection and analysis of evidence after a system irregularity.

C. to assess the correctness of an organization’s financial statements.

Incorrect D. to preserve evidence of criminal activity.

You answered D. The correct answer is B.

A. Forensic audits are not limited to corporate fraud.

B. The systematic collection and analysis of evidence best describes a forensic audit. The evidence collected could then be analyzed and used in judicial proceedings.

C. Assessing the correctness of an organization’s financial statements is not the primary purpose of most forensic audits.

D. Forensics is the investigation of evidence related to a crime or misbehavior. Preserving evidence is the forensic process, but not the primary purpose.

The sender of a public key would be authenticated by a:

A. certificate revocation list (CRL).

B. digital signature.

Correct C. digital certificate.

D. receiver’s private key.

You are correct, the answer is C.

A. A certificate revocation list (CRL) is the list of certificates that can no longer be trusted.

B. A digital signature is used to ensure integrity of the message being sent and solve the nonrepudiation issue of message origination.

C. A digital certificate is an electronic document that declares a public key holder is who the holder claims to be. The certificates do handle data authentication as they are used to determine who sent a particular message.

D. The sender’s public key cannot be opened by any key except the sender’s private key.

When performing a review of a business process reengineering (BPR) effort, which of the following choices would be the PRIMARY concern?

A. Controls are eliminated as part of the BPR effort.

Incorrect B. Resources are not adequate to support the BPR process.

C. The audit department is not involved in the BPR effort.

D. The BPR effort includes employees with limited knowledge of the process area.

You answered B. The correct answer is A.

A. A primary risk of business process reengineering (BPR) is that controls are eliminated as part of the reengineering effort. This would be the primary concern.

B. The BPR process can be a resource-intensive initiative; however, the more important issue is whether critical controls are eliminated as a result of the BPR effort.

C. While BPR efforts often involve many different business functions, it would not be a significant concern if audit were not involved, and, in most cases, it would not be appropriate for audit to be involved in such an effort.

D. A recommended best practice for BPR is to include individuals from all parts of the enterprise, even those with limited knowledge of the process area. Therefore, this would not be a concern.

An IS auditor suspects an incident (attack) is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST?

A. Request that the system be shut down to preserve evidence.

B. Report the incident to management.

C. Ask for immediate suspension of the suspect accounts.

Incorrect D. Immediately investigate the source and nature of the incident.

You answered D. The correct answer is B.

A. The IS auditor should follow the incident response process of the organization. The auditor is not authorized to shut the system down.

B. Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor’s role to respond to incidents during an audit.

C. The IS auditor is not authorized to lead the investigation or to suspend user accounts. The auditor should report the incident to management.

D. Management is responsible for setting up and following an incident management plan; that is not the responsibility of the IS auditor.

Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:

A. database integrity checks.

B. validation checks.

C. input controls.

Correct D. database commits and rollbacks.

You are correct, the answer is D.

A. Database integrity checks are important to ensure database consistency and accuracy. These include isolation, concurrency and durability controls, but the most important issue here is atomicity—the requirement for transactions to complete entirely and commit or else roll back to the last known good point.

B. Validation checks will prevent introduction of corrupt data, but will not address system failure.

C. Input controls are important to protect the integrity of input data, but will not address system failure.

D. Database commits ensure that the data are saved after the transaction processing is completed. Rollback ensures that the processing that has been partially completed as part of the transaction is reversed and not saved if the entire transaction does not complete successfully.

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit?

A. Transaction logs

B. Before and after image reporting

Correct C. Table lookups

D. Tracing and tagging

You are correct, the answer is C.

A. Transaction logs are a detective control and provide audit trails.

B. Before and after image reporting makes it possible to trace the impact that transactions have on computer records. This is a detective control.

C. Table lookups are preventive controls; input data are checked against predefined tables, which prevents any undefined data from being entered.

D. Tracing and tagging is used to test application systems and controls, but is not a preventive control in itself.

As a driver of IT governance, transparency of IT’s cost, value and risk is primarily achieved through:

Correct A. performance measurement.

B. strategic alignment.

C. value delivery.

D. resource management.

You are correct, the answer is A.

A. Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.

B. Strategic alignment primarily focuses on ensuring linkage of business and IT plans, not on transparency.

C. Value delivery is about executing the value proposition throughout the delivery cycle. Value delivery ensures that IT investments deliver on promised values, but does not ensure transparency of investment.

D. Resource management is about the optimal investment in and proper management of critical IT resources, but does not ensure transparency of IT investments.

Which of the following choices is the MOST effective control that should be implemented to ensure accountability for application users accessing sensitive data in the human resource management system (HRMS) and among interfacing applications to the HRMS?

A. Two-factor authentication

B. A digital certificate

Correct C. Audit trails

D. Single sign-on authentication

You are correct, the answer is C.

A. Two-factor authentication would enhance security while logging into the human resource management system (HRMS) application; however, it will not establish accountability for actions taken subsequent to login.

B. A digital certificate will also enhance login security to conclusively authenticate users logging into the application. However, it will not establish accountability because user ID and transaction details will not be captured without an audit trail.

C. Audit trails capture which user performed the transaction, at what date and time, along with other details, and this helps in establishing accountability among application users.

D. Single sign-on authentication allows users to log in seamlessly to the application, thus easing the authentication process. However, this would also not establish accountability.

A decision support system (DSS) is used to help high-level management:

A. solve highly structured problems.

B. combine the use of decision models with predetermined criteria.

Correct C. make decisions based on data analysis and interactive models.

D. support only structured decision-making tasks.

You are correct, the answer is C.

A. A decision support system (DSS) is aimed at solving less structured problems.

B. A DSS combines the use of models and analytic techniques with traditional data access and retrieval functions, but is not limited by predetermined criteria.

C. A DSS emphasizes flexibility in the decision-making approach of management through data analysis and the use of interactive models, not fixed criteria.

D. A DSS supports semistructured decision-making tasks.

A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?

A. Issues of privacy

Incorrect B. Wavelength can be absorbed by the human body

C. RFID tags may not be removable

D. RFID eliminates line-of-sight reading

You answered B. The correct answer is A.

A. The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because radio frequency identification (RFID) can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID.

B. That wavelength can be absorbed by the human body is a concern of less importance.

C. That RFID tags may not be removable is a concern of less importance than the violation of privacy.

D. RFID eliminates line-of-sight reading. This is a benefit of RFID, not a concern.

An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?

A. Commands typed on the command line are logged.

Correct B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.

C. Access to the operating system command line is granted through an access restriction tool with preapproved rights.

D. Software development tools and compilers have been removed from the production environment.

You are correct, the answer is B.

A. Having a log is not a control; reviewing the log is a control.

B. The matching of hash keys over time would allow detection of changes to files.

C. Because the access was already granted at the command line level, it will be possible for the developers to bypass the control.

D. Removing the tools from the production environment will not mitigate the risk of unauthorized activity by the developers.

An IS auditor is reviewing a manufacturing company and finds that mainframe users at a remote site connect to the mainframe at headquarters over the Internet via Telnet. Which of the following is the BEST recommendation to ensure proper security controls?

Correct A. Use of a point-to-point leased line

B. Use of a firewall rule to allow only the Internet protocol (IP) address of the remote site

C. Use of two-factor authentication

D. Use of a nonstandard port for Telnet

You are correct, the answer is A.

A. A leased line will effectively extend the local area network (LAN) of the headquarters to the remote site, and the mainframe Telnet connection would travel over the private line, which would be less of a security risk when using an insecure protocol such as Telnet.

B. A firewall rule at the headquarters network to only allow Telnet connections from the Internet protocol (IP) address assigned to the remote site would make the connection more secure; however, there is the possibility that the source address could be spoofed by an attacker and, therefore, a dedicated leased line would be more secure.

C. While two-factor authentication would enhance the login security, it would not secure the transmission channel against eavesdropping, and, therefore, a leased line would be a better option.

D. Attacks on network services start with the assumption that network services use the standard transmission control protocol (TCP)/IP port number assigned for the service, which is port 23 for Telnet. By reconfiguring the host and client, a different port can be used. Assigning a nonstandard port for services is a good general security practice because it makes it more difficult to determine what service is using the port; however, in this case, creating a leased-line connection to the remote site would be a better solution.

During which of the following phases in system development would user acceptance test plans normally be prepared?

A. Feasibility study

Correct B. Requirements definition

C. Implementation planning

D. Postimplementation review

You are correct, the answer is B.

A. The feasibility study is too early for such detailed user involvement.

B. During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure that it meets their stated needs. An IS auditor should know at what point user testing should be planned to ensure that it is most effective and efficient.

C. The implementation planning phase is when the tests are conducted. It is too late in the process to develop the test plan.

D. User acceptance testing should be completed prior to implementation.

The MOST important point of consideration for an IS auditor while reviewing an enterprise’s project portfolio is that it:

A. does not exceed the existing IT budget.

B. is aligned with the investment strategy.

C. has been approved by the IT steering committee.

Correct D. is aligned with the business plan.

You are correct, the answer is D.

A. It should be identified if the project portfolio exceeds the IT budget, but it is not as critical as ensuring that it is aligned with the business plan.

B. The project portfolio should be aligned with the investment strategy, but it is most important that it is aligned with the business plan.

C. Appropriate approval of the project portfolio should be granted. However, not every enterprise has an IT steering committee, and this is not as critical as ensuring that the projects are aligned with the business plan.

D. Portfolio management takes a holistic view of an enterprise’s overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.

During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions?

A. One-for-one checking

B. Data file security

Correct C. Transaction logs

D. File updating and maintenance authorization

You are correct, the answer is C.

A. One-for-one checking is a control procedure in which an individual document agrees with a detailed listing of documents processed by the system. It would take a long time to complete the research using this procedure.

B. Data file security controls prevent access by unauthorized users in their attempt to alter data files. This would not help identify the transactions posted to an account.

C. Transaction logs generate an audit trail by providing a detailed list of date of input, time of input, user ID, terminal location, etc. Research time can be reduced in investigating exceptions because the review can be performed on the logs rather than on the entire transaction file. It also helps to determine which transactions have been posted to an account—by a particular individual during a particular period.

D. File updating and maintenance authorization is a control procedure to update the stored data and ensure accuracy and security of stored data. This does provide evidence regarding the individuals who update the stored data; however, it is not effective in the given situation to determine transactions posted to an account.

The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan (DRP)?

Correct A. Contact information of key personnel

B. Server inventory documentation

C. Individual roles and responsibilities

D. Procedures for declaring a disaster

You are correct, the answer is A.

A. In the event of a disaster, it is important to have a current updated list of personnel who are key to the operation of the plan.

B. Asset inventory is important and should be linked to the change management process of the organization, but having access to key people may compensate for outdated records.

C. Individual roles and responsibilities are important, but in a disaster many people could fill different roles depending on their experience.

D. The procedures for declaring a disaster are important because this can affect response, customer perception and regulatory issues, but not as important as having the right people there when needed.

In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems?

Incorrect A. Maintaining system software parameters

B. Ensuring periodic dumps of transaction logs

C. Ensuring grandfather-father-son file backups

D. Maintaining important data at an offsite location

You answered A. The correct answer is B.

A. Maintaining system software parameters is important for all systems, not just online systems.

B. Ensuring periodic dumps of transaction logs is the only safe way of preserving timely historic data. Because online systems do not have a paper trail that can be used to recreate data, maintaining transaction logs is critically important to prevent data loss. The volume of activity usually associated with an online system may make other more traditional methods of backup impractical.

C. Having generations of backups is best practice for all systems.

D. All backups should consider offsite storage at a location that is accessible but not likely to be affected by the same disaster.

The PRIMARY purpose of a business impact assessment (BIA) is to:

Correct A. define recovery strategies.

B. identify the alternate site.

C. improve recovery testing.

D. calculate the annual loss expectancy (ALE).

You are correct, the answer is A.

A. One of the primary outcomes of a business impact assessment (BIA) is the recovery time objective (RTO) and the recovery point objective (RPO), which help in defining the recovery strategies.

B. A BIA, itself, will not help in identifying the alternate site. That is determined during the recovery strategy phase of the project.

C. A BIA, itself, will not help improve recovery testing. That is done during the implementation and testing phase of the project.

D. The annual loss expectancy (ALE) of critical business assets and processes is determined during risk assessment and will be reviewed in the BIA, but this is not the primary advantage.

Which of the following is the MOST effective type of antivirus software to detect an infected application?

A. Scanners

B. Active monitors

Correct C. Integrity checkers

D. Vaccines

You are correct, the answer is C.

A. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executable files and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective.

B. Active monitors interpret disk operating system (DOS) and read-only memory (ROM) basic input-output system (BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. As a result, users are asked to confirm actions such as formatting a disk or deleting a file or set of files.

C. Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclical redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus.

D. Vaccines are known to be good antivirus software. However, they need to be updated periodically to remain effective.

A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk?

A. Confidentiality of the information stored in the database

Correct B. The hardware being used to run the database application

C. Backups of the information in the overseas database

D. Remote access to the backup database

You are correct, the answer is B.

A. Confidentiality of the information stored in the database is not a major concern, because the information is intended for public use.

B. The business objective is to make the information available to the public in a timely manner. Because the database is physically located overseas, hardware failures that are left unfixed can reduce the availability of the system to users.

C. Backups of the information in the overseas database are not a major concern, because the overseas database is a mirror of the local database; thus, a backup copy exists locally.

D. Remote access to the backup database does not impact availability.

A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use:

A. eavesdropping.

B. spoofing.

Correct C. traffic analysis.

D. masquerading.

You are correct, the answer is C.

A. In eavesdropping, which is a passive attack, the intruder gathers the information flowing through the network with the intent of acquiring message contents for personal analysis or for third parties.

B. Spoofing is an active attack. In spoofing, a user receives an email that appears to have originated from one source when it actually was sent from another source.

C. In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and through an analysis of session length, frequency and message length, the intruder is able to guess the type of communication taking place. This typically is used when messages are encrypted and eavesdropping would not yield any meaningful results.

D. In masquerading, the intruder presents an identity other than the original identity. This is an active attack.

Which of the following IT governance best practices improves strategic alignment?

A. Supplier and partner risk is managed.

Incorrect B. A knowledge base on customers, products, markets and processes is in place.

C. A structure is provided that facilitates the creation and sharing of business information.

D. Top management mediates between the imperatives of business and technology.

You answered B. The correct answer is D.

A. Supplier and partner risk being managed is a risk management best practice, but not a strategic function.

B. A knowledge base on customers, products, markets and processes being in place is an IT value delivery best practice, but does not ensure strategic alignment.

C. An infrastructure being provided to facilitate the creation and sharing of business information is an IT value delivery and risk management best practice, but is not as effective as top management involvement in business and technology alignment.

D. Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice.

An IS auditor is evaluating management’s risk assessment of information systems. The IS auditor should FIRST review:

A. the controls already in place.

B. the effectiveness of the controls in place.

C. the mechanism for monitoring the risk related to the assets.

Correct D. the threats/vulnerabilities affecting the assets.

You are correct, the answer is D.

A. The controls are irrelevant until the IS auditor knows the threats and risk that the controls are intended to address.

B. The effectiveness of the controls must be measured in relation to the risk (based on assets, threats and vulnerabilities) that the controls are intended to address.

C. The first step must be to determine the risk that is being managed before reviewing the mechanism of monitoring risk.

D. One of the key factors to be considered while assessing the information systems risk is the value of the systems (the assets) and the threats and vulnerabilities affecting the assets. The risk related to the use of information assets should be evaluated in isolation from the installed controls.

An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of:

A. variable sampling.

B. substantive testing.

Correct C. compliance testing.

D. stop-or-go sampling.

You are correct, the answer is C.

A. Variable sampling is used to estimate numerical values such as dollar values.

B. Substantive testing substantiates the integrity of actual processing such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized.

C. Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.

D. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.

The MAJOR advantage of a component-based development approach is the:

A. ability to manage an unrestricted variety of data types.

B. provision for modeling complex relationships.

Incorrect C. capacity to meet the demands of a changing environment.

D. support of multiple development environments.

You answered C. The correct answer is D.

A. The data types must be defined within each component, and it is not certain that any given component will be able to handle multiple data types.

B. Component-based development is no better than many other development methods at modeling complex relationships.

C. Component-based development is one of the methodologies that can be effective at meeting changing requirements, but this is not its primary benefit or purpose.

D. Component-based development that relies on reusable modules can increase the speed of development. Software developers can then focus on business logic.

Which of the following factors should an IS auditor PRIMARILY focus on when determining the appropriate level of protection for an information asset?

A. Results of a risk assessment

Incorrect B. Relative value to the business

C. Results of a vulnerability assessment

D. Cost of security controls

You answered B. The correct answer is A.

A. The appropriate level of protection for an asset is determined based on the risk associated with the asset. The results of the risk assessment are, therefore, the primary information that the IS auditor should review.

B. The relative value of an asset to the business is one element considered in the risk assessment; this alone does not determine the level of protection required.

C. The results of a vulnerability assessment would be useful when creating the risk assessment; however, this would not be the primary focus.

D. The cost of security controls is not a primary factor to consider because the expenditures on these controls are determined by the value of the information assets being protected.

The reason for establishing a stop or freezing point on the design of a new system is to:

Incorrect A. prevent further changes to a project in process.

B. indicate the point at which the design is to be completed.

C. require that changes after that point be evaluated for cost-effectiveness.

D. provide the project management team with more control over the project design.

You answered A. The correct answer is C.

A. The stop point is intended to provide greater control over changes, but not to prevent them.

B. The stop point is used for project control, but not to create an artificial fixed point that requires the design of the project to cease.

C. Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost-benefits and the payback period.

D. A stop point is used to control requirements, not systems design.

In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional:

A. stop-or-go sampling.

Correct B. substantive testing.

C. compliance testing.

D. discovery sampling.

You are correct, the answer is B.

A. Stop-or-go sampling is used when an IS auditor believes few errors will be found in the population, and thus would not be the best type of testing to perform in this case.

B. Because both the inherent and control risk are high in this case, additional testing would be required. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

C. Compliance testing is evidence gathering for the purpose of testing an enterprise’s compliance with control procedures. While performing compliance testing is important, performing additional substantive testing would be more appropriate in this case.

D. Discovery sampling is a form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population, typically used to test for fraud or other irregularities. In this case, additional substantive testing would be the better option.

Which of the following should be included in a feasibility study for a project to implement an electronic data interchange (EDI) process?

A. The encryption algorithm format

Incorrect B. The detailed internal control procedures

C. The necessary communication processes

D. The proposed trusted third-party agreement

You answered B. The correct answer is C.

A. Encryption algorithms are too detailed for this phase. They would only be outlined and any cost or performance implications shown.

B. Internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown.

C. The communications processes must be included because there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization.

D. Third-party agreements are too detailed for this phase. They would only be outlined and any cost or performance implications shown.

What is the GREATEST risk of a bank outsourcing its data center?

Incorrect A. Loss or leakage of information

B. Noncompliance with regulatory requirements

C. Vendor failure or bankruptcy

D. Loss of internal knowledge and experience

You answered A. The correct answer is B.

A. The risk of loss or leakage of information is a serious risk because it will lead to financial and other penalties if it happens; however, that may happen even if the bank does not outsource. The greatest risk is noncompliance with regulations because it will subject the bank to fines and sanctions regardless of whether a breach happens.

B. The greatest risk is noncompliance with regulations because regulations are mandatory and a violation could lead to loss of the bank’s charter to operate.

C. The risk of vendor failure or bankruptcy can be mitigated in the contract through such clauses as code escrow as well as a robust recovery process. Although this risk is inherent in any contractual relationship, if the correct controls are in place then it should not materially affect the bank as much as noncompliance or a loss or leakage of information.

D. The risk of a lack of internal IS staff knowledge through outsourcing, although valid, is not as great a risk as that resulting from noncompliance or a loss or leakage of information. Contractual controls, such as a turnover period in the event of contract termination, can also help mitigate the risk of loss of internal knowledge.

Determining the service delivery objective (SDO) should be based PRIMARILY on:

Correct A. the minimum acceptable operational capability.

B. the cost-effectiveness of the restoration process.

C. meeting the recovery time objectives (RTOs).

D. the allowable interruption window (AIW).

You are correct, the answer is A.

A. The service delivery objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.

B. The cost-effectiveness of the restoration process is not the main consideration of determining the SDO.

C. Meeting the recovery time objectives (RTO) may be one of the considerations in determining the SDO, but it is a secondary factor.

D. The allowable interruption window (AIW) may be one of the factors secondary to determining the SDO.

Use of asymmetric encryption in an Internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the:

A. customer over the authenticity of the hosting organization.

B. hosting organization over the authenticity of the customer.

Incorrect C. customer over the confidentiality of messages from the hosting organization.

D. hosting organization over the confidentiality of messages passed to the customer.

You answered C. The correct answer is A.

A. A fraudulent site does not hold the real site's private key, so it cannot produce anything that the customer can decrypt (verify) with the real site's widely distributed public key.

B. Many customers have access to the same public key so the host cannot use this mechanism to ensure the authenticity of the customer.

C. The customer cannot be assured of the confidentiality of messages from the host because many people have access to the public key and can decrypt the messages from the host.

D. The host cannot be assured of the confidentiality of messages sent out, because many people have access to the public key and can decrypt them.

Involvement of senior management is MOST important in the development of:

A. strategic plans.

B. IT policies.

C. IT procedures.

Incorrect D. standards and guidelines.

You answered D. The correct answer is A.

A. Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives.

B. IT policies are created and enforced by IT management and information security. They are structured to support the overall strategic plan.

C. IT procedures are developed to support IT policies. Senior management is not involved in the development of procedures.

D. Standards and guidelines are developed to support IT policies. Senior management is not involved in the development of standards, baselines and guidelines.

An organization has implemented a disaster recovery plan (DRP). Which of the following steps should be carried out next?

A. Obtain senior management sponsorship.

B. Identify business needs.

Correct C. Conduct a paper test.

D. Perform a system restore test.

You are correct, the answer is C.

A. Senior management sponsorship should have been obtained prior to implementing the plan.

B. Business needs identification should have been obtained prior to implementing the plan.

C. A best practice would be to conduct a paper test. This tests the plan in a non-hazardous manner by stepping through the plan with key members of the recovery team.

D. A paper test should be conducted first, followed by system or full testing.

An IS auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information (PHI). Which of the following contractual terms would be the GREATEST risk to the customer organization?

A. Data ownership is retained by the customer organization.

Correct B. The third-party provider reserves the right to access data to perform certain operations.

C. Bulk data withdrawal mechanisms are undefined.

D. The customer organization is responsible for backup, archive and restore.

You are correct, the answer is B.

A. The customer organization would want to retain data ownership and, therefore, this would not be a risk.

B. Some service providers reserve the right to access customer information (third-party access) to perform certain transactions and provide certain services. In the case of protected health information (PHI), regulations may restrict certain access. Organizations must review the regulatory environment in which the cloud provider operates because it may have requirements or restrictions of its own. Organizations must then determine whether the cloud provider provides appropriate controls to ensure that data are appropriately secure.

C. An organization may eventually wish to discontinue its service with a third-party cloud-based provider. The organization would then want to remove its data from the system and ensure that the service provider clears the system (including any backups) of its data. Some providers do not offer automated or bulk data withdrawal mechanisms, which the organization needs to migrate its data. These aspects should be clarified prior to using a third-party provider.

D. An organization may need to plan its own data recovery processes and procedures if the service provider does not make this available or the organization has doubts about the service provider’s processes. This would only be a risk if the customer organization was unable to perform these activities itself.

For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk proactively?

A. Use of computer-assisted audit techniques (CAATs)

B. Quarterly risk assessment

C. Sampling of transaction logs

Correct D. Continuous auditing

You are correct, the answer is D.

A. Using software tools such as computer-assisted audit techniques (CAATs) to analyze transaction data can provide detailed analysis of trends and potential risk, but it is not as effective as continuous auditing, because there may be a time differential between executing the software and analyzing the results.

B. Quarterly risk assessment may be a good technique, but not as responsive as continuous auditing.

C. The sampling of transaction logs is a valid audit technique; however, risk may exist that is not captured in the transaction log, and there may be a potential time lag in the analysis.

D. The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.

Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization’s change control procedures?

A. Review software migration records and verify approvals.

Correct B. Identify changes that have occurred and verify approvals.

C. Review change control documentation and verify approvals.

D. Ensure that only appropriate staff can migrate changes into production.

You are correct, the answer is B.

A. Software migration records may not have all changes listed—changes could have been made that were not included in the migration records.

B. The most effective method is to determine what changes have been made (check logs and modified dates) and then verify that they have been approved.

C. Change control records may not have all changes listed.

D. Ensuring that only appropriate staff can migrate changes into production is a key control process but, in itself, does not verify compliance.
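Answer B says to start from the changes that actually happened (logs and modified dates) and then look for the approval, rather than starting from the approval records. The following Go program is an added example for this page, not part of the original material: it reconciles constructed file-modification records against constructed change tickets and reports each change that has no approval, an approval recorded only after the change was made, or an approval by the same person who made the change. The record layouts, paths, ticket numbers and names are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// ObservedChange is what the auditor pulls from the system itself:
// file modification times, deployment logs, version-control history.
type ObservedChange struct {
	Path       string
	ModifiedAt time.Time
	ModifiedBy string
}

// ChangeTicket is the approval record from the change management system.
type ChangeTicket struct {
	ID         string
	Path       string
	ApprovedAt time.Time
	Approver   string
}

// Exception is a change the auditor cannot tie to a valid prior approval.
type Exception struct {
	Change ObservedChange
	Reason string
}

func at(day, hour int) time.Time { return time.Date(2024, 3, day, hour, 0, 0, 0, time.UTC) }

// Constructed sample data for this example, not real audit evidence.
var SampleChanges = []ObservedChange{
	{"/app/billing.jar", at(3, 10), "deploy"},
	{"/app/rates.cfg", at(5, 14), "jsmith"},
	{"/app/auth.so", at(6, 9), "deploy"},
	{"/app/report.sql", at(7, 11), "jsmith"},
}

var SampleTickets = []ChangeTicket{
	{"CHG-101", "/app/billing.jar", at(2, 16), "ops-mgr"}, // approved before the change
	{"CHG-107", "/app/auth.so", at(6, 15), "ops-mgr"},     // approved after the change
	{"CHG-110", "/app/report.sql", at(7, 9), "jsmith"},    // approved by the implementer
}

// Reconcile walks the observed changes (the population) and looks for a
// ticket on the same path approved no later than the modification time.
func Reconcile(changes []ObservedChange, tickets []ChangeTicket) []Exception {
	var out []Exception
	for _, c := range changes {
		var sameDest []ChangeTicket
		var prior *ChangeTicket
		for i := range tickets {
			t := tickets[i]
			if t.Path != c.Path {
				continue
			}
			sameDest = append(sameDest, t)
			if !t.ApprovedAt.After(c.ModifiedAt) && prior == nil {
				prior = &tickets[i]
			}
		}
		switch {
		case len(sameDest) == 0:
			out = append(out, Exception{c, "no change record exists for this change"})
		case prior == nil:
			out = append(out, Exception{c, fmt.Sprintf("approval %s recorded after the change was made", sameDest[0].ID)})
		case prior.Approver == c.ModifiedBy:
			out = append(out, Exception{c, fmt.Sprintf("%s approved and implemented by the same person (%s)", prior.ID, c.ModifiedBy)})
		}
	}
	return out
}

func main() {
	for _, e := range Reconcile(SampleChanges, SampleTickets) {
		fmt.Printf("%s modified %s by %s: %s\n", e.Change.Path,
			e.Change.ModifiedAt.Format("2006-01-02 15:04"), e.Change.ModifiedBy, e.Reason)
	}
}
```

Starting from the migration or change records instead (answers A and C) would never surface /app/rates.cfg, because nothing in those records mentions it.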

Which of the following is the initial step in creating a firewall policy?

Incorrect A. A cost-benefit analysis of methods for securing the applications

B. Identification of network applications to be externally accessed

C. Identification of vulnerabilities associated with network applications to be externally accessed

D. Creation of an application traffic matrix showing protection methods

You answered A. The correct answer is B.

A. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step.

B. The applications to be accessed across the network should be identified first. Once they are identified, and depending on where they sit in the network topology and the network model, the person in charge can determine the need for, and possible methods of, controlling access to them.

C. Having identified the externally accessed applications, the second step is to identify vulnerabilities (weaknesses) associated with the network applications.

D. The fourth step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies:

A. are aligned with globally accepted industry best practices.

B. are approved by the board of directors and senior management.

Correct C. strike a balance between business and security requirements.

D. provide direction for implementing security procedures.

You are correct, the answer is C.

A. An organization is not required to base its IT policies on industry best practices. Policies must be based on the culture and business requirements of the organization.

B. It is essential that policies be approved; however, that is not the primary focus during the development of the policies.

C. Information security policies must be first of all aligned with an organization’s business and security objectives.

D. Policies cannot provide direction if they are not aligned with business requirements.

An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:

A. verify how the organization follows the standards.

B. identify and report the controls currently in place.

C. review the metrics for quality evaluation.

Correct D. request all standards that have been adopted by the organization.

You are correct, the answer is D.

A. The auditor needs to know what standards the organization has adopted before measuring compliance with them. Verifying how well the standards are followed, identifying relevant controls and reviewing the quality metrics are all secondary to the identification of standards.

B. The first step is to know the standards and what policies and procedures are mandated for the organization, then to document the controls and measure compliance.

C. The metrics cannot be reviewed until the auditor has a copy of the standards that describe or require the metrics.

D. Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist.

An organization recently deployed a customer relationship management (CRM) application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed?

Incorrect A. User acceptance testing (UAT)

B. Project risk assessment

C. Postimplementation review

D. Management approval of the system

You answered A. The correct answer is C.

A. User acceptance testing (UAT) verifies that the system functionality has been deemed acceptable by the end users of the system; however, a review of UAT will not validate whether the system is performing as designed because UAT could be performed on a subset of system functionality. The UAT review is a part of the postimplementation review.

B. While a risk assessment would highlight the risk of the system, it would not include an analysis to verify that the system is operating as designed.

C. The purpose of a postimplementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The postimplementation review also evaluates how effective the project management practices were in keeping the project on track.

D. Management approval of the system could be based on reduced functionality and does not verify that the system is operating as designed. Review of management approval is a part of postimplementation review.

An IT executive of an insurance company asked an external auditor to evaluate the user IDs for emergency access (fire call ID). The IS auditor found that fire call accounts are granted without a predefined expiration date. What should the IS auditor recommend?

A. Review of the access control privilege authorization process

B. Implementation of an identity management system (IMS)

C. Enhancement of procedures to audit changes made to sensitive customer data

Incorrect D. Granting of fire call accounts only to managers

You answered D. The correct answer is A.

A. In this case, the IS auditor should recommend reviewing the process of access control management. Emergency system administration-level access should only be granted on an as-needed basis and configured to a predefined expiration date. Accounts with temporary privileges require strong controls to limit the lifetime of the privileges and use of these accounts should be closely monitored.

B. While implementing an identity management system (IMS) may solve the problem, it would be most cost-efficient to first review access privileges.

C. Enhancing procedures to audit changes made to sensitive customer data does not prevent the misuse of these accounts and should be performed after reviewing the process.

D. It is not realistic to grant fire call accounts only to managers.

An IS auditor should recommend the use of library control software to provide reasonable assurance that:

A. program changes have been authorized.

B. only thoroughly tested programs are released.

C. modified programs are automatically moved to production.

Incorrect D. source and executable code integrity is maintained.

You answered D. The correct answer is A.

A. Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized.

B. Library control software is concerned with authorized program changes and cannot determine whether programs have been thoroughly tested.

C. Programs should not be moved automatically into production without proper authorization.

D. Library control software provides reasonable assurance that the source code and executable code are matched at the time source code is moved to production. Access control will ensure the integrity of the software, but the most important benefit of library control software is to ensure that all changes are authorized.

Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization’s security policy?

A. Review the parameter settings.

Incorrect B. Interview the firewall administrator.

C. Review the actual procedures.

D. Review the device’s log file for recent attacks.

You answered B. The correct answer is A.

A. A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation.

B. An interview with the firewall administrator will not ensure that the firewall is configured correctly.

C. Reviewing the actual procedures is good, but will not ensure that the firewall rules are correct and compliant with policy.

D. Recent attacks may indicate problems with the firewall, but will not ensure that it is correctly configured.
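Reviewing the parameter settings (answer A) means comparing the rule base as exported from the device with what the security policy permits, not reading the procedures or listening to the administrator. The following Go program is an added example for this page, not part of the original material: it parses a constructed rule export in a hypothetical "action proto src dst port" format, checks every allow rule against a policy of permitted services per externally reachable host, flags overly permissive rules, and confirms the rule base ends with an explicit default deny. The export format, addresses and policy are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Rule is one line of a (hypothetical) firewall export:
//
//	action proto src dst port
type Rule struct {
	Line                          int
	Action, Proto, Src, Dst, Port string
}

// Policy lists, per externally reachable host, the services the security
// policy permits, keyed as "proto/port".
type Policy struct {
	Allowed map[string]map[string]bool
}

// Finding is one deviation between the configuration and the policy;
// Line 0 means the finding concerns the rule base as a whole.
type Finding struct {
	Line   int
	Reason string
}

// SampleExport is constructed for this example; the format is hypothetical.
const SampleExport = `# constructed export, not from any real device
allow tcp any 203.0.113.10 25
allow tcp any 203.0.113.20 443
allow tcp any 203.0.113.20 22
allow tcp 198.51.100.0/24 any any
deny any any any any
`

// SamplePolicy: only SMTP to the mail relay and HTTPS to the web host.
var SamplePolicy = Policy{Allowed: map[string]map[string]bool{
	"203.0.113.10": {"tcp/25": true},
	"203.0.113.20": {"tcp/443": true},
}}

// ParseRules reads the export, skipping comments and blank lines but
// keeping the original line number for the working papers.
func ParseRules(export string) ([]Rule, error) {
	var rules []Rule
	sc := bufio.NewScanner(strings.NewReader(export))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n, len(f))
		}
		rules = append(rules, Rule{n, f[0], f[1], f[2], f[3], f[4]})
	}
	return rules, sc.Err()
}

// CheckRules compares each allow rule with the policy and checks for a
// closing default deny.
func CheckRules(rules []Rule, p Policy) []Finding {
	var out []Finding
	for _, r := range rules {
		if r.Action != "allow" {
			continue
		}
		if r.Dst == "any" || r.Port == "any" || r.Proto == "any" {
			out = append(out, Finding{r.Line, "overly permissive allow rule (any destination, protocol or port)"})
			continue
		}
		if !p.Allowed[r.Dst][r.Proto+"/"+r.Port] {
			out = append(out, Finding{r.Line, fmt.Sprintf("%s/%s to %s is not a service permitted by policy", r.Proto, r.Port, r.Dst)})
		}
	}
	var last Rule
	if len(rules) > 0 {
		last = rules[len(rules)-1]
	}
	if last.Action != "deny" || last.Src != "any" || last.Dst != "any" {
		out = append(out, Finding{0, "rule base does not end with an explicit default deny"})
	}
	return out
}

func main() {
	rules, err := ParseRules(SampleExport)
	if err != nil {
		panic(err)
	}
	for _, f := range CheckRules(rules, SamplePolicy) {
		fmt.Printf("line %d: %s\n", f.Line, f.Reason)
	}
}
```

Each finding carries the export line number, which is the audit evidence documentation the answer refers to; an interview would produce none of it.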

To ensure message integrity, confidentiality and nonrepudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:

Correct A. the entire message, enciphering the message digest using the sender’s private key, enciphering the message with a symmetric key and enciphering the key by using the receiver’s public key.

B. any part of the message, enciphering the message digest using the sender’s private key, enciphering the message with a symmetric key and enciphering the key using the receiver’s public key.

C. the entire message, enciphering the message digest using the sender’s private key, enciphering the message with a symmetric key and enciphering both the encrypted message and digest using the receiver’s public key.

D. the entire message, enciphering the message digest using the sender’s private key and enciphering the message using the receiver’s public key.

You are correct, the answer is A.

A. Applying a cryptographic hashing algorithm against the entire message addresses message integrity. Enciphering the message digest using the sender’s private key creates a digital signature and addresses nonrepudiation. Encrypting the message with a symmetric key addresses confidentiality most efficiently; enciphering that symmetric key with the receiver’s public key then transports (distributes) the symmetric key securely to the receiver.

B. Only hashing a part of the message would only verify the integrity of that part of the message.

C. Enciphering the message with a public key would be much too slow to be practical.

D. Enciphering the entire message with a public key would be too slow to be practical.

Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement (SLA) with an external IT service provider?

A. Payment terms

B. Uptime guarantee

Incorrect C. Indemnification clause

D. Default resolution

You answered C. The correct answer is B.

A. Payment terms are typically included in the master agreement rather than in the service level agreement (SLA).

B. The most important element of an SLA is the measurable terms of performance, such as uptime agreements.

C. The indemnification clause is typically included in the master agreement rather than in the SLA.

D. The default resolution would only apply in case of a default of the SLA; therefore, it is more important to review the performance conditions of the SLA.

When selecting audit procedures, an IS auditor should use professional judgment to ensure that:

Correct A. sufficient evidence will be collected.

B. all significant deficiencies identified will be corrected within a reasonable period.

C. all material weaknesses will be identified.

D. audit costs will be kept at a minimum level.

You are correct, the answer is A.

A. Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate and the IS auditor’s past experience plays a key role in making a judgment. The IS auditor should use judgment in assessing the sufficiency of evidence to be collected. ISACA’s guidelines provide information on how to meet the standards when performing IS audit work.

B. The correction of deficiencies is the responsibility of management and is not a part of the audit procedure selection process.

C. Identifying material weaknesses is the result of appropriate competence, experience and thoroughness in planning and executing the audit and not of professional judgment. Professional judgment is not a primary input to the financial aspects of the audit. Audit procedures and use of professional judgment cannot ensure that all deficiencies/weaknesses will be identified and corrected.

D. Professional judgment will ensure that audit resources and costs are used wisely, but this is not the primary objective of the auditor when selecting audit procedures.

This question refers to the following diagram.

Internet–Firewall1–Mail Gateway–Firewall2–IDS

Email traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:

Incorrect A. alert the appropriate staff.

B. create an entry in the log.

C. close firewall-2.

D. close firewall-1.

You answered A. The correct answer is B.

A. The first action taken by an intrusion detection system (IDS) will be to create a log entry and then alert the administrator.

B. Creating an entry in the log is the first step taken by a network IDS. The IDS may also be configured to send an alert to the administrator, send a note to the firewall and may even be configured to record the suspicious packet.

C. Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been caused by an attack from a hacker. After the IDS has logged the suspicious traffic, it may signal firewall-2 to close, thus preventing damage to the internal network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator, valuable time can be lost, in which a hacker could also compromise firewall-2.

D. The IDS will usually only protect the internal network by closing firewall-2 and will not close the externally facing firewall-1.

Which one of the following could be used to provide automated assurance that proper data files are being used during processing?

Correct A. Internal labeling, including file header records

B. Version usage

C. Parity checking

D. File security controls

You are correct, the answer is A.

A. Internal labeling, including file header records, is correct because it can provide assurance that proper data files are being used and it allows for automatic checking.

B. Version usage is not correct because this may not necessarily allow for automatic checking. This helps only in respect to assurance that the correct file and version are being used.

C. Parity checking is not correct because it is a data integrity validation method typically used by a data transfer program. While parity checking may help to ensure that data and program files are transferred successfully, it does not help to ensure that the proper data or program files are being used.

D. File security controls is not correct because they cannot be used to provide assurance that proper data files are being used and cannot allow for automatic checking. They can be used to provide assurance that unauthorized users do not have access to the application and/or access to read or alter the data in an unauthorized manner.

Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?

Incorrect A. A sufficient quantity of data for each test case

B. Data representing conditions that are expected in actual processing

C. Completing the test on schedule

D. A random sample of actual data

You answered A. The correct answer is B.

A. The quantity of data for each test case is not as important as having test cases that will address all types of operating conditions.

B. Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity.

C. It is more important to have adequate test data than to complete the testing on schedule.

D. It is unlikely that a random sample of actual data would cover all test conditions and provide a reasonable representation of actual data.

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results?

Incorrect A. Project sponsor

B. System development project team (SDPT)

C. Project steering committee

D. User project team (UPT)

You answered A. The correct answer is C.

A. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project.

B. A system development project team (SDPT) completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The SDPT is not responsible for overseeing the progress of the project.

C. A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project’s progress to ensure that it will deliver the expected results.

D. A user project team (UPT) completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A UPT is not responsible for reviewing the progress of the project.

An IS auditor is reviewing the backup strategy and the backup technology in use by an organization. The IS auditor would be MOST concerned if:

Correct A. data restoration tests are not being regularly performed.

B. disk subsystems are being backed up to other disks, and not to tape.

C. daily backup logs are purged quarterly.

D. backups of critical company data are not encrypted.

You are correct, the answer is A.

A. The only way to ensure with certainty that a backup is working is to perform a data restoration test. If this were not being done regularly, it would be a concern.

B. Current backup technology utilizes disk-to-disk backup technology, which is considered to be reliable and will have a faster recovery time than tape, so this would not be a concern.

C. While it is important to maintain logs to document that the backup process is operating effectively, not retaining the logs would not be a major concern.

D. Encrypting backup data may be required in certain cases to protect valuable data, but data that are critical may not necessarily be classified as being confidential. Because encryption adds time and expense to the backup process, it would only be used when required to meet the security requirements rather than in all cases.

An IS auditor is reviewing a corporate web server. Which of the following should be of MOST concern to the IS auditor?

Correct A. System patches are not applied.

B. The server is not accessed through a virtual private network (VPN).

C. Server logs are not being captured.

D. The network address translation is not enabled.

You are correct, the answer is A.

A. Web servers should have up-to-date patches because they are accessible to the Internet and are prone to attack.

B. It is not typically required that the web server be accessed by a virtual private network (VPN) because the web server contains public information.

C. While logging is important, lack of system patching is a more significant issue.

D. Network address translation does not have any impact on server security and therefore is not a concern.

In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether:

A. there is an integration of IT and business personnel within projects.

B. there is a clear definition of the IT mission and vision.

C. a strategic information technology planning scorecard is in place.

Incorrect D. the plan correlates business objectives to IT goals and objectives.

You answered D. The correct answer is A.

A. The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IT short-range plan.

B. A clear definition of the IT mission and vision would be covered by a strategic plan.

C. A strategic information technology planning scorecard would be covered by a strategic plan.

D. Business objectives correlating to IT goals and objectives would be covered by a strategic plan.

Which of the following is the MOST common concern for an IS auditor regarding audit logs?

A. Logs can be examined only by system administrators.

B. Logs require special tools for collection and review.

C. Logs are typically not backed up regularly.

Correct D. Logs are collected but not analyzed.

You are correct, the answer is D.

A. Logs can be accessed and reviewed by authorized personnel with a minimal amount of training; however, in most cases no one is reviewing the logs on a regular basis.

B. Log analysis tools range from simple filters to complex security event and incident management (SEIM) systems.

C. Logs are rarely backed up and may be subject to alteration by administrators.

D. One of the most common problems with audit logs is that they are collected but not analyzed. In most circumstances, audit logs are reviewed only in the case of an incident, error or exception.

Of the following alternatives, the FIRST approach to developing a disaster recovery strategy would be to assess whether:

Incorrect A. all threats can be completely removed.

B. a cost-effective, built-in resilience can be implemented.

C. the recovery time objective (RTO) can be optimized.

D. the cost of recovery can be minimized.

You answered A. The correct answer is B.

A. It is impossible to remove all existing and future threats.

B. It is critical to initially identify information assets that can be made more resilient to disasters, e.g., diverse routing, alternate paths or multiple communication carriers. Preventing a problem is always better than planning to address a problem when it happens.

C. The optimization of the recovery time objective (RTO) comes later in the development of the disaster recovery strategy.

D. Efforts to minimize the cost of recovery come later in the development of the disaster recovery strategy.

Which of the following is the BEST reference for an IS auditor to determine a vendor’s ability to meet service level agreement (SLA) requirements for a critical IT security service?

A. Compliance with the master agreement

Correct B. Agreed-on key performance metrics

C. Results of business continuity tests

D. Results of independent audit reports

You are correct, the answer is B.

A. The master agreement typically includes terms, conditions and costs, but does not typically include service levels.

B. Metrics allow for a means to measure performance. Service level agreements (SLAs) are statements related to expected service levels. For example, an Internet service provider (ISP) may guarantee that their service will be available 99.99 percent of the time.

C. If applicable to the service, results of business continuity tests are typically included as part of the due diligence review.

D. Independent audits report on the financial condition of an organization or the control environment. Reviewing audit reports is typically part of the due diligence review. Even audits must be performed against a set of standards or metrics to validate compliance.

Which of the following is the MOST efficient way to test the design effectiveness of a change control process?

Incorrect A. Test a sample population of change requests

B. Test a sample of authorized changes

C. Interview personnel in charge of the change control process

D. Perform an end-to-end walk-through of the process

You answered A. The correct answer is D.

A. Testing a sample population of changes is a test of operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design.

B. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization or detect changes that bypassed the controls.

C. Interviewing personnel in charge of the change control process is not as effective as a walk-through of the change controls process because people may know the process but not follow it.

D. Observation is the best and most effective method to test changes to ensure that the process is effectively designed.

The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a disaster recovery plan, will MOST likely:

Correct A. increase.

B. decrease.

C. remain the same.

D. be unpredictable.

You are correct, the answer is A.

A. Due to the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation, i.e., the cost of normal operations during a nondisaster period will be more than the cost of operations during a nondisaster period when no DRP was in place.

B. The implementation of a DRP will always result in additional costs to the organization.

C. The implementation of a DRP will always result in additional costs to the organization.

D. The costs of a DRP are fairly predictable and consistent.

The effect of which of the following should have priority in planning the scope and objectives of an IS audit?

Correct A. Applicable statutory requirements

B. Applicable corporate standards

C. Applicable industry best practices

D. Organizational policies and procedures

You are correct, the answer is A.

A. The effect of applicable statutory requirements must be factored in while planning an IS audit—the IS auditor has no options in this respect because there can be no limitation of scope in respect to statutory requirements.

B. Statutory requirements always take priority over corporate standards.

C. Industry best practices help plan an audit; however, best practices are not mandatory and can be deviated from to meet organization objectives.

D. Organizational policies and procedures are important, but statutory requirements always take priority. Organizational policies must be in alignment with statutory requirements.

Which of the following is widely accepted as one of the critical components in networking management?

Correct A. Configuration management

B. Topological mappings

C. Application of monitoring tools

D. Proxy server troubleshooting

You are correct, the answer is A.

A. Configuration management is widely accepted as one of the key components of any network because it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Configuration management ensures that the setup and management of the network is done properly, including managing changes to the configuration, removal of default passwords and possibly hardening the network by disabling unneeded services.

B. Topological mappings provide outlines of the components of the network and its connectivity. This is important to address issues such as single points of failure and proper network isolation, but is not the most critical component of network management.

C. Application monitoring is not a critical part of network management.

D. Proxy server troubleshooting is used for troubleshooting purposes, and managing a proxy is only a small part of network management.

The most common reason for the failure of information systems to meet the needs of users is that:

A. user needs are constantly changing.

B. the growth of user requirements was forecast inaccurately.

C. the hardware system limits the number of concurrent users.

Correct D. user participation in defining the system’s requirements was inadequate.

You are correct, the answer is D.

A. Although changing user needs have an effect on the success or failure of many projects, the core problem is usually a failure to get the initial requirements right at the beginning of the project.

B. Projects may fail as the needs of the users increase; however, this can be mitigated through better change control procedures.

C. Rarely do hardware limitations affect the usability of the project as long as the requirements were correctly documented at the beginning of the project.

D. Lack of adequate user involvement, especially in the system’s requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are and, therefore, what the system should accomplish.

During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?

A. Recommend redesigning the change management process.

B. Gain more assurance on the findings through root cause analysis.

C. Recommend that program migration be stopped until the change process is documented.

Incorrect D. Document the finding and present it to management.

You answered D. The correct answer is B.

A. While it may be necessary to redesign the change management process, this cannot be done until a root cause analysis is conducted to determine why the current process is not being followed.

B. A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management.

C. A business relies on being able to make changes when necessary, and security patches must often be deployed promptly. It would not be feasible to halt all changes until a new process is developed.

D. The results of the audit including the findings of noncompliance will be delivered to management once a root cause analysis of the issue has been completed.

During a review of intrusion detection logs, an IS auditor notices traffic coming from the Internet, which appears to originate from the internal IP address of the company payroll server. Which of the following malicious activities would MOST likely cause this type of result?

A. A denial-of-service (DoS) attack

Correct B. Spoofing

C. Port scanning

D. A man-in-the-middle attack

You are correct, the answer is B.

A. A denial-of-service (DoS) attack is designed to limit the availability of a resource and is characterized by a high number of requests that require response from the resource (usually a web site). The target spends so many resources responding to the attack requests that legitimate requests are not serviced. These attacks are most commonly launched from networks of compromised computers (botnets) and may involve attacks from multiple computers at once.

B. Spoofing is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network, but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server’s internal network address. By impersonating the payroll server, the attacker may be able to access sensitive internal resources.

C. Port scanning is a reconnaissance technique that is designed to gather information about a target before a more active attack. Port scanning might be used to determine the internal address of the payroll server, but would not normally create a log entry that indicated external traffic from an internal server address.

D. A man-in-the-middle attack is a form of active eavesdropping where the attacker intercepts a computerized conversation between two parties and then allows the conversation to continue by relaying the appropriate data to both parties, while simultaneously monitoring the same data passing through the attacker’s conduit. This type of attack would not register as an attack originating from the payroll server, but instead might be designed to hijack an authorized connection between a workstation and the payroll server.

Disaster recovery planning (DRP) addresses the:

A. technological aspect of business continuity planning (BCP).

B. operational part of business continuity planning.

C. functional aspect of business continuity planning.

Incorrect D. overall coordination of business continuity planning.

You answered D. The correct answer is A.

A. Disaster recovery planning (DRP) is the technological aspect of business continuity planning (BCP) that focuses on IT systems and operations.

B. Business resumption planning addresses the operational part of BCP.

C. Disaster recovery addresses the technical components of business recovery.

D. The overall coordination of BCP is accomplished through business continuity management and strategic plans. DRP addresses technical aspects of BCP.

In a client-server architecture, a domain name service (DNS) is MOST important because it provides the:

A. address of the domain server.

B. resolution service for the name/address.

C. IP addresses for the Internet.

Incorrect D. domain name system.

You answered D. The correct answer is B.

A. The domain name service (DNS) enables users to access the Internet using URLs based on words instead of needing to know the IP addresses of a website.

B. DNS is utilized primarily on the Internet for resolution of the name/address of the web site. It is an Internet service that translates domain names into IP addresses. Because names are alphabetic, they are easier to remember. However, the Internet is based on IP addresses. Every time a domain name is used, a DNS service must translate the name into the corresponding IP address. The DNS system has its own network. If one DNS server does not know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.

C. The DNS is a translation or cross-reference tool; it does not provide the IP addresses for the Internet.

D. The DNS within an organization is part of the global Domain Name System; it does not provide the name system, it supports it.

Which of the following BEST ensures that business requirements are met prior to implementation?

Incorrect A. Feasibility study

B. User acceptance testing (UAT)

C. Postimplementation review

D. Implementation plan

You answered A. The correct answer is B.

A. A feasibility study describes the key alternative courses of action that will satisfy the business and functional requirements of a project, including an evaluation of the technological and economic feasibility. A feasibility study is conducted at the commencement of the project. However, the final user acceptance testing (UAT) happens after the feasibility study and therefore is of greater value.

B. UAT ensures that business process owners and IT stakeholders evaluate the outcome of the testing process to ensure that business requirements are met.

C. The postimplementation review occurs after the implementation.

D. The implementation plan formally defines expectations and performance measurement, and the effective recovery in the event of implementation failure. It does not ensure that business requirements are met.

IT governance is PRIMARILY the responsibility of the:

A. chief executive officer (CEO).

Correct B. board of directors.

C. IT steering committee.

D. audit committee.

You are correct, the answer is B.

A. The chief executive officer (CEO) is instrumental in implementing IT governance according to the directions of the board of directors.

B. IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors).

C. The IT steering committee monitors and facilitates deployment of IT resources for specific projects in support of business plans. The IT steering committee enforces governance on behalf of the board of directors.

D. The audit committee reports to the board of directors and executes governance-related audits. The audit committee should monitor the implementation of audit recommendations.

An IS auditor who is auditing an application determines that, due to resource constraints, one user holds roles as both a developer and a release coordinator. Which of the following options would the IS auditor MOST likely recommend?

A. Revoke the user’s developer access.

B. Revoke the user’s release coordinator access.

Correct C. Management review of user activities

D. Periodic audit of user activities

You are correct, the answer is C.

A. Given the resource constraints, revoking access would prevent the developer from performing assigned duties. In this case, due to resource constraints, the segregation of duties issue cannot be eliminated; however, secondary controls in the form of management review can be applied.

B. Given the resource constraints, revoking access would prevent the release coordinator from performing assigned duties. In this case, due to resource constraints, the segregation of duties issue cannot be eliminated; however, secondary controls in the form of management review can be applied.

C. If an individual requires roles with conflicting segregation of duties, the best control given the circumstances is to monitor that individual’s access in the production environment. Although this is not the preferred method of resolving segregation of duties conflicts, it is the best compensating control given the current business circumstances.

D. Periodic independent reviews, such as an audit, while useful, would not serve as an adequate control in this situation.

As part of the business continuity planning (BCP) process, which of the following should be identified FIRST in the business impact analysis (BIA)?

A. Risk such as single point-of-failure and infrastructure risk

Incorrect B. Threats to critical business processes

C. Critical business processes for ascertaining the priority for recovery

D. Resources required for resumption of business

You answered B. The correct answer is C.

A. Risk should be identified after the critical business processes have been identified.

B. The identification of threats to critical business processes can only be determined after the critical business processes have been identified.

C. The identification of critical business processes should be addressed first so that the priorities and time lines for recovery can be documented.

D. Identification of resources required for business resumption will occur after the identification of critical business processes.

Where would an IS auditor MOST likely see a hash function applied?

A. Authentication

B. Identification

C. Authorization

Incorrect D. Encryption

You answered D. The correct answer is A.

A. The purpose of a hash function is to produce a “fingerprint” of data that can be used to ensure integrity and authentication. A hash of a password also provides for authentication of a user or process attempting to access resources.

B. Hash functions are not used for identification. They are used to validate the authenticity of the identity.

C. Hash functions are not typically used to provide authorization. Authorization is provided after the authentication has been established.

D. Hash functions are algorithms that map or translate one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input. It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm or to find two different messages that produce the same hash result using the same algorithm. Hash functions do not encrypt data.

Which of the following BEST reduces the ability of one device to capture the packets that are meant for another device?

A. Hubs

Correct B. Switches

C. Routers

D. Firewalls

You are correct, the answer is B.

A. Hubs will broadcast all data to all network ports.

B. Switches are at a low level of network security and transmit a packet to the device to which it is addressed. This reduces the ability of one device to capture the packets that are meant for another device.

C. Routers allow packets to be given or denied access based on the addresses of the sender and receiver, and the type of packet.

D. Firewalls are a collection of computer and network equipment used to allow communications to flow out of the organization and restrict communications flowing into the organization.

Which of the following acts as a decoy to detect active Internet attacks?

Correct A. Honeypots

B. Firewalls

C. Trapdoors

D. Traffic analysis

You are correct, the answer is A.

A. Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals’ computer systems. The concept of a honeypot is to learn from intruders’ actions. A properly designed and configured honeypot provides data on methods used to attack systems. The data are then used to improve measures that could curb future attacks.

B. A firewall is basically a preventive measure.

C. Trapdoors create a vulnerability that provides an opportunity for the insertion of unauthorized code into a system.

D. Traffic analysis is a type of passive attack based on capturing network traffic.

The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation, and determined that he/she is the only user with administrative rights to the system. What should the IS auditor’s initial determination be?

A. The SAN is secure and no significant risk exists.

B. The SAN presents a potential risk because soft zoning should be used.

C. The SAN presents a potential risk because audit logs are not reviewed in a timely manner.

Correct D. The SAN presents a potential risk because only one employee has access.

You are correct, the answer is D.

A. While the storage area network (SAN) may have been implemented with good controls, the greatest risk is that only one person has the knowledge and ability to maintain the system.

B. Hard zoning is more secure and is preferred to soft zoning. Zoning is used to separate different data sources from each other (for instance, to ensure that payroll and human resource [HR] data are stored separately from sales data). Hard zones are enforced by the infrastructure (in hardware) and are therefore more secure than soft zones, which are implemented in software or firmware.

C. The question does not provide information regarding whether logs are reviewed in a timely manner, and thus, the IS auditor does not have enough information to determine whether this is a risk area.

D. The largest potential risk in this scenario is the risk that the SAN administrator represents a “single point of failure.” Because only one administrator has the knowledge and access required to administer the system, the organization is susceptible to risk. For example, if the SAN administrator decided to quit unexpectedly, or was otherwise unavailable, the company may not be able to adequately administer the SAN in his/her absence. In addition, having a single administrator for a large, complex system such as a SAN also presents a segregation of duties risk. If the SAN is securely configured, using hard zoning, logging and monitoring, and disabling of unused ports, no significant risk appears to exist regarding that configuration.

Which of the following is the GREATEST concern to an IS auditor reviewing an organization’s use of third-party-provided cloud services to store health care billing information?

A. Disparate backup requirements

Incorrect B. Availability of infrastructure

C. Segregation of client data

D. Integrity of data

You answered B. The correct answer is C.

A. Although disparate backup requirements may present a challenge, the primary concern is maintaining segregation of client data.

B. Availability of infrastructure is an inherent benefit of cloud services, and as such is not a primary concern.

C. In a shared services infrastructure, several clients access the same set of services. Therefore, the primary concern is maintaining segregation of client data.

D. Although integrity of data is important, maintaining confidentiality of the data through segregation is a greater concern.

In a public key infrastructure (PKI), a registration authority:

Correct A. verifies information supplied by the subject requesting a certificate.

B. issues the certificate after the required attributes are verified and the keys are generated.

C. digitally signs a message to achieve nonrepudiation of the signed message.

D. registers signed messages to protect them from future repudiation.

You are correct, the answer is A.

A. A registration authority is responsible for verifying information supplied by the subject requesting a certificate, and verifies the requestor’s right to request a certificate on behalf of themselves or their organization.

B. Certification authorities, not registration authorities, actually issue certificates once verification of the information has been completed.

C. The sender who has control of his/her private key signs the message, not the registration authority.

D. Registering signed messages is not a task performed by registration authorities.

Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects?

A. Increase the time allocated for system testing.

Correct B. Implement formal software inspections.

C. Increase the development staff.

D. Require the sign-off of all project deliverables.

You are correct, the answer is B.

A. Allowing more time for testing may discover more defects; however, little is revealed as to why the quality problems are occurring, and the cost of the extra testing and the cost of rectifying the defects found will be greater than if they had been discovered earlier in the development process.

B. Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction because less rework is involved.

C. The ability of the development staff can have a bearing on the quality of what is produced; however, replacing staff can be expensive and disruptive, and the presence of a competent staff cannot guarantee quality in the absence of effective quality management processes.

D. Sign-off of deliverables may help detect defects if signatories are diligent about reviewing deliverable content; however, this is difficult to enforce and may occur too late in the process to be cost-effective. Deliverable reviews normally do not go down to the same level of detail as software inspections.

A new application has been purchased from a vendor and is about to be implemented. Which of the following choices is a key consideration when implementing the application?

A. Preventing the compromise of the source code during the implementation process

Correct B. Ensuring that vendor default accounts and passwords have been disabled

C. Removing the old copies of the program from escrow to avoid confusion

D. Verifying that the vendor is meeting support and maintenance agreements

You are correct, the answer is B.

A. The source code may not even be available to the purchasing organization, and it is the executable or object code that must be protected during implementation.

B. Disabling vendor default accounts and passwords is a critical part of implementing a new application.

C. Because this is a new application, there should not be any problem with older versions in escrow.

D. It is not possible to ensure that the vendor is meeting support and maintenance requirements until the system is operating.

Which of the following will MOST successfully identify overlapping key controls in business application systems?

A. Reviewing system functionalities that are attached to complex business processes

B. Submitting test transactions through an integrated test facility (ITF)

Correct C. Replacing manual monitoring with an automated auditing solution

D. Testing controls to validate that they are effective

You are correct, the answer is C.

A. In general, highly complex business processes may have more key controls than business areas with less complexity; however, finding, with certainty, unnecessary controls in complex areas is not always possible. If a well-thought-out key control structure has been established from the beginning, finding any overlap in key controls will not be possible.

B. An integrated test facility (ITF) is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls.

C. As part of the effort to realize continuous audit management (CAM), there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts have the opportunity to come across unnecessary or overlapping key controls in existing systems.

D. By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.

An IS auditor is evaluating the effectiveness of the organization’s change management process. What is the MOST important control that the IS auditor should look for to ensure system availability?

A. That changes are authorized by IT managers at all times

B. That user acceptance testing (UAT) is performed and properly documented

C. That test plans and procedures exist and are closely followed

Incorrect D. That capacity planning is performed as part of each development project

You answered D. The correct answer is C.

A. Changes are usually required to be signed off by a business analyst, member of the change control board or other authorized representative, not necessarily by IT management.

B. User acceptance testing (UAT) is important but not a critical element of change control and would not usually address the topic of availability as asked in the question.

C. The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently.

D. While capacity planning should be considered in each development project, it will not ensure system availability, nor is it part of the change control process.

A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor’s main concern about the new process?

A. Whether key controls are in place to protect assets and information resources

Incorrect B. Whether the system addresses corporate customer requirements

C. Whether the system can meet the performance goals (time and resources)

D. Whether the new system will support separation of duties

You answered B. The correct answer is A.

A. The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process.

B. The system must meet the requirements of all customers, not just corporate customers. This is not the IS auditor’s main concern.

C. The system must meet performance requirements, but this is of secondary concern to the need to ensure that key controls are in place.

D. Separation of duties is a key control—but only one of the controls that should be in place to protect the assets of the organization.

An IS auditor is reviewing the access control list (ACL) of active network users. Which of the following types of user IDs should be of GREATEST concern?

A. Test or training user IDs

B. Shared IDs

C. Administrative IDs

Correct D. User IDs of past employees

You are correct, the answer is D.

A. Test or training user IDs could be a concern. However, it is unlikely that their access privileges are greater than those of a real user, and therefore they pose less of an overall risk.

B. The use of shared IDs, while not a best practice, is not as great a risk as having a terminated employee with access to the network. There can be many situations in which a shared ID is necessary. The risk with shared IDs is that accountability cannot be established.

C. Administrative IDs are commonly found on a network and are not cause for concern.

D. If a user’s network ID is not disabled on termination, the user or other unauthorized individual could potentially gain access to the network. User IDs of past employees pose the greatest risk because users can access the network via the Internet. In addition, many applications rely on network credentials to identify and authenticate access.

The PRIMARY benefit of an enterprise architecture (EA) initiative would be to:

A. enable the organization to invest in the most appropriate technology.

B. ensure that security controls are implemented on critical platforms.

C. allow development teams to be more responsive to business requirements.

Incorrect D. provide business units with greater autonomy to select IT solutions that fit their needs.

You answered D. The correct answer is A.

A. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective.

B. Ensuring that security controls are implemented on critical platforms is important, but this is not the function of the EA. The EA may be concerned with the design of security controls; however, the EA would not help to ensure that they were implemented. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization.

C. While the EA process may enable development teams to be more efficient, because they are creating solutions based on standard platforms using standard programming languages and methods, the more critical benefit of the EA is to provide guidance for IT investments of all types, which encompasses much more than software development.

D. A primary focus of the EA is to define standard platforms, databases and interfaces. Business units that invest in technology would need to select IT solutions that meet their business needs and are compatible with the EA of the enterprise. There may be instances when a proposed solution works better for a business unit but is not at all consistent with the EA of the enterprise, so there would be a need to compromise to ensure that the application can be supported by IT. Overall, the EA would restrict the ability of business units in terms of the potential IT systems that they may wish to implement. The support requirements would not be affected in this case.

A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the:

Correct A. system and the IT operations team can sustain operations in the emergency environment.

B. resources and the environment could sustain the transaction load.

C. connectivity to the applications at the remote site meets response time requirements.

D. workflow of actual business operations can use the emergency system in case of a disaster.

You are correct, the answer is A.

A. The applications have been operated intensively, but the capability of the system and the IT operations team to sustain and support this environment (ancillary operations, batch closing, error corrections, output distribution, etc.) is only partially tested.

B. Because the test involved intensive usage, the backup would seem to be able to handle the transaction load.

C. Because users were able to connect to and use the system, the response time must have been satisfactory.

D. The intensive tests by the business indicated that the workflow systems worked correctly. Changes to the environment could pose a problem in the future, but it is working correctly now.

A characteristic of User Datagram Protocol (UDP) in network communications is:

Correct A. packets may arrive out of order.

B. increased communication latency.

C. incompatibility with packet broadcast.

D. error correction may slow down processing.

You are correct, the answer is A.

A. User Datagram Protocol (UDP) utilizes a simple transmission model without implicit handshaking routines for providing reliability, ordering or data integrity. Thus, UDP provides an unreliable service and datagrams may arrive out of order, appear duplicated or get dropped.

B. The advantage of UDP is that the lack of error checking allows for reduced latency. Time-sensitive applications, such as online video or audio, often use UDP because of the reduced latency of this protocol.

C. UDP is compatible with packet broadcast (sending to all on the local network) and multicasting (sending to all subscribers).

D. UDP assumes that error checking and correction is either not necessary or performed in the application, avoiding the overhead of such processing at the network interface level.

What would be the MOST effective control for enforcing accountability among database users accessing sensitive information?

Correct A. Implement a log management process.

B. Implement a two-factor authentication.

C. Use table views to access sensitive data.

D. Separate database and application servers.

You are correct, the answer is A.

A. Accountability means knowing what is being done by whom. The best way to enforce the principle is to implement a log management process that would create and store logs with pertinent information such as user name, type of transaction and hour.

B. Implementing a two-factor authentication would prevent unauthorized access to the database, but would not record the activity of the user when using the database.

C. Using table views would restrict users from seeing data that they should not be able to see, but would not record what users did with data they were allowed to see.

D. Separating database and application servers may help in better administration or even in implementing access controls, but does not address the accountability issues.

Which of the following security measures BEST ensures the integrity of information stored in a data warehouse?

A. Validated daily backups

B. Change management procedures

C. Data dictionary maintenance

Correct D. A read-only restriction

You are correct, the answer is D.

A. Backups address availability, not integrity. Validated backups ensure that the backup will work when needed.

B. Adequate change management procedures protect the data warehouse and the systems with which the data warehouse interfaces from unauthorized changes, but are not usually concerned with the data.

C. Data dictionary maintenance procedures provide for the definition and structure of data that are input to the data warehouse. This will not affect the integrity of data already stored.

D. Because most data in a data warehouse are historic and do not need to be changed, applying read-only restrictions prevents data manipulation.

An IS auditor reviewing a database discovers that the current configuration does not match the originally designed structure. Which of the following should be the IS auditor’s next action?

A. Analyze the need for the structural change.

B. Recommend restoration to the originally designed structure.

C. Recommend the implementation of a change control process.

Correct D. Determine whether the modifications were properly approved.

You are correct, the answer is D.

A. The first action taken by the IS auditor should be to verify whether the changes were authorized. Then the question can be asked, if necessary, whether the changes were required.

B. The IS auditor should not recommend reverting to the former design until validating the approval and need for the change.

C. A change control process should be in place and may just not have been followed. After the details of this are learned, a recommendation can be made regarding a change control process.

D. An IS auditor should first determine whether the modifications were properly approved, and perhaps why this change happened without properly updating the documentation.

An IS auditor is reviewing security incident management procedures for the company. Which of the following choices is the MOST important consideration?

A. Chain of custody of electronic evidence

Incorrect B. System breach notification procedures

C. Escalation procedures to external agencies

D. Procedures to recover lost data

You answered B. The correct answer is A.

A. The preservation of evidence is the most important consideration in regard to security incident management. If data and evidence are not collected properly, valuable information could be lost and would not be admissible in a court of law should the company decide to pursue litigation.

B. System breach notification is an important aspect and in many cases may even be required by laws and regulations; however, the security incident may not be a breach and the notification procedure might not apply.

C. Escalation procedures to external agencies such as the local police or special agencies dealing in cybercrime are important. However, without proper chain of custody procedures, vital evidence may be lost and would not be admissible in a court of law should the company decide to pursue litigation.

D. While having procedures in place to recover lost data is important, it is critical to ensure that evidence is protected to ensure follow-up and investigation.

The risk of dumpster diving is BEST mitigated by:

A. implementing security awareness training.

B. placing shred bins in copy rooms.

Incorrect C. developing a media disposal policy.

D. placing shredders in individual offices.

You answered C. The correct answer is A.

A. Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items.

B. The shred bins may not be properly used if users are not aware of proper security techniques.

C. A media disposal policy is a good idea; however, if users are not aware of the policy it may not be effective.

D. The shredders may not be properly used if users are not aware of proper security techniques.

Which of the following is the BEST method to ensure that the business continuity plan (BCP) remains up to date?

Correct A. The group walks through the different scenarios of the plan, from beginning to end.

B. The group ensures that specific systems can actually perform adequately at the alternate offsite facility.

C. The group is aware of full-interruption test procedures.

D. Interdepartmental communication is promoted to better respond in the case of a disaster.

You are correct, the answer is A.

A. A structured walk-through test gathers representatives from each department who will review the plan and identify weaknesses.

B. The ability of the group to ensure that specific systems can actually perform adequately at the alternate offsite facility is a parallel test and does not involve group meetings.

C. A full-interruption test, which the group would need to be aware of, is the most intrusive test to regular operations and the business.

D. While improving communication is important, it is not the most valued method to ensure that the plan is up to date.

Which of the following is a continuity plan test that simulates a system crash and uses actual resources to cost-effectively obtain evidence about the plan’s effectiveness?

A. Paper test

B. Posttest

Correct C. Preparedness test

D. Walk-through

You are correct, the answer is C.

A. A paper test is a walk-through of the plan, involving major players, who attempt to determine what might happen in a particular type of service disruption in the plan’s execution. A paper test usually precedes the preparedness test.

B. A posttest is actually a test phase and comprises a group of activities such as returning all resources to their proper place, disconnecting equipment, returning personnel and deleting all company data from third-party systems.

C. A preparedness test is a localized version of a full test, wherein resources are expended in the simulation of a system crash. This test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan’s effectiveness. It also provides a means to improve the plan in increments.

D. A walk-through is a test involving a simulated disaster situation that tests the preparedness and understanding of management and staff rather than the actual resources.

Which of the following would an IS auditor consider to be MOST helpful when evaluating the effectiveness and adequacy of a preventive computer maintenance program?

Correct A. A system downtime log

B. Vendors’ reliability figures

C. Regularly scheduled maintenance log

D. A written preventive maintenance schedule

You are correct, the answer is A.

A. A system downtime log provides information regarding the effectiveness and adequacy of computer preventive maintenance programs. The log is a detective control, but because it is validating the effectiveness of the maintenance program, it is validating a preventive control.

B. Vendors’ reliability figures are not an effective measure of a preventive maintenance program.

C. Reviewing the log is a good detective control to ensure that maintenance is being done; however, only the system downtime will indicate whether the preventive maintenance is actually working well.

D. A schedule is a good control to ensure that maintenance is scheduled and that no items are missed in the maintenance schedule; however, it is not a guarantee that the work is actually being done.

An organization recently deployed a customer relationship management (CRM) application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed?

A. User acceptance testing (UAT)

B. Project risk assessment

Correct C. Postimplementation review

D. Management approval of the system

You are correct, the answer is C.

A. User acceptance testing (UAT) verifies that the system functionality has been deemed acceptable by the end users of the system; however, a review of UAT will not validate whether the system is performing as designed because UAT could be performed on a subset of system functionality. The UAT review is a part of the postimplementation review.

B. While a risk assessment would highlight the risk of the system, it would not include an analysis to verify that the system is operating as designed.

C. The purpose of a postimplementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The postimplementation review also evaluates how effective the project management practices were in keeping the project on track.

D. Management approval of the system could be based on reduced functionality and does not verify that the system is operating as designed. Review of management approval is a part of postimplementation review.

An IS auditor observed brute force attacks on the administrator account. The BEST recommendation to prevent a successful brute force attack would be to:

A. increase the password length for the user.

B. configure a session timeout mechanism.

Incorrect C. perform periodic vulnerability scans.

D. configure a hard-to-guess username.

You answered C. The correct answer is D.

A. Increasing the password length is not as good as having a username that cannot be discovered.

B. Session timeouts do not prevent unauthorized access.

C. Vulnerability scans typically test for default usernames and passwords and are a good detective control, but performing periodic vulnerability scans does not prevent brute force attacks.

D. Knowledge of both a username and password is required to successfully compromise an account using brute force attack. If a username is guessable, brute force attacks are much more feasible.

An enterprise uses privileged accounts to process configuration changes for mission-critical applications. Which of the following would be the BEST and appropriate control to limit the risk in such a situation?

Incorrect A. Ensure that audit trails are accurate and specific.

B. Ensure that personnel have adequate training.

C. Ensure that personnel background checks are performed for critical personnel.

D. Ensure that supervisory approval and review are performed for critical changes.

You answered A. The correct answer is D.

A. Audit trails are a detective control and, in many cases, can be altered by those with privileged access.

B. Staff proficiency is important and good training may be somewhat of a deterrent, but supervisory approval and review is the best choice.

C. Performing background checks is a very basic control and will not effectively prevent or detect errors or malfeasance.

D. Supervisory approval and review of critical changes by the accountable managers in the enterprise are required to avoid and detect any unauthorized change. In addition to authorization, supervision enforces a separation of duties and prevents an unauthorized attempt by any single employee.

A company’s development team does not follow generally accepted system development life cycle (SDLC) practices. Which of the following is MOST likely to cause problems for software development projects?

A. Functional verification of the prototypes is assigned to end users.

B. The project is implemented while minor issues are open from user acceptance testing (UAT).

Correct C. Project responsibilities are not formally defined at the beginning of a project.

D. Program documentation is inadequate.

You are correct, the answer is C.

A. Prototypes are verified by users.

B. User acceptance testing (UAT) is seldom completely successful. If errors are not critical, they may be corrected after implementation without seriously affecting usage.

C. Errors or lack of attention in the initial phases of a project may cause costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project.

D. Lack of adequate program documentation, while a concern, is not as big a risk as the lack of assigned responsibilities during the initial stages of the project.

An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?

A. Computer-aided software engineering (CASE) tools

Incorrect B. Embedded data collection tools

C. Trend/variance detection tools

D. Heuristic scanning tools

You answered B. The correct answer is C.

A. Computer-aided software engineering (CASE) tools are used to assist in software development.

B. Embedded (audit) data collection software, such as systems control audit review file (SCARF) or systems audit review file (SARF), is used to provide sampling and production statistics, but not to conduct an audit log analysis.

C. Trend/variance detection tools look for anomalies in user or system behavior, such as invoices with increasing invoice numbers.

D. Heuristic scanning tools are a type of virus scanning used to indicate possible infected traffic.

An IS auditor is reviewing the network infrastructure of a call center and determines that the internal telephone system is based on Voice-over Internet Protocol (VoIP) technology. Which of the following is the GREATEST concern?

A. Voice communication uses the same equipment that is used for data communication.

Correct B. Ethernet switches are not protected by uninterrupted power supply (UPS) units.

C. Voice communication is not encrypted on the local network.

D. The team that supports the data network is also responsible for the telephone system.

You are correct, the answer is B.

A. Voice-over Internet Protocol (VoIP) telephone systems use the local area network (LAN) infrastructure of a company for communication, which can save on wiring cost and simplify both the installation and support of the telephone system. This use of shared infrastructure is a benefit of VoIP and therefore is not a concern.

B. VoIP telephone systems use the LAN infrastructure of a company for communication, typically using Ethernet connectivity to connect individual phones to the system. Most companies have a backup power supply for the main servers and systems, but typically do not have uninterrupted power supply (UPS) units for the LAN switches. In the case of even a brief power outage, not having backup power on all network devices makes it impossible to send or receive phone calls, which is a concern, particularly in a call center.

C. VoIP devices do not normally encrypt the voice traffic on the local network, so this is not a concern. Typically, a VoIP phone system connects to a telephone company voice circuit, which would not normally be encrypted. If the system uses the Internet for connectivity, then encryption is required.

D. VoIP telephone systems use the LAN infrastructure of a company for communication, so the personnel who support and maintain that infrastructure are now responsible for both the data and voice network by default. Therefore, this would not be a concern.

A disaster recovery plan (DRP) for an organization’s financial system specifies that the recovery point objective (RPO) is zero and the recovery time objective (RTO) is 72 hours. Which of the following is the MOST cost-effective solution?

A. A hot site that can be operational in eight hours with asynchronous backup of the transaction logs

B. Distributed database systems in multiple locations updated asynchronously

C. Synchronous updates of the data and standby active systems in a hot site

Correct D. Synchronous remote copy of the data in a warm site that can be operational in 48 hours

You are correct, the answer is D.

A. A hot site would meet the recovery time objective (RTO), but would incur higher costs than necessary.

B. Asynchronous updates of the database in distributed locations do not meet the recovery point objective (RPO).

C. Synchronous updates of the data and standby active systems in a hot site meet the RPO and RTO requirements, but are more costly than a warm site solution.

D. The synchronous copy of the data storage achieves the RPO, and a warm site operational in 48 hours meets the required RTO.

An online stock trading firm is in the process of implementing a system to provide secure email exchange with its customers. What is the BEST option to ensure confidentiality, integrity and nonrepudiation?

Incorrect A. Symmetric key encryption

B. Digital signatures

C. Message digest algorithms

D. Digital certificates

You answered A. The correct answer is D.

A. Symmetric key encryption uses a single pass phrase to encrypt and decrypt the message. While this type of encryption is strong, it suffers from the inherent problem of needing to share the pass phrase in a secure manner and does not address integrity and nonrepudiation.

B. Digital signatures provide message integrity and nonrepudiation; however, confidentiality is not provided.

C. Message digest algorithms are a way to design hashing functions to verify the integrity of the message/data. Message digest algorithms do not provide confidentiality or nonrepudiation.

D. A digital certificate contains the public key and identifying information about the owner of the public key. The associated private key is kept secret by the owner. These certificates are generally verified by a trusted authority, with the purpose of associating a person’s identity with the public key. Email confidentiality and integrity are obtained by using the public key-private key pair for encryption. With the digital certificate verified by the trusted third party, nonrepudiation of the sender is obtained.

The BEST audit procedure to determine if unauthorized changes have been made to production code is to:

A. examine the change control system records and trace them forward to object code files.

B. review access control permissions operating within the production program libraries.

Correct C. examine object code to find instances of changes and trace them back to change control records.

D. review change approved designations established within the change control system.

You are correct, the answer is C.

A. Checking the change control system will not detect changes that were not recorded in the control system.

B. Reviewing access control permissions will not identify unauthorized changes made previously.

C. The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes.

D. Reviewing change approved designations will not identify unauthorized changes.

Results of a postimplementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application?

A. Load testing

B. Stress testing

C. Recovery testing

Incorrect D. Volume testing

You answered D. The correct answer is A.

A. Load testing evaluates the performance of the software under normal and peak conditions. Because this application is not supporting normal numbers of concurrent users, the load testing must not have been adequate.

B. Stress testing determines the capacity of the software to cope with an abnormal number of users or simultaneous operations. Because the number of concurrent users in this question is within normal limits, the answer is load testing, not stress testing.

C. Recovery testing evaluates the ability of a system to recover after a failure.

D. Volume testing evaluates the impact of incremental volume of records (not users) on a system.

Ideally, stress testing should be carried out in a:

A. test environment using test data.

B. production environment using live workloads.

Correct C. test environment using live workloads.

D. production environment using test data.

You are correct, the answer is C.

A. A test environment should always be used to avoid damaging the production environment, but only testing with test data may not test all aspects of the system adequately.

B. Testing should never take place in a production environment.

C. Stress testing is carried out to ensure that a system can cope with production workloads. Testing with production level workloads is important to ensure that the system will operate effectively when moved into production.

D. It is not advisable to do stress testing in a production environment. Additionally, if only test data are used, there is no certainty that the system was stress tested adequately.

Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment?

A. Lack of transaction authorizations

B. Loss or duplication of EDI transmissions

C. Transmission delay

Incorrect D. Deletion or manipulation of transactions prior to or after establishment of application controls

You answered D. The correct answer is A.

A. Because the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk.

B. Loss or duplication of electronic data interchange (EDI) transmissions is an example of risk, but because all transactions should be logged, the impact is not as great as that of unauthorized transactions.

C. Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data.

D. Deletion or manipulation of transactions prior to or after establishment of application controls is an example of risk; however, logging will detect any alteration to the data, and the impact is not as great as that of unauthorized transactions.

Which of the following is the MOST effective method for dealing with the spread of a network worm that exploits a vulnerability in a protocol?

A. Install the vendor’s security fix for the vulnerability.

Incorrect B. Block the protocol traffic in the perimeter firewall.

C. Block the protocol traffic between internal network segments.

D. Stop the service until an appropriate security fix is installed.

You answered B. The correct answer is D.

A. If the service is not stopped, installing the fix is not the most effective method because the worm continues spreading until the fix becomes effective.

B. Blocking the protocol on the perimeter does not stop the worm from spreading if it is introduced to the internal network(s) via a USB or other portable media.

C. Blocking the protocol helps to slow the spread, but also prohibits any software that utilizes it from working between segments.

D. Stopping the service and installing the security fix is the safest way to prevent the worm from spreading.

The MAJOR advantage of a component-based development approach is the:

A. ability to manage an unrestricted variety of data types.

B. provision for modeling complex relationships.

C. capacity to meet the demands of a changing environment.

Correct D. support of multiple development environments.

You are correct, the answer is D.

A. The data types must be defined within each component, and it is not certain that any given component will be able to handle multiple data types.

B. Component-based development is no better than many other development methods at modeling complex relationships.

C. Component-based development is one of the methodologies that can be effective at meeting changing requirements, but this is not its primary benefit or purpose.

D. Component-based development that relies on reusable modules can increase the speed of development. Software developers can then focus on business logic.

An internal audit function is reviewing an internally developed common gateway interface (CGI) script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern?

Incorrect A. System unavailability

B. Exposure to malware

C. Unauthorized access

D. System integrity

You answered A. The correct answer is C.

A. While untested common gateway interfaces (CGIs) can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users.

B. Untested CGI scripts do not inherently lead to malware exposures.

C. Untested CGIs can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers.

D. While untested CGIs can cause the end-user web application to be compromised, this is not likely to significantly impact system integrity.

An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find?

A. Use of a capability maturity model (CMM)

B. Regular monitoring of task-level progress against schedule

C. Extensive use of software development tools to maximize team productivity

Correct D. Postiteration reviews that identify lessons learned for future use in the project

You are correct, the answer is D.

A. The capability maturity model (CMM) places heavy emphasis on predefined formal processes and formal project management and software development deliverables, while agile software development projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics.

B. Task-level tracking is not used because daily meetings identify challenges and impediments to the project.

C. Agile projects make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance.

D. A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that the team considers and documents what worked well and what could have worked better at the end of each iteration and identifies improvements to be implemented in subsequent iterations. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from 4 to 8 weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant.

Receiving an electronic data interchange (EDI) transaction and passing it through the communications interface stage usually requires:

A. translating and unbundling transactions.

Correct B. routing verification procedures.

C. passing data to the appropriate application system.

D. creating a point of receipt audit log.

You are correct, the answer is B.

A. Electronic data interchange (EDI) or ANSI X12 is a standard that must be interpreted by an application for transactions to be processed and then to be invoiced, paid and sent, whether they are for merchandise or services.

B. The communications interface stage requires routing verification procedures.

C. There is no point in sending and receiving EDI transactions if they cannot be processed by an internal system.

D. Unpacking transactions and recording audit logs are important elements that help follow business rules and establish controls, but are not part of the communications interface stage.

After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways, and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented?

Correct A. A cost-benefit analysis

B. An annualized loss expectancy (ALE) calculation

C. A comparison of the cost of the IPS and firewall and the cost of the business systems

D. A business impact analysis (BIA)

You are correct, the answer is A.

A. In a cost-benefit analysis, the total expected purchase and operational/support costs and a qualitative value for all actions are weighted against the total expected benefits to choose the best technical, most profitable, least expensive or acceptable risk option.

B. The annualized loss expectancy (ALE) is the expected monetary loss that is estimated for an asset over a one-year period. It is a useful calculation that should be included in determining the necessity of controls, but is not sufficient alone.

C. The cost of the hardware assets should be compared to the total value of the information that the asset protects, including the cost of the systems where the data reside and across which data are transmitted.

D. Potential business impact is only one part of the cost-benefit analysis.

Which of the following preventive controls BEST helps secure a web application?

A. Password masking

B. Developer training

Incorrect C. Encryption

D. Vulnerability testing

You answered C. The correct answer is B.

A. Password masking is a necessary preventive control, but is not the best way to secure an application.

B. Of the given choices, teaching developers to write secure code is the best way to secure a web application.

C. Encryption will protect data, but is not sufficient to secure an application because other flaws in coding could compromise the application and data. Ensuring that applications are designed in a secure way is the best way to secure an application. This is accomplished by ensuring that developers are adequately educated on secure coding practices.

D. Vulnerability testing can help to ensure the security of web applications; however, the best preventive control is developer education because building secure applications from the start is more effective.

An organization has implemented an online customer help desk application using a Software as a Service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide?

A. Ask the SaaS vendor to provide a weekly report on application uptime.

Correct B. Implement an online polling tool to monitor the application and record outages.

C. Log all application outages reported by users and aggregate the outage time weekly.

D. Contract an independent third party to provide weekly reports on application uptime.

You are correct, the answer is B.

A. Weekly application availability reports are useful, but these reports represent only the vendor’s perspective. While monitoring these reports, the organization can raise concerns of inaccuracy; however, without internal monitoring, such concerns cannot be substantiated.

B. Implementing an online polling tool to monitor and record application outages is the best option for an organization to monitor application availability. Comparing internal reports with the vendor’s service level agreement (SLA) reports would ensure that the vendor’s monitoring of the SLA is accurate and that all conflicts are appropriately resolved.

C. Logging the outage times reported by users is helpful, but does not give a true picture of all outages of the online application. Some outages may go unreported, especially if the outages are intermittent.

D. Contracting a third party to implement availability monitoring is not a cost-effective option. Additionally, this results in a shift from monitoring the SaaS vendor to monitoring the third party.

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function?

A. Advise on the adoption of application controls to the new database software.

B. Provide future estimates of the licensing expenses to the project team.

C. Recommend at the project planning meeting how to improve the efficiency of the migration.

Correct D. Review the acceptance test case documentation before the tests are carried out.

You are correct, the answer is D.

A. Independence could be compromised if the IS auditor advises on the adoption of specific application controls.

B. Independence could be compromised if the IS auditor were to audit the estimate of future expenses used to support a business case for management approval of the project.

C. Advising the project manager on how to increase the efficiency of the migration may compromise the IS auditor’s independence.

D. The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases.

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented?

Incorrect A. The reporting of the mean time between failures over time

B. The overall mean time to repair failures

C. The first report of the mean time between failures

D. The overall response time to correct failures

You answered A. The correct answer is C.

A. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues.

B. The mean time to repair is a reflection on the response team or help desk team in addressing reported issues.

C. The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented.

D. The response time is a reflection of the agility of the response team or the help desk team in addressing reported issues.

To prevent Internet protocol (IP) spoofing attacks, a firewall should be configured to drop a packet if:

A. the source routing field is enabled.

Incorrect B. it has a broadcast address in the destination field.

C. a reset flag (RST) is turned on for the transmission control protocol (TCP) connection.

D. dynamic routing is used instead of static routing.

You answered B. The correct answer is A.

A. IP spoofing takes advantage of the source-routing option in the IP protocol. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing.

B. If a packet has a broadcast destination address, it is definitely suspicious and if allowed to pass will be sent to all addresses in the subnet. This is not related to IP spoofing.

C. Turning on the reset flag (RST) is part of the normal procedure to end a transmission control protocol (TCP) connection.

D. The use of dynamic or static routing will not represent a spoofing attack.

When reviewing a hardware maintenance program, an IS auditor should assess whether:

Incorrect A. the schedule of all unplanned maintenance is maintained.

B. it is in line with historical trends.

C. it has been approved by the IS steering committee.

D. the program is validated against vendor specifications.

You answered A. The correct answer is D.

A. Unplanned maintenance cannot be scheduled.

B. Hardware maintenance programs do not necessarily need to be in line with historic trends.

C. Maintenance schedules normally are not approved by the steering committee.

D. Although maintenance requirements vary based on complexity and performance workloads, a hardware maintenance schedule should be validated against the vendor-provided specifications.

Which of the following results in a denial-of-service (DoS) attack?

A. Brute force attack

Correct B. Ping of death

C. Leapfrog attack

D. Negative acknowledgement (NAK) attack

You are correct, the answer is B.

A. A brute force attack is typically a text attack that exhausts all possible key combinations used against encryption keys or passwords.

B. The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service.

C. A leapfrog attack, the act of telneting through one or more hosts to preclude a trace, makes use of user ID and password information obtained illicitly from one host to compromise another host.

D. A negative acknowledgment (NAK) is a penetration technique that capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts.

Two-factor authentication can be circumvented through which of the following attacks?

A. Denial-of-service

Correct B. Man-in-the-middle

C. Key logging

D. Brute force

You are correct, the answer is B.

A. A denial-of-service attack does not have a relationship to authentication.

B. A man-in-the-middle attack is similar to piggybacking in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions after authentication has been accepted. This is done in many instances of bank fraud.

C. Key logging could circumvent single-factor authentication, but not two-factor authentication.

D. Brute force could circumvent single-factor authentication, but not two-factor authentication.

Which of the following should be the MOST important criterion in evaluating a backup solution for sensitive data that must be retained for a long period of time due to regulatory requirements?

A. Full backup window

B. Media costs

C. Restore window

Correct D. Media reliability

You are correct, the answer is D.

A. Full backup window is less critical than reliability.

B. Media price is a consideration, but should not be more important than the ability to provide the required reliability. Using a low-cost but inadequate media may lead to penalties if data cannot be accessed when they are required.

C. The restore window is the amount of time taken to recover the data. Because these are compliance-related backup data and are not being used for production, this is less critical than reliability.

D. To comply with regulatory requirements, the media should be reliable enough to ensure an organization’s ability to recover the data should they be required for any reason.

Which of the following is an attribute of the control self-assessment (CSA) approach?

Correct A. Broad stakeholder involvement

B. Auditors are the primary control analysts

C. Limited employee participation

D. Policy driven

You are correct, the answer is A.

A. The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization’s business processes. The attributes of CSA include: empowered employees, continuous improvement, extensive employee participation and training, all of which are representations of broad stakeholder involvement.

B. IS auditors are the primary control analysts in a traditional audit approach. CSA involves many stakeholders, not just auditors.

C. Limited employee participation is an attribute of a traditional audit approach.

D. Policy-driven is an attribute of a traditional audit approach.

Reconfiguring which of the following firewall types will prevent inward downloading of files through the File Transfer Protocol (FTP)?

A. Circuit gateway

B. Application gateway

Incorrect C. Packet filter

D. Screening router

You answered C. The correct answer is B.

A. A circuit gateway firewall is able to prevent paths or circuits, not applications, from entering the organization’s network.

B. An application gateway firewall is effective in preventing applications such as File Transfer Protocol (FTP) from entering the organization’s network.

C. A packet filter firewall or screening router will allow or prevent access based on IP packets/address.

D. A screening router is not able to effectively control application level security.

Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)?

A. Analyzer

B. Administration console

C. User interface

Correct D. Sensor

You are correct, the answer is D.

A. Analyzers receive input from sensors and determine the presence of and type of intrusive activity.

B. An administration console is the management interface component of an intrusion detection system (IDS).

C. A user interface allows the administrators to interact with the IDS.

D. Sensors are responsible for collecting data. Sensors may be attached to a network, server or other location and may gather data from many points for later analysis.

Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity?

Incorrect A. Draft and publish a clear practice for enterprise-level incident response.

B. Establish a cross-departmental working group to share perspectives.

C. Develop a scenario and perform a structured walk-through.

D. Develop a project plan for end-to-end testing of disaster recovery.

You answered A. The correct answer is C.

A. Publishing an enterprise-level incident response plan is effective only if business continuity has aligned itself to incident response. Incident response supports business continuity, not the other way around.

B. Sharing perspectives is valuable, but a working group does not necessarily lead to ensuring that the interface between plans is workable.

C. A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans.

D. A project plan developed for disaster recovery will not necessarily address deficiencies in business continuity or incident response.

When reviewing an implementation of a Voice-over Internet Protocol (VoIP) system over a corporate wide area network (WAN), an IS auditor should expect to find:

Incorrect A. an integrated services digital network (ISDN) data link.

B. traffic engineering.

C. wired equivalent privacy (WEP) encryption of data.

D. analog phone terminals.

You answered A. The correct answer is B.

A. The standard bandwidth of an integrated services digital network (ISDN) data link would not provide the quality of services required for corporate Voice-over Internet Protocol (VoIP) services.

B. To ensure that quality of service requirements are achieved, the VoIP service over the wide area network (WAN) should be protected from packet losses, latency or jitter. To reach this objective, the network performance can be managed to provide quality of service (QoS) and class of service (CoS) support using statistical techniques such as traffic engineering.

C. Wired equivalent privacy (WEP) is an encryption scheme related to wireless networking.

D. The VoIP phones are usually connected to a corporate local area network (LAN) and are not analog.

Recovery procedures for an information processing facility are BEST based on:

A. recovery time objective (RTO).

B. recovery point objective (RPO).

C. maximum tolerable outage (MTO).

Incorrect D. information security policy.

You answered D. The correct answer is A.

A. The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; the RTO is the desired recovery timeframe based on maximum tolerable outage (MTO) and available recovery alternatives.

B. The recovery point objective (RPO) has the greatest influence on the recovery strategies for given data. It is determined based on the acceptable data loss in case of a disruption of operations. The RPO effectively quantifies the permissible amount of data loss in case of interruption.

C. MTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it represents the time by which the service must be restored before the organization is faced with the threat of collapse.

D. An information security policy does not address recovery procedures.

An IS auditor should review the configuration of which of the following protocols to detect unauthorized mappings between the IP address and the media access control (MAC) address?

A. Simple Object Access Protocol (SOAP)

B. Address Resolution Protocol (ARP)

C. Routing Information Protocol (RIP)

Incorrect D. Transmission Control Protocol (TCP)

You answered D. The correct answer is B.

A. Simple Object Access Protocol (SOAP) is a platform-independent XML-based protocol, enabling applications to communicate with each other over the Internet, and does not deal with media access control (MAC) addresses.

B. Address Resolution Protocol (ARP) provides dynamic address mapping between an IP address and hardware (MAC) address.

C. Routing Information Protocol (RIP) specifies how routers exchange routing table information.

D. Transmission Control Protocol (TCP) enables two hosts to establish a connection and exchange streams of data.

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)?

A. Function point analysis (FPA)

Correct B. Earned value analysis (EVA)

C. Cost budget

D. Program evaluation and review technique (PERT)

You are correct, the answer is B.

A. Function point analysis (FPA) is an indirect measure of software size and complexity and, therefore, does not address the elements of time and budget.

B. Earned value analysis (EVA) is an industry standard method for measuring a project’s progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed to determine if the cost, schedule and work accomplished are progressing in accordance with the plan. EVA works most effectively if a well-formed work breakdown structure exists.

C. Cost budgets do not address time.

D. Program evaluation and review technique (PERT) aids time and deliverables management, but lacks projections for estimates at completion (EACs) and overall financial management.

When conducting a compliance review of an organization’s incident response process, the BEST approach for the IS auditor is to determine whether:

A. roles and responsibilities are clearly defined.

B. incident response data are secure.

C. incident response staff members are qualified.

Correct D. past incidents were handled appropriately.

You are correct, the answer is D.

A. Roles and responsibilities may be established within the policy or separately documented and are important for the IS auditor to understand. However, the policy should be reviewed first.

B. While it is important to protect incident response data, this is a subset, not a primary focus, of the incident response compliance review. A compliance audit focuses on the performance of a process measured against the set policy or standard.

C. Ensuring that incident response staff members are qualified should be part of a compliance assessment. However, it is performed after the IS auditor reviews the policies and procedures, so that the IS auditor knows what the process is being reviewed against.

D. Compliance reviews focus on the performance of a process measured against the set policy or standard. This can be achieved only when the IS auditor determines that past incidents were handled appropriately, in alignment with established policies and procedures.

An IS auditor is evaluating the controls around provisioning visitor access cards to the organization’s IT facility. The IS auditor notes that daily reconciliation of visitor card inventory is not carried out as mandated. However, an inventory count carried out by the IS auditor reveals no missing access cards. In this context, the IS auditor should:

A. disregard the lack of reconciliation because no discrepancies were discovered.

Incorrect B. recommend regular physical inventory counts be performed in lieu of daily reconciliation.

C. report the lack of daily reconciliation as an exception.

D. recommend the implementation of a biometric access system.

You answered B. The correct answer is C.

A. The absence of a discrepancy in the physical count only confirms the absence of any impact; it cannot be a reason to overlook the failure of the control to operate.

B. While the IS auditor may in some cases recommend a change in procedures, the primary goal is to observe and report when the current process is deficient.

C. The IS auditor should report the lack of daily reconciliation as an exception because a physical inventory count gives assurance only at a point in time and the practice is not in compliance with management’s mandated activity.

D. While the IS auditor may in some cases recommend a solution, the primary goal is to observe and report when the current process is deficient.

Which of the following is an advantage of elliptic curve encryption (ECC) over RSA encryption?

Correct A. Computation speed

B. Ability to support digital signatures

C. Simpler key distribution

D. Message integrity controls

You are correct, the answer is A.

A. The main advantage of elliptic curve encryption (ECC) over RSA encryption is its computation speed. This is due in part to the use of much smaller keys in the ECC algorithm than in RSA.

B. Both encryption methods support digital signatures.

C. Both encryption methods are used for public key encryption and distribution.

D. Both ECC and RSA offer message integrity controls.

During an IS audit, what is the BEST way for an IS auditor to evaluate the implementation of segregation of duties within an IT department?

A. Discuss it with the IT managers.

Incorrect B. Review the job descriptions of the IT functions.

C. Research past IS audit reports.

D. Evaluate the organizational structure.

You answered B. The correct answer is A.

A. Discussing the implementation of segregation of duties with the IT managers is the best way to determine how responsibilities are assigned within the department.

B. Job descriptions may not be the best source of information because they could be outdated or what is documented in the job descriptions may be different from what is actually performed.

C. Past IS audit reports are not the best source of information because they may not accurately describe how IT responsibilities are assigned.

D. Evaluating the organizational structure may give a limited view on the allocation of IT responsibilities. The responsibilities also may have changed over time.

Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power?

A. Power line conditioners

Incorrect B. Surge protective devices

C. Alternative power supplies

D. Interruptible power supplies

You answered B. The correct answer is A.

A. Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment.

B. Surge protection devices protect against high-voltage bursts.

C. Alternative power supplies are intended for power failures that last for longer periods and are normally coupled with other devices such as an uninterruptible power supply (UPS) to compensate for the power loss until the alternate power supply becomes available.

D. An interruptible power supply would cause the equipment to come down whenever there was a power failure.

Which of the following is the GREATEST risk to the effectiveness of application system controls?

A. Removal of manual processing steps

B. Inadequate procedure manuals

C. Collusion between employees

Incorrect D. Unresolved regulatory compliance issues

You answered D. The correct answer is C.

A. Automation should remove manual processing steps wherever possible. The only risk would be the removal of manual security controls without replacement with automated controls.

B. The lack of documentation is a problem on many systems, but not a serious risk in most cases.

C. Collusion is an active attack where users collaborate to bypass controls such as separation of duties. Such breaches may be difficult to identify because even well-thought-out application controls may be circumvented.

D. Unresolved regulatory compliance issues are a risk but do not measure the effectiveness of the controls.

Which of the following is an advantage of prototyping?

A. The finished system normally has strong internal controls.

Correct B. Prototype systems can provide significant time and cost savings.

C. Change control is often less complicated with prototype systems.

D. It ensures that functions or extras are not added to the intended system.

You are correct, the answer is B.

A. Prototyping often has poor internal controls because the focus is primarily on functionality, not on security.

B. Prototype systems can provide significant time and cost savings through better user interaction and the ability to rapidly adapt to changing requirements; however, they also have several disadvantages, including loss of overall security focus, project oversight and implementation of a prototype that is not yet ready for production.

C. Change control becomes much more complicated with prototyping.

D. Prototyping often leads to functions or extras being added to the system that were not originally intended.

A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision?

A. Technical skills and knowledge within the organization related to sourcing and software development

Incorrect B. Privacy requirements as applied to the data processed by the application

C. Whether the legacy system being replaced was developed in-house

D. The users not devoting reasonable time to define the functionalities of the solution

You answered B. The correct answer is A.

A. Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application.

B. Privacy regulations would apply to both solutions.

C. While individuals with knowledge of the legacy system are helpful, they may not have the technical skills to build a new system. Therefore, this is not the primary factor influencing the make vs. buy decision.

D. Unclear business requirements (functionalities) will similarly affect either development process, but are not the primary factor influencing the make vs. buy decision.

An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following would be the GREATEST concern?

A. System administrators use shared accounts which never expire at the hot site.

Correct B. Disk space utilization data is not kept current.

C. Physical security controls at the hot site are less robust than at the main site.

D. Servers at the hot site do not have the same specifications as at the main site.

You are correct, the answer is B.

A. While it is not a best practice for security administrators to share accounts that do not expire, the greater risk in this scenario would be running out of disk space.

B. Not knowing how much disk space is in use and, therefore, how much is needed at the disaster recovery site could create major issues in the case of a disaster.

C. Physical security controls are important and this would be a concern, but the more important concern would be running out of disk space. The particular physical characteristic of the disaster recovery site may call for different controls that may appear to be less robust than the main site; however, such a risk could be addressed through policy and procedures or by adding additional personnel if needed.

D. As long as the servers at the hot site are capable of running the programs that are required in a disaster recovery situation, the precise capabilities of the servers at the hot site are not a major risk. It is necessary to ensure that software configuration and settings match the servers at the main site, but it is not unusual for newer and more powerful servers to exist at the main site for everyday production use while the standby servers are less powerful.

Which of the following test techniques would the IS auditor use to identify specific program logic that has not been tested?

A. A snapshot

Incorrect B. Tracing and tagging

C. Logging

D. Mapping

You answered B. The correct answer is D.

A. A snapshot records the flow of designated transactions through logic paths within programs.

B. Tracing and tagging shows the trail of instructions executed during an application.

C. Logging is the activity of recording specific tasks for future review.

D. Mapping identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed.

When auditing a proxy-based firewall, an IS auditor should:

A. verify that the firewall is not dropping any forwarded packets.

B. review Address Resolution Protocol (ARP) tables for appropriate mapping between media access control (MAC) and Internet protocol (IP) addresses.

C. verify that the filters applied to services such as hypertext transmission protocol (HTTP) are effective.

Incorrect D. test whether routing information is forwarded by the firewall.

You answered D. The correct answer is C.

A. The firewall will permit or deny traffic according to its rules. It should drop unacceptable traffic.

B. Address Resolution Protocol (ARP) tables are used by a switch to map media access control (MAC) addresses to IP addresses. This is not a proxy firewall function.

C. A proxy-based firewall works as an intermediary (proxy) between the service or application and the client. It makes a connection with the client and opens a different connection with the server and, based on specific filters and rules, analyzes all the traffic between the two connections. Unlike a packet-filtering gateway, a proxy-based firewall does not forward any packets. Mapping between MAC and IP addresses is a task for protocols such as address resolution protocol (ARP)/reverse address resolution protocol (RARP).

D. A proxy-based firewall is not used to forward routing information.

Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor’s PRIMARY suggestion for a postimplementation focus should be to:

A. assess whether the planned cost benefits are being measured, analyzed and reported.

B. review control balances and verify that the system is processing data accurately.

C. review the impact of program changes made during the first phase on the remainder of the project.

Incorrect D. determine whether the system’s objectives were achieved.

You answered D. The correct answer is C.

A. While all choices are valid, the postimplementation focus and primary objective should be understanding the impact of the problems in the first phase on the remainder of the project.

B. The review should assess whether the control is working correctly, but should focus on the problems that led to project overruns in budget and time.

C. Because management is aware that the project had problems, reviewing the subsequent impact will provide insight into the types and potential causes of the project issues. This will help to identify whether IT has adequately planned for those issues in subsequent projects.

D. Ensuring that the system works is a primary objective for the IS auditor, but in this case because the project planning was a failure, the IS auditor should focus on the reasons for, and impact of, the failure.

When developing a risk management program, what is the FIRST activity to be performed?

A. Threat assessment

B. Classification of data

Correct C. Inventory of assets

D. Criticality analysis

You are correct, the answer is C.

A. The assets need to be identified first. A listing of the threats that can affect the assets is a later step in the process.

B. Data classification is required for defining access controls and in criticality analysis, but the assets (including data) need to be identified before doing classification.

C. Identification of the assets to be protected is the first step in the development of a risk management program.

D. Criticality analysis is a later step in the process after the assets have been identified.

When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk?

Incorrect A. There is no registration authority (RA) for reporting key compromises.

B. The certificate revocation list (CRL) is not current.

C. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures.

D. Subscribers report key compromises to the certificate authority (CA).

You answered A. The correct answer is B.

A. The certificate authority (CA) can assume the responsibility if there is no registration authority (RA).

B. If the certificate revocation list (CRL) is not current, there could be a digital certificate that is not revoked that could be used for unauthorized or fraudulent activities.

C. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures; therefore, this is not a risk.

D. Subscribers reporting key compromises to the CA is not a risk because reporting this to the CA enables the CA to take appropriate action.

The IS auditor has been informed by the security administrator that the virus scanner is updated in real time. The IS auditor confirms that the virus scanner has been configured to update automatically. What is the NEXT step for the IS auditor to confirm that the control is effective?

A. Confirm the current version of the virus signature file with the vendor.

Incorrect B. Review the log files, and confirm that the virus signature file was updated.

C. Request a confirmation from the security administrator about the most recent update to the virus signature file.

D. The IS auditor’s work is adequate, and no further work is required.

You answered B. The correct answer is A.

A. The IS auditor is able to use externally provided information to confirm that the most recent vendor-provided virus signature file has been automatically updated in the scanner.

B. Reviewing the log files and confirming that the virus signature file was updated only suggests that an update was performed, but not that this is the latest version. The latest version of the virus signature file available should be installed in real time.

C. Confirmation is requested from the security administrator about the most recent update to the virus signature file, and the information is provided internally by the security administrator. It is not as reliable as that from an external source.

D. Inspection only indicates that the control has been implemented and not necessarily that it is operating effectively.

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?

A. Certificate revocation list (CRL)

B. Certification practice statement (CPS)

Incorrect C. Certificate policy (CP)

D. PKI disclosure statement (PDS)

You answered C. The correct answer is B.

A. The certificate revocation list (CRL) is a list of certificates that have been revoked before their scheduled expiration date.

B. The certification practice statement (CPS) is the how-to document used in policy-based public key infrastructure (PKI).

C. The certificate policy (CP) sets the requirements that are subsequently implemented by the CPS.

D. The PKI disclosure statement (PDS) covers critical items such as the warranties, limitations and obligations that legally bind each party.

Facilitating telecommunications continuity by providing redundant combinations of local carrier T-1 lines (E-1 lines in Europe), microwaves and/or coaxial cables to access the local communication loop is:

A. last-mile circuit protection.

B. long-haul network diversity.

Incorrect C. diverse routing.

D. alternative routing.

You answered C. The correct answer is A.

A. The method of providing telecommunication continuity through the use of many recovery facilities, providing redundant combinations of local carrier T-1s, microwave and/or coaxial cable to access the local communication loop in the event of a disaster, is called last-mile circuit protection. This protects the link from the organization to the telecommunication provider—often known as the last mile in the telecommunication service description.

B. Providing diverse long-distance network availability utilizing T-1 circuits among major long-distance carriers is called long-haul network diversity. This ensures long-distance access should any one carrier experience a network failure. This does not apply to the local communication loop.

C. The method of routing traffic through split-cable facilities or duplicate-cable facilities is called diverse routing. This is done by the telecommunication carriers and does not usually refer to diversity of the local loop.

D. Alternative routing is the method of routing information via an alternative medium such as copper cable or fiber optics. Each of the options in the question is a form of alternate routing, but this question asked specifically about the local loop or last mile.

An IS auditor is reviewing the process performed for the protection of digital evidence. Which of the following findings should be of MOST concern to the IS auditor?

A. The owner of the system was not present at the time of the evidence retrieval.

B. The system was powered off by an investigator.

Correct C. There are no documented logs of the transportation of evidence.

D. The contents of the random access memory (RAM) were not backed up.

You are correct, the answer is C.

A. The owner of the system may be present at the time of evidence retrieval, but this is not absolutely necessary. In some cases, the owner could be the subject of the investigation.

B. In most cases, it is required that the investigator power off the machine to create a forensic image of the hard drive, so this is not an issue. Prior to powering off the machine, the investigator would normally photograph what is on the screen of the computer and identify what documents are open and any other information that may be relevant. It is important that the investigator power off the machine rather than performing a shutdown procedure. Many operating systems perform a cleanup of temporary files during shutdown, which potentially would destroy valuable evidence.

C. It is very important that evidence be handled properly through a documented chain of custody and never modified improperly in a physical or, more important, logical manner. The goal of this process is to be able to testify truthfully in court that the technical investigator did not modify the data in any improper manner. If the investigator does not have sufficient documentation of the handling of manual or digital evidence, the defense will try to prevent the admission of evidence based on the fact that it may have been tampered with or modified. Note that legal requirements for digital evidence preservation could vary from country to country, so local laws should be taken into consideration.

D. Depending on the type of system being accessed, it may not be possible to capture an image of the contents of random access memory (RAM).

Which of the following message services provides the STRONGEST evidence that a specific action has occurred?

A. Proof of delivery

Correct B. Nonrepudiation

C. Proof of submission

D. Message origin authentication

You are correct, the answer is B.

A. Proof of delivery can be manipulated by the receiver and is not a trustworthy form of evidence.

B. Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation services are similar to their weaker proof counterparts, i.e., proof of submission, proof of delivery and message origin authentication. However, nonrepudiation provides stronger evidence because the proof can be demonstrated to a third party. Digital signatures are used to provide nonrepudiation.

C. Proof of submission is a weak form of evidence that is not as trusted as nonrepudiation.

D. Message origin authentication will only confirm the source of the message and does not confirm the specific action that has been completed.

Event log entries related to failed local administrator logon attempts are observed by the IS auditor. Which of the following is the MOST likely cause of multiple failed login attempts?

A. Synchronize (SYN) flood attacks

Incorrect B. Social engineering

C. Buffer overflow attacks

D. Malicious code attacks

You answered B. The correct answer is D.

A. A synchronize (SYN) attack is a denial-of-service (DoS) attack on a particular network service and does not attempt to log on to administrator accounts.

B. Social engineering will help in discovering passwords, but it is separate from brute force attacks.

C. A buffer overflow attack is an attack on application coding errors, but will not directly result in multiple logon failures.

D. Malicious code, including brute force, password cracking and Trojans, commonly attempts to log on to administrator accounts.

During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend?

Correct A. Implement a properly documented process for application role change requests.

B. Hire additional staff to provide a segregation of duties (SoD) for application role changes.

C. Implement an automated process for changing application roles.

D. Document the current procedure in detail, and make it available on the enterprise intranet.

You are correct, the answer is A.

A. The IS auditor should recommend implementation of processes that could prevent or detect improper changes from being made to the major application roles. The application role change request process should start and be approved by the business owner; then, the IS director can make the changes to the application.

B. While it is preferred that a strict segregation of duties (SoD) be adhered to and that additional staff be recruited, this practice is not always possible in small enterprises. The IS auditor must look at recommended alternative processes.

C. An automated process for managing application roles may not be practical to prevent improper changes being made by the IS director, who also has the most privileged access to the application.

D. Making the existing process available on the enterprise intranet would not provide any value to protect the system.

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:

A. rules.

Correct B. decision trees.

C. semantic nets.

D. dataflow diagrams.

You are correct, the answer is B.

A. Rules refer to the expression of declarative knowledge through the use of if-then relationships.

B. Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached.

C. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes.

D. A dataflow diagram is used to map the progress of data through a system and examine logic, error handling and data management.

Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis (BIA)?

Correct A. Business process owners

B. IT management

C. Senior business management

D. Industry experts

You are correct, the answer is A.

A. Business process owners have the most relevant information to contribute because the business impact analysis (BIA) is designed to evaluate criticality and recovery time lines, based on business needs.

B. While IT management must be involved, they may not be fully aware of the business processes that need to be protected.

C. While senior management must be involved, they may not be fully aware of the criticality of applications that need to be protected.

D. The BIA is dependent on the unique business needs of the organization and the advice of industry experts is of limited value.

Which of the following distinguishes a business impact analysis (BIA) from a risk assessment?

Incorrect A. An inventory of critical assets

B. An identification of vulnerabilities

C. A listing of threats

D. A determination of acceptable downtime

You answered A. The correct answer is D.

A. An inventory of critical assets is completed in both a risk assessment and a business impact analysis (BIA).

B. An identification of vulnerabilities is relevant in both a risk assessment and a BIA.

C. A listing of threats is relevant both in a risk assessment and a BIA.

D. A determination of acceptable downtime is made only in a BIA.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server?

A. Manually copy files to accomplish replication.

B. Review changes in the software version control system.

Incorrect C. Ensure that developers do not have access to the backup server.

D. Review the access control log of the backup server.

You answered C. The correct answer is B.

A. Even if replication is conducted manually with due care, there still remains a risk of copying unauthorized software from one server to another.

B. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Only moving the versions on the version control system (VCS) program will prevent the transfer of development or earlier versions.

C. If unauthorized code was introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk.

D. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.

During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor’s GREATEST concern?

A. Restoration testing for backup media is not performed; however, all data restore requests have been successful.

B. The policy for data backup and retention has not been reviewed by the business owner for the past three years.

C. The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually.

Incorrect D. Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator.

You answered D. The correct answer is C.

A. Lack of restoration testing does not increase the risk of unauthorized leakage of information. Not performing restoration tests on backup tapes poses a risk; however, this risk is somewhat mitigated because past data restore requests have been successful.

B. Lack of review of the data backup and retention policy may be a concern if systems and business processes have changed in the past three years. The IS auditor should perform additional procedures to verify the validity of existing procedures. In addition, lack of this control does not introduce a risk of unauthorized leakage of information.

C. For a company working with confidential patient data, the loss of a backup tape is a significant incident. Privacy laws specify severe penalties for such an event, and the company’s reputation could be damaged due to mandated reporting requirements. To gain assurance that tapes are being handled properly, the organization should perform audit tests that include frequent physical inventories and an evaluation of the controls in place at the third-party provider.

D. Failed backup alerts that are not followed up on and resolved imply that certain data or files are not backed up. This is a concern if the files/data being backed up are critical in nature, but, typically, marketing data files are not regulated in the same way as medical transcription files. Lack of this control does not introduce a risk of unauthorized leakage of sensitive information.

Which of the following should be an IS auditor’s PRIMARY concern after discovering that the scope of an IS project has changed and an impact study has not been performed?

A. The time and cost implications caused by the change

B. The risk that regression tests will fail

C. Users not agreeing with the change

Incorrect D. The project team not having the skills to make the necessary change

You answered D. The correct answer is A.

A. Any scope change might have an impact on duration and cost of the project; that is the reason why an impact study is conducted and the client is informed of the potential impact on the schedule and cost.

B. A change in scope does not necessarily impact the risk that regression tests will fail.

C. An impact study will not determine whether users will agree with a change in scope.

D. Conducting an impact study could identify a lack of resources such as the project team lacking the skills necessary to make the change; however, this is only part of the impact on the overall time lines and cost to the project due to the change.

A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that:

Incorrect A. the security controls of the application may not meet requirements.

B. the application may not meet the requirements of the business users.

C. the application technology may be inconsistent with the enterprise architecture (EA).

D. the application may create unanticipated support issues for IT.

You answered A. The correct answer is C.

A. While security controls should be a requirement for any application, the primary focus of the enterprise architecture (EA) is to ensure that new applications are consistent with enterprise standards. While the use of standard supported technology may be more secure, this is not the primary benefit of the EA.

B. When selecting an application, the business requirements as well as the suitability of the application for the IT environment must be considered. If the business units selected their application without IT involvement, they would be more likely to choose a solution that fit their business process the best with less emphasis on how compatible and supportable the solution would be in the enterprise, and this would not be a concern.

C. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system (OS) that is not part of the EA for the business, this would increase the cost and complexity of the solution and ultimately deliver less value to the business.

D. While any new software implementation may create support issues, the primary benefit of the EA is ensuring that the IT solutions deliver value to the business. Decreased support costs may be a benefit of the EA, but the lack of IT involvement in this case would not affect the support requirements.

During a data center audit, an IS auditor observes that some parameters in the tape management system are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness?

Correct A. Staging and job setup

B. Supervisory review of logs

C. Regular backup of tapes

D. Offsite storage of tapes

You are correct, the answer is A.

A. If the IS auditor finds that there are effective staging and job setup processes, this can be accepted as a compensating control. Not reading header records may otherwise result in loading the wrong tape and deleting or accessing data on the loaded tape.

B. Supervisory review of logs is a detective control that would not prevent loading of the wrong tapes.

C. Regular tape backup is not related to bypassing tape header records.

D. Offsite storage of tapes would not prevent loading the wrong tape because of bypassing header records.

The goal of IT risk analysis is to:

A. enable the alignment of IT risk management with enterprise risk management (ERM).

Correct B. enable the prioritization of risk responses.

C. satisfy legal and regulatory compliance requirements.

D. identify known threats and vulnerabilities to information assets.

You are correct, the answer is B.

A. Aligning IT risk management with enterprise risk management (ERM) is important to ensure the cost-effectiveness of the overall risk management process. However, risk analysis does not enable such an alignment.

B. Risk analysis is a process by which the likelihood and magnitude of IT risk scenarios are estimated. Risk analysis is conducted to ensure that the information assets with the greatest risk likelihood and impact are managed before addressing risk with a lower likelihood and impact. Prioritization of IT risk helps maximize return on investment for risk responses.

C. Risk analysis evaluates risk on the basis of likelihood and impact and includes financial, environmental, regulatory and other risk. It looks at regulatory risk as one type of risk that the organization faces, but is not specifically designed to satisfy legal and regulatory compliance requirements.

D. Risk analysis occurs after risk identification and evaluation. Risk identification determines known threats and vulnerabilities. Risk evaluation assesses the risk and creates valid risk scenarios. Risk analysis quantifies risk along the vectors of likelihood and impact to facilitate the prioritization of risk responses.

Which of the following is the BEST control to prevent the deletion of audit logs by unauthorized individuals in an organization?

Incorrect A. Actions on log files should be tracked in another log.

B. Write access to audit logs should be disabled.

C. Only select personnel should have rights to view or delete audit logs.

D. Backups of audit logs should be performed periodically.

You answered A. The correct answer is C.

A. Having additional copies of log file activity would not prevent the original log files from being deleted.

B. For servers and applications to operate correctly, write access cannot be disabled.

C. Granting access to audit logs to only system administrators and security administrators would reduce the possibility of these files being deleted.

D. Frequent backups of audit logs would not prevent the logs from being deleted.

An IS auditor is reviewing Secure Sockets Layer (SSL) enabled web sites for the company. Which of the following choices would be the HIGHEST risk?

Incorrect A. Expired digital certificates

B. Self-signed digital certificates

C. Using the same digital certificate for multiple web sites

D. Using 56-bit digital certificates

You answered A. The correct answer is B.

A. An expired certificate leads to blocked access to the web site leading to unwanted downtime. However, there is no loss of data. Therefore, the comparative risk is lower.

B. Self-signed digital certificates are not signed by a certificate authority (CA) and can be created by anyone. Thus, they can be used by attackers to impersonate a web site, which may lead to data theft or perpetrate a man-in-the-middle attack.

C. Using the same digital certificate is not a significant risk. Wildcard digital certificates may be used for multiple subdomain web sites.

D. 56-bit digital certificates may be needed to connect with older versions of operating systems (OSs) or browsers. While they have a lower strength than 128-bit or 256-bit digital certificates, the comparative risk of a self-signed certificate is higher.

A top-down approach to the development of operational policies helps ensure:

A. that they are consistent across the organization.

B. that they are implemented as a part of risk assessment.

C. compliance with all policies.

Incorrect D. that they are reviewed periodically.

You answered D. The correct answer is A.

A. Deriving lower level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies.

B. Policies should be influenced by risk assessment, but the primary reason for a top-down approach is to ensure that the policies are consistent across the organization.

C. A top-down approach, of itself, does not ensure compliance.

D. A top-down approach, of itself, does not ensure that policies are reviewed.

A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:

Incorrect A. validation controls.

B. internal credibility checks.

C. clerical control procedures.

D. automated systems balancing.

You answered A. The correct answer is D.

A. Input and output validation controls are certainly valid controls, but will not detect and report lost transactions.

B. Internal credibility checks are valid controls to detect errors in processing, but will not detect and report lost transactions.

C. A clerical procedure could be used to summarize and compare inputs and outputs; however, an automated process is less susceptible to error.

D. Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction.

An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?

Incorrect A. An audit clause is present in all contracts.

B. The service level agreement (SLA) of each contract is substantiated by appropriate key performance indicators (KPIs).

C. The contractual warranties of the providers support the business needs of the organization.

D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.

You answered A. The correct answer is C.

A. All other choices are important, but the first step is to ensure that the contracts support the business—only then can an audit process be valuable.

B. All service level agreements (SLAs) should be measurable and reinforced through key performance indicators (KPIs)—but the first step is to ensure that the SLAs are aligned with business requirements.

C. The primary requirement is for the services provided by the outsource supplier to meet the needs of the business.

D. Having appropriate controls in place for contract termination is important, but first the IS auditor must be focused on the requirement of the supplier to meet business needs.

The PRIMARY purpose of an IT forensic audit is:

A. to participate in investigations related to corporate fraud.

Correct B. the systematic collection and analysis of evidence after a system irregularity.

C. to assess the correctness of an organization’s financial statements.

D. to preserve evidence of criminal activity.

You are correct, the answer is B.

A. Forensic audits are not limited to corporate fraud.

B. The systematic collection and analysis of evidence best describes a forensic audit. The evidence collected could then be analyzed and used in judicial proceedings.

C. Assessing the correctness of an organization’s financial statements is not the primary purpose of most forensic audits.

D. Forensics is the investigation of evidence related to a crime or misbehavior. Preserving evidence is the forensic process, but not the primary purpose.

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?

A. Delete all copies of the unauthorized software.

B. Inform the auditee of the unauthorized software, and follow up to confirm deletion.

C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management.

Incorrect D. Warn the end users about the risk of using illegal software.

You answered D. The correct answer is C.

A. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing the unauthorized software.

B. The IS auditor should report the violation and request a response, but the nature of the response—whether to delete the software or not (perhaps license it instead)—is a decision of management.

C. The use of unauthorized or illegal software should be prohibited by an organization. An IS auditor must convince the user and user management of the risk and the need to eliminate the risk. For example, software piracy can result in exposure and severe fines.

D. Auditors must report material findings to management for action. Informing the users of risk is not the primary responsibility of the IS auditor.

Which of the following is the MOST likely benefit of implementing a standardized infrastructure?

Correct A. Improved cost-effectiveness of IT service delivery and operational support

B. Increased security of the IT service delivery center

C. Reduced level of investment in the IT infrastructure

D. Reduced need for testing future application changes

You are correct, the answer is A.

A. A standardized IT infrastructure provides a consistent set of platforms and operating systems across the organization. This standardization reduces the time and effort required to manage a set of disparate platforms and operating systems. In addition, the implementation of enhanced operational support tools (e.g., password management tools, patch management tools and auto provisioning of user access) is simplified. These tools can help the organization reduce the cost of IT service delivery and operational support.

B. A standardized infrastructure results in a more homogeneous environment, which is more prone to attacks.

C. While standardization can reduce support costs, the transition to a standardized kit can be expensive; therefore, the overall level of IT infrastructure investment is not likely to be reduced.

D. A standardized infrastructure may simplify testing of changes, but it does not reduce the need for such testing.

An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk?

A. Undocumented approval of some project changes

B. Faulty migration of historical data from the old system to the new system

Incorrect C. Incomplete testing of the standard functionality of the ERP subsystem

D. Duplication of existing payroll permissions on the new ERP subsystem

You answered C. The correct answer is B.

A. Undocumented changes (leading to scope creep) are a risk, but the greatest risk is the loss of data integrity when migrating data from the old system to the new system.

B. The most significant risk after a payroll system conversion is loss of data integrity and not being able to pay employees in a timely and accurate manner or have records of past payments. As a result, maintaining data integrity and accuracy during migration is paramount.

C. A lack of testing is always a risk; however, in this case, the new payroll system is a subsystem of an existing (and therefore probably well-tested) system.

D. Setting up the new system, including access permissions and payroll data, always presents some level of risk; however, the greatest risk is related to the migration of data from the old system to the new system.

When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and business unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain successful results and avoid future conflicts?

Correct A. Ensure that the IT security risk assessment has a clearly defined scope.

B. Require the IT security officer to approve each risk rating during the workshop.

C. Suggest that the IT security officer accept the business unit risk and rating.

D. Select only commonly accepted risk with the highest submitted rating.

You are correct, the answer is A.

A. The IT risk assessment should have a clearly defined scope to be efficient and meet the objectives of risk identification. The IT risk assessment should include relationships with risk assessments in other areas, if appropriate.

B. It is most likely that the IT security officer is not in a position to approve risk ratings, and the results of the workshop may need to be compiled and analyzed following the workshop, making approval during the workshop improbable.

C. The facilitator of the workshop should encourage input from all parties without causing embarrassment or intimidation. However, the IT security officer is not expected to accept risk—that is a senior management function.

D. The purpose of a workshop is to brainstorm and draw out the input of all participants, not just to address commonly accepted risk.

Emergency changes that bypass the normal change control process are MOST acceptable if:

Correct A. management reviews and approves the changes after they have occurred.

B. the changes are reviewed by a peer at the time of the change.

C. the changes are documented in the change control system by the operations department.

D. management has preapproved all emergency changes.

You are correct, the answer is A.

A. Because management cannot always be available when a system failure occurs, it is acceptable for changes to be reviewed and approved within a reasonable time period after they occur.

B. Although peer review provides some accountability, management should review and approve all changes, even if that review and approval must occur after the fact.

C. Documenting the event does not replace the need for a review and approval process to occur.

D. It is not a good control practice for management to ignore its responsibility by preapproving all emergency changes in advance without reviewing them. Unauthorized changes could then be made without management’s knowledge.

When developing a business continuity plan (BCP), which of the following tools should be used to gain an understanding of the organization’s business processes?

A. Business continuity self-audit

B. Resource recovery analysis

C. Risk assessment

Incorrect D. Gap analysis

You answered D. The correct answer is C.

A. Business continuity self-audit is a tool for evaluating the adequacy of the business continuity plan (BCP), but not for gaining an understanding of the business.

B. Resource recovery analysis is a tool for identifying the components necessary for a business resumption strategy, but not for gaining an understanding of the business.

C. Risk assessment and business impact assessment are tools for understanding the business as a part of BCP.

D. The role gap analysis can play in BCP is to identify deficiencies in a plan, not to gain an understanding of the business.

Which of the following is the MOST efficient way to test the design effectiveness of a change control process?

Incorrect A. Test a sample population of change requests

B. Test a sample of authorized changes

C. Interview personnel in charge of the change control process

D. Perform an end-to-end walk-through of the process

You answered A. The correct answer is D.

A. Testing a sample population of changes is a test of operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design.

B. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization or detect changes that bypassed the controls.

C. Interviewing personnel in charge of the change control process is not as effective as a walk-through of the change control process because people may know the process but not follow it.

D. Observation is the best and most effective method to test changes to ensure that the process is effectively designed.

An IS auditor is reviewing the most recent disaster recovery plan (DRP) of an organization. Which approval is the MOST important when determining the availability of system resources required for the plan?

A. Executive management

Correct B. IT management

C. Board of directors

D. Steering committee

You are correct, the answer is B.

A. Although executive management’s approval is essential, the IT department is responsible for managing system resources and their availability as related to disaster recovery (DR).

B. Because a disaster recovery plan (DRP) is based on the recovery and provisioning of IT services, IT management’s approval would be most important to verify that the system resources will be available in the event that a disaster event is triggered.

C. The board of directors may review and approve the DRP, but the IT department is responsible for managing system resources and their availability as related to DR.

D. The steering committee would determine the requirements for disaster recovery (recovery time objective [RTO] and recovery point objective [RPO]); however, the IT department is responsible for managing system resources and their availability as related to DR.

An IS auditor performing a review of a major software development project finds that it is on schedule and under budget even though the software developers have worked considerable amounts of unplanned overtime. The IS auditor should:

A. conclude that the project is progressing as planned because dates are being met.

B. question the project manager further to identify whether overtime costs are being tracked accurately.

C. conclude that the programmers are intentionally working slowly to earn extra overtime pay.

Correct D. investigate further to determine whether the project plan may not be accurate.

You are correct, the answer is D.

A. Even though the project is on time and budget, there may be problems with the project plan because considerable amounts of unplanned overtime have been required.

B. There is a possibility that the project manager has hidden some costs to make the project look better; however, the real problem may be with whether the project plan is realistic, not just the accounting.

C. It is possible that the programmers are trying to take advantage of the time system, but if the overtime has been required to keep the project on track it is more likely that the timelines and expectations of the project are unrealistic.

D. While the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project plan is based on a certain number of hours, and requiring programmers to work considerable overtime is not a best practice. While overtime costs may be an indicator that something is wrong with the plan, in many organizations the programming staff may be salaried, so overtime costs may not be directly recorded.

An IS auditor is told by IS management that the organization has recently reached the highest level of the software capability maturity model (CMM). The software quality process MOST recently added by the organization is:

Correct A. continuous improvement.

B. quantitative quality goals.

C. a documented process.

D. a process tailored to specific projects.

You are correct, the answer is A.

A. An organization would have reached the highest level of the software CMM at level 5, optimizing.

B. Quantitative quality goals can be reached at level 4 and below.

C. A documented process is executed at level 3 and below.

D. A process tailored to specific projects can be achieved at level 2 or below.

What should an organization do before providing an external agency physical access to its information processing facilities (IPFs)?

A. The processes of the external agency should be subjected to an IS audit by an independent agency.

Incorrect B. Employees of the external agency should be trained on the security procedures of the organization.

C. Any access by an external agency should be limited to the demilitarized zone (DMZ).

D. The organization should conduct a risk assessment and design and implement appropriate controls.

You answered B. The correct answer is D.

A. The processes of the external agency are not of concern here. It is the agency’s interaction with the organization that needs to be protected. Auditing their processes would not be relevant in this scenario.

B. Training the employees of the external agency may be one control procedure, but could be performed after access has been granted.

C. Sometimes an external agency may require access to the processing facilities beyond common areas. For example, an agency that undertakes maintenance of servers may require access to the main server room.

D. Physical access of information processing facilities (IPFs) by an external agency introduces additional threats into an organization. Therefore, a risk assessment should be conducted and controls designed accordingly.

Which audit technique provides the BEST evidence of the segregation of duties in an IS department?

A. Discussion with management

B. Review of the organization chart

C. Observation and interviews

Incorrect D. Testing of user access rights

You answered D. The correct answer is C.

A. Management may not be aware of the detailed functions of each employee in the IS department, and they may not be aware whether the controls are being followed. Therefore, discussion with the management would provide only limited information regarding segregation of duties.

B. An organization chart would not provide details of the functions of the employees or whether the controls are working correctly.

C. Based on the observations and interviews, the IS auditor can evaluate the segregation of duties. By observing the IS staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IS staff, the auditor can get an overview of the tasks performed.

D. Testing of user rights would provide information about the rights they have within the IS systems, but would not provide complete information about the functions they perform.

Due to changes in IT, the disaster recovery plan (DRP) of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested?

A. Catastrophic service interruption

B. High consumption of resources

Incorrect C. Total cost of the recovery may not be minimized

D. Users and recovery teams may face severe difficulties when activating the plan

You answered C. The correct answer is A.

A. If a new disaster recovery plan (DRP) is not tested, the possibility of a catastrophic service interruption that the organization cannot recover from is the most critical of all risk.

B. A DRP that has not been tested may lead to a higher consumption of resources than expected, but that is not the most critical risk.

C. An untested DRP may be inefficient and lead to extraordinary costs, but the most serious risk is the failure of critical services.

D. Testing educates users and recovery teams so that they can effectively execute the DRP, but the most critical risk is the failure of core business services.

When are errors in the process of granting logical access to a financial accounting application MOST likely to be identified?

Incorrect A. During an IS audit

B. After implementation of an identity management solution

C. During account reconciliations

D. During periodic review of access by the business owner

You answered A. The correct answer is D.

A. While an IS audit may identify instances of inappropriate access, it should be the business owner who would identify that issue first.

B. Presence of an identity management application is not a prerequisite for carrying out a review of the access list.

C. Account reconciliations assess the validity, correctness or appropriateness of the account balance at a specific point in time, but do not review user access privileges.

D. Periodic review of the access list by the business owner should determine whether errors in granting access have occurred.

During a postimplementation review, which of the following activities should be performed?

Incorrect A. User acceptance testing (UAT)

B. Return on investment (ROI) analysis

C. Activation of audit trails

D. Updates of the state of enterprise architecture (EA) diagrams

You answered A. The correct answer is B.

A. User acceptance testing (UAT) should be performed prior to the implementation (perhaps during the development phase), not after the implementation.

B. Following implementation, a cost-benefit analysis or return on investment (ROI) should be re-performed to verify that the original business case benefits are delivered.

C. The audit trail should be activated during the implementation of the application.

D. While updating the enterprise architecture (EA) diagrams is a best practice, it would not normally be part of a postimplementation review.

Which of the following can be used to help ensure confidentiality of transmitted data? Encrypting the:

Incorrect A. message digest with the sender’s private key.

B. session key with the sender’s public key.

C. message with the receiver’s private key.

D. session key with the receiver’s public key.

You answered A. The correct answer is D.

A. This will ensure authentication and nonrepudiation.

B. This will make the message accessible to only the sender.

C. Ideally, a sender cannot have access to a receiver’s private key.

D. Access to the session key can only be obtained using the receiver’s private key.

An organization is planning to deploy an outsourced cloud-based application that is used to track job applicant data for the human resources (HR) department. Which of the following should be the GREATEST concern to an IS auditor?

A. The service level agreement (SLA) ensures strict limits for uptime and performance.

Incorrect B. The cloud provider will not agree to an unlimited right-to-audit as part of the SLA.

C. The SLA is not explicit regarding the disaster recovery plan (DRP) capabilities of the cloud provider.

D. The cloud provider’s data centers are in multiple cities and countries.

You answered B. The correct answer is D.

A. While this application may have strict requirements for availability, it is assumed that the service level agreement (SLA) would contain these same elements; therefore, this is not a concern.

B. The right-to-audit clause is good to have, but there are limits on how a cloud service provider may interpret this requirement. The task of reviewing and assessing all the controls in place at a multinational cloud provider would likely be a costly and time-consuming exercise; therefore, such a requirement may be of limited value.

C. Because the SLA would normally specify uptime requirements, the means used to achieve those goals (which would include the specific disaster recovery plan (DRP) capabilities of the provider) are typically not reviewed in depth by the customer, nor are they typically specified in an SLA.

D. Having data in multiple countries is the greatest concern because human resources (HR) applicant data could contain personally identifiable information (PII). There may be legal compliance issues if these data are stored in a country with different laws regarding data privacy. While the organization would be bound by the privacy laws where it is based, it may not have legal recourse if a data breach happens in a jurisdiction where the same laws do not apply.

An appropriate control for ensuring the authenticity of orders received in an electronic data interchange (EDI) system application is to:

A. acknowledge receipt of electronic orders with a confirmation message.

B. perform reasonableness checks on quantities ordered before filling orders.

Correct C. verify the identity of senders and determine if orders correspond to contract terms.

D. encrypt electronic orders.

You are correct, the answer is C.

A. Acknowledging the receipt of electronic orders with a confirming message is good practice, but will not authenticate orders from customers.

B. Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the company’s orders, not the authenticity of its customers’ orders.

C. An electronic data interchange (EDI) system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern.

D. Encrypting sensitive messages is an appropriate step but does not prove authenticity of messages received.

Which of the following BEST encrypts data on mobile devices?

Correct A. Elliptical curve cryptography (ECC)

B. Data encryption standard (DES)

C. Advanced encryption standard (AES)

D. The Blowfish algorithm

You are correct, the answer is A.

A. Elliptical curve cryptography (ECC) requires limited bandwidth resources and is suitable for encrypting mobile devices.

B. Data encryption standard (DES) uses less processing power when compared with advanced encryption standard (AES), but ECC is more suitable for encrypting data on mobile devices.

C. AES is a symmetric algorithm and has the problem of key management and distribution. ECC is an asymmetric algorithm and is better suited for a mobile environment.

D. The use of the Blowfish algorithm consumes too much processing power.

Which of the following provides the GREATEST assurance of message authenticity?

A. The hash code is derived mathematically from the message being sent.

Correct B. The hash code is encrypted using the sender’s private key.

C. The hash code and the message are encrypted using the secret key.

D. The sender obtains the recipient’s public key and verifies the authenticity of its digital certificate with a certificate authority.

You are correct, the answer is B.

A. The hash itself proves integrity, but unless it is protected by signing it with a private key it can be altered in transit.

B. Encrypting the hash code using the sender’s private key provides assurance of the authenticity of the message and prevents anyone from being able to alter the hash code.

C. Encrypting the hash and the message will provide confidentiality of the message and protect the hash from alteration, but will not provide proof of origin or authenticity of the sender because the secret key is shared by both the sender and receiver.

D. If a sender uses the receiver’s public key, that will provide confidentiality, but it will not ensure authenticity of the sender.

An IS auditor reviewing an accounts payable system discovers that audit logs are not being reviewed. When this issue is raised with management the response is that additional controls are not necessary because effective system access controls are in place. The BEST response the auditor can make is to:

A. review the integrity of system access controls.

B. accept management’s statement that effective access controls are in place.

Correct C. stress the importance of having a system control framework in place.

D. review the background checks of the accounts payable staff.

You are correct, the answer is C.

A. Reviewing the system access controls is important but system access controls are preventive in nature and will not detect malfeasance by staff.

B. An auditor should not accept management’s statement without validating the controls and explaining the associated risk.

C. Experience has demonstrated that reliance purely on preventive controls is dangerous. Preventive controls may not prove to be as strong as anticipated or their effectiveness can deteriorate over time. Evaluating the cost of controls versus the quantum of risk is a valid management concern. However, in a high-risk system a comprehensive control framework is needed. Intelligent design should permit additional detective and corrective controls to be established that do not have high ongoing costs, e.g., automated interrogation of logs to highlight suspicious individual transactions or data patterns. Effective access controls are, in themselves, a positive but, for reasons outlined previously, may not sufficiently compensate for other control weaknesses. In this situation, the IS auditor needs to be proactive. The IS auditor has a fundamental obligation to point out control weaknesses that give rise to unacceptable risk to the organization and work with management to have these corrected.

D. Reviewing background checks on accounts payable staff does not provide evidence that fraud will not occur.

If a database is restored using before-image dumps, where should the process begin following an interruption?

A. Before the last transaction

B. After the last transaction

Incorrect C. As the first transaction after the latest checkpoint

D. As the last transaction before the latest checkpoint

You answered C. The correct answer is A.

A. If before images are used, the last transaction in the dump will not have updated the database prior to the dump being taken.

B. The last transaction will not have updated the database and must be reprocessed.

C. Program checkpoints are irrelevant in this situation. Checkpoints are used in application failures.

D. Program checkpoints are irrelevant in this situation. Checkpoints are used in application failures.

An IS auditor reviewing the information security policies should verify whether information security management roles and responsibilities are communicated to which of the following?

Incorrect A. Functional heads

B. Organizational users

C. The IT steering committee

D. IS security management

You answered A. The correct answer is B.

A. The responsibility to follow information security policies is an obligation for all users, not just functional heads.

B. All of the roles and responsibilities relating to IS security management should be defined. Documented responsibilities and accountabilities must be established and communicated to all enterprise users. The responsibilities may be defined by position (based on organizational structure), but should include all enterprise users.

C. Everyone must be aware of, and follow, policies, not just the IT steering committee.

D. It would not be sufficient to communicate the IS security policies to only the select groups noted in the other options because the policies relate to the entire enterprise.

Which of the following is the BEST way to minimize unauthorized access to unattended end-user PC systems?

A. Using a password-protected screen saver

B. Using auto logoff when a user leaves the system

Incorrect C. Terminating a user session at predefined intervals

D. Switching off the monitor so the screen is blank

You answered C. The correct answer is A.

A. A password-protected screen saver with a proper time interval is the best measure to prevent unauthorized access to unattended end-user systems.

B. There are tools that will lock out a machine when a user steps away from their desk, and those would be suitable here; however, those tools are a more expensive solution, involving smart cards and extra hardware, than a password-protected screen saver.

C. Terminating user sessions is often done for remote login (periodic re-authentication) or after a certain amount of inactivity on a web session, but that would not work effectively as an internal control, except as a screen saver.

D. Switching off the monitor would not be a solution because the monitor could simply be switched on.

A risk assessment is being performed on an application that is beginning to be developed. What is MOST important to determine prior to recommending security controls?

A. Role-based access controls (RBACs)

Incorrect B. Current privacy laws

C. Data classification

D. The data hosting location

You answered B. The correct answer is C.

A. Role-based access controls (RBACs) would be determined after the data have been classified to ensure that the data are protected appropriately.

B. Understanding current privacy laws is important, but understanding the type of data is most important because privacy laws may not apply. To ensure that appropriate controls are applied, a data classification structure needs to be in place first.

C. Data classification is most important because without a good understanding of the type of data contained within the application, security controls may not be appropriate. Data classification is the assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise.

D. Determining the data location, such as a cloud service provider or an offshore vendor, may increase or decrease the needed security controls, but this would be reliant on the type of data.

When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST ensure that:

A. a clear business case has been approved by management.

B. corporate security standards will be met.

C. users will be involved in the implementation plan.

Incorrect D. the new system will meet all required user functionality.

You answered D. The correct answer is A.

A. The first concern of an IS auditor should be to ensure that the proposal meets the needs of the business, and this should be established by a clear business case.

B. Compliance with security standards is essential, but it is too early in the procurement process for this to be an IS auditor’s first concern.

C. Having users involved in the implementation process is essential, but it is too early in the procurement process for this to be an IS auditor’s first concern.

D. Meeting the needs of the users is essential, and this should be included in the business case presented to management for approval.

Which of the following choices would be the BEST source of information when developing a risk-based audit plan?

Incorrect A. Process owners identify key controls.

B. System custodians identify vulnerabilities.

C. Peer auditors understand previous audit results.

D. Senior management identify key business processes.

You answered A. The correct answer is D.

A. While process owners should be consulted to identify key controls, senior management would be a better source to identify business processes, which are more important.

B. System custodians would be a good source to better understand the risk and controls as they apply to specific applications; however, senior management would be a better source to identify business processes, which are more important.

C. The review of previous audit results is one input into the audit planning process; however, if previous audits focused on a limited or a restricted scope, or if the key business processes have changed and/or new business processes have been introduced, then this would not contribute to the development of a risk-based audit plan.

D. Developing a risk-based audit plan must start with the identification of key business processes, which will determine and identify the risk that needs to be addressed.

An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the:

Incorrect A. IS department implement control mechanisms to prevent unauthorized software installation.

B. security policy be updated to include specific language regarding unauthorized software.

C. IS department prohibit the download of unauthorized software.

D. users obtain approval from an IS manager before installing nonstandard software.

You answered A. The correct answer is B.

A. An IS auditor’s obligation is to report on observations noted and make the best recommendation, which is to address the situation through policy. The IS department cannot implement controls in the absence of the authority provided through policy.

B. Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue—and provide authority for the IS department to implement technical controls.

C. Preventing downloads of unauthorized software is not the complete solution. Unauthorized software can be also introduced through compact discs (CDs) and universal serial bus (USB) drives.

D. Requiring approval from the IS manager before installation of the nonstandard software is an exception handling control. It would not be effective unless a preventive control to prohibit user installation of unauthorized software is established first.

Which of the following would have the HIGHEST priority in a business continuity plan (BCP)?

Correct A. Resuming critical processes

B. Recovering sensitive processes

C. Restoring the site

D. Relocating operations to an alternative site

You are correct, the answer is A.

A. The resumption of critical processes has the highest priority because it enables business processes to begin immediately after the interruption and not later than the maximum tolerable period of disruption (MTPD) or maximum tolerable downtime (MTD).

B. Recovery of sensitive processes refers to recovering the vital and sensitive processes that can be performed manually at a tolerable cost for an extended period of time and those that are not marked as high priority.

C. Repairing and restoring the site to original status and resuming the business operations are time-consuming operations and are not the highest priority.

D. Relocating operations to an alternative site, either temporarily or permanently depending on the interruption, is a time-consuming process; moreover, relocation may not be required.

Which of the following should be the FIRST action of an IS auditor during a dispute with a department manager over audit findings?

A. Retest the control to validate the finding.

Incorrect B. Engage a third party to validate the finding.

C. Include the finding in the report with the department manager’s comments.

D. Revalidate the supporting evidence for the finding.

You answered B. The correct answer is D.

A. Retesting the control would normally occur after the evidence has been revalidated.

B. While there are cases where a third party may be needed to perform specialized audit procedures, an IS auditor should first revalidate the supporting evidence to determine whether there is a need to engage a third party.

C. Before putting a disputed finding or management response in the audit report, the IS auditor should take care to review the evidence used in the finding to ensure audit accuracy.

D. Conclusions drawn by an IS auditor should be adequately supported by evidence, and any compensating controls or corrections pointed out by a department manager should be taken into consideration. Therefore, the first step would be to revalidate the evidence for the finding. If, after revalidating and retesting, there are unsettled disagreements, those issues should be included in the report.

During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern?

A. Maximum acceptable downtime metrics have not been defined in the contract.

B. The IT department does not manage the relationship with the cloud vendor.

C. The help desk call center is in a different country, with different privacy requirements.

Correct D. Company-defined security policies are not applied to the cloud application.

You are correct, the answer is D.

A. Maximum acceptable downtime is a good metric to have in the contract to ensure application availability; however, HR applications are usually not mission-critical and, therefore, maximum acceptable downtime is not the most significant concern in this scenario.

B. The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team; however, it is not essential that the individual or team belong to the IT department.

C. A company-defined security policy would ensure that help desk personnel would not have access to personnel data, and this would be covered under the security policy. The more critical issue would be that the application complied with the security policy.

D. Cloud applications should adhere to the company-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.

An organization bought a new system to integrate its human resources (HR) and payroll systems. Which of the following tests ensures that the new system can operate successfully with existing systems?

A. Parallel testing

B. Pilot testing

C. Sociability testing

Incorrect D. Integration testing

You answered D. The correct answer is C.

A. Parallel testing is the process of feeding data into two systems—the modified system and an alternate system—and computing the results in parallel. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions.

B. Pilot testing takes place first at one location and is then extended to other locations. The purpose is to see whether the new system operates satisfactorily in one place before implementing it at other locations.

C. The purpose of sociability testing is to ensure that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interface with other systems, as well as changes to the desktop in a client-server or web development.

D. Integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure. In this case, the tests are not necessarily between systems that interact with one another, so sociability testing is a better answer.

An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site are transferred to both the delivery and accounting systems?

A. Transaction totals are recorded on a daily basis in the sales systems. Daily sales system totals are aggregated and totaled.

Correct B. Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for.

C. Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected.

D. System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp.

You are correct, the answer is B.

A. Totaling transactions on the sales system does not address the transfer of data from the online systems to the accounting system, but rather considers only the sales system.

B. Automatic numerical sequencing is the only option that accounts for completeness of transactions because any missing transactions would be identified by a gap.

C. Checking for duplicates is a valid control; however, it does not address whether the sales transactions processed are complete (ensuring that all transactions are recorded).

D. A date/time stamp does not help account for transactions that are missing or incomplete by the accounting and delivery department.

An IS auditor discovers that, in many cases, a username and password are the same, which is contrary to policy. What is the BEST recommendation?

A. Modify the enterprise’s security policy.

Incorrect B. Educate users about the risk of weak passwords.

C. Require a periodic review of matching user IDs and passwords for detection and correction.

D. Change the system configuration to enforce strong passwords.

You answered B. The correct answer is D.

A. Changing the enterprise’s security policy provides information to users, but does little to enforce this control.

B. Educating users about the risk of weak passwords will not enforce the policy.

C. Requiring a periodic review of matching user IDs and passwords for detection and ensuring correction is a detective control.

D. The best control is a preventive control through validation at the time the password is created or changed.

A lower recovery time objective (RTO) results in:

A. higher disaster tolerance.

Correct B. higher cost.

C. wider interruption windows.

D. more permissive data loss.

You are correct, the answer is B.

A. Disaster tolerance relates to the length of time that critical business processes can be interrupted. A higher disaster tolerance allows for a longer outage and, therefore, a longer recovery time.

B. Recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies.

C. The lower the disaster tolerance, the narrower the interruption windows. The interruption window is the length of the outage of critical processes.

D. Permissive data loss relates to recovery point objective (RPO), not disaster tolerance.

While planning an IS audit, an assessment of risk should be made to provide:

Correct A. reasonable assurance that the audit will cover material items.

B. definite assurance that material items will be covered during the audit work.

C. reasonable assurance that all items will be covered by the audit.

D. sufficient assurance that all items will be covered during the audit work.

You are correct, the answer is A.

A. ISACA IS Audit and Assurance Guideline 2202 on Risk Assessment in Planning states that the applied risk assessment approach should help with the prioritization and scheduling process of the IS audit and assurance work. It should support the selection process of areas and items of audit interest and the decision process to design and conduct particular IS audit engagements.

B. Definite assurance that material items will be covered during the audit work is an impractical proposition.

C. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as primarily it is material items that need to be covered, not all items.

D. Sufficient assurance that all items will be covered is not as important as ensuring that the audit will cover all material items.

Transmitting redundant information with each character or frame to facilitate detection and correction of errors is called a:

Incorrect A. feedback error control.

B. block sum check.

C. forward error control.

D. cyclic redundancy check.

You answered A. The correct answer is C.

A. In feedback error control, only enough additional information is transmitted so the receiver can identify that an error has occurred.

B. Block sum check is an extension of parity check wherein an additional set of parity bits is computed for a block of characters. This is a detection method, not an error correction method.

C. Forward error control involves transmitting additional redundant information with each character or frame to facilitate detection and correction of errors.

D. A cyclic redundancy check is a technique wherein a single set of check digits is generated, based on the contents of the frame, for each frame transmitted. This is a detection method, not an error correction method.

A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that:

Incorrect A. the security controls of the application may not meet requirements.

B. the application may not meet the requirements of the business users.

C. the application technology may be inconsistent with the enterprise architecture (EA).

D. the application may create unanticipated support issues for IT.