Wednesday 2 March 2016

CISA Question Bank-2



Please note that the questions below are freely available on the net. They have been collated domain-wise for easy reference by CISA aspirants.


1. The development of an IS security policy is ultimately the responsibility of the:
A. IS department.
B. security committee.
C. security administrator.
D. board of directors.
The correct answer is:
D. board of directors.
Explanation:
Normally, the designing of an information systems security policy is the responsibility of top
management or the board of directors. The IS department is responsible for the execution of the
policy, having no authority in framing the policy. The security committee also functions within
the broad security policy framed by the board of directors. The security administrator is
responsible for implementing, monitoring and enforcing the security rules that management has
established and authorized.
..........................................................................................................
2. To minimize costs and improve service levels an outsourcer should seek which of the
following contract clauses?
A. O/S and hardware refresh frequencies
B. Gain-sharing performance bonuses
C. Penalties for noncompliance
D. Charges tied to variable cost metrics
The correct answer is:
B. Gain-sharing performance bonuses
Explanation:
Because the outsourcer will share a percentage of the achieved savings, gain-sharing
performance bonuses provide a financial incentive to go above and beyond the stated terms of
the contract and can lead to cost savings for the client. Refresh frequencies and penalties for
noncompliance would only encourage the outsourcer to meet minimum requirements. Similarly,
tying charges to variable cost metrics would not encourage the outsourcer to seek additional
efficiencies that might benefit the client.
..........................................................................................................
3. Involvement of senior management is MOST important in the development of:
A. strategic plans.
B. IS policies.
C. IS procedures.
D. standards and guidelines.
The correct answer is:
A. strategic plans.
Explanation:
Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives.
Involvement of senior management is critical to ensuring that the plan adequately addresses the
established goals and objectives. IS policies, procedures, standards and guidelines are all
structured to support the overall strategic plan.
..........................................................................................................
4. An IS auditor should be concerned when a telecommunication analyst:
A. monitors systems performance and tracks problems resulting from program changes.
B. reviews network load requirements in terms of current and future transaction volumes.
C. assesses the impact of the network load on terminal response times and network data
transfer rates.
D. recommends network balancing procedures and improvements.
The correct answer is:
A. monitors systems performance and tracks problems resulting from program changes.
Explanation:
The responsibilities of a telecommunications analyst include reviewing network load
requirements in terms of current and future transaction volumes (choice B), assessing the impact
of network load on terminal response times and network data transfer rates (choice C), and
recommending network balancing procedures and improvements (choice D). Monitoring systems
performance and tracking problems as a result of program changes (choice A) would put the
analyst in a self-monitoring role.
..........................................................................................................
5. The output of the risk management process is an input for making:
A. business plans.
B. audit charters.
C. security policy decisions.
D. software design decisions.
The correct answer is:
C. security policy decisions.
Explanation:
The risk management process is about making specific, security-related decisions, such as the
level of acceptable risk. Choices A, B and D are not ultimate goals of the risk management
process.
..........................................................................................................
6. The risks associated with electronic evidence gathering would MOST likely be reduced
by an e-mail:
A. destruction policy.
B. security policy.
C. archive policy.
D. audit policy.
The correct answer is:
C. archive policy.
Explanation:
With a policy of well-archived e-mail records, access to or retrieval of specific e-mail records is
possible without disclosing other confidential e-mail records. Security and/or audit policies
would not address the efficiency of record retrieval, and destroying e-mails may be an illegal act.
..........................................................................................................
7. An IT steering committee should review information systems PRIMARILY to assess:
A. whether IT processes support business requirements.
B. if proposed system functionality is adequate.
C. the stability of existing software.
D. the complexity of installed technology.
The correct answer is:
A. whether IT processes support business requirements.
Explanation:
The role of an IT steering committee is to ensure that the IS department is in harmony with the
organization's mission and objectives. To ensure this, the committee must determine whether IS
processes support the business requirements. Assessing proposed additional functionality and
evaluating software stability and the complexity of technology are too narrow in scope to ensure
that IT processes are, in fact, supporting the organization's goals.
..........................................................................................................
8. An IS auditor reviewing an organization's IT strategic plan should FIRST review:
A. the existing IT environment.
B. the business plan.
C. the present IT budget.
D. current technology trends.
The correct answer is:
B. the business plan.
Explanation:
The IT strategic plan exists to support the organization's business plan. To evaluate the IT
strategic plan, the IS auditor would first need to familiarize him/herself with the business plan.
..........................................................................................................
9. As an outcome of information security governance, strategic alignment provides:
A. security requirements driven by enterprise requirements.
B. baseline security following best practices.
C. institutionalized and commoditized solutions.
D. an understanding of risk exposure.
The correct answer is:
A. security requirements driven by enterprise requirements.
Explanation:
Information security governance, when properly implemented, should provide four basic
outcomes. They are strategic alignment, value delivery, risk management and performance
measurement. Strategic alignment provides input for security requirements driven by enterprise
requirements. Value delivery provides a standard set of security practices, i.e., baseline security
following best practices or institutionalized and commoditized solutions. Risk management
provides an understanding of risk exposure.
..........................................................................................................
10. A team conducting a risk analysis is having difficulty projecting the financial losses that
could result from a risk. To evaluate the potential losses, the team should:
A. compute the amortization of the related assets.
B. calculate a return on investment (ROI).
C. apply a qualitative approach.
D. spend the time needed to define exactly the loss amount.
The correct answer is:
C. apply a qualitative approach.
Explanation:
The common practice, when it is difficult to calculate the financial losses, is to take a qualitative
approach, in which the manager affected by the risk defines the financial loss in terms of a
weighted factor (e.g., one is a very low impact to the business and five is a very high impact). An
ROI is computed when there is predictable savings or revenues that can be compared to the
investment needed to realize the revenues. Amortization is used in a profit and loss statement,
not in computing potential losses. Spending the time needed to define the exact total amount is
normally the wrong approach. If it has been difficult to estimate potential losses (e.g., losses
derived from erosion of public image due to a hack attack), that situation is not likely to change,
and at the end of the day the result will be a poorly supported evaluation.
..........................................................................................................
11. The IT balanced scorecard is a business governance tool intended to monitor IT
performance evaluation indicators other than:
A. financial results.
B. customer satisfaction.
C. internal process efficiency.
D. innovation capacity.
The correct answer is:
A. financial results.
Explanation:
Financial results have traditionally been the sole overall performance metric. The IT balanced
scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance
evaluation indicators other than financial results. The IT BSC considers other key success
factors, such as customer satisfaction, innovation capacity and processing.
..........................................................................................................
12. Establishing the level of acceptable risk is the responsibility of:
A. quality assurance management.
B. senior business management.
C. the chief information officer.
D. the chief security officer.
The correct answer is:
B. senior business management.
Explanation:
Senior management should establish the acceptable risk level, since they have the ultimate or
final responsibility for the effective and efficient operation of the organization. Choices A, C and
D should act as advisors to senior management in determining an acceptable risk level.
..........................................................................................................
13. Which of the following is the MOST critical for the successful implementation and
maintenance of a security policy?
A. Assimilation of the framework and intent of a written security policy by all appropriate
parties
B. Management support and approval for the implementation and maintenance of a
security policy
C. Enforcement of security rules by providing punitive actions for any violation of security
rules
D. Stringent implementation, monitoring and enforcing of rules by the security officer
through access control software
The correct answer is:
A. Assimilation of the framework and intent of a written security policy by all appropriate
parties
Explanation:
Assimilation of the framework and intent of a written security policy by the users of the system
is critical to the successful implementation and maintenance of the security policy. A good
password system may exist, but if the users of the system keep passwords written on their
desks, the password is of little value. Management support and commitment are no doubt
important, but for successful implementation and maintenance of a security policy, educating the
users on the importance of security is paramount. The stringent implementation, monitoring and
enforcing of rules by the security officer through access control software, and provision for
punitive actions for violation of security rules, are also required along with the users' education
on the importance of security.
..........................................................................................................
14. To ensure an organization is complying with privacy requirements, the IS auditor
should FIRST review:
A. the IT infrastructure.
B. the organization's policies, standards and procedures.
C. legal and regulatory requirements.
D. the adherence to organizational policies, standards and procedures.
The correct answer is:
C. legal and regulatory requirements.
Explanation:
To ensure that the organization is complying with privacy issues, an IS auditor should address
legal and regulatory requirements first. To comply with legal and regulatory requirements,
organizations need to adopt the appropriate infrastructure. After understanding the legal and
regulatory requirements, the IS auditor should evaluate organizational policies, standards and
procedures to determine whether they adequately address the privacy requirements, and then
review the adherence to these specific policies, standards and procedures.
..........................................................................................................
15. Which of the following controls would an IS auditor look for in an environment where
duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
The correct answer is:
D. Compensating controls
Explanation:
Compensating controls are internal controls that are intended to reduce the risk of an existing or
potential control weakness that may arise when duties cannot be appropriately segregated.
Overlapping controls are two controls addressing the same control objective or exposure. Since
primary controls cannot be achieved when duties cannot be or are not appropriately segregated, it is
difficult to install overlapping controls. Boundary controls establish the interface between the
would-be user of a computer system and the computer system itself, and are individual-based,
not role-based, controls. Access controls for resources are based on individuals and not on roles.
..........................................................................................................
16. Which of the following is the MOST important function to be performed by IS
management when a service has been outsourced?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance
The correct answer is:
D. Monitoring the outsourcing provider's performance
Explanation:
In an outsourcing environment, the company is dependent on the performance of the service
provider. Therefore, it is critical the outsourcing provider's performance be monitored to ensure
that services are delivered to the company as required. Payment of invoices is a finance function,
which would be completed per contractual requirements. Participating in systems design is a
byproduct of monitoring the outsourcing provider's performance, while renegotiating fees is
usually a one-time activity.
..........................................................................................................
17. Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.
The correct answer is:
B. define key performance indicators.
Explanation:
A definition of key performance indicators is required before implementing an IT balanced
scorecard. Choices A, C and D are objectives.
..........................................................................................................
18. The MOST likely effect of the lack of senior management commitment to IT strategic
planning is:
A. a lack of investment in technology.
B. a lack of a methodology for systems development.
C. the technology not aligning with the organization's objectives.
D. an absence of control over technology contracts.
The correct answer is:
C. the technology not aligning with the organization's objectives.
Explanation:
A steering committee should exist to ensure that the IT strategies support the organization's
goals. The absence of an information technology committee or a committee not composed of
senior managers would be an indication of a lack of top-level management commitment. This
condition would increase the risk that IT would not be aligned with the organization's strategy.
..........................................................................................................
19. Which of the following would BEST provide assurance of the integrity of new staff?
A. Background screening
B. References
C. Bonding
D. Qualifications listed on a résumé
The correct answer is:
A. Background screening
Explanation:
A background screening is the primary method for assuring the integrity of a prospective staff
member. References are important and would need to be verified, but they are not as reliable as
background screening. Bonding is directed at due-diligence compliance, not at integrity, and
qualifications listed on a résumé may not be accurate.
..........................................................................................................
20. Which of the following is the GREATEST risk of an inadequate policy definition for
ownership of data and systems?
A. User management coordination does not exist.
B. Specific user accountability cannot be established.
C. Unauthorized users may have access to originate, modify or delete data.
D. Audit recommendations may not be implemented.
The correct answer is:
C. Unauthorized users may have access to originate, modify or delete data.
Explanation:
Without a policy defining who has the responsibility for granting access to specific systems,
there is an increased risk that one could gain (be given) system access when they should not have
authorization. By assigning authority to grant access to specific users, there is a better chance
that business objectives will be properly supported.
..........................................................................................................
21. Effective IT governance will ensure that the IT plan is consistent with the
organization's:
A. business plan.
B. audit plan.
C. security plan.
D. investment plan.
The correct answer is:
A. business plan.
Explanation:
To govern IT effectively, IT and business should be moving in the same direction, requiring that
the IT plans are aligned with an organization's business plans. The audit and investment plans are
not part of the IT plan, and the security plan should be at a corporate level.
..........................................................................................................
22. Which of the following is a function of an IS steering committee?
A. Monitoring vendor-controlled change control and testing
B. Ensuring a separation of duties within the information processing environment
C. Approving and monitoring major projects, the status of IS plans and budgets
D. Liaising between the IS department and the end users
The correct answer is:
C. Approving and monitoring major projects, the status of IS plans and budgets
Explanation:
The IS steering committee typically serves as a general review board for major IS projects and
should not become involved in routine operations; therefore, one of its functions is to approve
and monitor major projects, the status of IS plans and budgets. Vendor change control is an
outsourcing issue and should be monitored by IS management. Ensuring a separation of duties
within the information processing environment is an IS management responsibility. Liaising
between the IS department and the end users is a function of the individual parties and not a
committee.
..........................................................................................................
23. A long-term IS employee with a strong technical background and broad managerial
experience has applied for a vacant position in the IS audit department. Determining
whether to hire this individual for this position should be based on the individual's
experience and:
A. the length of service since this will help ensure technical competence.
B. age as training in audit techniques may be impractical.
C. IS knowledge since this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IS relationships.
The correct answer is:
D. ability, as an IS auditor, to be independent of existing IS relationships.
Explanation:
Independence should be continually assessed by the auditor and management. This assessment
should consider such factors as changes in personal relationships, financial interests, and prior
job assignments and responsibilities. The fact that the employee has worked in IS for many years
may not in itself ensure credibility. The audit department's needs should be defined and any
candidate should be evaluated against those requirements. The length of service will not ensure
technical competency. Evaluating an individual's qualifications based on the age of the
individual is not a good criterion and is illegal in many parts of the world.
..........................................................................................................
24. Which of the following programs would a sound information security policy MOST
likely include to handle suspected intrusions?
A. Response
B. Correction
C. Detection
D. Monitoring
The correct answer is:
A. Response
Explanation:
A sound IS security policy will most likely outline a response program to handle suspected
intrusions. Correction, detection and monitoring programs are all aspects of information security,
but will not likely be included in an IS security policy statement.
..........................................................................................................
25. An organization has outsourced its software development. Which of the following is the
responsibility of the organization's IT management?
A. Paying for provider services
B. Participating in systems design with the provider
C. Managing compliance with the contract for the outsourced services
D. Negotiating contractual agreement with the provider
The correct answer is:
C. Managing compliance with the contract for the outsourced services
Explanation:
Actively managing compliance with the contract terms for the outsourced services is the
responsibility of IT management. Payment of invoices is a finance responsibility. Negotiation of
the contractual agreement would have already taken place and is usually a shared responsibility
of the legal department and other departments, such as IT.
..........................................................................................................
26. When reviewing IS strategies, the IS auditor can BEST assess whether IS strategy
supports the organization's business objectives by determining if IS:
A. has all the personnel and equipment it needs.
B. plans are consistent with management strategy.
C. uses its equipment and personnel efficiently and effectively.
D. has sufficient excess capacity to respond to changing directions.
The correct answer is:
B. plans are consistent with management strategy.
Explanation:
Determining if the IS plan is consistent with management strategy relates IS/IT planning to
business plans. Choices A, C and D are effective methods for determining the alignment of IS
plans with business objectives and the organization's strategies.
..........................................................................................................
27. Which of the following is the PRIMARY objective of an IT performance measurement
process?
A. Minimize errors.
B. Gather performance data.
C. Establish performance baselines.
D. Optimize performance.
The correct answer is:
D. Optimize performance.
Explanation:
An IT performance measurement process can be used to optimize performance, measure and
manage products/services, assure accountability, and make budget decisions. Minimizing errors
is an aspect of performance, but not the primary objective of performance management.
Gathering performance data is a phase of the IT measurement process and would be used to
evaluate the performance against previously established performance baselines.
..........................................................................................................
28. Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally
accessed
D. Creation of an applications traffic matrix showing protection methods
The correct answer is:
B. Identification of network applications to be externally accessed
Explanation:
The applications required across the network should be identified first. After
identification, depending on the physical location of these applications in the network and the
network model, the person in charge will be able to understand the need for and possible
methods of controlling access to these applications. Having identified the applications, the next
step is to identify vulnerabilities (weaknesses) associated with the network applications.
Identifying methods to protect against the identified vulnerabilities, together with their
comparative cost-benefit analysis, is the third step. The final step is to analyze the application
traffic and create a matrix showing how each type of traffic will be protected.
..........................................................................................................
29. Many organizations require an employee to take a mandatory vacation (holiday) of a
week or more to:
A. ensure the employee maintains a good quality of life, which will lead to greater
productivity.
B. reduce the opportunity for an employee to commit an improper or illegal act.
C. provide proper cross-training for another employee.
D. eliminate the potential disruption caused when an employee takes vacation one day at a
time.
The correct answer is:
B. reduce the opportunity for an employee to commit an improper or illegal act.
Explanation:
Required vacations/holidays of a week or more, during which someone other than the regular
employee performs the job function, are often mandatory for sensitive positions. This reduces the
opportunity to commit improper or illegal acts, and during this time it may be possible to
discover any fraudulent activity that was taking place. Choices A, C and D could all be
organizational benefits of a mandatory vacation policy, but they are not the reason why the
policy is established.
..........................................................................................................
30. In reviewing the IS short-range (tactical) plan, the IS auditor should determine
whether:
A. there is an integration of IS and business staffs within projects.
B. there is a clear definition of the IS mission and vision.
C. there is a strategic information technology planning methodology in place.
D. the plan correlates business objectives to IS goals and objectives.
The correct answer is:
A. there is an integration of IS and business staffs within projects.
Explanation:
The integration of IS and business staff in projects is an operational issue and should be
considered while reviewing the short-range plan. A strategic plan would provide a framework for
the IS short-range plan. Choices B, C and D are areas covered by a strategic plan.
..........................................................................................................
31. An organization acquiring other businesses continues using its legacy EDI systems and
uses three separate value-added network (VAN) providers. No written VAN agreements
exist. The IS auditor should recommend that management:
A. obtains independent assurance of the third-party service providers.
B. sets up a process for monitoring the service delivery of the third party.
C. ensures that formal contracts are in place.
D. considers agreements with third-party service providers in the development of
continuity plans.
The correct answer is:
C. ensures that formal contracts are in place.
Explanation:
Written agreements would assist management in ensuring compliance with external
requirements. While management should obtain independent assurance of compliance, this
cannot be achieved until there is a contract in place. One aspect of managing third-party services
is to provide monitoring; however, this cannot be achieved until there is a contract. Ensuring that
VAN agreements are available for review may assist in the development of continuity plans, if
they are deemed critical IT resources. However, this cannot be achieved until a contract is in
place.
..........................................................................................................
32. Which of the following goals would you expect to find in an organization's strategic
plan?
A. Test a new accounting package.
B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the next 12 months.
D. Become the supplier of choice for the product offered.
The correct answer is:
D. Become the supplier of choice for the product offered.
Explanation:
Strategic planning sets corporate or departmental objectives into motion. Comprehensive
planning helps ensure an effective and efficient organization. Strategic planning is time- and
project-oriented, but also must address and help determine priorities to meet business needs.
Long- and short-range plans should be consistent with the organization's broader plans for
attaining their goals. Choice D represents a business objective that is intended to focus the
overall direction of the business and would thus be a part of the organization's strategic plan. The
other choices are project-oriented and do not address business objectives.
..........................................................................................................
33. Assessing IT risks is BEST achieved by:
A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm's past actual loss experience to determine current exposure.
C. reviewing published loss statistics from comparable organizations.
D. reviewing IT control weaknesses identified in audit reports.
The correct answer is:
A. evaluating threats associated with existing IT assets and IT projects.
Explanation:
To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or
quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the
risk assessment process, but by themselves not sufficient. Basing an assessment on past losses
will not adequately reflect inevitable changes to the firm's IT assets, projects, controls and
strategic environment. There are also likely to be problems with the scope and quality of the loss
data available to be assessed. Comparable organizations will have differences in their IT assets,
control environment and strategic circumstances. Hence, their loss experience cannot be used to
directly assess organizational IT risk. Control weaknesses identified during audits will be
relevant in assessing threat exposure and further analysis may be needed to assess threat
probability. Depending on the scope of the audit coverage, it is possible that not all of the critical
IT assets and projects will have recently been audited and there may not be a sufficient
assessment of strategic IT risks.
..........................................................................................................
34. An IS auditor was hired to review e-business security. The IS auditor's first task was to
examine each existing e-business application looking for vulnerabilities. Which would be
the next task?
A. Report the risks to the CIO and CEO immediately.
B. Examine e-business applications in development.
C. Identify threats and likelihood of occurrence.
D. Check the budget available for risk management.
The correct answer is:
C. Identify threats and likelihood of occurrence.
Explanation:
The IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and
the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report
should be delivered to the CEO. The report should include the findings along with priorities and
costs.
..........................................................................................................
35. Which of the following IT governance best practices improves strategic alignment?
A. Supplier and partner risks are managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediates between the imperatives of business and technology.
The correct answer is:
D. Top management mediates between the imperatives of business and technology.
Explanation:
Top management mediating between the imperatives of business and technology is an IT
strategic alignment best practice. Supplier and partner risks being managed is a risk management
best practice. A knowledge base on customers, products, markets and processes being in place is
an IT value delivery best practice. An infrastructure being provided to facilitate the creation and
sharing of business information is an IT value delivery and risk management best practice.
..........................................................................................................
36. Which of the following would be a compensating control to mitigate risks resulting
from an inadequate segregation of duties?
A. Sequence check
B. Check digit
C. Source documentation retention
D. Batch control reconciliations
The correct answer is:
D. Batch control reconciliations
Explanation:
Batch control reconciliations are an example of compensating controls. Other examples of
compensating controls are transaction logs, reasonableness tests, independent reviews and audit
trails, such as console logs, library logs and job accounting data. Sequence checks and check
digits are data validation edits, and source documentation retention is an example of a data file
control.
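The batch control reconciliation named above is the one choice in this question that can be shown as working logic. The following is an added example, not part of the original question bank or any vendor's product: the originating department attaches a record count, a financial total and a hash total to a batch, and the receiving process recomputes all three from the detail records and rejects the batch when any disagree. The record layout, the field names and the sample batch are assumptions constructed for the illustration; the hash total is deliberately a meaningless sum of account identifiers, which is what lets it catch a substituted beneficiary that leaves the count and the money total unchanged.

```python
"""Batch control reconciliation as a compensating control.

Added example, not from the original question bank. A batch header
carries control totals that the submitter computed; the receiving
process recomputes them and rejects the batch if they disagree.
Record layout and control fields are assumptions for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PaymentRecord:
    account: str       # beneficiary account number (assumed numeric string)
    amount: Decimal    # payment amount


@dataclass(frozen=True)
class BatchHeader:
    record_count: int          # number of detail records expected
    financial_total: Decimal   # sum of amounts expected
    hash_total: int            # sum of numeric account identifiers: a meaningless
                               # total whose only job is to detect substitution


def compute_controls(records):
    """Recompute the three control totals from the detail records."""
    return BatchHeader(
        record_count=len(records),
        financial_total=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(int(r.account) for r in records),
    )


def reconcile(header, records):
    """Return a list of discrepancies; an empty list means the batch reconciles."""
    actual = compute_controls(records)
    issues = []
    if actual.record_count != header.record_count:
        issues.append(f"record count {actual.record_count} != header {header.record_count}")
    if actual.financial_total != header.financial_total:
        issues.append(f"financial total {actual.financial_total} != header {header.financial_total}")
    if actual.hash_total != header.hash_total:
        issues.append(f"hash total {actual.hash_total} != header {header.hash_total}")
    return issues


# Constructed sample batch as submitted by the originating department (not real data).
SUBMITTED = [
    PaymentRecord("10001", Decimal("1250.00")),
    PaymentRecord("10002", Decimal("80.50")),
    PaymentRecord("10003", Decimal("4300.00")),
]
# Header the submitter attached: count 3, financial total 5630.50, hash total 30006.
HEADER = compute_controls(SUBMITTED)

# Same record count and same financial total, but the last beneficiary account was
# swapped for another one: only the hash total exposes this substitution.
TAMPERED = [
    PaymentRecord("10001", Decimal("1250.00")),
    PaymentRecord("10002", Decimal("80.50")),
    PaymentRecord("99999", Decimal("4300.00")),
]


if __name__ == "__main__":
    print("original :", reconcile(HEADER, SUBMITTED) or "reconciles")
    print("tampered :", reconcile(HEADER, TAMPERED))
    print("dropped  :", reconcile(HEADER, SUBMITTED[:2]))
```

A dropped or duplicated record trips the count and the financial total; an amount edited in place trips only the financial total; a beneficiary swap trips only the hash total. The control works because the totals are computed by a different person from the one who can alter the records, which is exactly the separation the missing segregation of duties failed to provide.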
..........................................................................................................
37. The lack of adequate security controls represents a(n):
A. threat.
B. asset.
C. impact.
D. vulnerability.
The correct answer is:
D. vulnerability.
Explanation:
The lack of adequate security controls represents a vulnerability, exposing sensitive information
and data to the risk of malicious damage, attack or unauthorized access by hackers, resulting in
loss of sensitive information, which could lead to the loss of goodwill for the organization. A
succinct definition of risk is provided by the Guidelines for the Management of IT Security
published by the International Organization for Standardization (ISO), which defines risk as the
“Potential that a given threat will exploit the vulnerability of an asset or group of assets to cause
loss or damage to the assets.” The various elements of the definition are vulnerability, threat,
asset and impact. Lack of adequate security functionality in this context is a vulnerability.
..........................................................................................................
38. IT control objectives are useful to IS auditors, as they provide the basis for
understanding the:
A. desired result or purpose of implementing specific control procedures.
B. best IT security control practices relevant to a specific entity.
C. techniques for securing information.
D. security policy.
The correct answer is:
A. desired result or purpose of implementing specific control procedures.
Explanation:
An IT control objective is defined as the statement of the desired result or purpose to be achieved
by implementing control procedures in a particular IT activity. They provide the actual
objectives for implementing controls and may or may not be the best practices. Techniques are
the means of achieving an objective, and a security policy is a subset of IT control objectives.
..........................................................................................................
39. To support an organization's goals, the IS department should have:
A. a low-cost philosophy.
B. long- and short-range plans.
C. leading-edge technology.
D. planned to acquire new hardware and software.
The correct answer is:
B. long- and short-range plans.
Explanation:
To ensure its contribution to the realization of an organization's overall goals, the IS department
should have long- and short-range plans that are consistent with the organization's broader plans
for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate
how each of the objectives would be achieved. Choice D could be a part of the overall plan but
would be required only if hardware or software is needed to achieve the organizational goals.
..........................................................................................................
40. An IS auditor finds that not all employees are aware of the enterprise's information
security policy. The IS auditor should conclude that:
A. this lack of knowledge may lead to unintentional disclosure of sensitive information.
B. information security is not critical to all functions.
C. IS audit should provide security training to the employees.
D. the audit finding will cause management to provide continuous training to staff.
The correct answer is:
A. this lack of knowledge may lead to unintentional disclosure of sensitive information.
Explanation:
All employees should be aware of the enterprise's information security policy to prevent
unintentional disclosure of sensitive information. Training is a preventive control. Security
awareness programs for employees can prevent unintentional disclosure of sensitive information
to outsiders.
..........................................................................................................
41. The general ledger setup function in an enterprise resource planning (ERP) system
allows for setting accounting periods. Access to this function has been permitted to users in
finance, the warehouse and order entry. The MOST likely reason for such broad access is
the:
A. need to change accounting periods on a regular basis.
B. requirement to post entries for a closed accounting period.
C. lack of policies and procedures for the proper segregation of duties.
D. need to create/modify the chart of accounts and its allocations.
The correct answer is:
C. lack of policies and procedures for the proper segregation of duties.
Explanation:
Setting of accounting periods is one of the critical activities of the finance function. Granting
access to this function to warehouse and order entry personnel could be a result of a lack of
proper policies and procedures for the adequate segregation of duties. Accounting periods should
not be changed at regular intervals, but established permanently. The requirement to post entries
for a closed accounting period is a risk. If necessary, this should be done by someone in the
finance or accounting area. The need to create/modify the chart of accounts and its allocations is
the responsibility of the finance department and is not a function that should be performed by
warehouse or order entry personnel.
..........................................................................................................
42. A comprehensive and effective e-mail policy should address the issues of e-mail
structure, policy enforcement, monitoring and:
A. recovery.
B. retention.
C. rebuilding.
D. reuse.
The correct answer is:
B. retention.
Explanation:
Besides being a good practice, laws and regulations may require that an organization keep
information that has an impact on the financial statements. The prevalence of lawsuits in which
e-mail communication is held in the same regard as the official form of classic "paper" makes the
retention of corporate e-mail a necessity. All e-mail generated on an organization's hardware is
the property of the organization, and an e-mail policy should address the retention of messages,
considering both known and unforeseen litigation. The policy should also address the destruction
of e-mails after a specified time to protect the nature and confidentiality of the messages
themselves. Addressing the retention issue in the e-mail policy would facilitate recovery,
rebuilding and reuse.
..........................................................................................................
43. A top-down approach to the development of operational policies will help ensure:
A. that they are consistent across the organization.
B. that they are implemented as a part of risk assessment.
C. compliance with all policies.
D. that they are reviewed periodically.
The correct answer is:
A. that they are consistent across the organization.
Explanation:
Deriving lower level policies from corporate policies (a top-down approach) aids in ensuring
consistency across the organization and consistency with other policies. The bottom-up approach
to the development of operational policies is derived as a result of risk assessment. A top-down
approach of itself does not ensure compliance and development does not ensure that policies are
reviewed.
..........................................................................................................
44. When developing a risk management program, the FIRST activity to be performed is
a(n):
A. threat assessment.
B. classification of data.
C. inventory of assets.
D. criticality analysis.
The correct answer is:
C. inventory of assets.
Explanation:
Identification of the assets to be protected is the first step in the development of a risk
management program. A listing of the threats that can affect the performance of these assets and
criticality analysis are later steps in the process. Data classification is required for defining
access controls and in criticality analysis.
..........................................................................................................
45. A probable advantage to an organization that has outsourced its data processing
services is that:
A. needed IS expertise can be obtained from the outside.
B. greater control can be exercised over processing.
C. processing priorities can be established and enforced internally.
D. greater user involvement is required to communicate user needs.
The correct answer is:
A. needed IS expertise can be obtained from the outside.
Explanation:
Outsourcing is a contractual arrangement whereby the organization relinquishes control over part
or all of the information processing to an external party. This is frequently done to acquire
additional resources or expertise that is not obtainable from inside the organization.
..........................................................................................................
46. When an organization is outsourcing their information security function, which of the
following should be kept in the organization?
A. Accountability for the corporate security policy
B. Defining the corporate security policy
C. Implementing the corporate security policy
D. Defining security procedures and guidelines
The correct answer is:
A. Accountability for the corporate security policy
Explanation:
Accountability cannot be transferred to external parties. Choices B, C and D can be performed
by outside entities as long as accountability remains within the organization.
..........................................................................................................
47. When segregation of duties concerns exist between IT support staff and end users, what
would be a suitable compensating control?
A. Restricting physical access to computing equipment
B. Reviewing transaction and application logs
C. Performing background checks prior to hiring IT staff
D. Locking user sessions after a specified period of inactivity
The correct answer is:
B. Reviewing transaction and application logs
Explanation:
Only reviewing transaction and application logs directly addresses the threat posed by poor
segregation of duties. The review is a means of detecting inappropriate behavior and also
discourages abuse, because people who may otherwise be tempted to exploit the situation are
aware of the likelihood of being caught. Inadequate segregation of duties is more likely to be
exploited via logical access to data and computing resources rather than physical access. Choice
C is a useful control to ensure IT staff are trustworthy and competent but does not directly
address the lack of an optimal segregation of duties. Choice D acts to prevent unauthorized users
from gaining system access, but the issue with a lack of segregation of duties is more the misuse
(deliberately or inadvertently) of access privileges that have officially been granted.
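Reviewing transaction and application logs is only a control if someone actually looks for the misuse the missing segregation permits. The following is an added example, not taken from the question bank or any real application, of what that review looks like when written down: it parses constructed key=value log lines, flags any single user who performed two incompatible actions on the same reference (create a vendor and approve a payment to it), and separately flags an IT support role executing business transactions at all, which is the IT staff versus end user concern in the question. The log format, role and action names, and the conflict matrix are assumptions chosen for the illustration; a real review would take them from the application and from the organization's own SoD rules.

```python
"""Review of application transaction logs for segregation-of-duties conflicts.

Added example, not from the original question bank. The log format, the
action names, the role names and the conflict matrix are assumptions
for this illustration.
"""
import re
from collections import defaultdict

# key=value log lines; the format is an assumption for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+)(?: ref=(?P<ref>\S+))?$"
)

# Pairs of actions one person should not perform on the same reference.
# Assumed SoD rules; order-insensitive.
CONFLICTS = {
    frozenset({"CREATE_VENDOR", "APPROVE_PAYMENT"}),
    frozenset({"ENTER_INVOICE", "APPROVE_PAYMENT"}),
    frozenset({"CHANGE_PROGRAM", "RUN_PRODUCTION_JOB"}),
}

# Business transactions that IT support roles should not be executing at all.
BUSINESS_ACTIONS = {"CREATE_VENDOR", "ENTER_INVOICE", "APPROVE_PAYMENT"}
IT_ROLES = {"it_support"}


def parse(lines):
    """Return (events, malformed_count). Malformed lines are counted, not silently dropped,
    because a log the reviewer cannot parse is itself a finding."""
    events, malformed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
        elif line.strip():
            malformed += 1
    return events, malformed


def find_findings(events):
    """Return sorted findings: SoD conflicts on the same reference, and IT roles doing business work."""
    by_user_ref = defaultdict(set)
    findings = set()
    for e in events:
        if e["role"] in IT_ROLES and e["action"] in BUSINESS_ACTIONS:
            findings.add(("it_role_business_action", e["user"], e["action"], e["ref"] or "-"))
        if e["ref"]:
            by_user_ref[(e["user"], e["ref"])].add(e["action"])
    for (user, ref), actions in by_user_ref.items():
        for pair in CONFLICTS:
            if pair <= actions:          # both halves of a conflicting pair by the same person
                a, b = sorted(pair)
                findings.add(("sod_conflict", user, f"{a}+{b}", ref))
    return sorted(findings)


# Constructed sample log (not real data). asmith creates and invoices V1001 but a
# different person approves it; cwu both creates V1002 and approves the payment;
# dlee is IT support and approves a payment.
SAMPLE_LOG = """\
2016-03-02T09:01:10 user=asmith role=ap_clerk action=CREATE_VENDOR ref=V1001
2016-03-02T09:05:42 user=asmith role=ap_clerk action=ENTER_INVOICE ref=V1001
2016-03-02T09:07:03 user=bjones role=ap_manager action=APPROVE_PAYMENT ref=V1001
2016-03-02T10:15:00 user=cwu role=ap_clerk action=CREATE_VENDOR ref=V1002
2016-03-02T10:16:30 user=cwu role=ap_clerk action=APPROVE_PAYMENT ref=V1002
2016-03-02T11:40:11 user=dlee role=it_support action=APPROVE_PAYMENT ref=V1003
2016-03-02T11:41:00 user=dlee role=it_support action=RESET_PASSWORD ref=asmith
this line is garbage and is counted as malformed
"""


def review(text):
    """Run the whole review over a log text; returns (findings, malformed_count)."""
    events, malformed = parse(text.splitlines())
    return find_findings(events), malformed


if __name__ == "__main__":
    findings, skipped = review(SAMPLE_LOG)
    for f in findings:
        print(*f)
    print(f"{skipped} malformed line(s) skipped")
```

Two points matter for the control to hold: the reviewer must be someone other than the users whose actions appear in the log, and the log itself must be protected from the people it records, otherwise the compensating control inherits the same segregation problem it is meant to cover.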
..........................................................................................................
48. Which of the following reduces the potential impact of social engineering attacks?
A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs
D. Effective performance incentives
The correct answer is:
C. Security awareness programs
Explanation:
Because social engineering is based on deception of the user, the best countermeasure or defense
is a security awareness program. The other choices are not user-focused.
..........................................................................................................
49. An IS auditor reviewing an organization that uses cross-training practices should assess
the risk of:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of operations.
The correct answer is:
C. one person knowing all parts of a system.
Explanation:
Cross-training is a process of training more than one individual to perform a specific job or
procedure. This practice helps decrease the dependence on a single person and assists in
succession planning. This provides for the backup of personnel in the event of an absence and,
thereby, provides for the continuity of operations. However, in using this approach, it is prudent
to have first assessed the risk of any person knowing all parts of a system and the related
potential exposures. Cross-training reduces the risks addressed in choices A, B and D.
..........................................................................................................
50. When performing a review of the structure of an electronic funds transfer (EFT)
system, an IS auditor observes that the technological infrastructure is based on a
centralized processing scheme that has been outsourced to a provider in another country.
Based on this information, which of the following conclusions should be the main concern
of the IS auditor?
A. There could be a question with regards to the legal jurisdiction.
B. Having a provider abroad will cause excessive costs in future audits.
C. The auditing process will be difficult because of the distances.
D. There could be different auditing norms.
The correct answer is:
A. There could be a question with regards to the legal jurisdiction.
Explanation:
In the funds transfer process, when the processing scheme is centralized in a different country,
there could be legal issues of jurisdiction that might affect the right to perform a review in the
other country. The other choices, though possible, are not as relevant as the issue of legal
jurisdiction.
..........................................................................................................
51. When an information security policy has been designed, it is MOST important that the
information security policy be:
A. stored offsite.
B. written by IS management.
C. circulated to users.
D. updated frequently.
The correct answer is:
C. circulated to users.
Explanation:
To be effective, an information security policy should reach all members of the staff. Storing the
security policy offsite or in a safe place may be desirable, but is of little value if its contents are
not known to the organization's employees. The information security policy should be written by
business unit managers including, but not exclusively, IS managers. Updating the information
security policy is important but will not assure its dissemination.
..........................................................................................................
52. Which of the following would an IS auditor consider to be the MOST important when
evaluating an organization's IS strategy? That it:
A. has been approved by line management.
B. does not vary from the IS department's preliminary budget.
C. complies with procurement procedures.
D. supports the business objectives of the organization.
The correct answer is:
D. supports the business objectives of the organization.
Explanation:
Strategic planning sets corporate or department objectives into motion. Both long-term and
short-term strategic plans should be consistent with the organization's broader plans and business
objectives for attaining these goals. Answer A is incorrect since line management prepared the
plans.
..........................................................................................................
53. Is it appropriate for an IS auditor from a company that is considering outsourcing its
IS processing to request and review a copy of each vendor's business continuity plan?
A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and
assist his/her company in implementing a complementary plan.
B. Yes, because based on the plan, the IS auditor will evaluate the financial stability of the
service bureau and its ability to fulfill the contract.
C. No, because the backup to be provided should be specified adequately in the contract.
D. No, because the service bureau's business continuity plan is proprietary information.
The correct answer is:
A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and
assist his/her company in implementing a complementary plan.
Explanation:
The primary responsibility of the IS auditor is to assure that the company assets are being
safeguarded. This is true even if the assets do not reside on the immediate premises. Reputable
service bureaus will have a well-designed and tested business continuity plan.
..........................................................................................................
54. The advantage of a bottom-up approach to the development of organizational policies is
that the policies:
A. are developed for the organization as a whole.
B. are more likely to be derived as a result of a risk assessment.
C. will not conflict with overall corporate policy.
D. ensure consistency across the organization.
The correct answer is:
B. are more likely to be derived as a result of a risk assessment.
Explanation:
A bottom-up approach begins by defining operational-level requirements and policies, which are
derived and implemented as the result of risk assessments. Enterprise-level policies are
subsequently developed based on a synthesis of existing operational policies. Choices A, C and
D are advantages of a top-down approach for developing organizational policies. That approach
ensures that the policies will not be in conflict with overall corporate policy and ensures
consistency across the organization.
..........................................................................................................
55. The rate of change in technology increases the importance of:
A. outsourcing the IS function.
B. implementing and enforcing good processes.
C. hiring personnel willing to make a career within the organization.
D. meeting user requirements.
The correct answer is:
B. implementing and enforcing good processes.
Explanation:
Change requires that good change management processes be implemented and enforced.
Outsourcing the IS function is not directly related to the rate of technological change. Personnel
in a typical IS department are highly qualified and educated, usually they do not feel their jobs
are at risk and are prepared to switch jobs frequently. Although meeting user requirements is
important, it is not directly related to the rate of technological change in the IS environment.
..........................................................................................................
56. When an employee is terminated from service, the MOST important action is to:
A. hand over all of the employee's files to another designated employee.
B. complete a backup of the employee's work.
C. notify other employees of the termination.
D. disable the employee's logical access.
The correct answer is:
D. disable the employee's logical access.
Explanation:
There is a probability that a terminated employee may misuse access rights; therefore, disabling
the terminated employee's logical access is the most important action to take. All the work of the
terminated employee needs to be handed over to a designated employee; however, this should be
performed after implementing choice D. All the work of the terminated employee needs to be
backed up and the employees need to be notified of the termination of the employee, but this
should not precede the action in choice D.
..........................................................................................................
57. In an organization where an IT security baseline has been defined, the IS auditor
should FIRST ensure:
A. implementation.
B. compliance.
C. documentation.
D. sufficiency.
The correct answer is:
D. sufficiency.
Explanation:
The auditor should first evaluate the definition of the minimum baseline level by ensuring the
sufficiency of controls. Documentation, implementation and compliance are further steps.
..........................................................................................................
58. An IS auditor reviewing an outsourcing contract of IT facilities would expect it to
define the:
A. hardware configuration.
B. access control software.
C. ownership of intellectual property.
D. application development methodology.
The correct answer is:
C. ownership of intellectual property.
Explanation:
Of the choices, the hardware configuration and the access control software are generally irrelevant
as long as the functionality, availability and security of the service are not adversely affected;
those are the specific contractual obligations. Similarly, the development methodology should be
of no real concern. The contract must,
however, specify who owns the intellectual property (i.e., information being processed,
application programs). Ownership of intellectual property will have a significant cost and is a
key aspect to be defined in an outsourcing contract.
..........................................................................................................
59. Which of the following would MOST likely indicate that a customer data warehouse
should remain in-house rather than be outsourced to an offshore operation?
A. Time zone differences could impede communications between IT teams.
B. Telecommunications cost could be much higher in the first year.
C. Privacy laws could prevent cross-border flow of information.
D. Software development may require more detailed specifications.
The correct answer is:
C. Privacy laws could prevent cross-border flow of information.
Explanation:
Privacy laws prohibiting the cross-border flow of personally identifiable information would
make it impossible to locate a data warehouse containing customer information in another
country. Time zone differences and higher telecommunications costs are more manageable.
Software development typically requires more detailed specifications when dealing with offshore
operations.
..........................................................................................................
60. Which of the following would provide a mechanism whereby IS management can
determine if the activities of the organization have deviated from the planned or expected
levels?
A. Quality management
B. IS assessment methods
C. Management principles
D. Industry standards/benchmarking
The correct answer is:
B. IS assessment methods
Explanation:
Assessment methods provide a mechanism, whereby IS management can determine if the
activities of the organization have deviated from planned or expected levels. These methods
include IS budgets, capacity and growth planning, industry standards/benchmarking, financial
management practices, and goal accomplishment. Quality management is the means by which
the IS department processes are controlled, measured and improved. Management principles
focus on areas such as people, change, processes and security. Industry standards/benchmarking
provide a means of determining the level of performance provided by similar information
processing facility environments.
..........................................................................................................
61. IT governance is PRIMARILY the responsibility of the:
A. chief executive officer.
B. board of directors.
C. IT steering committee.
D. audit committee.
The correct answer is:
B. board of directors.
Explanation:
IT governance is primarily the responsibility of the executives and shareholders (as represented
by the board of directors). The chief executive officer is instrumental in implementing IT
governance per the directions of the board of directors. The IT steering committee monitors and
facilitates deployment of IT resources for specific projects in support of business plans. The
audit committee reports to the board of directors and should monitor the implementation of audit
recommendations.
..........................................................................................................
62. A local area network (LAN) administrator normally would be restricted from:
A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.
The correct answer is:
C. having programming responsibilities.
Explanation:
A LAN administrator should not have programming responsibilities but may have end-user
responsibilities. The LAN administrator may report to the director of the IPF or, in a
decentralized operation, to the end-user manager. In small organizations, the LAN administrator
may also be responsible for security administration over the LAN.
..........................................................................................................
63. An IS auditor performing a general controls review of IS management practices
relating to personnel should pay particular attention to:
A. mandatory vacation policies and compliance.
B. staff classifications and fair compensation policies.
C. staff training.
D. the functions assigned to staff.
The correct answer is:
D. the functions assigned to staff.
Explanation:
When performing a general controls review, it is important for an IS auditor to pay attention to
the issue of segregation of duties, which is affected by vacation/holiday practices. Mandatory
vacation policies and compliance may vary depending on the country and industry. Staff
classifications and fair compensation policies may be a morale issue, not a controls issue. Staff
training is desirable, but not as critical as an appropriate segregation of duties.
..........................................................................................................
64. An IS auditor should expect which of the following items to be included in the request
for proposal (RFP) when IS is procuring services from an independent service provider
(ISP)?
A. References from other customers
B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan
The correct answer is:
A. References from other customers
Explanation:
The IS auditor should look for an independent verification that the ISP can perform the tasks
being contracted. References from other customers would provide an independent, external
review and verification of procedures and processes the ISP follows—issues which would be of
concern to the IS auditor. Checking references is a means of obtaining an independent
verification that the vendor can perform the services it says it can. A maintenance agreement
relates more to equipment than to services, and a conversion plan, while important, is less
important than verification that the ISP can provide the services they propose.
..........................................................................................................
65. Giving responsibility to business units for the development of applications would
MOST likely lead to:
A. significantly reduced data communications needs.
B. the exercise of a lower level of control.
C. the exercise of a higher level of control.
D. an improved segregation of duties.
The correct answer is:
B. the exercise of a lower level of control.
Explanation:
By developing applications in business units, the users now in charge of the applications would
be able to circumvent controls. Choices A, C and D are not related to, nor can they be directly
assumed to result from, moving IS functions to business units; in fact, in some cases, the
opposite can be assumed. For example, because business unit people do not have experience
developing applications, they are more likely to write inefficient code that may use more
bandwidth and, therefore, increase data communications needs.
..........................................................................................................
66. The management of an organization has decided to establish a security awareness
program. Which of the following would MOST likely be a part of the program?
A. Utilization of an intrusion detection system to report incidents
B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees
The correct answer is:
D. Training provided on a regular basis to all current and new employees
Explanation:
Utilizing an intrusion detection system to report on incidents that occur is an implementation of a
security program and is not effective in establishing a security awareness program. Choices B
and C do not address awareness. Training is the only choice that is directed at security
awareness.
..........................................................................................................
67. In an organization, the responsibilities for IT security are clearly assigned and enforced
and an IT security risk and impact analysis is consistently performed. This represents
which level of ranking in the information security governance maturity model?
A. Optimized
B. Managed
C. Defined
D. Repeatable
The correct answer is:
B. Managed
Explanation:
Boards of directors and executive management can use the information security governance
maturity model to establish rankings for security in their organizations. The ranks are
nonexistent, initial, repeatable, defined, managed and optimized. When the responsibilities for IT
security in an organization are clearly assigned and enforced and an IT security risk and impact
analysis is consistently performed, it is said to be "managed and measurable."
..........................................................................................................
68. Which of the following is a mechanism for mitigating risks?
A. Security and control practices
B. Property and liability insurance
C. Audit and certification
D. Contracts and service level agreements (SLAs)
The correct answer is:
A. Security and control practices
Explanation:
Risks are mitigated by implementing appropriate security and control practices. Insurance is a
mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, and
contracts and SLAs are mechanisms of risk allocation.
..........................................................................................................
69. Which of the following provides the best evidence of the adequacy of a security
awareness program?
A. The number of stakeholders including employees trained at various levels
B. Coverage of training at all locations across the enterprise
C. The implementation of security devices from different vendors
D. Periodic reviews and comparison with best practices
The correct answer is:
D. Periodic reviews and comparison with best practices
Explanation:
The adequacy of security awareness content can best be assessed by determining whether it is
periodically reviewed and compared to industry best practices. Choices A, B and C provide
metrics for measuring various aspects of a security awareness program, but do not help assess the
content.
..........................................................................................................
70. The PRIMARY objective of an audit of IT security policies is to ensure that:
A. they are distributed and available to all staff.
B. security and control policies support business and IT objectives.
C. there is a published organizational chart with functional descriptions.
D. duties are appropriately segregated.
The correct answer is:
B. security and control policies support business and IT objectives.
Explanation:
Business orientation should be the main theme in implementing security. Hence, an IS audit of
IT security policies should primarily focus on whether the IT and related security and control
policies support business and IT objectives. Reviewing whether policies are available to all is an
objective, but distribution does not ensure compliance. Availability of organizational charts with
functional descriptions and segregation of duties might be included in the review, but are not the
primary objective of an audit of security policies.
..........................................................................................................
71. From a control perspective, the key element in job descriptions is that they:
A. provide instructions on how to do the job and define authority.
B. are current, documented and readily available to the employee.
C. communicate management's specific job performance expectations.
D. establish responsibility and accountability for the employee's actions.
The correct answer is:
D. establish responsibility and accountability for the employee's actions.
Explanation:
From a control perspective, a job description should establish responsibility and accountability.
This will aid in ensuring that users are given system access in accordance with their defined job
responsibilities. The other choices are not directly related to controls. Providing instructions on
how to do the job and defining authority addresses the managerial and procedural aspects of the
job. It is important that job descriptions are current, documented and readily available to the
employee, but this in itself is not a control. Communication of management's specific
expectations for job performance outlines the standard of performance and would not necessarily
include controls.
..........................................................................................................
72. An IS steering committee should:
A. include a mix of members from different departments and staff levels.
B. ensure that IS security policies and procedures have been executed properly.
C. have formal terms of reference and maintain minutes of its meetings.
D. be briefed about new trends and products at each meeting by a vendor.
The correct answer is:
C. have formal terms of reference and maintain minutes of its meetings.
Explanation:
It is important to keep detailed steering committee minutes to document the decisions and
activities of the IS steering committee, and the board of directors should be informed about those
decisions on a timely basis. Choice A is incorrect because only senior management, or high staff
levels should be members of this committee because of its strategic mission. Choice B is not a
responsibility of this committee but the responsibility of the security administrator. Choice D is
incorrect because a vendor should be invited to meetings only when appropriate.
..........................................................................................................
73. The initial step in establishing an information security program is the:
A. development and implementation of an information security standards manual.
B. performance of a comprehensive security control review by the IS auditor.
C. adoption of a corporate information security policy statement.
D. purchase of security access control software.
The correct answer is:
C. adoption of a corporate information security policy statement.
Explanation:
A policy statement reflects the intent and support provided by executive management for proper
security and establishes a starting point for developing the security program.
..........................................................................................................
74. Which of the following would an IS auditor consider the MOST relevant to short-term
planning for the IS department?
A. Allocating resources
B. Keeping current with technology advances
C. Conducting control self-assessment
D. Evaluating hardware needs
The correct answer is:
A. Allocating resources
Explanation:
The IS department should specifically consider the manner in which resources are allocated in
the short term. Investments in IT need to be aligned with top management strategies, rather than
focusing on technology for technology's sake. Keeping current with technology advances,
conducting control self-assessments and evaluating hardware needs are not as critical as
allocating resources during short-term planning for the IS department.
..........................................................................................................
75. Effective IT governance requires organizational structures and processes to ensure
that:
A. the organization's strategies and objectives extend the IT strategy.
B. the business strategy is derived from an IT strategy.
C. IT governance is separate and distinct from the overall governance.
D. the IT strategy extends the organization's strategies and objectives.
The correct answer is:
D. the IT strategy extends the organization's strategies and objectives.
Explanation:
Effective IT governance requires that board and executive management extend governance to IT
and provide the leadership, organizational structures and processes that ensure that the
organization's IT sustains and extends the organization's strategies and objectives and that the
strategy is aligned with business strategy. Choice A is incorrect because it is the IT strategy that
extends the organizational objectives, not the opposite. IT governance is not an isolated
discipline; it must become an integral part of the overall enterprise governance.
..........................................................................................................
76. Which of the following should be included in an organization's IS security policy?
A. A list of key IT resources to be secured
B. The basis for access authorization
C. Identity of sensitive security features
D. Relevant software security features
The correct answer is:
B. The basis for access authorization
Explanation:
The security policy provides the broad framework of security, as laid down and approved by
senior management. It includes a definition of those authorized to grant access and the basis for
granting the access. Choices A, C and D are more detailed than what should be included in a
policy; they belong in standards and procedures that implement the policy.
..........................................................................................................