Which of the following findings would be of greatest concern to an IS auditor during a review of logical access to an application?

An accuracy measure for a biometric system is:

-false-acceptance rate (FAR).

After reviewing its business processes, a large organization is deploying a new web application based on a Voice-over Internet Protocol (VoIP) technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application?

-Role-based access control (RBAC)

The BEST overall quantitative measure of the performance of biometric control devices is:

-equal-error rate (EER).

A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that:

-the users may not remember to manually encrypt the data before transmission.

A data center has a badge-entry system. Which of the following is MOST important to protect the computing assets in the center?

-A process for promptly deactivating lost or stolen badges exists.

During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do?

-Report the identified condition.

During an IS risk assessment of a healthcare organization regarding protected healthcare information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor?

-Staff have to type "[PHI]" in the subject field of email messages to be encrypted.

During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:

-enrollment.

Electromagnetic emissions from a terminal represent a risk because they:

-can be detected and displayed.

The FIRST step in data classification is to:

-establish ownership.

From a control perspective, the PRIMARY objective of classifying information assets is to:

-establish guidelines for the level of access controls that should be assigned.

A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it?

-Physically destroy the hard disk.

A hotel has placed a PC in the lobby to provide guests with Internet access. Which of the following presents the GREATEST risk for identity theft?

-Session time out is not activated.

.

If inadequate, which of the following would be the MOST likely contributor to a denial-of-service (DoS) attack?

-Router configuration and rules

The implementation of access controls FIRST requires:

-an inventory of IS resources.

An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that:

 -fraud can be detected more quickly.

An IS auditor discovers a potential material finding. The BEST course of action is to:

 -perform additional testing.

An IS auditor has been asked to look at past projects to determine how future projects can better meet business requirements. With which of the following would the auditors MOST likely consult?

 -Project sponsors

An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers—one filled with carbon dioxide (CO2), the other filled with halon. Which of the following should be given the HIGHEST priority in the IS auditor's report?

 -Both fire suppression systems present a risk of suffocation when used in a closed room.

An IS auditor is comparing equipment in production with inventory records. This type of testing is an example of:

 -substantive testing.

An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a:

 -lower confidence coefficient, resulting in a smaller sample size.

An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit?

 -To detect data transposition errors

An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the GREATEST concern?

 -The implementation phase of the project has no backout plan.

An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may affect?

 -Inherent risk

An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank's financial risk is properly addressed, the IS auditor will most likely review which of the following?

 -Wire transfer procedures

An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that:

 -nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity.

An IS auditor notes that daily reconciliation of visitor access card inventory is not carried out as mandated. During testing, the IS auditor did not find that access cards were missing. In this context, the IS auditor should:

 -report the lack of daily reconciliation as an exception.

An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. The IS auditor should conclude that this is:

-not an adequate control.

The IS auditor observes that the latest security-related software patches for a mission-critical system were released two months ago, but IT personnel have not yet installed the patches. The IS auditor should:

 -review the patch management policy and determine the risk associated with this condition.

An IS auditor performing a data center review for a large company discovers that the data center has a lead-acid battery room to provide power to its uninterruptable power supply (UPS) during short-term outages and a diesel generator to provide long-term power backup. Which of the following items would cause the IS auditor the GREATEST concern?

 -The battery room does not contain hydrogen sensors.

An IS auditor reviewing the authentication controls of an organization should be MOST concerned if:

 -system administrators use shared login credentials.

An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that:

-the organizational impact of the project has not been assessed.

An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?

 -Walk-through

The MOST effective biometric control system is the one:

 -which has the lowest EER.

The MOST likely explanation for a successful social engineering attack is:

 -that people make judgment errors.

A new business application requires deviation from the standard configuration of the operating system (OS). What activity should the IS auditor recommend to the security manager as a FIRST response?

 -Assessment of the risk and identification of compensating controls

An organization bought a new system to integrate its human resources (HR) and payroll systems. Which of the following tests ensures that the new system can operate successfully with existing systems?

 -Sociability testing

An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy?

 -Web content filter

An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor?

 -The guest network is not segregated from the production network.

An organization is proposing to establish a wireless local area network (WLAN). Management asks the IS auditor to recommend security controls for the WLAN. Which of the following would be the MOST appropriate recommendation?

-Physically secure wireless access points to prevent tampering.

An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture?

-The firewall is placed on top of the commercial operating system with all default installation options.

An organization with a history of strong internal controls allows for the use of universal serial bus (USB) drives to transfer data between offices. Which of the following is the GREATEST risk associated with the use of these devices?

 -Theft of the devices

An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important?

 -False-acceptance rate (FAR)

The PRIMARY purpose of a postimplementation review is to ascertain that:

 -project objectives have been met.

The project steering committee is ultimately responsible for:

-project deliverables, costs and timetables.

The purpose of a mantrap controlling access to a computer facility is PRIMARILY to:

 -prevent piggybacking.

The responsibility for authorizing access to a business application system belongs to the:

 -data owner.

The responsibility for authorizing access to application data should be with the:

-data owner.

Results of a postimplementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application?

-Load testing

The risk of dumpster diving is BEST mitigated by:

 -implementing security awareness training.

The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through:

 -symmetric encryption.

There is a concern that the risk of unauthorized access may increase after implementing a single sign-on (SSO) process. To prevent unauthorized access, the MOST important action is to:

 -mandate a strong password policy.

Users are issued security tokens to be used in combination with a personal identification number (PIN) to access the corporate virtual private network (VPN). Regarding the PIN, what is the MOST important rule to be included in a security policy?

 -Users should never write down their PIN.

Value delivery from IT to the business is MOST effectively achieved by:

 -aligning the IT strategy with the enterprise strategy.

What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks?

 -Unauthorized individuals wait for controlled doors to open and walk in behind those authorized.

What is the BEST approach to mitigate the risk of a phishing attack?

-User education

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?

-It detects risk sooner.

When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the:

-hardware is protected against power surges.

When conducting a penetration test of an IT system, an organization should be MOST concerned with:

-restoring all systems to the original state.

When performing a postimplementation review of a software development project for a highly secure application, it is MOST important to confirm that:

-business requirements were met.

When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor?

-All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization.

Which of the following BEST encrypts data on mobile devices?

-Elliptical curve cryptography (ECC)

Which of the following BEST ensures that business requirements are met prior to implementation?

-User acceptance testing (UAT)

Which of the following BEST ensures that users have uninterrupted access to a critical, heavily utilized web-based application?

-Load balancing

Which of the following BEST ensures uninterrupted operations in an organization with IT operation centers in several countries?

-Employee training on the business continuity plan (BCP)

Which of the following BEST helps ensure that deviations from the project plan are identified?

-Project performance criteria

Which of the following BEST helps prioritize the recovery of IT assets when planning for a disaster?

-Business impact analysis (BIA)

Which of the following can be used to help ensure confidentiality of transmitted data? Encrypting the:

-session key with the receiver's public key.

Which of the following does a lack of adequate controls represent?

-A vulnerability

Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power?

-Power line conditioners

Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?

-Unauthorized report copies can be printed.

Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems?

-To collect evidence while transactions are processed

Which of the following is in the BEST position to approve changes to the audit charter?

-Audit committee

Which of the following is MOST important when an operating system (OS) patch is to be applied to a production environment?

-Approval from the information asset owner

Which of the following is the BEST indicator that a newly developed system will be used after it is in production?

-User acceptance testing (UAT)

Which of the following is the BEST method of controlling scope creep in a system development project?

-Establishing a software baseline

Which of the following is the BEST method to ensure that critical IT system failures do not recur?

-Perform root cause analysis.

Which of the following is the BEST reference for an IS auditor to determine a vendor's ability to meet service level agreement (SLA) requirements for a critical IT security service?

-Agreed-on key performance metrics

Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program?

-Interview a sample of employees.

Which of the following is the BEST way to satisfy a two-factor user authentication?

-A smart card requiring the user's personal identification number (PIN)

Which of the following is the GREATEST concern associated with the use of peer-to-peer computing?

-Data leakage

Which of the following is the MAIN reason an organization should have an incident response plan? The plan helps to:

-minimize the impact of an adverse event.

Which of the following is the MOST effective control over visitor access to a data center?

-Visitors are escorted.

Which of the following is the MOST effective method for disposing of magnetic media that contains confidential information?

-Destroying

Which of the following is the MOST efficient strategy for the backup of large quantities of mission-critical data when the systems need to be online to take sales orders 24 hours a day?

-Implementing a fault-tolerant disk-to-disk backup solution

Which of the following is the MOST important critical success factor (CSF) of implementing a risk-based approach to the IT system life cycle?

-Adequate involvement of stakeholders

Which of the following is the MOST important security consideration to an organization that wants to reduce its IS infrastructure by using servers provided by a platform as a service (PaaS) vendor?

-Review the need for encryption of stored and transmitted application data.

Which of the following is the MOST likely reason an organization implements an emergency change to an application using the emergency change control process?

-There is a high probability of a significant impact on operations.

Which of the following is the MOST reliable form of single factor personal identification?

-Iris scan

Which of the following is the MOST reliable sender authentication method?

-Digital certificates

Which of the following is the responsibility of information asset owners?

-Assignment of criticality levels to data

Which of the following methods BEST mitigates the risk of disclosing confidential information through the use of social networking sites?

-Providing security awareness training

Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly?

-Dry-pipe sprinklers

Which of the following provides the GREATEST assurance for database password encryption?

-Advanced encryption standard (AES)

Which of the following should the IS auditor review to ensure that servers are optimally configured to support processing requirements?

-Server utilization data

Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment?

-Beta testing

Which of the following would be BEST prevented by a raised floor in the computer machine room?

-Damage of wires around computers and servers

While auditing an e-commerce architecture, an IS auditor notes that customer master data are stored on the web server for six months after the transaction date and then purged due to inactivity. Which of the following should be the PRIMARY concern for the IS auditor?

-Confidentiality of customer data

Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience??

• Professional standards

Which of the following is an effective preventive control to ensure that a database administrator complies with the custodianship of the enterprise's data?

Which of these is the most effective control over a guest wireless ID given to the vendor staff?

Which of the following is the first step in an IT risk assessment for a risk based audit?

Which of the following is the best way to determine the effectiveness of a security awareness and training program?