1. (Area 1) An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:
A. variable sampling.

2. (Area 1) The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A. Inherent

3. (Area 1) Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS auditor should:
A. refuse the assignment since it is not the role of the IS auditor.

4. (Area 1) Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.

5. (Area 1) Which of the following is a substantive test?
A. Checking a list of exception reports

6. (Area 1) The use of statistical sampling procedures helps minimize:
A. sampling risk.

7. (Area 1) Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance.

8. (Area 1) The PRIMARY objective of an IS audit function is to:
A. determine whether everyone uses IS resources according to their job description.

9. (Area 1) An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
A. Personally delete all copies of the unauthorized software.

10. (Area 1) A key element in a risk analysis is:
A. audit planning.

11. (Area 1) An audit charter should:
A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.

12. (Area 1) In a risk-based audit approach, an IS auditor, in addition to risk, would be influenced by:
A. the availability of CAATs.

13. (Area 1) The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures:
A. information assets are overprotected.

14. (Area 1) Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling

15. (Area 1) The PRIMARY purpose of an audit charter is to:
A. document the audit process used by the enterprise.

16. (Area 1) Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?
A. Multiple cycles of backup files remain available.

17. (Area 1) The IS department of an organization wants to ensure that the computer files used in the information processing facility are adequately backed up to allow for proper recovery. This is a(n):
A. control procedure.

18. (Area 1) An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific control during the development of the application system.

19. (Area 1) The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.

20. (Area 1) Which of the following is an objective of a control self-assessment (CSA) program?
A. Concentration on areas of high risk

21. (Area 1) Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls

22. (Area 1) The PRIMARY purpose of audit trails is to:
A. improve response time for users.

23. (Area 1) The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do is an example of:
A. inherent risk.

24. (Area 1) In a risk-based audit approach, an IS auditor should FIRST complete a(n):
A. inherent risk assessment.

25. (Area 1) With regard to sampling, it can be said that:
A. sampling is generally applicable when the population relates to an intangible or undocumented control.

26. (Area 1) Which of the following processes describes risk assessment? Risk assessment is:
A. subjective.

27. (Area 1) The responsibility, authority and accountability of the IS audit function is appropriately documented in an audit charter and MUST be:
A. approved by the highest level of management.

28. (Area 1) Reviewing management's long-term strategic plans helps the IS auditor:
A. gain an understanding of an organization's goals and objectives.

29. (Area 1) An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A. the controls already in place.
Explanation: A mechanism to continuously monitor the risks related to assets should be put in place during the risk monitoring function that follows the risk assessment phase.

30. (Area 1) In planning an audit, the MOST critical step is the identification of the:
A. areas of high risk.

31. (Area 1) A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.

32. (Area 1) The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information.

33. (Area 1) When implementing continuous monitoring systems, an IS auditor's first step is to identify:
A. reasonable target thresholds.

34. (Area 1) While planning an audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items.

35. (Area 1) The PRIMARY role of an IS auditor during the system design phase of an application development project is to:
A. advise on specific and detailed control procedures.

36. (Area 1) In an IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potential anomalies in user or system behavior. Which of the following tools is MOST suitable for performing that task?
A. CASE tools

37. (Area 1) Which one of the following could an IS auditor use to validate the effectiveness of edit and validation routines?
A. Domain integrity test

38. (Area 1) An IS auditor has evaluated the controls for the integrity of the data in a financial application. Which of the following findings would be the MOST significant?
A. The application owner was unaware of several changes applied to the application by the IT department.

39. (Area 1) An IS auditor is evaluating a corporate network for a possible penetration by employees. Which of the following findings should give the IS auditor the GREATEST concern?
A. There are a number of external modems connected to the network.

40. (Area 1) In a critical server, an IS auditor discovers a Trojan horse that was produced by a known virus that exploits a vulnerability of an operating system. Which of the following should an IS auditor do FIRST?
A. Investigate the virus's author.

41. (Area 1) Which of the following is the PRIMARY advantage of using computer forensic software for investigations?
A. The preservation of the chain of custody for electronic evidence

42. (Area 1) An IS auditor has imported data from the client's database. The next step, confirming whether the imported data are complete, is performed by:
A. matching control totals of the imported data to control totals of the original data.

43. (Area 1) The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
A. Test data
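Question 42 refers to control totals, the standard way an auditor proves that an extract imported into an audit tool is complete before any analysis is done on it. Three totals are normally compared between the source and the import: the record count, a financial total (the sum of a monetary field) and a hash total (the sum of a numeric field that has no business meaning, such as account numbers). The script below is an added example, not code from the page; the CSV extracts are constructed so that one record with a 0.00 amount is missing from the import, which a financial total alone would not detect.

```python
"""Control-total reconciliation of an imported extract (added example)."""
import csv
import io
from decimal import Decimal

# Constructed sample extract as it would be supplied from the client's
# database; in practice this is exported by the DBA or read via ODBC.
SOURCE_CSV = """txn_id,account,amount
1001,4711,250.00
1002,4712,-75.50
1003,4711,1200.25
1004,4713,0.00
1005,4714,99.99
"""

# Constructed copy of the same data after import into the audit tool,
# with transaction 1004 (amount 0.00) silently dropped.
IMPORTED_CSV = """txn_id,account,amount
1001,4711,250.00
1002,4712,-75.50
1003,4711,1200.25
1005,4714,99.99
"""


def control_totals(csv_text, amount_field="amount", hash_field="account"):
    """Compute the three classic control totals for a delimited extract.

    record_count - number of detail records
    financial    - sum of a monetary field (what the business reconciles to)
    hash_total   - sum of a non-monetary numeric field; meaningless to the
                   business, but it catches a dropped or substituted record
                   that leaves the financial total unchanged
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {
        "record_count": len(rows),
        "financial": sum(Decimal(r[amount_field]) for r in rows),
        "hash_total": sum(int(r[hash_field]) for r in rows),
    }


def reconcile(source_csv, imported_csv):
    """Compare every control total of source and import.

    Returns the names of the totals that disagree; an empty list is the
    auditor's evidence that the import is complete.
    """
    src = control_totals(source_csv)
    imp = control_totals(imported_csv)
    return [name for name in src if src[name] != imp[name]]


if __name__ == "__main__":
    print("clean import  :", reconcile(SOURCE_CSV, SOURCE_CSV))
    print("lossy import  :", reconcile(SOURCE_CSV, IMPORTED_CSV))
```

With the constructed data the financial totals agree (1474.74 on both sides), so only the record count and the hash total expose the missing row; this is why the hash total is computed even though it has no accounting meaning. Using Decimal rather than float avoids spurious mismatches from binary rounding when summing monetary amounts.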
44. (Area 1) During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:
A. create the procedures document.
Explanation: IS auditors should not prepare documentation, and doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.

45. (Area 1) Which of the following is the GREATEST challenge in using test data?
A. Ensuring the program version tested is the same as the production program

46. (Area 1) In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts.
A. identify and assess the risk assessment process used by management.

47. (Area 1) Which of the following should be of MOST concern to an IS auditor?
A. Lack of reporting of a successful attack on the network

48. (Area 1) During a review of the controls over the process of defining IT service levels, an IS auditor would MOST likely interview the:
A. systems programmer.

49. (Area 1) Which of the following normally would be the MOST reliable evidence for an auditor?
A. A confirmation letter received from a third party verifying an account balance

50. (Area 1) Which of the following BEST describes an integrated test facility?
A. A technique that enables the IS auditor to test a computer application for the purpose of verifying correct processing

51. (Area 1) When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware:
A. of the point at which controls are exercised as data flow through the system.

52. (Area 1) An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The manager had written the password, allocated by the system administrator, inside his/her desk drawer. The IS auditor should conclude that the:
A. manager's assistant perpetrated the fraud.

53. (Area 1) Which audit technique provides the BEST evidence of the segregation of duties in an IS department?
A. Discussion with management

54. (Area 1) During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use:
A. test data to validate data input.
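Measuring the extent of duplication in an existing master file (question 54) is a data-analysis task over the file itself, the kind of job normally run with generalized audit software. The script below is an added example written for this page, not code from the page or from any audit product: it normalizes names and postcodes, folds common first-name variants onto one canonical form through a small nickname table that is an assumption here, and reports the duplicate groups and the number of redundant records. The master-file extract is constructed.

```python
"""Duplicate-customer analysis over a master-file extract (added example)."""
import csv
import io
import re
from collections import defaultdict

# Constructed master-file extract; a real one would be exported from the
# application database through the auditor's generalized audit software.
MASTER_CSV = """cust_id,first_name,last_name,postcode
C001,William,Harris,SW1A 1AA
C002,Bill,Harris,SW1A 1AA
C003,Wm.,HARRIS,sw1a1aa
C004,Robert,Chen,M1 2AB
C005,Rob,Chen,M1 2AB
C006,Elizabeth,Okafor,EH1 3CD
C007,Elizabeth,Okafor,G2 4EF
C008,James,Okafor,EH1 3CD
"""

# Assumed nickname table (illustrative only); a production analysis would
# use a much fuller list and document its source in the workpapers.
NICKNAMES = {
    "bill": "william", "will": "william", "wm": "william",
    "rob": "robert", "bob": "robert",
    "liz": "elizabeth", "beth": "elizabeth",
    "jim": "james", "jimmy": "james",
}


def normalize(text):
    """Lower-case and keep only letters and digits, so that 'HARRIS' and
    'Harris', or 'SW1A 1AA' and 'sw1a1aa', compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def canonical_first(name):
    """Map a first-name variant (Bill, Wm.) onto its canonical form."""
    n = normalize(name)
    return NICKNAMES.get(n, n)


def duplicate_groups(csv_text):
    """Group records by (canonical first name, surname, postcode) and return
    only the groups holding more than one customer id."""
    groups = defaultdict(list)
    for r in csv.DictReader(io.StringIO(csv_text)):
        key = (canonical_first(r["first_name"]),
               normalize(r["last_name"]),
               normalize(r["postcode"]))
        groups[key].append(r["cust_id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def duplication_extent(csv_text):
    """Extent of duplication as (redundant records, total records)."""
    total = sum(1 for _ in csv.DictReader(io.StringIO(csv_text)))
    redundant = sum(len(ids) - 1 for ids in duplicate_groups(csv_text).values())
    return redundant, total


if __name__ == "__main__":
    for key, ids in duplicate_groups(MASTER_CSV).items():
        print(key, "->", ids)
    print("redundant/total:", duplication_extent(MASTER_CSV))
```

The postcode is part of the match key so that two genuinely different customers who share a name (the two Elizabeth Okafor records) are not counted as duplicates; the choice of key fields and the nickname table are judgement calls the auditor should record, because they set the balance between missed duplicates and false matches.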
55. (Area 1) Which of the following would be the BEST population to take a sample from when testing program changes?
A. Test library listings

56. (Area 1) An integrated test facility is considered a useful audit tool because it:
A. is a cost-efficient approach to auditing application controls.

57. (Area 1) To identify the value of inventory that has been kept for more than eight weeks, an IS auditor would MOST likely use:
A. test data.

58. (Area 1) Data flow diagrams are used by IS auditors to:
A. order data hierarchically.

59. (Area 1) Which of the following forms of evidence for the auditor would be considered the MOST reliable?
A. An oral statement from the auditee

60. (Area 1) An IS auditor reviews an organizational chart PRIMARILY for:
A. an understanding of workflows.

61. (Area 1) An IS auditor is performing an audit of a network operating system. Which of the following is a user feature the IS auditor should review?
A. Availability of online network documentation

62. (Area 1) Which of the following steps would an IS auditor normally perform FIRST in a data center security review?
A. Evaluate physical access test results.

63. (Area 1) An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:
A. evaluate the record retention plans for off-premises storage.

64. (Area 1) Which of the following is an advantage of an integrated test facility (ITF)?
A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.

65. (Area 1) Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?
A. Integrated test facility (ITF)

66. (Area 1) An IS auditor evaluates the test results of a modification to a system that deals with payment computation. The auditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit?
A. Design further tests of the calculations that are in error.

67. (Area 1) The BEST method of proving the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs.

68. (Area 1) An IS auditor performing a review of an application's controls would evaluate the:
A. efficiency of the application in meeting the business processes.

69. (Area 1) When communicating audit results, IS auditors should remember that ultimately they are responsible to:
A. senior management and/or the audit committee.

70. (Area 1) Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should:
A. include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.

71. (Area 1) During an implementation review of a multiuser distributed application, the IS auditor finds minor weaknesses in three areas: the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:
A. record the observations separately with the impact of each of them marked against each respective finding.

72. (Area 1) The traditional role of an IS auditor in a control self-assessment (CSA) should be that of:
A. facilitator.

73. (Area 1) An IS auditor reviewing the effectiveness of IT controls found a prior audit report, without workpapers. How should the IS auditor proceed?
A. Suspend the audit until work papers are available.

74. (Area 1) When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. controls needed to mitigate risks are in place.

75. (Area 1) In cases where there is disagreement, during an exit interview, regarding the impact of a finding, the IS auditor should:
A. ask the auditee to sign a release form accepting full legal responsibility.

76. (Area 1) The success of control self-assessment (CSA) highly depends on:
A. having line managers assume a portion of the responsibility for control monitoring.

77. (Area 1) To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on each audit.

78. (Area 1) In an audit of an inventory application, which approach would provide the BEST evidence that purchase orders are valid?
A. Testing whether inappropriate personnel can change application parameters

79. (Area 1) An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:
A. the probability of error must be objectively quantified.

80. (Area 1) Which of the following online auditing techniques is most effective for the early detection of errors or irregularities?
A. Embedded audit module

81. (Area 1) When assessing the design of network monitoring controls, an IS auditor should FIRST review network:
A. topology diagrams.

82. (Area 1) While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's next step?
A. Observe the response mechanism.

83. (Area 2) An IT steering committee should review information systems PRIMARILY to assess:
A. whether IT processes support business requirements.

84. (Area 2) The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
A. a lack of investment in technology.

85. (Area 2) Which of the following is a function of an IS steering committee?
A. Monitoring vendor-controlled change control and testing

86. (Area 2) An IS steering committee should:
A. include a mix of members from different departments and staff levels.

87. (Area 2) Involvement of senior management is MOST important in the development of:
A. strategic plans.

88. (Area 2) Effective IT governance will ensure that the IT plan is consistent with the organization's:
A. business plan.

89. (Area 2) Establishing the level of acceptable risk is the responsibility of:
A. quality assurance management.

90. (Area 2) IT governance is PRIMARILY the responsibility of the:
A. chief executive officer.

91. (Area 2) From a control perspective, the key element in job descriptions is that they:
A. provide instructions on how to do the job and define authority.

92. (Area 2) Which of the following would BEST provide assurance of the integrity of new staff?
A. Background screening

93. (Area 2) Which of the following would be a compensating control to mitigate risks resulting from an inadequate segregation of duties?
A. Sequence check

94. (Area 2) When an employee is terminated from service, the MOST important action is to:
A. hand over all of the employee's files to another designated employee.

95. (Area 2) The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:
A. financial results.

96. (Area 2) The general ledger setup function in an enterprise resource planning (ERP) system allows for setting accounting periods. Access to this function has been permitted to users in finance, the warehouse and order entry. The MOST likely reason for such broad access is the:
A. need to change accounting periods on a regular basis.

97. (Area 2) Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
A. ensure the employee maintains a good quality of life, which will lead to greater productivity.

98. (Area 2) A local area network (LAN) administrator normally would be restricted from:
A. having end-user responsibilities.

99. (Area 2) A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and:
A. the length of service since this will help ensure technical competence.

100. (Area 2) An IS auditor should be concerned when a telecommunication analyst:
A. monitors systems performance and tracks problems resulting from program changes.

101. (Area 2) Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services.

102. (Area 2) To support an organization's goals, the IS department should have:
A. a low-cost philosophy.

103. (Area 2) In reviewing the IS short-range (tactical) plan, the IS auditor should determine whether:
A. there is an integration of IS and business staffs within projects.

104. (Area 2) Which of the following would an IS auditor consider the MOST relevant to short-term planning for the IS department?
A. Allocating resources

105. (Area 2) Which of the following goals would you expect to find in an organization's strategic plan?
A. Test a new accounting package.

106. (Area 2) Which of the following would an IS auditor consider to be the MOST important when evaluating an organization's IS strategy? That it:
A. has been approved by line management.

107. (Area 2) An IS auditor reviewing an organization's IT strategic plan should FIRST review:
A. the existing IT environment.

108. (Area 2) When reviewing IS strategies, the IS auditor can BEST assess whether IS strategy supports the organization's business objectives by determining if IS:
A. has all the personnel and equipment it needs.

109. (Area 2) The advantage of a bottom-up approach to the development of organizational policies is that the policies:
A. are developed for the organization as a whole.

110. (Area 2) Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
A. User management coordination does not exist.

111. (Area 2) The PRIMARY objective of an audit of IT security policies is to ensure that:
A. they are distributed and available to all staff.

112. (Area 2) The rate of change in technology increases the importance of:
A. outsourcing the IS function.

113. (Area 2) An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that:
A. this lack of knowledge may lead to unintentional disclosure of sensitive information.

114. (Area 2) When an information security policy has been designed, it is MOST important that the information security policy be:
A. stored offsite.

115. (Area 2) The development of an IS security policy is ultimately the responsibility of the:
A. IS department.

116. (Area 2) Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?
A. Response

117. (Area 2) Which of the following should be included in an organization's IS security policy?
A. A list of key IT resources to be secured

118. (Area 2) Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications

119. (Area 2) The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
A. Utilization of an intrusion detection system to report incidents

120. (Area 2) Which of the following is the MOST critical for the successful implementation and maintenance of a security policy?
A. Assimilation of the framework and intent of a written security policy by all appropriate parties

121. (Area 2) A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:
A. recovery.

122. (Area 2) In an organization where an IT security baseline has been defined, the IS auditor should FIRST ensure:
A. implementation.

123. (Area 2) To ensure an organization is complying with privacy requirements, the IS auditor should FIRST review:
A. the IT infrastructure.

124. (Area 2) IT control objectives are useful to IS auditors, as they provide the basis for understanding the:
A. desired result or purpose of implementing specific control procedures.

125. (Area 2) The initial step in establishing an information security program is the:
A. development and implementation of an information security standards manual.

126. (Area 2) An IS auditor performing a general controls review of IS management practices relating to personnel should pay particular attention to:
A. mandatory vacation policies and compliance.

127. (Area 2) An organization acquiring other businesses continues using its legacy EDI systems and uses three separate value-added network (VAN) providers. No written VAN agreements exist. The IS auditor should recommend that management:
A. obtains independent assurance of the third-party service providers.

128. (Area 2) Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?
A. Ensuring that invoices are paid to the provider

129. (Area 2) Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and assist his/her company in implementing a complementary plan.

130. (Area 2) A probable advantage to an organization that has outsourced its data processing services is that:
A. needed IS expertise can be obtained from the outside.

131. (Area 2) An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:
A. hardware configuration.

132. (Area 2) When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?
A. There could be a question with regards to the legal jurisdiction.

133. (Area 2) An organization has outsourced its software development. Which of the following is the responsibility of the organization's IT management?
A. Paying for provider services

134. (Area 2) An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?
A. References from other customers

135. (Area 2) The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:
A. destruction policy.

136. (Area 2) The output of the risk management process is an input for making:
A. business plans.

137. (Area 2) An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. Which would be the next task?
A. Report the risks to the CIO and CEO immediately.

138. (Area 2) Which of the following is a mechanism for mitigating risks?
A. Security and control practices

139. (Area 2) When developing a risk management program, the FIRST activity to be performed is a(n):
A. threat assessment.

140. (Area 2) A team conducting a risk analysis is having
difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should: A. compute the amortization of the related assets. The correct answer is: You did not answer the question. Explanation: Area: 2 141. The lack of adequate security controls represents a(n): A. threat. The correct answer is: You did not answer the question. Explanation: Area: 2 142. Which of the following is the PRIMARY objective of an IT performance measurement process? A. Minimize errors. The correct answer is: You did not answer the question. Explanation: Area: 2 143. Which of the following would provide a
mechanism whereby IS management can determine if the activities of the organization have deviated from the planned or expected levels? A. Quality management The correct answer is: You did not answer the question. Explanation: Area: 2 144. As an outcome of information security governance, strategic alignment provides: A. security requirements driven by enterprise requirements. The correct answer
is: You did not answer the question. Explanation: Area: 2 145. In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model? A.
Optimized The correct answer is: You did not answer the question. Explanation: Area: 2 146. Which of the following IT governance best practices improves strategic alignment? A. Supplier and partner risks are managed. The correct answer is: You did not answer the question. Explanation: Area: 2 147. Effective IT governance requires organizational structures and processes to ensure that: A. the
organization’s strategies and objectives extend the IT strategy. The correct answer is: You did not answer the question. Explanation: Area: 2 148. Assessing IT risks is BEST achieved by: A. evaluating threats associated with existing IT assets and IT projects. The correct answer
is: You did not answer the question. Explanation: Area: 2 149. When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control? A. Restricting physical access
to computing equipment The correct answer is: You did not answer the question. Explanation: Area: 2 150. Giving responsibility to business units for the development of applications would MOST likely lead to: A. significantly reduced data communications needs. The correct answer is: You did not answer the question. Explanation: Area: 2 151. A top-down approach to the development of operational policies will help ensure: A. that they
are consistent across the organization. The correct answer is: You did not answer the question. Explanation: Area: 2 152. An IS auditor reviewing an organization that uses cross-training practices should assess the risk of: A. dependency on a single person. The correct answer is: You did not answer the question. Explanation: Area: 2 153. Which of the following controls would an IS auditor look for in an environment where
duties cannot be appropriately segregated? A. Overlapping controls The correct answer is: You did not answer the question. Explanation: Area: 2 154. Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation? A. Time zone differences could impede communications between IT teams. The correct answer is: You did not answer the question. Explanation: Area: 2 155. To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses? A. O/S and hardware refresh frequencies The correct answer is: You did not answer the question. Explanation: Area: 2 156. When an organization is outsourcing their information security function, which of the following should be kept in the organization? A. Accountability for the corporate security policy The correct answer is: You did not answer the question. Explanation: Area: 2 157. Which of the following reduces the
potential impact of social engineering attacks? A. Compliance with regulatory requirements The correct answer is: You did not answer the question. Explanation: Area: 2 158. Which of the following provides the best evidence of the adequacy of a security awareness program? A. The number of stakeholders including employees trained at various levels The correct answer is: You did not answer the question. Explanation: Area: 2 159. When auditing the proposed acquisition of a new computer system, the IS auditor should FIRST establish that: A. a clear business case has been approved by management. The correct answer is: You did not answer the question. Explanation: Area: 3 160. The quality assurance group is typically responsible for: A. ensuring that the output received from system processing is complete. The correct answer is: You did not answer the question. Explanation: Area: 3 161. Which of the following risks could result from inadequate software baselining? A. Scope creep The correct answer is: You did not answer the question. Explanation: Area: 3 162. Which of the following would be the MOST likely to ensure that business requirements are met during software development? A. Adequate training The correct answer is: You did not answer the question. Explanation: Area: 3 163. The request for proposal (RFP) for the acquisition of an application system would MOST likely be approved by the: A. project steering committee. The correct answer is: You did not answer the question. Explanation: Area: 3 164. Procedures to prevent scope creep should be baselined in which of the following systems development life cycle (SDLC) phases? A. Development The correct answer is: You did not answer the question. Explanation: Area: 3 165. Assumptions while planning an IS project involve a high degree of risk because they are: A. based on known constraints. The correct answer is: You did not answer the question. Explanation: Area: 3 166. 
Which of the following is a strength of the program evaluation review technique (PERT) over other techniques? PERT: A. considers different scenarios for planning and control projects. The correct answer is: You did not answer the question. Explanation: Area: 3 167. The most common reason for the failure of
information systems to meet the needs of users is that: A. user needs are constantly changing. The correct answer is: You did not answer the question. Explanation: Area: 3 168. Which of the following groups should assume ownership of a systems development project and the resulting system? A. User management The correct answer is: You did not answer the question. Explanation: Area: 3 169. When reviewing a system development project at the project initiation stage, an IS auditor finds that the project team is following the organization’s quality manual. To meet critical deadlines the project team proposes to fast track the
validation and verification processes, commencing some elements before the previous deliverable is complete. Under these circumstances, the IS auditor would MOST likely: A. report this as a critical finding to senior management. The correct answer is: You did not answer the question. Explanation: Area: 3 170. Which of the following groups/individuals should assume overall direction and responsibility for costs and timetables of system development projects? A. User management The
correct answer is: You did not answer the question. Explanation: Area: 3 171. In planning a software development project, which of the following is the MOST difficult to determine? A. Project slack times The correct answer
is: You did not answer the question. Explanation: Area: 3 172. The PRIMARY reason for separating the test and development environments is to: A. restrict access to systems under test. The correct answer is: You did not answer the question. Explanation: Area: 3 173. An employee is responsible for updating daily the interest rates in a finance application, including interest rate
exceptions for preferred customers. Which of the following is the BEST control to ensure that all rate exceptions are approved? A. A supervisor must enter his/her password before a rate exception is validated. The correct answer is: You did not answer the question. Explanation: Area: 3 174. An enterprise has
established a steering committee to oversee its e-business program. The steering committee would MOST likely be involved in the: A. documentation of requirements. The correct answer is: You did not answer the question. Explanation: Area: 3 175. Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of
the following techniques would provide the GREATEST assistance in developing an estimate of project duration? A. Function point analysis The correct answer is: You did not answer the question. Explanation: Area: 3 176. An existing system is being extensively enhanced by extracting and reusing design and program components. This is an example of: A. reverse engineering. The
correct answer is: You did not answer the question. Explanation: Area: 3 177.
The reason for establishing a stop or freezing point on the design of a new system is to: A. prevent further changes to a project in process. The correct answer is: You did not answer the question. Explanation: Area: 3 178. The use of a GANTT chart can: A. aid in scheduling project tasks. The correct answer is: You did not answer the question. Explanation: Area: 3 179. Change control for business application systems being developed using prototyping could be complicated by the: A. iterative nature of prototyping. The correct answer is: You did not answer the question. Explanation: Area: 3 180. Which of the following is a control weakness that can jeopardize a system replacement project? A. The project initiation document has not been updated to reflect changes in the system scope. The correct answer is: You did not answer the question. Explanation: Area: 3 181. The IS auditor
finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could the IS auditor use to estimate the size of the development effort? A. Program evaluation review technique (PERT) The correct answer is: You did not answer the question. Explanation: Area: 3 182. Which of the following phases represents the optimum point for software baselining to occur? A. Testing The correct answer is: You did not answer the question. Explanation: Area: 3 183. A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not adequately performing which of the following types of testing? A. Unit testing The correct answer is: You did not answer the question. Explanation: Area: 3 184. Which of the following situations would increase the likelihood of fraud? A. Application programmers are implementing changes to production programs. The correct
answer is: You did not answer the question. Explanation: Area: 3 185. The responsibility for designing, implementing and maintaining a system of internal control lies with: A. the IS auditor. The correct answer is: You did not answer the question. Explanation: Area: 3 186. A data validation edit that matches input data to an occurrence rate is a: A. limit check. The correct answer is: You did not answer the question. Explanation: Area: 3 187.
The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure: A. integrity. The correct answer is: You did not answer the question. Explanation: Area: 3 188. Before implementing controls, management should FIRST ensure that the controls: A. satisfy a requirement in addressing a risk issue. The correct answer is: You did not answer the question. Explanation: Area: 3 189. To make an electronic funds transfer (EFT), one employee enters the amount field and another employee reenters the same data again, before the money is transferred. The control adopted by the organization in this case is: A. sequence check. The correct answer
is: You did not answer the question. Explanation: Area: 3 190. Information for detecting unauthorized input from a terminal would be BEST provided by the: A. console log printout. The correct answer is: You did not answer the question. Explanation: Area: 3 191. Which of the following is a check (control) for completeness? A. Check digits The correct answer is: You did not answer the question. Explanation: Area: 3 192. Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks? A. Check digit The correct answer is: You did not answer the question. Explanation: Area: 3 193. Which of the following types of controls is designed to provide the ability to verify data and record values through the stages of application
processing? A. Range checks The correct answer is: You did not answer the question. Explanation: Area: 3 194. The editing/validation of data entered at a remote site would be performed MOST effectively at the: A. central processing site after running the application system. The correct answer is: You did not answer the question. Explanation: Area: 3 195. To reduce the possibility of losing
data during processing, the FIRST point at which control totals should be implemented is: A. during data preparation. The correct answer is: You did not answer the question. Explanation: Area: 3 196. Functional acknowledgements are used: A. as an audit trail for EDI transactions. The correct answer is: You did not answer the question. Explanation: Area: 3 197. The impact of EDI on internal
controls will be: A. that fewer opportunities for review and authorization will exist. The correct answer is: You did not answer the question. Explanation: Area: 3 198. Which of the following is
MOST effective in controlling application maintenance? A. Informing users of the status of changes The correct answer is: You did not answer the question. Explanation: Area: 3 199. A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, the IS auditor should recommend the inclusion of: A. validation controls. The correct answer is: You did not answer the question. Explanation: Area: 3 200. In a data warehouse, data quality is achieved by: A. cleansing. The correct answer is: You did not answer the question. Explanation: Area: 3 201. Sales orders are automatically numbered sequentially at each of a retailer’s multiple outlets. Small orders are processed directly at the outlets, with large orders sent to a central production facility. The MOST appropriate control to ensure that all orders transmitted to production are received and processed would be to: A. send and reconcile transaction counts and totals. The correct answer is: You did not answer the question. Explanation: Area: 3 202. Using test data as part of a
comprehensive test of program controls in a continuous online manner is called a(n): A. test data/deck. The correct answer is: You did not answer the question. Explanation: Area: 3 203. Which of the following ensures completeness and
accuracy of accumulated data? A. Processing control procedures The correct answer is: You did not answer the question. Explanation: Area: 3 204. A control that detects transmission errors by appending calculated bits onto the
end of each segment of data is known as a: A. reasonableness check. The correct answer is: You did not answer the question. Explanation: Area: 3 205. Which of the following integrity tests examines the accuracy, completeness, consistency and authorization of data? A. Data The correct answer is: You did not answer the question. Explanation: Area: 3 206. Which of the following data validation edits is effective in detecting transposition and transcription errors? A. Range check The correct answer is: You did not answer the question. Explanation: Area: 3 207. Which of the following is the GREATEST risk when implementing a data warehouse? A. Increased response time on the production systems The correct answer
is: You did not answer the question. Explanation: Area: 3 208. An IS auditor performing a review of the IS department discovers that formal project approval procedures do not exist. In the absence of these procedures, the IS manager has been arbitrarily approving projects that can be completed in a short duration and referring other, more
complicated projects to higher levels of management for approval. The IS auditor should recommend as a FIRST course of action that: A. users participate in the review and approval process. The correct answer is: You did not answer the question. Explanation: Area: 3 209. Which of the following is critical to the selection and
acquisition of the correct operating system software? A. Competitive bids The correct answer is: You did not answer the question. Explanation: Area: 3 210. A manufacturing firm wants to automate its invoice payment system. Objectives state that the system should require considerably less time for review and authorization and the system should be capable of identifying errors that require follow up. Which of the following would BEST meet
these objectives? A. Establishing an inter-networked system of client servers with suppliers for increased efficiencies The
correct answer is: You did not answer the question. Explanation: Area: 3 211. An IS auditor is told by IS management that the organization has recently reached the highest level of the software capability maturity model (CMM). The software quality process MOST recently added by the organization is: A. continuous improvement. The correct answer is: You did not answer the question. Explanation: Area: 3 212. Which of the following is often an advantage of using prototyping for systems development? A. The finished system will have adequate controls. The correct answer is: You did not answer the question. Explanation: Area: 3 213. An IS auditor that participates in the testing stage of a software development project establishes that the individual modules perform correctly. The IS auditor should: A. conclude that the individual modules running as a group will be correct. The correct answer is: You did not answer the question. Explanation: Area: 3 214. During the audit of an acquired software package, the IS auditor learned that the software purchase was based on information obtained through the Internet, rather than from responses to a request
for proposal (RFP). The IS auditor should FIRST: A. test the software for compatibility with existing hardware. The correct answer is: You did not answer the question. Explanation: Area: 3 215. Who of the following is ultimately responsible for
providing requirement specifications to the software development project team? A. Team leader The correct answer is: You did not answer the question. Explanation: Area: 3 216. Failure in which of the following testing stages would have the GREATEST impact on the implementation of new application software? A. System testing The correct
answer is: You did not answer the question. Explanation: Area: 3 217. Regression testing is the process of testing a program to determine if: A.
the new code contains errors. The correct answer is: You did not answer the question. Explanation: Area: 3 218. A debugging tool, which reports on the sequence of steps executed by a program, is called a(n): A. output analyzer. The correct answer is: You did not answer the question. Explanation: Area: 3 219. Which of the following Capability Maturity Model levels ensures achievement of basic project management controls? A.
Repeatable (level 2) The correct answer is: You did not answer the question. Explanation: Area: 3 220. An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE? A. Controls the proliferation of multiple versions of programs The correct answer is: You did not answer the question. Explanation: Area: 3 221. When selecting software, which of the following business and technical issues is the MOST
important to be considered? A. Vendor reputation The correct answer is: You did not answer the question. Explanation: Area: 3 222. Which of the following facilitates program maintenance? A. More cohesive and loosely coupled programs The correct answer
is: You did not answer the question. Explanation: Area: 3 223. What data should be used for regression testing? A. Different data than used in the previous test The correct answer is: You did not answer the question. Explanation: Area: 3 224. During unit testing, the test strategy applied is: A. black box. The correct answer is: You did not answer the question. Explanation: Area: 3 225. Which of the following is the most important element
in the design of a data warehouse? A. Quality of the metadata The correct answer is: You did not answer the question. Explanation: Area: 3 226. Ideally, stress testing should be carried out in a: A. test environment using test data. The correct answer is: You did not answer the question. Explanation: Area: 3 227. Which of the following represents a typical prototype of an interactive application? A. Screens and process programs The
correct answer is: You did not answer the question. Explanation: Area: 3 228. Which of the following is an object-oriented technology characteristic
that permits an enhanced degree of security over data? A. Inheritance The correct answer is: You did not answer the question. Explanation: Area: 3 229. Which of the following BEST describes the objectives of following a standard system development methodology? A. To ensure that appropriate staffing is assigned and to provide a method of controlling costs and schedules The correct answer is: You did not answer the question. Explanation: Area: 3 230. Which of the following is a dynamic analysis tool for the purpose of testing software modules? A. Black box test The correct answer is: You did not answer the question. Explanation: Area: 3 231. The primary purpose of a system test is to: A. test the generation of the designed control totals. The correct answer is: You did not answer the question. Explanation: Area: 3 232. The phases and deliverables of a system development life cycle (SDLC) project should be determined: A. during the initial planning stages of the project. The correct answer is: You did not answer the question. Explanation: Area: 3 233. Which of
the following is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality? A. Function point analysis The correct answer is: You did not answer the question. Explanation: Area: 3 234. When implementing an
application software package, which of the following presents the GREATEST risk? A. Uncontrolled multiple software versions The correct answer is: You did not answer the question. Explanation: Area: 3 235. Which of the following is an advantage of prototyping? A. The finished system normally has strong internal controls. The correct answer is: You did not answer the question. Explanation: Area: 3 236. The use of fourth-generation languages (4GLs) should be weighed carefully against using traditional languages, because 4GLs: A. can lack the lower-level detail commands necessary to perform data intensive operations. The correct answer is: You did not answer the question. Explanation: Area: 3 237. A decision support system (DSS): A. is aimed at solving highly structured problems. The correct answer is: You did not answer the question. Explanation: Area: 3 238. An advantage of using sanitized live transactions in test data is that: A. all transaction types will be included. The correct answer is: You did not answer the question. Explanation: Area: 3 239. An IS auditor’s PRIMARY concern when application developers wish to use a copy of yesterday’s production transaction file for volume tests is that: A. users may prefer to use contrived data for
testing. The correct answer is: You did not answer the question. Explanation: Area: 3 240. Which of the following is the PRIMARY purpose for conducting parallel testing? A. To determine if the system is cost-effective The correct answer is: You did not answer the question. Explanation: Area: 3 241. If an
application program is modified and proper system maintenance procedures are in place, which of the following should be tested? The: A. integrity of the database. The correct answer is: You did not answer the question. Explanation: Area: 3 242. The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as: A. rules. The correct answer is: You did not answer the question. Explanation: Area: 3 243. Peer reviews to detect software errors during a program development activity are called: A. emulation techniques. The
correct answer is: You did not answer the question. Explanation: Area: 3 244. Testing the connection of two or more system components that pass information from one area to another is: A. pilot testing. The correct answer is: You did not answer the question. Explanation: Area: 3 245. An advantage in using a bottom-up vs. a top-down approach to software testing is that: A. interface errors are detected earlier. The correct answer is: You did not answer the question. Explanation: Area: 3 246. Which of the following is MOST likely to occur when a system development project is in the middle of the programming/coding phase? A. Unit tests The correct answer is: You did not answer the question. Explanation: Area: 3 247. A distinguishing feature of fourth-generation languages (4GLs) is portability, which means? A. Environmental independence The correct answer is: You did not answer the question. Explanation: Area: 3 248. During which of the following phases in system development would user acceptance test plans normally be prepared? A. Feasibility study The correct answer is: You did not answer the question. Explanation: Area: 3 249. The use of object-oriented design and development techniques would MOST likely: A. facilitate the ability to reuse modules. The correct answer is: You did not answer the question. Explanation: Area: 3 250. Which of the following development methods most heavily relies on the usage of a prototype that can be updated continually to meet changing user or business requirements? A.
Data-oriented system development (DOD) The correct answer is: You did not answer the question. Explanation: Area: 3 251. Which of the following should be included in a feasibility study for a project to
implement an EDI process? A. The encryption algorithm format The correct answer is: You did not answer the question. Explanation: Area: 3 252. When reviewing the quality of an IS department’s development process, the IS auditor finds that he/she does not use any formal, documented
methodology and standards. The IS auditor’s MOST appropriate action would be to: A. complete the audit and report the finding. The correct answer is: You did not answer the question. Explanation: Area: 3 253. Which of the following testing methods is MOST effective during the initial phases of prototyping? A. System The correct answer is: You did not answer the question. Explanation: Area: 3 254. When a new system is to be implemented within a short time frame, it is MOST
important to: A. finish writing user manuals. (Area: 3)
255. An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that: A. a backup server be available to run ETCS operations with up-to-date data. (Area: 3)
256. The MOST likely explanation for the use of applets in an Internet application is that: A. it is sent over the network from the server. (Area: 3)
257. A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing in-house-developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern? A. Acceptance testing is to be managed by users. (Area: 3)
258. The purpose of debugging programs is to: A. generate random data that can be used to test programs before implementing them. (Area: 3)
259. The difference between white box testing and black box testing is that white box testing: A. involves the IS auditor. (Area: 3)
260. Which is the first software capability maturity model (CMM) level to include a standard software development process? A. Initial (level 1) (Area: 3)
261. Which of the following tasks occurs during the research stage of the benchmarking process? A. Critical processes are identified. (Area: 3)
262. Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card? A. Intrusion detection systems (Area: 3)
263. A data warehouse is: A. object-oriented. (Area: 3)
264. Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the: A. existence of a set of functions and their specified properties. (Area: 3)
265. The MAJOR concern for an IS auditor reviewing a CASE environment should be that the use of CASE does not automatically: A. result in a correct capture of requirements. (Area: 3)
266. During the development of an application, the quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be: A. increased maintenance. (Area: 3)
267. An organization planning to purchase a software package asks the IS auditor for a risk assessment. Which of the following is the MAJOR risk? A. Unavailability of the source code (Area: 3)
268. The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it: A. facilitates user involvement. (Area: 3)
269. An IS auditor reviewing a proposed application software acquisition should ensure that the: A. operating system (OS) being used is compatible with the existing hardware platform. (Area: 3)
270. When implementing an acquired system in a client-server environment, which of the following tests would confirm that the modifications in the Windows registry do not adversely impact the desktop environment? A. Sociability testing (Area: 3)
271. The GREATEST benefit in implementing an expert system is the: A. capturing of the knowledge and experience of individuals in an organization. (Area: 3)
272. Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems? A. Parallel testing (Area: 3)
273. At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should: A. report the error as a finding and leave further exploration to the auditee’s discretion. (Area: 3)
274. Good quality software is BEST achieved: A. through thorough testing. (Area: 3)
275. Which of the following is an implementation risk within the process of decision support systems? A. Management control (Area: 3)
276. An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk? A. Pilot (Area: 3)
277. When auditing the conversion of an accounting system, an IS auditor should verify the existence of a: A. control total check. (Area: 3)
278. An IS auditor performing an application maintenance audit would review the log of program changes for the: A. authorization of program changes. (Area: 3)
279. During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely: A. review access control configuration. (Area: 3)
280. An objective of a postimplementation review of a new or extensively modified business application system is to: A. determine whether test data covered all scenarios. (Area: 3)
281. Which of the following is used to ensure that batch data is completely and accurately transferred between two systems? A. Control total (Area: 3)
282. In an electronic fund transfer (EFT) system, which of the following controls would be useful in detecting a duplication of messages? A. Message authentication code (Area: 3)
283. Which of the following data validation edits could be used by a bank to ensure the correctness of bank account numbers assigned to customers, thereby helping to avoid transposition and transcription errors? A. Sequence check (Area: 3)
284. During an application audit, the IS auditor finds several problems related to corrupted data in the database. Which of the following is a corrective control that the IS auditor should recommend? A. Implement data backup and recovery procedures. (Area: 3)
285. An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation? A. Log all table update transactions. (Area: 3)
286. A financial institution is using an expert system for managing credit limits. An IS auditor reviewing the system should be MOST concerned with the: A. validation of data inputs into the system. (Area: 3)
287. Responsibility and reporting lines cannot always be established when auditing automated systems since: A. diversified control makes ownership irrelevant. (Area: 3)
288. When assessing the portability of a database application, the IS auditor should verify that: A. a structured query language (SQL) is used. (Area: 3)
289. In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as: A. isolation. (Area: 3)
290. Which of the following would help to ensure the portability of an application connected to a database? The: A. verification of database import and export procedures. (Area: 3)
291. A single digitally signed instruction was given to a financial institution to credit a customer’s account. The financial institution received the instruction three times and credited the account three times. Which of the following would be the MOST appropriate control against such multiple credits? A. Encrypting the hash of the payment instruction with the public key of the financial institution (Area: 3)
292. Business units are concerned about the performance of a newly implemented system. Which of the following should the IS auditor recommend? A. Develop a baseline and monitor system usage. (Area: 3)
293. In an artificial intelligence system, access to which of the following components should be strictly controlled? A. Inference engine (Area: 3)
294. A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be the IS auditor’s main concern about the new process? A. Are key controls in place to protect assets and information resources? (Area: 3)
295. An IS auditor assigned to audit a reorganized process should FIRST review which of the following? A. A map of existing controls (Area: 3)
296. An IS auditor evaluating data integrity in a transaction-driven system environment should review atomicity to determine whether: A. the database survives failures (hardware or software). (Area: 3)
297. A retail company recently installed data warehousing client software at geographically diverse sites. Due to time zone differences between the sites, updates to the warehouse are not synchronized. Which of the following will be affected the MOST? A. Data availability (Area: 3)
298. A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the corresponding products are produced? A. Verifying production to customer orders (Area: 3)
299. As a business process reengineering (BPR) project takes hold, it is expected that: A. business priorities will remain stable. (Area: 3)
300. Which of the following is the FIRST thing an IS auditor should do after the discovery of a Trojan horse program in a computer system? A. Investigate the author. (Area: 3)
301. A programmer included a routine in a payroll application to search for his/her own payroll number. As a result, if this payroll number does not appear during the payroll run, a routine will generate and place random numbers onto every paycheck. This routine is known as: A. scavenging. (Area: 3)
302. When two or more systems are integrated, input/output controls must be reviewed by the IS auditor in the: A. systems receiving the output of other systems. (Area: 3)
303. An IS auditor who has discovered unauthorized transactions during a review of EDI transactions is likely to recommend improving the: A. EDI trading partner agreements. (Area: 3)
304. A tax calculation program maintains several hundred tax rates. The BEST control to ensure that tax rates entered into the program are accurate is: A. an independent review of the transaction listing. (Area: 3)
305. An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: A. check to ensure that the type of transaction is valid for the card type. (Area: 3)
306. A company has recently upgraded its purchase system to incorporate EDI transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping? A. Key verification (Area: 3)
307. Which of the following is a control to compensate for a programmer having access to accounts payable production data? A. Processing controls such as range checks and logic edits (Area: 3)
308. Once an organization has finished the business process reengineering (BPR) of all its critical operations, the IS auditor would MOST likely focus on a review of: A. pre-BPR process flowcharts. (Area: 3)
309. An IS auditor performing a review of the EFT operations of a retailing company would verify that the customer’s credit limit is checked before funds are transferred by reviewing the EFT: A. system’s interface. (Area: 3)
310. A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy: A. payroll reports should be compared to input forms. (Area: 3)
311. Prices are charged on the basis of a standard master file rate that changes as the volume increases. Any exceptions must be manually approved. What is the MOST effective automated control to help ensure that all price exceptions are approved? A. All amounts are displayed back to the data entry clerk, who must verify them visually. (Area: 3)
312. Which of the following represents the GREATEST potential risk in an EDI environment? A. Transaction authorization (Area: 3)
313. Which of the following is the MOST critical and contributes the MOST to the quality of data in a data warehouse? A. Accuracy of the source data (Area: 3)
314. After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend? A. Stress (Area: 3)
315. Which of the following is the FIRST step in a business process reengineering (BPR) project? A. Defining the areas to be reviewed (Area: 3)
316. During a postimplementation review, which of the following tools would an IS auditor use to get a picture of the internal memory’s content at different stages in the program execution? A. Memory dump (Area: 3)
317. Which of the following activities should an IS auditor perform to evaluate the reliability of software? A. Review the number of failed login attempts. (Area: 3)
318. Which of the following would be a risk specifically associated with the agile development process? A. Lack of documentation (Area: 3)
319. By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that: A. reliable products are guaranteed. (Area: 3)
320. Which of the following will BEST ensure the successful offshore development of business applications? A. Stringent contract management practices (Area: 3)
321. When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST? A. The project budget (Area: 3)
322. An IS auditor reviewing a project where quality is a major concern should use the project management triangle to explain that a(n): A. increase in quality can be achieved, even if resource allocation is decreased. (Area: 3)
323. The PRIMARY benefit of integrating total quality management (TQM) into a software development project is: A. comprehensive documentation. (Area: 3)
324. Which of the following is a characteristic of timebox management? It: A. is not suitable for prototyping or rapid application development (RAD). (Area: 3)
325. The waterfall life cycle model of software development is most appropriately used when: A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate. (Area: 3)
326. An IS auditor is conducting a review of an application system after users have completed acceptance testing. What should be the IS auditor’s major concern? A. Determining whether test objectives were documented (Area: 3)
327. Which of the following is MOST critical when creating data for testing the logic in a new or modified application system? A. A sufficient quantity of data for each test case (Area: 3)
328. Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects? A. Project database (Area: 3)
329. An organization donating used computers should ensure that: A. the computers were not used to store confidential data. (Area: 3)
330. Documentation of a business case used in an IT development project should be retained until: A. the end of the system’s life cycle. (Area: 3)
331. During the review of a web-based software development project, the IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful: A. buffer overflow. (Area: 3)
332. When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated? A. Use of a cryptographic hashing algorithm (Area: 3)
333. Which of the following reports should an IS auditor use to check compliance with a service level agreement’s (SLA) requirement for uptime? A. Utilization reports (Area: 4)
334. A benefit of quality of service (QoS) is that the: A. entire network’s availability and performance will be significantly improved. (Area: 4)
335. For an online transaction processing system, transactions per second is a measure of: A. throughput. (Area: 4)
336. Which of the following is MOST important when assessing services provided by an Internet service provider (ISP)? A. Performance reports generated by the ISP (Area: 4)
337. Which of the following would normally be found in application run manuals? A. Details of source documents (Area: 4)
338. Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network? A. The use of diskless workstations (Area: 4)
339. An IS auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late-night shift a month as the senior computer operator. The MOST appropriate course of action for the IS auditor is to: A. advise senior management of the risk involved. (Area: 4)
340. An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if: A. the setup is geographically dispersed. (Area: 4)
341. To determine which users can gain access to the privileged supervisory state, which of the following should an IS auditor review? A. System access log files (Area: 4)
342. A Ping command is used to measure: A. attenuation. (Area: 4)
343. Which of the following would an IS auditor consider to be the MOST helpful when evaluating the effectiveness and adequacy of a computer preventive maintenance program? A. A system downtime log (Area: 4)
344. Which of the following is the MOST effective means of determining which controls are functioning properly in an operating system? A. Consulting with the vendor (Area: 4)
345. Capacity monitoring software is used to ensure: A. maximum use of available capacity. (Area: 4)
346. Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious? A. Sensitive data can be read by operators. (Area: 4)
347. Applying a retention date on a file will ensure that: A. data cannot be read until the date is set. (Area: 4)
348. Which of the following can be used to verify output results and control totals by matching them against the input data and control totals? A. Batch header forms (Area: 4)
349. Which of the following would an IS auditor expect to find in a console log? A. Names of system users (Area: 4)
350. A network diagnostic tool that monitors and records network information is a(n): A. online monitor. (Area: 4)
351. Which of the following will help detect changes made by an intruder to the system log of a server? A. Mirroring the system log on another server (Area: 4)
352. During an audit of the tape management system at a data center, an IS auditor discovered that parameters are set to bypass or ignore the labels written on tape header records. The IS auditor also determined that effective staging and job setup procedures were in place. In this situation, the IS auditor should conclude that the: A. tape headers should be manually logged and checked by the operators. (Area: 4)
353. IT operations for a large organization have been outsourced. An IS auditor reviewing the outsourced operation should be MOST concerned about which of the following findings? A. The outsourcing contract does not cover disaster recovery for the outsourced IT operations. (Area: 4)
354. An organization has outsourced IT operations to a service provider. The organization’s IS auditor makes the following observations: Which of the following should the IS auditor recommend be done immediately? A. Improve the backup of critical systems. (Area: 4)
355. Which of the following BEST ensures the integrity of a server’s operating system? A. Protecting the server in a secure location (Area: 4)
356. An IS auditor detected that several PCs connected to the Internet have a low security level that is allowing for the free recording of cookies. This creates a risk because cookies locally store: A. information about the Internet site. (Area: 4)
357. Which of the following is the MOST probable cause for a mail server being used to send spam? A. Installing an open relay server (Area: 4)
358. The MOST significant security concern when using flash memory (e.g., USB removable disk) is that the: A. contents are highly volatile. (Area: 4)
359. The database administrator (DBA) suggests that DB efficiency can be improved by denormalizing some tables. This would result in: A. loss of confidentiality. (Area: 4)
360. Web and e-mail filtering tools are PRIMARILY valuable to an organization because they: A. protect the organization from viruses and nonbusiness materials. (Area: 4)
361. Which of the following is the GREATEST risk related to the monitoring of audit logs? A. Logs are not backed up periodically. (Area: 4)
362. An organization wants to enforce data integrity principles and achieve faster performance/execution in a database application. Which of the following design principles should be applied? A. User (customized) triggers (Area: 4)
363. To share data in a multivendor network environment, it is essential to implement program-to-program communication. With respect to program-to-program communication features that can be implemented in this environment, which of the following makes implementation and maintenance difficult? A. User isolation (Area: 4)
364. An IS auditor is reviewing the database administration (DBA) function to ascertain whether adequate provision has been made for controlling data. The IS auditor should determine that the: A. function reports to data processing operations. (Area: 4)
365. Which of the following is a control over database administration activities? A. A database checkpoint to restart processing after a system failure (Area: 4)
366. To maximize the performance of a large database in a parallel processing environment, which of the following is used for separating indexes? A. Disk partitioning (Area: 4)
367. Which of the following will prevent dangling tuples in a database? A. Cyclic integrity (Area: 4)
368. The objective of concurrency control in a database system is to: A. restrict updating of the database to authorized users. (Area: 4)
369. A referential integrity constraint consists of: A. ensuring the integrity of transaction processing. (Area: 4)
370. Which of the following controls would provide the GREATEST assurance of database integrity? A. Audit log procedures (Area: 4)
371. The database administrator has decided to disable certain normalization controls in the database management system (DBMS) software to provide users with increased query performance. This will MOST likely increase the risk of: A. loss of audit trails. (Area: 4)
372. An independent software program that connects two otherwise separate applications sharing computing resources across heterogeneous technologies is known as: A. middleware. (Area: 4)
373. IS management has recently informed the IS auditor of its decision to disable certain referential integrity controls in the payroll system to provide users with a faster report generator. This will MOST likely increase the risk of: A. data entry by unauthorized users. (Area: 4)
374. Following a reorganization of a company’s legacy database, it was discovered that records were accidentally deleted. Which of the following controls would have MOST effectively detected this occurrence? A. Range check (Area: 4)
375. The method of routing traffic through split-cable facilities or duplicate-cable facilities is called: A. alternative routing. (Area: 4)
376. Which of the following is widely accepted as one of the critical components in networking management? A. Configuration management (Area: 4)
377. An IS auditor needs to link his/her microcomputer to a mainframe system that uses binary synchronous data communications with block data transmission. However, the IS auditor’s microcomputer, as presently configured, is capable of only asynchronous ASCII character data communications. Which of the following must be added to the IS auditor’s computer to enable it to communicate with the mainframe system? A. Buffer capacity and parallel port (Area: 4)
378. The interface that allows access to lower- or higher-level network services is called: A. firmware. (Area: 4)
379. Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions? A. Parity check (Area: 4)
380. Which of the following types of firewalls provides the GREATEST degree and granularity of control? A. Screening router (Area: 4)
381. Which of the following reports is a measure of telecommunication transmissions and determines whether transmissions are completed accurately? A. Online monitor reports (Area: 4)
382. Which of the following is MOST directly affected by network performance monitoring tools? A. Integrity (Area: 4)
383. In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend? A. Automated logging of changes to development libraries (Area: 4)
384. Checking for authorized software baselines is an activity addressed within which of the following? A. Project management (Area: 4)
385. Vendors have released patches fixing security flaws in their software. Which of the following should the IS auditor recommend in this situation? A. Assess the impact of patches prior to installation. (Area: 4)
386. A programmer, using firecall IDs as provided in the manufacturer’s manual, gained access to the production environment and made an unauthorized change. Which of the following could have prevented this from happening? A. Deactivation (Area: 4)
387. One of the purposes of library control software is to allow: A. programmers access to production source and object libraries. (Area: 4)
388. An organization is moving its application maintenance in-house from an outside source. Which of the following should be the main concern of an IS auditor? A. Regression testing (Area: 4)
389. Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized? A. Release-to-release source and object comparison reports (Area: 4)
390. Change management procedures are established by IS management to: A. control the movement of applications from the test environment to the production environment. (Area: 4)
391. Which of the following is a control to detect an unauthorized change in a production environment? A. Denying programmers access to production data (Area: 4)
392. In regard to moving an application program from the test environment to the production environment, the BEST control would be provided by having the: A. application programmer copy the source program and compiled object module to the production libraries. (Area: 4)
393. Utilizing audit software
to compare the object code of two programs is an audit technique used to test program: A. logic. The correct answer is: You did not answer the question. Explanation: Area: 4 394. An IS auditor
reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls? A. Allow changes to be made only with the DBA user account. The correct answer is: You did not answer the question. Explanation: Area: 4 395. Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization’s change control procedures? A. Review software migration records and verify approvals. The correct answer is: You did not answer the question. Explanation: Area: 4 396. An IS auditor reviewing a database application discovers that the current configuration does not match the originally designed structure. Which of the following should
be the IS auditor’s next action? A. Analyze the need for the structural change. The correct answer is: You did not answer the question. Explanation: Area: 4 397. A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity? A. Comparing source code The correct answer is: You did not answer the question. Explanation: Area: 4 398. Which of the following should be done by an IS auditor when a source code comparison indicates modifications were made? A. Determine whether modifications were authorized. The correct answer is: You did not answer the question. Explanation: Area: 4 399. After installing a network, an organization installed a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools? A. Differential reporting The
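Questions 389, 393, 395, 397 and 398 above turn on the difference between comparing code and reviewing the record of changes. The Go program below is an added example, not part of the quiz or of any product it names; the member names, contents, users, timestamps and ticket numbers are constructed for the demonstration. It runs a point-in-time source comparison against an approved baseline of fingerprints, which reports a modification while it is in place but reports nothing once the original code has been put back, and then reviews the library change log, which still holds both unticketed events and so is what lets an auditor establish whether each modification was authorized.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// ChangeEvent is one record of a constructed library change log: who changed
// which member, when, its fingerprint afterwards, and the authorising ticket.
type ChangeEvent struct {
	When, User, Member, After, Ticket string
}

// Fingerprint returns the hex SHA-256 of a source member's contents.
func Fingerprint(contents string) string {
	sum := sha256.Sum256([]byte(contents))
	return hex.EncodeToString(sum[:])
}

// CompareToBaseline is the point-in-time source comparison: members whose
// fingerprint differs from the baseline, missing members, and extra members.
func CompareToBaseline(baseline, current map[string]string) []string {
	var diffs []string
	for name, want := range baseline {
		contents, ok := current[name]
		switch {
		case !ok:
			diffs = append(diffs, name+" (missing)")
		case Fingerprint(contents) != want:
			diffs = append(diffs, name+" (modified)")
		}
	}
	for name := range current {
		if _, ok := baseline[name]; !ok {
			diffs = append(diffs, name+" (unexpected)")
		}
	}
	sort.Strings(diffs) // map order is random; make the report stable
	return diffs
}

// UnauthorizedChanges reviews the log rather than the code: every event with
// no ticket, or a ticket outside the approved set, is returned, whether or
// not the member was later put back.
func UnauthorizedChanges(events []ChangeEvent, approved map[string]bool) []ChangeEvent {
	var flagged []ChangeEvent
	for _, e := range events {
		if e.Ticket == "" || !approved[e.Ticket] {
			flagged = append(flagged, e)
		}
	}
	return flagged
}

// Constructed sample: member names, contents, users and tickets are invented.
const (
	paycalcApproved = "RATE = 1.00\nNET = GROSS * RATE\n"
	paycalcTampered = "RATE = 1.05\nNET = GROSS * RATE\n"
	payprntApproved = "PRINT NET, DATE\n"
)

// The baseline stores fingerprints; PAYPRNT's entry was refreshed under CHG-1042.
var baseline = map[string]string{
	"PAYCALC": Fingerprint(paycalcApproved),
	"PAYPRNT": Fingerprint(payprntApproved),
}

var approvedTickets = map[string]bool{"CHG-1042": true}

// What the library control product logged: an unticketed change to PAYCALC
// at 02:10, its restoration at 02:40, and the ticketed change to PAYPRNT.
var changeLog = []ChangeEvent{
	{"2024-03-02T02:10Z", "prog7", "PAYCALC", Fingerprint(paycalcTampered), ""},
	{"2024-03-02T02:40Z", "prog7", "PAYCALC", Fingerprint(paycalcApproved), ""},
	{"2024-03-04T09:00Z", "prog2", "PAYPRNT", Fingerprint(payprntApproved), "CHG-1042"},
}

// DriftWhileTampered compares production as it stood between 02:10 and 02:40.
func DriftWhileTampered() []string {
	return CompareToBaseline(baseline, map[string]string{"PAYCALC": paycalcTampered, "PAYPRNT": payprntApproved})
}

// DriftAfterRestore compares production after the original code was put back:
// the comparison only sees current state, so it reports nothing.
func DriftAfterRestore() []string {
	return CompareToBaseline(baseline, map[string]string{"PAYCALC": paycalcApproved, "PAYPRNT": payprntApproved})
}

// FlaggedEvents reviews the log: both unticketed PAYCALC events survive.
func FlaggedEvents() []ChangeEvent {
	return UnauthorizedChanges(changeLog, approvedTickets)
}

func main() {
	fmt.Println("while tampered:", DriftWhileTampered(), "after restore:", DriftAfterRestore())
	fmt.Println("unapproved changes:", FlaggedEvents())
}
```

Run with `go run`: the drift list is empty after the restore, while the log review still returns the two prog7 events. The log review is only as good as the log's own protection, so the record has to live where the programmers whose changes it captures cannot alter it.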
correct answer is: You did not answer the question. Explanation: Area: 4 400. The FIRST step in managing the risk of a cyberattack is to: A. assess the vulnerability impact. The correct answer is: You did not answer the question. Explanation: Area: 4 401. Which of the following is the MOST effective method for dealing with the spreading of a network
worm that exploits a vulnerability in a protocol? A. Install the vendor’s security fix for the vulnerability. The correct answer is: You did not answer the question. Explanation: Area: 4 402. Which of the following is the BEST control to detect internal attacks on IT resources? A. Checking of activity logs The correct answer is: You did not answer the question. Explanation: Area: 4 403. Which of the following network components is PRIMARILY set up to serve as
a security measure by preventing unauthorized traffic between different segments of the network? A. Firewalls The correct answer is: You did not answer the question. Explanation: Area: 4 404. To evaluate the referential integrity of a database, an IS auditor should review the: A. composite keys. The correct answer is: You did not answer the question. Explanation: Area: 4 405. Which of the following operating system mechanisms checks each request by a subject (user
process) to access and use an object (e.g., file, device, program) to ensure that the request complies with a security policy? A. Address Resolution Protocol The correct answer is: You did not answer the question. Explanation: Area: 4 406. Which of the following is an operating system access control function? A. Logging user activities The correct answer is: You did not answer the question. Explanation: Area: 4 407. An IS auditor is PRIMARILY
concerned about electromagnetic emissions from a cathode ray tube (CRT) because they may: A. cause health disorders (such as headaches) and diseases. The correct answer is: You did not answer the question. Explanation: Area: 4 408. A company is implementing a dynamic host configuration protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern? A. Most employees use laptops. The correct answer is: You did not answer the question. Explanation: Area: 4 409. An IS auditor is performing a network security
review of a telecom company that provides Internet connection services to shopping malls for their wireless customers. The company uses Wireless Transport Layer Security (WTLS) and Secure Sockets Layer (SSL) technology for protecting their customer’s payment information. The IS auditor should be MOST concerned, if a hacker: A. compromises the Wireless Application Protocol (WAP) gateway. The correct answer is: You did not answer the question. Explanation: Area: 4 410. Which of the following BEST reduces the ability of one device to capture the packets that are meant for another device? A. Filters The correct answer is: You did not answer the question. Explanation: Area: 4 411. In a database management system (DBMS), the location of data and the method of accessing the data are provided by the: A. data dictionary. The
correct answer is: You did not answer the question. Explanation: Area: 4 412. In a client-server system, which of the following control techniques is used to inspect activity from known or unknown users? A. Diskless workstations The correct answer is: You did not answer the question. Explanation: Area: 4 413. When reviewing system parameters, an IS auditor’s PRIMARY concern should be that: A. they are set to meet security and performance requirements. The correct answer is: You did not answer the question. Explanation: Area: 4 414. By establishing a network session through an appropriate application, a sender transmits a message by breaking it into packets, but the packets may reach the receiver out of sequence. Which OSI layer addresses the out-of-sequence message through segment sequencing? A. Network layer The correct answer is: You did not answer the question. Explanation: Area: 4 415. Which of the following is a control over component communication failure/errors? A. Restricting operator access and maintaining audit trails The correct answer is: You did not answer the question. Explanation: Area: 4 416. An installed Ethernet cable run in an unshielded twisted pair (UTP) network is more than 100 meters long. Which of the following could be caused by the length of the cable? A. Electromagnetic interference (EMI) The correct answer is: You did not answer the question. Explanation: Area: 4 417. Analysis of which of the following would MOST likely enable the IS auditor to determine if an unapproved program attempted to access sensitive data? A. Abnormal job termination reports The
correct answer is: You did not answer the question. Explanation: Area: 4 418. In a LAN environment, which of the following minimizes the risk of data corruption during transmission? A. Using end-to-end encryption for data communication The correct answer is: You did not answer the question. Explanation: Area: 4 419. Congestion control is BEST handled by which OSI layer? A. Data link layer The correct answer is: You did not answer the question. Explanation: Area: 4 420. Utility programs that assemble software modules needed to execute a machine instruction application program version are: A. text editors. The correct answer is: You did not answer the question. Explanation: Area: 4 421. Which of the following line media would provide the BEST security for a telecommunication network? A. Broadband network digital transmission The correct answer is: You did not answer the question. Explanation: Area: 4 422. Which of the following types of firewalls would BEST protect a network from an Internet attack? A. Screened subnet firewall The correct answer is: You did not answer the question. Explanation: Area: 4 423. Neural networks are effective in detecting fraud, because they can: A. discover new trends since they are inherently linear. The correct answer is: You did not answer the question. Explanation: Area: 4 424. Which of the following translates e-mail formats from one network to another, so the message can travel through all the networks? A. Gateway The correct answer is: You did not answer the question. Explanation: Area: 4 425. The following question refers to the diagram. A.
No firewalls are needed. The correct answer is: You did not answer the question. Explanation: Area: 4 426. The following question refers to the diagram. A. Intelligent hub The correct answer is: You did not answer the question. Explanation: Area: 4 427. The following question refers to the diagram. A. Virus attack The correct answer is: You did not answer the question. Explanation: Area: 4 428. A universal serial bus (USB) port: A. connects the network without a network card. The correct answer is: You did not answer the question. Explanation: Area: 4 429. Which of the following would enable an enterprise to provide
its business partners access to its intranet (i.e., extranet) across the Internet? A. Virtual private network The correct answer is: You did not answer the question. Explanation: Area: 4 430. An organization provides information to its supply chain
partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture? A. A Secure Sockets Layer (SSL) has been implemented for user authentication and remote administration of the firewall. The correct answer is: You did not answer the question. Explanation: Area: 4 431. In an EDI process, the device which transmits and receives electronic documents is the: A. communications handler. The correct answer is: You did not answer the question. Explanation: Area: 4 432. Which of the following hardware devices relieves the central computer from performing network control, format conversion and message handling tasks? A. Spool The correct answer is: You did not answer the question. Explanation: Area: 4 433. Which of the following systems-based approaches would a financial processing company employ to monitor spending patterns to identify abnormal patterns and report them? A. A neural network The correct answer is: You did not answer the question. Explanation: Area: 4 434. Which of the ISO/OSI model layers provides for routing packets between nodes? A. Data link The correct answer is: You did not answer the question. Explanation: Area: 4 435. In a TCP/IP-based network, an IP address specifies a: A. network connection. The correct answer is: You did not answer the question. Explanation: Area: 4 436. Which of the following devices extends the network and has the capacity to store frames and act as a storage and forward device? A. Router The correct answer is: You did not answer the question. Explanation: Area: 4 437. In a client-server architecture, a domain name service (DNS) is MOST important, because it
provides the: A. address of the domain server. The correct answer is: You did not answer the question. Explanation: Area: 4 438. In a web server,
a common gateway interface (CGI) is MOST often used as a(n): A. consistent way for transferring data to the application program and back to the user. The correct answer is: You did not answer the question. Explanation: Area: 4 439. Receiving an EDI transaction and passing it through the communication’s interface stage usually
requires: A. translating and unbundling transactions. The correct answer is: You did not answer the question. Explanation: Area: 4 440. Which of the following would be considered an essential feature of a network management system? A. A graphical interface to map the network topology The correct answer is: You did not answer the question. Explanation: Area: 4 441. The most likely error to occur when implementing a firewall is: A. incorrectly configuring the access lists. The correct answer is: You did not answer the question. Explanation: Area: 4 442. Which of the following LAN physical layouts is subject to total loss if one device fails? A. Star The correct answer is: You did not answer the question. Explanation: Area: 4 443. When reviewing the implementation of a LAN, the IS auditor should FIRST review the: A. node list. The correct answer is: You did not answer the question. Explanation: Area: 4 444. When reviewing a firewall, which of the following should be of MOST concern to an IS auditor? A. A well-defined security policy The correct answer is: You did not answer the question. Explanation: Area: 4 445. Which of the following would be the MOST secure firewall system? A. Screened-host firewall The correct answer is: You did not answer the question. Explanation: Area: 4 446. Reconfiguring which of the following firewall types will prevent inward downloading of files through the File Transfer Protocol (FTP)? A. Circuit
gateway The correct answer is: You did not answer the question. Explanation: Area: 4 447. Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organization? A. A program that deposits a virus on a client machine The correct answer is: You did not answer the question. Explanation: Area: 4 448. Which of the following protocols would be involved in the implementation of a router and an interconnectivity device monitoring system? A. Simple Network Management Protocol The correct answer
is: You did not answer the question. Explanation: Area: 4 449. A critical function of a firewall is to act as
a: A. special router that connects the Internet to a LAN. The correct answer is: You did not answer the question. Explanation: Area: 4 450. Java applets and ActiveX controls are distributed executable programs that execute in the background of a
web browser client. This practice is considered reasonable when: A. a firewall exists. The correct answer is: You did not answer the question. Explanation: Area: 4 451. In large corporate networks having supply partners across the globe, network traffic may continue to rise. The infrastructure components in such environments should be scalable. Which of the following firewall architectures limits future
scalability? A. Appliances The correct answer is: You did not answer the question. Explanation: Area: 4 452. Which of the following types of transmission media provide the BEST security against unauthorized access? A. Copper wire The correct
answer is: You did not answer the question. Explanation: Area: 4 453. Which of the following is the BEST audit procedure to determine if a firewall
is configured in compliance with an organization’s security policy? A. Review the parameter settings. The correct answer is: You did not answer the question. Explanation: Area: 4 454. To determine how data are accessed across different platforms in a heterogeneous environment, an IS auditor should FIRST review: A. business software. The correct answer is: You did not answer the question. Explanation: Area: 4 455. An
organization has outsourced its help desk. Which of the following indicators would be the best to included in the SLA? A. Overall number of users supported The correct answer is: You did not answer the question. Explanation: Area: 4 456. A review of wide area network (WAN) usage discovers that traffic on one communication line between sites, synchronously linking the master and standby database, peaks at 96 percent of the line capacity. The IS auditor should conclude
that: A. analysis is required to determine if a pattern emerges that results in a service loss for a short period of time. The correct answer is: You did not answer the question. Explanation: Area: 4 457. During the requirements definition phase for a database application, performance is listed as a top priority. To access the DBMS files, which of the following technologies should be recommend for optimal I/O performance? A. Storage area network (SAN) The correct answer is: You did not answer the question. Explanation: Area: 4 458. An organization is negotiating a service level
agreement (SLA) with a vendor. Which of the following should occur FIRST? A. Develop a feasibility study. The correct answer is: You did not answer the question. Explanation: Area: 4 459. The BEST way to minimize the risk of communication failures in an e-commerce environment would be to use: A. compression software to minimize transmission duration. The
correct answer is: You did not answer the question. Explanation: Area: 4 460. An IS auditor reviewing an organization’s data file control procedures finds that transactions are applied to the most current files, while restart procedures use earlier versions. The IS auditor should recommend the implementation of: A. source documentation retention. The correct answer is: You did not answer the question. Explanation: Area: 4 461. Which of the following is the MOST critical when evaluating the delivery of IT services? A. Tools used to record and analyze incidents The correct answer is: You did not answer the question. Explanation: Area: 4 462.
Which of the following propagation problems do wired and wireless transmissions have in common? A. Cross-talk The correct answer is: You did not answer the question. Explanation: Area: 4 463. The purpose of code signing is to provide assurance that: A. the software has not been subsequently modified. The correct answer is: You did not answer the question. Explanation: Area: 4 464. An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error, and are not rolled back. Which of the following transaction processing features has been violated? A. Consistency The correct answer is: You did not answer the question. Explanation: Area: 4 465. Which of the following is the BEST method for preventing exploitation of system vulnerabilities? A. Log monitoring The correct answer is: You did not answer the question. Explanation: Area: 4 466. Reverse proxy technology for web servers should be deployed if: A. http servers’ addresses must be hidden. The correct answer is: You did not answer the question. Explanation: Area: 4 467.
Which of the following BEST limits the impact of server failures in a distributed environment? A. Redundant pathways The correct answer is: You did not answer the question. Explanation: Area: 4 468. Which of the following functions should be performed by the application owners to ensure an adequate segregation of duties between IS and end users? A. System analysis The correct answer is: You did not answer the question. Explanation: Area: 5 469. Accountability for the maintenance of appropriate security measures over information assets resides with the: A. security administrator. The correct answer is: You did not answer the question. Explanation: Area: 5 470. The GREATEST risk when end users have access to a database at its system level, instead of through the application, is that the users can: A. make unauthorized changes to the database directly, without an audit trail. The correct answer is: You did not answer the question. Explanation: Area: 5 471. Who is principally responsible for periodically reviewing users’ access to systems? A. Computer operators The correct answer is: You did not answer the question. Explanation: Area: 5 472. To determine who has been given permission to use a particular system resource, the IS auditor
should review? A. Activity lists The correct answer is: You did not answer the question. Explanation: Area: 5 473. Which of the following is the MOST effective control when granting temporary access to vendors? A. Vendor access corresponds to the service level agreement (SLA). The correct answer is: You did not answer the question. Explanation: Area: 5 474. During a logical access controls review, the IS auditor observes that user
accounts are shared. The GREATEST risk resulting from this situation is that: A. an unauthorized user may use the id to gain access. The correct answer is: You did not answer the question. Explanation: Area: 5 475. An IS auditor observed that some data entry operators leave their
computers in the midst of data entry without logging off. Which of the following controls should be suggested to prevent unauthorized access? A. Encryption The correct answer is: You did not answer the question. Explanation: Area: 5 476. Which of the following satisfies a two-factor user authentication? A. Iris scanning plus fingerprint scanning The correct answer is: You did not answer the question. Explanation: Area: 5 477. A callback system requires that a user with an id and password call a remote server through a dial-up line, then the server disconnects and: A. dials back to the user machine based on the user id and password and using a telephone number from its database. The correct answer is: You did not answer the question. Explanation: Area: 5 478. The MOST effective method of preventing unauthorized use of data files is: A. automated file entry. The correct answer is: You did not answer the question. Explanation: Area: 5 479. Which of the following is the MOST effective control procedure for security of a stand-alone small business computer environment? A. Supervision of computer usage The
correct answer is: You did not answer the question. Explanation: Area: 5 480. Which of the following physical access controls would provide the highest degree of security over unauthorized access? A. Bolting door lock The correct answer is: You did not answer the question. Explanation: Area: 5 481.
Which of the following is the PRIMARY safeguard for securing software and data within an information processing facility? A. Security awareness The correct answer is: You did not answer the question. Explanation: Area: 5 482. Which of the following is a benefit of using a callback device? A. Provides an audit trail. The correct answer is: You did not answer the question. Explanation: Area: 5 483. When reviewing an organization’s logical access security, which of the following should be of MOST concern to an IS auditor? A. Passwords are not shared. The correct answer is: You did not answer the question. Explanation: Area: 5 484. Passwords should be: A. assigned by the security administrator for first time logon. The correct answer is: You did not answer the question. Explanation: Area: 5 485. When performing an audit of access rights, an IS auditor should be suspicious of which of the following if allocated to a computer operator? A. Read access to data The correct answer is: You did not answer the question. Explanation: Area: 5 486. To prevent unauthorized entry to the data maintained
in a dial-up, fast response system, an IS auditor should recommend: A. online terminals be placed in restricted areas. The correct answer is: You did not answer the question. Explanation: Area: 5 487. An IS auditor conducting an access control review in a client-server
environment discovers that all printing options are accessible by all users. In this situation, the IS auditor is MOST likely to conclude that: A. exposure is greater, since information is available to unauthorized users. The correct answer is: You did not answer the question. Explanation: Area: 5 488. Sign-on procedures include the creation of a unique user ID and password. However, an IS auditor discovers that in many cases the username and password are the same. The BEST control to mitigate this risk is to: A.
change the company’s security policy. The correct answer is: You did not answer the question. Explanation: Area: 5 489.
The PRIMARY objective of a logical access control review is to: A. review access controls provided through software. The correct answer is: You did not answer the question. Explanation: Area: 5 490. Naming conventions for system resources are important for access control
because they: A. ensure that resource names are not ambiguous. The correct answer is: You did not answer the question. Explanation: Area: 5 491. Which of the following exposures could be caused by a line grabbing technique? A. Unauthorized data access The correct answer is: You did not answer the question. Explanation: Area: 5 492. Electromagnetic emissions from a terminal represent an exposure because they: A. affect noise pollution. The
correct answer is: You did not answer the question. Explanation: Area: 5 493. Security administration procedures require read-only access to: A. access control
tables. The correct answer is: You did not answer the question. Explanation: Area: 5 494. A MAJOR risk of using single sign-on (SSO) is that it: A. has a single authentication point. The correct answer is: You did not answer the question. Explanation: Area: 5 495. With the help of the security officer, granting access to data is the responsibility of: A. data owners. The correct answer is: You did not answer the question. Explanation: Area: 5 496. The FIRST step in data classification is to: A. establish ownership. The
correct answer is: You did not answer the question. Explanation: Area: 5 497. During the review of a biometrics system operation, the IS auditor should FIRST review the stage of: A. enrollment. The correct answer is: You did not answer the question. Explanation: Area: 5 498. Which of the following provides the framework for designing and developing logical access
controls? A. Information systems security policy The correct answer is: You did not answer the question. Explanation: Area: 5 499. A hacker could obtain passwords without the use of computer tools or programs through the technique of: A. social engineering. The correct answer is: You did not answer the question. Explanation: Area: 5 500. The reliability of an application system’s audit trail may be questionable if: A. user IDs are recorded in the audit trail. The
correct answer is: You did not answer the question. Explanation: Area: 5 501. Which of the following user profiles should be of MOST concern to the IS auditor, when performing an audit of an EFT system? A. Three users with the ability to capture
and verify their own messages The correct answer is: You did not answer the question. Explanation: Area: 5 502. An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as: A. critical. The correct answer is: You did not answer the question. Explanation: Area: 5 503. The implementation of access controls FIRST requires: A. a classification of IS resources. The correct answer is: You did not answer the question. Explanation: Area: 5 504. Which of the following is an example of the defense in-depth security principle? A. Using two firewalls of different vendors to consecutively check the incoming network traffic The correct answer is: You did not answer the question. Explanation: Area: 5 505. Which of the following would be the BEST access control procedure? A. The data owner formally authorizes access and an administrator implements the user authorization tables. The correct answer is: You did not answer the question. Explanation: Area: 5 506. Which of the following would MOST effectively reduce social engineering incidents? A. Security awareness training The correct answer is: You did not answer the question. Explanation: Area: 5 507. An information security policy stating that “the display of passwords must be masked or suppressed” addresses which of the following attack
methods? A. Piggybacking The correct answer is: You did not answer the question. Explanation: Area: 5 508. To ensure compliance within security policy requiring that passwords be a combination of letters and numbers, the IS auditor should recommend that: A. the company policy be changed. The correct answer is: You did not answer the question. Explanation: Area: 5 509. An IS auditor has identified the lack of an authorization process for users of an application. The IS auditor’s main concern should be that: A. more than one individual can claim to be a specific user. The correct answer is: You did not answer the question. Explanation: Area: 5 510. An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies? A. Digitalized signatures The correct answer is: You did not answer the question. Explanation: Area: 5 511. The information security policy that states “each individual must have their badge read at every controlled door” addresses which of the following attack
methods? A. Piggybacking The correct answer is: You did not answer the question. Explanation: Area: 5 512. Which of the following presents an
inherent risk, with no distinct identifiable preventive controls? A. Piggybacking The correct answer is: You did not answer the question. Explanation: Area: 5 513. Which of the following intrusion detection systems (IDSs) monitors the general patterns of activity and traffic on a network and creates a database? A. Signature-based The correct answer is: You did not answer the question. Explanation: Area: 5 514. The MOST important difference between hashing and encryption is that hashing: A. is
irreversible. The correct answer is: You did not answer the question. Explanation: Area: 5 515. Which of the following cryptography options would increase overhead/cost? A. The encryption is symmetric rather than asymmetric. The
516. The MOST important key success factor in planning a penetration test is: A. the documentation of the planned testing procedure. (Area 5)
517. Which of the following virus prevention techniques can be implemented through hardware? A. Remote booting (Area 5)
518. Which of the following append themselves to files as a protection against viruses? A. Behavior blockers (Area 5)
519. Which of the following acts as a decoy to detect active Internet attacks? A. Honeypots (Area 5)
520. A certificate authority (CA) can delegate the processes of: A. revocation and suspension of a subscriber’s certificate. (Area 5)
521. Which of the following results in a denial-of-service attack? A. Brute-force attack (Area 5)
522. Which of the following is an advantage of elliptic curve encryption over RSA encryption? A. Computation speed (Area 5)
523. Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data? A. Secure Sockets Layer (SSL) (Area 5)
524. The risk of gaining unauthorized access through social engineering can BEST be addressed by: A. security awareness programs. (Area 5)
525. To ensure message integrity, confidentiality and nonrepudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against: A. the entire message, enciphering the message digest using the sender’s private key, enciphering the message with a symmetric key and enciphering the key by using the receiver’s public key. (Area 5)
526. Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network? A. Server antivirus software (Area 5)
527. Which of the following would be of MOST concern to an IS auditor reviewing a VPN implementation? Computers on the network that are located: A. on the enterprise’s facilities. (Area 5)
528. The PRIMARY reason for using digital signatures is to ensure data: A. confidentiality. (Area 5)
529. The PKI element that manages the certificate life cycle, including certificate directory maintenance and certificate revocation list (CRL) maintenance and publication, is the: A. certificate authority (CA). (Area 5)
530. Which of the following is an example of a passive attack initiated through the Internet? A. Traffic analysis (Area 5)
531. Transmitting redundant information with each character or frame to facilitate detection and correction of errors is called a: A. feedback error control. (Area 5)
532. A malicious code that changes itself with each file it infects is called a: A. logic bomb. (Area 5)
533. An accuracy measure for a biometric system is: A. system response time. (Area 5)
534. The security level of a private key system depends on the number of: A. encryption key bits. (Area 5)
535. Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them? A. Overwriting the tapes (Area 5)
536. Which of the following can consume valuable network bandwidth? A. Trojan horses (Area 5)
537. The review of router access control lists should be conducted during a(n): A. environmental review. (Area 5)
538. Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)? A. Analyzer (Area 5)
539. When a PC that has been used for the storage of confidential data is sold on the open market, the: A. hard disk should be demagnetized. (Area 5)
540. Which of the following concerns associated with the World Wide Web would be addressed by a firewall? A. Unauthorized access from outside the organization (Area 5)
541. A digital signature contains a message digest to: A. show if the message has been altered after transmission. (Area 5)
542. Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to e-commerce? A. Registration authority (Area 5)
543. A TCP/IP-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted? A. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP). (Area 5)
544. Which of the following is the MOST effective technique for providing security during data transmission? A. Communication log (Area 5)
545. Digital signatures require the: A. signer to have a public key and the receiver to have a private key. (Area 5)
546. In the ISO/OSI model, which of the following protocols is the FIRST to establish security for the user application? A. Session layer (Area 5)
547. The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is: A. data integrity. (Area 5)
548. An IS auditor doing penetration testing during an audit of Internet connections would: A. evaluate configurations. (Area 5)
549. Which of the following should concern an IS auditor when reviewing security in a client-server environment? A. Protecting data using an encryption technique (Area 5)
550. Which of the following can identify attacks and penetration attempts to a network? A. Firewall (Area 5)
551. Which of the following is a technique that could be used to capture network user passwords? A. Encryption (Area 5)
552. Which of the following controls would BEST detect intrusion? A. User IDs and user privileges are granted through authorized procedures. (Area 5)
553. Which of the following is the MOST important objective of data protection? A. Identifying persons who need access to information (Area 5)
554. Which of the following is a feature of an intrusion detection system (IDS)? A. Gathering evidence on attack attempts (Area 5)
555. An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the: A. maintenance of access logs of usage of various system resources. (Area 5)
556. The creation of an electronic signature: A. encrypts the message. (Area 5)
557. Which of the following is the MOST effective type of antivirus software? A. Scanners (Area 5)
558. When using public key encryption to secure data being transmitted across a network: A. both the key used to encrypt and decrypt the data are public. (Area 5)
559. The technique used to ensure security in virtual private networks (VPNs) is: A. encapsulation. (Area 5)
560. During an audit of a telecommunications system, the IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is: A. encryption. (Area 5)
561. An Internet-based attack using password sniffing can: A. enable one party to act as if they are another party. (Area 5)
562. Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems? A. Proxy server (Area 5)
563. During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, the IS auditor must prove that which of the following is used? A. A biometric, digitalized and encrypted parameter with the customer’s public key (Area 5)
564. When planning an audit of a network setup, the IS auditor should give highest priority to obtaining which of the following network documentation? A. Wiring and schematic diagram (Area 5)
565. Which of the following encrypt/decrypt steps provides the GREATEST assurance of achieving confidentiality, message integrity and nonrepudiation by either sender or recipient? A. The recipient uses his/her private key to decrypt the secret key. (Area 5)
566. Use of asymmetric encryption in an Internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the: A. customer over the authenticity of the hosting organization. (Area 5)
567. E-mail message authenticity and confidentiality is BEST achieved by signing the message using the: A. sender’s private key and encrypting the message using the receiver’s public key. (Area 5)
568. An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking? A. An application-level gateway (Area 5)
569. Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization? A. Virtual private network (Area 5)
570. The potential for unauthorized system access by way of terminals or workstations within an organization’s facility is increased when: A. connecting points are available in the facility to connect laptops to the network. (Area 5)
571. Which of the following functions is performed by a virtual private network (VPN)? A. Hiding information from sniffers on the net (Area 5)
572. Applying a digital signature to data traveling in a network provides: A. confidentiality and integrity. (Area 5)
573. Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet? A. Customers are widely dispersed geographically, but the certificate authorities are not. (Area 5)
574. Which of the following implementation modes would provide the GREATEST amount of security for outbound data connecting to the Internet? A. Transport mode with authentication header (AH) plus encapsulating security payload (ESP) (Area 5)
575. Which of the following is the MOST reliable sender authentication method? A. Digital signatures (Area 5)
576. Which of the following provides the GREATEST assurance of message authenticity? A. The prehash code is derived mathematically from the message being sent. (Area 5)
577. Which of the following Internet security threats could compromise integrity? A. Theft of data from the client (Area 5)
578. Which of the following is a concern when data are transmitted through Secure Sockets Layer (SSL) encryption, implemented on a trading partner’s server? A. The organization does not have control over encryption. (Area 5)
579. If inadequate, which of the following would be the MOST likely contributor to a denial-of-service attack? A. Router configuration and rules (Area 5)
580. The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through: A. symmetric encryption. (Area 5)
581. The PRIMARY goal of a web site certificate is: A. authentication of the web site that will be surfed. (Area 5)
582. IS auditors in performing detailed network assessments and access control reviews should FIRST: A. determine the points of entry. (Area 5)
583. The difference between a vulnerability assessment and a penetration test is that a vulnerability assessment: A. searches and checks the infrastructure to detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the damage that could result from the vulnerabilities. (Area 5)
584. The most common problem in the operation of an intrusion detection system (IDS) is: A. the detection of false positives. (Area 5)
585. Which of the following provides nonrepudiation services for e-commerce transactions? A. Public key infrastructure (PKI) (Area 5)
586. Confidential data residing on a PC are BEST protected by: A. a password. (Area 5)
587. While copying files from a floppy disk, a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus? A. A scan of all floppy disks before use (Area 5)
588. Which of the following message services provides the strongest evidence that a specific action has occurred? A. Proof of delivery (Area 5)
589. A manufacturer has been purchasing materials and supplies for its business through an e-commerce application. Which of the following should this manufacturer rely on to prove that the transactions were actually made? A. Reputation (Area 5)
590. The PRIMARY objective of Secure Sockets Layer (SSL) is to ensure: A. only the sender and receiver are able to encrypt/decrypt the data. (Area 5)
591. The role of the certificate authority (CA) as a third party is to: A. provide secured communication and networking services based on certificates. (Area 5)
592. Which of the following is a distinctive feature of the Secure Electronic Transactions (SET) protocol when used for electronic credit card payments? A. The buyer is assured that neither the merchant nor any other party can misuse his/her credit card data. (Area 5)
593. E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to: A. alert the appropriate staff. (Area 5)
594. An IS auditor should be MOST concerned with what aspect of an authorized honeypot? A. The data collected on attack methods. (Area 5)
595. Which of the following should be a concern to an IS auditor reviewing a wireless network? A. 128-bit-static-key WEP (Wired Equivalent Privacy) encryption is enabled. (Area 5)
596. To detect attack attempts that the firewall is unable to recognize, the IS auditor should recommend placing a network intrusion detection system (IDS) between the: A. firewall and the organization’s network. (Area 5)
597. Which of the following ensures a sender’s authenticity and an e-mail’s confidentiality? A. Encrypting the hash of the message with the sender’s private key and thereafter encrypting the hash of the message with the receiver’s public key (Area 5)
598. An efficient use of PKI should encrypt the: A. entire message. (Area 5)
599. Which of the following cryptographic systems is MOST appropriate for bulk data encryption and small devices such as smart cards? A. DES (Area 5)
600. Disabling which of the following would make wireless local area networks more secure against unauthorized access? A. MAC (Media Access Control) address filtering (Area 5)
601. Which of the following is BEST suited for secure communications within a small group? A. Key distribution center (Area 5)
602. Which of the following is the MOST important action in recovering from a cyberattack? A. Creation of an incident response team (Area 5)
603. What method might an IS auditor utilize to test wireless security at branch office locations? A. War dialing (Area 5)
604. Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity? A. Statistical-based (Area 5)
605. The IS auditor learns that when equipment was brought into the data center by a vendor, the emergency power shutoff switch was accidentally pressed and the UPS was engaged. Which of the following audit recommendations should the IS auditor suggest? A. Relocate the shutoff switch. (Area 5)
606. When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the: A. hardware is protected against power surges. (Area 5)
607. Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly? A. Halon gas (Area 5)
608. Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power? A. Power line conditioners (Area 5)
609. A dry-pipe fire extinguisher system is a system that uses: A. water, but in which water does not enter the pipes until a fire has been detected. (Area 5)
610. An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers—one filled with CO2, the other filled with halon. Which of the following should be given the HIGHEST priority in the auditor’s report? A. The halon extinguisher should be removed because halon has a negative impact on the atmospheric ozone layer. (Area 5)
611. What is a risk associated with attempting to control physical access to sensitive areas, such as computer rooms, using card keys or locks? A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized. (Area 5)
612. An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important? A. False-acceptance rate (FAR) (Area 5)
613. The MOST effective control for addressing the risk of piggybacking is: A. a single entry point with a receptionist. (Area 5)
614. The BEST overall quantitative measure of the performance of biometric control devices is: A. false-rejection rate. (Area 5)
615. Which of the following is the MOST effective control over visitor access to a data center? A. Visitors are escorted. (Area 5)
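Questions 533, 612 and 614 above turn on how a biometric system's accuracy is measured. The Go program below is added here as an illustration and is not part of the question bank: from a constructed set of matcher scores it computes the false-acceptance rate (FAR, impostors let in) and false-rejection rate (FRR, genuine users turned away) at a given threshold, finds the threshold where the two meet (the crossover, or equal, error rate), and shows what driving FAR to zero costs in rejections, which is the trade a high-security site accepts. The score values and the accept-at-or-above-threshold rule are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Constructed matcher scores for the example: higher means a closer match to
// the enrolled template. Genuine scores come from the enrolled user, impostor
// scores from other people presenting against that user's template.
var (
	GenuineScores  = []float64{0.92, 0.88, 0.85, 0.79, 0.74, 0.69, 0.61, 0.55}
	ImpostorScores = []float64{0.12, 0.20, 0.31, 0.38, 0.45, 0.52, 0.58, 0.66}
)

// Rates returns FAR (fraction of impostors accepted) and FRR (fraction of
// genuine users rejected) when any score at or above threshold is accepted.
func Rates(genuine, impostor []float64, threshold float64) (far, frr float64) {
	accepted, rejected := 0, 0
	for _, s := range impostor {
		if s >= threshold {
			accepted++
		}
	}
	for _, s := range genuine {
		if s < threshold {
			rejected++
		}
	}
	return float64(accepted) / float64(len(impostor)), float64(rejected) / float64(len(genuine))
}

// candidates returns every observed score in ascending order; FAR and FRR
// only change at these values, so they are the thresholds worth trying.
func candidates(genuine, impostor []float64) []float64 {
	c := append(append([]float64{}, genuine...), impostor...)
	sort.Float64s(c)
	return c
}

// Crossover finds the threshold where FAR and FRR are closest. Their common
// value there is the crossover (equal) error rate, the single number usually
// quoted when comparing biometric devices.
func Crossover(genuine, impostor []float64) (threshold, far, frr float64) {
	best := math.Inf(1)
	for _, t := range candidates(genuine, impostor) {
		a, r := Rates(genuine, impostor, t)
		if d := math.Abs(a - r); d < best {
			best, threshold, far, frr = d, t, a, r
		}
	}
	return
}

// ThresholdForFAR returns the loosest threshold whose FAR does not exceed
// maxFAR, together with the FRR that setting costs. A site that tunes for FAR
// first (question 612) pays for it in genuine users being rejected.
func ThresholdForFAR(genuine, impostor []float64, maxFAR float64) (threshold, far, frr float64) {
	for _, t := range candidates(genuine, impostor) {
		a, r := Rates(genuine, impostor, t)
		if a <= maxFAR {
			return t, a, r
		}
	}
	return math.Inf(1), 0, 1 // no threshold satisfies it: accept nobody
}

func main() {
	for _, t := range []float64{0.50, 0.60, 0.70} {
		far, frr := Rates(GenuineScores, ImpostorScores, t)
		fmt.Printf("threshold %.2f: FAR %.3f FRR %.3f\n", t, far, frr)
	}
	t, far, frr := Crossover(GenuineScores, ImpostorScores)
	fmt.Printf("crossover at %.2f: FAR %.3f FRR %.3f\n", t, far, frr)
	t, far, frr = ThresholdForFAR(GenuineScores, ImpostorScores, 0)
	fmt.Printf("FAR of 0 needs threshold %.2f, costing FAR %.3f FRR %.3f\n", t, far, frr)
}
```

With these scores the two rates cross at a threshold of 0.61 with both at 0.125, while forcing FAR to zero pushes the threshold to 0.69 and raises FRR to 0.25; the same computation on a vendor's real score distributions is how an auditor checks a claimed crossover error rate rather than taking it from a brochure.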
616. In a public key infrastructure, a registration authority: A. verifies information supplied by the subject requesting a certificate. (Area 5)
617. Confidentiality of the data transmitted in a wireless LAN is BEST protected, if the session is: A. restricted to predefined MAC addresses. (Area 5)
618. Which of the following provides the MOST relevant information for proactively strengthening security settings? A. Bastion host (Area 5)
619. Over the long term, which of the following has the greatest potential to improve the security incident response process? A. A walk-through review of incident response procedures (Area 5)
620. When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned about which of the following? A. Number of nonthreatening events identified as threatening (Area 5)
621. Distributed denial-of-service (DDoS) attacks on Internet sites are typically evoked by hackers using which of the following? A. Logic bombs (Area 5)
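Questions 513, 584, 604 and 620 contrast signature-based and statistical (anomaly-based) intrusion detection and the false positives the latter produces. The Go program below is an added example and is not part of the question bank: it parses a constructed firewall log, applies a fixed port-scan signature and a statistical volume threshold side by side, and shows the statistical rule flagging a legitimate backup host as an outlier while missing the scanner that the signature rule catches. The log format, the addresses and both thresholds are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Event is one connection attempt parsed from the log.
type Event struct{ Src, Dst, Port string }

// ParseLine reads the constructed format used here:
// "<time> <action> <src>:<sport> -> <dst>:<dport>". A line that does not
// match is reported as ok=false and skipped instead of crashing the analyzer.
func ParseLine(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) != 5 || f[3] != "->" {
		return Event{}, false
	}
	src := strings.SplitN(f[2], ":", 2)
	dst := strings.SplitN(f[4], ":", 2)
	if len(src) != 2 || len(dst) != 2 {
		return Event{}, false
	}
	return Event{Src: src[0], Dst: dst[0], Port: dst[1]}, true
}

// Profile is what the sensor keeps per source address.
type Profile struct {
	Count int             // total attempts in the window
	Ports map[string]bool // distinct destination ports touched
}

func Profiles(lines []string) map[string]*Profile {
	out := map[string]*Profile{}
	for _, l := range lines {
		ev, ok := ParseLine(l)
		if !ok {
			continue
		}
		p := out[ev.Src]
		if p == nil {
			p = &Profile{Ports: map[string]bool{}}
			out[ev.Src] = p
		}
		p.Count++
		p.Ports[ev.Port] = true
	}
	return out
}

// SignatureAlerts applies a fixed port-scan signature: one source touching at
// least minPorts distinct destination ports. Returns sorted source addresses.
func SignatureAlerts(profiles map[string]*Profile, minPorts int) []string {
	var hits []string
	for src, p := range profiles {
		if len(p.Ports) >= minPorts {
			hits = append(hits, src)
		}
	}
	sort.Strings(hits)
	return hits
}

// StatisticalAlerts flags any source whose attempt count lies more than k
// standard deviations above the mean of all sources in the window. Nothing
// here knows what a scan looks like; it only knows what is unusual.
func StatisticalAlerts(profiles map[string]*Profile, k float64) []string {
	var n, sum, sumSq float64
	for _, p := range profiles {
		c := float64(p.Count)
		n, sum, sumSq = n+1, sum+c, sumSq+c*c
	}
	if n == 0 {
		return nil
	}
	mean := sum / n
	sd := math.Sqrt(sumSq/n - mean*mean)
	var hits []string
	for src, p := range profiles {
		if float64(p.Count) > mean+k*sd {
			hits = append(hits, src)
		}
	}
	sort.Strings(hits)
	return hits
}

// SampleLog is constructed for this example: four workstations make a few
// HTTPS connections, 10.0.0.5 is a backup client opening 40 SSH sessions to
// the file server (legitimate, but far above the norm), and 198.51.100.7
// probes 12 different ports on that server once each.
func SampleLog() []string {
	var lines []string
	add := func(action, src string, dport, n int) {
		for i := 0; i < n; i++ {
			lines = append(lines, fmt.Sprintf("2024-03-01T02:%02d:00Z %s %s:%d -> 10.0.0.20:%d",
				i%60, action, src, 50000+i, dport))
		}
	}
	add("ALLOW", "10.0.0.11", 443, 3)
	add("ALLOW", "10.0.0.12", 443, 4)
	add("ALLOW", "10.0.0.13", 80, 2)
	add("ALLOW", "10.0.0.14", 443, 3)
	add("ALLOW", "10.0.0.5", 22, 40)
	for _, port := range []int{21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389} {
		add("DROP", "198.51.100.7", port, 1)
	}
	return lines
}

func main() {
	profiles := Profiles(SampleLog())
	fmt.Println("port-scan signature:", SignatureAlerts(profiles, 10))
	fmt.Println("statistical outliers:", StatisticalAlerts(profiles, 2.0))
}
```

On this log the signature rule reports only 198.51.100.7, while the statistical rule reports only the backup host 10.0.0.5 (40 attempts against a mean of about 10.7 with a standard deviation of about 13.5) and never sees the 12-attempt scanner. That is the false positive of question 620 and the blind spot behind question 624 in one run: a statistical sensor needs its baseline tuned to known-good bursts, and scan-pattern entries need to be read, not just counted.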
622. Validated digital signatures in an e-mail software application will: A. help detect spam. (Area 5)
623. In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides: A. connectionless integrity. (Area 5)
624. An IS auditor notes that IDS log entries related to port scanning are not being analyzed. This lack of analysis will MOST likely increase the risk of success of which of the following attacks? A. Denial-of-service (Area 5)
625. IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks? A. Port scanning (Area 5)
626. Which of the following encryption techniques will BEST protect a wireless network from a man-in-the-middle attack? A. 128-bit wired equivalent privacy (WEP) (Area 5)
627. The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed? A. Reliability and quality of service (QoS) (Area 5)
628. Which of the following antispam filtering techniques would BEST prevent a valid, variable-length e-mail message containing a heavily weighted spam keyword from being labeled as spam? A. Heuristic (rule-based) (Area 5)
629. Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key? A. Certificate revocation list (CRL) (Area 5)
630. The use of residual biometric information to gain unauthorized access is an example of which of the following attacks? A. Replay (Area 5)
631. Active radio frequency ID (RFID) tags are subject to which of the following exposures? A. Session hijacking (Area 5)
632. When conducting a penetration test of an organization’s internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected on the network? A. Use the IP address of an existing file server or domain controller. (Area 5)
633. Two-factor authentication can be circumvented through which of the following attacks? A. Denial-of-service (Area 5)
634. An organization can ensure that the recipients of e-mails from its employees can authenticate the identity of the sender by: A. digitally signing all e-mail messages. (Area 5)
635. Sending a message and a message hash encrypted by the sender’s private key will ensure: A. authenticity and integrity. (Area 5)
636. Which of the following is a general operating system access control function? A. Creating database profiles (Area 5)
637. Which of the following BEST restricts users to those functions needed to perform their duties? A. Application level access control (Area 5)
638. Which of the following is a passive attack to a network? A. Message modification (Area 5)
639. Which of the following would BEST maintain the confidentiality of data transmitted over a network? A. Data are encrypted before transmission. (Area 5)
640. An organization has a mix of access points that cannot be upgraded to stronger security and newer access points having advanced wireless security. The IS auditor recommends replacing the nonupgradeable access points. Which of the following would BEST justify the IS auditor’s recommendation? A. The new access points with stronger security are affordable. (Area 5)
641. For a discretionary access control to be effective, it must: A. operate within the context of mandatory access controls. (Area 5)
642. An investment advisor e-mails periodic newsletters to clients and wants reasonable assurance that no one has modified the newsletter. This objective can be achieved by: A. encrypting the hash of the newsletter using the advisor’s private key. (Area 5)
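Questions 525, 567, 597, 635 and 642 all describe pieces of one construction: hash the whole message, sign the digest with the sender's private key (authenticity, integrity, nonrepudiation), encrypt the message under a one-time symmetric key (confidentiality at bulk-encryption cost), and wrap that key with the receiver's public key so only the receiver can recover it. The Go program below is an added worked example of that construction built from the standard library; it is not code from the question bank. The choice of AES-256-GCM as the symmetric cipher, RSA-OAEP for key wrapping, RSA PKCS#1 v1.5 over SHA-256 for the signature, 2048-bit keys generated on the spot, and the sample purchase-order message are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what travels over the network: the one-time key wrapped to the
// receiver's public key, and a digest signature only the sender could make.
type Envelope struct {
	WrappedKey []byte // AES-256 key, RSA-OAEP encrypted to the receiver
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM output: message plus authentication tag
	Signature  []byte // RSA PKCS#1 v1.5 signature over SHA-256(message)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal: hash the whole message, sign the digest with the sender's private key,
// encrypt the message under a one-time symmetric key, and encrypt that key
// with the receiver's public key.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, fmt.Errorf("sign: %w", err)
	}
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, fmt.Errorf("wrap key: %w", err)
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, msg, nil), Signature: sig}, nil
}

// Open reverses Seal. GCM refuses a tampered ciphertext; the signature check
// then binds the recovered plaintext to the sender, so a message that decrypts
// but fails verification is refused rather than delivered.
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	msg, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], env.Signature); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return msg, nil
}

// RoundTrip uses keys generated here for the example (sender, receiver and an
// impostor), seals and opens msg, then checks that a flipped ciphertext bit
// and a message signed by the impostor are both refused by Open.
func RoundTrip(msg []byte) (recovered []byte, tamperRejected, impostorRejected bool, err error) {
	var keys [3]*rsa.PrivateKey
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return nil, false, false, err
		}
	}
	sender, receiver, impostor := keys[0], keys[1], keys[2]
	env, err := Seal(msg, sender, &receiver.PublicKey)
	if err == nil {
		recovered, err = Open(env, receiver, &sender.PublicKey)
	}
	if err != nil {
		return nil, false, false, err
	}
	env.Ciphertext[0] ^= 0x01 // one bit altered in transit
	_, tamperErr := Open(env, receiver, &sender.PublicKey)
	forged, err := Seal(msg, impostor, &receiver.PublicKey) // impostor signs with its own key
	if err != nil {
		return nil, false, false, err
	}
	_, impostorErr := Open(forged, receiver, &sender.PublicKey)
	return recovered, tamperErr != nil, impostorErr != nil, nil
}

func main() {
	got, tamper, impostor, err := RoundTrip([]byte("PO 4471: ship 200 units to warehouse B"))
	fmt.Printf("recovered=%q tamperRejected=%v impostorRejected=%v err=%v\n", got, tamper, impostor, err)
}
```

Open checks the signature against a sender public key the receiver already trusts, not one carried inside the envelope; the impostor case in RoundTrip is exactly what would slip through if that binding were dropped. For the newsletter of question 642, where only integrity is wanted, the signature alone (the first step of Seal, without the key wrapping) is the whole control.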
643. An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice: A. reduces the risk of unauthorized access to the network. (Area 5)
644. An IS auditor examining a biometric user authentication system establishes the existence of a control weakness that would allow an unauthorized individual to update the centralized database on the server that is used to store biometric templates. Of the following, which is the BEST control against this risk? A. Kerberos (Area 5)
645. A virtual private network (VPN) provides data confidentiality by using: A. Secure Sockets Layer (SSL) (Area 5)
646. A firm is considering using biometric fingerprint identification on all PCs that access critical data. This requires: A. that a registration process be executed for all accredited PC users. (Area 5)
647. Which of the following would BEST support 24/7 availability? A. Daily backup (Area 6)
648. The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks (RAID) level 1 in a file server is to: A. achieve performance improvement. (Area 6)
649. Which of the following is the MOST important criterion for the selection of a location for an offsite storage facility for IS backup files? The offsite facility must be: A. physically separated from the data center and not subject to the same risks. (Area 6)
650. If a database is restored using before-image dumps, where should the process be started following an interruption? A. Before the last transaction (Area 6)
651. In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems? A. Maintaining system software parameters (Area 6)
652. As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up on tape. During the backup procedure, a drive malfunctions and the order entry files are lost. Which of the following are necessary to restore these files? A. The previous day’s backup file and the current transaction tape (Area 6)
653. An offsite information processing facility: A. should have the same amount of physical access restrictions as the primary processing site. (Area 6)
654. An IS auditor performing a review of the backup processing facilities should be MOST concerned that: A. adequate fire insurance exists. (Area 6)
655. Which of the following procedures would BEST determine whether adequate recovery/restart procedures exist? A. Reviewing program code (Area 6)
656. A company performs full backup of data and programs on a regular basis. The primary purpose of this practice is to: A. maintain data integrity in the applications. (Area 6)
657. Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault? A. There are three individuals with a key to enter the area. (Area 6)
658. Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by: A. database integrity checks. (Area 6)
659. When developing a backup strategy, the FIRST step is to: A. identify the data. (Area 6)
660. To provide protection for media backup stored at an offsite location, the storage site should be: A. located on a different floor of the building. (Area 6)
661. Which of the following ensures the availability of transactions in the event of a disaster? A. Send tapes hourly containing transactions offsite. (Area 6)
662. IS management has decided to install a level 1 Redundant Array of
Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend: A. upgrading to a level 5 RAID. The correct answer is: You did not answer the question. Explanation: Area: 6 663. A structured walk-through test of a disaster recovery plan involves: A. representatives from each of the functional areas coming together to go over the plan. The correct answer is: You did not answer the question. Explanation: Area: 6 664. In a contract with a hot, warm or cold site, contractual provisions should cover which of the following considerations? A. Physical security measures The correct answer is: You did not answer the question. Explanation: Area: 6 665. Which of the following is the GREATEST concern when an organization’s backup facility is at a warm site? A. Timely availability of hardware The correct answer is: You did not answer the question. Explanation: Area: 6 666.
Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget? A. A hot site maintained by the business The correct answer is: You did not answer the question. Explanation: Area: 6 667. The PRIMARY purpose of a business impact analysis (BIA) is to: A provide a plan for resuming operations after a disaster. The correct answer is: You did not answer the question. Explanation: Area: 6 668. After implementation of a disaster recovery plan (DRP), predisaster and post-disaster operational cost for an organization will: A. decrease. The correct answer is: You did not answer the question. Explanation: Area: 6 669. Which of the following is the MOST reasonable option for recovering a noncritical system? A. Warm site The
correct answer is: You did not answer the question. Explanation: Area: 6 670. An organization having a number of offices across a wide geographical area has developed a disaster recovery plan (DRP). Using actual
resources, which of the following is the MOST cost-effective test of the DRP? A. Full operational test The correct answer is: You did not answer the question. Explanation: Area: 6 671. An organization’s disaster recovery plan should address early recovery of: A. all information systems processes. The correct answer is: You did not answer the question. Explanation: Area: 6 672. An advantage of the use of hot sites as a backup alternative is that: A. the costs associated with hot sites are low. The correct answer is: You did not answer the question. Explanation: Area: 6 673. Which of the following is a practice that should be incorporated into the plan for testing disaster recovery procedures? A. Invite client participation. The correct answer is: You did not answer the question. Explanation: Area: 6 674. Disaster recovery planning addresses the: A. technological aspect of business continuity planning. The correct answer is: You did not answer the question. Explanation: Area: 6 675. This questions refers to the following information.
The IS auditor’s report should recommend that: A. the deputy CEO be censured for his/her failure to approve the plan. The correct answer is: You did not answer the question. Explanation: Area: 6 676. This questions
refers to the following information.
The basis of an organization’s disaster recovery plan is to reestablish live processing at an alternative site where a similar, but not identical, hardware configuration is already established. The IS auditor should: A. take no
action as the lack of a current plan is the only significant finding. The correct answer is: You did not answer the question. Explanation: Area: 6 677. Disaster recovery planning for a company’s computer system usually focuses on: A. operations turnover procedures. The correct answer is: You did not answer the question. Explanation: Area: 6 678. Of the following, the MAIN purpose for periodically testing offsite facilities is to: A. ensure the integrity of the data in the database. The correct answer is: You did not answer the question. Explanation: Area: 6 679. A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster
recovery plan for the communications processor? A. Offsite storage of daily backups The correct answer is: You did not answer the question. Explanation: Area: 6 680. Facilitating telecommunications continuity by providing redundant combinations of local carrier T-1 lines, microwaves and/or coaxial cables to access the local communication loop is: A. last-mile circuit
protection. The correct answer is: You did not answer the question. Explanation: Area: 6 681. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies? A. Developments may result in hardware and software incompatibility. The correct answer is: You did not answer the question. Explanation: Area: 6 682. Which of the following would BEST ensure continuity of a wide area network (WAN)
across the organization? A. Built-in alternative routing The correct answer is: You did not answer the question. Explanation: Area: 6 683. An IS auditor reviewing an organization’s IS disaster recovery plan should verify that it is: A. tested every six months. The correct answer is: You did not answer the question. Explanation: Area: 6 684. There are several methods of providing telecommunications continuity. The method of routing traffic through split cable or duplicate cable facilities is: A. alternative routing. The correct answer is: You did not answer the question. Explanation: Area: 6 685. Which of the following is MOST important to provide for in a disaster recovery plan? A. Backup of compiled object programs The correct answer is: You did not answer the question. Explanation: Area: 6 686. The responsibilities of a disaster recovery relocation team include: A. obtaining, packaging and shipping media and records to the recovery facilities, as well as establishing and overseeing an offsite storage schedule. The correct answer is: You did not answer the question. Explanation: Area: 6 687. While reviewing the business continuity plan of an organization, the IS auditor observed that the organization’s data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate? A. Deterrence The correct answer is: You did not answer the question. Explanation: Area: 6 688.
Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster? A. The alternate facility will be available until the original information processing facility is restored. The correct answer is: You did not answer the question. Explanation: Area: 6 689. Which of the following must exist to ensure the viability of a duplicate information processing facility? A. The site is near the primary site to ensure quick and efficient recovery. The correct answer is: You did not answer the question. Explanation: Area: 6 690. An offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment is a: A. cold site. The correct answer is: You did not answer the question. Explanation: Area: 6 691. A disaster recovery plan (DRP) for an
organization should: A. reduce the length of the recovery time and the cost of recovery. The correct answer is: You did not answer the question. Explanation: Area: 6 692. A disaster recovery plan (DRP) for an organization’s financial system specifies that the recovery point
objective (RPO) is no data loss and the recovery time objective (RTO) is 72 hours. Which of the following is the MOST cost-effective solution? A. A hot site that can be operational in eight hours with asynchronous backup of the transaction logs The correct answer is: You did not answer the question. Explanation: Area: 6 693. A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines (ATMs). Which of the following would be the BEST contingency plan for the communications processor? A. Reciprocal agreement with another
organization The correct answer is: You did not answer the question. Explanation: Area: 6 694. The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a DRP, will MOST likely: A. increase. The correct answer is: You did not answer the question. Explanation: Area: 6 695. Which of the following tasks should be performed FIRST when preparing a disaster recovery plan? A. Develop a recovery strategy. The correct answer is: You did not answer the question. Explanation: Area: 6 696. Which of the following
provides the BEST evidence of an organization’s disaster recovery readiness? A. The disaster recovery plan The correct answer is: You did not answer the question. Explanation: Area: 6 697. Which of the following would have the HIGHEST priority in a business continuity plan (BCP)? A. Resuming
critical processes The correct answer is: You did not answer the question. Explanation: Area: 6 698. After completing the business impact analysis (BIA) which of the following is the next step in the business continuity planning process? A. Test and maintain the plan. The correct answer is: You did not answer the question. Explanation: Area: 6 699. Which of the following is an appropriate test method to apply to a business
continuity plan (BCP)? A. Pilot The correct answer is: You did not answer the question. Explanation: Area: 6 700. An IS auditor has audited a business continuity plan (BCP). Which of the following findings is the MOST critical? A. Nonavailability of an alternate private branch exchange (PBX) system The correct answer is: You did not answer the question. Explanation: Area: 6 701. As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis? A. Organizational risks,
such as single point-of-failure and infrastructure risk The correct answer is: You did not answer the question. Explanation: Area: 6 702. Which of the following activities should the business continuity manager perform FIRST after the replacement of hardware at the primary information processing facility? A. Verify compatibility with the hot site. The correct answer is: You did not answer the question. Explanation: Area: 6 703. Which of the following would contribute MOST to an effective business continuity plan (BCP)? The BCP: A. document is circulated to all interested parties. The correct answer is: You did not answer the question. Explanation: Area: 6 704. The FIRST step in developing a business continuity plan (BCP) is to: A. classify the importance of systems. The correct answer is: You did not answer the question. Explanation: Area: 6 705. To develop a successful business continuity plan, end-user involvement is critical
during which of the following phases? A. Business recovery strategy The correct answer is: You did not answer the question. Explanation: Area: 6 706. Which of the following processes is the FIRST step in developing a business continuity and disaster
recovery plan for an organization? A. Alternate site selection The correct answer is: You did not answer the question. Explanation: Area: 6 707. Which of the following would an IS auditor consider
to be the MOST important to review when conducting a business continuity audit? A. A hot site is contracted for and available as needed. The correct answer is: You did not answer the question. Explanation: Area: 6 708. The PRIMARY objective of business continuity and disaster recovery plans should be to: A. safeguard critical IS assets. The correct answer is: You did not answer the question. Explanation: Area: 6 709. After a full operational contingency test, the IS auditor performs a review of the recovery steps. He concludes that the time it took for the technological environment and systems to return to full-functioning exceeded the required critical recovery time. Which of the following should the auditor recommend? A. Perform an integral review of the recovery tasks. The correct answer is: You did not answer the question. Explanation: Area: 6 710. Which of the following is a continuity plan test that uses actual resources to simulate a system crash to cost-effectively obtain evidence about the plan’s effectiveness? A. Paper test The correct answer
is: You did not answer the question. Explanation: Area: 6 711. While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be: A. shadow file processing. The
correct answer is: You did not answer the question. Explanation: Area: 6 712. Which of the following is the BEST method for determining the criticality of each application
system in the production environment? A. Interview the application programmers. The correct answer is: You did not answer the question. Explanation: Area: 6 713. Depending on the complexity of an organization’s business continuity plan (BCP), the plan may be developed as a set of more than one plan to address various aspects
of business continuity and disaster recovery. In such an environment, it is essential that: A. each plan be consistent with one another. The correct answer is: You did not answer the question. Explanation: Area: 6 714. A hot site should be implemented as a recovery strategy when the: A. disaster tolerance is low. The correct answer is: You did not answer the question. Explanation: Area: 6 715. In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy? A. Disaster tolerance is high. The correct
answer is: You did not answer the question. Explanation: Area: 6 716. During a business continuity audit the IS auditor found that the business continuity plan (BCP) covered only critical processes. The IS auditor should: A. recommend that the BCP cover all business processes. The correct answer is: You did not answer the question. Explanation: Area: 6 717. An organization has implemented a disaster recovery plan. Which of the following steps should be carried out next? A. Obtain senior management sponsorship. The correct answer is: You did not answer the question. Explanation: Area: 6 718. When auditing a disaster recovery plan (DRP) for a critical business area, the IS auditor finds that it does not cover all the systems. Which of the following is MOST appropriate action for the IS auditor? A. Alert
management and evaluate the impact of not covering all systems. The correct answer is: You did not answer the question. Explanation: Area: 6 719. An IS auditor noted that an organization had adequate business continuity plans (BCPs) for each individual process, but no comprehensive BCP. Which would be
the BEST course of action for the IS auditor? A. Recommend that an additional comprehensive BCP be developed. The correct answer is: You did not answer the question. Explanation: Area: 6 720. Network Data Management Protocol (NDMP) technology should be used for backup if: A. A network attached storage (NAS) appliance is
required. The correct answer is: You did not answer the question. Explanation: Area: 6 721. An organization currently using tape backups takes one weekly full backup and daily incremental backups. They recently augmented their tape backup procedures with a backup-to-disk solution. This is appropriate because: A. fast synthetic backups for offsite storage are supported. The correct answer is: You did not answer the question. Explanation: Area: 6 722. When developing a business continuity plan (BCP), which of the following tools should be used to gain an understanding
of the organization’s business processes? A. Business continuity self-audit The correct answer is: You did not answer the question. Explanation: Area: 6 723. Which of the following should be of MOST concern to an IS auditor
reviewing the BCP? A. The disaster levels are based on scopes of damaged functions, but not on duration. The correct answer is: You did not answer the question. Explanation: Area: 6 724. During an audit of a business continuity plan (BCP), the IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following areas should be reconciled
FIRST? A. Evacuation plan The correct answer is: You did not answer the question. Explanation: Area: 6 725. Which of the following should be the MOST important criterion in evaluating a backup solution for sensitive data that must be retained for a long period of time due to regulatory requirements? A. Full backup
window The correct answer is: You did not answer the question. Explanation: Area: 6 Which of the following should be an auditor's primary concern after discovering that the scope of an IS project has changed and impact study has not been performed?The IS auditor's MAIN concern should be that the: complexity and risk associated with the project have been analyzed.
Which of the following is the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? Requirements should be tested in terms of importance and frequency of use.
Which of the following has the most significant impact on the success of an application systems implementation? The overall organizational environment has the most significant impact on the success of application systems implemented. This includes the alignment between IT and the business, the maturity of the development processes and the use of change control and other project management tools.