Académique Documents
Professionnel Documents
Culture Documents
support management policies and procedures. The test will assist the
auditor to:-confirm that the control is operating as designed.
Note: Compliance tests can be used to test the existence and effectiveness
of a defined process. Understanding the objective of a compliance test is
important. IS auditors want reasonable assurance that the controls they are
relying on are effective. An effective control is one that meets management
expectations and objectives.
The FIRST step in execution of a problem management mechanism should
be:-exception reporting.
Note: While all of the choices above are desirable in a software tool
evaluated for auditing an data mining purposes, the most critical
requirement is that the tool will work effectively on the systems of the
organization being audited.
After completing the business impact analysis (BIA), what is the NEXT step
in the business continuity planning (BCP) process?-Develop recovery
strategies.
Note: Once the BIA is completed, the next phase in the BCP development is
to identify the various recovery strategies and select the most appropriate
strategy for recovering from a disaster that will meet the time lines and
priorities defined through the BIA.
In a small organization, an employee performs computer operations and,
when the situation demands, program modifications. Which of the following
should the IS auditor recommend?-Procedures that verify that only approved
program changes are implemented.
Note: An IS auditor must consider recommending a better process. An IS
auditor should recommend a formal change control process that manages
and could detect changes to production source and object code, such as
code comparisons, so the changes can be reviewed on a regular basis by a
third party. This would be a compensating control process.
A small organization has only one database administrator (DBA). The DBA
has root access to the UNIX server, which hosts the database application.
How should segregation of duties (SoD) be enforced in this scenario?-Ensure
that the database logs are forwarded to a UNIX server where the DBA does
not have root access.
Note: By creating logs that the DBA cannot erase or modify, segregation of
duties is enforced.
An IS auditor reviewing database controls discovered that changes to the
database during normal working hours were handled through a standard set
of procedures. However, changes made after normal hours required only an
abbreviated number of steps. In this situation, which of the following would
be considered an adequate set of compensating controls?-Use the DBA
account to make changes, log the changes and review the change log the
following day.
Note: The use of a DBA account is normally set up to log all changes made
and is most appropriate for changes made outside of normal hours. The use
of a log, which records the changes, allows changes to be reviewed.
Because of an abbreviated number of steps are used, this represents an
adequate set of compensating controls.
An IS auditor reviewing the IT project management process is reviewing a
feasibility study for a critical project to build a new data center. The IS
auditor is MOST concerned about the fact that:-the organizational impact of
the project has not been assessed.
Note: The feasibility study determines the strategic benefits of the project.
Therefore, the result of the feasibility study determines the organizational
impact a comparison report of costs, benefits, risk, etc. The project
portfolio is a part of measuring the organizational strategy.
A company has contracted with an external consulting firm to implement a
commercial financial system to replace its existing system developed in
house. In reviewing the proposed development approach, which of the
following would be of GREATEST concern?-A quality plan is not part of the
contracted deliverables.
Note: A quality plan is an essential element of all projects. It is critical that
the contracted supplier be required to produce such a plan. The quality plan
for the proposed development contract should be comprehensive and
encompass all phases of the development and include which business
functions will be included and when.
Which of the following provides the GREATEST assurance of message
authenticity?-The hash code is encrypted using the sender's private key.
Note: Encrypting the hash code using the sender's private key provides
assurance of the authenticity of the message and prevents anyone from
being able to alter the hash code.
Which of the following disaster recovery testing techniques is the MOST
efficient way to determine the effectiveness of the plan?-Preparedness tests
Note: Testing backups provides assurance that the backup data are reliable
and will be available when needed. Without backup data, the organization is
not addressing the risk of availability.
The specific advantage of white box testing is that it:-determines procedural
accuracy or conditions of a program's specific logic paths.
Note: Verification will ensure that produced products match the orders in the
customer order system.
During an assessment of software development practices, an IS auditor finds
that open source software components were used in an application designed
for a client. What is the GREATEST concern the auditor would have about the
use of open source software?-The organization and client must comply with
open source software license terms.
Note: There are many types of open source software licenses and each has
different terms and conditions. Some open source software licensing allows
use of the open source software component freely, but requires that the
completed software product must also allow the same rights. This is known
as viral licensing, and if the development organization is not careful, its
products could violate licensing terms by selling the product for profit. The
IS auditor should be most concerned with open source software licensing
compliance to avoid unintended intellectual property risk or legal
consequences.
The PRIMARY reason for using digital signatures is to ensure data:-integrity.
Note: Attribute sampling is the method used for compliance testing. In this
scenario, the operation of a control is being evaluated, and therefore the
attribute of whether each purchase order was correctly authorized would be
used to determine compliance with the control.
While conducting an audit of a service provider, an IS auditor observes that
the service provider has outsourced a part of the work to another provider.
Because the work involves confidential information, the IS auditor's PRIMARY
concern should be that the:-requirement for protecting confidentiality of
information could be compromised.
Note: Digital signatures for the sender are attested by the certificate
authority and can be verified by the recipient; therefore, repudiation is not
possible. Additionally, the digital signature mechanism ensures the integrity
of the message content by creating a oneway hash at both the source and
destination and then comparing the two.
Email message authenticity and confidentiality is BEST achieved by signing
the message using the:-sender's private key and encrypting the message
using the receiver's public key.
Note: By signing the message with the senders private key, the receiver
can verify its authenticity using the senders public key. Encrypting with the
receivers public key provides confidentiality.
An organization's IS audit charter should specify the:-role of the IS audit
function.
Note: Of the given choices, this is the most suitable answer. The disaster
recovery plan (DRP) includes a hot site that is located sufficiently away from
the main data center and will allow recovery in the event of a major
disaster. Not having realtime backups may be a problem depending on
recovery point objective (RPO).
A hot site should be implemented as a recovery strategy when the:-disaster
tolerance is low.
Note: Disaster tolerance is the time gap during which the business can
accept nonavailability of IT facilities. If this time gap is low, recovery
strategies that can be implemented within a short period of time, such as a
hot site, should be used.
Which of the following types of penetration tests simulates a real attack and
is used to test incident handling and response capability of the target?-
Doubleblind testing
Note: Establishing a link between the requesting entity and its public key is
a function of a registration authority. This may or may not be performed by a
CA; therefore, this function can be delegated.
Which of the following goals would you expect to find in an organization's
strategic plan?-Become the supplier of choice for the product offered.
Note: Becoming the supplier of choice for the product is a strategic business
objective that is intended to focus the overall direction of the business and
would, thus, be a part of the organizations strategic plan.
Which of the following is the MOST important critical success factor (CSF) of
implementing a riskbased approach to the IT system life cycle?-Adequate
involvement of stakeholders
Note: The most important critical success factor (CSF) is the adequate
involvement and support of the various quality assurance, privacy, legal,
audit, regulatory affairs or compliance teams in high regulatory risk
situations. Some IT system changes may, based on risk ratings, require
signoff from key stakeholders before proceeding.
Which one of the following could be used to provide automated assurance
that proper data files are being used during processing?-Internal labeling,
including file header records
Note: The most critical factor to consider is to limit the access granted to
individuals to only the duties required for their jobs. Insider attacks may be
initiated by employees, consultants and/or contractors of an organization.
Insiderrelated risk is the most difficult risk to defend against because
insiders typically have been granted some physical and logical access to
systems, applications and networks. Remote access to corporate networks
and data also is common, due to technology such as virtual private
networks (VPNs) and smart phones, and poses a great threat to corporate
data. There is a need to put into place strong and effective controls to
mitigate this risk, the most basic of which is limiting access to what users
need to do their jobs.
Which of the following choices is the MOST effective control that should be
implemented to ensure accountability for application users accessing
sensitive data in the human resource management system (HRMS) and
among interfacing applications to the HRMS?-Audit trails
Note: Audit trails capture which user, at what time, and date, along with
other details, has performed the transaction and this helps in establishing
accountability among application users.
Which of the following is the BEST control to mitigate the risk of pharming
attacks to an Internet banking application?-Domain name system (DNS)
server security hardening
Note: The pharming attack redirects the traffic to an unauthorized web site
by exploiting vulnerabilities of the DNS server. To avoid this kind of attack, it
is necessary to eliminate any known vulnerability that could allow DNS
poisoning. Older versions of DNS software are vulnerable to this kind of
attack and should be patched.
The PRIMARY purpose of an IT forensic audit is:-the systematic collection
and analysis of evidence after a system irregularity.
Note: Any false site will not be able to encrypt using the private key of the
real site, so the customer would not be able to decrypt the message using
the public key.
Which of the following should be an IS auditor's PRIMARY concern after
discovering that the scope of an IS project has changed and an impact study
has not been performed?-The time and cost implications caused by the
change
Note: Any scope change might have an impact on duration and cost of the
project; that is the reason why an impact study is conducted and the client
is informed of the potential impact on the schedule and cost.
Which of the following would an IS auditor use to determine if unauthorized
modifications were made to production programs?-Compliance testing
Note: Data are the most important of all options listed, and without data, a
business cannot recover.
When auditing a proxybased firewall, an IS auditor should:-verify that the
filters applied to services such as hypertext transmission protocol (HTTP) are
effective.
Note: There will always be humanerror risk that staff members forget to
type certain words in the subject field. The organization should have
automated encryption set up for outgoing email for employees working with
protected health care information (PHI) to protect sensitive information.
Which of the following would an IS auditor consider the MOST relevant to
shortterm planning for an IT department?-Allocating resources
Note: Encrypting the transactions with the recipient's public key will provide
confidentiality via asymmetric cryptography. The recipient will then decrypt
with a personal private key.
Which of the following should be of GREATEST concern to an IS auditor
reviewing the business continuity plan (BCP) of an organization?-A team of
IT and information security staff conducted the business impact analysis
(BIA)
Note: To be effective, the BIA should be conducted with input from a wide
array of stakeholders. The business requirements included within the BIA are
integral in defining meantimetorepair and the data point recovery.
Without business stakeholder input, these critical requirements may not be
correctly defined, leading to critical assets being overlooked.
In a public key infrastructure (PKI), a registration authority:-verifies
information supplied by the subject requesting a certificate
Note: It has often been said that people are the weakest link in the security
chain and social engineering is a technique used to exploit human
vulnerabilities to obtain confidential or sensitive organization information.
This technique can be used to gain unauthorized access to the organization
facilities and manipulate people to divulge sensitive information e.g. a
social engineer may walk into company facilities, obtain confidential papers
or information left on employees' desks and printers, and even pose as a
member of the help desk team to obtain user passwords.
Assignment of process ownership is essential in system development project
because it:-ensures that the system design is based on business needs.
Note: The involvement of process owners will ensure that the system will be
designed according to the needs of the business processes that depend on
system functionality. A signoff on the design by the process owners is
crucial before development begins.
The BEST filter rule for protecting a network from being used as an amplifier
in a denialofservice (DoS) attack is to deny all:-outgoing traffic with IP
source addresses external to the network.
Note: Outgoing traffic with an IP source address different than the internal IP
range in the network is invalid. In most of the cases, it signals a denialof
service (DoS) attack originated by an internal user or by a previously
compromised internal machine; in both cases, applying this filter will stop
the infected machine from participating in the attack.
Which of the following would help to ensure the portability of an application
connected to a database?-Usage of a structured query language (SQL)
Note: The use of structured query language (SQL) facilitates portability
because it is an industry standard used by many systems.
An IS auditor has discovered that a new patch is available for an application,
but the IT department has decided that the patch is not needed because
other security controls are in place. What should the IS auditor recommend?-
Assess the overall risk, then decide whether to deploy the patch
Note: While it is important to ensure that the systems are properly patched,
a risk assessment needs to be performed to determine the likelihood and
probability of the vulnerability being exploited. Therefore, the patch would
be applied only if the risk of circumventing the existing security controls is
great enough to warrant it.
Which of the following would BEST describe encrypting and decrypting data
using an asymmetric encryption algorithm?-Use the receiver's private key to
decrypt data encrypted by the receiver's public key.
Note: The purpose of the test is to test the backup plan. When the backup
systems are not working then the plan cannot be counted on in a real
disaster. This is the most serious problem.
Which of the following BEST helps ensure that deviations from the project
plan are identified?-Project performance criteria
Note: Both costs have to be minimized, and the strategy for which the sum
of the costs is the lowest is the optimal strategy.
In the process of evaluating program change controls, an IS auditor would
use source code comparison software to:-examine source program changes
without information from IS personnel.
Note: The help desk function is a serviceoriented unit. The users must sign
off before an incident can be regarded as closed.
In a riskbased IS audit, where both inherent and control risk have been
assessed as high, an IS auditor would MOST likely compensate for this
scenario by performing additional:-substantive testing
Note: Because both the inherent and control risk are high in this case,
additional testing would be required. Substantive testing obtains audit
evidence on the completeness, accuracy, or existence of activities or
transactions during the audit period.
The ultimate purpose of IT governance is to:-encourage optimal use of IT.
Note: The risk that could be most likely encountered in a SaaS environment
is speed and availability issues, due to the fact that SaaS relies on the
Internet for connectivity.
Which technique would BEST test for the existence of dual control when
auditing the wire transfer systems of a bank?-Observation
Note: Dual control requires that two people carry out an operation. The
observation technique would help to ascertain whether two individuals do
indeed get involved in execution of the operation and an element of
oversight exists. It would also be obvious if one individual is masquerading
and filling in the role of the second person.
Who should review and approve system deliverables as they are defined
and accomplished to ensure the successful completion and implementation
of a new business system application?-User management
Note: The goal of the meeting is to confirm the factual accuracy of the audit
findings and present an opportunity for management to agree on or respond
to recommendations for corrective action.
Which of the following preventive controls BEST helps secure a web
application?-Developer training
Note: Of the given choices, teaching developers to write secure code is the
best way to secure a web application.
What is the BEST way to verify that a digital signature is valid?-Verify that
the sender's public key certificate is from a trusted certificate authority (CA)
Note: Digital signatures are enabled by using the sender's private key. The
CA binds the identity of the public key with sender's private key to enable
the identification of the sender.
Validated digital signatures in an email software application will:-help detect
spam.