1. Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.
2. An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific control during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did not have operational responsibilities.
D. provided consulting advice concerning application system best practices.
3. A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.
4. With regard to the evidence gathered during a computer forensic investigation, an IS auditor should be MOST concerned with:
5. Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and environment applicable to the review
D. Reviewing prior IS audit reports
6. During the course of an audit, an IS auditor observes that duties are not properly segregated. Under such a circumstance, the IS auditor should look for:
A. overlapping controls.
B. preventive controls.
C. compensating controls.
D. logical access controls.
7. Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.
8. To assist an organization in planning for IT investments, the IS auditor should recommend the use of:
A. project management tools.
B. an object oriented architecture.
C. tactical planning.
D. enterprise architecture.
9. An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?
A. References from other customers
B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan
10. IT governance ensures that an organization aligns its IT strategy with:
A. enterprise objectives.
B. IT objectives.
C. audit objectives.
D. control objectives.
11. An IS auditor should ensure that IT governance performance measures:
A. evaluate the activities of IT oversight committees.
B. provide strategic IT drivers.
C. adhere to regulatory reporting standards and definitions.
D. evaluate the IT department.
12. Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department
13. When reviewing a system development project at the project initiation stage, an IS auditor finds that the project team is following the organization’s quality manual. To meet critical deadlines the project team proposes to fast track the validation and verification processes, commencing some elements before the previous deliverable is complete. Under these circumstances, the IS auditor should:
A. report this as a critical finding to senior management.
B. accept that different quality processes can be adopted for each project.
C. report to IS management the team’s failure to follow quality procedures.
D. report the risks associated with fast tracking to the project steering committee.
14. Which of the following risks could result from inadequate software baselining?
A. Scope creep
B. Sign-off delays
C. Software integrity violations
D. Inadequate controls
15. Which of the following is critical to the selection and acquisition of the correct operating system software?
A. Competitive bids
B. User department approval
C. Hardware configuration analysis
D. Purchasing department approval
16. When conducting a review of business process reengineering, an IS auditor found that a key preventive control had been removed. The IS auditor should:
A. inform management of the finding and determine whether management is willing to accept the potential material risk of not having that preventive control.
B. determine if a detective control has replaced the preventive control during the process and, if it has, not report the removal of the preventive control.
C. recommend that this and all control procedures that existed before the process was reengineered be included in the new process.
D. develop a continuous audit approach to monitor the effects of the removal of the preventive control.
17. To assist in testing a core banking system being acquired, an organization has provided the vendor with sensitive data from its existing production system. An IS auditor's PRIMARY concern is that the data should be:
18. An organization decides to purchase a package instead of developing it. In such a case, the design and development phases of a traditional software development life cycle (SDLC) would be replaced with:
A. selection and configuration phases.
B. feasibility and requirements phases.
C. implementation and testing phases.
D. nothing; replacement is not required.
19. An IS auditor is performing a project review to identify whether a new application has met business objectives. Which of the following test reports offers the most assurance that business objectives are met?
A. User acceptance
20. When reviewing input controls, an IS auditor observes that in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:
A. not be concerned since there may be other compensating controls to mitigate the risks.
B. ensure that overrides are automatically logged and subject to review.
C. verify whether all such overrides are referred to senior management for approval.
D. recommend that overrides not be permitted.
21. Capacity monitoring software is MAINLY used to ensure:
A. maximum use of available capacity.
B. that future acquisitions meet user needs.
C. concurrent use by a large number of users.
D. continuity of efficient operations.
22. Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?
A. Sensitive data can be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies can be printed.
D. Output can be lost in the event of system failure.
23. The database administrator has decided to disable certain normalization controls in the database management system (DBMS) software to provide users with increased query performance. This will MOST likely increase the risk of:
A. loss of audit trails.
B. redundancy of data.
C. loss of data integrity.
D. unauthorized access to data.
24. An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:
A. the setup is geographically dispersed.
B. the network servers are clustered in a site.
C. a hot site is ready for activation.
D. diverse routing is implemented for the network.
25. When reviewing a service level agreement for an outsourced computer center, an IS auditor should FIRST determine that:
A. the cost proposed for the services is reasonable.
B. security mechanisms are specified in the agreement.
C. the services in the agreement are based on an analysis of business needs.
D. audit access to the computer center is allowed under the agreement.
26. An IS auditor should recommend the use of library control software to provide reasonable assurance that:
A. program changes have been authorized.
B. only thoroughly tested programs are released.
C. modified programs are automatically moved to production.
D. source and executable code integrity is maintained.
27. Which of the following provides the BEST method for determining the level of performance provided by similar information-processing-facility environments?
A. User satisfaction
B. Goal accomplishment
D. Capacity and growth planning
28. Which of the following satisfies a two-factor user authentication?
A. Iris scanning plus fingerprint scanning
B. Terminal ID plus global positioning system
C. A smart card requiring the user's PIN
D. User ID along with password
29. Naming conventions for system resources are important for access control because they:
A. ensure that resource names are not ambiguous.
B. reduce the number of rules required to adequately protect resources.
C. ensure that user access to resources is clearly and uniquely identified.
D. ensure that internationally recognized names are used to protect resources.
30. Which of the following would MOST effectively reduce social engineering incidents?
A. Security awareness training
B. Increased physical security measures
C. E-mail monitoring policy
D. Intrusion detection systems
31. To protect a VoIP infrastructure against a denial-of-service attack, it is MOST important to secure the:
A. access control servers.
B. session border controllers.
C. backbone gateways.
D. intrusion detection system.
32. Which of the following acts as a decoy to detect active Internet attacks?
D. Traffic analysis
33. Which of the following BEST provides access control to payroll data being processed on a local server?
A. Logging access to personal information
B. Using separate passwords for sensitive transactions
C. Using software that restricts access rules to authorized staff
D. Restricting system access to business hours
34. Which of the following is the MOST effective anti-virus control?
A. Scanning e-mail attachments on the mail server
B. Restoring systems from clean copies
C. Disabling floppy drives
D. An online antivirus scan with up-to-date virus definitions
35. An IS auditor reviewing the log of failed logon attempts would be MOST concerned if which of the following accounts was targeted?
A. Network administrator
B. System administrator
C. Data administrator
D. Database administrator
36. An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious?
A. The security officer also serves as the database administrator.
B. Password controls are not administered over the client-server environment.
C. There is no business continuity plan for the mainframe system's noncritical applications.
D. Most local area networks do not back up file-server-fixed disks regularly.
37. A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the OS prompt or as one menu option in an application. The BEST control to mitigate the risk of unauthorized manipulation of data is to:
A. delete the utility software and install it as and when required.
B. provide access to the utility on a need-to-use basis.
C. provide access to the utility to user management.
D. define access so that the utility can be executed only in the menu option.
38. An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
A. maximum unauthorized access would be possible if a password is disclosed.
B. user access rights would be restricted by the additional security parameters.
C. the security administrator's workload would increase.
D. user access rights would be increased.
39. An element of an information security program is the monitoring, detection and prevention of hacking activities and alerting the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?
A. Intrusion detection systems
D. Proxy servers
40. To address a maintenance problem, a vendor needs remote access to a critical network. The MOST secure and effective solution is to provide the vendor with a:
A. secure shell (SSH-2) tunnel for the duration of the problem.
B. two-factor authentication mechanism for network access.
C. dial-in access.
D. virtual private network (VPN) account for the duration of the vendor support contract.
41. Which of the following concerns about the security of an electronic message would be addressed by digital signatures?
A. Unauthorized reading
C. Unauthorized copying
42. Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet?
A. Digital signature
B. Data Encryption Standard
C. Virtual private network
D. Public key encryption
43. To prevent IP spoofing attacks, a firewall should be configured to drop a packet if:
A. the source routing field is enabled.
B. it has a broadcast address in the destination field.
C. a reset flag (RST) is turned on for the TCP connection.
D. dynamic routing is used instead of static routing.
44. In the event of a data center disaster, which of the following would be the MOST appropriate strategy to enable complete recovery of a critical database?
A. Daily data backup to tape and storage at a remote site
B. Real-time replication to a remote site
C. Hard disk mirroring to a local server
D. Real-time data backup to the local storage area network (SAN)
45. A PRIMARY objective of testing a business continuity plan (BCP) is to:
A. familiarize employees with the BCP.
B. ensure that all residual risks are addressed.
C. exercise all possible disaster scenarios.
D. identify limitations of the BCP.
46. A structured walk-through test of a disaster recovery plan involves:
A. representatives from each of the functional areas coming together to go over the plan.
B. all employees who participate in the day-to-day operations coming together to practice executing the plan.
C. moving the systems to the alternate processing site and performing processing operations.
D. distributing copies of the plan to the various functional areas for review.
47. An organization having a number of offices across a wide geographical area has developed a disaster recovery plan (DRP). Using actual resources, which of the following is the MOST cost-effective test of the DRP?
A. Full operational test
B. Preparedness test
C. Paper test
D. Regression test
48. Data mirroring should be implemented as a recovery strategy when:
A. recovery point objective is low.
B. recovery point objective is high.
C. recovery time objective is high.
D. disaster tolerance is high.
49. The window of time for recovery of information processing capabilities is based on the:
A. criticality of the processes affected.
B. quality of the data to be processed.
C. nature of the disaster.
D. applications that are mainframe-based.
50. In a business continuity plan which of the following notification directories is the MOST important?
A. Equipment and supply vendors
B. Insurance company agents
C. Contract personnel services
D. A prioritized contact list
Senin, 08 Juni 2009
1. Which of the following is a benefit of a risk-based approach to audit planning? Audit:
- Adsense (1)
- Audit (2)
- Audit Process (2)
- Auditor IT (2)
- Belajar (1)
- Bisnis (1)
- Bisnis Online (3)
- Blog (1)
- Books (1)
- CISA (3)
- Freeware (1)
- Ibadah (1)
- Inspirasi (1)
- Internet (1)
- Internet Income (1)
- Internet Marketing (4)
- Islam (1)
- kata mutiara (1)
- Komputer (1)
- Motivasi (1)
- Pay Per Lead (1)
- Pemrograman (1)
- Powerbuilder (1)
- Tips and Trik Pemrograman (1)
- Tutorial (1)