4

A financial institution has recently developed and installed a new deposit system which interfaces
with their customer website and their automated teller machines (ATMs). During the project, the
development team and the business continuity team maintained good communication and the
business continuity plan (BCP) was updated to include the new system. A suitable BCP test to
perform at this point in time would be:
SELECT THE CORRECT ANSWER
using actual resources to simulate a system crash.
a detailed paper walk-through of the plan.
a penetration test for the website interface application.
performing a failover of the system at the designated secondary site.

Correct Option: A
EXPLANATION
The basic mechanics of recovery for the new system must be understood and the recovery
infrastructure has to be put in place. This can be done only by involving actual resources in a
simulated recovery exercise which would test the new recovery infrastructure under controlled
conditions. Other choices are not correct.

9
The MOST important point of consideration for an IS auditor while reviewing an enterprise's
project portfolio is that it
SELECT THE CORRECT ANSWER
does not exceed the existing IT budget.
is aligned with the investment strategy.
has been approved by the IT steering committee.
is aligned with the business plan.

Correct Option: D
EXPLANATION
Portfolio management takes a holistic view of an enterprise's overall IT strategy, which in turn,
should be aligned with the business strategy. A business plan would provide the justification for each
of the projects in the project portfolio, which would be the major consideration for an IS auditor. Not
every enterprise has an IT steering committee.

13
While copying files from a USB, a user hosted a virus into the network. Which of the following
would MOST effectively detect the existence of the virus?
SELECT THE CORRECT ANSWER
USB ports
Central virus checker on network file server
Scheduled scans of network drives
A virus monitor on the user's personal computer

Correct Option: D
EXPLANATION
The most effective way to DETECT a virus would be through real-time antivirus monitoring at the
user's desktop which would detect the virus before it gets transferred to the system/network. All
others are controls intended to prevent a computer virus from infecting the system.

16
Which of the following is the MAJOR advantage of a component-based development approach?
SELECT THE CORRECT ANSWER
Manages disparate data types.
Manages multi tier architecture
Links disparate software
Supports multiple development environments

Correct Option: D
EXPLANATION
Components written in one technology interact with components written in other technologies or
systems, thereby increasing the speed of development. The other choices are not benefits of
component-based development.

21
An IS auditor finds that user acceptance testing of a new application is being disturbed as defect
fixes are implemented by the project team. Which of the following would be the BEST
recommendation for an IS auditor to make?
SELECT THE CORRECT ANSWER
Use a different user acceptance environment
Ensure coders are not fixing defects during user testing
Implement a configuration control tool
Halt testing until system is fully developed

Correct Option: A
EXPLANATION
A distinct development environment is normally required to ensure the integrity of production code.
It is important that the development and testing codes be kept distinct.

28
An organization has a combination of access points that cannot be upgraded to stronger security
and newer access points that have advanced wireless security. The organization has decided to
replace the non-upgradeable access points even though expensive. Which of the following would
BEST justify this choice?
SELECT THE CORRECT ANSWER
The new access points would have current inbuilt security
The old access points would not match up to the new points
The organization's security would be as strong as its weakest vulnerabilities
New access points would be robust

Correct Option: C
EXPLANATION
The old access points should be rejected and replaced with products having strong security, as they
are prone to security weaknesses that could be taken advantage of by attackers and make the entire
network weak based on their own vulnerabilities.

29
An IS auditor would find which of the following most alarming in the development and
documentation of business continuity measures by an organization?
SELECT THE CORRECT ANSWER
The organization uses good practice guidelines and has external advisors for disaster recovery
The business continuity capabilities are planned around a carefully selected set of scenarios which
describes events that might happen with a reasonable probability
Recovery constraints are not taken into account during the recovery phase
The warm site identified is in a remote place with no proper roads for access

Correct Option: B
EXPLANATION
Scenario planning for business continuity should not be used as it is not possible to plan and
document actions for every conceivable scenario. Planning for just selected scenarios limits events
that could cause an organization to break down.

34
An IS auditor performing a data center review for a large company discovers that the data center
has a lead-acid battery room to provide power to its uninterruptable power supply (UPS) during
short-term outages and a diesel generator to provide long-term power backup. Which of the
following items would cause the IS auditor the GREATEST concern?
SELECT THE CORRECT ANSWER
The service contract on the diesel generator is not current
The battery room does not contain hydrogen sensors
The door to the battery room is kept locked
The battery room is next to the diesel generator yard

Correct Option: B
EXPLANATION
Lead-acid batteries emit hydrogen, a highly explosive gas and therefore hydrogen detectors are a
compensating control which would notify data center personnel of a possible gas build up so they
could take the suitable actions.

35
The PRIMARY objective of testing a business continuity plan is to
SELECT THE CORRECT ANSWER
meet regulatory requirement of testing
ensure that all remaining risks are addressed
ensure organization recovers rapidly from a disaster
identify limitations of the business continuity plan

Correct Option: D
EXPLANATION
Testing the business continuity plan ensures that any limitations are exposed immediately.

37
An IS auditor performing an access control review should be concerned MAINLY with the:
SELECT THE CORRECT ANSWER
Access logs for various systems
authorization and authentication of the user prior to granting access to system resources
process and procedures governing data usage
Data owners and access rights

Correct Option: B
EXPLANATION
The authorization and authentication of users is the most major aspect in access control review as it
is a preventive control. Weak controls at this level can affect all other features.
41
A manufacturing firm wants to automate its invoice payment system. Objectives state that the
system should require considerably less time for review and authorization and the system should
be capable of identifying errors that require follow up. Which of the following would BEST meet
these objectives?
SELECT THE CORRECT ANSWER
Purchase of an automated Supplier Chain management system
Purchase of an automated ERP
Establishing an electronic data interchange (EDI) system of electronic business documents and
transactions with key suppliers, computer to computer, in a standard format
Reviewing the system requirements and building a custom made solution

Correct Option: C
EXPLANATION
EDI, when properly implemented with agreements with trading partners' transaction standards,
controls over network security mechanisms in conjunction with application controls, is best suited to
identify and follow up on errors more quickly. There would be fewer needs for review and
authorization.

45

Management observed that the initial phase of a multiphase implementation was behind schedule
and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for
a post implementation focus should be to:
SELECT THE CORRECT ANSWER
assess whether the planned cost benefits are being measured, analyzed, and reported
review control balances and verify that the system is processing data accurately
review subsequent program change requests for the first phase
determine whether the system's objectives were achieved

Correct Option: C
EXPLANATION
Since management is aware that the project had problems, reviewing the subsequent fixes will
provide insight into the types and potential causes of the project issues. This will help to identify
whether IT has adequately planned for those issues in the subsequent phases. While all choices are
valid, the post implementation focus and primary objective should be assuring that the issues of the
initial phase are addressed.

48
Which of the following is a dynamic analysis tool for the purpose of testing software modules?
SELECT THE CORRECT ANSWER
Black box test
Load and stress testing
Regression testing
White box testing

Correct Option: A
EXPLANATION
A black box test is a dynamic analysis tool for testing software modules in a consistent manner as a
single entity consisting of numerous modules and also with the user data that flows across software
modules.

50
An IS auditor finds that an enterprise does not restrict the use, nor have a policy addressing the
use, of universal serial bus (USB) storage devices. Which of the following would be MOST
important for the IS auditor to recommend?
SELECT THE CORRECT ANSWER
Implementing security software to prevent the use of USB ports for data transfer
Introducing a policy to address the use of portable drives
Implementing a virtual private network (VPN) solution to ensure encrypted sessions during
transmission of data
Disabling USB ports on all machines

Correct Option: A
EXPLANATION
The best method to prevent the use of portable media is through a hardware or software solution.
Since the enterprise does not have a policy to address the use of portable drives, it is possible that
management did not consider the risks associated with their use. Because of the portable nature of
these drives, they are prone to being misplaced or lost. Option B is not correct because, while a
policy would address use, it is not a strong enough method to prevent use. If there were an
indication that management accepts the risks, then this would be the correct answer. Management
should first understand the risks associated with the drives, and a decision should be made as to
how risks will be controlled. Option C is not correct because a VPN solution does not address the use
of portable media. A VPN is used for a secure method of remote access to a private network. Option
D is not correct because it is not practical to disable all USB ports because they may be used for a
mouse, local printer, or other legitimate device.

51
Which is the MOST significant control that the IS auditor should look for to ensure system
availability while appraising the effectiveness of the organization's change management process?
SELECT THE CORRECT ANSWER
A proper configuration management control tool exists
System capacity is adequate
Test plans and procedures exist and are closely followed
Systems have enough surplus capacity

Correct Option: C
EXPLANATION
The most important control for ensuring system availability is to implement a comprehensive set of
testing plans and procedures which are regularly followed.

58
Which of the following factors is the most important to consider when establishing governance of
enterprise IT?
SELECT THE CORRECT ANSWER
The enterprise's risk appetite
The IT strategic plan
The enterprise's organizational structure
The current IT process capability maturity

Correct Option: C
EXPLANATION
The enterprise's organizational structure is the key factor to be considered in defining requirements
and objectives, and in driving the establishment of IT governance. Factors such as centralization
versus decentralization or enterprises with shared services play a significant role.

60
After consulting with senior management, an organization's IT department decided that all IT
hardware would be replaced three years from the procurement date. The MOST likely reason for
doing this is to:
SELECT THE CORRECT ANSWER
manage IT assets in a cost-effective manner
keep pace with new cost-effective technologies
ensure that existing capacity can meet all users' needs
ensure that IT hardware is covered by the manufacturer warranty

Correct Option: A
EXPLANATION
IT assets perform cost-effectively within their economic life cycle. The costs of maintaining IT assets
rise significantly after those assets have been operating for some time due to increased wear and
tear and costs to replace parts. This is the most likely reason for replacing IT hardware after a
specific period of time. Keeping pace with new cost-effective technologies, ensuring that existing
capacity meets current users' demands and ensuring warranty coverage for hardware are not the
most likely reasons for assigning a standard asset life.

62
What is the IPsec mode that hides the network address?
SELECT THE CORRECT ANSWER
Transport
Encrypted security payload
Tunnel
VPN

Correct Option: C
EXPLANATION
The IPsec tunnel mode will hide the network address and route the packet by using the address of
the ISP.

71
It is important that organizations ensure their security efforts are effective and measurable. Which
of the following is not a common method used to track the effectiveness of security efforts?
SELECT THE CORRECT ANSWER
Service level agreement
Return on investment
Balanced scorecard system
Provisioning system

Correct Option: D
EXPLANATION
Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements,
achieving return on investment (ROI), meeting set baselines, and providing management with a
dashboard or balanced scorecard system. These are ways to determine how useful the current
security solutions and architecture are performing.

74
Which of these should be assessed after the likelihood of a loss event has been determined?
SELECT THE CORRECT ANSWER
The magnitude of impact
Risk tolerance
The replacement cost of assets
The book value of assets
Correct Option: A
EXPLANATION
Disaster recovery is driven by risk, which is a combination of likelihood and consequences. Once
likelihood has been determined, the next step is to determine the magnitude of impact.

75
The Safe Harbor Privacy Framework was created to:
SELECT THE CORRECT ANSWER
Ensure that personal information should be collected only for a stated purpose by lawful and fair
means, and with the knowledge or consent of the subject
Provide a streamlined means for U.S. organizations to comply with the European privacy laws
For the federal government to release to citizens the procedures of how records are collected,
maintained, used, and distributed
None of the above

Correct Option: B
EXPLANATION
The U.S. approach to privacy protection relies on industry-specific legislations, regulations, and self-
regulations, whereas the European Union relies on comprehensive privacy regulations. To bridge the
different privacy approaches, the U.S. Department of Commerce and the European Commission
developed a Safe Harbor Framework.

77
When corporate standards change due to new technology, which of these is MOST likely to be
impacted?
SELECT THE CORRECT ANSWER
Organizational policies
Risk assessment approach
Control objectives
System security baselines

Correct Option: D
EXPLANATION
Since the security baselines are set by standards, it is most likely that a change in some standards
will necessitate a review and possible changes in baseline security

81
What is COBIT, and how does it impact the development of information security systems and
security programs?
SELECT THE CORRECT ANSWER
Lists of standards, procedures, and policies for security program development
Current version of ISO 17799
A framework developed to deter organizational internal fraud
Open standards for control objectives

Correct Option: D
EXPLANATION
The Control Objectives for Information and Related Technology (COBIT) is a framework developed by
the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute
(ITGI). It defines the goals for controls that should be used to properly manage IT and ensure IT maps
to business needs.

83
Which of the following components is established during the initial steps of developing a risk
management program?
SELECT THE CORRECT ANSWER
Management acceptance and support
Information security policies and standards
A management committee to provide oversight for the program
The context and purpose of the program

Correct Option: D
EXPLANATION
An initial requirement is to determine the organization's purpose for creating an information
security risk management program, determine the desired outcomes, and define its objectives.

87
A user's digital identity is commonly made up of several elements beyond only the user name.
Which of these is NOT commonly used to make up a user's identity?
SELECT THE CORRECT ANSWER
Entitlements
Traits
Figures
Attributes

Correct Option: C
EXPLANATION
A user's identity is commonly a collection of attributes such as department, role in the company;
entitlements such as authority, rights; and traits such as biometric information, and so on.

89
Which of the following best describes the difference between the role of the ISO/IEC 27000 series
and COBIT?
SELECT THE CORRECT ANSWER
The COBIT provides a high-level overview of security program requirements, while the ISO/IEC 27000
series provide the objectives of the individual security controls.
The ISO/IEC 27000 series provide a high-level overview of security program requirements, while
COBIT provides the objectives of the individual security controls.
COBIT is process oriented, and the ISO/IEC standard is solution oriented.
The ISO/IEC standard is process oriented, and COBIT is solution oriented.

Correct Option: B
EXPLANATION
The ISO/IEC 27000 series provide a high-level overview of security program requirements, while
COBIT provides the objectives of the individual security controls. COBIT provides the objectives that
the real-world implementations (controls) you chose to put in place need to meet.

90
Which of the following provides a true characteristic of a fault tree analysis?
SELECT THE CORRECT ANSWER
Fault trees are assigned qualitative values to faults that can take place over a series of business
processes.
Fault trees are assigned failure mode values.
Fault trees are labeled with actual numbers pertaining to failure probabilities.
Fault trees are used in a stepwise approach to software debugging.

Correct Option: C
EXPLANATION
Fault tree analysis follows this general process. First, an undesired effect is taken as the root, or top,
event of a tree of logic. Then, each situation that has the potential to cause that effect is added to
the tree as a series of logic expressions. Fault trees are then labeled with actual numbers pertaining
to failure probabilities

98

Due care can be defined as:

Minimum care during audit

Average care during audit

Extraordinary care during audit

Correct Option: A (B is correct )

99
Why is an audit committee set up?
SELECT THE CORRECT ANSWER
To augment the auditing skills
To coordinate, govern, and manage the audit
To review and ensure proper assurance
To review the audit activities on a regular basis

Correct Option: C
EXPLANATION
An audit committee is set up to review and challenge the assurances made, and maintain a working
equation with management and auditors.

102
The IS auditor has reviewed application security and found several inadequacies. Which of the
following can the IS team use to fix this without recurring issues?
SELECT THE CORRECT ANSWER
Review configuration builder for the latest security software before release
Run a regression test before putting the final version into production
Include stringent coding conditions
Include pair programming practices

Correct Option: B
EXPLANATION
To ensure the bugs are not introduced before a system goes into production, the IS team must run a
regression test to ensure the controls are not mitigated in a development environment prior to
implementation in production.
106
Object-oriented database management systems normally indicate database capabilities
with object-oriented programming capabilities. For which of the following data types are they
designed?
SELECT THE CORRECT ANSWER
Fixed length
Access with joins
Variable
Tabular implementation

Correct Option: C (object oriented database is designed for variable database activity.)
EXPLANATION
Object-oriented database management systems can manipulate data with variable data formats,
unlike relational databases that are tabular in implementation.

107
An IS auditor has undertaken a review of the configuration parameters in a software development
project. Why is this review done?
SELECT THE CORRECT ANSWER
Changes must be properly studied for impact analysis
Change settings must set the minimum requirements for adequate and essential security
Change requests should be approved by the Change Control Board (CCB)
The configuration management system reveals different directories where controls are not well
managed

Correct Option: B
EXPLANATION
Change security settings define the accountability and integrity of data. Beyond this, changes should
be studied for impact analysis and properly approved by the Change Control Board. Evidence of
inadequate security is revealed through the study of folders under configuration management.

109

Software systems need to be tested at various stages to ensure they are fit for use. In a target
environment, what type of testing is undertaken to ensure the system is not in conflict with other
systems?
SELECT THE CORRECT ANSWER
Integration

Sociability

System
White-box

Correct Option: B
EXPLANATION
Sociability testing tests a software system in the target environment. All other tests are run to
ensure the software systems and its functions are fit for use.

113
What type of metrics or measurement for IT services would be the most ideal type in terms of
optimum management?
SELECT THE CORRECT ANSWER
External
Service
Internal
Performance

Correct Option: A
EXPLANATION
External measurements report how the customer would review the delivery of IT services.
Performance and service metrics report on the external view of system availability, capacity
management, turn around time to resolve problems, and so on. Metrics should reveal the IT
requirements of end users, not only internal metrics.

119
An organization is looking to connect their workstations across all departments. Which of the
following choices is their IT team likely to take as the best option?
SELECT THE CORRECT ANSWER
Fiber optics
Unshielded Twisted Pair
Shielded Twisted Pair
Coaxial cable

Correct Option: B
EXPLANATION
The unshielded twisted-pair known as UTP would be the best choice. Shielded twisted-pair is usually
used in an area prone to electronic noise where it would be more resistant. Coaxial cables are
defunct for connecting workstations. Currently, fiber optics are commonly used to connect servers.

120
During data backup, which of the following would require special handling?
SELECT THE CORRECT ANSWER
System files
Library files
Application Files
Database files

Correct Option: D
EXPLANATION
Special back up procedures must be followed to ensure data integrity of database files which could
be open. Typically, users must exit out of the database prior to backup. Otherwise, files are copied to
a shadow database or second system where backups are executed without conflict.

122
An IS auditor is undertaking an IS controls audit. Which of the following would be most significant
document?
SELECT THE CORRECT ANSWER
IT networks and firewall documents
Organizational blueprint showing entry and exit into the unit
Quality and Human Resource manual
IS asset inventory and register

Correct Option: B
EXPLANATION
Change security setting defines the accountability and integrity of the data. Beyond this, changes
must be studied for impact analysis and be properly approved by the change control board. Evidence
of inadequate security would be revealed through study of folders under configuration
management. Therefore, organizational blueprint is an important document for an IS audit.

26
An IS auditor is considered to provide the best evidence. Which of the following could be termed
as best evidence?
SELECT THE CORRECT ANSWER
Subjective
Internal
Factual
Objective

Correct Option: D
EXPLANATION
Objective evidence is the best evidence as it is unbiased, factual, and proves the point indicating the
relationship to the audit area.
128
Auditors are expected to be meticulous and unbiased during evaluation of audit evidence. They
apply professional judgment with an attitude of professional skepticism to prevent negligence.
Which of the following best indicates the application of professional judgement?
SELECT THE CORRECT ANSWER
Secrecy
Due care
Confidentiality
Ethics

Correct Option: B
EXPLANATION
Due care in professional judgement means concern given to protect from a loss. The minimum level
of attention needed to prevent fraud or neglect is known as due care.

131
Which of the following conditions is likely to represent a control failure and therefore be a
concern to the auditor?
SELECT THE CORRECT ANSWER
A policy without an underlying standard of monitoring and enforcement
A policy based on guidelines
A general policy intended to be a catchall for things not specifically mentioned
Use of the guideline with monitoring, but no formal policy

Correct Option: A
EXPLANATION
A policy without the standards of enforcement is practically worthless. Monitoring is required to
determine whether the standard is being met or violated. The lack of monitoring and enforcement is
a serious concern to the auditor.

133
Which of the following represents the biggest concern with regard to controls?
SELECT THE CORRECT ANSWER
Identification of individuals
Authorization
Access rights
Independence

Correct Option: B
EXPLANATION
Authorization must be separated from all other functions. Changes in activities require separate
authorization using the concept of separation of duties or compensating controls. The objective is to
prevent an individual from violating an internal control. All control deviations should generate an
audit trail, along with awareness of the deviation by management.

134

Which of the following is the best definition of user identity?

Claim

Authority

Job role

Correct Option: B
EXPLANATION
The user identity is a claim made by the user. This claim of identity must be verified against a known
record by using the authentication process. Authentication is a one-time match attempt to
determine whether access should be granted. A mismatch would result in denied access.

137

Which of the following is the best demonstration of the auditor independence requirement?
SELECT THE CORRECT ANSWER
Provide an external audit and help the client fix the system

Audit and advise without fixing or designing the solution

Audit as an internal participant

Audit and advise in the detailed design of the solution

Correct Option: B
EXPLANATION
The auditor must be careful to remain neutral and free of potential conflict during the audit process.
Providing general advice to aid clients is encouraged, but the auditor must be careful not to
participate in the detailed design or remediation of the problem. To do so would violate the
independence objective.

138
Management is required to implement internal controls for the organization. Which of the
following represents a systematic process of mandatory steps required to accomplish the
objective?
SELECT THE CORRECT ANSWER
Policies
Guidelines
Procedures
Baselines

Correct Option: A
EXPLANATION
Policies provide a "cookbook" recipe of steps necessary to ensure compliance in support of
management's objective. The hierarchy is management's high-level policy, supported by a mid-level
standard, which is supported by a lower-level procedure. Compliance to procedures is mandatory.

141

Which of the following types of downloadable programs is known to present the most serious
security risk?
SELECT THE CORRECT ANSWER
VB script

ActiveX

Java

Servlet

Correct Option: B
EXPLANATION
ActiveX is more dangerous because the Authenticode method of digitally signing a program does not
protect against malicious software nor does it protect the user from poorly written programs.
Malicious ActiveX programs can subvert security of the operating system.

142

Compensating controls are primarily intended to compensate for what issue?

Separation

Training

Contractors
Correct Option: B
EXPLANATION
Compensating controls are primarily intended for separate authorization, specifically separation of
job duties. It may not be possible to have separation of duties because of a small staff.
Compensating controls-including audit logs, job rotation, and audit and supervisory review-ensure
that all activities are visible to another employee or manager to prevent misuse.

144

Following the evidence rule, what could the auditor use to best determine that a given policy is
actually being used?
SELECT THE CORRECT ANSWER
Presence of the policy manual

Minutes of meetings

Enforcement emails

User awareness

Correct Option: C
EXPLANATION
The presence of emails regarding enforcement of the policy would be the best determination that a
policy is in use. A second choice might be a random sampling of user awareness, followed by the
minutes of meetings where the policy was discussed.

147

Which of the following is a true statement pertaining to data encryption when it is used to protect
data?
SELECT THE CORRECT ANSWER
It verifies the integrity and accuracy of the data.

It requires careful key management.

It does not require much system overhead in resources.

It requires keys to be escrowed.

Correct Option: B
EXPLANATION
Data encryption always requires careful key management. Most algorithms are so strong today it is
much easier to go after key management rather than to launch a brute force attack. Hashing
algorithms are used for data integrity, encryption does require a good amount of resources, and
keys do not have to be escrowed for encryption.
148

Which is the best description of remote journaling?

SELECT THE CORRECT ANSWER

Backing up transaction logs to an offsite facility

Capturing and saving transactions to two mirrored servers in-house

Capturing and saving transactions to different media types

Correct Option: B
EXPLANATION

Remote journaling is a technology used to transmit data to an offsite facility, but this usually only
includes moving the journal or transaction logs to the offsite facility, not the actual files.