System Availability? Select The Correct Answer

9

Which of the following controls would be the MOST effective to ensure and maintain continuous
system availability?
SELECT THE CORRECT ANSWER
Appropriate authorization of system changes
Access to users on a need-to-know basis
Appropriately documented changes
Near real-time monitoring

Correct Option: A
EXPLANATION
Authorizing all changes effectively prevents a potential change that may affect system availability.
Authorization is generally based on successful testing and is put into production after acceptance by
a business user. Access to users on a need-to-know basis is a good preventive control, but does not
prevent the application of unauthorized changes to the system that may affect availability.
Appropriate documentation of change control procedures is recommended, but does not by itself prevent
a loss of availability. Monitoring is a detective control and does not prevent a loss of availability.

13
An IS auditor is tasked to review the adequacy of an organization's technology recovery strategy.
Which of the following factors would the auditor PRIMARILY review?
SELECT THE CORRECT ANSWER
Recovery time objective (RTO)
Business impact analysis (BIA)
Ability to recover from severe disaster
Recovery point objective (RPO)

Correct Option: B
EXPLANATION
The BIA identifies the financial, operational and service impacts that may result from a disruption in
a business process or IT service and therefore the BIA is the primary driver for the technology
recovery strategy. RTO is the requirement for how quickly a business process or an IT service must
be restored after a disaster. The ability to recover from all types of incidents should be reviewed
rather than the ability to recover from only the severe disaster scenario. The RPO is the point in time
to which an organization must recover data.

15
When performance issues are discovered during an assessment of the organization's network, the
MOST efficient way for the IS auditor to proceed is to examine the:
SELECT THE CORRECT ANSWER
antivirus controls that have been put in place
protocols used on the network
network topology
configuration of network devices

Correct Option: C
EXPLANATION
By reviewing the network topology, the IS auditor can quickly gain a high-level perspective of
potential points of failure or bottlenecks. The IS auditor will be directed to specific areas of the
network which may require more detailed analysis. The other choices require more time to assess
and are secondary to understanding the overall architecture of the network.

21
When evaluating the control self-assessment (CSA) completed by the Chief Risk Officer (CRO) of an
IT organization, what would be of the GREATEST concern to the IS auditor?
SELECT THE CORRECT ANSWER
The CRO reports directly to the Chief Information Officer (CIO)
Some IT managers have indicated that the CSA training workshops were inadequate
The CRO reports directly to the board of directors
The CSA process was only recently adopted by the organization

Correct Option: A
EXPLANATION
If the CRO reports to the CIO, there is a risk that the CRO's objectivity has been impaired. Ideally, the
CRO should report to the board of directors or to the Chief Executive Officer (CEO). Although it is
important that everyone involved in conducting CSAs has received adequate training, the greater
concern would be if the individuals responsible were not completely objective. Although it does take
time for an organization to develop the expertise to perform adequate CSAs and a recently adopted
CSA process would require greater scrutiny, the greater concern would be if the individuals
responsible were not completely objective. The IS auditor should review the outcomes of the
assessment to ensure that all material risks have been identified. The auditor should ascertain
whether the CSA was developed by following the correct organizational procedures (e.g., planning,
implementation and monitoring).

23
Web application developers sometimes use hidden fields on web pages to save information about
a client session. This technique is used, in some cases, to store session variables that enable
persistence across web pages, such as maintaining the contents of a shopping cart on a retail web
site application. The MOST likely web-based attack due to this practice is:
SELECT THE CORRECT ANSWER
parameter tampering
cross-site scripting
cookie poisoning
stealth commanding

Correct Option: A (a parameter tampering attack is likely)
EXPLANATION
Web application developers sometimes use hidden fields to save information about a client session
or to submit hidden parameters, such as the language of the end user, to the underlying application.
Since hidden form fields do not display in the browser, developers may feel safe passing unvalidated
data in the hidden fields (to be validated later). This practice is not safe since an attacker can
intercept, modify, and submit requests which can discover information or perform functions that the
web developer never intended. The malicious modification of web application parameters is known
as parameter tampering. Cross-site scripting involves the compromise of the web page to redirect
users to content on the attacker's web site. The use of hidden fields has no impact on the likelihood of
a cross-site scripting attack since these fields are static content that cannot ordinarily be modified to
create this type of attack. Web applications use cookies to save session state information on the
client machine so that the user does not need to log on every time a page is visited. Cookie
poisoning refers to the interception and modification of session cookies in order to impersonate the
user or steal logon credentials. The use of hidden fields has no relation to cookie poisoning. Stealth
commanding is the hijacking of a web server by the installation of unauthorized code. While the use
of hidden forms may increase the risk of server compromise, the most common server exploits
involve vulnerabilities of the server operating system or web server.

30
An enterprise's Chief Information Officer (CIO) is concerned that a high number of defects are
typically found in software projects once the system being developed enters the testing phase of
the project, which has resulted in delays. Which of the following is a suitable option that could be
used to correct this situation?
SELECT THE CORRECT ANSWER
Mandate that all testing be undertaken by a dedicated test team
Build the system in smaller, shorter increments
Adopt sequential development techniques that tie the type of testing to the development
Require formal sign-off on all project deliverables

Correct Option: B
EXPLANATION
Building a system in smaller, shorter increments, with working software as the output of every
increment, can expose quality problems earlier in the overall project life cycle. Use of professional
testers can contribute to testing efficiency and possibly to effectiveness by exposing serious defects
earlier; however, this option does not address the fundamental problem of defects being introduced
in upstream phases of the project before testing commences. A sequential development technique,
such as the 'V' model, is a serial approach to software development, i.e., the project is organized in
sequential phases of requirements definition, design, build and test, but it will not directly address
defects introduced in the upstream phases before testing begins. Formal sign-off does not ensure
that the signatory has fully understood the document being reviewed or that it is complete.

40
An IS auditor is auditing a new implementation of ERP in an organization and is concerned about
segregation of duties not being followed. What can the auditor do?
SELECT THE CORRECT ANSWER
Construct a security roles matrix to identify potential conflicts in authorization
Review security rights in the ERP
Review the ERP documentation
Review other ERP instances of violation of segregation of duties

Correct Option: A
EXPLANATION
The IS auditor could best build a matrix that identifies conflicts in authorization in the ERP. This
would help in identifying violations in segregation of duties.

41
An IS auditor is reviewing several production systems as part of the audit scope. Which of the following
would the auditor use to verify that there have been no unauthorized modifications to production programs?
SELECT THE CORRECT ANSWER
Production system logs review
Forensic analysis
Compliance testing
Detective controls

Correct Option: C
EXPLANATION
The IS auditor could use compliance testing to verify that the change management process has been
applied consistently and that only authorized modifications were made to production programs.

43
The MOST important component of a privacy policy is:
SELECT THE CORRECT ANSWER
Notifications
Warranties
Liabilities
Geographic coverage

Correct Option: A
EXPLANATION
Privacy policies must contain notifications and opt-out provisions; they are a high-level management
statement of direction. They do not necessarily address warranties, liabilities or geographic
coverage, which are more specific.

49
The Sarbanes-Oxley Act necessitates the board of an organization to:
SELECT THE CORRECT ANSWER
register public accounting firms
establish or adopt, by rule, auditing, quality control, ethics, independence, and other standards
related to preparation of the audit reports for issuers
conduct inspections of accounting firms
All of these

Correct Option: D
EXPLANATION
The Sarbanes-Oxley Act of 2002, sponsored by Paul Sarbanes and Michael Oxley, changed federal
securities law significantly. It requires all financial reports to include an Internal Controls Report
showing that a company's financial data are accurate, that adequate controls are in place to safeguard
financial data, and that these controls have been audited by a SOX auditor.

50
The Cyber Security Enhancement Act as incorporated into the Homeland Security Act of 2002:
SELECT THE CORRECT ANSWER
demands life sentences for those hackers who recklessly endanger lives
requires ISPs to hand over records
does not outlaw publications such as details of PGP
None of the above

Correct Option: B
EXPLANATION
The Act amended the USA PATRIOT Act to further loosen restrictions on Internet service providers
(ISPs) as to when, and to whom, they can voluntarily release information about subscribers.

58
Which of the following choices is the MOST likely cause of significant inconsistencies in system
configurations?
SELECT THE CORRECT ANSWER
Lack of procedures
Inadequate governance
Poor standards
Insufficient training

Correct Option: B
EXPLANATION
Governance is the rules the organization operates by and the oversight to ensure compliance as well
as feedback mechanisms that provide assurance that the rules are followed. A failure of one or more
processes is likely to be the reason that system configurations are inconsistent.

60
The MOST important element(s) to consider when developing a business case for a project is/are:
SELECT THE CORRECT ANSWER
Feasibility and value proposition
Resource and time requirements
Financial analysis of benefits
Alignment with organizational objectives

Correct Option: A
EXPLANATION
Feasibility, and whether the value proposition makes sense, will be the major considerations in
deciding whether a project should proceed.

61
The enactment of policies and procedures for preventing hacker intrusions is an example of an
activity that belongs to:
SELECT THE CORRECT ANSWER
Risk management
Compliance
IT management
Governance

Correct Option: D
EXPLANATION
Governance is concerned with implementing adequate mechanisms for ensuring that organizational
goals and objectives can be achieved. Policies and procedures are common governance mechanisms.

62
Which of the following choices is a necessary attribute of an effective information security
governance framework?
SELECT THE CORRECT ANSWER
An organizational structure with minimal conflicts of interest, sufficient resources, and defined
responsibilities
Organizational policies and guidelines in line with predefined procedures
Business objectives aligned with a predefined security strategy
Security guidelines that address multiple facets of security such as strategy, regulatory compliance,
and controls

Correct Option: A
EXPLANATION
An information security framework will help ensure the protection of information assets from
confidentiality, integrity and availability perspectives. Organizational structures that minimize
conflicts of interest are important for this to work effectively.

64
Maturity levels are an approach to determine the extent that sound practices have been
implemented in an organization based on outcomes. Another approach developed to achieve
essentially the same result is:
SELECT THE CORRECT ANSWER
Controls applicability statements
Process performance and capabilities
Probabilistic Risk Assessment (PRA)
Factor Analysis of Information Risk (FAIR)

Correct Option: B
EXPLANATION
Process performance and capabilities provides a more detailed perspective of maturity levels and
serves essentially the same purpose.

66
Which of the following would be the best type of controls to focus on when managing and monitoring a
specific unit of the organization?
SELECT THE CORRECT ANSWER
Deterrent controls
Pervasive controls
Departmental controls
System controls

Correct Option: B
EXPLANATION
The direction and behavior of a unit are defined by pervasive controls, which cut across all of its
activities to create a cooperative environment.

68
Which of the following factors should be considered when establishing governance of enterprise
IT?
SELECT THE CORRECT ANSWER
The enterprise's risk appetite
The IT strategic plan
The enterprise's organizational structure
The current IT process capability maturity

Correct Option: C
EXPLANATION
The enterprise's organizational structure is the key factor to be considered in defining requirements
and objectives, and in driving the establishment of IT governance. Factors such as centralization
versus decentralization or enterprises with shared services play a significant role.

71
Which of the following best provides an internal control environment?
SELECT THE CORRECT ANSWER
Processes that ensure specific outcomes
Procedures that prescribe specific tasks
Automated processes that avoid human error
Roles and responsibilities that establish accountability

Correct Option: A
EXPLANATION
Processes that ensure specific outcomes constitute a strong internal control environment.

73
Which one of the following analyses best describes the intent of security metrics from a
governance standpoint?
SELECT THE CORRECT ANSWER
Security management performance compared to business objectives
The overall security posture of an enterprise at any given time period
The risk present in the enterprise
Security incidents with which the enterprise has dealt

Correct Option: A
EXPLANATION
The purpose of security metrics is to measure security performance against business objectives;
therefore, this option best describes the intent.

74
Which of the following enhances the oversight of the board of directors over the effectiveness of
IS internal controls?
SELECT THE CORRECT ANSWER
Continuous auditing
An audit committee
Independent annual IS audits
Periodic reports from the chief information officer (CIO)

Correct Option: B
EXPLANATION
To perform an effective oversight role over management, it is essential that the board of directors
receives independent and reliable feedback and evidence. This is possible through an audit committee.

78
Which of the following most likely makes the decision on a request by a business unit to
implement an application that is not on the enterprise's list of approved technology standards?
SELECT THE CORRECT ANSWER
The IS audit committee
The enterprise investment committee
The IT steering committee
The IT architecture review board

Correct Option: D (the IT architecture review board is likely to decide on a request by a business unit)
EXPLANATION
The IT architecture review board is the correct answer. One of the roles of the IT architecture review
board is to enforce architecture compliance and to consider exception or dispensation requests.

83
Which of the following is a major consideration in the RFP process?
SELECT THE CORRECT ANSWER
The RFP planning process is not needed for organizations that have a strong internal programming
capability
The proposals of the vendor go through an objective review to ensure their alignment with the
objectives of the organization
The vendor has to agree to escrow the program code in order to safeguard the buyer. This is needed
in case the vendor terminates operations
The RFP process needs a substantial commitment, as opposed to a request for information (RFI)

Correct Option: B
EXPLANATION
Each proposal has to go through an objective review to figure out whether the offer is in proper
alignment with the organizational objectives. RFP review is the formal process that is supposed to be
handled as a project.

84
Which SDLC phase makes use of Function Point Analysis (FPA)?
SELECT THE CORRECT ANSWER
SDLC phase 3: System Design
SDLC phase 5: Implementation
SDLC phase 4: Development
SDLC phase 1: Feasibility Study

Correct Option: D
EXPLANATION
Function Point Analysis (FPA) helps in estimating the effort needed to develop the software. FPA is
used during SDLC phase 1, the Feasibility Study phase, to formulate estimates by multiplying the
number of inputs and outputs by a mathematical factor.

85
When is a project's management oversight needed?
SELECT THE CORRECT ANSWER
When the percentage of time, scope, or cost vary above 5 percent from the estimate
At the time of the feasibility study being inconclusive
To validate whether the total benefits of the program meet the anticipated projection
When major changes show up in assumptions, methodology, or requirements

Correct Option: D
EXPLANATION
Management oversight review is important in case of an anticipation that the estimates are not right
by more than 10 percent. It is also needed if major changes appear in the used assumptions,
methodology, or requirements.

91
Which of the following methods is used by programming software modules that follow a
time-box style of management?
SELECT THE CORRECT ANSWER
Spiral
Lower case
Agile
Fourth-generation (4GL)

Correct Option: C
EXPLANATION
Agile uses time-box management for quick iterations of software prototypes. This is made possible
by small associations of talented programmers.

92
How long does a full system accreditation normally last?
SELECT THE CORRECT ANSWER
One year
Two years
Nine months
As long as the system is used

Correct Option: A
EXPLANATION
Full accreditation runs for one year. Annual renewal is needed. Management must re-accredit
systems on a yearly basis. Temporary or restricted accreditation lasts only for 90 or 180 days.

95
With regard to software escrow, which of the following is the most significant issue?
SELECT THE CORRECT ANSWER
The vendor has to use a subcontractor for safely storing the original development software
The software comprises intellectual value that is communicated to the client
The client can only use the software and not own it, unless an additional amount is paid
Escrow will take up the commercial software if the vendor sells the rights to another vendor

Correct Option: C
EXPLANATION
The client can only use the software and does not have the right of ownership. The client may
request software escrow to gain full rights over the software if the vendor goes out of business.

97
Which of the following tests is the best method of assessing the logic used in software written as a
programming script?
SELECT THE CORRECT ANSWER
Black-box
Regression
User acceptance
Crystal box

Correct Option: D
EXPLANATION
Crystal-box testing, also called white-box testing, helps in reviewing the logic in software that is
written as a programming script. The script remains readable as long as it is not compiled.
Compiled programs can be tested using a black-box method.

98
In the SDLC model, the software certification testing actually occurs in:
SELECT THE CORRECT ANSWER
Phase 3 (System Design)
Phase 3 (System Design) and phase 4 (Development)
Phase 5 (Implementation)
Phase 4 (Development) and phase 5 (Implementation)

Correct Option: D
EXPLANATION
Software certification testing starts during phase 4 that is the development phase and continues into
phase 5, that is, Implementation testing.

106
Which of the following communications methods charges only for the data transmitted, not the
distance covered?
SELECT THE CORRECT ANSWER
Packet-switched
Circuit-switched
Session-switched
Data-switched

Correct Option: A
EXPLANATION
Packet-switched data transmissions are charged only for the data transmitted, not the distance
covered. Circuit-switched transmissions are charged by the distance covered. The other two options
are simply distracters.

110
What is the principal issue regarding the use of biometrics?
SELECT THE CORRECT ANSWER
Implementation cost
User acceptance
Enrollment process
System accuracy

Correct Option: B
EXPLANATION
User acceptance is the primary issue to the widespread use of biometrics. Some individuals regard
the use of biometrics as an invasion of privacy or express health concerns related to using the
system.

112
Which of the following is a type of data transmission often used with Internet video signals?
SELECT THE CORRECT ANSWER
Unicasting
Broadcasting
Multicasting
Pinging

Correct Option: C
EXPLANATION
Multicasting is used to transmit packets to multiple systems simultaneously and is often used with
video. Unicasting is transmitting packets to only a single destination system.

115
What does the term multiprocessing refer to?
SELECT THE CORRECT ANSWER
Multiple people
Multiple computers
Multiple CPUs
Multiple programs

Correct Option: C
EXPLANATION
The computer contains multiple central processing units (CPUs) that make the computer capable of
running different jobs at the same time. Multiple people on the computer refers to a multiuser
system.

116
Which of the following choices represents the best description of a proxy firewall?
SELECT THE CORRECT ANSWER
Packet filter
Intrusion detection
Circuit level
Sixth generation

Correct Option: C
EXPLANATION
The proxy firewall is designed to execute a request on behalf of the user without granting direct
access. The proxy runs on the firewall. A proxy selectively filters and relays service requests between
the internal and external networks. There is no direct connection between the internal and external
network, other than the proxy software program.

120
During a review of electronic data interchange (EDI) transactions, an IS auditor finds unauthorized
transactions. The auditor would most likely recommend improving the:
SELECT THE CORRECT ANSWER
Physical controls for terminals
EDI trading partner agreements
Program change control procedures
Authentication techniques to send and receive messages

Correct Option: D
EXPLANATION
Authentication techniques to send and receive messages have an important role to play to minimize
the exposure to transactions that are unauthorized. An EDI trading partner agreement helps in
minimizing exposure to legal issues.

123
The first point at which control totals should be applied to reduce the possibility of data loss
during processing is:
SELECT THE CORRECT ANSWER
In transit to the computer
During data preparation
Between related computer runs
During the data return to the user department

Correct Option: B
EXPLANATION
During data preparation, the control totals should be applied to reduce the possibility of data loss as
it creates control at the earliest point.

132
The biometric with the lowest false-acceptance rate (FAR) and highest reliability is:
SELECT THE CORRECT ANSWER
Face recognition
Palm scan
Hand geometry
Retina scan

Correct Option: D
EXPLANATION
Retina scanning is the most reliable technology, as it uses optical technology to map the capillary
pattern of the retina of the eye. Palm scanning requires the user to place a hand on a scanner, which
captures the physical characteristics of the palm. Hand geometry is one of the oldest techniques; it
measures the physical characteristics of the user's hands and fingers from a three-dimensional
perspective. The geometry data captured by palm and hand biometrics are not unique to an individual.
With face biometrics, images are captured of common facial characteristics, which means that users
who look similar can fool the device.

137
When responding to a crisis, the qualifications of the incident commander are:
SELECT THE CORRECT ANSWER
First responder
Member of management
First person on scene
Trained crisis manager

Correct Option: C
EXPLANATION
The incident commander is the first person on the scene, irrespective of position or rank.
Depending on the situation, the incident commander may later be relieved by someone with more or
less experience, so the incident commander will change throughout the crisis.

141
The most important issue to be considered with respect to insurance coverage is:
SELECT THE CORRECT ANSWER
Premiums can be very costly
Salvage, and not replacement, may be dictated
Insurance can pay for all recovery costs
Coverage must consist of all business assets

Correct Option: B
EXPLANATION
Salvage to save money may be dictated by the insurance company. It increases the delay prior to
recovery. Any replacement purchases that the company makes may not be covered under
reimbursement.

142
Digital signatures provide additional protection for electronic messages by allowing the recipient to determine:
SELECT THE CORRECT ANSWER
Message sender verification
Message deletion
Message read by unauthorized party
Message modification

Correct Option: A
EXPLANATION
Digital signatures assure authentication of the email sender. They utilize the sender's private key to
verify identity.

148
The primary concern of the auditor when auditing the use of encryption is:
SELECT THE CORRECT ANSWER
Strength of encryption algorithm
The control of management over the encryption use
The sizes of key used in the encryption and decryption process
The use of the correct encryption method for compliance

Correct Option: B
EXPLANATION
How management controls the use of encryption is the most important concern. It needs to be
checked whether encryption is managed under a complete life cycle governing the creation of keys,
key storage, proper authorization of keys, the correct use of keys with the correct algorithm,
tracking of key usage, key reuse or archival, key retirement, and finally key destruction once all
legal obligations are met.

149
The backup method that should be used on computer files before a forensic investigation is:
SELECT THE CORRECT ANSWER
Differential
Bit stream
Full
Logical

Correct Option: B
EXPLANATION
Also known as physical imaging, bit stream imaging is the only backup method that records deleted
files together with the contents of swap and slack space. The other methods do not capture important
data required as evidence.

150
The hierarchy of controls from highest level to lowest level is represented as:
SELECT THE CORRECT ANSWER
Detailed, pervasive, application, detailed
Pervasive, general, application, detailed
General, pervasive, detailed, application
Application, general, detailed, pervasive

Correct Option: C
EXPLANATION
General controls are the highest class of controls, applicable to everyone within a company. Pervasive
controls signify the protection necessary whenever the technology is being used; in all
departments that use computers, IS controls are pervasive. Irrespective of who is in charge, these
controls need to ensure availability and integrity. Detailed controls stipulate the execution
procedure. Application controls work at the lowest level and govern the use of the software or are
built into it. If the higher-level controls are absent, application controls are compromised.
