
1. Which of the following would not be used by executive management for IT governance?

Executive management would use the key IT governance practices, including the IT balanced scorecard and a risk management process, as well as working with strategy committees.

Last Year Audit Reports

Risk Management Process

Strategy Committee

IT Balanced Scorecard

The overall set of responsibilities and practices used by an organization's management to provide strategic direction, including managing risk and organizational resources, is commonly referred to as:

Governance is defined as the system by which business corporations are directed and controlled. The system includes strategic direction, risk management, and resource allocation.

IT Management

Risk Assessment

Organizational Scorecard

The foundation of IT governance is simply:

IT governance is about the stewardship of technology resources in an organization with respect to strategic business goals.

Alignment of IT and shareholder expectations

Results of Executive Strategy Sessions

Alignment of IT and Business

Risk Management

Which of the following is an IT Governance Framework developed by ISACA?

COBIT is a generally accepted framework for IT security and control practices. The COBIT framework was initiated by ISACA, and knowledge of COBIT is not specifically tested on the CISA exam.

The Information Security Management Maturity Model (ISM3)

COBIT

ISO/IEC 27001

ITIL

Why is Audit important to successful IT Governance?

Audit is the organizational entity that monitors compliance with the organization's established controls.

Audit monitors compliance and can remediate items that fail the organization's standards.

With new federal regulations, executive management must be accountable to stakeholders.

Audit monitors compliance and can make recommendations towards successful IT Governance.

Audit is intrinsic and persuasive in all successful organizations.

Which of the following describes the IT Governance focus area called performance management?

Performance measurement is one of the IT governance focus areas outlined in COBIT. The focus areas are performance management, resource management, value delivery, risk management, and strategic alignment.

Completing projects and translating strategy into action items.

Understanding the enterprise tolerance for risk.

Adjusting and aligning IT operations with the enterprise operations.

Managing knowledge and infrastructure.

A process-driven evaluation technique applied to IT governance is known as what?

The IT balanced scorecard is used to assess IT functions and processes in light of IT governance, as well as to report on performance, capabilities, and risks.

IT Dashboard

IT Balanced Scorecard

IT Key Performance Indicators (KPI)

Enterprise Goal Setting

A high level document that represents an organization's tone or philosophy towards governance is known as what?

Policies communicate a clear and coherent environment or standard. Procedures and controls then flow from the content of the policy.

Procedure

Vision Quest

Balanced Scorecard

Policy

Broad enterprise policies should be aligned with which of the following?

The organization's policies must always be in harmony with the business objectives. Customer satisfaction and mission statements are important, but they do not create the environment of the organization.

The customer satisfaction index

Audit Committee Charter

Business Objectives

The Company Mission Statement

Which of the following is not found on a standard IT balanced scorecard?

When applying a balanced scorecard to IT, the three-layer structure includes mission, strategies, and measures.

Investments

Mission

Measures

Strategies

Information security governance is the responsibility of which group?

Information security governance includes physical security, the security of technology, and the privacy of information. It must be driven by COOs, CEOs, CTOs, and other members of executive management.

Employee Leadership

External Auditing Firms

Executive Management

Internal Auditors

Which of the following should not be enforced from the executive or board level down through the
organization?

If executive management does not establish and reinforce the need for information security governance, the organization's security posture will be compromised.

Corporate Policies

Penalties for noncompliance

Support of business strategies and objectives

Exceptions to policies

Development of strategic plans for IT usually takes what duration?

Developing strategic plans for IT involves aligning technology projects with the goals and objectives of the organization as a whole. This generally takes 3-5 years.

1-2 years

1-3 years

3-5 years

3-7 years

Which of the following committees reviews and approves sourcing strategies such as insourcing or
outsourcing, offshoring of functions as well as resource allocation?

An organization's information security strategy is defined and maintained by a steering committee. Many organizations will refer to this committee by different names, but ISACA has generally defined this committee as a steering committee.

Steering Committee

Standards and Ethics Committee

Audit Committee

Governance Committee

What committee supports the development and implementation of the enterprise information
security management program?

The IT auditor will need to understand the responsibilities of the steering committee and identify the group that performs those functions.

Standards and Ethics Committee

Governance Committee

Steering Committee

Enterprise Security Committee

Which of the following are high-level documents that represent the corporate philosophy of an organization?

Policies should flow from executive management and be written as clearly and concisely as possible.

Standards

Policies

Statements of Work

Confidentiality Clauses

When should an employee sign an acceptable use policy?

Acceptable use policies define appropriate and inappropriate use of computers and other information systems, and protect both the employee and the employer.

Before receiving access to computer systems

Upon successful reference checks conducted by the Human Resources Group

At the signing of a non-compete or non-disclosure agreement

Before the Internal Review Board meeting

Which of the following most clearly defines 'procedures'?

Procedures are the 'workhorses' of policies. They contain detailed steps on how to implement a policy.

Detailed checklists or steps that define how to implement a policy

High level documents that communicate business strategies

Detailed checklists that define how to implement standards

High level documents that define how users behave while on the Internet

Which of the following would be an acceptable response to a risk?

Risk management involves identifying vulnerabilities and threats, and then deciding what countermeasures to take to reduce the risk, if any.

Refuse

Avoid

Ignore

Reframe

Effective risk management begins with which of the following?

Understanding the organization's appetite for risk is the foundation for building a risk management program tailored to the organization's business goals.

Presenting the Board of Directors with a "Get Out of Jail free Card"

Practicing and refining risk mitigation procedures

Rejecting all risks except the most familiar ones

Understanding the organization's appetite for risk


An organization chooses to implement the scanning of employee security badges at entrances to its buildings. The organization chose to implement this control after a non-employee walked into the building and stole five laptops. This control is an example of what type of risk management action?

The organization has identified a vulnerability at the entrances to its buildings. The threat is that non-employees may steal equipment. The organization has chosen to mitigate the risk by installing badge scanners at the entrances.

Avoidance

Acceptance

Deflection

Mitigation

Which of the following best describes a threat?

A threat is defined as "any circumstances or events with the potential to cause harm to an information resource".

Characteristics of information resources that can be exploited

Inaccurate classification of information resources

Harmful circumstances surrounding information resources

Information resources with poor passwords

What are countermeasures?

Countermeasures or safeguards are designed to reduce vulnerabilities within a system. Countermeasures can be such things as new devices, updated procedures, or new actions.

New controls designed to reduce vulnerabilities

Controls that received the lowest score on the external auditor report

Last-minute controls suggested by the chief security officer

New controls defined in the last regulatory update

Which of the following best describes qualitative risk analysis methods?

Qualitative analysis uses words to describe the likelihood of an event, and can be quite subjective.

Financial numbers

High, Medium, or Low

Historic records and experiments

Industry best practices


Which of the following is NOT a way to mitigate internal fraud?

Human resource management is the organization's policies and procedures concerning an organization's personnel. An auditor may be asked to review controls that help prevent internal fraud.

Employee of the month programs

Separation of duties

Mandatory vacations

Job rotation

Which of the following documents would an auditor request to review the organization's vacation policies?

Employee handbooks are generally distributed to employees when they are hired. Employee handbooks usually contain policies such as security policies, acceptable use policies, and vacation policies.

Conflict of interest agreement

Employee handbook

Employee performance evaluations

Noncompete agreement

Which of the following is not a sourcing practice for information system functions?

When an organization is evaluating how to deliver information systems, it may choose insourced, outsourced, or a hybrid of both.

Outsourced

Composite Sourced

Insourced

Hybrid

An organization decides to operate a help desk center overseas, yet provide second level support from its American headquarters. This is an example of:

This example highlights a hybrid sourcing agreement, with most help center staffing located overseas while level-two support is provided from the USA headquarters.

Outsourcing

Insourcing

Hybrid Sourcing

Globalization Sourcing

An auditor has been hired to review the organization's decision to move its information systems to a cloud-based solution. Which of the following would not be an advantage of this outsourcing agreement?

Outsourcing agreements can yield possible advantages as well as disadvantages. An auditor should be aware of these distinctions.

Money is saved due to economies of scale with software

The vendor responds within the timeframe of the SLA

Internal staff is already assigned to a higher priority project

The vendor has decided regulatory compliance controls are unnecessary

With an outsourcing agreement, what serves as the gatekeeper or the instrument of control?

The contract is the way that organizations manage those information resources controlled and managed by an outsourced vendor.

Contract

Nondisclosure agreement

Warranty

Regulatory Requirements

A cloud computing vendor that provides a cloud infrastructure with programming interfaces and tools supported by that vendor is providing:

There are three main cloud computing models the auditor needs to be familiar with: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Software as a service (SaaS)

Cloud as a Service (CaaS)

Infrastructure as a service (IaaS)

Platform as a Service (PaaS)

With an outsourcing agreement in place between an organization and a cloud service provider, what
remains the responsibility of the organization?

An organization may choose to outsource because of pressure on profit margins, cost reductions in IT services, or for other strategic decisions. Even though the service is outsourced, the risk management and accountability remain with the organization.

Help desk staffing

Service delivery

Third-party audit reports

Accountability

A community cloud deployment model is best described as:

Community clouds can be shared by several organizations to achieve a decrease in IT service delivery costs. This deployment model may not scale like a public cloud model.

A shared pool of resources that supports a shared mission or interest

Secure cloud services provisioned solely for one organization

A cloud-bursting model that allows for load balancing between clouds and communities

A marketing term from an organization selling cloud services

A cloud services vendor has an information security team, a compliance team, and a customer service team. Who has the ultimate responsibility for information security?

The organization will want to establish relationships with members of the cloud vendor's teams and understand their responsibilities for information security, but ultimately the risks and responsibilities reside with the organization.

Information security team

Compliance team

Customer service team

The organization that hired the cloud services vendor

An auditor is evaluating an IT organization's quality management. Which of the following characteristics will she be looking for?

Quality management involves well documented processes that are controlled, measured, and improved upon. The most popular quality management standard is ISO 9001:2000.

Predictable, measurable, repeatable

Flexible, measurable, repeatable

Predictable, measurable, unmatched

Measurable, quantifiable, quantitative

When an organization defines job responsibilities with the goal of reducing potential damage from the actions of any one person, this is known as:

Segregation of duties helps a business reduce or eliminate the risks of unauthorized access, modification of data, and improper use of systems, to name a few business risks.

Conflict Resolution

CIA Triad

Segregation of Duties

Mandatory Vacations

In one small business, there is only a single IT person who has full administrative rights to the information systems. The business owner wants to implement a compensating control to address this risk. Which of the following would you recommend?

Contracting with a third party to establish audit trails on the systems allows the organization to have a detective control in place and to hold the in-house IT staff member accountable. The goal of this control is accountability, and logging plus third-party review services will help to achieve that goal.

Provide multiple business owners administrative rights

Contract with a third-party to establish audit trails on the systems

Contract with a third-party to perform a penetration test to determine if the systems are functioning correctly

Run a background check on the individual

Which of the following roles, when combined with the role of Systems Analyst, may create a
potential segregation of duties control weakness?

The organizational role of Systems Analyst should not be combined with the role of Support Manager, as this combination of job responsibilities may create a potential control weakness. ISACA has provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very familiar with prior to taking the CISA exam.

Support Manager

Application Programmer

Data Entry

Network Administrator

Which of the following roles, when combined with the role of Network Administrator, may create a
potential segregation of duties control weakness?

The organizational role of Network Administrator should not be combined with the role of Database Administrator, as this combination of job responsibilities may create a potential control weakness. ISACA has provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very familiar with prior to taking the CISA exam.

Systems Administrator

Database Administrator

Security Administrator

Quality Assurance

Which of the following roles, when combined with the role of End User, may create a potential segregation of duties control weakness?

The organizational role of End User should not be combined with the role of Network Administrator, as this combination of job responsibilities may create a potential control weakness. ISACA has provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very familiar with prior to taking the CISA exam.

Control Group

Data Entry

Network Administrator

Security Administrator

Which of the following roles, when combined with the role of Support Manager, may create a
potential segregation of duties control weakness?

The organizational role of Support Manager should not be combined with the role of Application Programmer, as this combination of job responsibilities may create a potential control weakness. ISACA has provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very familiar with prior to taking the CISA exam.

Computer Operator

Security Administrator

Quality Assurance

Application Programmer

Which of the following roles, when combined with the role of Database Administrator, may create a
potential segregation of duties control weakness?

The organizational role of Database Administrator should not be combined with the role of Computer Operator, as this combination of job responsibilities may create a potential control weakness. ISACA has provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very familiar with prior to taking the CISA exam.

Computer Operator

Systems Analyst

Security Administrator

Quality Assurance

Which of the following roles, when combined with the role of Security Administrator, may create a
potential segregation of duties control weakness?

The organizational role of Security Administrator should not be combined with the role of Systems Programmer, as this combination of job responsibilities may create a potential control weakness. ISACA has provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very familiar with prior to taking the CISA exam.

Support Manager

Systems Programmer

End User

Quality Assurance

Which of the following roles, when combined with the role of Systems Programmer, may create a
potential segregation of duties control weakness?

The organizational role of Systems Programmer should not be combined with the role of Quality Assurance, as this combination of job responsibilities may create a potential control weakness. ISACA has provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very familiar with prior to taking the CISA exam.

Systems Analyst

Network Administrator

Quality Assurance

Systems Programmer

Which of the following roles, when combined with the role of System Administrator, may create a
potential segregation of duties control weakness?

The organizational role of System Administrator should not be combined with the role of Control Group, as this combination of job responsibilities may create a potential control weakness. ISACA has provided a very helpful Segregation of Duties Control Matrix that the CISA candidate should be very familiar with prior to taking the CISA exam.

Systems Analyst

End User

Network Administrator

Control Group

Which of the following help the IS auditor by providing a map to retrace the flow of a transaction?

Audit trails help the IS auditor by providing a map to retrace the flow of a transaction. The other review functions listed are still valued review functions that the auditor should consider; however, they serve other purposes in an organization.

Audit trail

Reconciliation

Exception Reporting

Supervisory Reviews

Which of the following types of independent verification increases the level of confidence that the
application processed successfully and the data are in proper balance?

Reconciliation is a type of independent verification that increases the level of confidence that the application processed successfully and the data are in proper balance. The other review functions listed are still valued review functions that the auditor should consider; however, they serve other purposes in an organization.

Audit trail

Reconciliation

Exception Reporting

Supervisory Reviews

Which of the following should be handled at the supervisory level and require evidence noting that it
has been handled properly?

Exception reporting should be handled at the supervisory level and requires evidence noting that it has been handled properly. The other review functions listed are still valued review functions that the auditor should consider; however, they serve other purposes in an organization.

Audit trail

Reconciliation

Exception Reporting

Supervisory Reviews

Which of the following are particularly important when duties in a small organization cannot be
appropriately segregated?

Independent reviews are particularly important when duties in a small organization cannot be appropriately segregated. The other review functions listed are still valued review functions that the auditor should consider; however, they serve other purposes in an organization.

Audit Trail

Independent Reviews

Exception Reporting

Supervisory Reviews

When reviewing which of the following the IS auditor should be able to determine who initiated the
transaction, time of day and date of entry, type of entry, and other similar fields?

When reviewing audit trails, the IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, and other similar fields. The other review functions listed are still valued review functions that the auditor should consider; however, they serve other purposes in an organization.

Audit Trail

Independent Reviews

Exception Reporting

Supervisory Reviews
