
CISA Domain 4 Questions

1. Which type of metric or measurement for IT services is the most suitable in terms of optimum
management?
A. External
B. Service
C. Internal
D. Performance

ANSWER: A

3. The IS team is building IS control objectives for an organization. Which of the below would
not be included?

A. Disaster recovery plan
B. Asset Data Owners and Register
C. Business Continuity plan
D. IS individual system threats

ANSWER: D
Explanation: IS control objectives protect the organization from loss due to IS control failures.
The team would therefore not include individual system threats, which are assessed by
individuals as part of risk management.

5. After a disaster, it is imperative that certain organizational members not only move to the BCP
site but also stay behind at the recovery site to monitor recovery operations. Who are these
members?
A. Top management
B. BCP team
C. Administration team
D. Emergency management team members

ANSWER: D
Explanation: The employees designated as the recovery team, including its leaders, shift
supervisors and operators, work to continue operations until recovery is fully restored.

6. An organization with a large number of suppliers wants its suppliers to update material supply
information online. Therefore, it wishes to provide limited network access to its suppliers. Which
of these options would be chosen?
A. Extranet
B. Dedicated line
C. Internet
D. Intranet

ANSWER: A
Explanation: When limited access to corporate systems and networks is required, an extranet
can be used; it keeps the internal systems separate from supplier access. An intranet refers to
the internal network.

9. Which protocol is considered the Internet backbone and is a routable protocol?

A. IP
B. NetBIOS
C. OSI model
D. TCP

ANSWER: A
Explanation: IP (Internet Protocol) is considered the Internet backbone and is the major routable
protocol. TCP is typically layered on top of IP and provides reliable sessions. The NetBIOS
protocol from Microsoft is not suited to routing, as it is a broadcast technique based on layer 2
technology, while the OSI model is used to understand the layers in network communications.

10. Mandatory Access Controls (MAC) use labels. What happens when the label processing is
bypassed?
A. Override MAC security
B. Overcome RAS security
C. Resist RBAC security
D. Implement DAC security

ANSWER: A
Explanation: A mandatory access control (MAC) system uses labels to enforce security policies.
Bypassing label processing would imply that the security controls of mandatory access control
(MAC) are overridden.

11. Governance needs to be measurable and derive metrics to understand the degree of success
and possible improvements. Which metric below is commonly used as a historical score?
A. RAG indicators
B. Key performance indicator
C. Balanced scorecard
D. Risk Heat Map

ANSWER: B
Explanation: The key performance indicator (KPI) is generated as a historical score using
quantifiable measurements and indicates performance over time periods, typically such as every
quarter in a year.

13. Management is ultimately responsible for putting in place appropriate and proper internal
controls. This includes ensuring that the right personnel gain physical and logical access. Which of
the below methods is used to ascertain the user’s identity?
A. Verification
B. Authentication
C. Scanning
D. Reference mapping

ANSWER: B
Explanation: Authentication compares the user’s claim to a known reference in a single search
and is therefore the best method to determine the user’s identity.

15. Communication lines are imperative in an IS organization and they should be available all the
time if possible. What is the issue with communication lines that are permanently switched on?

A. Cost of operation is probably higher
B. There is an increased risk of system attack
C. Controls are required to prevent accidentally disabling the service
D. An investment in special communication hardware is required

ANSWER: B
Explanation: Systems that are always on are more likely to suffer malicious attack. Standard
telephone circuits are turned off when not in use, which limits the window of opportunity for an
attacker. Communication lines that are always on provide a 24-hour opportunity for the attacker.
Examples of “always on” services include DSL, T-1 leased lines, primary rate ISDN, frame relay,
and ATM.

16. Which type of network device directs data packet transmission through the Internet?
A. Hub
B. Router
C. Repeater
D. Modem

ANSWER: B
Explanation: The function of the router is to route data packets throughout the network by
using the routing path designated by the network administrator. A router may use dynamic
routing software to ease the administrator’s burden. Static routes are the safest to use.
Dynamic routes may be automatically updated by other network devices. Dynamic routing can
pose a security risk if the source of the routing update is not known and trusted.

19. Who is formally assigned, trained, equipped with appropriate tools, and ready to drop
anything they might be doing whenever they are called?
A. Incident responder
B. IT governance manager
C. System developer
D. Decision support analyst

ANSWER: A
Explanation: An incident response team requires properly trained people to be available 24/7 to
respond to any incident that may occur. A formally designated incident response team (IRT)
ensures the right people with expertise look into the problem.

21. Which of the following is true concerning the roles of data owner, data user, and data
custodian?
A. The data user implements controls as necessary
B. The data custodian is responsible for specifying acceptable usage
C. The data owner specifies controls
D. The data custodian specifies security classification

ANSWER: C
Explanation: The data owner specifies controls, is responsible for acceptable use, and appoints
the data custodian. The data users will comply with acceptable use and report violations. The
data custodian will protect information and ensure its availability. The custodian will also
provide support to the users.

32. This address is manufactured or burned into network equipment and is totally unique.
A. Domain name
B. IP
C. Street address
D. MAC

ANSWER: D
Explanation: The 48-bit MAC address is a serial number manufactured into network equipment.
Its purpose is to ensure the machine is unique on the network. It is possible to override the MAC
address by setting a locally defined MAC address. Locally defined addresses are used to facilitate
parts replacement in higher-security environments that use the MAC address as part of the
security settings.

33. Terminal emulation software is useful for which of the following?

A. Updating a database
B. Simulating an aircraft flight
C. Accessing a network device
D. Configuring a server or network device through a serial port

ANSWER: D
Explanation: Terminal emulation software provides a command-line screen to access a serial
port and is often used to configure network devices. The command line offers the highest level
of access when compared to menus and restricted user interfaces. The command line allows the
use of special command arguments that can change the system behavior.

35. Which of the following choices represents the best description of a proxy firewall?
A. Packet filter
B. Intrusion detection
C. Circuit level
D. Sixth generation

ANSWER: C
Explanation: The proxy firewall is designed to execute a request on behalf of the user without
granting direct access. The proxy runs on the firewall. A proxy selectively filters and relays
service requests between the internal and external networks. There is no direct connection
between the internal and external network, other than the proxy software program.

40. Which of the following is used to create a digital signature?

A. Symmetric key
B. Public key
C. Private key
D. Digital certificate

ANSWER: C
Explanation: The sender uses their private key to encrypt a message digest (file hash). The
encrypted message digest becomes a digital signature that can be verified by decrypting it with
the sender’s public key. The digital signature is created using the sender’s private key.

41. Which of the following is not a virtual private network (VPN) technology?

A. Secure Sockets Layer
B. IPsec
C. Secure Shell
D. Remote authentication server

ANSWER: D
Explanation: The remote authentication server is used to verify that the user is genuine. It
does not provide the encryption necessary for a virtual private network. The other three options
(SSL, IPsec and Secure Shell) are valid VPN methods.

45. Which of these best ensures permanency of a wide area network (WAN) across the
organization?
A. Built-in alternative routing
B. Ensure daily backup of the entire system
C. A service provider providing a WAN with stringent SLA
D. Have all the servers continuously mirrored

ANSWER: A
Explanation: Alternative routing ensures the network continues to operate when a server loses
its connection or a link is disconnected, as message rerouting can be made automatic.

47. Which among these minimizes the risk of communication failures in an e-commerce
environment?

A. Encrypted and secure data
B. Successful delivery receipts
C. Firewall with packet filter
D. Leased asynchronous transfer mode lines

ANSWER: D
Explanation: Leased asynchronous transfer mode (ATM) lines avoid the public and shared
infrastructures of the carrier or the Internet service provider, which suffer numerous
communication failures.

49. Which of the following is a type of data transmission often used with Internet video signals?
A. Unicasting
B. Broadcasting
C. Multicasting
D. Pinging

ANSWER: C
Explanation: Multicasting is used to transmit packets to multiple systems simultaneously and is
often used with video. Unicasting is transmitting packets to only a single destination system.

50. An IS auditor reviewing the operating system integrity of a server would PRIMARILY:

A. verify that user programs do not invoke privileged programs and services
B. determine whether administrator accounts have proper password controls
C. ensure that file permissions are correct on configuration files
D. verify that programs or services running on the server are from valid sources

ANSWER: A
Explanation: If user-level programs affect privileged programs or services, then changes to system
parameters and operating system (OS) integrity issues may ensue. Privilege escalation attacks
happen when an unapproved user is able to perform actions beyond their authorized level.

51. Which of the following RAID levels does not improve fault tolerance?
A. RAID level 0
B. RAID level 1
C. RAID level 2
D. RAID level 5

ANSWER: A
Explanation: RAID level 0 can create an image of a large logical drive by combining several small
disk drives, but it does not increase redundancy. RAID 0 is normally used in combination with
other levels to improve performance and redundancy. RAID 1 (full duplication on two sets)
provides the highest margin of safety. RAID 5 stripes data, using less raw disk space.

56. During an IS audit, the IS auditor discovers that a wireless network is used within the
enterprise's headquarters. What is the FIRST thing the auditor should check?
A. The signal strength outside of the building
B. The configuration settings
C. The number of clients connected
D. The IP address allocation mechanism

ANSWER: B
Explanation: The IS auditor should first check the configuration settings for the current network
layout and connectivity and then, based on this, decide whether the security requirements are
adequate. The signal strength outside of the building would not be of concern if proper encryption
and security settings are in effect. The number of clients connected is not usually a major
concern from a security perspective. The IP address allocation mechanism is not a security risk.

60. A security manager needs to develop a solution that allows his company’s mobile devices
to be authenticated in a standardized and centralized manner using digital certificates. The
applications these mobile clients use require a TCP connection. Which of the following is the
best solution to implement?

A. SESAME using PKI
B. RADIUS using EAP
C. Diameter using EAP
D. RADIUS using TTLS

ANSWER: C
Explanation: Diameter is a protocol that has been developed to build upon the functionality of
RADIUS and to overcome many of its limitations. Diameter is an AAA protocol that provides the
same type of functionality as RADIUS and TACACS+ and also provides more flexibility and
capabilities, including working with EAP. RADIUS uses UDP, and cannot deal effectively with
remote access, IP mobility, and policy control.

61. A security manager for a credit card processing organization uses internal DNS servers, which
are placed within the LAN, and external DNS servers, which are placed in the DMZ. The company
also relies upon DNS servers provided by its service provider. He has found out that attackers
have been able to manipulate several DNS server caches, which point employee traffic to
malicious websites. Which of the following best describes the solution this company should
implement?

A. IPSec
B. PKI
C. DNSSEC
D. MAC-based security

ANSWER: C
Explanation: DNSSEC (DNS security, which is part of many current implementations of DNS
server software) works within a PKI and uses digital signatures, which allows DNS servers to
validate the origin of a message to ensure that it is not spoofed and potentially malicious. If
DNSSEC were enabled on server A, then server A would, upon receiving a response, validate the
digital signature on the message before accepting the information to make sure the response is
from an authorized DNS server. So even if an attacker sent a message to a DNS server, the DNS
server would discard it because the message would not contain a valid digital signature. DNSSEC
allows DNS servers to send and receive only authenticated and authorized messages between
themselves, and thwarts the attacker’s goal of poisoning a DNS cache table.

62. Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the
suite provides different functionality. Which of the following is not a function or characteristic
of IPSec?

A. Encryption
B. Link layer protection
C. Authentication
D. Protection of packet payloads and the headers

ANSWER: B
Explanation: IPSec is a protocol used to provide VPNs that use strong encryption and
authentication functionality. It can work in two different modes: tunnel mode (payload and
headers are protected) or transport mode (payload protection only). IPSec works at the network
layer, not the data link layer.

63. A typical PKI infrastructure would have which of the following transactions?
i. Receiver decrypts and obtains session key
ii. Sender requests receiver’s public key
iii. Public key is sent from a public directory
iv. Sender sends a session key encrypted with receiver’s public key

A. 4, 3, 2, 1
B. 2, 1, 3, 4
C. 2, 3, 4, 1
D. 2, 4, 3, 1

ANSWER: C
Explanation: The sender would need to first obtain the receiver’s public key, which could be
from the receiver or a public directory. The sender needs to protect the symmetric session key
as it is being sent, so she encrypts it with the receiver’s public key. The receiver decrypts the
session key with his private key.

64. Instead of managing and maintaining different types of security products and solutions, the IT
manager wants to purchase a product that combines many technologies into one appliance.
This must provide centralized control, streamlined maintenance, and a reduction in stovepipe
security solutions. Which of the following would best fit the needs?
A. Dedicated appliance
B. Centralized hybrid firewall applications
C. Hybrid IDS\IPS integration
D. Unified threat management

ANSWER: D
Explanation: The list of security solutions for companies includes, but is not limited to, firewalls,
antimalware, anti-spam, IDS\IPS, content filtering, data leak prevention, VPN capabilities,
continuous monitoring, and reporting. Unified Threat Management (UTM) appliance products
have been developed that provide all (or many) of these functionalities in a single network
appliance. The goals of UTM are simplicity, streamlined installation and maintenance,
centralized control, and the ability to understand a network’s security from a holistic point of
view.

66. Employees in the company have received several e-mail messages from unknown sources
that try to entice them to click a specific link using a “Click Here” approach. Which of the
following best describes what is most likely taking place in this situation?
A. DNS pharming attack
B. Embedded hyperlink is obfuscated
C. Malware back-door installation
D. Bi-directional injection attack

ANSWER: B
Explanation: HTML documents and e-mails allow users to attach or embed hyperlinks in any
given text, such as the Click Here links you commonly see in e-mail messages or webpages.
Attackers misuse hyperlinks to deceive unsuspecting users into clicking rogue links. The most
common approach is known as URL hiding.

67. The network administrator of a large retail company has Ethernet-based distributed
networks throughout the northwest region of the United States and would like to move to an
Ethernet-based multipoint communication architecture that can run over their service
provider’s IP/MPLS network. Which of the following would be the best solution for these
requirements?

A. Metro-Ethernet
B. L2TP/IPSec
C. Virtual Private LAN Services
D. SONET

ANSWER: C
Explanation: Virtual Private LAN Services (VPLS) is a multipoint layer 2 virtual private network
that connects two or more customer devices using Ethernet bridging techniques. In other
words, VPLS emulates a LAN over a managed IP/MPLS network. VPLS is a way to provide
Ethernet-based multipoint-to-multipoint communication over IP/MPLS networks.

68. Which of the following multiplexing technologies analyzes statistics related to the typical
workload of each input device and makes real-time decisions on how much time each device
should be allocated for data transmission?

A. Time-division multiplexing
B. Wave-division multiplexing
C. Frequency-division multiplexing
D. Statistical time-division multiplexing

ANSWER: D
Explanation: Statistical time-division multiplexing (STDM) transmits several types of data
simultaneously across a single transmission line. STDM technologies analyze statistics related to
the typical workload of each input device and make real-time decisions on how much time each
device should be allocated for data transmission.


69. Which of the following best describes the difference between hierarchical storage
management (HSM) and storage area network (SAN) technologies?

A. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage systems.
B. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage systems.
C. HSM and SAN are one and the same. The difference is in the implementation.
D. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement
this technology.

ANSWER: A
Explanation: Hierarchical storage management (HSM) provides continuous online backup
functionality. It combines hard disk technology with the cheaper and slower optical or tape
jukeboxes. Storage area network (SAN) is made up of several storage systems that are
connected together to form a single backup network.

70. Which of the following is an XML-based protocol that defines the schema of how web
service communication takes place over HTTP transmissions?

A. Service-Oriented Protocol
B. Active X Protocol
C. Simple Object Access Protocol
D. JVEE

ANSWER: C
Explanation: SOAP is an XML-based protocol that encodes messages in a web service
environment. SOAP actually defines an XML schema, or a structure of how communication will
take place. The SOAP XML schema defines how objects communicate directly.

71. A company relies heavily on one specific operating system, which is used in the employee
workstations and is embedded within the devices that support the automated production line
software. It is discovered that the operating system has a vulnerability that could allow an
attacker to force applications to not release memory segments after execution. Which of the
following best describes the type of threat this vulnerability introduces?

A. Injection attacks
B. Memory corruption
C. Denial of service
D. Software locking

ANSWER: C
Explanation: Attackers have identified programming errors in operating systems that allow them
to starve the system of its own memory. This means the attackers exploit a software
vulnerability that ensures that processes do not properly release their memory resources.
Memory is continually committed and not released, and the system is depleted of this resource
until it can no longer function. This is an example of a denial-of-service attack.

72. What is the purpose of the Logical Link Control (LLC) layer in the OSI model?

A. Provides a standard interface for the network layer protocol
B. Provides the framing functionality of the data link layer
C. Provides addressing of the packet during encapsulation
D. Provides the functionality of converting bits into electrical signals

ANSWER: A
Explanation: The data link layer has two sublayers: the Logical Link Control (LLC) and Media
Access Control (MAC) layers. The LLC provides a standard interface for whatever network
protocol is being used. This provides an abstraction layer so the network protocol does not need
to be programmed to communicate with all of the possible MAC level protocols (Ethernet,
Token Ring, WLAN, FDDI, and so on).

73. Which of the following best describes why classless inter-domain routing (CIDR) was
created?

A. To allow IPv6 traffic to tunnel through IPv4 networks
B. To allow IPSec to be integrated into IPv4 traffic
C. To allow an address class size to meet an organization’s need
D. To allow IPv6 to tunnel IPSec traffic

ANSWER: C
Explanation: A Class B address range is usually too large for most companies, and a class C
address range is too small, so CIDR provides the flexibility to increase or decrease the class sizes
as necessary. CIDR is the method to specify more flexible IP address classes.

75. Which of the following is the best definition of minutiae?

A. Characteristics data
B. Detailed log data
C. High-definition scan
D. Minutes of meeting

ANSWER: A
Explanation: Minutiae are the collection of characteristics used in biometric data about a specific
user (a user’s biometric template). The process converts a high-resolution scan into a small set
of unique characteristics.

Minutiae are characteristic data.

76. Why should the transportation and tracking of backup media be given a high priority?
A. Backup media has a limited shelf life.
B. Backups should be transported in a locked storage box.
C. Backup media contains the organization’s secrets.
D. Use of encryption eliminates transportation and tracking issues.

ANSWER: C
Explanation: Backup media must be tracked because it contains the most sensitive secrets of the
organization. Media leaving the facility must be kept in locked storage boxes at all times.
Tracking is required during transit to confirm its departure and arrival times. Some regulations
require the use of encrypted backup tapes to protect the stored data. Remember, encrypting
data increases security, but managing encryption requires more involved handling procedures.

77. Which of the following VPN methods will transmit data across the local network in plain text
without encryption?
A. Secure Sockets Layer (SSL)
B. IPsec
C. Transport Layer Security (TLS)
D. Layer 2 Tunneling Protocol (L2TP)

ANSWER: B
Explanation: IPsec uses encryption between the VPN gateways. Data transmitted from the
gateway to the local computer is not encrypted.

(IPsec transfers data in plain text on the local network because it only creates a tunnel between the gateways.)

78. Which encryption system is primarily used in private industry for transportation rather than
storage?
A. Symmetric-key encryption
B. Asymmetric-key encryption
C. Secret keys
D. Public keys

ANSWER: B
Explanation: Asymmetric-key encryption, also known as public-key encryption, is typically used
for the transmission of data (electronic transportation). The other options are closely related
distractors.

79. What priority would the BC/DR planner at a manufacturing company place upon warranty
repair services for clients during a recovery?

A. Core process
B. Discretionary process
C. Critical function
D. Supporting process

ANSWER: B
Explanation: Providing warranty repair services is discretionary and would be discontinued
during recovery. Core processes, such as sales, generate direct revenue. Supporting processes,
such as invoicing, also help the core process bring in money. Everything else may be
discontinued or shut down during recovery.

80. When can a warm site be used for recovery?

A. When the downtime is acceptable to the business without breaching any legal requirements
B. When it’s not profitable to operate a hot site
C. When the recovery is of high priority
D. When the actual recovery exceeds the recovery time objective

ANSWER: A
Explanation: The warm site is acceptable to the business when the downtime is acceptable
without breaching any legal requirements. Making a profit is not the reason for using a warm
site.

81. Which of the following methods of testing BC/DR plans is not acceptable?

A. Desktop
B. Modular
C. Full interruption
D. Unannounced

ANSWER: D
Explanation: Unannounced testing is not acceptable because of the potential to create
additional harm. Some people are not able to deal with the extra stress or may exercise the
wrong response and create a real emergency.

82. When, and at what frequency, should media updates and announcements be made
during an incident?

A. From the CEO when new events occur
B. From the local disaster relief official in charge
C. From the PIO at regular intervals
D. From a senior manager or company officer

ANSWER: C
Explanation: All media updates and announcements should be handled by the public
information officer (PIO) during the event. This is necessary to prevent misinformation or
confusion. Providing information at regular intervals helps promote trust and confidence.

83. What is the best method for testing the effectiveness of specific recovery procedures?

A. Ask the participants their opinion of the exercise
B. Observe the procedure as it’s being executed
C. Time the procedure’s execution and compare it to the RTO
D. Follow the manufacturer/vendor’s recommended procedures

ANSWER: C
Explanation: The best method from the options provided is to compare the elapsed time to
execute the procedure against the stated recovery time objective (RTO). Participant opinions
are important for buy-in; however, some opinions may be too optimistic or too pessimistic.
Observing the procedure being executed will help determine its odds of being successfully
completed. What really matters is that recovery occurs within its specified time window, since
other processes depend on it.

84. Who is the incident commander?

A. First person on the scene
B. Manager or executive of the organization
C. Member of the police or fire department
D. A person with special training

ANSWER: A
Explanation: The first person on the scene is the incident commander, even if it’s a child who
calls the police, ambulance, or fire department. The person on the scene directs all efforts until
relieved by a more qualified person. Anyone can be an incident commander; no special training
is required.

85. Which of the following is not a recommended criterion for invocation of the BC/DR plan?

A. Financial loss
B. Duration of outage is unknown
C. Cost of activation
D. Scope of problem cannot be determined

ANSWER: C
Explanation: Cost of activation is not an acceptable criterion for invocation of the BC/DR plan.
The plan should always be activated if the conditions are met. Conditions requiring invocation of
the plan include estimated financial loss, duration of outage, and the inability to determine
the loss or scope of impact.

86. Which of these is the primary output from the business impact analysis (BIA)?

A. Identification of alternate revenue opportunities
B. Analysis of dependencies and areas of overreliance
C. High-level understanding of definitions
D. Low-level blueprint of the business process

ANSWER: D
Explanation: A low-level blueprint (or schematic) of the business process is the primary output
from the business impact analysis (BIA). If performed correctly, the BIA will provide high-quality
supporting detail for the other possible answer choices.

87. Which of the following definitions is the best example of an RTO?

A. Target point of optimum data recovery
B. Target time for the user to be processing again
C. Target service level at a particular point in time
D. Target for recovery to be completed

ANSWER: B
Explanation: The recovery time objective (RTO) is the deadline by which the user must be
processing again. IT is expected to have completed the necessary level of technical recovery.
The user is able to resume processing work unless the RTO has been missed.

88. At a minimum, when should the BIA be updated and the BC/DR plan be exercised (tested)?

A. Semi-annually
B. Annually
C. When resources allow
D. Every two years

ANSWER: B
Explanation: Every organization should exercise the BC/DR plan at least once per year. Some
regulations, such as Gramm-Leach-Bliley, require live recovery exercises at least once every 90
days (quarterly). The BIA should be updated at least annually or whenever a change occurs to
the strategy, the organizational structure, or the business process protected by the plan.

89. Who should be the actual leader of business continuity planning?

A. Chief executive officer (CEO)
B. Chief financial officer (CFO)
C. Chief information officer (CIO)
D. Chief operating officer (COO)

ANSWER: A
Explanation: The chief executive officer (CEO) should be the actual leader of business continuity
planning. The second choice is the chief operating officer (COO) as the official delegate of the
CEO function. The CEO and COO have the agenda of generating revenue. They can force the
cooperation of all others in the organization. The CFO is the third choice. The CIO is the worst of
these choices because of the CIO’s distance from revenue activities and limited scope of
authority.

90. What is the biggest difference between disaster planning and business continuity planning?
A. Disaster plans are usually specific to a department
B. Business continuity plans are run by IT
C. Business continuity plans span department boundaries
D. Disaster planning is an extension of facility plans

ANSWER: C
Explanation: Business continuity plans are focused on the processes for generating revenue.
This is the biggest difference when compared to rebuilding in disaster recovery. Plans of the
various departments such as IT, facilities, manufacturing, and sales may become smaller
components of the final BC plan. All decisions and activities are determined by the revenue
generated, not by the desires or goals of the department.

91. An organization needs to implement the right type of fencing in an area where there is no
foot traffic or observation capabilities and has decided to implement a Perimeter Intrusion
Detection and Assessment System. Which of the following is not a characteristic of this type of
fence?
1. It has sensors located on the wire mesh and at the base of the fence.
2. It cannot detect if someone attempts to cut or climb the fence.
3. It has a passive cable vibration sensor that sets off an alarm if an intrusion is detected.
4. It can cause many false alarms.

A. 1
B. 2
C. 3, 4
D. 1, 2, 4

ANSWER: B
Explanation: Perimeter Intrusion Detection and Assessment System (PIDAS) is a type of fencing
that has sensors located on the wire mesh and at the base of the fence. It is used to detect if
someone attempts to cut or climb the fence. It has a passive cable vibration sensor that sets off
an alarm if an intrusion is detected. PIDAS is very sensitive and can cause many false alarms.

92. Which of the following best fits the description that requires some assembly and can be
operational within days?

A. Redundant site
B. Warm site
C. Hot site
D. Cold site

ANSWER: B
Explanation: A warm site is a building preconfigured with utility services and may hold some
equipment. Hardware will usually need to be shipped in and assembled. Telephone circuits will
need to be switched over to the warm site and data loaded from backup tapes. Recovery time is
measured in days.

93. News media attention should be

A. Directed to a single designated spokesperson
B. Used to create awareness of the crisis and warn the public
C. Restricted to prevent any information from being released
D. Allowed full access to interview staff

ANSWER: A
Explanation: All inquiries and statements should be from the designated public information
officer (PIO), the spokesperson for the organization. The PIO uses predefined scripts to deliver
messages that have been vetted to ensure a positive image for the organization.

94. What factors signal if the business continuity plan needs to be updated?

A. Time and market conditions
B. Personnel changes
C. Significant changes in business objectives or direction
D. All of the above

ANSWER: D
Explanation: The plan should be reviewed quarterly and updated at least annually. Updates
should occur after each test, changes in personnel, or changes in business direction. Plans are
often updated for changes in key customers and products.

95. What is the best example of why plan testing is important?

A. To prove the plan worked the first time
B. To find and correct problems
C. To show the team that is not pulling their own weight
D. To verify that everyone shows up at the recovery site

ANSWER: B
Explanation: Plans are tested to train the staff in carrying out their work. The intention is to find
problems and correct any mistakes. A secondary benefit is to demonstrate improvement in the
response and recovery efforts.

96. Which of the following should be considered when setting your business continuity strategy?

A. Recovery time objectives
B. Alternate sites available
C. Testing time available at alternate sites
D. All of the above

ANSWER: D
Explanation: The strategy will be selected based on information obtained during the risk
assessment and business impact analysis. All options should be considered when selecting the
business continuity strategy.

97. What is the process to activate the business continuity plan?

A. Members of the organization call the recovery site to activate.
B. Management designates decision criteria and appoints authorized personnel.
C. The facility manager receives a severe threat warning.
D. The senior manager on duty makes the decision.

ANSWER: B
Explanation: The purpose of planning is to establish decision criteria in advance. After the
criteria are met, the plan will be activated by the appointed personnel. The alternate site
invocation process allows a preauthorized manager to activate the alternate site. Invocation of
the alternate site will cost money and should occur only when it is required.

98. What is the fundamental difference between disaster recovery and business continuity?

A. Disaster recovery is focused on natural disasters; business continuity deals with man-made
events.
B. Business continuity is focused on ensuring that none of the services are interrupted; disaster
recovery deals with restoring services.
C. Disaster recovery is focused on rebuilding; business continuity deals with revenue to continue
in the market.
D. Business continuity is focused on protecting the IT investment; disaster recovery applies to
the entire organization.

ANSWER: C
Explanation: Business continuity is intended to ensure that critical processes are restored in a
timely manner and that revenue is not interrupted. With revenue, the organization will acquire
the money necessary to survive.

99. What indicators are used to identify the anticipated level of recovery and loss at a given
point in time?

A. RPO and RTO
B. RTO and SDO
C. RPO and ITO
D. SDO and IRO

ANSWER: A
Explanation: The recovery point objective (RPO) indicates the fallback position and duration of
loss that has occurred. A valid RPO example is to recover by using backup data from last night’s
backup tape, meaning the more recent transactions have been lost. The recovery time objective
(RTO) indicates a point in time where the restored data should be available for the user.

100. What is the principal reason to use a hot site?

A. Expensive and configured for use
B. May not be available during a crisis
C. Expensive and have to install/configure the new equipment
D. Expensive and prevents us from using other warm or cold site alternatives

ANSWER: A
Explanation: The hot site is expensive; however, it offers a better chance for recovery because it
is already configured for use.

101. Expand the term MAO?

A. Minimum acceptable outage
B. Maximum acceptable outage
C. Minimum available on-hand
D. Maximum available overnight

ANSWER: B
Explanation: MAO is the maximum acceptable outage that can occur before critical deadlines
are missed or recovery is no longer feasible because of the amount of time lapsed. May be
referred to as maximum tolerable downtime (MTD).

102. Name one of the purposes of creating the business continuity plan.

A. To maximize the number of decisions made during an incident
B. To minimize decisions needed during a crisis
C. To lower business insurance premiums
D. To provide guidance for federal regulations

ANSWER: B
Explanation: The plan minimizes decisions needed during the crisis. Possible options would have
been researched and decisions made in advance by management. The recovery staff is expected
to follow the directions contained in the plan.

103. How often should a business continuity plan be tested?

A. At least every ten years
B. Only when the infrastructure or environment changes
C. At least every two years
D. Whenever there are significant changes in the organization and annually

ANSWER: D
Explanation: The plans should be tested if there have been substantial changes to the company
or the environment. They should also be tested at least once a year.

104. During a recovery procedure test, one important step is to maintain records of important
events that happen during the test. What other step is just as important?

A. Schedule another test to address issues that were identified during that procedure.
B. Make sure someone is prepared to talk to the media with the appropriate responses.
C. Report the events to management.
D. Identify essential business functions.

ANSWER: C
Explanation: When recovery procedures are carried out, the outcome of those procedures
should be reported to the individuals who are responsible for this type of activity, which is
usually some level of management. If the procedures worked properly, management should
know it, and if problems were encountered, management should definitely be made aware of
them. Members of management are the ones who are responsible overall for fixing the recovery
system and will be the ones to delegate this work and provide the necessary funding and
resources.

105. Which of the following is the best way to ensure the company’s backup tapes can be
restored and used at a warm site?

A. Retrieve the tapes from the offsite facility, and verify the equipment at the original site can
read them.
B. Ask the offsite vendor to test them, and label the ones that were properly read.
C. Test them on the vendor’s machine, which won’t be used during an emergency.
D. Inventory each tape kept at the vendor’s site twice a month.

ANSWER: A
Explanation: A warm site is a facility that will not be fully equipped with the company's main
systems. The goal of using a warm site is that, if a disaster takes place, the company will bring its
systems with it to the warm site. If the company cannot bring the systems with it because they
are damaged, the company must purchase new systems that are exactly like the original
systems. So, to properly test backups, the company needs to test them by recovering the data
on its original systems at its main site.

107. During an audit, the CISA reviews the key wrapping policy and is assured by the system
administrator that cryptographic key wrapping is used for operating systems, database
field-level encryption, storage device-level encryption, and so on. Which factor below contributes
to making the environment secure through key wrapping?

A. Increased strength of the key
B. Rotating the encryption key
C. Testing the encryption algorithm
D. Obscuring the encryption key

ANSWER: D
Explanation: For safety, all encryption keys are re-encrypted with a different algorithm using a
different key. Key wrapping is intended to protect the actual encryption key from discovery or
harm. The key wrapping technique is used in key storage and during key exchange.

108. During an audit whose scope includes server environments, which of the following would the
IS auditor consider as BEST providing the highest degree of server access control?
A. A mantrap-monitored entryway to the server room
B. Host-based intrusion detection combined with CCTV
C. Network-based intrusion detection
D. A fingerprint scanner facilitating biometric access control

ANSWER: D
Explanation: A fingerprint scanner facilitating biometric access control can provide the highest
degree of server room access control.

110. During an audit, an IS auditor is informed by the IT team that security has been provided
through a firewall and DMZ to protect the host from an outside attack. Upon examination, the
auditor finds that the ports the firewall allows connect to services such as WWW, SMTP, NetBIOS,
and SQL. What would be the primary concern of the auditor?

A. No concern, as protection is adequate
B. Vulnerabilities in the firewall
C. Vulnerabilities in the DMZ
D. Deficiency on application layer security and unpatched server software

ANSWER: D
Explanation: Unpatched server software, poorly written applications and script code indicate
vulnerabilities within the application itself. In a pure seven-layer model, these cannot be
defended against at the lower layers, because controls at the lower layers can only address their
own layer of the protocol stack and not issues that occur above them.

111. An IS auditor has been asked to closely review network management as the primary part of
the audit scope. What is the first step to be reviewed?

A. A graphical map of the network topology
B. Security administrator access to systems
C. Systems logs of all hosts providing application services
D. Administrator access to systems

ANSWER: A
Explanation: Understanding the existing network assets is the first step in planning an audit
that encompasses all aspects of the deployed network components, including detailed
documentation of the network topology and the IP addressing employed at the interface level, as
well as information by device, location and site. A graphical map of the network topology is
therefore essential for the IS auditor to obtain a clear understanding of network management.

114. The IT team has reviewed various options for confidentiality and finally agreed that the SSL
network protocol would be most appropriate. Why is this true?

A. It provides symmetric encryption such as RSA
B. It provides asymmetric encryption such as Data Encryption Standard, or DES
C. It provides asymmetric encryption such as Advanced Encryption Standard, or AES
D. It provides symmetric encryption such as Data Encryption Standard, or DES

ANSWER: D
Explanation: The SSL protocol provides confidentiality through symmetric encryption such as
Data Encryption Standard, or DES.

116. In a Defense development unit, the access controls need to be extremely strong. A
biometrics sensor has been proposed. Why was it proposed?

A. Creates new biometric template data each time it's used
B. Compares biometric data samples
C. Detects intrusion into the biometric template database
D. Checks for the presence of an authorized user

ANSWER: A
Explanation: Biometric sensors create a new data template every time the sensor is used.
Initially, the user's unique biometric data template is saved to the database and with every
subsequent use, the sensor creates a brand new data template, which is compared to the
database by the template matcher. If it matches, the user is correctly authenticated.

117. An IS team is debating on implementing intrusion detection and prevention systems (IDPS),
but many members believe the firewall systems are adequate. What factors could lean towards
implementing the IDPS?

A. Firewalls always report attacks to the IDPS
B. Firewall blocks attacks, but IDPS provides information if the firewall was successful
C. IDPS notifies the system administrator about all actual attacks
D. IDPS logs and notifies the system administrator of all suspected attacks

ANSWER: D
Explanation: The IDPS preserves the transaction log and alerts of any suspected attacks. The
IDPS can also use statistics or signature files to determine whether an attack has occurred.

120. The audit team has been informed by the Operations team that encryption keys have been
provided for sensitive data. However, the auditors are still concerned about the keys being
susceptible to attack. Before recording the observation, what should the auditors check for
prevention of such attacks?

A. Key wrapping
B. Key generation
C. Symmetric-key algorithm
D. Asymmetric-key algorithm

ANSWER: A
Explanation: Key wrapping is used to protect encryption keys from disclosure. Otherwise,
encryption keys would be susceptible to the same attacks as data.

121. The IS team is reviewing various VPN methods for data transmission across local networks.
They want to rule out any method that uses plain text without encryption. Which method would
they exclude?

A. Secure Sockets Layer (SSL)
B. Transport Layer Security (TLS)
C. Layer 2 Tunneling Protocol (L2TP)
D. IPsec

ANSWER: D
Explanation: IPsec uses encryption between the VPN gateways. However, data transmitted from
the gateway to the local computer is not encrypted.

122. During an audit, the CISA wants to use a fast method for discovering the hosts on the
network and identify all available service ports. What method can be used?

A. Host enumeration with port scanning
B. Vulnerability scanning with port scanning
C. Penetration testing and host enumeration
D. File mount logs with vulnerability scanning

ANSWER: A
Explanation: Host enumeration provides a fast method for discovering all the hosts on the
network. Vulnerability scanning will only identify all the available service ports on the host
computers.

123. The IS team is reviewing VPN methods to transmit the payload and hide internal network
addresses with encryption. Which of the below methods would they use?

A. Secure Sockets Layer (SSL)
B. IPsec transport
C. Transport Layer Security (TLS)
D. IPsec tunnel

ANSWER: D
Explanation: The IPsec tunnel hides the messages and prevents identification of the sender and
recipient while the messages travel across the public Internet by encrypting both the payload
and local network addresses.

124. A new e-commerce site has been set up in an existing organization. The CEO has asked the
IS team to recommend an encryption system primarily for data transport, where the volume of
traffic is expected to be heavy. What is their best recommendation?
A. Symmetric-key encryption
B. Asymmetric-key encryption
C. Secret keys
D. Public keys

ANSWER: B
Explanation: Asymmetric-key encryption or public-key encryption is typically used for the
transmission of data.

125. The IT team has detected that malicious software, which had disguised itself as an
auto-update utility, has subverted the kernel, bypassed operating system security and installed
itself. Which of these does this refer to?

A. Worm
B. Root kit
C. Denial of service
D. Virus

ANSWER: B
Explanation: Root kits are malicious software designed to subvert operating system security,
install themselves and completely compromise the system.

126. The IT team has recommended a DMZ for the organization for internet communications.
The top management wishes to understand its purpose. What would be the best explanation?

A. Demilitarized refers to a safe zone that is protected from all Internet attacks
B. Protected subnet implemented using a fifth-generation firewall
C. Controls for communication allowing access to internal production servers
D. Subnet that is semi-protected and allows external access

ANSWER: D
Explanation: A DMZ or demilitarized zone is also called a perimeter network and is a physical or
logical sub-network that contains and exposes an organization's external-facing services to a
larger and untrusted network like the Internet. The purpose of a DMZ is to add an extra layer
of security to an organization's local area network (LAN).

128. The IS internal team is undertaking a review to decide what kind of key and encryption
method should be used. They need a cost effective method with least overhead. Which of the
given methods would they rule out?
A. Long Advanced Encryption Standard (AES) key
B. Long Data Encryption Standard (DES) key
C. Long symmetric encryption key
D. Long asymmetric encryption key

ANSWER: D
Explanation: Options A, B, and C are single shared symmetric keys with less overhead and costs.
Choice D is a long asymmetric encryption key or public key encryption which would increase
encryption overhead and cost.

130. An organization that is performing extensive maintenance operations over the internet for
its partners has commissioned an audit to provide assurance about data security. During the
audit, the IS auditor requested evidence of data control and the IS team remarked that PKI
technology was being used for cryptography. Why should the audit team feel reassured by PKI
usage?

A. PKI is a combination of public-key cryptography and digital certificates and two factor
authentication
B. PKI is a combination of public-key cryptography and two-factor authentication
C. PKI is a combination of public-key cryptography and digital certificates
D. PKI is a combination of digital certificates and two-factor authentication

ANSWER: C
Explanation: PKI uses a combination of public-key cryptography and digital certificates to
provide some of the strongest overall control over data confidentiality, reliability, and integrity
for Internet transactions.

131. ABC Inc. offers a number of services through its web site. During one day, senior executives
of ABC Inc. were surprised to discover that sensitive data on their servers were being leaked to
unauthorized individuals on the Internet. Post-incident investigations revealed that ABC Inc.'s
key servers were infected with a Trojan. The incident occurred after deployment of a newly
acquired module from a software vendor, which was tested on test servers in accordance with
functional specifications. The incident had gone unnoticed for a period of about four weeks. A
potential cause of the leak may have been malware embedded in the new module. Which of the
following operational controls should have detected the incident sooner?

A. Intrusion detection system (IDS)
B. Vulnerability scan process
C. Firewall rule set review
D. Access control monitoring

ANSWER: A
Explanation: An IDS should detect network behavior anomalies, which may have led to earlier
detection. Vulnerability scanning identifies software vulnerabilities, but it does not detect
malware. Reviewing the firewall rule-set is an important activity, but it won’t help detect a data
leak. While access control monitoring may help determine access to various information assets,
malware may bypass the established access control process and would thus not be detected.

135. A perpetrator who wants to gain access and gather information on encrypted data
transmitted over the network would use __________.

A. shoulder surfing
B. spoofing
C. traffic analysis
D. sniffing

ANSWER: C
Explanation: Traffic analysis is a passive attack when messages are encrypted whereby an
intruder determines the nature of the traffic flow between defined hosts. By analyzing session
length, frequency and message length, the intruder is able to assess the type of communication
being undertaken.

136. To arrange for protection for media backup stored at an offsite location, the storage site
should be:

A. located in a remote site
B. accessible only to top management
C. backed up daily
D. protected from unauthorized access.

ANSWER: D
Explanation: The offsite storage site should always be secure against unauthorized access and
have at the minimum, the same security requirements as the primary site.

141. An IS auditor performing a telecommunications audit at a government research facility
noticed that some network connections used fiber-optic cable while others used conventional
unshielded twisted pair (UTP) copper cable. Which of the following is the GREATEST risk of using
UTP cable?

A. Performance issues may occur due to lack of bandwidth.
B. An attacker may tap into the cable to intercept data.
C. The installation may be delayed because fiber is more fragile and complex to install.
D. Information leakage may occur due to crosstalk.

ANSWER: B
Explanation: The characteristics of fiber-optic cable and the data transmission methods used
make it difficult to physically tap into the cable, which provides enhanced security. While UTP
cable can carry less bandwidth than fiber-optic cable, the concern about performance is not as
significant as the security risk due to tapping. Fiber-optic cable is more fragile than UTP cable
and is more difficult and time-consuming to install. UTP cable is more susceptible to crosstalk
than fiber-optic cable. Crosstalk causes performance degradation and potential loss of
connectivity, but is not known to cause any security issues.

142. What should the IS auditor initially identify while reviewing the configuration of network
devices?

A. Type of network topology
B. Network diagram
C. The importance of the network device in the topology
D. Firewalls and routers

ANSWER: C
Explanation: The IS auditor must understand the importance and role of the network device
within the organization's network topology and then, the best practice for using the same
should be reviewed to ensure there are no variances within the configuration.

143. An IS auditor finds that an enterprise does not restrict the use, nor have a policy addressing
the use, of universal serial bus (USB) storage devices. Which of the following would be MOST
important for the IS auditor to recommend?
A. Implementing security software to prevent the use of USB ports for data transfer
B. Introducing a policy to address the use of portable drives
C. Implementing a virtual private network (VPN) solution to ensure encrypted sessions during
transmission of data
D. Disabling USB ports on all machines

ANSWER: A
Explanation: The best method to prevent the use of portable media is through a hardware or
software solution. Since the enterprise does not have a policy to address the use of portable
drives, it is possible that management did not consider the risks associated with their use.
Because of the portable nature of these drives, they are prone to being misplaced or lost.
Option B is not correct because, while a policy would address use, it is not a strong enough
method to prevent use. If there were an indication that management accepts the risks, then
this would be the correct answer. Management should first understand the risks associated
with the drives, and a decision should be made as to how risks will be controlled. Option C is
not correct because a VPN solution does not address the use of portable media. A VPN is used
for a secure method of remote access to a private network. Option D is not correct because it is
not practical to disable all USB ports because they may be used for a mouse, local printer or
other legitimate device.

144. The IS auditor who is evaluating the user IDs for emergency access has found that fire call
accounts are granted without a predefined expiration date. What should the IS auditor endorse?

A. Review the access control privilege authorization process
B. Implementation of identity management
C. Printing lists of user ids for emergency access
D. Granting of fire call accounts only to operating management

ANSWER: A
Explanation: The IS auditor should endorse reviewing the process of access control management
to ensure that emergency system administration-level access is given on an as-needed basis and
configured to a predefined expiration date.

146. An organization has terminated a database administrator (DBA). The organization
immediately removes all of the DBA's access to all company systems. The DBA threatens that the
database will be deleted in two months unless he/she is paid a large sum of money. Which of
the following would the former DBA MOST likely use to delete the database?
A. Virus infection
B. Worm infection
C. Denial-of-service (DoS) attack
D. Logic bomb attack

ANSWER: D
Explanation: A logic bomb is hidden code that will activate when certain conditions are met; in
this example, after a certain period of time. A virus is another type of malicious code, but it does
not typically operate on a time delay. A worm also is a type of malicious code that does not use
a time delay, but is designed to spread as quickly as possible. A DoS attack would not delete the
database, but could make the service unavailable.

148. Event log entries related to failed local administrator logon attempts are observed by the IS
auditor. Which of the following is the MOST likely cause of multiple failed login attempts?

A. SYN flood attacks
B. Social engineering
C. Buffer overflow attacks – Poor system coding
D. Malicious code attacks

ANSWER: D
Explanation: Malicious code and Trojans commonly attempt to log on to administrator accounts.
A SYN attack is a denial-of-service (DoS) attack on a particular network service and does not log
on to administrator accounts. Social engineering will help in discovering passwords, but it is
separate from brute-force attacks. A buffer overflow attack will not directly result in multiple
logon failures.

CISA Domain-5

9. Management is ultimately responsible for putting in place appropriate and proper internal
controls. Which of the following controls minimize the impact of an event that has already
occurred?

A. Detective
B. Corrective
C. Preventive
D. Forensics

ANSWER: B

10. Which of the following conditions is likely to represent a control failure and therefore be a
concern to the auditor?

A. A policy without an underlying standard of monitoring and enforcement
B. A policy based on guidelines
C. A general policy intended to be a catchall for things not specifically mentioned
D. Use of the guideline with monitoring, but no formal policy

ANSWER: A
Explanation: A policy without the standards of enforcement is practically worthless. Monitoring
is required to determine whether the standard is being met or violated. The lack of monitoring
and enforcement is a serious concern to the auditor.

11. What is the issue concerning the right to audit?

A. Every organization has a right to audit
B. Audit requests can be denied because of resources and time consumed
C. The audit charter should specify the authority to audit
D. Only certified auditors can execute an audit

ANSWER: B
Explanation: Audit requests of a vendor or contractor may be denied because of the cost of
resources required and time consumed. Every outsourced agreement should contain a specific
clause granting the right to audit. The service provider may respond with an SAS-70 report in
place of an audit, unless the right to audit clause specifically states the client may conduct their
own audit of the service provider organization.

13. What is meant by fiduciary responsibility?

A. Utilize the information that is obtained for one's own interests while taking care of client
confidentiality
B. Work for another person's benefit and keep the duties honest and fair, ahead of personal
interests
C. Follow the client's wishes and keep everything completely confidential even in the case of
illegal acts. The audit information should never be disclosed by the auditor, in order to protect
the client.
D. None of the above.

ANSWER: B
Explanation: Lawyers, accountants, and auditors work on behalf of the interests of their client
unless doing so would violate the law. In law, it is the highest standard of duty for a guardian
or trustee.

16. Which among the following is not a non-audit role?

A. Operational staff member
B. Auditor
C. Organizational manager
D. System designer

ANSWER: B
Explanation: All roles apart from auditor are non-audit roles. A person who is in a non-audit
role is not qualified to act as an independent auditor.

17. Why is protecting audit work papers and documentation necessary?

A. For the reason of regulatory compliance, the evidence that is collected in an audit need to be
disclosed.
B. To prove the auditee is wrong and the auditor is right, a paper trail is required.
C. In a court of law, for the auditor need to prove an illegal activity.
D. These can reveal information that is confidential and should not be disclosed or lost.

ANSWER: D
Explanation: The auditor may find some information that, if disclosed, could cause damage to
the client. A perpetrator could take additional actions using that information. Additionally, the
auditor needs to implement controls to ensure the backup and security of their work.

18. Why are the standard terms of reference used?

A. For meeting the regulatory and legal compliance requirements
B. For proving the person responsible
C. For ensuring an unbiased and honest communication
D. For ensuring that in a regulation, requirements are known

ANSWER: C
Explanation: The purpose of using standard terms of reference is to ensure unbiased and honest
communication between the auditor and everyone else. Without this, it would be difficult to know
whether the same issue is being discussed or the same outcome is being agreed.

19. To what does the term auditor independence relate?

A. For auditors working in a consulting organization, it is not an issue.
B. It is needed for an external audit.
C. To be independent, an internal auditor needs to take certification training.
D. The auditor is granted independence by the audit committee.

ANSWER: B
Explanation: The auditor needs to be independent. A biased opinion may result if a personal
relationship exists between the auditor and the organization being audited. If the organization
has influence over the auditor, the business relationship is also a problem. The purpose is to be
objective, fair, and unconnected with the audit subject.

20. In comparison to a guideline, what is the definition of a standard?
A. A standard is a discretionary control used with a guideline to help the reader's decision
process.
B. A standard is a compulsory control for supporting a policy. It is discretionary to follow
guidelines.
C. A guideline is a control that is recommended and required for supporting discretionary
standards.
D. A guideline is intended for designating a policy, while a standard is used when a policy is
absent.

ANSWER: B

21. Who should be responsible for issuing the organizational policies?

A. They should originate at the lowest level and then move up for approval to the department
manager.
B. They should be issued by the auditor according to the standards. The highest management
level should authorize them for ensuring compliance.
C. They can be issued by any management level.
D. They should be enforced and signed by the highest management level.

ANSWER: D
Explanation: For ensuring compliance by the organization, policies should be issues, signed, and
enforced by the highest management level. Management (not the auditor) is responsible for
implementing internal controls.

22. On what basis is the auditor's final opinion made?

A. The verbal statements and objectives made by management
B. Management's understanding of the expected audit results
C. The specifications of the audit committee
D. The results of testing and the evidence gathered

ANSWER: D
Explanation: The auditor's role is to question: management's assertions are tested, and the
opinion is based on the evidence found while performing the audit.

23. The objective of the ISACA statement of professional ethics is to:

A. Give procedural advice to the new IS auditor
B. Clearly specify acceptable and unacceptable behavior
C. Give instructions on dealing with illegal acts and irregularities by the client
D. Give advice on the conditions under which the auditor can deviate from the audit standards

ANSWER: B
Explanation: The ISACA statement of professional ethics requires IS auditors to perform their
duties to the highest standards of truthful and honest representation. Violating the fiduciary
relationship with the client is not acceptable.

24. By what means does the auditor develop the final opinion?

A. From the collected evidence and the auditor's own observations
B. From the assurances and representations of management
C. From compliance testing of the language used in the organization's policies
D. From the audit committee's advice

ANSWER: A
Explanation: The auditor derives the final opinion from the collected evidence and the results
of testing. An audit's objective is to challenge management's assertions: evidence is collected
to support or disprove their claims.

25. Which of the following statements about the audit committee is not correct?

A. The organization's own executives manage the audit committee. They keep the
committee busy by making it work on compliance programs.
B. The audit committee can hire and fire executives, as it oversees management.
C. Members of the board of directors sit on the audit committee. The committee can hire
external auditors, who may meet with the committee quarterly in the absence of other
executives.
D. The committee gives senior executives a means of bringing problems into a confidential
discussion to explore a solution.

ANSWER: A
Explanation: All answers except A are correct. The audit committee's responsibility is to
oversee executive management, not the other way round. The committee generally consists of
board members and offers executives a forum for discussing problems. It has the authority to
hire or fire anyone in the organization, usually concentrating on senior executives and
external auditors.

26. How should the auditor help solve problems found during the audit?
A. By taking ownership of the issue and contributing to the design of the plan to fix the
problem.
B. By deciding whether the problem is minor or major, and then advising the auditee on a
solution while taking the business impact into consideration.
C. By helping the auditee outline the steps required to solve the problem.
D. By never taking ownership of issues, advising the auditee only in general terms, including
a clarification of what will be examined during the audit.

ANSWER: D
Explanation: The auditor must never take ownership of the issues. The auditor may advise the
auditee in general terms and explain what is being examined during the audit, but the
remediation plan must be designed by the auditee. Auditors who participate in remediation
planning at the detail level are no longer independent or objective.

27. In relation to an audit, which of the statements below best describes an assessment?

A. Audits are more formal than assessments.
B. The difference lies only in wording; otherwise they are similar in nature.
C. Both produce reports that are usable for licensing purposes.
D. Assessment reports give a high level of assurance about the condition found.

ANSWER: A
Explanation: An audit is a formal engagement performed against a defined standard. An
assessment is less formal, provides a lower level of assurance, and its report is not
suitable for licensing purposes.

28. The objective of the skills matrix is to:

A. Identify the people to be interviewed during the audit
B. Explain the personnel required during the performance phase of the audit
C. Identify the skills the auditee needs to complete the audit within scope
D. Demonstrate to the client how to save money during the audit engagement

ANSWER: B
Explanation: During preplanning, a skills matrix is prepared to identify the skills essential
to performing a competent audit. It justifies personnel training or documents the skills the
audit team members must bring. It also prevents the auditor from being assigned a "warm body"
who is unskilled.

29. For regulatory compliance, which of the following best describes an ongoing audit
program?

A. An audit is done once for the complete year and is then repeated each successive year
with the same information.
B. An audit may be automated with the use of audit program software.
C. An audit is a sequence of unique projects of limited duration that together include all the
steps required for annual compliance.
D. An audit is a set of assessments required by the auditee for the purpose of regulatory and
licensing compliance.

ANSWER: C
Explanation: Projects are generally unique and of limited duration, with a fixed start and
stop date. Projects can be combined into a series to meet an ongoing operational need, such
as a perpetual quality program or an annual audit program.

30. Which of the following is the best definition of user identity?

A. Match
B. Claim
C. Authority
D. Job role

ANSWER: B
Explanation: An identity is a claim of who the user is; authentication is the process of
testing that claim, and authorization is decided only after the claim has been verified.

33. What is the best reason for creating a skills matrix?

A. To identify the different skills and their individual billing rate
B. To designate who will perform each specific task
C. To identify skills needed and justify training to fill the gaps
D. To comply with the minimum standards of project management

ANSWER: C
Explanation: The primary goal is to identify all the skills needed and to justify additional
training before conducting the audit. Adding new personnel may be an acceptable option if
training would not cure the problem in time. Using a skills matrix is one of the best practices in
project management; however, that was not the best available choice. (Compare question 28,
where the objective of the skills matrix is to explain the personnel required during the
performance phase of the audit.)

36. Which of the following systems simulates the human brain and makes decisions based on
weighted probabilities?

A. Inference engine
B. Knowledge base
C. Decision-support system
D. Neural network

ANSWER: D
Explanation: A neural network is patterned on the design of the human brain, with logic
comparable to human synapses. Decisions are based on the weight factors and probabilities the
network has learned.

39. Which of the following types of downloadable programs is known to present the most
serious security risk?
A. VB script
B. ActiveX
C. Java
D. Servlet

ANSWER: B
Explanation: ActiveX is the most dangerous because Authenticode signing only identifies the
signer; it does not protect against malicious software, nor does it protect the user from
poorly written programs. ActiveX controls are native code that runs with the user's privileges,
so a malicious control can subvert the security of the operating system.

41. Which of the following is a true statement concerning materiality?

A. All information related to the subject is material.
B. Materiality is a physical requirement of business records.
C. Information that would change the outcome of the audit is material.
D. Materiality refers to independence of evidence.

ANSWER: C
Explanation: Materiality refers to information that would have a direct bearing on the outcome
or final determination. It is not necessary to document all information related to the subject.

42. Following the evidence rule, what could the auditor use to best determine that a given
policy is actually being used?

A. Presence of the policy manual
B. Minutes of meetings
C. Enforcement emails
D. User awareness

ANSWER: C
Explanation: The presence of emails regarding enforcement of the policy would be the best
determination that a policy is in use. A second choice might be a random sampling of user
awareness, followed by the minutes of meetings where the policy was discussed.

43. As per ISACA, which of the following are the five of the six business process reengineering
(BPR) steps?
A. Envision, initiate, evaluate, diagnose, redesign
B. Initiate, envision, evaluate, redesign, reconstruct
C. Envision, initiate, diagnose, redesign, reconstruct
D. Initiate, envision, redesign, reconstruct, evaluate

ANSWER: C
Explanation: The six general steps are envisioning the goal, initiating a project, diagnosing the
current process, redesigning the process, reconstructing with the use of change management,
and evaluating results by checking the new process to find out if it met the original objective.

44. Which sampling method should be used when there is almost no margin of error or the risk
of failure is very high?
A. Variable
B. Random
C. Discovery
D. Difference estimation

ANSWER: C
Explanation: Discovery sampling is used when the risk of failure is very high and there is
almost no margin for error: the sample is sized to give a high probability of detecting even a
single exception, which in practice may mean testing 100 percent of the available evidence. It
is the most intensive type of testing and is commonly used to detect fraud.

46. A critical success factor is defined as:

A. An asset that needs to be planned
B. A score or measure of efficiency
C. A factor calculated for the purpose of insurance
D. Something that needs to happen perfectly every time
ANSWER: D
Explanation: Also known as a showstopper, a critical success factor needs to go right every
time for recovery to succeed. A key performance indicator (KPI), by contrast, is a numerical
score.

47. The final hurdles to business continuity are threats that may include:

A. Missed targets
B. Natural disasters
C. Profit loss
D. All of the above

ANSWER: D
Explanation: The business continuity concerns include missed targets, natural disasters, and
profit loss. The continuity objective is to make sure that revenue is not disturbed and critical
targets are not missed.

48. During the planning of team assignments, it is critical to remember that:

A. The number of people or teams is not as critical as ensuring all the duties are performed.
B. A person should not hold more than one team assignment.
C. For each team, the number of duties is the same.
D. For consistency, only one key person can be assigned to all teams.

ANSWER: A
Explanation: When planning team assignments, the most critical point is that all duties are
completed, irrespective of the number of people involved. In a major incident the organization
may need to employ hundreds of extra personnel to make sure that all duties are completed.

49. Which of the following is a true statement pertaining to data encryption when it is used to
protect data?

A. It verifies the integrity and accuracy of the data.
B. It requires careful key management.
C. It does not require much system overhead in resources.
D. It requires keys to be escrowed.

ANSWER: B
Explanation: Data encryption always requires careful key management. Most algorithms in use
today are strong enough that attacking key management (weak generation, storage, distribution,
or reuse) is far easier than a brute-force attack. Encryption by itself does not verify
integrity: hashes and message authentication codes are used for that. Encryption does consume
a noticeable amount of resources, and keys do not have to be escrowed for encryption to work.
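
The point that encryption alone does not give integrity is easy to see in code. The following added example (not from the question bank) uses a toy stream cipher whose keystream is HMAC-SHA256 over a counter, standing in for AES-CTR; like any stream or counter-mode cipher it is malleable, so flipping one ciphertext bit flips the same plaintext bit and the receiver cannot tell. Wrapping it in encrypt-then-MAC with a separately derived HMAC key catches the change. The key-derivation labels and the sample message are assumptions made for this example.

```python
"""Encryption alone gives confidentiality, not integrity (added example, not
from the question bank). A toy stream cipher (HMAC-SHA256 keystream over a
counter, standing in for AES-CTR) is malleable; encrypt-then-MAC with a
separate HMAC key detects tampering. Labels and message are assumptions."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output length


def derive_subkeys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key using
    distinct labels; a single key must never serve both roles."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC(enc_key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style encryption; decryption is the same XOR."""
    return bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag (constant-time compare) before decrypting; None on failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_subkeys(master_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_crypt(enc_key, nonce, ct)


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def demo() -> dict:
    master_key = secrets.token_bytes(32)
    enc_key, _ = derive_subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    msg = b"transfer 0100 USD"          # constructed sample message
    pos = msg.index(b"0100")            # flipping bit 0 turns '0' (0x30) into '1' (0x31)

    # 1. Encryption only: the tampered ciphertext decrypts to a different amount.
    ct = xor_crypt(enc_key, nonce, msg)
    malleable = xor_crypt(enc_key, nonce, flip_bit(ct, pos, 0))

    # 2. Encrypt-then-MAC: the same bit flip is rejected before decryption.
    blob = seal(master_key, msg)
    accepted = open_sealed(master_key, blob)
    rejected = open_sealed(master_key, flip_bit(blob, NONCE_LEN + pos, 0))
    return {"malleable": malleable, "accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

In production use an AEAD mode (AES-GCM or ChaCha20-Poly1305) from a maintained library rather than hand-rolling this construction; the example exists only to make the malleability visible.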

50. What is it called when, for the same message, different keys generate the same ciphertext?
A. Secure hashing
B. Collision
C. Key clustering
D. MAC

ANSWER: C
Explanation: Encrypting message A with key A gives ciphertext Y. If key B is used to encrypt
the same message A, the result should differ from ciphertext Y because a different key was
used. If the ciphertext is nevertheless the same, the occurrence is called key clustering
(same message, different keys, same ciphertext). It weakens a cipher because more than one key
will decrypt the ciphertext, reducing the effective key space.

51. After a system failure, which action should take place to restore a system and its data
files?

A. Perform a parallel test.
B. Restore from storage media backup.
C. Perform a walk-through test.
D. Implement recovery procedures.

ANSWER: D
Explanation: Recovery procedures should be implemented in such situations; in most cases these
include data recovery from the backup media. The recovery procedures may comprise steps to
rebuild a system from scratch, apply the required configurations and patches, and confirm what
must happen to ensure that productivity is not affected. A redundant system may also need to be
considered.

52. Which is the best description of remote journaling?

A. Backing up bulk data to an offsite facility
B. Backing up transaction logs to an offsite facility
C. Capturing and saving transactions to two mirrored servers in-house
D. Capturing and saving transactions to different media types

ANSWER: B
Explanation: Remote journaling is a technology used to transmit data to an offsite facility,
but this usually involves moving only the journal or transaction logs to the offsite facility,
not the actual data files. The offsite copy is reconstructed by applying the shipped journal to
the last bulk backup.
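
The recovery side of remote journaling is worth seeing concretely. The following added example (not from the question bank) rebuilds the offsite state by replaying a shipped journal on top of the last bulk backup; it skips records already covered by the backup or delivered twice, and halts on a sequence gap so that a partial state is never reported as complete. The record format, field names and sample data are assumptions constructed for this example.

```python
"""Remote journaling: ship the transaction log, not the data files (added
example, not from the question bank). The offsite state is rebuilt by replaying
the journal on top of the last bulk backup. Record format and sample data are
assumptions constructed for this example."""
import json
from typing import Dict, List, Tuple

# Constructed sample: the last bulk backup held at the offsite facility.
BULK_BACKUP = {"last_seq": 2, "balances": {"A-1": 500, "A-2": 120}}

# Constructed sample: journal records streamed offsite, one JSON object per
# line. Seq 1-2 predate the backup, seq 3 arrives twice, seq 5 never arrives.
JOURNAL_LINES = """\
{"seq": 1, "op": "open", "acct": "A-1", "amount": 500}
{"seq": 2, "op": "open", "acct": "A-2", "amount": 120}
{"seq": 3, "op": "withdraw", "acct": "A-1", "amount": 75}
{"seq": 3, "op": "withdraw", "acct": "A-1", "amount": 75}
{"seq": 4, "op": "deposit", "acct": "A-2", "amount": 30}
{"seq": 6, "op": "deposit", "acct": "A-1", "amount": 10}
"""


def apply_record(balances: Dict[str, int], rec: dict) -> None:
    """Apply one committed transaction to the in-memory state."""
    op, acct, amount = rec["op"], rec["acct"], int(rec["amount"])
    if op == "open":
        balances[acct] = amount
    elif op == "deposit":
        balances[acct] += amount
    elif op == "withdraw":
        balances[acct] -= amount
    else:
        raise ValueError(f"unknown op {op!r} at seq {rec['seq']}")


def replay(backup: dict, journal: str) -> Tuple[Dict[str, int], int, List[str]]:
    """Return (balances, last applied seq, warnings) after replaying the journal."""
    balances = dict(backup["balances"])
    last = int(backup["last_seq"])
    warnings: List[str] = []
    for line in journal.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        seq = int(rec["seq"])
        if seq <= last:                      # already in the backup, or a duplicate delivery
            warnings.append(f"seq {seq} already applied; skipped")
            continue
        if seq != last + 1:                  # a lost record must not be silently skipped
            warnings.append(f"gap: expected seq {last + 1}, got {seq}; replay halted")
            break
        apply_record(balances, rec)
        last = seq
    return balances, last, warnings


if __name__ == "__main__":
    state, seq, notes = replay(BULK_BACKUP, JOURNAL_LINES)
    print(state, "last seq", seq)
    for n in notes:
        print(" -", n)
```

The sequence-number check is the part a recovery test should exercise: a journal feed that drops records without the replay noticing leaves the recovered system quietly out of date.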

60. Which of the properties below does not relate to a one-way hash function?
A. Given the digest value, it must be infeasible to compute the corresponding message.
B. It transforms a message of arbitrary length into a fixed-length value.
C. It transforms a message of fixed length into a value of arbitrary length.
D. It should be rare or impossible to obtain the same digest from two different messages.

ANSWER: C
Explanation: A hashing algorithm takes a variable-length input, a message of any size, and
computes a fixed-length value, the message digest. SHA-1 produces a fixed 160-bit digest (the
SHA-2 variants produce 224 to 512 bits), while MD5 produces 128 bits. Properties A and D
(preimage resistance and collision resistance) are what make the function useful for
integrity checking; MD5 and SHA-1 are no longer considered collision resistant.

61. What is the goal of cryptanalysis?
A. To determine the strength of an algorithm
B. To increase the substitution functions in a cryptographic algorithm
C. To decrease the transposition functions in a cryptographic algorithm
D. To determine the permutations used

ANSWER: A
Explanation: Cryptanalysis is the process of attempting to reverse-engineer a cryptosystem,
often with the goal of uncovering the key used. Once the key is recovered, all other messages
encrypted with it can be read. Cryptanalysis is carried out by researchers and white hats to
test the strength of an algorithm, and by attackers to break it.

62. How many bits make up the effective length of the DES key?
A. 64
B. 56
C. 16
D. 32

ANSWER: B
Explanation: DES takes a 64-bit key, but the low-order bit of each of the eight key bytes is a
parity bit, so only 56 bits contribute to the key and the effective key space is 2^56. DEA is
the algorithm and DES is the standard that adopts it; the industry calls both DES because it is
easier.

63. For what reason does a certificate authority revoke a certificate?

A. The user uses the PEM model that utilizes a web of trust
B. The public key of the user has been compromised
C. The user has moved to a different location
D. The private key of the user has been compromised

ANSWER: D
Explanation: The certificate authority revokes a certificate to warn relying parties that they
should no longer trust the public key, because it is no longer bound to the identity of that
individual. The reason could be that an employee has changed his or her name or left the company
and needs a new certificate; in most cases, however, it is because the person's private key has
been compromised. Relying parties learn of the revocation by checking the CA's certificate
revocation list (CRL) or an OCSP responder.

64. What are the five phases of business continuity planning according to ISACA?
A. Analyze business impact, develop strategy, develop plan, plan testing, implement
B. Analyze business impact, develop plan, implement, plan testing, write the plan
C. Analyze business impact, write the plan, test strategy, develop plan, implement
D. Analyze business impact, develop strategy, develop plan, implement, plan testing

ANSWER: D
Explanation: Notice that business impact analysis is always the first step. Then criteria are
selected to guide the strategy selection. A detailed plan is written using the strategy. The
written plan is then implemented. After implementation, the plan and staff are tested for
effectiveness. The plan is revised, and then the testing and maintenance cycle begins.

65. A retail company wants customers who have already authenticated to a partner's website to
be recognized on its own site without re-entering their profile. Which identity management
technology accomplishes this?

A. Digital identity provisioning
B. Active Directory
C. LDAP directories as authoritative sources
D. Federated identity

ANSWER: D
Explanation: With federated identity, the company and its partners can share customer
authentication information. When a customer authenticates to a partner website, the retail
company receives that authentication assertion, so the customer has to submit less profile
information when visiting the retail company's own site, and the purchase process has fewer
steps. This structure is feasible only when the companies run the same or compatible federated
identity management software under an agreed trust model.

66. Positive pressurization in relation to ventilation implies:

A. Air comes in when a door opens
B. The power supply is disabled when a fire takes place
C. The smoke is diverted to one room when a fire takes place
D. The air goes out when a door opens

ANSWER: D
Explanation: Positive pressurization implies that air flows out when a door is opened; outside
air does not enter. If a door is opened while the facility is on fire, positive pressure pushes
the smoke out rather than letting it be drawn back inside the building.

67. Which category of controls does not belong in a physical security program?

A. Response and detection
B. Deterrence and delaying
C. Delaying and lighting
D. Assessment and detection
ANSWER: C
Explanation: Deterrence, delaying, detection, assessment, and response are the control
categories that make up a physical security program. Lighting is a specific measure that
supports deterrence and detection, not a category of its own, so "delaying and lighting" is the
odd one out.

69. What does an access control default to if it does not have a fail-secure property?
A. No access
B. Being unlocked
C. Being locked
D. Sounding a remote alarm and not a local alarm

ANSWER: B
Explanation: Fail-safe and fail-secure describe what a powered lock does when power is lost. A
fail-safe lock releases, so the doors default to unlocked and people can get out (life safety).
A fail-secure lock stays locked when power is disrupted. A control that lacks the fail-secure
property therefore defaults to unlocked on power loss. Emergency exits are designed fail-safe;
doors protecting a data center are usually fail-secure, with a separate code-compliant exit path.

70. Which of the following is not considered a delaying mechanism?

A. Defense-in-depth measures
B. Locks
C. Access controls
D. Warning signs
ANSWER: D
Explanation: Every physical security program needs delaying mechanisms whose objective is to
slow an intruder down long enough for security personnel to be alerted and arrive at the scene.
Warning signs are deterrence controls, not delaying controls.

71. The two common types of proximity identification devices are:

A. Swipe card devices and passive devices
B. Biometric devices and access control devices
C. User-activated devices and system sensing devices
D. Preset code devices and wireless devices

ANSWER: C
Explanation: With a user-activated system, the user must enter a code or swipe the card
through the reader. With a system sensing device, the presence of the card is detected and
communicated without the user having to do anything.

72. The goal of the strategy planning phase is to:

A. Select a response to cover every situation
B. Pick the vendor that offers the best solution
C. Satisfy the interests of all the stakeholders
D. Identify time windows and minimum service levels

ANSWER: D
Explanation: The main goal of this phase is to identify the time window available and the
minimum level of service required for recovery. A specific product or vendor should never
enter this discussion. The objective is to force a specific specification to be developed and
then find solutions that fit the specification.

73. With respect to the properties of facility construction, which of these are correct?
1. For various types of attacks and explosives, the approximate penetration time is calculated
from the thickness of the concrete walls and the gauge of the rebar
2. Thick rebar, properly placed in the concrete, gives effective protection
3. Rebar, reinforced walls, and double walls can be used as delaying mechanisms
4. Rebar consists of steel rods encased in concrete

A. 3
B. 1, 2
C. All are correct
D. None is correct

ANSWER: C
Explanation: For various types of attacks and explosives, the approximate penetration time is
calculated from the thickness of the concrete walls and the gauge of the rebar (the steel rods
encased in the concrete). Cutting or breaking through rebar takes a long time, so thick rebar
properly placed in the concrete gives effective protection. Rebar, reinforced walls, and
double walls can all be used as delaying mechanisms: an intruder needs a long time to get
through two reinforced walls, which gives the response force enough time to reach the scene and
stop the intruder.

74. The relationship between acceptable risk level, risk analysis, countermeasures, baselines,
and metrics is best described as:
A. The output of risk analysis is used to determine the proper countermeasures. Baselines are
derived to measure these countermeasures. Metrics are used to track the performance of these
countermeasures and make sure the baselines are met.
B. The output of risk analysis is used to inform management and set an acceptable risk level.
Baselines are derived from this level. Metrics are used to track countermeasure performance
and make sure the baselines are met.
C. The output of risk analysis is used to inform management and set baselines. An acceptable
risk level is derived from these baselines. Metrics are used to track countermeasure
performance and make sure the baselines are met.
D. The output of risk analysis is used to inform management and set an acceptable risk level.
Baselines are derived from the metrics. Metrics are used to track countermeasure performance
and make sure the baselines are met.

ANSWER: B
Explanation: To perform a risk analysis, the physical security team identifies the
organization's threats, vulnerabilities, and business impacts. The team presents these
findings to management and works with them to define an acceptable risk level for the physical
security program. Baselines and metrics are then developed to evaluate whether the
countermeasures meet the baselines. After this, the team continually evaluates countermeasure
performance and expresses it in the previously created metrics, comparing the measured values
with the baselines. The security program is successful when the baselines are continually
maintained, which means the organization's acceptable risk level is not being exceeded.

75. When installing intrusion detection and monitoring systems, which of the following is not a
drawback?

A. Expensive installation
B. No penetration
C. Human response requirement
D. Subject to false alarms

ANSWER: B
Explanation: Monitoring and intrusion detection systems are expensive, require someone to
respond when they raise an alarm, and, because of their sensitivity, can generate many false
alarms. Like any other type of technology or device, they also have vulnerabilities of their
own that can be exploited and penetrated, so "no penetration" is not a property they have.

76. A cipher lock is a lock that uses:

A. Cryptographic keys
B. A key that cannot be reproduced
C. A token and perimeter reader
D. A keypad

ANSWER: D

78. The difference between a tumbler lock and a warded lock is best described as:
A. A tumbler lock is easier to circumvent than a warded lock
B. A warded lock uses internal cylinders, while a tumbler lock uses an internal bolt
C. A tumbler lock has more components than a warded lock
D. A tumbler lock is used internally, while a warded lock is primarily used externally

ANSWER: C

79. Light-frame construction material is used to build the internal walls of a company's
facility. Why is there concern about this material?
1. It provides the least protection against fire
2. It provides the least protection against forcible entry attempts
3. It is noncombustible
4. It provides the least support for mounting walls and windows

A. 1, 2
B. 1, 3
C. 2, 3, 4
D. 2, 3

ANSWER: A
Explanation: This material offers the least protection against forcible entry attempts and
fire. It contains untreated lumber, which is combustible during a fire. The material is
generally used for building homes because it is cheap, and homes face lower intrusion and fire
threats than office buildings.

83. A decision support system (DSS):

A. Aims to solve problems that are highly structured
B. Combines models with retrieval functions and nontraditional data access
C. Focuses on flexibility in the user's approach to decision making
D. Supports decision-making tasks that are structured

ANSWER: C
Explanation: A DSS focuses on flexibility in the user's approach to decision making. Its
objective is to solve less structured problems by combining analytical models and techniques
with nontraditional data access and retrieval functions. It supports decision-making tasks that
are semi-structured.

85. The human resources (HR) department has developed a system that lets employees enroll for
benefits through a website on the corporate intranet. Which of the following protects the
confidentiality of the data?

A. Two-factor authentication
B. Secure Sockets Layer (SSL) encryption
C. IP address verification
D. Encrypted session cookies

ANSWER: B
Explanation: The only option that provides data confidentiality is SSL encryption of the
session between the browser and the web server; the other options address authentication.
SSL has long since been replaced by TLS, and the confidentiality depends on the client actually
verifying the server's certificate so that an on-path attacker cannot impersonate the server.
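
Whether the session really is confidential depends on how the TLS client is configured. The following added example (not from the question bank) builds a hardened client context beside the "quick fix" seen in many scripts that disables verification: both encrypt, but only the first prevents an on-path attacker from impersonating the intranet server. The host name is an assumption made for this example.

```python
"""Confidentiality on the HR intranet site rests on the TLS session being set
up correctly (added example, not from the question bank). SSL is obsolete; TLS
replaced it, and a client that skips certificate verification still
"encrypts" but to whoever answers. The host name is an assumption."""
import socket
import ssl
from typing import Optional


def make_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context: chain and host name verified, TLS 1.2+ only."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # refuse SSLv3 / TLS 1.0 / TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION                  # TLS compression leaks plaintext (CRIME)
    return ctx


def insecure_context() -> ssl.SSLContext:
    """The 'quick fix' seen in many scripts: encrypted, but verifies nobody."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """The properties confidentiality actually depends on."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def negotiated_version(host: str, port: int = 443,
                       ctx: Optional[ssl.SSLContext] = None) -> str:
    """Connect and report the negotiated protocol (needs network; not run in tests)."""
    ctx = ctx or make_client_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("hardened context ok:", is_hardened(make_client_context()))
    print("insecure context ok:", is_hardened(insecure_context()))
    # Example (assumed host): print(negotiated_version("hr.intranet.example"))
```

An auditor reviewing the HR application should look for exactly this pattern in any client-side integration code: `verify_mode = CERT_NONE` or a disabled host name check turns "SSL encryption" into encryption to an unverified peer.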


88. The process that uses test data for a comprehensive test of program controls in a
continuous online manner is:
A. Base-case system evaluation
B. Test data/deck
C. Parallel simulation
D. Integrated test facility

ANSWER: A
Explanation: In a base-case system evaluation, standardized sets of test data are developed and
used for comprehensive testing of application programs, both before acceptance and during
periodic validation, to verify correct system operation. A test data/deck simulates transactions
using real programs. Parallel simulation processes production data with computer programs that
simulate the application's program logic. An integrated test facility (ITF) creates fictitious
entities in the production database and processes test transactions along with live input.

93. An organization is planning to deploy an outsourced cloud-based application to track job
applicant data for the human resources (HR) department. Which of the following should be the
GREATEST concern to an IS auditor?
A. The service level agreement (SLA) ensures strict limits for uptime and performance
B. The cloud provider will not agree to an unlimited right to audit as part of the SLA
C. The SLA is not explicit regarding the disaster recovery plan (DRP) capabilities of the cloud
provider
D. The cloud provider's data centers are in multiple cities and countries

ANSWER: D
Explanation: Having data in multiple countries is the greatest concern because HR applicant data
could contain personally identifiable information (PII). There may be legal compliance issues if
these data are stored in a country with different data privacy laws. While the organization is
bound by the privacy laws of the jurisdiction where it is based, it may have no legal recourse if
a data breach happens in a jurisdiction where those laws do not apply.

98. Operating standards and procedures can be validated by:

A. Observing the operation of the data center
B. Reviewing operating manuals
C. Testing a sample of transactions
D. Interviewing operations management

ANSWER: A
Explanation: The most objective way to collect evidence that operating procedures are followed
is to observe the operations directly.

99. Which of the following restricts users to the functions required to perform their duties?
A. Data encryption
B. Application-level access control
C. Network monitoring device
D. Disabling floppy disk drives

ANSWER: B
Explanation: Application-level access control programs are the best management control because
they limit each user to the functions needed to perform his or her duties. Disabling floppy
disk drives and data encryption are not the best choices, as each restricts only one specific
function. A network monitoring device is a detective control, not a preventive one.

104. When reviewing access control in a client-server environment, an IS auditor finds that
all users can access all printing options. In this situation, the auditor will most likely
conclude that:

A. All users can print any report at any time, so operating efficiency is enhanced.
B. Information is available to unauthorized users, so exposure is greater.
C. Information flows smoothly among users, so user-friendliness and flexibility are
facilitated.
D. Information is easily available, so operating procedures are more effective.

ANSWER: B
Explanation: Unrestricted access to every print option means any user can produce any report,
including those containing information he or she is not authorized to see; the exposure
outweighs any convenience.
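
The control questions 99 and 104 describe, application-level authorization that limits each user to the functions his or her duties need, looks like this in code. The following added example (not from the question bank) maps each function to the roles permitted to call it, denies anything unmapped by default, and logs every decision; the print-options case is modelled with a role that receives only the reports it needs instead of every print option. Roles, function names and the sample users are assumptions made for this example.

```python
"""Application-level access control (added example, not from the question
bank): function -> permitted roles, default deny for anything unmapped, audit
trail of every decision. Roles, names and users are assumptions."""
from functools import wraps
from typing import Callable, Dict, FrozenSet, List, Optional

# Authorization matrix. Its content comes from the data owner's formal
# authorization; the administrator only implements it.
PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "print_own_timesheet":    frozenset({"employee", "payroll", "manager"}),
    "print_payroll_register": frozenset({"payroll"}),
    "print_salary_report":    frozenset({"manager"}),
}

AUDIT_LOG: List[str] = []


class AccessDenied(PermissionError):
    pass


def requires_permission(func_name: str) -> Callable:
    """Allow the call only if the user holds a role listed for func_name;
    a function absent from the matrix is denied to everyone (default deny)."""
    def decorate(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(user: dict, *args, **kwargs):
            allowed = PERMISSIONS.get(func_name, frozenset())
            if not (user["roles"] & allowed):
                AUDIT_LOG.append(f"DENY  {user['name']} -> {func_name}")
                raise AccessDenied(f"{user['name']} may not call {func_name}")
            AUDIT_LOG.append(f"ALLOW {user['name']} -> {func_name}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorate


@requires_permission("print_own_timesheet")
def print_own_timesheet(user: dict) -> str:
    return f"timesheet for {user['name']}"


@requires_permission("print_payroll_register")
def print_payroll_register(user: dict) -> str:
    return "payroll register (all employees)"


@requires_permission("print_salary_report")
def print_salary_report(user: dict) -> str:
    return "salary report by department"


@requires_permission("export_all_employees")   # not in the matrix: nobody may call it
def export_all_employees(user: dict) -> str:
    return "full employee dump"


def attempt(fn: Callable, user: dict) -> Optional[str]:
    """Run a function for a user; None when access control blocks it."""
    try:
        return fn(user)
    except AccessDenied:
        return None


# Constructed sample users.
CLERK = {"name": "ann", "roles": frozenset({"employee"})}
PAYROLL = {"name": "bob", "roles": frozenset({"payroll"})}
MANAGER = {"name": "cat", "roles": frozenset({"manager"})}


if __name__ == "__main__":
    for user in (CLERK, PAYROLL, MANAGER):
        for fn in (print_own_timesheet, print_payroll_register,
                   print_salary_report, export_all_employees):
            attempt(fn, user)
    print("\n".join(AUDIT_LOG))
```

The audit log is what lets the IS auditor test the control: sampled DENY and ALLOW entries can be compared against the data owner's written authorizations to confirm the matrix was implemented as approved.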

109. The correct access control procedure is:

A. An IS manager and the data owner create and update the user authorization tables.
B. The user authorization tables are implemented by authorized staff members and approved by
the data owner.
C. The user authorization tables are created and updated by the data owner.
D. Access is formally authorized by the data owner, and the user authorization tables are
implemented by an administrator.

ANSWER: D
Explanation: The data owner is responsible for formally granting access rights. The user
authorization tables are then implemented or updated by an IS administrator, which keeps the
person who authorizes access separate from the person who configures it.

118. The greatest concern with respect to asset disposal is:

A. Employees taking disposed property home
B. Residual asset value
C. Environmental regulations
D. Standing data

ANSWER: D
Explanation: Standing (residual) data, meaning any information that can be recovered from a
device by any means, must be eliminated from the equipment before its disposal, by wiping,
degaussing, or physical destruction appropriate to the media.

119. The most important issue to consider with respect to insurance coverage is:
A. Premiums can be very costly
B. Salvage, and not replacement, may be dictated
C. Insurance can pay for all recovery costs
D. Coverage must include all business assets

ANSWER: B
Explanation: The insurance company may dictate salvage rather than replacement to save money,
which lengthens the delay before recovery. Any replacement purchases the company makes on its
own may not be covered under reimbursement.

121. Can continuity planners create plans without a business impact analysis (BIA)?
A. No; critical processes change constantly
B. Yes; all key processes to be used are already dictated by management
C. Yes; a risk assessment is sufficient
D. Yes; a business impact analysis is not needed

ANSWER: A
Explanation: Creating business continuity plans is not possible without a current business
impact analysis (BIA), which identifies the critical processes and their dependencies. These
processes change as the business takes on new customers and products.

124. With the use of public-key infrastructure (PKI) encryption, the sender uses which key for
the receiving party's authentication?

A. Recipient's private key
B. Sender's private key
C. Recipient's public key
D. Sender's public key

ANSWER: C
Explanation: Encrypting with the recipient's public key means that only the holder of the
matching private key can decrypt, which is how the sender ensures that only the intended
recipient can read the message. The sender's own private key is used to produce the sender's
digital signature, not to address the recipient.

126. An auditor's greatest concern when examining the roles and responsibilities of IT personnel
is when an IT member:

A. Monitors the performance of the system, makes the required program changes and tracks all
resultant problems
B. Reviews the workload requirements of the current server and predicts the future needs
C. Works with the user directly for improving the performance and response times across the
network
D. Assesses the effectiveness of the current procedures and suggests improvements

ANSWER: A
Explanation: Separation of duties prevents a person from authorizing their own changes or
monitoring their own work. Self-authorization and self-monitoring are a problem because they
violate the intent of IT governance. The auditor would need to examine whether the change
control board formally reviewed and approved the changes before implementation.

128. The backup method that should be used on computer files before a forensic investigation
is:
A. Differential
B. Logical
C. Bit stream
D. Full

ANSWER: C
Explanation: Bit stream imaging, also known as physical imaging, is the only backup method that
copies every sector of the media, so it preserves deleted files together with the contents of
swap and slack space. The other methods copy only the allocated, logical files and therefore
miss data that may be required as evidence. The image should be hashed at acquisition so that
its integrity can be demonstrated later.

129. The hierarchy of controls from highest level to lowest level is represented as:

A. Detailed, pervasive, application, detailed
B. Pervasive, general, application, detailed
C. General, pervasive, detailed, application
D. Application, general, detailed, pervasive

ANSWER: C
Explanation: General controls are the highest class of controls and apply to everything within a
company. Pervasive controls signify the protection required wherever the technology is being
used; IS controls are pervasive in every department that uses computers, and regardless of who is
in charge these controls need to ensure availability and integrity. Detailed controls stipulate
the execution procedures. Application controls work at the lowest level and are built into the
software or govern its use. If the higher-level controls are absent, application controls are
compromised.

133. The management method that provides the greatest control and the least discretionary
flexibility is:

A. Centralized
B. Distributed
C. Outsourced
D. In-house
ANSWER: A
Explanation: Centralized management always provides the greatest control. Distributed
management, also known as discretionary management, allows local decisions that depend on
various factors and provides the lowest overall control.

134. Verification during a tape backup is an example of:

A. Administrative control
B. Corrective control
C. Detective control
D. Preventive control

ANSWER: C
Explanation: Performing a data backup to tape is a preventive control against data loss. The
verification function is detective: it detects inconsistencies between the hard disk and the
tape, and any problem found still has to be fixed manually. Verification and audits are always
detective controls.

135. With respect to the control objectives of IT governance, the occurrence the auditor would be
least concerned about while executing the audit is:

A. Using proper change control
B. Practicing self-monitoring for reporting problems
C. Managing conflicts in the existing reporting relationships
D. Operating a production system without accreditation

ANSWER: A
Explanation: For the auditor, the use of proper change control is of the least concern; the
auditor will still review the change control procedures to confirm that duties are separated.
The other options signify violations necessitating further investigation.

136. Which of the following is NOT one of the main methods used to implement preventive,
detective, and corrective controls?
A. Logical
B. Legal
C. Administrative
D. Physical

ANSWER: B
Explanation: Legal is not a primary implementation method. Controls are implemented through
physical, logical (technical), and administrative methods. Administrative methods consist of
policies, laws, contracts, and procedures. A combination of logical, physical, and administrative
methods is what achieves legal compliance.

137. Which of the below statements is correct with respect to a software worm?
A. It is a synonym for a virus
B. It needs to be executed by opening a file
C. It attaches itself to data and programs when files are opened and closed
D. It travels freely across the network to infect other systems

ANSWER: D
Explanation: Unlike a virus, a worm travels across the network on its own to infect other
systems. It does not need a host file to be opened or closed in order to spread.

139. The technique used to store and transmit a symmetric encryption key is:
A. Generating a unique encryption key
B. Key rotation
C. Generating a shared encryption key
D. Key wrapping

ANSWER: D
Explanation: Key wrapping protects encryption keys while they are stored or transmitted: the
symmetric key is itself encrypted under a separate key-encryption key, so it is never handled in
the clear outside the system that holds the key-encryption key. Users should never be given
direct access to encryption keys.

140. The situation that does not show a reporting conflict is:

A. Employees report a violation to their boss, who also manages compliance
B. The information security manager reports to internal auditors
C. Reporting and self-monitoring of violations happen together
D. IT security reports to the chief information officer

ANSWER: B
Explanation: It is not a conflict for the information security manager to report problems to
internal audit, which is independent of the functions it reviews. It is a conflict if an
IT-related employee must report violations directly to the manager who is also responsible for
compliance, because job pressures may exist to cover up problems: when your job requires
reporting violations to a superior who is also accountable for compliance, a built-in reporting
conflict exists. The other options all contain such a conflict.

141. What is the purpose of a digital signature?

A. Electronic marker showing the recipient that a sender actually sent a document
B. Provides the recipient with a method of testing the document received from a sender
C. Cyclic redundancy check to prove document integrity
D. Provides a copy of the sender's public key along with the document

ANSWER: B
Explanation: A digital signature is worthless unless the recipient actually tests it by verifying
it against the sender's public key. Signatures should never be trusted merely because they are
present; they must be verified by the recipient to establish the authenticity and integrity of
the document.

142. The best way of protecting encryption keys from compromise is:

A. Using a physically isolated system for generating the keys
B. Storing the keys in a key-vault-rated server
C. Limiting the use of individual keys
D. Changing the encryption keys every four months

ANSWER: C
Explanation: Limiting the use of each encryption key helps protect keys from compromise.
Separation of duties also applies to encryption keys: every key should be used for one specific
purpose, so that the compromise of a single key exposes only the data that key protects.

143. With respect to the roles of management and the auditor, which of the below statements is
true?

A. Management must make their assertions before the auditor's report
B. Management uses the report before making assertions
C. The auditor's opinion will depend on management's wishes
D. The auditor can see only evidence that management has predetermined

ANSWER: A
Explanation: Management must make their assertions before the report and independently of it.
The auditor then determines whether management's claims can be verified with the evidence
available.

145. The functional difference between authentication and identification is:

A. Identification is a verified match, while authentication is only a claim
B. Identification is only a claim until it gets verified, while authorization is a match
C. Identification is only a claim, while authorization is a match
D. Identification is only a claim until verified, while authentication is a match

ANSWER: D
Explanation: Identification is the user's claim of who they are, such as a user ID;
authentication verifies that claim against a credential such as a password, token, or biometric.
Authorization, which decides what the verified identity may do, is a separate step.

146. The best way to prove an auditor's competence to perform an audit is:
A. Citing each point in a regulation with a specific test and an audit aim
B. Prior experience working in information technology
C. Prior experience in financial auditing
D. Holding auditor certification with ongoing training

ANSWER: A
Explanation: Each auditor should create a list of all points contained in a regulation, citing
every point by page, paragraph, and line number, and use it to explain how the audit process
meets the goal. Each item should have specific tests. If the audit test needs to be run again,
the next auditor should discover the same or similar results using your documentation.

147. The main objective of the ISACA audit standards and professional ethics publication is to:

A. Explain the professional duties you should follow when building your practice
B. Provide consistency without embarrassing you or the profession
C. Provide a sample reference the auditor may use during their audit without copyright
restrictions
D. Provide a comprehensive audit toolkit

ANSWER: B
Explanation: These aim to provide consistency. With the help of these standards, you can better
understand the auditor's duties.

148. By performing which of the following actions would a Certified Information Systems Auditor
lose their certification?

A. Continuing participation in professional education
B. Educating the auditee about what is being looked at in the audit
C. Using or owning materials without a valid copyright license
D. Sharing blank audit checklists with the auditee

ANSWER: C
Explanation: They can lose their certification by using or owning materials without a valid
copyright license. This is a violation of both the law and the code of ethics.

149. The auditor provides the following function:

A. Independent assurance that management's claims are correct
B. A second set of eyes, external with respect to the subject reviewed
C. Following standards that fit the client's needs
D. Help in fixing problems discovered during the audit

ANSWER: B
Explanation: The auditor is a paid impartial observer during an external or internal audit. The
other statements are not true: the auditor never takes ownership of the problems found, and the
client may meet the standards (compliant) or may not meet them (not compliant).

150. When the system shuts down improperly, a dump file is created. What does it generally
include that proves useful in forensic investigations?

A. History of all the processed user transactions
B. Contents of RAM
C. All user account information
D. System startup settings

ANSWER: B
Explanation: This file includes the contents of working memory (RAM) and the list of tasks that
were being processed at the time. Because the contents of RAM are otherwise lost at power-off,
this special diagnostic file is very helpful during forensic investigations.

Simulation-3

1. An IS team has decided to code a new application in a 4GL software. What is the advantage of this
technology?
A. Spontaneously generates business logic, screens, and reports
B. Uses fuzzy logic and decision support systems
C. Permits time boxing and short development cycles
D. Cuts developmental time and effort for functions, but has no business logic rules built-in

ANSWER: D

6. Data warehousing is increasingly used for churning large amounts of data. Which of the following
best defines a data mart?
A. Can purchase relevant data
B. Is a substitute for data warehousing
C. Provides data mining rules
D. Stores data mining results

ANSWER: D

7. Object-oriented database management systems normally combine database capabilities with
object-oriented programming capabilities. For which of the following data types are they designed?
A. Fixed length
B. Access with joins
C. Variable
D. Tabular implementation

ANSWER: C
Explanation: Object-oriented database management systems can manipulate data with variable data
formats, unlike relational databases, which are tabular in implementation.

8. An IS auditor has undertaken a review of the configuration parameters in a software development
project. Why is this review done?

A. Changes must be properly studied for impact analysis
B. Configuration settings must meet the minimum requirements for adequate and essential security
C. Change requests should be approved by the Change Control Board (CCB)
D. The configuration management system reveals different directories where controls are not well
managed

ANSWER: B
Explanation: The security-related configuration settings determine the accountability and
integrity of the data the system handles. Beyond this, changes should be studied for impact
analysis and properly approved by the Change Control Board. Evidence of inadequate security is
revealed by reviewing the items held under configuration management.

9. During a software development project audit, the CISA finds the requirements fuzzy. What
potential impact could this primarily have on the project quality?
A. Lack of adherence to specifications
B. Rework and bugs
C. Non-working software
D. Customer dissatisfaction

ANSWER: A
Explanation: Quality is primarily the result of conformance to specifications. Requirements must
reflect the specifications intended for use. A lack of requirement controls significantly impacts
quality and leads to customer dissatisfaction.

10. Software systems need to be tested at various stages to ensure they are fit for use. In a target
environment, what type of testing is undertaken to ensure the system is not in conflict with other
systems?

A. Integration
B. Sociability
C. System
D. White-box

ANSWER: B
Explanation: Sociability testing tests a software system in its target environment to confirm that
it coexists with the other systems there. The other tests are run to ensure the software system
and its functions are fit for use.

11. In a software development project, which entity is accountable and responsible for the entire
project including its schedule, quality, and budget?
A. Quality team
B. Project Governance committee
C. Project Manager or Leader
D. All the project team members

ANSWER: B
Explanation: While all the project team members are responsible for project success, and the Project
Manager for operational project management, it is the Project Governance committee that controls
the requirements and overall scope and needs to bear accountability and responsibility for the
project schedule, scope, and budget.

12. Software reverse engineering occurs when source code is taken apart to see how it operates in
order to replicate or improve it. Which of the given risks is incurred when reverse engineering is
undertaken?
A. Confidentiality agreement
B. License agreement violation
C. Site agreement violation
D. Contradiction on the quality of substituted parts

ANSWER: B
Explanation: Reverse engineering of source or compiled code is generally prohibited by end-user
license agreements, so undertaking it would imply a violation of the licensing agreement. Legal
issues may also arise from copyright violation, which can lead to legal action for infringement.

14. During software development projects, estimation of size and scope are very significant factors.
Several methodologies are available to estimate the work during the initial phase. Which of these
methods uses parameters such as user inputs, user outputs, reports, screens, and interfaces to
generate an estimate?

A. Story Points methodology
B. Lines of Code methodology
C. Configuration Points methodology
D. Function Point Analysis methodology

ANSWER: D
Explanation: Function Point Analysis is used by several software organizations. It is computed by
taking pertinent parameters such as the number of inputs, outputs, reports, screens, and
interfaces and their degree of complexity to arrive at a size estimate. This is further translated
into timelines and cost based on the number of developers available. The other methodologies,
Lines of Code and Story Points, are used for mainframe or legacy systems and Agile estimation
respectively.

15. Systems and data modeling use various diagramming methods of representation. A popular
method is the entity-relationship diagram (ERD). For which of the following is this method used?

A. Flow diagram for data flow through the system
B. Security controls logical access diagrams
C. Schedule diagram to detail the activities sequence
D. Defining the database design schema for requirements

ANSWER: D
Explanation: ERDs are used to define the database structure. An entity-relationship diagram (ERD)
details how the data is structured and its interrelationships with other data. Data flow diagrams
are then used to show the business logic and data-transformation procedures.

17. Software development projects with dynamic requirements, short schedules, quick wins, and
limited resources would use which of the given options?

A. Agile Software Development
B. Program Evaluation Review Technique
C. Critical Path Method
D. Gantt Charts

ANSWER: A
Explanation: Agile software development uses time-box management with a fixed scope and identified
deliverables for each iteration, trading off between software quality and project schedule. Every
additional iteration provides additional software modules.

19. An IS auditor is reviewing an IS operation that is substantially outsourced. Which of these is an
incorrect statement about outsourcing?
A. Creates economies of scale
B. Reversal is difficult and expensive
C. Minimizes key personnel loss
D. Provides a large pool of highly skilled employees

ANSWER: C
Explanation: Highly skilled and experienced in-house employees are down-scaled or made redundant
and would be difficult to replace, so outsourcing increases rather than minimizes the loss of key
personnel. However, outsourcing also

20. Which of these organizational structures gives the greatest power to a Project Manager?

A. Functional
B. Hybrid
C. Projectized
D. Matrix

ANSWER: C
Explanation: A project manager enjoys the highest power in a projectized organization, followed by
the matrix structure. In a functional structure the project manager has little or no involvement
or power.

25. Which type of audit would the auditor use to check product characteristics against design
conditions?
A. Compliance
B. Project
C. Application
D. Product

ANSWER: D
Explanation: Product audits compare the design specifications against the attributes of a finished
product. Auditors use this type of audit during the certification of customized software or before
a software product is released.

26. Which of these processes is not required by configuration management?

A. Configure each item
B. Release schedule
C. Change control
D. Version control

ANSWER: B
Explanation: Configuration management requires three essential components: identification and
configuration of each item, version control of every change, and reporting of the current
configuration as built and delivered to the customer. A release schedule is not required.

28. Which of the following business process re-engineering strategies requires large amounts of time
for reviewing the current process?
A. Step Model
B. Big Bang
C. Incremental
D. Interactive

ANSWER: C
Explanation: An incremental process requires a longer time to review the current process and
therefore causes little or no disruption.

34. What are the primary risks in a system development project?

A. Risk of undisciplined development and poor project management practices
B. Risk of end users not accepting deliverables
C. Risk of inadequate technology skills
D. Risk of unclear requirements

ANSWER: A
Explanation: Undisciplined system development and poor project management practices are the
primary risks in a project.

38. How is the completed software development rendered for the end-users?
A. Through user acceptance testing
B. Through implementation
C. Through release management
D. Through configuration control

ANSWER: C
Explanation: Software development is compiled and released to the end-users through a formal
release procedure that reviews all changes and incorporates them into a final release. This is moved
out of the development environment to production, and made available to the end users.

40. User acceptance testing should occur in which of the following environments?
A. Stand-alone systems
B. In the configuration-controlled testing or staging library
C. On development systems for the program
D. Production systems

ANSWER: B
Explanation: Acceptance testing should be performed in a configuration-controlled environment
using versioned software modules, so that what is tested is exactly what will be released.

42. In software analysis, why are entity-relationship diagrams used?

A. To detail data relationships
B. To detail the architecture
C. To detail user requirements
D. To detail implementation needs

ANSWER: A
Explanation: ERDs detail the relationships between data records and data attributes.

44. Why is the Function Point Analysis (FPA) methodology used?

A. To detail the functions in an organization
B. To forecast resources and the complexity of requirements
C. To use parameters to determine the requirement scope and complexity
D. To diagram the organization chart with responsibilities

ANSWER: B
Explanation: Function Point Analysis uses parameters such as the number of inputs, the number of
outputs, and their complexity to estimate all requirements in terms of size and schedule.

47. Which of the following represents a search for correlations in the data?

A. Data mart
B. Data snapshot
C. Data mining
D. Data warehouse

ANSWER: C
Explanation: The process of data mining is to search the available data in the data warehouse for
correlations. Data is collected from various databases with a snapshot utility, and copied to the data
warehouse. The data is searched for correlations that may provide useful information. These
correlations are then stored in the data mart for the user to review.

50. Which of the following best describes a program object in object-oriented programming?

A. It comprises methods as well as data
B. Its data is kept separate from its methods
C. It contains every method required for every task
D. It does not expose any methods

ANSWER: A
Explanation: Program objects comprise both methods and data so that a desired task can be
performed. In OOP an object can delegate part of a task to another object.

53. Which SDLC phase makes use of Function Point Analysis (FPA)?

A. SDLC phase 3: System Design
B. SDLC phase 5: Implementation
C. SDLC phase 4: Development
D. SDLC phase 1: Feasibility Study

ANSWER: D
Explanation: Function Point Analysis (FPA) helps estimate the effort needed to develop the
software. FPA is used during SDLC phase 1, the feasibility study, to formulate estimates by
multiplying the counts of inputs, outputs and other function types by weighting factors.

54. When is a project's management oversight needed?

A. When time, scope, or cost vary by more than 5 percent from the estimate
B. When the feasibility study is inconclusive
C. To validate whether the total benefits of the program meet the anticipated projection
D. When major changes show up in assumptions, methodology, or requirements

ANSWER: D
Explanation: A management oversight review is needed when the estimates are expected to be off by
more than 10 percent, or when major changes appear in the assumptions, methodology, or
requirements used.

55. What is the benefit of an integrated development environment (IDE)?

A. Eliminating the testing requirement in SDLC phase 4
B. Generating and debugging the program code
C. Eliminating the majority of processes in SDLC phase 2
D. Preventing design errors in SDLC phase 3

ANSWER: B
Explanation: The IDE automates program code generation and provides online debugging for certain
types of errors. It does not replace the traditional planning process, and it does not change the
testing requirements in SDLC phase 4: full testing still needs to take place.

56. What is the difference between accreditation and certification?

A. Accreditation is technical in nature while certification is managerial
B. Both are similar since both are technical in nature
C. Accreditation is management's view of whether the system is fit for use, while certification is
a technical test
D. Accreditation is the technical process of testing, while certification expresses management's
view and approval of its use

ANSWER: C
Explanation: Certification is the technical process of testing. Accreditation is the management
process that grants approval based on fitness for use.

60. Which of the following methods programs software modules using a time-box style of
management?
A. Spiral
B. Lower CASE
C. Agile
D. Fourth-generation (4GL)

ANSWER: C
Explanation: Agile uses time-box management for quick iterations of software prototypes, made
possible by small teams of talented programmers.

63. Which term describes coding a program using a template within an integrated software
development environment?

A. Compiled coding
B. Micro-coding
C. Pseudocoding
D. Object coding

ANSWER: C
Explanation: Software developers use pseudocoding to write programs into a project template. This
template lies within the integrated development environment (IDE).

65. How can the cost of designing and managing a quality program be justified?

A. Product profit margin
B. Cost of failure
C. Prevention of regulatory changes and fines
D. Use of the 100-point rule

ANSWER: B
Explanation: Quality is conformance to specifications and is measured as such. The price of
non-conformance, or cost of failure, is the added cost incurred when a specification is not met.
Once the cost of failure is known, it is an excellent tool for justifying the funding of
preventive controls.

66. Which of the following is the best method of assessing the logic used in software written as a
programming script?
A. Black-box
B. Regression
C. User acceptance
D. Crystal box

ANSWER: D
Explanation: Crystal-box testing, also called white-box testing, reviews the logic in software
written as a programming script. The script remains readable as long as it is not compiled;
compiled programs are tested using the black-box method. (White box = crystal box.)

68. Why should one use international standards such as ISO 15489 and ISO/IEC 9126:2003 with the
SDLC?

A. To use them as inputs to the starting specifications for the requirements in phase 2
B. To serve as an international reference for starting a quality assurance program
C. To provide guidance for use in phase 4 development
D. To reduce the initial cost of software development

ANSWER: A
Explanation: These standards help to plan the secondary software specifications. International
standards such as ISO 15489 (records management), ISO/IEC 15504 (process assessment, SPICE), and
ISO/IEC 9126:2003 (software product quality) are best used as inputs to the specifications in the
phase 2 requirements. The primary specifications come from gathering information from the users
to define their main objectives for the software and the steps in its intended mission.

74. While assessing an organization's data file control procedures, an IS auditor finds that
transactions are run against the most current files, while the restart procedures use previous
versions. What should the IS auditor recommend?
A. Retaining source documentation
B. Securing the data files
C. Controlling version usage
D. One-for-one checking

ANSWER: C
Explanation: For correct processing, it is essential that the proper version of each file is used:
transactions should be applied to the most current database, while restart procedures should use
the earlier versions, so the use of each version must be controlled.

87. Interfaces are another form of:

A. Output
B. Report
C. Input
D. Processing

ANSWER: C
Explanation: Interfaces transmit data from one system to another and are therefore inputs.

88. An IT system that now allows the corporate office to view data from the individual sales offices
introduces the most change to:

A. Social relationships
B. Technical support
C. Inter-organizational relationships
D. Company politics

ANSWER: D
Explanation: This change would affect the dynamics of the organization, shifting authority between
the corporate office and the individual sales units, which inevitably leads to company politics.

89. In auditing an automated change control system, an auditor reviews all of the following except:

A. License agreements
B. Rules
C. Access lists
D. Log files

ANSWER: A
Explanation: The license agreement is not required to be reviewed by the auditor when reviewing
the change controls. All others are pertinent.

101. Which of the following would BEST prevent power outages?

A. A power transfer system
B. Dual power leads
C. A power generator
D. An uninterruptible power supply

ANSWER: B
Explanation: The best way to prevent power outages is to install power leads from two different
power substations. It is not uncommon for a power transfer switch to fail during a power outage;
a transfer switch does not prevent an outage but is used to handle the impact of one.

103. A group of software designers are at a stage in their software development project where they
need to reduce the amount of code running, reduce entry points available to untrusted users,
reduce privilege levels as much as possible, and eliminate unnecessary services. Which of the
following best describes the first step they need to carry out to accomplish these tasks?

A. Attack surface analysis
B. Software development life cycle
C. Risk assessment
D. Unit testing

ANSWER: A
Explanation: The aim of an attack surface analysis is to identify and reduce the amount of code
accessible to untrusted users. The basic strategies of attack surface reduction are to reduce the
amount of code running, reduce entry points available to untrusted users, reduce privilege levels
as much as possible, and eliminate unnecessary services. Attack surface analysis is generally
carried out with specialized tools that enumerate the different parts of a product and aggregate
their findings into a numerical value. Attack surface analyzers scrutinize files, registry keys,
memory data, session information, processes, and service details.

105. In the system design phase, system requirement specifications are gathered and a modeling
language is used. Which of the following best describes what a modeling language is and what it is
used for?
A. A modeling language is commonly mathematical to allow for the verification of the system
components
B. A modeling language is commonly graphical to allow for threat modeling to be accomplished
through the understanding of system components
C. A modeling language is commonly graphical to allow for a system architecture to be built
D. A modeling language is commonly graphical to allow for visualization of the system components

ANSWER: D
Explanation: In the system design phase we gather system requirement specifications and use
modeling languages to establish how the system will accomplish design goals, such as required
functionality, compatibility, fault tolerance, extensibility, security, usability, and maintainability. The
modeling language is commonly graphical so that we can visualize the system from a static structural
view and a dynamic behavioral view.

106. The IS Head of an organization wants to deploy a server-side scripting language on his
company’s web server that will allow him to provide common code that will be used throughout the
site in a uniform manner. Which of the following best describes this type of technology?

A. Sandbox
B. Server-side includes
C. Cross-site scripting
D. Java applets

ANSWER: B
Explanation: Server-side includes (SSI) is an interpreted server-side scripting language used mainly
on web servers. It allows web developers to reuse content by inserting the same content into
multiple web documents. This typically involves an include directive in the page and a separate file
(commonly with a .inc extension) whose contents are to be included.

107. An attacker can modify the client-side JavaScript that provides structured layout and HTML
representation. This commonly takes place through form fields within compromised web servers.
Which of the following best describes this type of attack?
A. Injection attack
B. DOM-based XSS
C. Persistent XSS
D. Session hijacking

ANSWER: B
Explanation: A DOM (Document Object Model) based XSS vulnerability is also referred to as local
cross-site scripting. The DOM is the standard structure used to represent HTML and XML documents in
the browser. In such attacks, document components such as form fields and cookies can be
referenced through JavaScript. The attacker uses the DOM environment to modify the original client-side
JavaScript, which causes the victim’s browser to execute the resulting abusive JavaScript code.

114. In evaluating programmed controls over password management, which of the following is the IS
auditor most likely to rely on?
A. A size check
B. A hash total
C. A validity check
D. A field check

ANSWER: C
Explanation: A validity check would be the most useful for the verification of passwords because it
would verify that the required format has been used—for example, not using a dictionary word,
including non-alphabetical characters, etc. An effective password must contain several different types
of characters: alphabetical, numeric, and special.

125. An IS auditor is reviewing several completed software development projects. What should be
the primary focus?

A. Focus on system controls
B. Focus on testing controls
C. Focus on development standards
D. Focus on adequate and complete documentation

ANSWER: D
Explanation: When reviewing completed systems-development projects, an IS auditor should ensure
that adequate and complete documentation exists for each project.

128. An IS auditor is auditing the change management process for a software system and is
reviewing both the change logs and a written impact analysis of those change logs. Which would better
support the auditor as evidence?

A. The change log is best because it is subjective
B. The change log is best because it is objective and unbiased
C. The written analysis is best because it interprets the change log
D. The written analysis is best because it is objective

ANSWER: B
Explanation: The change log is the best evidence because it is objective and not subject to human
judgment.

130. The audit team is reviewing application software and its processing accuracy. Which controls
would the team use?

A. Range checks
B. Run-to-run totals
C. Limit checks on calculated amounts
D. Exception reports

ANSWER: B
Explanation: Run-to-run total verification is designed to provide the ability to verify data and record
values through the stages of application processing. It ensures that data read into the computer was
accepted and then applied correctly to the updating process.

131. An organization that is implementing security policies has asked the IT team’s Database
Administrator to ensure that the principle of least privilege is implemented in the RDBMS. Which of
these would be used?
A. View
B. Table
C. Record
D. Tuple

ANSWER: A
Explanation: In a relational database, a view implements least privilege. Data is stored in tables, and
views allow controlled access to only the portion of that data a user needs. A tuple is a row in a database table.

135. An IS auditor has been given the primary audit objective of reviewing the software development
handoffs to the production environment, because unauthorized development changes from earlier
versions are being put into production and creating bugs and errors. Which control would the
auditor look for to prevent these unauthorized changes?

A. Comparison of released source code with production code
B. Change impact requests and logs
C. Check-in and check-out of source code and object code
D. Date and time-stamp review of development baseline and production code

ANSWER: D
Explanation: A date and time-stamp review of the latest development baseline and the production
code would ensure that the latest approved source code matches the production object code.
This is the most effective way to ensure that the approved code is the one actually in
production.

138. A software development organization has been facing repeated issues with multiple versions of
code and no clear understanding of which version is the latest. After a root cause analysis, it has been
decided to implement library control software. How would this help?

A. Restricts source code to read-only access
B. Restricts source code to write-only access
C. Full access
D. Provides read-write access

ANSWER: A
Explanation: Library control software restricts source code to read-only access.

140. A software team that began with a schedule of 6 months and 10 team members finally
completed the project with 13 members over 11 months. The post-implementation audit has
provided an audit comment to use estimating techniques before starting the next phase. Which of
these is a reliable technique for estimating the scope and cost of a software development project?
A. Function point analysis (FPA)
B. Critical path method (CPM)
C. Gantt chart
D. PERT

ANSWER: A
Explanation: Function point analysis (FPA), from the IFPUG, is considered a reliable technique for
estimating the scope and cost of a software development project and is used across many
organizations.
