
CISA Chapter 4 Practice

The risk of eavesdropping (RFID tags are exposed to the risk of eavesdropping.
In this respect they are the same as any wireless device. RFID, by its nature, is not subject to other
exposures, such as social engineering, phishing, or malicious code.)
Which of the following risks is applicable to active RFID?
A. The risk of social engineering
B. The risk of phishing
C. The risk of eavesdropping
D. The risk of malicious code
The availability report (An availability report indicates the time period during
which the system is up and available for use. An IS auditor can determine
downtime with the help of availability reports. Utilization reports determine
the level of use of systems. A utilization report is used to predict resource
requirements. Asset management reports include an inventory of assets.
Hardware error reports identify system failures and other issues.)
Which of the following reports should an IS auditor verify to determine
compliance with the uptime requirement defined in the SLA?
A. The availability report
B. The utilization report
C. The hardware error report
D. The asset management report
The system downtime report (The system downtime log indicates the
effectiveness of preventive maintenance programs. High downtime indicates
that preventive maintenance is not effective. Effective preventive maintenance
should result in zero or very minimal downtime. Other options will not directly
indicate the efficiency of preventive maintenance programs.)
Which of the following is of great help when determining the efficiency of
preventive maintenance programs?
A. The system downtime report
B. The service provider's report
C. The maintenance log
D. The preventive maintenance schedule
Preventive maintenance (Preventive maintenance should be conducted during
non-peak times to avoid any downtime. Other activities may not directly
impact system availability.)
Which of the following activities should not be conducted during peak
production hours to avoid unexpected downtime?
A. Data migration
B. Tape back-up
C. Preventive maintenance
D. Configuration of the standby router
Use an automated tool to verify the availability of updated patches (An
automated tool can be used to generate reports for the availability of security
update patches in each critical server. The other options may not be as efficient
and effective as automated tools.)
Which of these is the best method of determining the availability of updated
security patches for critical servers?
A. Verify the patch update process
B. Manually verify each critical server
C. Review the change management log
D. Use an automated tool to verify the availability of updated patches
Date-and-time stamping source code and object code (Date-and-time stamping
for both the source and object code will help ensure the code is in sync. The
other options are good practice, but they will not ensure that the source and
object codes are the same version.)
The synchronization of production source code and object code is best
controlled by which of the following?
A. Comparing version releases of source code and object code
B. Restricting any changes to source code
C. Restricting any access to source code and object code
D. Date-and-time stamping source code and object code
Update the IT asset inventory (Updating the IT asset inventory should be the first step.
Once the inventory is updated, the other options can be followed.)
What is the first step after the replacement of hardware?
A. Sync the hardware with the hot site
B. Update the IT asset inventory
C. Identify and assess the vulnerability
D. Conduct risk assessment
Create an inventory of IT assets (The first step for implementing an access
control rule is to create a list of IT assets as an inventory. This will be followed
by categorization and grouping.)
What is the first step in the implementation of access control?
A. Group IT assets
B. Categorize IT assets
C. Implement an access control list
D. Create an inventory of IT assets
Identify assets (CISA aspirants should understand the following sequential
activities for the development of a risk management program: the
identification of assets, the identification of vulnerabilities and threats, impact
analysis, risk prioritization, control evaluation, and the implementation of
appropriate controls.)
What is the first step in developing a risk management program?
A. Assess vulnerability
B. Assess control
C. Identify assets
D. Map risk owners
Installed software not being approved (The installation of unapproved software
is a serious violation that carries major legal, financial, and security risks.
Processes should be in place to install only standard-approved software. The
other options are not as significant as option C.)
Which of the following is the major concern for an IS auditor reviewing desktop
software compliance?
A. Installed software not being updated in IT department records
B. Users not being trained in the usage of software
C. Installed software not being approved
D. The license renewal process not being centralized
Maintenance activities being conducted during non-peak hours (As far as
possible, maintenance functions should be performed during non-peak times.
Mishaps or incidents during maintenance activities can interrupt business
processes if maintenance is carried out during peak hours. It is prudent to
conduct any maintenance activity during non-peak hours only.)
Which of the following is most important for an IS auditor reviewing the
preventive maintenance activity processes of a data center by a third-party
service provider?
A. Background verification of service personnel
B. Escorting service personnel during maintenance activities
C. Maintenance activities being conducted during non-peak hours
D. A review of maintenance activities by the IT manager
A few jobs having been overridden by the operator (The overriding of
scheduled jobs should be restricted, as this can lead to unauthorized changes to
programs or data. This is a major concern, as overriding a scheduled job should only be
done by following the appropriate approval process. The other options are less
significant than overriding the schedule.)
Which of the following is a major concern for an auditor reviewing the job
scheduling process?
A. High instances of emergency changes
B. A few jobs not having completed on time
C. A few jobs having been overridden by the operator
D. A job failure analysis being done by the IT manager
Staging and job setup (Bypassing or ignoring tape header records may result in
loading the wrong tape and deleting a loaded tape. Staging and job setup is
useful in compensating for weaknesses in tape label control. Through staging,
data is stored in an intermediate place (between the data source and the data
target) and processing is done there. This ensures data integrity and effective
operations.)
Which of the following is the best compensating control for a tape management
system where some parameters are set to bypass or ignore tape header
records?
A. A review of logs
B. Staging and job setup
C. A full back-up of tapes
D. Storage of tapes at an offsite location
The lack of a documented end-user computing policy (End-user computing
refers to a system wherein a non-programmer can create their own applications. This
also reduces pressure on the IT department, which can concentrate on more
critical and complex applications. End-user computing is subject to some
inherent risks. A documented end-user computing policy must be
available to address the risks. The other options are less significant than the
lack of a documented policy.)
Which of the following is the greatest concern for an IS auditor reviewing the
end user computing process?
A. The lack of a documented end-user computing policy
B. The lack of training for the end-user
C. No involvement of the IT department in the development of applications
D. Applications not being subject to audit
End users are able to develop their own applications without the help of
programmers
What is End-User Computing?
A. End users access to computing resources
B. End users are able to develop their own applications without the help of
programmers
C. When programmers and end users collaborate on application development
D. Policies regarding appropriate end user computing use
the cloud provider's physical data centers are in multiple cities and countries
(Having data in multiple countries is the most significant concern because HR
applicant data could contain PII. There may be legal compliance issues if the
data is stored in a country with different privacy laws. The organization would
be bound by the privacy laws of the jurisdiction where it is based, and it may not have legal recourse if a
data breach happens in a jurisdiction where the same laws do not apply. A is
wrong because this application may have strict requirements for availability,
and the SLA is assumed to contain these same elements. B is wrong because
the right-to-audit clause is good but limits how a cloud provider may interpret
this requirement. Reviewing and assessing all the controls would be costly and
time-consuming. C is wrong because the SLA specifies uptime requirements,
and the means used to achieve those goals are not reviewed in depth.)
An organization is planning to deploy an outsourced cloud-based application
that is used to track job applicant data for the human resources department.
Which of the following should be the GREATEST concern to an IS auditor?
A. the SLA ensures strict limits for uptime and performance
B. the cloud provider will not agree to an unlimited right to audit as part of the
SLA
C. the SLA is not explicit regarding the disaster recovery plan capabilities of the
cloud provider
D. the cloud provider's physical data centers are in multiple cities and countries
Media reliability (To comply with regulatory requirements, the media should be
reliable enough to ensure an organization's ability to recover the data should it
be required for any reason. A is wrong because a full backup window is less
critical than reliability. B is wrong because media price is a consideration but
should not be more important than the ability to provide the required
reliability. Using low-cost but inadequate media may lead to penalties if data
cannot be accessed when required. C is wrong because the restore window is
the data recovery time. Because these are compliance-related backup data and
are not being used for production, this is less critical than reliability.)
Which of the following should be the MOST important criterion in evaluating a
backup solution for sensitive data that must be retained for a long period of
time due to regulatory requirements?
A. Full backup window
B. Media costs
C. Restore window
D. Media reliability
use this information to launch attacks (An organization's computer security
incident response team (CSIRT) should disseminate recent threats, security
guidelines, and security updates to the users to assist them in understanding
the security risk of errors and omissions. However, this introduces the risk that
the users may use this information to launch attacks directly or indirectly. An IS
auditor should ensure that the CSIRT is actively involved with users to assist
them in mitigating risks arising from security failures and to prevent additional
security incidents resulting from the same threat. B is wrong because
forwarding the security alert is not harmful to the organization. C is wrong
because implementing individual solutions is unlikely and inefficient, but not a
serious risk. D is wrong because users failing to understand the threat would
not be a serious concern.)
The computer security incident response team (CSIRT) of an organization
disseminates detailed descriptions of recent threats. An IS auditor's GREATEST
concern should be that the users may:
A. use this information to launch attacks
B. forward the security alert
C. implement individual solutions
D. fail to understand the threat
Alternative standby processor at another network node
A large chain of shops with electronic funds transfer (EFT) at point-of-sale
devices has a central communications processor for connecting to the banking
network. Which of the following is the BEST disaster recovery plan for the
communications processor?
A. Offsite storage of daily backups
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Alternative standby processor at another network node
The default configurations are changed. (Default database configurations, such
as default passwords and services, need to be changed; otherwise, malicious
code and intruders could easily compromise the database. B is wrong because
the normalization of a database is related more to performance than security. C
is wrong because limiting access to stored procedures is a valid security
consideration but not as critical as changing default configurations. D is wrong
because changing the service port used by the database is a component of the
configuration changes that could be made to the database. However, other
more critical configuration changes should be made first.)
An IS auditor is reviewing database security for an organization. Which of the
following is the MOST important consideration for database hardening?
A. The default configurations are changed.
B. All tables in the database are normalized.
C. Stored procedures and triggers are encrypted.
D. The service port used by the database server is changed.
Review changes in the software version control system. (It is common practice
for software changes to be tracked and controlled using version control
software. An IS auditor should review reports or logs from this system to
identify the software promoted to production. Only moving the versions on the
VCS program will prevent the transfer of development or earlier versions. A is
wrong because even if replication is conducted manually with due care, there
remains a risk of copying unauthorized software from one server to another. C
is wrong because if developers introduce unauthorized code onto the backup
server, controls on the production server and the software version control
system should mitigate this risk. D is wrong because a review of the access log
will identify staff access or the operations performed; however, it may not
provide enough information to detect the release of unauthorized software.)
Which of the following processes will be MOST effective in reducing the risk
that unauthorized software on a backup server is distributed to the production
server?
A. Manually copy files to accomplish replication.
B. Review changes in the software version control system.
C. Ensure that developers do not have access to the backup server.
D. Review the access control log of the backup server.
technological aspect of business continuity planning (BCP). (Disaster recovery
planning (DRP) is the technological aspect of a business continuity plan (BCP)
that focuses on IT systems and operations. B is wrong because business
resumption planning addresses the operational part of BCP. C is wrong because
disaster recovery addresses the technical components of business recovery. D
is wrong because the overall coordination of BCP is accomplished through
business continuity management and strategic plans. DRP addresses technical
aspects of BCP.)
Disaster recovery planning (DRP) addresses the:
A. technological aspect of business continuity planning (BCP).
B. operational part of business continuity planning.
C. functional aspect of business continuity planning.
D. overall coordination of business continuity planning.
examine object code to find instances of changes and trace them back to
change control records. (The procedure of examining object code files to
establish instances of code changes and tracing these back to change control
system records is a substantive test that directly addresses the risk of
unauthorized code changes. A is wrong because checking the change control
system will not detect changes that were not recorded in the control system. B
is wrong because reviewing access control permissions will not identify
unauthorized changes made previously. D is wrong because reviewing change
approved designations will not identify unauthorized changes.)
The BEST audit procedure to determine if unauthorized changes have been
made to production code is to:
A. examine the change control system records and trace them forward to
object code files.
B. review access control permissions operating within the production program
libraries.
C. examine object code to find instances of changes and trace them back to
change control records.
D. review change approved designations established within the change control
system.
Improved cost-effectiveness of IT service delivery and operational support (A
standardized IT infrastructure provides a consistent set of platforms and
operating systems across the organization. This standardization reduces the
time and effort required to manage disparate platforms and operating systems.
In addition, implementing enhanced operational support tools is simplified and
can help the organization reduce IT service delivery costs and operational
support. B is wrong because a standardized infrastructure results in a more
homogeneous environment, which is more prone to attacks. C is wrong
because while standardization can reduce support costs, transitioning to a
standardized kit can be expensive; therefore, the overall IT infrastructure
investment will not likely be reduced. D is wrong because a standardized
infrastructure may simplify the testing of changes but does not reduce the
need for such testing.)
Which of the following is the MOST likely benefit of implementing a
standardized infrastructure?
A. Improved cost-effectiveness of IT service delivery and operational support
B. Increased security of the IT service delivery center
C. Reduced level of investment in the IT infrastructure
D. Reduced need for testing future application changes
Resuming critical processes (The resumption of critical processes has the
highest priority because it enables business processes to begin immediately
after the interruption and not later than the maximum tolerable period of
disruption (MTPD) or maximum tolerable downtime (MTD). B is wrong because
recovery of sensitive processes refers to recovering the vital and sensitive
processes that can be performed manually at a tolerable cost for an extended
period of time and those that are not marked as high priority. C is wrong
because repairing and restoring the site to its original status and resuming the
business operations are time-consuming and not the highest priority. D is
wrong because relocating operations to an alternative site, either temporarily
or permanently, depending on the interruption, is time-consuming; moreover,
relocation may not be required.)
Which of the following would have the HIGHEST priority in a business
continuity plan (BCP)?
A. Resuming critical processes
B. Recovering sensitive processes
C. Restoring the site
D. Relocating operations to an alternative site
Availability reports (IS inactivity, such as downtime, is addressed by
availability reports. These reports provide the periods during which the
computer was available for utilization by users or other processes. A is wrong
because utilization reports document the use of computer equipment and can be used
by management to predict how, where, and/or when resources are required. B
is wrong because hardware error reports provide information to aid in detecting
hardware failures and initiating corrective action. These error reports may not
indicate actual system uptime. C is wrong because system logs record the
system's activities. They may not indicate availability.)
Which of the following reports should an IS auditor use to check compliance
with a service level agreement's (SLA) requirement for uptime?
A. Utilization reports
B. Hardware error reports
C. System logs
D. Availability reports
past incidents were handled appropriately. (Compliance reviews focus on the
performance of a process measured against a set policy or standard. This is
achieved when the auditor determines that past incidents were appropriately
handled and aligned with established policies and procedures. A is wrong because
roles and responsibilities may be established in the policy or separately
documented and are important for the auditor to understand, but the policy
should be reviewed first. B is wrong because the importance of protecting
incident response data is not the main focus of the incident response
compliance review. A compliance audit focuses on the performance of a
process measured against the set policy or standard. C is wrong because
ensuring incident response staff members are qualified is part of a compliance
assessment. It is performed after the auditor reviews the policies and procedures
against which the process will be assessed.)
When conducting a compliance review of an organization's incident response
process, the BEST approach for the IS auditor is to determine whether:
A. roles and responsibilities are clearly defined.
B. incident response data are secure.
C. incident response staff members are qualified.
D. past incidents were handled appropriately.
define recovery strategies. (One of the primary outcomes of a business impact
assessment (BIA) is the recovery time objective (RTO) and the recovery point
objective (RPO), which help define recovery strategies. B is wrong because a
BIA itself will not help in identifying the alternate site. That is determined
during the recovery strategy phase of the project. C is wrong because a BIA
itself will not help improve recovery testing. That is done during the
implementation and testing phase of the project. D is wrong because the
annual loss expectancy (ALE) of critical business assets and processes is
determined during risk assessment and will be reviewed in the BIA, but this is
not the primary advantage.)
The PRIMARY purpose of a business impact assessment (BIA) is to:
A. define recovery strategies.
B. identify the alternate site.
C. improve recovery testing.
D. calculate the annual loss expectancy (ALE).
recovery time objective (RTO). (RTO is the amount of time allowed for the
recovery of a business function or resource after a disaster occurs; the RTO is
the desired recovery timeframe based on MTO and available recovery
alternatives. B is wrong because the RPO has the greatest influence on the
recovery strategies for given data. It is determined based on the acceptable
data loss in case of a disruption of operations. The RPO effectively quantifies
the permissible amount of data loss in case of interruption. C is wrong because
MTO is the amount of time allowed to recover a business function or resource
after a disaster occurs; it represents the time by which the service must be
restored before the organization is faced with the threat of collapse. D is wrong
because an information security policy does not address recovery procedures.)
Recovery procedures for an information processing facility are BEST based on:
A. recovery time objective (RTO).
B. recovery point objective (RPO).
C. maximum tolerable outage (MTO).
D. information security policy.
The third-party provider reserves the right to access data to perform certain
operations. (Some providers reserve the right to access customer information
to perform certain transactions and provide certain services. PHI regulations
may restrict certain access, and organizations must review the regulatory
environment in which the cloud provider operates because it may have
restrictions. Organizations must determine whether the cloud provider offers
appropriate controls for data security. A is wrong because the customer
organization would want to retain data ownership. C is wrong because an organization
may wish to discontinue with a third party. It would then want to remove its
data from the system and ensure the service provider clears the system. Some
providers do not offer automated or bulk data withdrawal mechanisms, so the
organization needs to plan for data migration. D is wrong because an organization may
need to plan its own data recovery processes.)
An IS auditor of a health care organization is reviewing contractual terms and
conditions of a third-party cloud provider being considered to host patient
health information (PHI). Which of the following contractual terms would be the
GREATEST risk to the customer organization?
A. Data ownership is retained by the customer organization.
B. The third-party provider reserves the right to access data to perform certain
operations.
C. Bulk data withdrawal mechanisms are undefined.
D. The customer organization is responsible for backup, archive and restore.
Implement column- and row-level permissions
Which of the following should an IS auditor recommend for the protection of
specific sensitive information stored in the data warehouse?
A. Implement column- and row-level permissions
B. Enhance user authentication via strong passwords
C. Organize the data warehouse into subject matter-specific databases
D. Log user access to the data warehouse
Return or destruction of information (When reviewing a third-party agreement,
the most important consideration concerning the privacy of the data is the
clause concerning the return or secure destruction of information at the end of
the contract. A is wrong because data retention, backup, and recovery are
important controls; however, they do not guarantee data privacy. C is wrong
because network and intrusion detection are helpful when securing the data,
but on their own, they do not guarantee data privacy stored at a third-party
provider. D is wrong because a patch management process helps secure servers
and may prohibit unauthorized disclosure of data; however, it does not affect
the privacy of the data.)
An IS auditor is reviewing a third-party agreement for a new cloud-based
accounting service provider. Which of the following considerations is the MOST
important with regard to the privacy of the accounting data?
A. Data retention, backup and recovery
B. Return or destruction of information
C. Network and intrusion detection
D. A patch management process
Avoidance (Risk assessment and business impact assessment are tools for
understanding the business as a part of BCP. A is wrong because a business
continuity self-audit is a tool for evaluating the adequacy of the business
continuity plan (BCP) but not for understanding the business. B is wrong
because resource recovery analysis is a tool for identifying the components
necessary for a business resumption strategy but not for understanding the
business. D is wrong because the role gap analysis plays in BCP is
identifying deficiencies in a plan, not understanding the business.)
When an organization's disaster recovery plan (DRP) has a reciprocal
agreement, which of the following risk treatment approaches is being applied?
A. Transfer
B. Mitigation
C. Avoidance
D. Acceptance
fallback procedures. (Fallback procedures are used to restore a system to a
previous state and are an important element of the change control process.
The other choices are not related to the change control process—a process
that specifies what procedures should be followed when software is being
upgraded, but the upgrade does not work and requires a fallback to its former
state. A is wrong because problem management procedures are used to track
user feedback and issues related to the operation of an application for trend
analysis and problem resolution. B is wrong because software development
procedures such as the SDLC are used to manage the creation or acquisition of
new or modified software. D is wrong because incident management
procedures are used to manage errors or problems with system operation. A
help desk usually uses them. One of the incident management procedures may
be how to follow a fallback plan.)
An IS auditor needs to review the procedures used to restore a software
application to its state prior to an upgrade. Therefore, the auditor needs to
assess:
A. problem management procedures.
B. software development procedures.
C. fallback procedures.
D. incident management procedures.
Develop a scenario and perform a structured walk-through. (A structured walk-through,
including incident response and business continuity personnel,
provides the best opportunity to identify gaps or misalignments between the
plans. Publishing an enterprise-level incident response plan would be effective
only if business continuity aligned with incident response. Incident response
supports business continuity, not the other way around. Sharing perspectives is
valuable, but a working group does not necessarily lead to action, ensuring the
interface between plans is workable. A project plan developed for disaster
recovery will not necessarily address deficiencies in business continuity or
incident response.)
Which of the following is the BEST way to ensure that incident response
activities are consistent with the requirements of business continuity?
A. Draft and publish a clear practice for enterprise-level incident response.
B. Establish a cross-departmental working group to share perspectives.
C. Develop a scenario and perform a structured walk-through.
D. Develop a project plan for end-to-end testing of disaster recovery.
Segregation of client data (Several clients access the same set of services in a
shared services infrastructure. Therefore, the primary concern is maintaining
the segregation of client data. A is wrong because although disparate backup
requirements may present a challenge, the primary concern is maintaining the
segregation of client data. B is wrong because the availability of infrastructure
is an inherent benefit of cloud services and, as such, is not a primary concern.
D is wrong because although data integrity is important, maintaining
confidentiality of the data through segregation is a greater concern.)
Which of the following is the GREATEST concern to an IS auditor reviewing an
organization's use of third-party-provided cloud services to store health care
billing information?
A. Disparate backup requirements
B. Availability of infrastructure
C. Segregation of client data
D. Integrity of data
Perform a business impact analysis (BIA). (The first step in any disaster recovery
plan (DRP) is to perform a BIA. A is wrong because developing a recovery
strategy will come after performing a business impact analysis (BIA). C is wrong
because the BIA will identify critical business processes and the systems that
support those processes. Mapping software systems, hardware, and network
components will come after performing a BIA. D is wrong because appointing
recovery teams with defined personnel, roles, and hierarchy will come after
performing a BIA.)
Which of the following tasks should be performed FIRST when preparing a
disaster recovery plan (DRP)?
A. Develop a recovery strategy.
B. Perform a business impact analysis (BIA).
C. Map software systems, hardware and network components.
D. Appoint recovery teams with defined personnel, roles and hierarchy.
IT management (Because a disaster recovery plan (DRP) is based on the
recovery and provisioning of IT services, IT management's approval would be
most important to verify that the system resources will be available if a disaster
event is triggered. A is wrong because although executive management's
approval is essential, the IT department is responsible for managing system
resources and their availability related to disaster recovery (DR). C is wrong
because the board of directors may review and approve the DRP. However, the
IT department is responsible for managing system resources and their availability
as related to DR. D is wrong because the steering committee would determine
the requirements for disaster recovery (recovery time objective [RTO] and
recovery point objective [RPO]); however, the IT department is responsible for
managing system resources and their availability as related to DR.)
An IS auditor is reviewing the most recent disaster recovery plan (DRP) of an
organization. Which approval is the MOST important when determining the
availability of system resources required for the plan?
A. Executive management
B. IT management
C. Board of directors
D. Steering committee
last-mile circuit protection. (Last-mile circuit protection provides
telecommunication continuity through many recovery facilities, providing
redundant combinations of local carrier T-1s, microwave, and/or coaxial cable
to access the local communication loop in the event of a disaster. It protects
the link from the organization to the telecommunication provider. B is wrong
because long-haul network diversity provides diverse long-distance network
availability utilizing T-1 circuits among major long-distance carriers. It ensures
long-distance access should any one carrier experience a network failure. C is
wrong because diverse routing is the method of routing traffic through split or
duplicate cable facilities. D is wrong because alternative routing is the method
of routing information via an alternative medium, such as copper cable or fiber
optics.)
Facilitating telecommunications continuity by providing redundant
combinations of local carrier T-1 lines (E-1 lines in Europe), microwaves and/or
coaxial cables to access the local communication loop is:
A. last-mile circuit protection.
B. long-haul network diversity.
C. diverse routing.
D. alternative routing.
Likelihood of the same natural event occurring at both sites (The likelihood of
a natural disaster is considered in business continuity planning, including
whether a business case exists to set up an alternate site at all. The alternate
site should be at a location that does not expose it to the same threats as the
main site. A is wrong because the alternate site should be sufficiently far
from the main site, and geographic distance matters, but distance alone is not
the criterion: the same event, such as an earthquake, can affect two
geographically separated sites. C is wrong because the alternate site must be
able to sustain critical operations while normal business activities are
disrupted for a reasonable duration; its capacity can differ from the main
site's, as long as critical business services receive adequate support and
resources. D is wrong because proximity to fire, emergency response and
hospital facilities is an advantage but not the most important criterion.)
Which of the following is the MOST important criterion for selecting an
alternate processing site?
A. Total geographic distance between the two sites
B. Likelihood of the same natural event occurring at both sites
C. Matching processing capacity at both sites
D. Proximity of the alternate site to local fire, emergency response and hospital
facilities
Preparedness test (A preparedness test is a localized version of a full test,
in which resources are expended in the simulation of a system crash. It is
performed regularly on different aspects of the plan and can be a cost-effective
way to gradually obtain evidence about the plan's effectiveness, while providing
a means to improve the plan in increments. A is wrong because a paper test is a
walk-through of the plan involving the major players, who attempt to determine
what might happen in a particular type of service disruption during the plan's
execution; it usually precedes a preparedness test. B is wrong because a
posttest comprises a group of activities such as returning all resources to
their proper place, disconnecting equipment, returning personnel and deleting
all company data from third-party systems. D is wrong because a walk-through
involves a simulated disaster situation that tests the preparedness and
understanding of management and staff rather than the actual resources.)
Which of the following is a continuity plan test that simulates a system crash
and uses actual resources to cost-effectively obtain evidence about the plan's
effectiveness?
A. Paper test
B. Posttest
C. Preparedness test
D. Walk-through
Real-time replication to a remote site (With real-time replication to a remote
site, data are updated simultaneously in two separate locations; therefore, a
disaster in one site would not damage the information in the remote site. This
assumes that both sites were not affected by the same disaster. A is wrong
because daily tape backup recovery could result in losing a day's data work. C is
wrong because hard disk mirroring to a local server occurs in the same data
center and could be affected by the same disaster. D is wrong because real-
time data backup to the local storage area network (SAN) takes place in the
same data center and could possibly be affected by the same disaster.)
In the event of a data center disaster, which of the following would be the
MOST appropriate strategy to enable a complete recovery of a critical
database?
A. Daily data backup to tape and storage at a remote site
B. Real-time replication to a remote site
C. Hard disk mirroring to a local server
D. Real-time data backup to the local storage area network (SAN)
The group walks through the different scenarios of the plan from beginning to
end. (A structured walk-through test gathers representatives from each
department to review the plan and identify weaknesses, which keeps the plan
current. B is wrong because confirming that specific systems can perform
adequately at the alternate offsite facility is a parallel test; it does not
involve group review of the plan. C is wrong because a full-interruption test
is the most intrusive test to regular operations and the business, and
awareness of its procedures does not by itself keep the plan up to date. D is
wrong because while improving interdepartmental communication is important, it
is not a method for ensuring the plan remains current.)
Which of the following is the BEST method to ensure that the business
continuity plan (BCP) remains up to date?
A. The group walks through the different scenarios of the plan from beginning
to end.
B. The group ensures that specific systems can actually perform adequately at
the alternate offsite facility.
C. The group is aware of full-interruption test procedures.
D. Interdepartmental communication is promoted to better respond in the case
of a disaster.
downtime. (The longer the period of time a client cannot be serviced, the
greater the severity (impact) of the incident. A is wrong because the cost of
recovery could be minimal, yet the service downtime could have a major
impact. B is wrong because negative public opinion is a symptom of an
incident; it is a factor in determining impact but not the most important one. C
is wrong because geographic location does not determine the severity of the
incident.)
The MAIN criterion for determining the severity level of a service disruption
incident is:
A. cost of recovery.
B. negative public opinion.
C. geographic location.
D. downtime.
the minimum acceptable operational capability. (The service delivery objective
(SDO) is the level of service to be reached during the alternate process mode
until the normal situation is restored. This is directly related to the business
needs. B is wrong because the cost-effectiveness of the restoration process is
not the main consideration in determining the SDO. C is wrong because
meeting the recovery time objectives (RTO) may be one of the considerations
in determining the SDO, but it is a secondary factor. D is wrong because the
allowable interruption window (AIW) may be one of the factors secondary to
determining the SDO.)
Determining the service delivery objective (SDO) should be based PRIMARILY
on:
A. the minimum acceptable operational capability.
B. the cost-effectiveness of the restoration process.
C. meeting the recovery time objectives (RTOs).
D. the allowable interruption window (AIW).
the level of information security required when business recovery procedures
are invoked. (Businesses should consider whether information security levels
required during recovery should be the same, lower, or higher than when a
business usually operates. In particular, any special rules for access to
confidential data during a crisis must be identified. B is wrong because,
during a crisis, the organization's security needs may increase, since many
normal controls, such as separation of duties, may be missing; defining roles
does not by itself set the required security level. C is wrong because
identifying resource requirements for information security as part of the BCP
is important, but it is more important to set out the security levels required
for protected information. D is wrong because change management procedures
help keep a BCP up to date but do not address confidentiality during recovery.)
An IS auditor notes during an audit that an organization's business continuity
plan (BCP) does not adequately address information confidentiality during the
recovery process. The IS auditor should recommend that the plan be modified
to include:
A. the level of information security required when business recovery
procedures are invoked.
B. information security roles and responsibilities in the crisis management
structure.
C. information security resource requirements.
D. change management procedures for information security that could affect
business continuity arrangements.
Ensure that partnering organizations are separated geographically. (If the two
partnering organizations are in close geographic proximity, this could lead to
both organizations being subjected to the same environmental disaster, such as
an earthquake. A is wrong because while disaster recovery exercises are
important, they are difficult to perform under a reciprocal agreement, and
geographic proximity is the greater risk. C is wrong because a business impact analysis (BIA)
will help both organizations identify critical applications, but separation is a
more important consideration when entering reciprocal agreements. D is
wrong because selecting a partnering organization with similar systems is a
good idea, but separation is a more important consideration when entering
reciprocal agreements.)
Which of the following BEST mitigates the risk arising from using reciprocal
agreements as a recovery alternative?
A. Perform disaster recovery exercises annually.
B. Ensure that partnering organizations are separated geographically.
C. Regularly perform a business impact analysis (BIA).
D. Select a partnering organization with similar systems.
The company stores transcription backup tapes offsite using a third-party
service provider, which inventories backup tapes annually. (Losing a backup
tape containing confidential patient data is significant: privacy laws specify
severe penalties for such events, and because they must be reported, the
organization's reputation could be damaged. With an annual inventory, a
missing tape could go unnoticed for up to a year. The organization should
perform audit tests and evaluate the third party's controls to ensure tapes are
correctly handled. A is wrong because although not performing restoration
tests poses a risk, it does not create a risk of unauthorized information
leakage, and all restore requests have succeeded. B is wrong because a backup
and retention policy not reviewed for three years is a concern only if
requirements have changed in that time; audit tests should verify the validity
of the existing procedures. D is wrong because failed backup alerts that are
not followed up on imply that certain marketing data are not backed up, a
lesser concern than the loss of confidential patient data.)
During an audit of a small company that provides medical transcription
services, an IS auditor observes several issues related to the backup and restore
process. Which of the following should be the auditor's GREATEST concern?
A. Restoration testing for backup media is not performed; however, all data
restore requests have been successful.
B. The policy for data backup and retention has not been reviewed by the
business owner for the past three years.
C. The company stores transcription backup tapes offsite using a third-party
service provider, which inventories backup tapes annually.
D. Failed backup alerts for the marketing department data files are not
followed up on or resolved by the IT administrator.
increase. (Because of the additional cost of testing, maintaining and
implementing disaster recovery plan (DRP) measures, the cost of normal
operations for any organization will increase after a DRP is implemented: the
cost of operations during a nondisaster period with a DRP in place is greater
than the cost during a nondisaster period without one. B and C are wrong
because implementing a DRP always incurs additional costs for the
organization. D is wrong because the costs of a DRP are fairly predictable and
consistent.)
The cost of ongoing operations when a disaster recovery plan (DRP) is in place,
compared to not having a disaster recovery plan, will MOST likely:
A. increase.
B. decrease.
C. remain the same.
D. be unpredictable.
The organization and client must comply with open source software license
terms. (Each open source license has different terms and conditions. Some
licenses allow software components to be used freely but require that the
complete product incorporating them grant the same rights. If the development
organization is not careful, its product could violate the license terms, for
example by selling for profit a product that incorporates such a component.
The auditor should be concerned with license compliance to avoid unintended
intellectual property risk or legal consequences. A is wrong because a benefit
of open source software is that it is free; what the developing organization
and client must watch is the license terms and conditions attached to the
components. C is wrong because open source software, like any other software,
should be tested for security flaws as part of the SDLC process; it is not
inherently vulnerable. D is wrong because open source software is not
inherently of lower quality; it should be tested for reliability as part of the
SDLC process.)
During an assessment of software development practices, an IS auditor finds
that open source software components were used in an application designed
for a client. What is the GREATEST concern the auditor would have about the
use of open source software?
A. The client did not pay for the open source software components.
B. The organization and client must comply with open source software license
terms.
C. Open source software has security vulnerabilities.
D. Open source software is unreliable for commercial use.
Switches
Which of the following BEST reduces the ability of one device to capture the
packets that are meant for another device?
A. Hubs
B. Switches
C. Routers
D. Firewalls
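As an added illustration (not part of the original question set): the following Python model contrasts a hub, which repeats every frame to every port, with a learning switch, which forwards unicast frames only to the port where the destination MAC address was learned. The port numbers, MAC addresses and traffic are constructed for the example. It also shows the caveat a practitioner should keep in mind: a switch floods frames whose destination it has not learned, so once its forwarding table is full (the condition a MAC-flooding attacker deliberately creates) it behaves like a hub again and the third host sees the conversation.

```python
"""Hub versus learning switch: can a third host capture frames meant for another?

Added illustration; the devices, ports, MAC addresses and traffic are all
constructed for this example and are not from the source material.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed hosts: port number -> MAC address of the host on that port.
HOSTS = {1: "02:00:00:00:00:01", 2: "02:00:00:00:00:02", 3: "02:00:00:00:00:03"}


class Hub:
    """A hub repeats every frame to every port except the ingress port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """A switch learns source MAC -> port and forwards unicast to that port only."""

    def __init__(self, ports, table_size=4):
        self.ports = list(ports)
        self.table = {}               # forwarding (CAM) table: MAC -> port
        self.table_size = table_size  # real switches have a finite table too

    def forward(self, in_port, src, dst):
        # Learn or refresh the sender's port while the table has room.
        if src in self.table or len(self.table) < self.table_size:
            self.table[src] = in_port
        out_port = self.table.get(dst)
        if dst == BROADCAST or out_port is None:
            # Broadcast or unknown destination: flood like a hub. A table
            # filled with bogus entries (MAC flooding) forces this path for
            # every frame, which is why that attack turns a switch into a hub.
            return [p for p in self.ports if p != in_port]
        return [] if out_port == in_port else [out_port]


def conversation():
    """Constructed traffic: hosts 1 and 2 talk; host 3 only listens on port 3."""
    h1, h2 = HOSTS[1], HOSTS[2]
    return [
        (1, h1, BROADCAST),  # host 1 resolves host 2 (ARP-style broadcast)
        (2, h2, h1),         # host 2 answers; the switch now knows both ports
        (1, h1, h2),
        (2, h2, h1),
        (1, h1, h2),
    ]


def frames_capturable_on(device, frames, observer_port):
    """Count unicast frames delivered to observer_port that were not addressed to it."""
    observer_mac = HOSTS[observer_port]
    captured = 0
    for in_port, src, dst in frames:
        delivered = device.forward(in_port, src, dst)
        if observer_port in delivered and dst not in (observer_mac, BROADCAST):
            captured += 1
    return captured


def fill_forwarding_table(switch, attacker_port, count):
    """Send `count` frames from made-up source MACs so the table fills up."""
    for i in range(count):
        bogus = "de:ad:be:ef:%02x:%02x" % (i >> 8, i & 0xFF)
        switch.forward(attacker_port, bogus, BROADCAST)


if __name__ == "__main__":
    ports = HOSTS.keys()
    print("hub     :", frames_capturable_on(Hub(ports), conversation(), 3))
    print("switch  :", frames_capturable_on(LearningSwitch(ports), conversation(), 3))
    flooded = LearningSwitch(ports, table_size=4)
    fill_forwarding_table(flooded, attacker_port=3, count=4)
    print("flooded :", frames_capturable_on(flooded, conversation(), 3))
```

With the hub, host 3 sees all four unicast frames; with the switch it sees none, which is the reduction the question asks about. The flooded switch shows why "reduces" is the right word rather than "prevents": port security (limiting learned MACs per port) and 802.1X are the usual answers to that caveat.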
performs maintenance during noncritical processing times. (The biggest risk to
normal operations in a data center would be if an incident or mishap happened
during critical peak processing times; therefore, ensuring that no system
maintenance is performed in these critical times would be prudent. A is wrong
because while the trustworthiness of the service personnel is essential, it is
normal practice for these individuals to be escorted and supervised by the data
center personnel. B is wrong because escorting service personnel is common
and good practice, but the greater risk, in this case, would be if work were
performed during critical processing times. D is wrong because the service
provider may be performing inadequate maintenance; therefore, this issue may
need to be investigated; however, the bigger risk is maintenance being
performed at critical processing times.)
During the review of an enterprise's preventive maintenance process for
systems at a data center, the IS auditor has determined that adequate
maintenance is being performed on all critical computing, power and cooling
systems. Additionally, it is MOST important for the IS auditor to ensure that the
organization:
A. has performed background checks on all service personnel.
B. escorts service personnel at all times when performing their work.
C. performs maintenance during noncritical processing times.
D. independently verifies that maintenance is being performed.
system and the IT operations team can sustain operations in the emergency
environment. (The applications have been operated intensively, but the
capability of the system and the IT operations team to sustain and support this
environment (ancillary operations, batch closing, error corrections, output
distribution, etc.) is only partially tested. B is wrong because the test involved
intensive usage and the backup would seem able to handle the transaction
load. C is wrong because users were able to connect to and use the system, so
the response time must have been satisfactory. D is wrong because the
intensive tests by the business indicated that the workflow systems worked
correctly. Environmental changes could pose a future problem, but it is working
correctly now.)
A live test of a mutual agreement for IT system recovery has been carried out,
including a four-hour test of intensive usage by the business units. The test has
been successful, but gives only partial assurance that the:
A. system and the IT operations team can sustain operations in the emergency
environment.
B. resources and the environment could sustain the transaction load.
C. connectivity to the applications at the remote site meets response time
requirements.
D. workflow of actual business operations can use the emergency system in
case of a disaster.
management reviews and approves the changes after they have occurred.
(Because management cannot always be available when a system failure
occurs, it is acceptable for changes to be reviewed and approved within a
reasonable period after they occur. B is wrong because although peer review
provides some accountability, management should review and approve all
changes, even if that review and approval must occur after the fact. C is wrong
because documenting the event does not replace the need for a review and
approval process. D is wrong because it is not a good control practice for
management to ignore its responsibility by preapproving all emergency
changes in advance without reviewing them. Unauthorized changes could then
be made without management's knowledge.)
Emergency changes that bypass the normal change control process are MOST
acceptable if:
A. management reviews and approves the changes after they have occurred.
B. the changes are reviewed by a peer at the time of the change.
C. the changes are documented in the change control system by the operations
department.
D. management has preapproved all emergency changes.
program changes have been authorized. (Library control software should be
used to separate test libraries from production libraries in mainframe and/or
client-server environments. The main objective of library control software is
to provide assurance that program changes have been authorized. B is wrong
because library control software is concerned with authorized program changes
and cannot determine whether programs have been thoroughly tested. C is wrong
because programs should not be moved automatically into production without
proper authorization. D is wrong because library control software provides
reasonable assurance that source code and executable code match when source
code is moved to production, and access control helps maintain the integrity
of the software, but the most important benefit of library control software is
assurance that all changes are authorized.)
An IS auditor should recommend the use of library control software to provide
reasonable assurance that:
A. program changes have been authorized.
B. only thoroughly tested programs are released.
C. modified programs are automatically moved to production.
D. source and executable code integrity is maintained.
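As an added example (not from the question set): the two explanations above, on emergency changes that management reviews and approves after the fact and on library control software giving assurance that program changes are authorized, amount to a reconciliation an auditor can script. The Python below compares a constructed log of moves into the production library against constructed change records. A move is authorized when it references a change record for the same program, the hash of the deployed code matches the version that was approved, and approval came before the move or, for a change flagged as an emergency, within a grace period after it. The record fields, program names, hashes and the 24-hour window are all assumptions made for the example.

```python
"""Reconcile moves into the production library against change-control records.

Added example, not from the source. All records, moves, hashes and the
24-hour emergency approval window are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: management must approve an emergency change within this window
# after it was made; later approval is treated as unauthorized.
EMERGENCY_APPROVAL_WINDOW = timedelta(hours=24)


def fingerprint(code: bytes) -> str:
    """Hash of the program as built; recorded at approval and again at move time."""
    return hashlib.sha256(code).hexdigest()


@dataclass
class ChangeRecord:
    change_id: str
    program: str
    approved_hash: str                # fingerprint of the version authorized
    approved_at: Optional[datetime]   # None: approval never given
    emergency: bool = False


@dataclass
class ProductionMove:
    program: str
    deployed_hash: str                # fingerprint of what landed in production
    moved_at: datetime
    change_id: Optional[str]          # None: no change ticket referenced


def classify_move(move, records):
    """Return (status, reason) for one move into the production library."""
    rec = records.get(move.change_id) if move.change_id else None
    if rec is None:
        return "UNAUTHORIZED", "no change record referenced"
    if rec.program != move.program:
        return "UNAUTHORIZED", f"{rec.change_id} is for {rec.program}, not {move.program}"
    if rec.approved_hash != move.deployed_hash:
        return "UNAUTHORIZED", "deployed code differs from the approved version"
    if rec.approved_at is None:
        return "UNAUTHORIZED", "change never approved"
    if rec.approved_at <= move.moved_at:
        return "AUTHORIZED", "approved before the move"
    if rec.emergency and rec.approved_at - move.moved_at <= EMERGENCY_APPROVAL_WINDOW:
        return "AUTHORIZED", "emergency change approved after the fact"
    return "UNAUTHORIZED", "approval came after the move and outside emergency handling"


def unauthorized_moves(moves, records):
    """Programs whose production moves fail the reconciliation, in log order."""
    return [m.program for m in moves if classify_move(m, records)[0] == "UNAUTHORIZED"]


# Constructed data ----------------------------------------------------------
T0 = datetime(2024, 3, 1, 9, 0)


def sample_records():
    return {
        "CHG-100": ChangeRecord("CHG-100", "PAYROLL", fingerprint(b"payroll v2"), T0),
        "CHG-101": ChangeRecord("CHG-101", "BILLING", fingerprint(b"billing hotfix"),
                                T0 + timedelta(hours=30), emergency=True),
        "CHG-102": ChangeRecord("CHG-102", "LEDGER", fingerprint(b"ledger v5"), None),
        "CHG-103": ChangeRecord("CHG-103", "REPORTS", fingerprint(b"reports v3"),
                                T0 + timedelta(hours=50), emergency=True),
    }


def sample_moves():
    return [
        ProductionMove("PAYROLL", fingerprint(b"payroll v2"), T0 + timedelta(hours=1), "CHG-100"),
        ProductionMove("BILLING", fingerprint(b"billing hotfix"), T0 + timedelta(hours=24), "CHG-101"),  # approved 6 h later
        ProductionMove("LEDGER", fingerprint(b"ledger v5"), T0 + timedelta(hours=2), "CHG-102"),
        ProductionMove("PAYROLL", fingerprint(b"payroll v2 (edited)"), T0 + timedelta(hours=3), "CHG-100"),
        ProductionMove("REPORTS", fingerprint(b"reports v3"), T0 + timedelta(hours=20), "CHG-103"),  # approved 30 h later
        ProductionMove("HR", fingerprint(b"hr v1"), T0 + timedelta(hours=4), None),
    ]


if __name__ == "__main__":
    for m in sample_moves():
        status, reason = classify_move(m, sample_records())
        print(f"{m.program:8} {status:12} {reason}")
```

The second PAYROLL move is the case library control software exists to catch: a valid ticket is referenced, but the code that reached production is not the code that was approved. The BILLING move is the acceptable emergency change (approved six hours after the fact), while REPORTS shows the same mechanism abused, with approval arriving long after the grace period.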
Conduct a paper test. (A best practice would be to conduct a paper test. This
tests the plan in a non-hazardous manner by stepping through the plan with
key recovery team members. A is wrong because senior management
sponsorship should have been obtained before implementing the plan. B is
wrong because business needs should have been identified before implementing
the plan. D is wrong because a paper test should be conducted first, followed
by system or full testing.)
An organization has implemented a disaster recovery plan (DRP). Which of the
following steps should be carried out next?
A. Obtain senior management sponsorship.
B. Identify business needs.
C. Conduct a paper test.
D. Perform a system restore test.
Critical business processes for ascertaining the priority for recovery
As part of the business continuity planning (BCP) process, which of the
following should be identified FIRST in the business impact analysis (BIA)?
A. Risk such as single point-of-failure and infrastructure risk
B. Threats to critical business processes
C. Critical business processes for ascertaining the priority for recovery
D. Resources required for resumption of business
Contact information of key personnel (In the event of a disaster, it is important
to have a current updated list of personnel who are key to the plan's operation.
B is wrong because asset inventory is important and should be linked to the
organization's change management process, but having access to key people
may compensate for outdated records. C is wrong because individual roles and
responsibilities are important, but many people could fill different roles in a
disaster depending on their experience. D is wrong because the procedures for
declaring a disaster are important, because they can affect response, customer
perception and regulatory issues, but they are not as important as having the
right people available when needed.)
The frequent updating of which of the following is key to the continued
effectiveness of a disaster recovery plan (DRP)?
A. Contact information of key personnel
B. Server inventory documentation
C. Individual roles and responsibilities
D. Procedures for declaring a disaster
Application programmers are implementing changes to production programs.
Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production
programs.
B. Administrators are implementing vendor patches to vendor-supplied
software without following change control procedures.
C. Operations support staff members are implementing changes to batch
schedules.
D. Database administrators are implementing changes to data structures.
recovery time objective (RTO). (The recovery time objective (RTO) is the
amount of time allowed for the recovery of a business function or resource
after a disaster occurs; the RTO is the desired recovery timeframe based on
maximum tolerable outage (MTO) and available recovery alternatives. B is
wrong because the recovery point objective (RPO) most influences the
recovery strategies for given data. It is determined based on the acceptable
data loss in case of a disruption of operations. The RPO effectively quantifies
the permissible amount of data loss in case of interruption. C is wrong because
the MTO is the maximum time a business function or resource can remain
unavailable after a disaster before the organization faces the threat of
collapse; the RTO is set within the MTO and is what the recovery procedures are
built to meet. D is wrong because an information security policy does not
address recovery procedures.)
Recovery procedures for an information processing facility are BEST based on:
A. recovery time objective (RTO).
B. recovery point objective (RPO).
C. maximum tolerable outage (MTO).
D. information security policy.
the recovery plans are periodically tested (Periodic testing of the recovery plan
is critical to ensure that whatever has been planned and documented is
feasible. The other options are more tactical considerations that are secondary
to the need for testing. A is wrong because the recovery site should be far
enough away to avoid being affected by the same disaster that strikes the
primary site. However, that is not the most important part of the business
continuity plan (BCP). It is more important that the plan is tested. C is wrong
because testing backups is important, but only addresses a part of the BCP. It is
more important that the entire plan is tested. D is wrong because network
redundancy is important for many organizations, but not as important as the
need to test the plan.)
Which of the following is the MOST important aspect of effective business
continuity management?
A. the recovery site is secure and located an appropriate distance from the
primary site
B. the recovery plans are periodically tested
C. fully tested backup hardware is available at the recovery site
D. network links are available from multiple service providers
Containment at the facility (The first priority (after addressing life safety) is to
contain the incident at the facility so that the spread of the damage is
minimized. The incident team must gain control of the situation. A is wrong
because restoration ensures that the affected systems or services are restored
to the condition specified by the recovery point objective (RPO). This action will be
possible only after the containment of the damage. B is wrong because facility
documentation should be prepared to inform management of the incident;
however, damage must be contained first. D is wrong because monitoring the
facility is important, although containment must take priority to avoid
spreading the damage.)
Which of the following should an incident response team address FIRST after a
major incident in an information processing facility?
A. Restoration at the facility
B. Documentation of the facility
C. Containment at the facility
D. Monitoring of the facility
Employee training on the business continuity plan (BCP) (The chain of
command might be interrupted during a disaster. Therefore, employees must
know their roles in the BCP, including where to report and how to perform their
job functions. Employee training on the plan is essential for businesses with
geographically separated offices because there is a greater chance of
communication disruption. A is wrong because procedural documentation
should continually be updated and distributed to major locations. B is wrong
because a reciprocal agreement is an emergency processing agreement
between two or more enterprises with similar equipment or applications.
Typically, participants of a reciprocal agreement promise to provide processing
time to each other when an emergency arises. C is wrong because senior
management may not be available to provide leadership during a disaster, so
uninterrupted operations cannot depend on it.)
Which of the following BEST ensures uninterrupted operations in an
organization with IT operation centers in several countries?
A. Distribution of key procedural documentation
B. Reciprocal agreement between business partners
C. Strong senior management leadership
D. Employee training on the business continuity plan (BCP)
Provide and monitor separate login IDs that the developer will use for
programming and for production support. (Providing separate login IDs that
would only allow a developer privileged access when required is a good
compensating control, but it must also be backed up with monitoring and
supervision of the developer's activity.)
Due to resource constraints, a developer requires full access to production data
to support certain problems reported by production users. Which of the
following choices would be a good compensating control for controlling
unauthorized changes in production?
A. Provide and monitor separate login IDs that the developer will use for
programming and for production support.
B. Capture activities of the developer in the production environment by
enabling audit trails.
C. Back up all affected records before allowing the developer to make
production changes.
D. Ensure that all changes are approved by the change manager.
Offsite storage of backup data (Remote storage of backups is the most critical
disaster recovery plan (DRP) element of the items listed because access to
backup data is required to restore systems. B is wrong because having a list of
key contacts is important but not as important as having adequate data
backup. C is wrong because a DRP may use a replacement data center or
another solution, such as a mobile site, reciprocal agreement, or outsourcing
agreement. D is wrong because having a clearly defined recovery time
objective (RTO) is especially important for business continuity planning (BCP).
However, the core element of disaster recovery (the recovery of IT
infrastructure and capability) is data backup.)
Which of the following is the MOST critical element of an effective disaster
recovery plan (DRP)?
A. Offsite storage of backup data
B. Up-to-date list of key disaster recovery contacts
C. Availability of a replacement data center
D. Clearly defined recovery time objective (RTO)
physically separated from the data center and not subject to the same risk. (It
is important that there is an offsite storage location for IS files and that it is in a
location not subject to the same risk as the primary data center. B is wrong
because the offsite location may be shared with other companies and may
therefore have an even higher level of protection than the primary data
center; matching its protection level is not the most important criterion. C
is wrong because an offsite location may be owned by a third party or by the
organization itself. D is wrong because physical protection is important but
not as important as not being affected by the same crisis.)
Which of the following is the MOST important criterion when selecting a
location for an offsite storage facility for IS backup files? The offsite facility must
be:
A. physically separated from the data center and not subject to the same risk.
B. given the same level of protection as that of the computer data center.
C. outsourced to a reliable third party.
D. equipped with surveillance capabilities.
each plan is consistent with one another. (Depending on the complexity of an
organization, there could be more than one plan to address various aspects of
business continuity and disaster recovery, but the plans must be consistent to
be effective. B is wrong because the plans do not necessarily have to be
integrated into one plan. C is wrong because although each plan may be
independent, each must be consistent with other plans to have a viable
business continuity planning strategy. D is wrong because it may not be
possible to define a sequence in which plans must be implemented because it
may depend on the nature of the disaster, criticality, recovery time, etc.)
Depending on the complexity of an organization's business continuity plan
(BCP), it may be developed as a set of plans to address various aspects of
business continuity and disaster recovery. In such an environment, it is
essential that:
A. each plan is consistent with one another.
B. all plans are integrated into a single plan.
C. each plan is dependent on one another.
D. the sequence for implementation of all plans is defined.
A read-only restriction (Because most data in a data warehouse are historical
and do not need to be changed, applying read-only restrictions prevents data
manipulation. A is wrong because backups address availability, not integrity;
validated backups ensure that the backup will work when needed. B is wrong
because adequate change management procedures protect the data
warehouse and the systems with which the data warehouse interfaces from
unauthorized changes but are not usually concerned with the data. C is wrong
because data dictionary maintenance procedures provide for the definition and
structure of data input to the data warehouse. This will not affect the integrity
of data already stored.)
Which of the following security measures BEST ensures the integrity of
information stored in a data warehouse?
A. Validated daily backups
B. Change management procedures
C. Data dictionary maintenance
D. A read-only restriction
Extent of data loss that is acceptable (The RPO is determined based on the
acceptable data loss in case of a disruption of operations. It indicates the
earliest point in time that is acceptable to recover the data. The RPO effectively
quantifies the permissible amount of data loss in case of interruption. A is
wrong because the recovery time objective (RTO) is the time allowed to
recover a business function or resource after a disaster. B is wrong because the
determination of the recovery point objective (RPO) already takes cost into
consideration. D is wrong because the service delivery objective (SDO) is
directly related to the business needs. The SDO is the level of services reached
during the alternate process mode until the normal situation is restored.)
Which of the following is MOST important to determine the recovery point
objective (RPO) for a critical process in an enterprise?
A. Number of hours of acceptable downtime
B. Total cost of recovering critical systems
C. Extent of data loss that is acceptable
D. Acceptable reduction in the level of service
Daily data backups that are stored offsite and a hot site located 140 kilometers
from the main data center (Of the given choices, this is the most suitable
answer. The disaster recovery plan (DRP) includes a hot site located sufficiently
away from the main data center and will allow recovery during a major
disaster. Not having real-time backups may be a problem depending on the
recovery point objective (RPO). B is wrong because data backups are necessary,
but not having a replication site would be insufficient for the critical
application. C is wrong because, depending on the type of disaster, a hot site
should normally be located more than 500 meters from the main facility.
However, real-time backups may be the best option, depending on the data
RPO. D is wrong because a warm site may take days to recover, so it may not be
a suitable solution.)
Which of the following scenarios provides the BEST disaster recovery plan
(DRP) to implement for critical applications?
A. Daily data backups that are stored offsite and a hot site located 140
kilometers from the main data center
B. Daily data backups that are stored onsite in a fireproof safe
C. Real-time data replication between the main data center and the hot site
located 500 meters from the main site
D. Daily data backups that are stored offsite with a warm site located 70
kilometers from the main data center
regularly reviewed and updated. (The plan should be reviewed at appropriate
intervals, depending upon the nature of the business and the rate of change of
systems and personnel. Otherwise, it may become outdated and ineffective.
The plan must be subjected to regular testing, but the period between tests
will again depend on the organizational nature and the relative importance of
IS. Three months or even annually may be appropriate in different
circumstances. Although the disaster recovery plan should receive the approval
of senior management, for a purely IS-related plan the executive responsible
for technology may be the one who approves it. Similarly, although a business
continuity plan is likely to be circulated throughout an organization, the IS
disaster recovery plan will usually be a technical document only relevant to IS
and communications staff.)
An IS auditor reviewing an organization's IS disaster recovery plan should verify
that it is:
A. tested every six months.
B. regularly reviewed and updated.
C. approved by the chief executive officer (CEO).
D. communicated to every department head in the organization.
Performing preventive maintenance on electrical systems (Preventive
maintenance activities should be scheduled for non-peak times of the day,
preferably during a maintenance window time period. A mishap or incident
caused by a maintenance worker could result in unplanned downtime. A is
wrong because performing data migration may impact performance but would
not cause downtime. C is wrong because promoting applications into a staging
environment (not production) should not affect systems operations
significantly. D is wrong because reconfiguring a standby router should not
cause unexpected downtime because the router is not operational, and any
problems should not affect network traffic.)
Doing which of the following during peak production hours could result in
unexpected downtime?
A. Performing data migration or tape backup
B. Performing preventive maintenance on electrical systems
C. Promoting applications from development to the staging environment
D. Reconfiguring a standby router in the data center
Approval from the information asset owner (It is most important that
information owners approve any changes to production systems to ensure that
no serious business disruption occurs due to the patch release. A is wrong
because while testing is important for any patch, in this case, it should be
assumed that the operating system (OS) vendor tested the patch before
releasing it. Before this OS patch is put into production, the organization should
do system testing to ensure that no issues will occur. C is wrong because the
security officer does not normally need to approve every OS patch. D is wrong
because security patches must be deployed consistently across the organization,
including at alternate sites. However, approval from the information
asset owner is still the most important consideration.)
Which of the following is MOST important when an operating system (OS)
patch is to be applied to a production environment?
A. Successful regression testing by the developer
B. Approval from the information asset owner
C. Approval from the security officer
D. Patch installation at alternate sites
Identify changes that have occurred and verify approvals. (The most effective
method is to determine what changes have been made (check logs and
modified dates) and verify that they have been approved. A is wrong because
software migration records may not have all changes listed—changes that were
not included in the migration records could have been made. C is wrong
because change control records may not list all the changes. D is wrong
because ensuring that only appropriate staff can migrate changes into
production is a key control process but does not verify compliance.)
Which of the following tests performed by an IS auditor would be the MOST
effective in determining compliance with an organization's change control
procedures?
A. Review software migration records and verify approvals.
B. Identify changes that have occurred and verify approvals.
C. Review change control documentation and verify approvals.
D. Ensure that only appropriate staff can migrate changes into production.
results from previous tests. (Previous test results will provide evidence of the
effectiveness of the business continuity plan. A is wrong because comparisons
to standards will give some assurance that the plan addresses the critical
aspects of a business continuity plan but will not reveal anything about its
effectiveness. C is wrong because reviewing emergency procedures would
provide insight into some aspects of the plan but would fall short of providing
assurance of the plan's overall effectiveness. D is wrong because reviewing
offsite storage and environmental controls would provide insight into some
aspects of the plan but would fall short of providing assurance of the plan's
overall effectiveness.)
The BEST method for assessing the effectiveness of a business continuity plan is
to review the:
A. plans and compare them to appropriate standards.
B. results from previous tests.
C. emergency procedures and employee training.
D. offsite storage and environmental controls.
recovery point objective (RPO). (The RPO defines the maximum acceptable data
loss, expressed as the point in time to which data must be recoverable, so the
backup media brought to the warm site must have been created no earlier than
that point. The RTO sets how quickly the site must be operational, the SDO the
level of service provided while running there, and the MTO how long the
organization can tolerate operating in alternate mode.)
After a disaster declaration, the media creation date at a warm recovery site is
based on the:
A. recovery point objective (RPO).
B. recovery time objective (RTO).
C. service delivery objective (SDO).
D. maximum tolerable outage (MTO).
Date and time-stamp reviews of source and object code (Date and time-stamp
reviews of source and object code would ensure that source code, which has
been compiled, matches the production object code. This is the most effective
way to ensure that the approved production source code is compiled and is the
one being used. A is wrong because using version control software and
comparing source and object code is good practice, but may not detect a
problem where the source code is a different version than the object code. B is
wrong because all production libraries should be protected with access
controls, which may protect source code from tampering. However, this will
not ensure that source and object codes are based on the same version. C is
wrong because it is a good practice to protect all source and object code—even
in development. However, this will not ensure source and object code
synchronization.)
Which of the following controls would be MOST effective in ensuring that
production source code and object code are synchronized?
A. Release-to-release source and object comparison reports
B. Library control software restricting changes to source code
C. Restricted access to source code and object code
D. Date and time-stamp reviews of source and object code
with their named account to make the changes (Logging in using the named
user account before using the database administrator (DBA) account provides
accountability by noting the person making the changes.)
A database administrator (DBA) who needs to make emergency changes to a
database after normal working hours should log in:
A. with their named account to make the changes
B. with the shared DBA account to make the changes
C. to the server administrative account to make the changes
D. to the user's account to make the changes
Develop recovery strategies. (Once the business impact analysis (BIA) is
completed, the next phase in the BCP development is to identify the various
recovery strategies and select the most appropriate strategy for recovering
from a disaster that will meet the time lines and priorities defined through the
BIA. The other options are wrong because after selecting a strategy, a specific
business continuity planning (BCP) can be developed, tested and
implemented.)
After completing the business impact analysis (BIA), what is the NEXT step in
the business continuity planning (BCP) process?
A. Test and maintain the plan.
B. Develop a specific plan.
C. Develop recovery strategies.
D. Implement the plan.
A tabletop exercise using the procedures was conducted. (If IT conducted a
paper-based test of the procedures with all responsible members, this would
help ensure that the procedures meet requirements and are useful and
practical during a real disaster. A is wrong because even though documented
procedures were approved by management, this does not ensure that there is
nothing missing. B is wrong because while comparing the procedures with
documented industry good practices is useful, a paper test would be a better
indicator that the procedures meet requirements. D is wrong because the
documentation of recovery teams and their responsibilities would be part of
the procedures, not necessarily validating that the procedures meet
requirements.)
An IS auditor is conducting a review of the disaster recovery (DR) procedures
for a data center. Which of the following indicators is the BEST to show that the
procedures meet the requirements?
A. Documented procedures were approved by management.
B. Procedures were reviewed and compared with industry good practices.
C. A tabletop exercise using the procedures was conducted.
D. Recovery teams and their responsibilities are documented.
Resolved incidents are closed without reference to end users. (The help desk
function is a service-oriented unit. The end users must sign off before an
incident is considered closed. A is wrong because although this is of concern, it
should be expected. A problem escalation procedure should be developed to
handle such scenarios. B is wrong because a help desk team should ideally
have dedicated lines, but this exception is not as serious as the technical team
unilaterally closing an incident. D is wrong because instant messaging is an add-
on to improve the effectiveness of the help desk team. Its absence cannot be
seen as a major concern as long as calls can still be made.)
Which of the following is a MAJOR concern during a review of help desk
activities?
A. Certain calls could not be resolved by the help desk team.
B. A dedicated line is not assigned to the help desk team.
C. Resolved incidents are closed without reference to end users.
D. The help desk instant messaging has been down for over six months.
Hash keys are calculated periodically for programs and matched against hash
keys calculated for the most recent authorized versions of the programs. (The
matching of hash keys over time would allow detection of changes to files. A is
wrong because having a log is not a control; reviewing the log is a control. C is
wrong because the access was already granted at the command line level. It
will be possible for the developers to bypass the control. D is wrong because
removing the tools from the production environment will not mitigate the risk
of unauthorized activity by the developers.)
An IS auditor discovers that developers have operator access to the command
line of a production environment operating system. Which of the following
controls would BEST mitigate the risk of undetected and unauthorized program
changes to the production environment?
A. Commands typed on the command line are logged.
B. Hash keys are calculated periodically for programs and matched against hash
keys calculated for the most recent authorized versions of the programs.
C. Access to the operating system command line is granted through an access
restriction tool with preapproved rights.
D. Software development tools and compilers have been removed from the
production environment.
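The hash-matching control in this question, and the "identify changes that have occurred and verify approvals" test from the change-control question earlier, both come down to the same mechanism: keep a baseline of the hashes of the authorized program versions somewhere the developers cannot write, re-hash production on a schedule, and treat every difference as a change that must be matched to an approval. The following is an added example written for this page, not code from the CISA material; the directory layout, file names and file contents are constructed for the demonstration.

```python
"""Program integrity check against a baseline of authorized hashes.

Added example; it is not part of the CISA material. The file names and
contents below are constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, path: Path) -> None:
    # The baseline belongs outside the monitored tree, on storage the
    # developers and operators cannot write to; otherwise they could simply
    # re-baseline their own change.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def check_integrity(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the authorized baseline.

    Every entry returned is a change that must be matched to an approved
    change record; anything without one is an unauthorized change.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: a release is baselined, then edited from a shell."""
    with tempfile.TemporaryDirectory() as d:
        prod = Path(d) / "prod"
        prod.mkdir()
        (prod / "payroll.sh").write_text("#!/bin/sh\necho run payroll\n")
        (prod / "report.sh").write_text("#!/bin/sh\necho run report\n")
        manifest_path = Path(d) / "authorized-manifest.json"  # kept outside prod/
        save_manifest(build_manifest(prod), manifest_path)

        # Unauthorized activity from the operator command line: one program
        # edited in place, one new script dropped in, one program deleted.
        (prod / "payroll.sh").write_text("#!/bin/sh\necho run payroll\necho tampered\n")
        (prod / "helper.sh").write_text("#!/bin/sh\n")
        (prod / "report.sh").unlink()

        return check_integrity(prod, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check deliberately reports additions and deletions as well as modifications: a developer who drops a new binary next to the approved ones, or removes a program, has changed production just as surely as one who edits a file. Logging the commands typed (option A) records the same events but is only useful if someone reviews the log and the log itself is out of the developers' reach.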
Foreign key structure (Referential integrity in a relational database refers to
consistency between coupled (linked) tables. Referential integrity is usually
enforced by the combination of a primary key or candidate key (alternate key)
and a foreign key. For referential integrity to hold, any field in a table declared a
foreign key should contain only values from a parent table's primary key or a
candidate key. A is wrong because field definitions describe the table layout but
are not directly related to referential integrity. B is wrong because the master
table definition describes the database structure but is not directly related to
referential integrity. C is wrong because composite keys describe how the keys
are created but are not directly related to referential integrity.)
During an application audit, an IS auditor is asked to provide assurance of the
database referential integrity. Which of the following should be reviewed?
A. Field definition
B. Master table definition
C. Composite keys
D. Foreign key structure
Ensure that all persons in the data center are evacuated. (In an emergency, life
safety is always the priority; the complete and orderly evacuation of facility
staff would be the most important activity. A is wrong because notifying the
fire department is unnecessary because most data center alarms are
configured to report to local authorities automatically. B is wrong because fire
suppression systems are designed to operate automatically, and activation
when staff are not yet evacuated could create confusion and panic, leading to
injuries or fatalities. Manual system triggering is necessary under certain
conditions, but only after the safe evacuation of all other data center
personnel. D is wrong because removing data center backup tapes is
inappropriate because it could delay personnel evacuation. Most companies
would have offsite storage backup tapes to mitigate the risk of data loss for this
type of disaster.)
An IS auditor is performing an audit in the data center when the fire alarm
begins sounding. The audit scope includes disaster recovery, so the auditor
observes the data center staff response to the alarm. Which of the following is
the MOST important action for the data center staff to complete in this
scenario?
A. Notify the local fire department of the alarm condition.
B. Prepare to activate the fire suppression system.
C. Ensure that all persons in the data center are evacuated.
D. Remove all backup tapes from the data center.
Default passwords are not changed when installing network devices. (Vendor
default credentials are publicly documented and are the first thing an attacker
tries; leaving them in place gives anyone who can reach the device
administrative control of it and of the traffic it carries. The other findings
are weaknesses that should also be reported, but none hands over control of the
network infrastructure itself.)
An IS auditor is conducting a postimplementation review of an enterprise's
network. Which of the following findings would be of MOST concern?
A. Wireless mobile devices are not password-protected.
B. Default passwords are not changed when installing network devices.
C. An outbound web proxy does not exist.
D. All communication links do not utilize encryption.
The support model was not properly developed and implemented. (The
greatest concern for the IS auditor is that the support model was not
developed and implemented correctly to prevent or react to potential outages.
Incidents could cost the business significant money, and a support model
should be implemented with the project. This should be a step within the SDLC
and procedures; if missed on one project, it may be a symptom of an overall
breakdown in the process. The other options are important, but the more
critical issue is whether the support model was not properly developed and
implemented.)
During an implementation review of a recent application deployment, it was
determined that several incidents were assigned incorrect priorities and,
because of this, failed to meet the business service level agreement (SLA).
What is the GREATEST concern?
A. The support model was not approved by senior management.
B. The incident resolution time specified in the SLA is not realistic.
C. There are inadequate resources to support the applications.
D. The support model was not properly developed and implemented.
Catastrophic service interruption (If a new disaster recovery plan (DRP) is not
tested, the most critical risk is the possibility of a catastrophic service
interruption that the organization cannot recover from. B is wrong because a
DRP that has not been tested may lead to a higher consumption of resources
than expected, but that is not the most critical risk. C is wrong because an
untested DRP may be inefficient and lead to extraordinary costs, but the most
serious risk is the failure of critical services. D is wrong because testing
educates users and recovery teams to execute the DRP effectively, but the most
critical risk is the failure of core business services.)
Due to changes in IT, the disaster recovery plan (DRP) of a large organization
has been changed. What is the PRIMARY risk if the new plan is not tested?
A. Catastrophic service interruption
B. High consumption of resources
C. Total cost of the recovery may not be minimized
D. Users and recovery teams may face severe difficulties when activating the
plan
Cold site (Generally, a cold site is contracted longer at a lower cost. It is
generally used for noncritical applications because it requires more time to
make a cold site operational. A is wrong because a warm site is generally
available at a medium cost, requires less time to become operational, and is
suitable for sensitive operations that should be recovered in a moderate
amount of time. B is wrong because a mobile site is a vehicle ready with all
necessary computer equipment that can be moved to any location, depending
upon the need. The need for a mobile site depends upon the scale of
operations. C is wrong because a hot site is contracted for a shorter period at a
higher cost and is better suited for recovering vital and critical applications.)
Which of the following is the MOST reasonable option for recovering a
noncritical system?
A. Warm site
B. Mobile site
C. Hot site
D. Cold site
Table link/reference checks (Performing table link/reference checks serves to
detect table linking errors (such as completeness and accuracy of the contents
of the database). It thus provides the greatest assurance of database integrity.
A is wrong because audit log procedures enable the recording of all events that
have been identified and help in tracing the events. However, they only point
to the event and do not ensure the completeness or accuracy of the database
contents. C is wrong because querying/monitoring table access time checks
helps designers improve database performance but not integrity. D is wrong
because the rollback and roll forward database features ensure recovery from
an abnormal disruption. They assure the integrity of the transaction being
processed at the time of disruption, but do not provide assurance on the
integrity of the contents of the database.)
Which of the following controls would provide the GREATEST assurance of
database integrity?
A. Audit log procedures
B. Table link/reference checks
C. Query/table access time checks
D. Rollback and rollforward database features
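The foreign-key question earlier and the table link/reference check here are two sides of one control: the foreign key prevents a child row from pointing at a parent that does not exist, and the link check finds rows that slipped through because enforcement was off, the constraint was added later, or data was loaded around it. The following is an added example written for this page using Python's built-in sqlite3 module, not code from the CISA material; the tables and rows are constructed. SQLite is a useful illustration because it leaves foreign-key enforcement OFF on every new connection, which is exactly the kind of setting an auditor must verify rather than assume.

```python
"""Referential integrity: foreign-key enforcement and a table link check.

Added example using Python's built-in sqlite3; not part of the CISA
material. Table names and rows are constructed for the demonstration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE invoice (
    invoice_id  INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
    amount      REAL NOT NULL
);
INSERT INTO customer VALUES (1, 'Acme');
"""

# Table link check: an invoice whose customer_id matches no customer row.
# Portable to any SQL database; SQLite also offers PRAGMA foreign_key_check.
ORPHAN_CHECK = """
SELECT i.invoice_id, i.customer_id
FROM invoice i
LEFT JOIN customer c ON c.customer_id = i.customer_id
WHERE c.customer_id IS NULL
"""


def open_db(enforce_fk: bool) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Must be issued per connection, before any transaction is open.
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    return conn


def fk_enforced(conn: sqlite3.Connection) -> bool:
    """What an auditor should query instead of trusting the schema."""
    return conn.execute("PRAGMA foreign_keys").fetchone()[0] == 1


def insert_invoice(conn, invoice_id, customer_id, amount) -> bool:
    """True if the row was stored, False if the FK constraint rejected it."""
    try:
        with conn:
            conn.execute("INSERT INTO invoice VALUES (?, ?, ?)",
                         (invoice_id, customer_id, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def find_orphans(conn) -> list:
    return conn.execute(ORPHAN_CHECK).fetchall()


def demo() -> dict:
    out = {}
    # Enforcement off: the dangling reference (customer 999 does not exist) is
    # accepted silently and only a periodic link check reveals it.
    weak = open_db(enforce_fk=False)
    out["weak_enforced"] = fk_enforced(weak)
    out["weak_accepted"] = insert_invoice(weak, 10, 999, 50.0)
    out["weak_orphans"] = find_orphans(weak)
    # Enforcement on: the same insert is rejected at write time.
    strong = open_db(enforce_fk=True)
    out["strong_enforced"] = fk_enforced(strong)
    out["strong_accepted"] = insert_invoice(strong, 10, 999, 50.0)
    out["strong_orphans"] = find_orphans(strong)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against a real warehouse, the LEFT JOIN form of the check is the one to keep: it works whether or not the engine enforces constraints, and it is what turns "the schema declares a foreign key" into evidence that the stored data actually satisfies it.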
Perform an end-to-end walk-through of the process (Observation is the best
and most effective method to test changes to ensure that the process is
effectively designed. A is wrong because testing a sample population of
changes tests operating effectiveness to ensure users submit the proper
documentation/requests. It does not test the effectiveness of the design. B is
wrong because testing changes that have been authorized may not provide
sufficient assurance of the entire process, since it does not test the
elements of the process related to authorization or detect changes that bypass
the controls. C is wrong because interviewing personnel in charge of the
change control process is not as effective as a walk-through of the change
controls process because people may know the process but not follow it.)
Which of the following is the MOST efficient way to test the design
effectiveness of a change control process?
A. Test a sample population of change requests
B. Test a sample of authorized changes
C. Interview personnel in charge of the change control process
D. Perform an end-to-end walk-through of the process
Unauthorized access (Untested CGIs can have security weaknesses that allow
unauthorized access to private systems because CGIs are typically executed on
publicly available Internet servers. A is wrong because while untested common
gateway interfaces (CGIs) can cause the end-user web application to be
compromised, this is not likely to make the system unavailable to other users. B
is wrong because untested CGI scripts do not inherently lead to malware
exposures. D is wrong because while untested CGIs can cause the end-user web
application to be compromised, this is not likely to impact system integrity
significantly.)
An internal audit function is reviewing an internally developed common
gateway interface (CGI) script for a web application. The IS auditor discovers
that the script was not reviewed and tested by the quality control function.
Which of the following types of risk is of GREATEST concern?
A. System unavailability
B. Exposure to malware
C. Unauthorized access
D. System integrity
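The kind of weakness an untested CGI script typically carries is simple: a parameter from the request is used to build a file path or a command without validation. The following is an added example written for this page, not the script from the audit scenario or any code from the CISA material. It shows a hypothetical "show document" handler in its vulnerable form beside a hardened form, with the document root and files constructed in a temporary directory; the unauthorized-access outcome the question refers to is a request that walks out of the document root.

```python
"""Untested CGI handler: a path-traversal weakness beside its hardened form.

Added example; not part of the CISA material. The handler, document root and
files are constructed for the demonstration.
"""
import tempfile
from pathlib import Path


def serve_vulnerable(doc_root: Path, requested: str) -> bytes:
    # Joins the untrusted name straight onto the root. ".." segments and
    # absolute paths are honoured, so the caller chooses which file is read.
    return (doc_root / requested).read_bytes()


def serve_hardened(doc_root: Path, requested: str) -> bytes:
    root = doc_root.resolve()
    # resolve() collapses ".." and follows symlinks before the check, so a
    # link inside htdocs pointing outside it is caught too.
    target = (root / requested).resolve()
    if root not in target.parents:
        raise PermissionError("path escapes document root: %r" % requested)
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def try_hardened(doc_root: Path, requested: str):
    """Return the bytes served, or the string 'blocked' if the request was refused."""
    try:
        return serve_hardened(doc_root, requested)
    except (PermissionError, FileNotFoundError):
        return "blocked"


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        doc_root = base / "htdocs"
        doc_root.mkdir()
        (doc_root / "manual.txt").write_text("public manual\n")
        (base / "secret.conf").write_text("db_password=hunter2\n")  # outside htdocs
        return {
            "vuln_public": serve_vulnerable(doc_root, "manual.txt"),
            "vuln_escape": serve_vulnerable(doc_root, "../secret.conf"),  # leaks
            "hard_public": try_hardened(doc_root, "manual.txt"),
            "hard_escape": try_hardened(doc_root, "../secret.conf"),
            "hard_absolute": try_hardened(doc_root, str(base / "secret.conf")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A quality-control review of such a script would consist of exactly the requests in demo(): the normal case, a relative escape and an absolute path. The hardened version also answers the other three options in the question: it does not take the server down, it does not introduce malware, and it reads files rather than writing them, so unauthorized disclosure is the risk that remains when the check is missing.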
A clause providing a "right to audit" the service provider (A missing "right to
audit" clause would potentially prevent the auditor from investigating any
aspect of supplier performance moving forward. It would be a concern for the
auditor because it would require more work for the organization to assess
implementation of appropriate controls. B is wrong because not all contracts
require the payment of penalties for poor performance. C is wrong because as
long as the requirement for service-level reporting is included in the contract,
predefined report templates are not needed. D is wrong because a missing limitation of
liability clause for the service provider would expose the provider to unlimited
liability. This would be to the advantage of the outsourcing company, so while
the auditor might highlight the absence of such a clause, it would not be a
concern.)
An IS auditor reviewing a new outsourcing contract with a service provider
would be MOST concerned if which of the following was missing?
A. A clause providing a "right to audit" the service provider
B. A clause defining penalty payments for poor performance
C. Predefined service level report templates
D. A clause regarding supplier limitation of liability
Implement a properly documented process for application role change
requests. (The auditor should recommend implementing processes that could
prevent or detect improper changes from being made to the major application
roles. The application role change request process should start and be
approved by the business owner; then, the IS director can make the changes to
the application. B is wrong because while it is preferred that strict SoD be
adhered to and that additional staff be recruited, this practice is not always
possible in small enterprises. C is wrong because an automated process for
managing application roles may not be practical to prevent improper changes
from being made by the IS director, who also has the most privileged access to
the application. D is wrong because making the existing process available on
the enterprise intranet would not provide any value to protect the system.)
During an audit of a small enterprise, the IS auditor noted that the IS director
has superuser-privilege access that allows the director to process requests for
changes to the application access roles (access types). Which of the following
should the IS auditor recommend?
A. Implement a properly documented process for application role change
requests.
B. Hire additional staff to provide a segregation of duties (SoD) for application
role changes.
C. Implement an automated process for changing application roles.
D. Document the current procedure in detail, and make it available on the
enterprise intranet.
Perform a business impact analysis (BIA). (A business impact analysis (BIA) will
give the impact of the loss of each application. A BIA is conducted with
business representatives who can accurately describe the criticality of a system
and its importance to the business. A is wrong because interviews with the
application programmers will provide limited information related to the
criticality of the systems. B is wrong because a gap analysis is relevant to
system development and project management but does not determine
application criticality. C is wrong because the audits may not contain the
required information about application criticality or may not have been done
recently.)
Which of the following is the BEST method for determining the criticality of
each application system in the production environment?
A. Interview the application programmers.
B. Perform a gap analysis.
C. Review the most recent application audits.
D. Perform a business impact analysis (BIA).
Test results are not adequately documented. (The effectiveness of a BCP can
best be determined through tests. If the results of tests are not documented,
then there is no basis for feedback, updates, etc. A is wrong because ideally,
the board of directors should approve the plan to ensure acceptability, but it is
possible to delegate approval authority to the chief information officer (CIO).
Pragmatically, a lack of documentation of test results could have more
significant consequences. B is wrong because the contact lists are an important
part of the BCP; however, they are not as important as documenting the test
results. D is wrong because if test results are documented, a need for training
will be identified, and the BCP will be updated.)
Which of the following should be a MAJOR concern for an IS auditor reviewing
a business continuity plan (BCP)?
A. The plan is approved by the chief information officer (CIO).
B. The plan contact lists have not been updated.
C. Test results are not adequately documented.
D. The training schedule for recovery personnel is not included.
Protocol analyzer (Protocol analyzers are network diagnostic tools that monitor
and record network information from packets traveling in the link to which the
analyzer is attached. A is wrong because online monitors measure
telecommunication transmissions and determine whether transmissions are
accurate and complete. B is wrong because downtime reports track the
availability of telecommunication lines and circuits. C is wrong because help
desk reports are prepared by the help desk, which is staffed or supported by IS
technical support personnel trained to handle problems occurring during IS
operations.)
Which of the following is a network diagnostic tool that monitors and records
network information?
A. Online monitor
B. Downtime report
C. Help desk report
D. Protocol analyzer
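What a protocol analyzer does with the frames it records is decode the protocol headers layer by layer so the analyst can see addresses, ports and flags rather than raw bytes. The following is an added example written for this page, not code from the CISA material or from any analyzer product: a minimal decoder for an Ethernet/IPv4/TCP frame, including the IPv4 header checksum verification a real tool performs. The frame it decodes is constructed by hand rather than captured from a link, and the header layouts follow RFC 791 (IPv4) and RFC 793 (TCP).

```python
"""Minimal protocol analyzer: decode an Ethernet/IPv4/TCP frame.

Added example; not part of the CISA material. The frame is constructed, not
captured; MAC and IP addresses are placeholders.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, checksum, src, dst
TCP_FMT = "!HHIIBBHHH"       # sport, dport, seq, ack, data offset, flags, window, checksum, urgent


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed frame: 10.0.0.5:44444 -> 10.0.0.10:443, TCP SYN, no payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack(TCP_FMT, 44444, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    fields = [0x45, 0, 20 + len(tcp), 1, 0x4000, 64, PROTO_TCP, 0,
              bytes([10, 0, 0, 5]), bytes([10, 0, 0, 10])]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))  # fill in the checksum
    return eth + struct.pack(IPV4_FMT, *fields) + tcp


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet, IPv4 and TCP headers; raise on truncated or malformed input."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return out                          # not IPv4: stop at layer 2

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _chk, src, dst = struct.unpack(IPV4_FMT, ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed IPv4 header")
    out.update({
        "ip_src": ".".join(map(str, src)),
        "ip_dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "protocol": proto,
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    })
    if proto != PROTO_TCP:
        return out

    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_res, flags, _win, _sum, _urg = struct.unpack(TCP_FMT, tcp[:20])
    out.update({
        "tcp_sport": sport,
        "tcp_dport": dport,
        "seq": seq,
        "tcp_flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "payload_len": len(tcp) - (off_res >> 4) * 4,
    })
    return out


if __name__ == "__main__":
    for key, value in decode_frame(build_sample_frame()).items():
        print(f"{key:16} {value}")
```

The length and version checks are not decoration: an analyzer attached to a live link sees whatever the link carries, including truncated and deliberately malformed frames, and a decoder that trusts the length fields in a packet is itself a target. The same decode, applied to every frame on the link, is also why an analyzer is a confidentiality concern in its own right and should be treated as a privileged tool.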
the software has not been subsequently modified. (Code signing ensures that
the executable code came from a reputable source and has not been modified
after signing. B is wrong because signing code will not ensure that it will
integrate with other applications. C is wrong because code signing will provide
assurance of the source but will not ensure that the source is trusted. The code
signing will, however, ensure that the code has not been modified. D is wrong
because compromising the sender's private key would result in a loss of trust
and is not the purpose of code signing.)
The purpose of code signing is to provide assurance that:
A. the software has not been subsequently modified.
B. the application can safely interface with another signed application.
C. the signer of the application is trusted.
D. the private key of the signer has not been compromised.
Risk assessment (Risk assessment and business impact assessment are tools for
understanding the business as a part of BCP. A is wrong because the business
continuity self-audit is a tool for evaluating the adequacy of the business
continuity plan (BCP) but not for understanding the business. B is wrong
because resource recovery analysis is a tool for identifying the components
necessary for a business resumption strategy but not for gaining an
understanding of the business. D is wrong because the role of gap analysis in
BCP is to identify deficiencies in a plan, not to build an understanding of the
business.)
When developing a business continuity plan (BCP), which of the following tools
should be used to gain an understanding of the organization's business
processes?
A. Business continuity self-audit
B. Resource recovery analysis
C. Risk assessment
D. Gap analysis
communicated to appropriate personnel. (The implementation of a BCP will be
effective only if appropriate personnel are informed and aware of all the
aspects of the BCP. A is wrong because the BCP, if kept in a safe place, will not
reach the users; users will never implement the BCP; thus, the BCP will be
ineffective. B is wrong because senior management approval is a prerequisite
for designing and approving the BCP but is less important than making sure
that the plan is available to all key personnel to ensure that the plan will be
effective. D is wrong because making a BCP available on an enterprise's
intranet does not guarantee that personnel can access, read, or understand it.)
For effective implementation after a business continuity plan (BCP) has been
developed, it is MOST important that the BCP be:
A. stored in a secure, offsite facility.
B. approved by senior management.
C. communicated to appropriate personnel.
D. made available through the enterprise's intranet.
Ensure that supervisory approval and review are performed for critical
changes. (Supervisory approval and review of critical changes by the
accountable managers in the enterprise are required to avoid and detect any
unauthorized change. In addition to authorization, supervision enforces a
separation of duties and prevents an unauthorized attempt by any single
employee. A is wrong because audit trails are a detective control and, in many
cases, can be altered by those with privileged access. B is wrong because staff
proficiency is important, and good training may be somewhat of a deterrent,
but supervisory approval and review is the best choice. C is wrong because
performing background checks is a basic control and will not effectively prevent
or detect errors or malfeasance.)
An enterprise uses privileged accounts to process configuration changes for
mission-critical applications. Which of the following would be the BEST and
appropriate control to limit the risk in such a situation?
A. Ensure that audit trails are accurate and specific.
B. Ensure that personnel have adequate training.
C. Ensure that personnel background checks are performed for critical
personnel.
D. Ensure that supervisory approval and review are performed for critical
changes.
the program is validated against vendor specifications. (Maintenance
requirements vary based on complexity and performance workloads, but a
hardware maintenance schedule should be validated against vendor-provided
specifications. A is wrong because unplanned maintenance cannot be
scheduled. B is wrong because hardware maintenance programs do not
necessarily need to be in line with historical trends. C is wrong because the
steering committee normally does not approve maintenance schedules.)
When reviewing a hardware maintenance program, an IS auditor should assess
whether:
A. the schedule of all unplanned maintenance is maintained.
B. it is in line with historical trends.
C. it has been approved by the IS steering committee.
D. the program is validated against vendor specifications.
processing in priority order, as defined by business management. (Business
management should know which systems are critical and what they must
process well before a disaster. It is management's responsibility to develop and
maintain the plan. Adequate time will not be available for this determination
once the disaster occurs. IS and the information processing facility are service
organizations that assist general user management in successfully performing
their jobs. A is wrong because a disaster recovery plan (DRP) will first recover
the most critical systems according to business priorities. B is wrong because,
depending on business priorities, financial systems may or may not be the first
to be recovered. C is wrong because the business manager, not the IS manager,
will determine priorities for system recovery.)
An organization's disaster recovery plan (DRP) should address early recovery of:
A. all information systems processes.
B. all financial processing applications.
C. only those applications designated by the IS manager.
D. processing in priority order, as defined by business management.
disaster tolerance is low. (Disaster tolerance is the time gap during which the
business can accept the nonavailability of IT facilities. If this time gap is low,
recovery strategies that can be implemented within a short period, such as a
hot site, should be used. B is wrong because the RPO is the point in time to
which data must be restored after an interruption; a high RPO means that the
business can tolerate greater data loss, which does not by itself call for a hot
site. C is wrong because a high RTO means that additional time would be
available for recovery, making other alternatives, such as warm or cold sites,
viable. D is wrong because if the MTD is long, a warm or cold site is more
cost-effective.)
A hot site should be implemented as a recovery strategy when the:
A. disaster tolerance is low.
B. recovery point objective (RPO) is high.
C. recovery time objective (RTO) is high.
D. maximum tolerable downtime (MTD) is long.
Functional test of a scenario with limited IT involvement (The IT disaster
recovery measures have already been tested for years and the new BCP has
passed a tabletop exercise, so the next step is a functional test that exercises
the business-side procedures of the BCP with limited IT involvement. A is
wrong because a full-scale relocation of all departments is premature and
disproportionately disruptive for a plan that has so far only been walked
through on paper. B is wrong because a walk-through of predefined scenarios is
essentially another tabletop exercise and adds little assurance. C is wrong
because the IT disaster recovery capability has already been tested regularly;
it is the business continuity side of the plan that remains unverified.)
A medium-sized organization, whose IT disaster recovery measures have been
in place and regularly tested for years, has just developed a formal business
continuity plan (BCP). A basic BCP tabletop exercise has been performed
successfully. Which testing should an IS auditor recommend be performed
NEXT to verify the adequacy of the new BCP?
A. Full-scale test with relocation of all departments, including IT, to the
contingency site
B. Walk-through test of a series of predefined scenarios with all critical
personnel involved
C. IT disaster recovery test with business departments involved in testing the
critical applications
D. Functional test of a scenario with limited IT involvement
the client's change management process is adequate. (The change
management process, which would include procedures regarding
implementing changes during production hours, helps to ensure that this type
of event does not recur. An IS auditor should review the change management
process, including patch management procedures, to verify that the process
has adequate controls and make suggestions accordingly. A is wrong because
while system administrators normally install patches, making changes
according to a formal procedure that includes testing and implementing the
change during nonproduction times is more important. C is wrong because
testing a patch in the production environment is exactly what exposed the
system to the crash; patches can rarely be tested exhaustively, so it is more
important that changes be made during nonproduction times and that a
backout plan is in place in case of problems. D is wrong because an approval
process alone could not directly prevent this type of incident from
happening.)
During fieldwork, an IS auditor experienced a system crash caused by a security
patch installation. To provide reasonable assurance that this event will not
recur, the IS auditor should ensure that:
A. only systems administrators perform the patch process.
B. the client's change management process is adequate.
C. patches are validated using parallel testing in production.
D. an approval process of the patch, including a risk assessment, is developed.
they are set to meet security and performance requirements. (The primary
concern is to find the balance between security and performance. B is wrong
because recording and periodically reviewing changes in an audit trail is a
detective control; if parameters are not set according to business rules,
monitoring changes may not be an effective control. C is wrong because
reviewing changes for authorization and supporting documents is also a
detective control; if parameters are set incorrectly, the related documentation
and the fact that the changes were authorized do not reduce the impact. D is
wrong because restricting access to parameters ensures that only authorized
staff can access them; however, if the parameters are set incorrectly,
restricting access will still leave an adverse impact.)
When reviewing system parameters, an IS auditor's PRIMARY concern should
be that:
A. they are set to meet security and performance requirements.
B. changes are recorded in an audit trail and periodically reviewed.
C. changes are authorized and supported by appropriate documents.
D. access to parameters in the system is restricted.
Update the IT asset inventory (An IT assets inventory is the basic input for the
business continuity/disaster recovery plan, and the plan must be updated to
reflect changes in the IT infrastructure. A is wrong because before validating
that the new hardware is compatible with the recovery site, the business
continuity manager should update the listing of all equipment and IT assets
included in the BCP. B is wrong because the implementation report will be of
limited value to the business continuity manager. After all, the equipment has
been installed. C is wrong because the walk-through of the plan should only be
done after the asset inventory has been updated.)
Which of the following activities should the business continuity manager
perform FIRST after the replacement of hardware at the primary information
processing facility?
A. Verify compatibility with the hot site
B. Review the implementation report
C. Perform a walk-through of the disaster recovery plan (DRP)
D. Update the IT asset inventory
results of business continuity tests performed by IS and end-user personnel.
(The effectiveness of the BCP can best be evaluated by reviewing the results
from previous business continuity tests for thoroughness and accuracy in
accomplishing their stated objectives. Only testing provides an accurate
assessment of the effectiveness of the BCP. A is wrong because alignment of
the BCP with industry good practices does not provide assurance that the plan
works. C is wrong because the offsite facility, its contents, security, and
environmental controls do not provide assurance of the effectiveness of the
BCP. D is wrong because the annual financial cost of the BCP activities versus
the expected benefit of implementing the plan does not provide assurance of
the effectiveness of the BCP.)
An IS auditor can verify that an organization's business continuity plan (BCP) is
effective by reviewing the:
A. alignment of the BCP with industry good practices.
B. results of business continuity tests performed by IS and end-user personnel.
C. offsite facility, its contents, security and environmental controls.
D. annual financial cost of the BCP activities versus the expected benefit of the
implementation of the plan.
Business process owners (Business process owners have the most relevant
information to contribute because the business impact analysis (BIA) is
designed to evaluate criticality and recovery timelines, based on business
needs. B is wrong because while IT management must be involved, they may
not be fully aware of the business processes that must be protected. C is wrong
because while senior management must be involved, they may not be fully
aware of the criticality of applications that must be protected. D is wrong
because the BIA depends on the organization's unique business needs, and the
advice of industry experts is of limited value.)
Which of the following groups is the BEST source of information for
determining the criticality of application systems as part of a business impact
analysis (BIA)?
A. Business process owners
B. IT management
C. Senior business management
D. Industry experts
ensure that the service level requirements are met (Capacity monitoring has
multiple objectives; however, the primary objective is to ensure compliance
with the internal service level agreement between the business and IT. A is
wrong because identifying procurement needs is one benefit of monitoring
technical capacity, since monitoring helps forecast future demand rather than
merely reacting to system failures; however, the primary responsibility of the
IT manager is to ensure that IT is meeting the service level expectations of the
business. B is wrong because determining future capacity is one definite
benefit of technical capacity monitoring but not its primary purpose. D is
wrong because IT management is interested in ensuring that systems operate
at optimal capacity, but their primary obligation is to ensure that IT is meeting
the service level requirements of the business.)
The PRIMARY benefit of an IT manager monitoring technical capacity is to:
A. identify the need for new hardware and storage procurement
B. determine the future capacity need based on usage
C. ensure that the service level requirements are met
D. ensure the systems operate at optimal capacity
A determination of acceptable downtime (A determination of acceptable
downtime is made only in a BIA. A is wrong because an inventory of critical
assets is completed in both a risk assessment and a BIA. B is wrong because an
identification of vulnerabilities is relevant in both a risk assessment and a BIA. C
is wrong because a threat listing is relevant in a risk assessment and a BIA.)
Which of the following distinguishes a business impact analysis (BIA) from a
risk assessment?
A. An inventory of critical assets
B. An identification of vulnerabilities
C. A listing of threats
D. A determination of acceptable downtime
evaluate the adequacy of the service levels that the vendor can provide in a
contingency. (A key factor in a successful outsourcing environment is the
capability of the vendor to face a contingency and continue to support the
organization's processing requirements. B is wrong because financial stability is
unrelated to the vendor's BCP. C is wrong because the experience of the
vendor's staff is not related to the vendor's BCP. D is wrong because the review
of the vendor's BCP during a feasibility study is not a way to test the vendor's
BCP.)
During a feasibility study regarding outsourcing IT processing, the relevance for
the IS auditor of reviewing the vendor's business continuity plan (BCP) is to:
A. evaluate the adequacy of the service levels that the vendor can provide in a
contingency.
B. evaluate the financial stability of the service bureau and its ability to fulfill
the contract.
C. review the experience of the vendor's staff.
D. test the BCP.
Data restoration was completed. (The most reliable method to determine
whether a backup is valid is to restore it to a system. A data restore test
should be performed periodically, at least annually, to verify that the process
works properly. A is wrong because a tabletop test is extremely helpful but does
not ensure that the recovery process works properly. C is wrong because
approved recovery procedures will not ensure that data can be restored
successfully. D is wrong because while having appropriate staff resources is
necessary, without data the recovery would not be successful.)
Which of the following choices would MOST likely ensure that a disaster
recovery (DR) effort is successful?
A. The tabletop test was performed.
B. Data restoration was completed.
C. Recovery procedures are approved.
D. Appropriate staff resources are committed.
Load balancing (Load balancing best ensures uninterrupted system availability
by distributing traffic across multiple servers. Load balancing helps ensure
consistent response time for web applications. Also, if a web server fails, load
balancing directs traffic to a different, functional server. A is wrong because
disk mirroring provides real-time replication of disk drives but does not ensure
uninterrupted system availability if a server crashes. B is wrong because RAID
technology improves storage resiliency but does not protect against failure of
a NIC or CPU. C is wrong because DDNS is a method used to assign a hostname
to a dynamically changing IP address. This is a useful technology but does not
help ensure availability.)
Which of the following BEST ensures that users have uninterrupted access to a
critical, heavily utilized web-based application?
A. Disk mirroring
B. Redundant Array of Inexpensive Disks (RAID) technology
C. Dynamic domain name system (DDNS)
D. Load balancing
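The failover behaviour the explanation describes (a failed server is taken out of rotation and traffic continues to the remaining servers, then the server returns once a health check passes) is easy to see in a small simulation. The following is an added example, not code from the original page; the backend names, the in-memory `Backend` class and the request strings are constructed for illustration.

```python
import itertools

class Backend:
    """A constructed stand-in for one web server behind the load balancer."""
    def __init__(self, name, healthy=True):
        self.name = name
        self.healthy = healthy
        self.served = 0

    def probe(self):
        # A real active health check would hit something like /healthz.
        return self.healthy

    def handle(self, request):
        if not self.healthy:
            raise ConnectionError(f"{self.name} is down")
        self.served += 1
        return f"{self.name} served {request}"

class LoadBalancer:
    """Round-robin over a pool. A backend that fails a request is removed
    from rotation immediately (passive detection) and only returns after an
    active health check marks it healthy again."""
    def __init__(self, backends):
        self.backends = list(backends)
        self.available = {b.name for b in self.backends}
        self._rr = itertools.cycle(self.backends)

    def health_check(self):
        for b in self.backends:
            if b.probe():
                self.available.add(b.name)
            else:
                self.available.discard(b.name)
        return set(self.available)

    def dispatch(self, request):
        # Try at most one full pass over the pool before giving up.
        for _ in range(len(self.backends)):
            b = next(self._rr)
            if b.name not in self.available:
                continue
            try:
                return b.handle(request)
            except ConnectionError:
                self.available.discard(b.name)
        raise RuntimeError("no healthy backend")

def demo():
    web1, web2, web3 = Backend("web1"), Backend("web2"), Backend("web3")
    lb = LoadBalancer([web1, web2, web3])
    first = [lb.dispatch(f"req{i}") for i in range(3)]        # one request per server
    web2.healthy = False                                       # web2 crashes
    during = [lb.dispatch(f"req{i}") for i in range(3, 7)]    # users never see the failure
    web2.healthy = True                                        # web2 is repaired
    lb.health_check()                                          # probe puts it back in rotation
    after = [lb.dispatch(f"req{i}") for i in range(7, 10)]
    return first, during, after, {b.name: b.served for b in (web1, web2, web3)}
```

Calling `demo()` shows that none of the requests issued while web2 is down reach it and that, across all ten requests, every one was served; the cost of the outage is only the uneven distribution (web1 and web3 absorb web2's share until it returns).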
security policy be updated to include specific language regarding unauthorized
software. (Lack of specific language addressing unauthorized software in the
acceptable use policy is a weakness in administrative controls. A is wrong
because an auditor must report on observations noted and make the best
recommendation to address the situation through policy. The IS department
cannot implement controls without the authority provided through policy. C is
wrong because preventing unauthorized software downloads is not the
complete solution. Unauthorized software can also be introduced through CDs
and USB drives. D is wrong because requiring approval from the IS manager
before installing nonstandard software is an exception handling control. It
would be ineffective unless a preventive control to prohibit user installation of
unauthorized software is established first.)
An IS auditor discovers that some users have installed personal software on
their PCs. This is not explicitly forbidden by the security policy. Of the following,
the BEST approach for an IS auditor is to recommend that the:
A. IS department implement control mechanisms to prevent unauthorized
software installation.
B. security policy be updated to include specific language regarding
unauthorized software.
C. IS department prohibit the download of unauthorized software.
D. users obtain approval from an IS manager before installing nonstandard
software.
Paper (A paper test (sometimes called a deskcheck) is appropriate for testing a
BCP. It is a walk-through of the entire BCP, or part of the BCP, involving major
players in the BCP's execution who reason out what may happen in a particular
disaster. A is wrong because a pilot test is used to implement a new process or
technology and is inappropriate for a BCP. C is wrong because a unit test is used
to test new software components and is not appropriate for a BCP. D is wrong
because a system test is an integrated test used to test a new IT system but is
not appropriate for a BCP.)
Which of the following is an appropriate test method to apply to a business
continuity plan (BCP)?
A. Pilot
B. Paper
C. Unit
D. System
Implement integrity constraints in the database. (Implementing integrity
constraints in the database is a preventive control because data are checked
against predefined tables or rules, which prevents any undefined data from
being entered. A is wrong because logging all table update transactions
provides audit trails and is a detective control but will not prevent the
introduction of inaccurate data. C is wrong because before and after image
reporting makes it possible to trace transactions' impact on computer records
and is a detective control. D is wrong because tracing and tagging are used to
test application systems and controls but are not preventive controls that can
avoid out-of-range data.)
An IS auditor finds out-of-range data in some tables of a database. Which of the
following controls should the IS auditor recommend to avoid this situation?
A. Log all table update transactions.
B. Implement integrity constraints in the database.
C. Implement before and after image reporting.
D. Use tracing and tagging.
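The preventive character of integrity constraints is worth seeing concretely: the engine rejects the out-of-range row at insert time, so there is nothing for an auditor to find later. The following is an added example, not code from the original page. It uses Python's built-in `sqlite3` module; the `products`/`orders` schema and the ranges (quantity 1 to 1000, discount 0 to 0.5) are constructed business rules for illustration.

```python
import sqlite3

# Constructed schema: CHECK constraints encode the business rules and the
# FOREIGN KEY ties orders to known products. These are preventive controls:
# a violating row is refused rather than stored and detected afterwards.
SCHEMA = """
CREATE TABLE products (
    sku  TEXT PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE orders (
    id       INTEGER PRIMARY KEY,
    sku      TEXT    NOT NULL REFERENCES products(sku),
    quantity INTEGER NOT NULL CHECK (quantity BETWEEN 1 AND 1000),
    discount REAL    NOT NULL DEFAULT 0 CHECK (discount >= 0 AND discount <= 0.5)
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when enabled
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO products VALUES ('WIDGET-1', 'Widget')")
    return conn

def insert_order(conn, sku, quantity, discount=0.0):
    """Return True if the row was accepted, False if a constraint rejected it."""
    try:
        with conn:   # commits on success, rolls back on exception
            conn.execute(
                "INSERT INTO orders (sku, quantity, discount) VALUES (?, ?, ?)",
                (sku, quantity, discount),
            )
        return True
    except sqlite3.IntegrityError:
        return False

def order_count(conn):
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]

def demo():
    conn = open_db()
    results = {
        "valid": insert_order(conn, "WIDGET-1", 10, 0.1),
        "quantity_too_high": insert_order(conn, "WIDGET-1", 5000),
        "negative_discount": insert_order(conn, "WIDGET-1", 1, -0.2),
        "unknown_sku": insert_order(conn, "NOPE", 1),
    }
    results["rows_stored"] = order_count(conn)
    return results
```

Only the valid row survives; the three bad inserts raise `sqlite3.IntegrityError` and leave no trace in the table, which is the difference between this control and logging or before/after image reporting, both of which would have recorded the bad data after the fact. Note the `PRAGMA foreign_keys = ON`: without it SQLite silently accepts the unknown SKU, a reminder that a constraint only prevents what the engine is actually configured to enforce.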
Confirm the content of the agreement with both departments. (An IS auditor
should confirm and understand the current practice before making
recommendations. Part of this is ensuring that both parties agree on the terms
of the agreement. A is wrong because there is no reason to postpone an audit
merely because a service agreement is undocumented, unless the agreement
itself is all that is being audited; it can be documented once it has been
established that an agreement is in place. B is wrong because reporting to
senior management is not necessary at this stage of the audit, as this is not a
serious immediate vulnerability. D is wrong because drafting a service level
agreement (SLA) is not the IS auditor's responsibility.)
During a human resources (HR) audit, an IS auditor is informed that there is a
verbal agreement between the IT and HR departments as to the level of IT
services expected. In this situation, what should the IS auditor do FIRST?
A. Postpone the audit until the agreement is documented.
B. Report the existence of the undocumented agreement to senior
management.
C. Confirm the content of the agreement with both departments.
D. Draft a service level agreement (SLA) for the two departments.
Gain more assurance on the findings through root cause analysis. (A change
management process is critical to IT production systems. Before recommending
that the organization take any other action, the auditor should gain assurance
that the incidents reported are related to deficiencies in the change
management process and not caused by some process other than change
management. A is wrong because while it may be necessary to redesign the
change management process, this cannot be done until a root cause analysis is
conducted to determine why the current process is not being followed. C is
wrong because a business relies on being able to make changes when
necessary. Security patches must often be deployed promptly. It would be
impossible to halt all changes until a new process is developed. D is wrong
because the audit results will be delivered to management once a root cause
analysis of the issue has been completed.)
During a change control audit of a production system, an IS auditor finds that
the change management process is not formally documented and that some
migration procedures failed. What should the IS auditor do next?
A. Recommend redesigning the change management process.
B. Gain more assurance on the findings through root cause analysis.
C. Recommend that program migration be stopped until the change process is
documented.
D. Document the finding and present it to management.
Server utilization data (Monitoring server utilization identifies underutilized
servers and tracks overall server utilization. Underutilized servers do not
provide the business with optimal cost-effectiveness. By monitoring server
usage, IT management can take appropriate measures to raise the utilization
ratio and provide the most effective ROI. A is wrong because benchmark tests
are designed to compare system performance using standardized criteria;
server utilization data provide better evidence of whether the servers are
optimally configured. B is wrong because a server log contains data showing
activities performed on the server but does not contain the utilization data
required to ensure the optimal configuration of servers. C is wrong because a
downtime report identifies the elapsed time during which a computer is not
operating correctly due to machine failure but does not help determine
optimal server configurations.)
Which of the following should the IS auditor review to ensure that servers are
optimally configured to support processing requirements?
A. Benchmark test results
B. Server logs
C. Downtime reports
D. Server utilization data
manager initiates a change request and subsequently approves it. (Initiating
and subsequently approving a change request violates the principle of
segregation of duties. A person should not be able to approve their requests. A
is wrong because involving a user in testing changes is common practice. B is
wrong because having a programmer code a change in development and then
separately test the change in a test environment is a good practice and
preferable over testing in production. C is wrong because having a manager
review a change to make sure it was done correctly is an acceptable practice.)
During the review of an in-house developed application, the GREATEST concern
to an IS auditor is if a:
A. user raises a change request and tests it in the test environment.
B. programmer codes a change in the development environment and tests it in
the test environment.
C. manager approves a change request and then reviews it in production.
D. manager initiates a change request and subsequently approves it.
A system downtime log (A system downtime log provides information regarding
the effectiveness and adequacy of computer preventive maintenance
programs. The log is a detective control, but because it validates the
effectiveness of the maintenance program, it validates a preventive control. B is
wrong because the vendor's reliability figures are not an effective measure of a
preventive maintenance program. C is wrong because reviewing the log is a
good detective control to ensure that maintenance is done; however, only the
system downtime will indicate whether the preventive maintenance is working
well. D is wrong because a schedule is a good control to ensure that
maintenance is scheduled and that no items are missed in the maintenance
schedule; however, it is not a guarantee that the work is being done.)
Which of the following would an IS auditor consider to be MOST helpful when
evaluating the effectiveness and adequacy of a preventive computer
maintenance program?
A. A system downtime log
B. Vendors' reliability figures
C. Regularly scheduled maintenance log
D. A written preventive maintenance schedule
Disk space utilization data are not kept current. (Not knowing how much disk
space is in use and, therefore, how much is needed at the disaster recovery site
could create major issues in the case of a disaster. A is wrong because while it is
not a good practice for security administrators to share accounts that stay
active, the greater risk in this scenario would be running out of disk space. C is
wrong because the particular physical characteristics of the disaster recovery
site may call for different controls that may appear less robust than those of
the main site. D is wrong because as long as the servers at the hot site are
capable of running the programs that are required in a disaster recovery
situation, the precise capabilities of the servers at the hot site are not a major
risk.)
An IS auditor is performing a review of the disaster recovery hot site used by a
financial institution. Which of the following would be the GREATEST concern?
A. System administrators use shared accounts which never expire at the hot
site.
B. Disk space utilization data are not kept current.
C. Physical security controls at the hot site are less robust than at the main site.
D. Servers at the hot site do not have the same specifications as at the main
site.
data restoration tests are not being regularly performed. (The only way to
ensure with certainty that a backup is working is to perform a data restoration
test. If this were not being done regularly, it would be a concern. B is wrong
because current backup technology utilizes disk-to-disk backup technology,
which is considered reliable and will have a faster recovery time than tape, so
this would be fine. C is wrong because while it is important to maintain logs to
document that the backup process is operating effectively, not retaining the
logs would not be a major concern. D is wrong because encrypting backup data
may be required in certain cases to protect valuable data, but critical data may
not necessarily be classified as confidential. Because encryption adds time and
expense to the backup process, it would only be used when required to meet
the security requirements rather than in all cases.)
An IS auditor is reviewing the backup strategy and the backup technology in
use by an organization. The IS auditor would be MOST concerned if:
A. data restoration tests are not being regularly performed.
B. disk subsystems are being backed up to other disks, and not to tape.
C. daily backup logs are purged quarterly.
D. backups of critical company data are not encrypted.
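Both this question and the earlier one on data restoration make the same point: the only evidence that a backup works is a restore that is checked against what was backed up. The following is an added example of such a restore test, not code from the original page; it uses only the Python standard library, the `prod`/`backup` directory names and the two sample files are constructed, and the `corrupt` flag simulates a restore that silently came back with damaged content.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of_tree(root):
    """Map relative path -> SHA-256 for every file under root."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests

def take_backup(source, backup_dir):
    """Copy the tree and return a manifest of hashes taken at backup time.
    The manifest is what the restore test later compares against."""
    shutil.copytree(source, backup_dir)
    return sha256_of_tree(source)

def restore_test(backup_dir, manifest, corrupt=False):
    """Restore into a scratch location, never over production, and compare
    every file against the manifest. Returns (ok, mismatched_paths)."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restored"
        shutil.copytree(backup_dir, target)
        if corrupt:
            # Constructed failure: simulate a restore that returned bad data.
            (target / "ledger.csv").write_bytes(b"garbage")
        restored = sha256_of_tree(target)
        mismatched = sorted(
            p for p in set(manifest) | set(restored)
            if manifest.get(p) != restored.get(p)
        )
        return (not mismatched, mismatched)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "prod"
        (src / "data").mkdir(parents=True)
        # Constructed sample data standing in for critical company files.
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "data" / "config.ini").write_text("[db]\nhost=localhost\n")
        backup = Path(tmp) / "backup"
        manifest = take_backup(src, backup)
        good = restore_test(backup, manifest)
        bad = restore_test(backup, manifest, corrupt=True)
        return good, bad
```

A successful run returns `(True, [])`; the simulated bad restore returns `(False, ['ledger.csv'])`, naming exactly the file that would have been lost. The design points that matter for an audit: the manifest is captured at backup time, the restore goes to an isolated location, and the comparison covers files present on either side, so a file missing from the restore is reported as well as a corrupted one.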
system and the IT operations team can sustain operations in the emergency
environment. (The applications have been operated intensively, but the
capability of the system and the IT operations team to sustain and support this
environment (ancillary operations, batch closing, error corrections, output
distribution, etc.) is only partially tested. B is wrong because the test involved
intensive usage; the backup would seem able to handle the transaction load. C
is wrong because users could connect to and use the system; the response time
must have been satisfactory. D is wrong because the business's intensive tests
indicated that the workflow systems worked correctly. Environmental changes
could pose a future problem, but it is working correctly now.)
A live test of a mutual agreement for IT system recovery has been carried out,
including a four-hour test of intensive usage by the business units. The test has
been successful, but gives only partial assurance that the:
A. system and the IT operations team can sustain operations in the emergency
environment.
B. resources and the environment could sustain the transaction load.
C. connectivity to the applications at the remote site meets response time
requirements.
D. workflow of actual business operations can use the emergency system in
case of a disaster.
Downtime costs increase with time. (Downtime costs—such as loss of sales,
idle resources, and salaries—increase with time. A disaster recovery plan (DRP)
should be drawn to achieve the lowest downtime costs possible. A is wrong
because downtime costs are not related to the recovery point objective (RPO).
The RPO defines the data backup strategy related to recovery costs rather than
downtime costs. C is wrong because recovery costs decrease with the time
allowed for recovery. For example, recovery costs to recover business
operations within two days will be higher than recovery costs within seven
days. The essence of an effective DRP is to minimize uncertainty and increase
predictability. D is wrong because, with good planning, recovery costs can be
predicted and contained.)
Which of the following statements is valid while drafting a disaster recovery
plan (DRP)?
A. Downtime costs decrease as the recovery point objective (RPO) increases.
B. Downtime costs increase with time.
C. Recovery costs are independent of time.
D. Recovery costs can only be controlled on a short-term basis.
Destroying (Destroying magnetic media is the only way to assure that
confidential information cannot be recovered. A is wrong because degaussing
or demagnetizing is a good control but insufficient to erase highly confidential
information from magnetic media. B is wrong because defragmentation aims to
improve efficiency by eliminating fragmentation in file systems; it does not
remove information. C is wrong because erasing or deleting magnetic media
does not remove the information; this method simply changes a file's indexing
information.)
Which of the following is the MOST effective method for disposing of magnetic
media that contains confidential information?
A. Degaussing
B. Defragmenting
C. Erasing
D. Destroying
The hardware being used to run the database application (The business
objective is to make the information available to the public on time. Because
the database is physically located overseas, hardware failures that are left
unfixed can reduce the system's availability to users. A is wrong because the
confidentiality of the information stored in the database is not a major concern
because the information is intended for public use. C is wrong because backups
of the information in the overseas database are not a major concern because
the overseas database is a mirror of the local database; thus, a backup copy
exists locally. D is wrong because remote access to the backup database does
not impact availability.)
A new database is being set up in an overseas location to provide information
to the general public and to increase the speed at which the information is
made available. The overseas database is to be housed at a data center and will
be updated in real time to mirror the information stored locally. Which of the
following areas of operations should be considered as having the HIGHEST risk?
A. Confidentiality of the information stored in the database
B. The hardware being used to run the database application
C. Backups of the information in the overseas database
D. Remote access to the backup database
Incident handling procedures with the provider are not well defined (A SaaS
provider does not normally have onsite support for the organization. Therefore,
incident handling procedures between the organization and its provider are
critical for detecting, communicating, and resolving incidents, including
effective lines of communication and escalation processes. A is wrong because
unless organization workstations are obsolete, upgrading should not be an
issue with a software as a service (SaaS) model because most applications
running as SaaS use common technologies that allow a user to run the
software on different devices. B is wrong because reducing software acquisition
costs is one of the benefits of SaaS. C is wrong because a SaaS provider does
not normally have onsite support for the organization.)
Which of the following should be a concern for an IS auditor reviewing an
organization's cloud computing strategy which is based on a software as a
service (SaaS) model with an external provider?
A. Workstation upgrades must be performed.
B. Long-term software acquisition costs are higher.
C. Contract with the provider does not include onsite technical support.
D. Incident handling procedures with the provider are not well defined.
The alternate facility will be available until the original information processing
facility is restored. (The alternate facility should be made available until the
original site is restored to provide the greatest assurance of recovery after a
disaster. Without this assurance, the plan will not be successful. B is wrong
because having user management involved in identifying critical systems will
not provide assurance that recovery can be achieved during a disaster. C is
wrong because having copies of the plan available offsite will not provide
assurance that the plan will work in the event of a disaster. D is wrong because
providing feedback to management is important but must be based on
assurance that the plan will work. This can only be obtained through testing
and review.)
Which of the following disaster recovery/continuity plan components provides
the GREATEST assurance of recovery after a disaster?
A. The alternate facility will be available until the original information
processing facility is restored.
B. User management is involved in the identification of critical systems and
their associated critical recovery times.
C. Copies of the plan are kept at the homes of key decision-making personnel.
D. Feedback is provided to management assuring them that the business
continuity plans are indeed workable and that the procedures are current.
Before the last transaction (If before images are used, the last transaction in
the dump will not have updated the database prior to the dump being taken. B is
wrong because the last transaction will not have updated the database and
must be reprocessed. C and D are wrong because program checkpoints are
irrelevant in this situation. Checkpoints are used in application failures.)
If a database is restored using before-image dumps, where should the process
begin following an interruption?
A. Before the last transaction
B. After the last transaction
C. As the first transaction after the latest checkpoint
D. As the last transaction before the latest checkpoint
Review and evaluate the business continuity plan for adequacy (The business
continuity plan should be reviewed every time a risk assessment is completed
for the organization. B is wrong because a simulation should be performed
after the business continuity plan has been deemed adequate for the
organization. C is wrong because the employees' training should be performed
after the business continuity plan has been deemed adequate for the
organization. D is wrong because there is no reason to notify the business
continuity plan contacts.)
An organization has just completed its annual risk assessment. Regarding the
business continuity plan, what should an IS auditor recommend as the next
step for the organization?
A. Review and evaluate the business continuity plan for adequacy
B. Perform a full simulation of the business continuity plan
C. Train and educate employees regarding the business continuity plan
D. Notify critical contacts in the business continuity plan
Synchronous remote copy of the data in a warm site that can be operational in
48 hours (The synchronous copy of the data storage achieves the RPO, and a
warm site operational in 48 hours meets the required RTO. A is wrong because
a hot site would meet the recovery time objective (RTO) but incur higher costs
than necessary. B is wrong because asynchronous database updates in
distributed locations do not meet the recovery point objective (RPO). C is
wrong because synchronous updates of the data and standby active systems in
a hot site meet the RPO and RTO requirements but are more costly than a
warm site solution.)
A disaster recovery plan (DRP) for an organization's financial system specifies
that the recovery point objective (RPO) is zero and the recovery time objective
(RTO) is 72 hours. Which of the following is the MOST cost-effective solution?
A. A hot site that can be operational in eight hours with asynchronous backup
of the transaction logs
B. Distributed database systems in multiple locations updated asynchronously
C. Synchronous updates of the data and standby active systems in a hot site
D. Synchronous remote copy of the data in a warm site that can be operational
in 48 hours
To manage risk while recovering from an event that adversely affected
operations (The BCP process primarily focuses on managing and mitigating risk
during recovery of operations due to an event that affected operations. A is
wrong because the BCP does not provide assurance of continuing operations;
however, it helps the organization respond to disruptions to critical business
processes. B is wrong because establishing an alternate site is more relevant to
disaster recovery than the BCP. D is wrong because the regulatory compliance
requirements may help establish the recovery time objective (RTO)
requirements.)
Which of the following is the PRIMARY objective of the business continuity plan
(BCP) process?
A. To provide assurance to stakeholders that business operations will continue
in the event of disaster
B. To establish an alternate site for IT services to meet predefined recovery
time objectives (RTOs)
C. To manage risk while recovering from an event that adversely affected
operations
D. To meet the regulatory compliance requirements in the event of natural
disaster
Tabletop (The primary purpose of tabletop testing is to practice proper
coordination because it involves all or some of the crisis team members and is
focused more on coordination and communication issues than on technical
process details. B is wrong because functional testing involves mobilizing
personnel and resources at various geographic sites. This is a more in-depth
functional test and is not primarily focused on coordination and
communication. C is wrong because full-scale testing involves enterprise-wide
participation and the full involvement of external organizations. D is wrong
because desk check testing requires the least effort of the options given. Its
aim is to ensure the plan is current and promote familiarity with the BCP to
critical personnel from all areas.)
Which of the following business continuity plan (BCP) tests involves
participation of relevant members of the crisis management/response team to
practice proper coordination?
A. Tabletop
B. Functional
C. Full-scale
D. Desk check
the existence of a data retention policy. (Without a data retention policy
aligned with the company's business and compliance requirements, the email
archive may not preserve and reproduce the correct information when
required. B is wrong because this would be irrelevant if the proper email
messages have not been properly preserved and others have been deleted. C is
wrong because this would not directly affect the completeness and accuracy of
the archived email. D is wrong because this is secondary to the need to ensure
a retention policy. Vendor support would not directly affect the completeness
and accuracy of the archived email.)
When auditing the archiving process of emails, the IS auditor should pay
the MOST attention to:
A. the existence of a data retention policy.
B. the storage capacity of the archiving solution.
C. the level of user awareness concerning email use.
D. the support and stability of the archiving solution manufacturer.
clarity and simplicity of the business continuity plans. (The IS auditor should
interview key stakeholders to evaluate how well they understand their roles
and responsibilities. When all stakeholders have a detailed understanding of
their roles and responsibilities in the event of a disaster, an IS auditor can deem
the business continuity plan to be clear and simple. B is wrong because to
evaluate adequacy, the IS auditor should review the plans and compare them
to appropriate standards and the results of plan tests. C is wrong because the
IS auditor should review the results from previous tests or incidents to evaluate
effectiveness. This is the best determination for the evaluation of effectiveness.
D is wrong because the IS auditor should review the results of continuity tests
to evaluate the response. This will assure the IS auditor that target and
recovery times are met.)
With respect to business continuity strategies, an IS auditor interviews key
stakeholders in an organization to determine whether they understand their
roles and responsibilities. The IS auditor is attempting to evaluate the:
A. clarity and simplicity of the business continuity plans.
B. adequacy of the business continuity plans.
C. effectiveness of the business continuity plans.
D. ability of IS and end-user personnel to respond effectively in emergencies.
Human safety procedures are in place. (The most important element in any
business continuity process is protecting human life. This takes precedence
over all other aspects of the plan. A is wrong because performing data backups
is necessary for a business continuity plan, but the IS auditor will always be
most concerned with human safety. B is wrong because a recovery site is
important for business continuity, but life safety is always the priority. D is
wrong because insurance coverage is less important than life safety.)
Which of the following would be MOST important for an IS auditor to verify
while conducting a business continuity audit?
A. Data backups are performed on a timely basis.
B. A recovery site is contracted for and available as needed.
C. Human safety procedures are in place.
D. Insurance coverage is adequate and premiums are current.
analysis and prioritization of business functions. (The DRP must primarily focus
on recovering critical business functions in the event of a disaster within
predefined RTOs; thus, it is necessary to align the recovery of IT services based
on the criticality of business functions. A is wrong because a resilient IT
infrastructure is typically required to minimize interruptions to IT services;
however, if a critical business function does not require high availability of IT,
this may not be required for all DRP elements. B is wrong because while
selecting an alternate site is important, the more critical issue is prioritizing
resources based on the impact and RTOs of business functions. C is wrong
because documented DRP test results are helpful when maintaining the DRP;
however, the DRP must first and foremost be aligned with business
requirements.)
An IS auditor is auditing an IT disaster recovery plan (DRP). The IS auditor
should PRIMARILY ensure that the plan covers:
A. a resilient IT infrastructure.
B. alternate site information.
C. documented disaster recovery (DR) test results.
D. analysis and prioritization of business functions.
Implement a log management process. (Accountability means knowing what is
being done by whom. The best way to enforce the principle is to implement a
log management process to create and store logs with pertinent information
such as user name, type of transaction, and hour. B is wrong because
implementing a two-factor authentication would prevent unauthorized access
to the database but would not record the activity of the user when using the
database. C is wrong because using table views would restrict users from
seeing data that they should not be able to see, but would not record what
users did with data they were allowed to see. D is wrong because separating
database and application servers may help better administration or even
implement access controls but does not address the accountability issues.)
What would be the MOST effective control for enforcing accountability among
database users accessing sensitive information?
A. Implement a log management process.
B. Implement a two-factor authentication.
C. Use table views to access sensitive data.
D. Separate database and application servers.
Evacuation plan (Protecting human resources during a disaster-related event
should be addressed first. Having separate business continuity plans (BCPs)
could result in conflicting evacuation plans, thus jeopardizing the safety of staff
and clients. B is wrong because recovery priorities may be unique to each
department and could be addressed separately, but they should still be
reviewed for possible conflicts and/or the possibility of cost reduction, but only
after the issue of human safety has been analyzed. C is wrong because backup
strategies are not critical to the integration of the plans for the various
departments. Life safety is always the priority. D is wrong because
communication during a crisis is always challenging, but the call tree is not as
important as ensuring life safety first.)
During an audit of a business continuity plan (BCP), an IS auditor found that,
although all departments were housed in the same building, each department
had a separate BCP. The IS auditor recommended that the BCPs be reconciled.
Which of the following areas should be reconciled FIRST?
A. Evacuation plan
B. Recovery priorities
C. Backup storages
D. Call tree
Continuous data backup (Recovery point objective (RPO) is based on the
acceptable data loss in the case of a disruption. The organization needs a short
RPO in this scenario, and continuous data backup is the best option. A is wrong
because virtual tape libraries would require time to complete the backup, while
continuous data backup happens online (in real-time). B is wrong because disk-based
snapshots would require time to complete the backup and would lose
some data between the times of the backup and the failure, while continuous
data backup happens online (in real-time). D is wrong because disk-to-tape
backup would require time to complete the backup, while continuous data
backup happens online (in real-time).)
Which of the following backup techniques is the MOST appropriate when an
organization requires extremely granular data restore points, as defined in the
recovery point objective (RPO)?
A. Virtual tape libraries
B. Disk-based snapshots
C. Continuous data backup
D. Disk-to-tape backup
Before and after screen images (Creating before and after images is the best
way to ensure that the appropriate data have been updated in a direct data
change; the screenshots would include the data before and after the change. B
is wrong because having approved implementation plans would verify that the
change was approved to be implemented but will not ensure that the
appropriate change was made. C is wrong because having an approved
validation plan will ensure that the data change had a validation plan designed
prior to the change but will not ensure that the data change was appropriate
and correct. D is wrong because data file security would only ensure that the
user making the data change was appropriate. It would not ensure that the
data change was correct.)
Which of the following choices BEST ensures accountability when updating
data directly in a production database?
A. Before and after screen images
B. Approved implementation plans
C. Approved validation plan
D. Data file security
Issues of privacy (The purchaser of an item will not necessarily be aware of the
presence of the tag. If a tagged item is paid for by credit card, it would be
possible to tie the unique ID of that item to the purchaser's identity. Privacy
violations are a significant concern because radio frequency identification
(RFID) can carry unique identifier numbers. If desired, it would be possible for a
firm to track individuals who purchase an item containing an RFID. B is wrong
because that wavelength can be absorbed by the human body, which is a
concern of less importance. C is wrong because RFID tags may not be
removable, which is a concern of less importance than the violation of privacy.
D is wrong because RFID eliminates line-of-sight reading. This is a benefit of
RFID, not a concern.)
A retail outlet has introduced radio frequency identification (RFID) tags to
create unique serial numbers for all products. Which of the following is the
PRIMARY concern associated with this initiative?
A. Issues of privacy
B. Wavelength can be absorbed by the human body
C. RFID tags may not be removable
D. RFID eliminates line-of-sight reading
perform sample testing of the migrated account balances
Which of the following is the MOST effective when determining the correctness
of individual account balances migrated from one database to another?
A. compare the hash total before and after the migration
B. verify that the number of records is the same for both databases
C. perform sample testing of the migrated account balances
D. compare the control totals of all of the transactions
Ensuring periodic dumps of transaction logs (Ensuring periodic dumps of
transaction logs is the only safe way of preserving timely historical data.
Because online systems do not have a paper trail that can be used to recreate
data, maintaining transaction logs is critically important to prevent data loss.
The volume of activity usually associated with an online system may make
other, more traditional methods of backup impractical. A is wrong because
maintaining system software parameters is important for all systems, not just
online systems. C is wrong because having generations of backups is the best
practice for all systems. D is wrong because all backups should consider offsite
storage at a location that is accessible but not likely to be affected by the same
disaster.)
In addition to the backup considerations for all systems, which of the following
is an important consideration in providing backup for online systems?
A. Maintaining system software parameters
B. Ensuring periodic dumps of transaction logs
C. Ensuring grandfather-father-son file backups
D. Maintaining important data at an offsite location
both downtime costs and recovery costs need to be evaluated. (Downtime and
recovery costs must be evaluated to determine the acceptable period before
the resumption of critical business processes. The BIA outcome should be a
recovery strategy that represents the optimal balance. A is wrong because
downtime costs cannot be looked at in isolation. The quicker information
assets can be restored and business processing resumed, the smaller the
downtime costs. B is wrong because recovery operations alone do not
determine the acceptable period for the resumption of critical business
processes, and indirect downtime costs should be considered in addition to the
direct cash outflows incurred due to business disruption. D is wrong because
the indirect costs of a serious disruption to normal business activity may be
more significant than direct costs over time, thus reaching the point where
business viability is threatened.)
In determining the acceptable time period for the resumption of critical
business processes:
A. only downtime costs need to be considered.
B. recovery operations should be analyzed.
C. both downtime costs and recovery costs need to be evaluated.
D. indirect downtime costs should be ignored.
identify limitations of the business continuity plan. (Testing the business
continuity plan provides the best evidence of existing limitations. A is wrong
because familiarizing employees with the business continuity plan is a
secondary benefit of a test. B is wrong because it is not cost-effective to
address all residual risks in a business continuity plan. C is wrong because it is
not practical to test all possible disaster scenarios.)
The PRIMARY objective of testing a business continuity plan is to:
A. familiarize employees with the business continuity plan.
B. ensure that all residual risk is addressed.
C. exercise all possible disaster scenarios.
D. identify limitations of the business continuity plan.
minimize the impact of an adverse event
Which of the following is the MAIN reason an organization should have an
incident response plan? The plan helps to:
A. ensure prompt recovery from system outages
B. contain costs related to maintaining disaster recovery plan (DRP) capabilities
C. ensure that customers are promptly notified of issues such as security
breaches
D. minimize the impact of an adverse event
higher cost. (Recovery time objective (RTO) is based on the acceptable
downtime in case of a disruption of operations. The lower the RTO, the higher
the cost of recovery strategies. A is wrong because disaster tolerance relates to
the length of time that critical business processes can be interrupted. A higher
disaster tolerance allows for a longer outage and, therefore, longer recovery
time. C is wrong because the lower the disaster tolerance, the narrower the
interruption windows. The interruption window is the length of the outage of
critical processes. D is wrong because permissive data loss relates to recovery
point objective (RPO), not disaster tolerance.)
A lower recovery time objective (RTO) results in:
A. higher disaster tolerance.
B. higher cost.
C. wider interruption windows.
D. more permissive data loss.
Staging and job setup (If the IS auditor finds effective staging and job setup
processes, this can be accepted as a compensating control. Not reading header
records may otherwise result in loading the wrong tape and deleting or
accessing data on the loaded tape. B is wrong because a supervisory review of
logs is a detective control that would not prevent the loading of wrong tapes. C
is wrong because regular tape backup is not related to bypassing tape header
records. D is wrong because offsite storage of tapes would not prevent loading
the wrong tape because of bypassing header records.)
During a data center audit, an IS auditor observes that some parameters in the
tape management system are set to bypass or ignore tape header records.
Which of the following is the MOST effective compensating control for this
weakness?
A. Staging and job setup
B. Supervisory review of logs
C. Regular backup of tapes
D. Offsite storage of tapes
tested regularly.
To ensure structured disaster recovery, it is MOST important that the business
continuity plan (BCP) and disaster recovery plan (DRP) are:
A. stored at an alternate location.
B. communicated to all users.
C. tested regularly.
D. updated regularly.
Maintain a duplicate copy. (Sensitive data should always be fully backed up
before being transmitted or moved. Backups of sensitive information should be
treated with the same control considerations as the actual data. A is wrong
because although strong encryption protects against disclosure, it will not
mitigate the loss of irreplaceable data. C is wrong because chain of custody is
an important control, but it will not mitigate a loss if a locked area is broken
into and media removed, or if media are lost while in an individual's custody. D is
wrong because bonded security, although good for preventing theft, will not
protect against accidental loss or destruction.)
Which of the following BEST mitigates the risk of backup media containing
irreplaceable information being lost or stolen while in transit?
A. Ensure that media are encrypted.
B. Maintain a duplicate copy.
C. Maintain chain of custody.
D. Ensure that personnel are bonded.
a business continuity strategy. (A business continuity strategy is the next phase
because it identifies the best way to recover. The criticality of the business
process, the cost, the time required to recover, and security must be
considered during this phase. B is wrong because the recovery strategy and
plan development precede the test plan. C is wrong because training can only
be developed once the business continuity plan (BCP) is in place. D is wrong
because a strategy must be determined before the BCP is developed.)
An organization completed a business impact analysis (BIA) as part of business
continuity planning. The NEXT step in the process is to develop:
A. a business continuity strategy.
B. a test and exercise plan.
C. a user training program.
D. the business continuity plan (BCP).
a loss of data integrity. (Normalization is the removal of redundant data
elements from the database structure. Disabling normalization in relational
databases will create redundancy and a risk of not maintaining data
consistency, with the consequent loss of data integrity. A is wrong because
denormalization will not affect concurrent access to data in a database;
concurrent access is resolved through locking. B is wrong because deadlocks
are a result of the locking of records. This is not related to normalization. C is
wrong because access to data is controlled by defining user rights to
information and is not affected by denormalization.)
A database administrator has detected a performance problem with some
tables, which could be solved through denormalization. This situation will
increase the risk of:
A. concurrent access.
B. deadlocks.
C. unauthorized access to data.
D. a loss of data integrity.
Determine whether the modifications were properly approved. (An IS auditor
should first determine whether the modifications were properly approved and
perhaps why this change happened without properly updating the
documentation. A is wrong because the first action taken by the IS auditor
should be to verify whether the changes were authorized. Then, if necessary,
the question can be asked whether the changes were required. B is wrong
because the IS auditor should not recommend reverting to the former design
until the approval is validated and the change is needed. C is wrong because a
change control process should be in place and may not have been followed.
After this is learned, a recommendation can be made regarding a change
control process.)
An IS auditor reviewing a database discovers that the current configuration
does not match the originally designed structure. Which of the following
should be the IS auditor's next action?
A. Analyze the need for the structural change.
B. Recommend restoration to the originally designed structure.
C. Recommend the implementation of a change control process.
D. Determine whether the modifications were properly approved.
shadow file processing. (In shadow file processing, exact duplicates of the files
are maintained at the same site or a remote site. The two files are processed
concurrently. This is used for critical data files such as airline booking systems.
B is wrong because electronic vaulting electronically transmits data to direct
access storage, an optical disc, or another storage medium; banks use this
method. It is usually not as close to real time as shadow file processing. C is
wrong because hard disk mirroring provides redundancy if the primary hard
disk fails. All transactions and operations occur on two hard disks on the same
server. D is wrong because a hot site is an alternate site ready to take over
business operations within a few hours of any business interruption and is not
a method for backing up data.)
While designing the business continuity plan for an airline reservation system,
the MOST appropriate method of data transfer/backup at an offsite location
would be:
A. shadow file processing.
B. electronic vaulting.
C. hard-disk mirroring.
D. hot-site provisioning.
The draft service level agreement (SLA) with the service provider (When
contracting with a service provider, entering into an SLA with the provider is a
good practice. An SLA guarantees that the provider will deliver the services
according to the contract. The IS auditor will want to ensure that performance
and security requirements are clearly stated in the SLA. A is wrong because due
diligence, such as reviewing references from other clients, is a good practice. B
is wrong because a due diligence activity such as reviewing physical security
controls is a good practice, but the SLA would be most critical because it would
define what specific levels of security would be required and make the provider
contractually obligated to deliver what was promised. D is wrong because due
diligence, such as using background checks on the service provider's
employees, is a good practice.)
An organization is considering using a new IT service provider. From an audit
perspective, which of the following would be the MOST important item to
review?
A. References from other clients for the service provider
B. The physical security of the service provider site
C. The draft service level agreement (SLA) with the service provider
D. Background checks of the service provider's employees
The recovery point objective (RPO) (The recovery point objective (RPO) is
determined based on the acceptable data loss in the case of a disruption of
operations. RPO defines the point in time from which it is necessary to recover
the data and quantifies, in terms of time, the permissible amount of data loss
in the case of interruption. A is wrong because the interruption window is
defined as the amount of time during which the organization cannot maintain
operations from the point of failure to the time that the critical
services/applications are restored. B is wrong because the recovery time
objective (RTO) is determined based on the acceptable downtime in the case of
a disruption of operations. C is wrong because the service delivery objective
(SDO) is directly related to the business needs. SDO is the level of services
reached during the alternate process mode until the normal situation is
restored.)
An IS auditor is reviewing an organization's recovery from a disaster in which
not all the critical data needed to resume business operations were retained.
Which of the following was incorrectly defined?
A. The interruption window
B. The recovery time objective (RTO)
C. The service delivery objective (SDO)
D. The recovery point objective (RPO)
Preparedness test (A preparedness test is performed by each local office/area
to test the adequacy of the preparedness of local operations for disaster
recovery. A is wrong because a full operational test is conducted after the
paper and preparedness test and is quite expensive. C is wrong because a
paper test is a structured walk-through of the disaster recovery plan and
should be conducted before a preparedness test. However, a paper test (desk
check) is insufficient to test the plan's viability. D is wrong because a regression
test is not a disaster recovery plan test and is used in software development
and maintenance.)
An organization having a number of offices across a wide geographical area has
developed a disaster recovery plan. Using actual resources, which of the
following is the MOST cost-effective test of the disaster recovery plan?
A. Full operational test
B. Preparedness test
C. Paper test
D. Regression test
providing accurate feedback on IT resource capacity. (Accurate capacity
monitoring of IT resources would be the most critical element of a continuous
monitoring process. A is wrong because continuous monitoring helps to ensure
that service level agreements (SLAs) are met, but this would not be the primary
focus of monitoring. It is possible that even if a system were offline, it would
meet the requirements of an SLA. Therefore, accurate availability monitoring is
more important. B is wrong because while data gained from capacity and
performance monitoring would be an input to the planning process, the
primary focus would be to monitor availability. D is wrong because while
continuous monitoring would help management to predict likely IT resource
capabilities, the more critical issue would be that availability monitoring is
accurate.)
While reviewing the process for continuous monitoring of the capacity and
performance of IT resources, an IS auditor should PRIMARILY ensure that the
process is focused on:
A. adequately monitoring service levels of IT resources and services.
B. providing data to enable timely planning for capacity and performance
requirements.
C. providing accurate feedback on IT resource capacity.
D. properly forecasting performance, capacity and throughput of IT resources.
The responsibility for declaring a disaster is not identified. (If nobody declares
the disaster, the BCP would not be invoked, making all other concerns less
important. A is wrong because although failure to consider duration could be a
problem, it is not as significant as scope, and neither is as critical as the need to
identify someone with the authority to invoke the BCP. B is wrong because the
difference between incidents and low-level disasters is always unclear and
frequently revolves around the time required to correct the damage. C is wrong
because the lack of detailed steps should be documented, but their absence
does not mean a lack of recovery if someone has invoked the BCP.)
Which of the following should be of MOST concern to an IS auditor reviewing
the business continuity plan (BCP)?
A. The disaster levels are based on scopes of damaged functions but not on duration.
B. The difference between low-level disaster and software incidents is not clear.
C. The overall BCP is documented, but detailed recovery steps are not specified.
D. The responsibility for declaring a disaster is not identified.
duration of the outage. (The initiation of a business continuity plan (action)
should primarily be based on the maximum period for which a business
function can be disrupted before the disruption threatens the achievement of
organizational objectives. B is wrong because the type of outage is not as
important to the plan's activation as the outage's length or duration. C is wrong
because the outage probability would be relevant to the frequency of
incidents, not the need to activate the plan. The plan is designed to be
activated after an event of a certain duration occurs. D is wrong because the
cause of the outage may affect the activation of the response plan, but it is not
the decision to activate the plan. The plan will be activated whenever a
predetermined duration event occurs.)
The activation of an enterprise's business continuity plan should be based on
predetermined criteria that address the:
A. duration of the outage.
B. type of outage.
C. probability of the outage.
D. cause of the outage.
recovery strategy. (The most appropriate strategy is selected based on the
relative risk level, timelines, and criticality identified in the BIA. A is wrong
because the responsibility for maintaining the business continuity plan is
decided after selecting or designing the appropriate recovery strategy and
developing the plan. B is wrong because the criteria for selecting a recovery
site provider are decided after selecting or designing the appropriate recovery
strategy. D is wrong because the responsibilities of key personnel are decided
after the selection or design of the appropriate recovery strategy during the
plan development phase.)
During the design of a business continuity plan, the business impact analysis
(BIA) identifies critical processes and supporting applications. This will
PRIMARILY influence the:
A. responsibility for maintaining the business continuity plan.
B. criteria for selecting a recovery site provider.
C. recovery strategy.
D. responsibilities of key personnel.