How to pass Isaca CISA Certification Exam Successfully?

1. Which of the following is the GRE A TEST c oncern with cond u cting penetr a tion testing o n an internal l y develop e d a pplication in the pr o duction environm e nt?

2. An IS auditor finds that not all employees are aware of t h e enterpris e' s informa t ion security polic y . The IS auditor shou l d conclude that:

3. Wh e n r ev iewing backup policie s , a n IS auditor MUST verify that backup intervals of c ritical s y ste m s do not exceed which of t h e following?

4. Which of the following manages the digital certificate l i f e cycle to ensure ade q uate security and controls exist in digital si g na t ure a p plications related to e- c ommerce?

5. The M O ST important reason why an IT risk assessment s h ould be u p d a ted on a re g ular basis is to: A. utilize IT r esources in a cost-e f f e ctive manner

B. comply with data classification changes C. comply with risk management policies D. react to changes in t h e IT environment

6. A data center has a bad g e- e ntry system.

Which of the following is MOST i m portant to prote c t the comput i ng assets in the center? A. Badge re a ders are installed in locations where t a mpering w o u ld be noticed

B. The computer that controls the bad g e system is b acked up frequently

C. A process for promptly deactivating lost or stolen bad g es e x ists

D. All badge entry attempts are logged

7. By evaluating appli c ation de v el o pment proje c ts against the capability maturity mo d el (CMM), an IS

auditor shou l d be able to verify that: A. reliable products are guar a nteed.

B. programmers' e f ficiency is improv e d. C. security r equire m ents are desig n e d .

D. predictable software p r ocesses are followed.

8. An IS auditor should awa r e of various analysis models used by data architecture. Which of the following a na lysis model d epict data entities and h o w they relate?

9. Key verification is one of the best controls f or ensuring tha t : A. Data is entered correctly

B. Only authorized cryptogra p hic keys are used

C. Input is authorized

D. Database indexing is performed p ro perly

10. Which of the following is the BEST performance criterion for evaluating the adeq ua cy of an org a nization ' s s e curity a w are n ess training?

11. In the p rocess of e valuating p r o g ram change controls, an I S auditor w o uld use source code comparison software to:

12. Which of the following activ i ties i s MOST im p ortant to consider when conducting IS audit planni n g? A. Results f r om previous audits are r ev iewed.

B. Audit sch e duling is ba s ed on skill set of audit te a m. C. Resourc e s are allocated to areas of high ris k .

D. The audit committee agrees on risk rankings.

13. In computer forens i c which o f the following d escribe the process that converts the information extracted into a format t h at can be understood by investigator?

14. Which of the following device in F r ame Relay W AN technique is genera l ly customer own e d device that provides a connectivity between company's o w n network a n d the frame relays network?

15. Wh e n e valuating the recent implementation of an intrusion detection system (IDS), a n IS auditor should be MOST conce r ned with in a ppr o priate:

16. An or g anization recently e x perienced a phishing attack that resulted in a breach of confidential information.

Which of the following would be MOST relevant f o r an IS auditor to review when d eter m ining the root cause of the incident?

17. Intrusion detection sy s tems (IDSs) can: A. s ubstitute for a firewall.

B. compensate for weak authentication mechanisms.

C. conduct i n v estigations of attacks from within the network. D. provide information to enh a nce the security infrastructure.

18. At a project steering commit t ee meeting, it is stated that ad d ing controls to business processes und e rgoi n g r e-e n gine e ri n g is an unnecessary cost.

The IS audito r ’ s BEST response is t h at the actual control overhead for a bu s iness process is: A. usually c o nsiderable, b ut the benefits of good c o ntrols alw a ys exceed the cost.

B. the responsibility of t h e project manage r , and the cost should have been included in the bu d get. C. usually di f ficult to ascertain but is j u stifiable, because c ontrols are essenti a l to doing business











D. usually l e ss than the poten t ial cost of failure caused by la c k o f controls.

19. W h at is/are used to measure and ensure pr op er network capacity ma n agement and availability o f services?

20. Which of the following is the MOST important reason for logging firewall act i vi t y ? A. Intru s ion detection

B. Auditing purposes

C. Firewall tuning

D. Incident i n v estigation

21. Which of t h e following r i sk handling technique in v olves the practice of being proactive s o that the ri s k in question is not realized?

22. So p histicated database systems provide ma n y layers and types of securit y , including (Ch o ose three.):

23. Which of the following wou l d prevent unauth o rized changes to i n formation stored in a server's log? A. W rite-protecting the directory containing the system log

B. W riting a duplicate log to another server

C. Daily printing of the system log

D. Storing the s y stem log in write-once media

24. An IS auditor revie w ing an or g an i zation that u ses cross-t r aining practices shou l d assess the risk of: A. depend en cy on a single person.

B. inadequa t e succession planning.

C. one pers o n knowing all parts of a system. D. a disruption of operat i ons.

25. A call- b ack system r equires that a user with an id and pa s sword call a remote server through a dial-up line, then the s e rver disconnects and:

26. W h o is ultimately r e sponsible a n d accountable for reviewi n g user access to s y s te m s ? A. S y s tems s ecurity administrators

B. Data custodians

C. Data ow n ers

D. Information systems auditors

27. Which of the following state m ent correctly describes the d i f ference between total flooding a nd l ocal application ex tinguishing agent?

28. What is the PRIMA R Y purpose of audit trails? A. T o document auditing e f forts

B. T o correct data integrity errors

C. T o establish accountability and responsibility for processed transactions

D. T o prevent unauthoriz e d access to data

29. T o ensure the inte g rity of a recovered data bas e, which of the following would be M OST useful? A. Before-and-after transaction images

B. Database defragm e nt a tion tools

C. A copy of the data dictionary D. Application transaction logs

30. W h en should plans for test i ng for user acceptance be pr ep are d?

31. Pretexting is an act of: A. DoS

B. social engineeri n g

C. eavedro p ping

D. soft coding

E. hard coding

F . None of t h e choices.

32. Followi n g an unaut ho rized disclo s ure of data, an or g anization ne e ds to implement d a ta loss prevention ( DLP) meas u res.

The IS audito r ’ s BEST re c ommendation should be to:

33. An IS auditor is r eviewing access to an application to determine w h ether the 10 most recent “new user” forms were cor r ectly au t horized. This is an e x ample of:

34. Which of the following could provide an organization with t he fastest resumption of processing following a d i sk failure?

35. A chan g e to the scope of an IT p r oject has been formally submitted to the project mana g e r . What should the project mana g er do N EXT?

36. Which of the following should be the GRE A T EST concern to a n IS auditor reviewi n g the information security framework of an org a nization?

37. Which of the following should be an information security m anag e r ’ s PRIMA R Y role when an org a nization initiates a da t a classification process?

38. In a bo t net, mailbot l ogs in t o a particular type of system for making coordinated attack attempts. What type of s y s tem is th i s ?

39. Assessments of critical inf o rmation systems are based on a c yclical audit plan that has not been updat e d for several years.

Which of the following should t he IS auditor recommend to BEST address this situation? A. Use a revolving set of aud i t plans to cover all systems

B. Update the audit plan quarter l y to account for delays and deferrals of per i odic reviews











C. Regularly validate the audit plan a g ainst bu s iness risks

D. Do not include per i odic reviews in detail as part of the audit plan

40. Which of the following would be an IS auditor's GRE A TEST c o ncern wh e n evaluating a cybersecu r ity incident response plan?

41. Once a n org a nization has fin i shed the business process r eengi n eer i ng (BPR) of all its critical ope r ations, an IS auditor would M O ST likely foc u s on a review o f:

42. Which of the following contr o ls would BEST detect intrus io n?

43. Foll o wing a recent internal data breach, an IS auditor w a s asked to evaluate information security practices within the org an ization.

Which of the following findings would be MOST im p ortant to report to senior management? A. Employees are not required to sign a non-comp e te agreem en t.

B. S e c urity e ducation and awar e ness workshops have not been co m pleted. C. Users lack technical knowl e dge re l ated to security and data protection.

D. Desktop passwords do not r equire special char ac ters.

44. Which of the following acts as a decoy to de t ect active in t ernet attack s ? A. Honeypots

B. Firewalls

C. T rapdoors

D. T ra f f ic a n al ys is

45. Which of the following sit e s would be MOST appropriate in the case of a v ery short r e c overy time objective ( R T O)?

46. Which of the following dynamic interaction of a Business Model for Information Security (B M IS) i s a place to introduce possible solutions such as feedback loops; a lignment with process improvement; and considerati o n of emerg e nt issues in system design life cycle, c han g e contr o l, and risk mana g ement?

47. Which of the following is the PRIMA R Y advantage of having an established infor m at i on security govern a nce framew o rk in place when an or g anization is adopting emerging t echnolog i es?

48. An IS auditor has completed a service level mana g ement a udit related to order ma n agement services provided by a t h ird part y .

Which of the following is t he MOST si g nificant findi n g? A. The third party has o f f shore suppo r t arrangem e nts. B. Penalties for missing ser v ice levels are limited.

C. The service level agreement does not define how availability is measure d .

D. Service d esk support is not a vailable outside the company ’ s business hours.

49. Which of the following is the MOST important outcome of e f f e c t i ve risk tr e atment?

50. Th e re i s a concern that a salesperson may downl o ad an org a nization ’ s full cu s to m er list from t h e

Software as a Service (SaaS) wh e n leaving to work for a competito r . Which of the following would BEST help to identify this type of i n c ident? A. Monitor a pplications logs











B. Disable remote access to the application

C. Implement a web appl ic ation firewall

D. Implement an intrusion detection sy s tem (IDS)

51. W h at is a primary high-lev e l goal for an audit o r who is rev i ewing a sys t em development project? A. T o ensure that progr a mming and p rocessing environments are s egre g at e d

B. T o ensure that proper app r o v al for the project h a s been obtained











C. T o ensure that business objectives are achieved

D. T o ensure that projects are monito r ed and adm i nistrated e f fect i v ely

52. D uring an audit of a business co n tinuity plan ( BCP), an IS auditor found that, although all dep a rtments were h oused in the same building, ea c h dep a rtme n t had a sepa r ate BC P . T h e IS auditor recommended that the B C Ps be reconciled.

Which of the following ar e as should be recon c iled FIRST? A. Evacuati o n plan

B. Recovery priorities C. Backup stora g es D. Call tree

53. Which of the following attack i s also known as T ime of C h eck( T OC)/ T i me of Use( T OU)? A. E a v esdropping

B. T ra f fic analysis C. Masquer a ding D. Race Co n dition

54. An integrated test f a cility i s cons i dered a useful audit tool because it: A. is a cost- e f ficient appr o ach to auditing applicati o n control s.

B. enables the financial and IS auditors to i n tegrate their audit test s . C. compares processing output with inde p en d ently calculated da t a.

D. provides the IS auditor with a tool to analyze a large r a nge of information

55. Which of the following should be used to assess the level of security required to p ro tect i n formation on a corpo ra te network?

56. The ne twork of an organization h as been the victim of sev e ral intruders' attac k s. Which of the following m e asures w ou l d allow for the early dete c tion of such incidents? A. Antivirus software

B. Hardening the servers

C. Screening routers D. Honeypo t s

57. Which of the following entities i s BEST suited to define t h e data classification levels within an org a nization?

58. Which of the following findings should be of MOST concern t o an IS auditor wh e n evaluating information security governan c e within an or g anization?

59. D u ring a n audit of a mission-critical system h o sted in an outsourced data cen t e r , an IS auditor discovers that contracted routine mai n tenance for the alternate pow e r ge n e r ator was not perform e d. Which of the following sh o uld be the a u dito r ’ s MAIN concern?

60. D ata edits are implemented be f ore processing and a r e considered which of the f o llowing? A. Deterrent integrity controls

B. Detective integrity controls

C. Corrective integrity controls

D. Preventative integrity controls

61. Which of the following term describes a failure of an ele c tric utility company to supply power within acceptable rang e ?

62. In addi t ion to the backup con s id e rations for all systems, w h ich of the following is an important consideration in providing backup for online syst e ms?

63. Which of the following BEST descr i bes a common risk in i mplementing a new application software package?

64. When developing a risk-based IS audit plan, the PRIMA R Y focus should be on functions: A. consider e d important by IT management.

B. with the most ine f f e ctive controls.

C. with the greatest number of threats.

D. considered critical to b usiness operations.

65. Integ ra ting busine s s continuity planning (BC P ) into an IT p roject aids i n : A. the retrofitting of the business continuity requirements.

B. the development of a more compre h ensive set o f requirem e nts. C. the development of a t ransaction flowchart.

D. ensuring the applicati o n meets the user's need s .

66. T o create a digital si g natu r e in a message using asymmetric encryption, it i s necessary to: A. first use a symm e tric algorithm for the authenti c ation seque nc e.

B. encrypt t h e authen t ication sequen c e u s ing a public ke y .

C. transmit the actual digital signature in unencrypted clear text. D. encrypt t h e authentication sequen c e using a private ke y .

67. W h en auditing a software deve l opment proj e ct, a review of which of the following will BEST v e rify that project work is adequately subdivided?

68. Which of the following type of computer has highest proces s ing speed? A. Supercomputers

B. Midrange servers

C. Personal computers D. Thin client computers

69. A comp a ny is using a soft w are developer for a project.

At which of the following poin t s should the software quality a s surance (QA) plan be dev e loped? A. As part of software definition

B. During the feasibility phase C. Prior to acceptance testing D. As part of the design phase

70. Which of t h e following secur i ty cont r ol is intended to bring e n vironment b a ck to regular ope r ation? A. Deterrent

B. Preventive C. Corrective D. Recovery

71. Which of the following E-comm e rce model covers all the transactions between companies and government org a nization?

72. What is the MOST important r ole of an organi z ation ’ s data c ustodian in support of information security function?

73. Which of the following soft w are development methods is based on iterative and incremental developmen t , where re q u i rements and solutions ev o lve through c o llabo r ation betwe e n self-or g anizing, cross-functi o nal teams?

74. An IS a u ditor discovers a re c urri n g software control proce s s issue that s e v erely impacts the e f ficiency of a crit i cal b usiness pro c ess.

Which of the following is the BEST recommendation? A. Replace t he malfunct i oning syst e m.

B. Determine the compensating controls. C. Identify other impacted processes.

D. Determine the root cause of the issue.

75. R ather than simply r eviewing the ade q uacy of access cont r ol, appro p riateness of access policies, and e f fect i v eness of saf e guards and procedures, t h e IS auditor is more concern e d w i th e f fect i veness a nd utilization of assets.

T rue or false? A. T rue

B. False

76. T est and developm e nt environm e nts should be separated. T rue or false?

77. Which of the following attack occurs when a malicious a ct i on is perfo r med by i n v oking the operating system to execute a particular s y stem call?

78. Which of the following translates e-mail formats from one network to another so that the message can travel through all the networks?

79. An IS auditor is reviewing the r e mote access methods of a company used to acc e ss system remotel y .

Which of the following is LEAST p referred remote access method from a s e c urity and cont r ol point of view?

80. Who is responsible for ensuring t hat system controls and s u pp o rting p r ocesses p r o v ides an e f f e ctive level of protection, based on the data classification set in accordance with corpo r ate security polici e s a nd proced u res?

81. Which of the following is the protocol data unit (PDU) of a pp l ication layer in TCP/IP m o del? A. Data

B. Segment

C. Packet D. Frame

82. A nu m ber of system failures are occurring when cor r ections to previously dete c ted err o rs are resubmitted for acceptance testing. This would indicate that t h e maintenance team is pro b ably not adequately performing which of the fol l owing types of testing?

83. A manu f acturing company is i m pl e menting app l ication soft w a r e for its sales and distr i bution syst e m. Which of the following is the MOST important rea s on for the co m pany choose a cen t ralized online











database?

84. The in f ormation security policy t h at stat e s 'each individ u al must have t h eir bad g e r e ad at every











controlled d o or' a d dress e s whi c h of the following attack methods? A. Piggybacking

B. Shoulder surfing C. Dumpster diving D. Impersonation

85. Which of the following is the M O ST cr i tical a n d contributes the greatest to the quality of data in a data wa r eh o use?

86. An or g anization h a s created a policy that defines the typ e s of web s i tes that u s e rs are forbi d d e n to acces s .

What is the MOST e f fective technology to en f orce this policy? A. S tateful i n spection fir e wall

B. W eb content filter C. W eb cache server D. Proxy server

87. The M OST e f f e c tive control f o r reducing the risk related to phishing is: A. centralized monit o ring of s y s te m s .

B. including signatures for phishing in antivirus software. C. publishing the policy o n an t iphishi n g on the intr a net. D. security t r aining for all users.

88. What is the pu r pose o f a hypervis o r?

89. Which of the following would be the MOST a ppropriate reas o n for an o rganization to purchase fault-tolerant har d wa r e?

90. W h at uses questionnaires to lead the user throu g h a series of choices to r each a conclusion? A. Logic tre e s

B. Decision trees

C. Decision algorithms D. Logic algorithms

91. A live test of a mut u al agree m ent for IT syst e m recovery h as been carried out, including a four- h ou r test of intensive usage by the business units.

The test has been successful, but giv e s only partial assurance that the:

92. The op timum busi n ess continuity strategy for an entity is determined b y the:

93. In a small organization, an e m pl oy ee performs computer operations and, when the situation demands, p r ogram modifications.

Which of the following sh o uld the IS auditor recommend? A. Automat e d logging of changes to development libraries B. Additional sta f f to prov i de separati o n of duties

C. Procedu r es that verify that only a p proved p r og r am changes a r e implem e nted D. Acc e ss c o ntrols to prevent t he ope r ator from making program modificatio n s

94. An IS auditor revie w ing an or g an i zation's IT strategic plan should FIRST review: A. the existi n g IT environment.

B. the business plan.

C. the present IT budget.

D. current technology trends.

95. An or g anization h a s a recovery time objective ( R T O) eq u al to zero and a recovery point objective

(RPO) close to 1 minute for a critical system. This implies that the s y st e m can tolerate:

96. W h en auditing a d i saster reco v ery plan for a critical busi n ess area, an IS auditor fi n ds that it does not cover all the systems.

Which of the following is the MOST appro p riate action for the I S auditor? A. Alert ma n agement a n d evaluate the impact of not covering all s y s te m s . B. Cancel t h e audit.

C. Complete the audit of the syst e ms covered by the existing d i saster recovery plan. D. Postpone the audit until the systems are add e d to the disast e r recovery plan.

97. An IT governance fr a mework pro v ides an org a nization with: A. a basis for directing and controlling I T .

B. assurance that there will be IT cost r eductions.

C. organizational structures to enlarge the market share thr o u g h I T . D. assurance that there are surplus IT inve s tments.

98. Which of the following shou l d an IS auditor recommend be d one FIRST upon learni n g that new d a t a protection legislation may a f fect the organization?

99. Which of the following would be the GRE A TEST risk assoc i ated with a new chat feature on a retaile r ’ s website?

100. Passwords should be:

101. Which of the following is a data validation ed i t and control? A. Hash tota l s

B. Reasona b leness checks

C. Online access controls

D. Before and after image reporting

102. An IS auditor is performing an a u dit of a large org a nizat i on ’ s operating system maintenance proced u res.

Which of the following fin d ings presents the GRE A TEST risk?

103. Which of the following would an IS auditor c o nsider to be the MOST helpful w hen evaluating the e f fectiveness and ade q u a cy of a com p uter prevent iv e maintenance prog r am?

104. An org a nization is deciding whether to outsource its c usto m er relationsh i p manage me nt systems to a provider loc a ted in anoth e r countr y .

Which of the following sh o uld be the PRIMA R Y influence in the outsourcing decision? A. T ime zone di f ferences

B. The service provid e r ’ s disaster recovery plan

C. Cross-border privacy l aws

D. Curr e nt geopolitical conditions

105. An IS auditor cond u cting an access control review in a cl i ent-server e nvironment d iscovers that all printing o ptions are accessible by all users. In this s ituation, the IS auditor is MOST likely to c onclude that: A. exposure is greate r , since information is available to unau t hor iz ed users.

B. operating e f ficiency is enh a nced, since an y one can print any report at a n y time. C. operating proced u res are more e f fective, since information is easily a vailable.

D. user friendliness and f l exi b ility is f a cilitated, since there is a smooth flow of information among user s .

106. The M OST likely e x planation for a succ e ssful social engineeri n g attack is: A. that com p uters make logic errors.

B. that peop l e make judgment errors.

C. the com p uter knowle d ge of the attackers.

D. the technological sop h istication of the attack m e thod.

107. An info r mation security m anager has identified and impl e mented mig r ating con t rols according to industry best practices.

Which of the following is the GRE A TEST risk ass o ciated with t h i s approach?

108. The P RIMA R Y purpose for mee t ing with auditees prior to formally closing a review is to: A. confirm t h at the audito r s did not ov e rlook any important issues.

B. gain agr e ement on the findings.

C. receive f e edback on the ade q uacy of the audit procedures. D. test the st ructure of t he final presentation.

109. Which of the following proce d ures would MOST e f fect i ve l y d etect the loading of illegal software packages onto a network?

110. W h en participating in a systems - development project, an IS auditor should focus on system co n trols rather than e nsuring that ade q uate a n d complete documentation exists for all projects.

T rue or false? A. T rue

B. False

111. A previ o usly agreed - upon r ecommendation w as not impl e mented bec a use the aud i tee no lon g er agr e es with the origi n al findings.

The IS audito r ’ s FIRST course of action should be to: A. exclude the finding in the follow- u p audit rep o rt.

B. e s c alate t he disagreement to the a udit commi tt ee. C. assess the reason f o r the disagre e ment.

D. require i m plementation of the original recommendation.

112. D uring an IS audit, auditor has o bserved that authentication and auth o r i zation s t eps are split into two functions and there is a possibility to force the authorization step to be c o mpleted bef o re the authentication step.

Which of the following technique a n attacker could user to for c e authorization step be f ore authentication? A. E a v esdropping

B. T ra f fic analysis C. Masquer a ding D. Race Co n dition

113. Which of the following attack i n c l udes social e ngineering, link manipulation or web site forgery techniques?

114. What type of crypt o s ystem i s characterized by data being encrypted by the sender u sing the recipient's public ke y , and the data then being d ecrypted using the recipient ' s private key?

115. An org a nization is considering w h ether to allow employees to use personal co m puting devices for business purposes.

T o BEST f a cilitate senior managem e nt ’ s decision, the informati o n security mana g er shou l d: A. perform a cost-benefit analysis

B. map the s trategy to business objectives

C. conduct a risk assessment D. develop a business case

116. Which of the following option INCORREC T L Y describes PBX featur e ?

117. W h at is the primary secur i ty concern for EDI environments? A. T ransacti o n authentication

B. T ransacti o n completeness

C. T ransaction accuracy

D. T ransaction authoriza t ion

118. An IS auditor revie w ing d i gital rights management (DRM) applications should exp e ct to find an extensive use for which of the following technolog i es?

119. During a human re s ources (HR) audit, an IS auditor is informed that there is a verbal agr e em e nt between the IT and HR departments as to the level of IT serv i c e s expected.

In this situation, what should the IS auditor do FIRST?

120. Which of the following is the PRIMA R Y role of an IS auditor with regard t o data privacy? A. E n s uring compliance w i th data privacy laws

B. Communicating data privacy requirements to t h e org a nization

C. Drafting the or g anization ’ s data privacy policy

D. V erifying that privacy p ract i ces match privacy statements

121. Which of the following BEST l i m i ts the impact of server f a ilures in a dis t ributed envi r onment? A. Redund an t pathways

B. Clustering

C. Dial backup lines D. Standby power

122. An IS auditor performing a r e view of the backup process i ng facilities should be M O ST concerned that:

123. A bank is selecting a server for its retail accounts applicatio n .

T o ensure that the server can handle a high volume of transacti o ns with the r equir e d res p onse times, which test should the IS auditor reco m mend?

124. An IS auditor is a member of an application development team that i s selecting softw a re. Which of the following w o uld i m pair the audito r ’ s i n dep e nd e nce?

125. After assessing risk, the decisi o n to treat the risk should be based P R IMARI L Y on: A. whether the level of r isk e xceeds risk appetite

B. availability of financial r esources











C. whether the level of r isk e xceeds inhe r ent risk

D. the critica l ity of the risk

126. In an o nline banki n g applicatio n , which of the following w ould BEST p rotect against identity theft? A. E n c rypti o n of personal password

B. Restr i c ti n g the user to a specif i c te r minal

C. T wo-factor authentication

D. Periodic review of ac c ess logs

127. Which of the following is MO S T i nfluential when defining d isaster recovery strategies? A. Existing server re d un d ancies











B. Maximum tolerable do wntime

C. Data classification scheme D. Annual l o ss e x pectancy

128. Which of the following sta t ement is NOT true about smoke d etector?

129. A com p any underta k es a business process reengin e eri n g ( BPR) project in support of a new and direct marketing app r oa c h to its cust o mers.

Which of the following w o uld be an IS auditor's ma i n concern a b out the new process? A. Whether key controls a re in place to protect ass e ts and inf o rmation resour c es

B. If the system address e s corporate customer re q uirements

C. Whether the system can meet the perform a nce goals (time and resources)

D. Whether owners have been identi f ied who will be responsib l e for the pr oc ess

130. In which of the following database models is t he data rep re sented in terms of tulles and g r oup e d into relations?

A. Hierarchical database model

B. Network database mo d el

C. Relational database model

D. Object-relational data b ase model

131. Perfor m ance monitoring too l s report that serv e rs are consi s tently above the recommended utilization capacit y .

Which of the following is the BEST recommendation of the IS auditor? A. Develop a capa c ity plan based on us age projections.

B. Deploy l o ad balanc e rs. C. Monitor act i vi t y logs.

D. Add servers until utiliz a t i on is at target capacit y .

132. The GR E A TEST risk when p erfo r ming data n o rmalization is: A. the incre a sed complexity of the data model

B. duplicati o n of audit logs

C. reduced d ata redu n d a ncy D. decreased performa n ce

133. When reviewing IS strategie s , a n IS auditor can BEST asse s s wheth e r IS strategy supports the organizations’ business o bjectives by determining if I S :

134. Which of the following physical a ccess controls e f f e c t i vely r educes the risk of piggybacking? A. Biometr i c door locks

B. Combination do o r locks

C. Deadman doors











D. Bolting door locks

135. Man a g e ment has agreed to perfo r m multiple remediation actions in res p onse to an audit issue, including the implementa t ion of a new control.

Which of the following is t he BEST ti m e for an IS a uditor to p e rform an audit follow-up of this issue? A. After management has comp l eted the re q uired actions

B. When au d it resources are available

C. When managem e nt r es ources are available

D. After the n ew control has been in place for one year

136. Which of the following is the MOST likely reason an organi z a t ion would u s e Pl a tform a s a Serv i c e

(PaaS)?

137. Which of the following manage m ent decisions p resents the GRE A TEST risk associated with data leakage?

138. Which of the following is a guiding best practice for imp l e menting log i cal acc e ss controls? A. Implementing the Biba Integrity Model

B. Access is grant e d on a least-privilege ba s is, per the organ i z a tion's data owners

C. Implementing the T ak e -Grant access control m o del

D. Classifyi n g data according to the subject ’ s requirements

139. Which of the following ACID p r operty in DBMS e nsures that t he concurrent execution o f transactio n s results in a system s tate that would be obtained if transactions were executed seriall y , i.e. one after the other?

140. Which of the following would B E ST support a business case to implement a data leakage prevention ( DLP) solution?

141. An org a nization has su f fe r ed a number of incidents in which USB fl a s h drives w ith sensitive data have been l o st.

Which of the following w o uld be M O ST e f fective in preventing l o ss of sensitive data? A. Modifying the disciplinary policy to b e more stringent

B. Implementing a check - in/ch e ck-out process for USB flash dri v es

C. I s suing encrypted USB flash drives to st a f f

D. Increasing the frequency of secur i ty awareness training

142. An IT department has given a vendor remote a ccess to the internal net w ork for troubleshooting network per f ormance pr o blems.

After discov e ring the remote ac t ivity d uring a fire w all log re v ie w , which of the following is t he BEST c o u r s e of action for an informati o n security mana g er?

143. Wh e n conducting a follow- u p au d it on an org a nization ’ s fir e wall configu r ation, the IS auditor











discovered that the firewall had be e n integrated in t o a new sy s tem that provides both firewall and intrusion detection capabilities.

The IS auditor should:

144. A dat a base admin is trator has detected a pe r formance p r oblem with some tables which could be solved through de n ormal i zation.

This s i tuation will increase the risk of: A. c oncurrent acc e s s .

B. deadlocks.

C. unauthor iz ed access to data. D. a loss of d ata integrit y .

145. An IS auditor obser v es a weakn e ss in the tape managem e nt s ystem at a data center in that some parameters are set to bypass or ignore tape header records.

Which of the following is the MOST e f f ective compensating control for this weakness? A. Staging and job set up

B. Supervis o ry review of logs C. Regular back-up of tapes D. O f f site st o rage of tapes

146. The IS auditor has identified a potential fraud p e rpetrated by the network administrato r . The IS auditor should:

147. A firewa l l has been instal l ed on the company ’ s web serve r . Which concern does the firewall a d dr e ss?

148. Which of the following is a s tep in establishing a security policy? A. Developing platform-l ev el security b aselines.

B. Developing configurations parame t ers for the network,

C. Implementing a process for developing and mai n taining the polic y . D. Creating a RACI matrix.

149. A reduction in which of the following would indi c ate impro v ed performan c e in the administration of information security?

150. An IS auditor review e d the bu s iness case for a proposed i nv estment to virtuali z e an org a nization ’ s server infrastructure.

Which of the following is MOST likely to be included among the benefits in t h e project pr o posal? A. Fewer operating syst e m licenses

B. Be t ter e f f i ciency of logical resources

C. Reduced har d wa r e footprint

D. Less m e mory and storage space

151. W h at is a callback system?

152. Which of the following is t he BEST method to defend against social engin e ering attacks? A. Periodically perform antivirus scans to iden t ify malware.

B. Communicate guideli n es to limit i n f ormation po s ted to public s ites. C. Monitor for unauth o rized access attempts and failed logins.

D. Employ the use of a web-content filtering solution.

153. W h en segregati o n of duties co n c erns exists betwe e n IT sup p o rt sta f f a nd end user s , what would be suitable compensating control?

154. D uring the testing of the business continuity p lan (BCP), which of the f o llowing met h ods of results analysis provides the BEST assurance that the plan is workable?

155. The B E ST way to assure an o r ga nization ’ s board of directo r s that IT st r ategies support business objectives is to:

156. An or g anization is considering m oving one of its critical business applications to a cloud hosting service. The cloud provi d er may not provide the same level of security for this application as the org a nization.

Which of the following will pro v ide the BEST information to he l p maintain the security posture? A. Ri s k a s s e ssment

B. Cloud security strategy

C. V ulnerability a ssessm e nt

D. Risk governance fra m ework

157. Which of the following will p r event dangling tuples in a database? A. C y c lic int e grity

B. Domain integrity

C. Relational integrity D. Referent i al integrity

158. W h en r eviewing the proced u r e s for the disposal of computers, which of the following should be the

GRE A TEST concern for the IS auditor?

159. As compar e d to un d erstanding a n org a nization's IT process from evidence directly collected, how valuable are prior a u d i t reports as evi d ence?

160. Which of the following data v a lidation control validates input data against pre d efined r ange value s ? A. Range C h eck

B. T able lookups

C. Existence check

D. Reasona b leness check

161. Identify the W AN message swi t ching techniq u e being used fr o m the description presented bel o w: “Data is routed in its enti r e t y from the source node to the de s ti n ation node, o ne ho p e at a time. During message ro u ting, every i n termedia t e switch in the n etwork stor e s the whole message. If t he entire network's re s ources are e nga g ed or t h e network b ec omes blocked, this W AN switching t e chnology s tores and delays the message un t il ample resources become available f or e f fective transmission of the message. “

162. An onli n e retailer is receiving customer ab o ut receiving d i f f e rent items from what they ord e red on t he org a nization ’ s website. T he r oot cause has been t r aced to poor data qualit y . Despite e f forts to clean err o neous d ata from the system, m u ltiple data qua l ity issues c o ntinue to occu r .

Which of the following re c ommendations would be the BEST way to reduce the likelihood of future occurrences?

163. A finance dep a rtme n t director has decided to outsource the org a nization ’ s budget ap p lication and has identified poten t ial p r oviders.

Which of the following actions should be initiated FIRST by the information security manager? A. V alidate that connectivity to the s e rvice p r ovider can be m a de securel y .

B. Obtain audit reports on the ser v ice providers h o sting environment. C. Review the disaster recovery plans (DRP) of the providers.

D. Align the roles of the organ i zation ’ s and the service providers’ sta f f s .

164. W h at is the most c o mmon purp o se of a virtual private network implementation?

165. In which of the follow i ng pay m ent mode, an is s uer attempts to emulate physic a l cash by creating digital certificates, which a re purchased by users w h o red e em t hem with the issuer at a later date?

166. Which of the following contr o ls would an IS auditor look for in an envi r onment w h er e duties cannot be ap p ropr ia tely segrega t ed?

167. Which of the following refers to the proving of mathematical theorems by a computer pro g ram? A. Analytical theorem pr o ving

B. Automat e d technology proving C. Automated theorem p r ocessing D. Automated theorem p r oving

E. None of t h e choices.

168. W h at is the best defense against Local DoS attacks? A. patch your systems.

B. run a vir u s checke r .

C. run an an t i-spy software.

D. find this program and kill i t. E. None of t h e choices.

169. Which of the following would be MOST useful to an informa t ion security manager w hen conducting a post-incident review of an attack?

170. The use of residual biomet r ic information to g ain un a utho riz ed access is an example of which of the following attac k s?

171. Which of the following is the PRIMA R Y purpose of documenting and a pproving a n information security pol ic y?

172. What should be a security mana g e r ’ s PRIMA R Y objective in t h e event of a s e c urity incident? A. Identify the source of the br e ach a n d how it was per p etrated.

B. Contain the threat and restore ope r ations in a timely manne r . C. Ensure that normal o p erations are not disrupte d .

D. Identify lapses in operational control e f fectiveness.

173. Which type of risk w o uld MOST influence the selection of a sampling methodology? A. Control

B. Inherent C. Residual D. Detection

174. Which of the following is the GRE A TEST risk of an inade q uate policy definition for ownership of data and systems?

175. Which of the following would be of GRE A TEST concern to an IS auditor receiving an org a nization ’ s security inci d ent handli n g proced u res?

176. Which of the following should be of GRE A TEST concern to an IS auditor condu c ting an audit of an org a nization ’ s backup processes?

177. Which of the following should be of GRE A TEST concern to an IS auditor reviewing actions taken during a fo re nsic inv e s ti g ation?

178. An IS auditor finds that a D BA has read and write access t o production data. The IS auditor should:

179. After implementation of a di s aster recovery plan, pre - disaster and p o st-disaster o peratio n al costs for an organ i zation will:

180. During an audit of identity and access management, an IS auditor finds that the eng a gement audit plan does n o t include the testing of controls that regulate ac c ess by third pa r ties.

Which of the following would be the audito r ’ s BEST c ourse of action? A. Plan to t e st these controls in another audit.

B. Escalate the deficiency to audit management.











C. Add testi n g of third-party a ccess controls to the scope of the audit.

D. Determine wheth e r the risk has been identified in the plann i ng documen t s.

181. An integrated test f a c ility is not c onsidered a useful audit t ool because it c annot c ompare p r ocessi n g output with inde p en d ently calculated data.

T rue or false? A. T rue

B. False

182. The BEST access strategy while configuring a firewall wou l d be to: A. permit access to all and log the activity

B. deny access to all but permit selected

C. permit access to a ll b u t deny selected

D. deny acc e ss to all except authorized programs

183. An IS a uditor perfo r ming an application maintenance audit would review the log of pro g ram c hang e s for the:

184. W h at can be impl e mented to provide the highest level of protection from external attack?

185. Which of the following is the MOST important element when developi n g an information security strategy?

186. Which of the following sampling t e chniques is commonly used in fraud d etection wh e n the expected occurrence r ate is small a nd the specific controls are critical?

187. Which of the following is MO S T important for an IS auditor to consider during a revi e w of the IT

govern a nce of an organi z ation? A. Funding allocations

B. Risk ma n agement methodol o gy

C. Defined service levels

D. Decision making responsibilities

188. Th e re are many known w e akn e ss e s within an Intrusion Detection S y s t em (IDS). Which of the following is NOT a limitation of an IDS?

189. An IS auditor has just compl e ted a physical a ccess review of the organization ’ s primary data cente r . Which of the following w e aknesses should be of MOST conce r n?

190. Which of the following state m ent INCORREC T L Y describes dev i ce and whe r e they sit within the

TCP/IP model?

191. When facilitating the align m ent of corporate governance and information securi t y govern a nce, which of the following is the MOST important role of an organization ’ s security s te e ring commit t ee?

192. Which of the following help(s) prevent an organization's s ystems from participa t ing in a distributed denialof-ser v ice (DDoS) a ttack?

193. R everse proxy tec h nology for web servers should be d e p loyed if: A. http serv e rs' address e s must be hidden.

B. accelerated access to a ll published pages is required. C. caching is needed f o r fault tolerance.

D. bandwidth to the user is limited.

194. Which of the following is the BEST physical security solution for granting and restricting access to individuals based on their unique access needs?

195. Which of the following should be an information security m a nag e r ’ s MOST important consideration when con duc ting a physical secur i ty r eview of a potential outs o urced data center?

196. An info r mation security manag e r ’ s PRIMA R Y objective for pr e senting key risks to t h e boa r d of directors is to:

197. Which key is used b y the s ender of a messa g e to create a digital signature for the message bei n g sent?

198. The re covery point objective (RPO) is required in which of the following? A. Informati o n security plan

B. I n cident response plan C. Disaster r ecovery plan D. Business continuity pl a n

199. Inhe r ent risk ratings are de t ermi n ed by assessing the impa c t and likeli h ood of a threat or v ulnerability occurring:

200. Which of the following is the MOST important benefit of in v olving IS audit when impl e menting govern a nce of enterprise IT?

201. Which of the following is the M O ST e f fect i ve control to m i nimize the risk of cross-site scripting

(XSS)?

202. The P RIMA R Y objective of a l o gical access control review is to: A. review access controls provided th r ough softwa r e.

B. ensure access is granted per the o r ganization's authorities.

C. walk through and assess the access provided in the IT environment.

D. provide assurance that compu t er hard w are is adeq u ately protected against abuse.

203. Which of the following is the INCORRECT Layer to Protocol m apping used in the DOD TCP/IP











model?

204. An or ga nization pla n s to implem e nt a virtualization strate g y enabling m ultiple ope r ating systems on a single host.

Which of the following sh o uld be the GRE A TEST concern with this strategy? A. Adequate storage space

B. Complexity of administration

C. Network bandw i dth

D. Application performa n ce

205. Which of the following is the BEST way to help ensure the security of pr i vacy-r e lated data stored b y an or g anization?

206. In the context of physical access control, what is known as the process of verifying u s er identities?

207. Which of the following protocol does NOT work at Network i n terface layer in TCP/IP model? A. IC M P

B. DNS C. ARP

D. Internet protocol

208. What should be the MAIN goal of an organiza t ion ’ s incident response plan? A. Keep stakehold e rs notif i ed of incident stat u s.

B. Enable appro p riate response according to criticalit y . C. Correlate incidents f r o m di f ferent systems.

D. Identify t h e root cause of the incident.

209. An IS auditor has completed a r e view of an outsourcing agreem e nt a n d has identi f ied IT governance issues.

Which of the following is the MOST e f f ective and e f ficient way of communicating the issues at a meeting with senior managem e nt?

210. Which of the following fun c tion in t r aditional EDI process m a nipulates a n d routes data between the application system and the communication hand l er?

211. An IS auditor discovers th a t developers have ope r ator access to the c o mmand line of a production environment ope r ating system.

Which of the following controls would BEST m itigate the risk of u ndetected a n d unau t h o rized pr o gram changes to the pr o du c tion environm e nt?

212. Which of the following is t he m o st fundamen t al step in preventing virus attacks? A. Adopting and commu n icating a c o mpreh e nsive an t ivirus policy

B. Implementing antivirus prot e ction software on us ers' deskt o p computers











C. Implementing antivirus conte n t ch e cking at all network-to-Internet gate way s

D. Inoculating systems with antivirus code

213. W h at determines the strength of a secret k e y within a symmetric key cryptos y stem?

214. The BEST way to v a lidate whether a malicious act has actua l ly occurred in an appl ic ation is to review:

215. Which of the following is the BEST source of information w h en assessing the amount of time a project will t a ke?

216. An IS auditor who h as disc o vered unauth o rized transactions during a r eview of EDI transactions is likely to recommend improving the:

217. Which of the following find i ngs should be an IS audito r ’ s GRE A TEST co n cern when re viewing an org a nization ’ s purchase of new IT infr a structure hardwa r e?

218. Which of the following is MO S T i mportant for the improvement of an organization ’ s incident response pr oc esses?

219. Which of the following tasks should be performed during an o rganization ’ s business continuity plan

(BCP) test?

220. Which of the following audit ma i nly focuses on d iscovering and disclosing on frauds a n d crimes? A. Compliance Audit

B. Financial Audit C. Integrated Audit D. Forensic audit

221. Which of the following would be MOST important to inclu d e in a data security policy to adequate l y manage the privacy of c u s tomer information?

222. An IS auditor revie w ing an a ccounts payable system disc o v e rs that audit logs are not being reviewed. When this issue is ra i sed w i th manage m ent the respon s e is that additional co n trols are not necessary b ecause e f fective system a ccess controls are in plac e .

The BEST r e s ponse the auditor can make is to: A. review the integrity of system acc e ss controls.

B. accept m a nagement's statement t h at e f fective a ccess controls are in place. C. stress the importance of having a system control framework in place.

D. review the background checks of the accounts p ayable sta f f.

223. Which of the following is an imp l ementation r i sk w i thin the process of d ecision support systems? A. Management control

B. Semistructured dimen s ions

C. inability to specify purpose and usage patterns

D. Chan g es in decision processes

224. An IS auditor discove r s that validation controls in a web app l ication have been mo v ed from the server side into the browser to b oost performance. This w ould MOST li k ely increase the risk of a successful attack by:

225. What is the MOST e f f ective w ay to ensure info r mation secur i ty incidents will be managed e f fectiv e ly and in a timely manner?

226. Diskless workstation is an example of: A. Handheld devices

B. Thin client computer C. Personal computer D. Midrange server

227. When developing a formal enterprise s e curity program, the MOST cr i tical succ e ss factor (CSF)

would be th e :

228. A p e n e tration test p erfor m ed as part of evaluating netwo r k s e c urity: A. provides a ssurance that all v u lnerabilities are discovered.

B. should be perform e d without warni n g the organi z ation's man a gement. C. exploits the existing vulnerabilities to ga i n unauthorized access.

D. would not damage the i nforma t ion a ssets when performed at n e twork per i meters.

229. As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them.

Which of the following would be the BEST c ourse of action for t he IS auditor? A. Accept t h e auditee ’ s response and perform additional testin g .

B. Conduct further discussions with t h e auditee to develop a mitigation plan.

C. Suggest hiring a third-party consult a nt to perform a current st a te asse s s m e nt. D. Issue a fi n al report without including the opinion of the auditee.

230. Which of the following actions should an organization ’ s s e curity policy require a n e mployee to take upon findi n g a security breach?

231. Which of the follow i ng is a telecommun i cation device that translates data from digital form to a n alog form and back to digital?

232. One a dvantage of m o netary un i t sampling is t h e fact that: A. results are stated in t e rms of the f r equ e ncy of items in er r or

B. it can easily be applied manually when computer resources a r e not available

C. it i n c reases the likelihood of selecting material items from the population D. large-val u e populati o n items are s e gre g ated a n d audited sep a rately

233. W h at t opology pro v ides the greatest redun da ncy of routes and the greatest network fault toler a nce? A. A star network topolo g y

B. A mesh n etwork topology wi t h packet forwarding enabled at each host

C. A bus ne t work topolo g y D. A ring network topolo g y

234. A p e r p etrator looki n g to gain access to and gather infor m ation about e ncr y pted data being transmitted over the network would use:

235. An IS auditor selects a ser v er for a penetrati o n test that will be carried o ut by a t e chnical specialist. Which of the following is MOST important?

236. Which of the following should be PRIMARI L Y i n cluded in a security training pr o gram for business process owners?

237. Which of the following would an IS auditor c o nsider the MOST relevant to short-term planning for an

IS department?

238. Which of the following should be an IS audito r ’ s FIRST activity when pl a nning an a u d it? A. Gain an understand i ng of t he area to be audited.

B. Document specific questions in the audit pro g r a m. C. Create a list of key c o n trols to be reviewed.

D. Identify proper res o ur c es for audit activities.

239. As part of the IEEE 802. 1 1 standard ratified in September 1999, WEP uses which stream cipher for confidentiality?

240. Which of the following is BE S T a ddressed when using a timestamp within a digital signature to deliver sensitive finan c ial information?

241. The M O ST important reason f o r documenting all aspects of a digital forensic inv e s ti g ation is that documentation:

242. D uring an exit intervie w , in cases where the r e is disagre e ment rega r di n g the impact of a finding, an

IS auditor s h ould:

243. Wh e n r ev iewing business continuity plan (BCP) test results, it is MOST important for the IS auditor to determine w hether the t e st:

244. What is the FIRST li n e of defense against cr i minal insider act i vities?

245. Which of the following fourth generation language depends on self-contained da t a b ase managem e nt s y stems?

246. A vailability C The IT resource must be available on a timely basis to meet mission requirements or to avoid substantial losses.

247. Which of the following is the BEST way to cont r ol the concurrent use of licensed soft w are? A. User se l f-discipline.

B. Monitor b y s y s tem administrato r .

C. Surprise audit conducted by vendo r s. D. Metering software

248. An IS auditor revie w ing security incident processes reali z e s incidents are res o lved a nd closed, but root causes are not investigated.

Which of the following sh o uld be the MAJOR conc e rn with this s i tuation? A. Abuses b y employees have not be e n report e d.

B. V ulnerabi l ities have n o t been pro pe rly addressed. C. Security incident policies are out of date.

D. Lessons lear n ed have n o t been p ro perly documented.

249. Which of the following is a benefit of a r i sk-based appro a ch to audit planning? A u dit: A. scheduling may be perf o rmed months in advance.

B. budgets are more likely to be met by the IS audit sta f f. C. sta f f will be exposed to a variety of technolog i es.

D. resources are allocated to the are a s of highest concern

250. In an a udit of an inventory application, which app r oach w o uld provide the BEST evidence that purchase or d ers are valid?

251. T alking about application sy s tem audit, focus should alwa y s be placed on (C h oose five.) A. performa n ce and con t rols of the system

B. the ability to limit unauthorized access and manipulation

C. input of data are pro c essed correctly

D. output of data are p roc essed correctly

E. changes to the system are pro p erly authorized

F . None of t h e choices.

252. Which of the following is pr o tocol d ata unit (PDU) of netwo r k interface l a y er in TCP/IP model? A. Data

B. Segment

C. Packet D. Frame

253. An IS auditor finds that client requests were processed m u ltiple times when received from di f fer e nt indep e nd e nt dep a rtmental databases, which are synchronized wee k l y .

What would be the BEST recommendation?

254. Which of the following user p rofiles should be of MOST concern to an IS auditor when performi n g an audit of an EFT system?

255. Which of the following is the MOST important requirement f o r the succ e ssful implem e ntation of security govern a nce?

256. Which of the following would he l p to ensure the portability of an application connected to a database?

257. An emp l oyee transfers from an organization ’ s risk manageme n t depar t ment to become the lead IS audito r . Whi l e in the risk m anagement department, the employee helped d evelop the key perform a nce indicators (KPIs) now used by the org a nization.

Which of the following would po s e the GRE A TEST threat to the in dependence of this auditor? A. Evaluating the e f fectiven e ss of IT risk manage m ent processes

B. Recomm e nding contro l s to address the IT risks identified by KPIs

C. Developi n g KPIs to measure the internal a u dit team











D. T raining the IT audit t e am on IT risk management processes

258. Which of the following should the IS auditor use to BEST d e termine whether a project has met it s business objectives?

259. A recent audit has identified that security controls requir e d by the organ i zation ’ s policies have not been imple m ented for a p ar t icular app l ication.

What should the information s e curity manag e r do NEXT to address this i s s u e? A. Deny access to the application until the issue is resolved.

B. Discuss t h e issue with data custodians to determine the re as on for the exception. C. Report the issue to s e nior management and request funding to fix the issue.

D. Discuss the issue with data owners to determine the reason f or the exception.

260. Which of the following would B E ST help ensure informat i on security i s e f fe c t ive following the outsourcing of ne t work operations?

261. The se l ection of s e c urity controls is PRIMARI L Y linked to: A. risk appetite of the organization.

B. regulatory requirem e nts.

C. business i m pact assessment.

D. best practices of similar organizati o ns.

262. The IS managem e nt of a multinational comp a ny is consideri n g up g rad in g its e xisting virtual private network (VPN) to support voice-over IP ( V oIP) c o mmunications v i a tunneling.

Which of the following co ns ide r ations should be PR I MARI L Y addr e ssed? A. Reliability and quali t y o f service (QoS)

B. Means of authentication

C. Privacy of voice transmissions

D. Confident i ality of data transmissions

263. In the IT dep a rtment whe r e segr e gation of dut i es is not feasible due to a limited number of resour c es, a team member is perfo r ming the functions of c o mputer ope r ator and rev i ewer of appl ic ation logs.

Which of the following w o uld be t he IS audito r ’ s BEST recomm e ndation? A. Develop procedures to verify that t h e application logs are n ot modified. B. Prevent the ope r ator from performing applicati o n developm e nt act i v ities. C. Assign an indepe n dent second reviewer to verify the applica t ion logs.

D. Restrict t h e computer operat o r ’ s access to the production environment.

264. Which of the following data validation edits is e f fect i v e in d etecting transposition and transcription errors?

265. Which of the following access rights in the production en v ironment s hould be grant e d to a develop e r to maintain segr e gation of duties?

266. Which of the following property of the core date warehouse l ayer of an e n terprise data flow architecture uses comm o n attribu t es t o access a c ross se c tion o f an information in the ware h ouse? A. Drill up

B. Drill down

C. Drill across

D. Historical Analysis

267. A vulnerability in wh i ch of t he fol l owing virtual systems would be of GRE A TEST concern to the IS

auditor?

268. An IS auditor is revi e wing IT policies and found that most policies have n ot been revi e wed in over 3 years.

The MOST significant risk is t hat the p olicies do not reflect: A. current legal requ i re m ents.

B. the vision of the CEO.

C. the missi o n of the org a nization. D. current industry best p ractices.

269. The MAIN pur p ose of documenti n g information security gui d e l ines for use within a la r ge, internati o nal org a nization is to:

270. A new i n formation security m ana g er is charged with reviewi n g and revising the information security strateg y .

The information security manag e r ’ s FIRST course of action sh o uld be to gain an und e rstanding of the org a nization ’ s:

271. Which of the following term r e lated to network p erformance refers to the variation in t h e time of arrival of packets on the recei v er of the information?

272. R un-to - run totals c a n veri f y data throu g h which stage(s) of application p rocessing? A. In i tial

B. V arious

C. Final

D. Output

273. For mission-critical applica t ions with a low recovery time objective ( R T O ) , which of the following is t he

BEST back u p strategy?

274. Which of the following compon e nts i s responsible for the c ollection of data in an intrusion detection s y stem (IDS ) ?

275. IT control objectives are u s eful to IS auditors, as they p rovide the basis for underst a nding the: A. desired result or purp o se of implementing spe c if i c control procedures.

B. best IT s e c urity control practices relevant to a s p ecific entit y . C. techniques for securing information.

D. security p olic y .

276. Which of the following is MOST important for an IS auditor to verify when reviewing an org a nization ’ s information security practices following the adoption of a bring your own d evice (BYOD) p r ogram?

277. V e nd or s have relea s ed patches fixing s e curity flaws in their software. Which of the following sh o uld an IS auditor recommend in this situation?

278. Which of the following would B E ST detect t h at a distribut e d- d enial - of-service attack (DDoS) is occurring?

279. Which of the following is the M O ST important di f ference between e nd - user computing (EUC)

applications and traditio n al applicatio ns ?

280. Which of the following term in bus i ness continu i ty determi n es the ma x i m um tolerable amount of t i me that is need e d to verify t h e s y stem a n d/or data int e grity?

281. An IS auditor can verify that an organization's business c o n tinuity plan ( BCP) is e f fe c tive by reviewing t h e:

282. Which of the following is the PRIMA R Y reason for database optimization in an enviro n ment with a high volume of transacti o ns?

283. On a daily basis, an in-hou s e development team moves d uplicate copies of production data containing p ersonally identifiable information (PII) to the test e n v ironment.

Which of the following is t he BEST w a y to mitigate the privacy risk involved? A. Require d ata own e rs to sign o f f on pro d uction data.

B. E n c rypt the data file.

C. Obtain customer opt-in acceptances.

D. Sanitize the data in the test envir o nment.

284. Which of the following compa r isons are used for identific a tion and aut h entication in a biometric s y stem?

285. Which of the following step of PDCA establishes the object i ves and proc e sses ne c essary to deliver











results in a cc ordance with the expect e d output? A. Plan

B. Do

C. Check D. A c t

286. The pr io ritization of inc i dent response actions should be P RIMARI L Y b ased on which of the following?

287. Which of the following is MO S T important when planning a n e twork audit? A. Determination of IP range in use

B. Isolation of rogue access points C. Identification of existi n g nodes D. Analysis of tra f f ic content

288. Which of the following should be of MOST c o ncern to an IS auditor reviewing an or ganization ’ s disaster recovery plan (DRP)?

289. Wh e n engagi n g s ervices from external audito rs , which of t h e following should be established FIRS T ? A. T ermination conditions agr e ements

B. Nondiscl o s ure agr e ements

C. Service l e v el agreem e nts

D. Operatio n al level agr e ements

290. Which of the following activ i ties performed by a database administrator (DBA) should be perfo r med by a di f ferent person?

291. D uring an ERP post-implementa t ion revie w , it was noted that operating costs have b een significantly higher th a n a nticipated.

Which of the following sh o uld the org an ization have done to de tec t this issue? A. Updated the project chart e r as major changes occurred

B. Conducted periodic user satisf a cti o n surveys

C. Performed an analysis of system u s age

D. Monitored financial key performan c e indicators (KPIs)

292. While observing a full simulation of the business continu i ty plan, an IS aud i tor notices that the notification systems within the organi z ational facilities could be severely im p acted by inf r a structural damage.

The BEST r e c ommendation the IS auditor can provide to the organization is to ensure: A. the salvage team is trained to use the notification system.

B. the notification system pro v ides for the recovery of the ba c k u p. C. redu n da n cies are built in t o the notification syst e m.











D. the notification systems are stored in a vault.

293. An IS auditor notes that IDS log e ntries related to port scanning are not being a n alyzed. This l a ck o f analysis will MOST likely increa s e the risk of succ e ss of which of the following attac k s?

294. Which of the following cryptography demands less computational po w er and o f fers more security per bit?

295. W h en assessing the design of network monitoring contro ls , an IS auditor should FIRST review network:

296. Which of the following would be MOST cr i tical for an IS auditor to look for when eval u ating fire precautions in a manned data center loca t ed in the upper floor of a multi- s tory building?

297. An IS a u ditor is perfo r ming a busi n ess continuity plan (BC P ) audit and id entifies that the plan has not been tested for five years.

Howeve r , the plan was succe s s fully activated during a recent e x tended p o w e r outage. Which of the following is the IS audito r ’ s BEST course of acti o n?

298. An or g anization h a s recently i nstalled a security patch, which crashed the production serve r . T o minimize the probability of this o cc u rring again, an IS aud i tor should:

299. An IS auditor is assessing r i sk associated with peer-to - pe e r file sharing within an or g an i zation. Which of the following sh o uld be of GRE A TEST co n cern?

300. Which of the following should be included in an organization's IS s e c urity policy? A. A l i s t of k e y I T resources to be secured

B. The basis for acc e ss a uthorization

C. Identity of sensiti v e s e curity featur e s D. Relevant software security features

301. Which of the following is NOT a defined ISO basic task related to netwo r k managem e nt? A. Fault management

B. Accounting resources

C. Security managem e nt

D. Communications ma n agement

302. "Under the concept of ""defense in depth"", subsystems should be d esigned to:" A. ""fail insecure"""

B. ""fail sec u re"""

C. ""react to attack""" D. ""react to failure"""

E. None of t h e choices.

303. The ab i lity of the internal IS aud i t function to achieve d esired objectives depends largely on: A. the training of audit pe r sonnel

B. the backgrou n d of aud i t personnel

C. the inde p end e nce o f audit person n el D. the perfo r mance of audit personnel E. None of t h e choices.

304. An IS auditor is evalu a ting the completeness of privacy procedu r es involving per s on a lly identifiable information ( PII).

Which of the following is MOST important for the auditor to ve r ify is included in the proce d ures? A. Regulato r y requireme nt s for protecting PII

B. The orga n ization ’ s definition of PII

C. Encrypti o n requirements for transmitting PII e xternally D. A descript i on of how PII i s masked w ithin key systems

305. Following request for proposal (RFP) responses, a project s eeking to acquire a new application system has i dentif i ed a short list of v e ndors. At this point, the IS auditor sho u ld:

306. Involvement of senior mana g ement is MOST important in the develop m ent of: A. strategic p lans.

B. IS policies.











C. IS procedures.

D. standards and guideli n es.

307. Wh e n r ev iewing a n e wly i m plemented quality managem e nt system (QMS), which of t he following should be the IS audito r ’ s PRIMA R Y concern?

308. Which of the following term in bus i ness continu i ty defines the total amount of t i me that a business process can be disrupted witho u t causing any unacceptable consequences?

309. Which of the following is the BEST way to determine if IT is delivering value to the business? A. Distribute surveys to various end us ers of IT services.

B. Interview key IT managers and service providers. C. Review IT service level agreem e nt (SLA) metrics. D. Analyze d owntime fre q uency and duration.

310. Which of the following is MO S T he l pful in preventing a sys t e ms failure fr o m occurring when a n application is repla c ed using the abr up t changeover technique?

311. D uring an impleme n tation rev i ew of a multi u s er distributed application, an IS auditor finds minor weaknesses in three ar eas -the ini t ial setting of par a meters is impro p erly installed, weak passwords are being us e d a nd some v ital reports are not being c h ecked prop erl y . While preparing t h e a u dit report, the IS auditor shou l d:

312. In an IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potential an o malies in us e r or system b ehavio r .

Which of the following too l s are MOST suitable for performing that ta s k ? A. CA S E too l s

B. Embedd e d data collection tools

C. Heuristic scanning tools

D. T rend/variance detection tools

313. An or g anization using insta n t messaging to communicate with cust o mers can prevent legitim a te customers from being impersonat e d b y: