A.  

Implement a new system that can be patched.

B.  

Implement additional firewalls to protect the system.

C.  

Decommission the server.

D.  

Evaluate the associated risk.

A.  

Degaussing

B.  

Random character overwrite

C.  

Physical destruction

D.  

Low-level formatting

A.  

Gap analysis

B.  

Audit reports

C.  

Risk profile

D.  

Risk register

A.  

randomly selected by a test generator.

B.  

provided by the vendor of the application.

C.  

randomly selected by the user.

D.  

simulated by production entities and customers.

A.  

Availability of IS audit resources

B.  

Remediation dates included in management responses

C.  

Peak activity periods for the business

D.  

Complexity of business processes identified in the audit

A.  

the access control system's log settings.

B.  

how the latest system changes were implemented.

C.  

the access control system's configuration.

D.  

the access rights that have been granted.

A.  

The standard is met as long as one member has a globally recognized audit certification.

B.  

Technical co-sourcing must be used to help the new staff.

C.  

Team member assignments must be based on individual competencies.

D.  

The standard is met as long as a supervisor reviews the new auditors' work.

A.  

To address the overall risk associated with the activity under review

B.  

To identify areas with relatively high probability of material problems

C.  

To help ensure maximum use of audit resources during the engagement

D.  

To help prioritize and schedule auditee meetings

A.  

Programs are not approved before production source libraries are updated.

B.  

Production source and object libraries may not be synchronized.

C.  

Changes are applied to the wrong version of production source libraries.

D.  

Unauthorized changes can be moved into production.

A.  

Number of successful penetration tests

B.  

Percentage of protected business applications

C.  

Financial impact per security event

D.  

Number of security vulnerability patches

A.  

No dedicated security officer

B.  

No official charier for the information security management system

C.  

No periodic assessments to identify threats and vulnerabilities

D.  

No employee awareness training and education program

A.  

Responsible

B.  

Informed

C.  

Consulted

D.  

Accountable

A.  

Staging

B.  

Testing

C.  

Integration

D.  

Development

A.  

The security of the desktop PC is enhanced.

B.  

Administrative security can be provided for the client.

C.  

Desktop application software will never have to be upgraded.

D.  

System administration can be better managed

A.  

Verifying that access privileges have been reviewed

B.  

investigating access rights for expiration dates

C.  

Updating the continuity plan for critical resources

D.  

Updating the security policy

A.  

Data from the source and target system may be intercepted.

B.  

Data from the source and target system may have different data formats.

C.  

Records past their retention period may not be migrated to the new system.

D.  

System performance may be impacted by the migration

A.  

The IT strategy is modified in response to organizational change.

B.  

The IT strategy is approved by executive management.

C.  

The IT strategy is based on IT operational best practices.

D.  

The IT strategy has significant impact on the business strategy

A.  

Water sprinkler

B.  

Fire extinguishers

C.  

Carbon dioxide (CO2)

D.  

Dry pipe

A.  

The certificate revocation list has not been updated.

B.  

The PKI policy has not been updated within the last year.

C.  

The private key certificate has not been updated.

D.  

The certificate practice statement has not been published

A.  

Function point analysis

B.  

Balanced scorecard review

C.  

Post-implementation review

D.  

Business impact analysis (BIA)

A.  

A business impact analysis (BIA) has not been performed

B.  

Business data is not sanitized in the development environment

C.  

There is no plan for monitoring system downtime

D.  

The process owner has not signed off on user acceptance testing (UAT)

A.  

Revise the assessment based on senior management's objections.

B.  

Escalate the issue to audit management.

C.  

Finalize the draft audit report without changes.

D.  

Gather evidence to analyze senior management's objections

A.  

Business continuity plan (BCP) testing

B.  

Business impact analysis (BIA)

C.  

Disaster recovery plan (DRP) testing

D.  

Risk assessment

A.  

reflect current practices.

B.  

include new systems and corresponding process changes.

C.  

incorporate changes to relevant laws.

D.  

be subject to adequate quality assurance (QA).

A.  

test environment with production workloads.

B.  

production environment with production workloads.

C.  

production environment with test data.

D.  

test environment with test data.

A.  

Implementation plan

B.  

Project budget provisions

C.  

Requirements analysis

D.  

Project plan

A.  

Reviewing the last compile date of production programs

B.  

Manually comparing code in production programs to controlled copies

C.  

Periodically running and reviewing test data against production programs

D.  

Verifying user management approval of modifications

A.  

Annual sign-off of acceptable use policy

B.  

Regular monitoring of user access logs

C.  

Security awareness training

D.  

Formalized disciplinary action

A.  

Review working papers with the auditee.

B.  

Request the auditee provide management responses.

C.  

Request management wait until a final report is ready for discussion.

D.  

Present observations for discussion only.

A.  

Reconciliation of total amounts by project

B.  

Validity checks, preventing entry of character data

C.  

Reasonableness checks for each cost type

D.  

Display the back of the project detail after the entry

A.  

The system does not have a maintenance plan.

B.  

The system contains several minor defects.

C.  

The system deployment was delayed by three weeks.

D.  

The system was over budget by 15%.

A.  

To ensure that older versions are availability for reference

B.  

To ensure that only the latest approved version of the application is used

C.  

To ensure compatibility different versions of the application

D.  

To ensure that only authorized users can access the application

A.  

Senior management's request

B.  

Prior year's audit findings

C.  

Organizational risk assessment

D.  

Previous audit coverage and scope

A.  

communicate via Transport Layer Security (TLS),

B.  

block authorized users from unauthorized activities.

C.  

channel access only through the public-facing firewall.

D.  

channel access through authentication.

A.  

Unicode translation

B.  

Secure Sockets Layer (SSL) encryption

C.  

Input validation

D.  

Digital signatures

A.  

Alignment with the IT tactical plan

B.  

IT steering committee minutes

C.  

Compliance with industry best practice

D.  

Business objectives

A.  

The process does not require specifying the physical locations of assets.

B.  

Process ownership has not been established.

C.  

The process does not include asset review.

D.  

Identification of asset value is not included in the process.

A.  

efficiency due to the re-use of elements of logic.

B.  

management of sequential program execution for data access.

C.  

grouping of objects into methods for data access.

D.  

management of a restricted variety of data types for a data object.

A.  

Rollback strategy

B.  

Test cases

C.  

Post-implementation review objectives

D.  

Business case

A.  

Counting the transactions processed per day

B.  

Performing a sequence check

C.  

Tracing data back to the point of origin

D.  

Preparing and running test data

A.  

The policy includes a strong risk-based approach.

B.  

The retention period allows for review during the year-end audit.

C.  

The total transaction amount has no impact on financial reporting.

D.  

The retention period complies with data owner responsibilities.

A.  

Portfolio management

B.  

Business plans

C.  

Business processes

D.  

IT strategic plans

A.  

Analyze whether predetermined test objectives were met.

B.  

Perform testing at the backup data center.

C.  

Evaluate participation by key personnel.

D.  

Test offsite backup files.

A.  

Effectiveness of the security program

B.  

Security incidents vs. industry benchmarks

C.  

Total number of hours budgeted to security

D.  

Total number of false positives

A.  

Consulted

B.  

Informed

C.  

Responsible

D.  

Accountable

A.  

Securing information assets in accordance with the classification assigned

B.  

Validating that assets are protected according to assigned classification

C.  

Ensuring classification levels align with regulatory guidelines

D.  

Defining classification levels for information assets within the organization

A.  

Data migration is not part of the contracted activities.

B.  

The replacement is occurring near year-end reporting

C.  

The user department will manage access rights.

D.  

Testing was performed by the third-party consultant

A.  

A single point of failure for both voice and data communications

B.  

Inability to use virtual private networks (VPNs) for internal traffic

C.  

Lack of integration of voice and data communications

D.  

Voice quality degradation due to packet toss

A.  

To decrease system response time

B.  

To Improve the recovery lime objective (RTO)

C.  

To facilitate faster backups

D.  

To improve system resiliency

A.  

Detective

B.  

Compensating

C.  

Corrective

D.  

Directive

A.  

Average the business units’ IT risk levels

B.  

Identify the highest-rated IT risk level among the business units

C.  

Prioritize the organization's IT risk scenarios

D.  

Establish a global IT risk scoring criteria

A.  

The cost of outsourcing is lower than in-house development.

B.  

The vendor development team is located overseas.

C.  

A training plan for business users has not been developed.

D.  

The data model is not clearly documented.

A.  

application firewall policy settings.

B.  

a three-tier web architecture.

C.  

secure coding practices.

D.  

use of common industry frameworks.

A.  

Periodically reviewing log files

B.  

Configuring the router as a firewall

C.  

Using smart cards with one-time passwords

D.  

Installing biometrics-based authentication

A.  

Document the finding and present it to management.

B.  

Determine if a root cause analysis was conducted.

C.  

Confirm the resolution time of the incidents.

D.  

Validate whether all incidents have been actioned.

A.  

Enterprise risk manager

B.  

Project sponsor

C.  

Information security officer

D.  

Project manager

A.  

Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees

B.  

Establishing strong access controls on confidential data

C.  

Providing education and guidelines to employees on use of social networking sites

D.  

Monitoring employees' social networking usage

A.  

Require all employees to sign nondisclosure agreements (NDAs).

B.  

Develop an acceptable use policy for end-user computing (EUC).

C.  

Develop an information classification scheme.

D.  

Provide notification to employees about possible email monitoring.

A.  

Detective

B.  

Logical

C.  

Preventive

D.  

Corrective

A.  

Double-posting of a single journal entry

B.  

Inability to support new business transactions

C.  

Unauthorized alteration of account attributes

D.  

Inaccuracy of financial reporting

A.  

Capacity management plan

B.  

Training plans

C.  

Database conversion results

D.  

Stress testing results

A.  

Background checks

B.  

User awareness training

C.  

Transaction log review

D.  

Mandatory holidays

A.  

Developing and communicating test procedure best practices to audit teams

B.  

Developing and implementing an audit data repository

C.  

Decentralizing procedures and Implementing periodic peer review

D.  

Centralizing procedures and implementing change control

A.  

establish criteria for reviewing alerts.

B.  

recruit more monitoring personnel.

C.  

reduce the firewall rules.

D.  

fine tune the intrusion detection system (IDS).

A.  

There is not a defined IT security policy.

B.  

The business strategy meeting minutes are not distributed.

C.  

IT is not engaged in business strategic planning.

D.  

There is inadequate documentation of IT strategic planning.

A.  

Examine the computer to search for evidence supporting the suspicions.

B.  

Advise management of the crime after the investigation.

C.  

Contact the incident response team to conduct an investigation.

D.  

Notify local law enforcement of the potential crime before further investigation.

A.  

incident management.

B.  

quality assurance (QA).

C.  

change management.

D.  

project management.

A.  

re-prioritize the original issue as high risk and escalate to senior management.

B.  

schedule a follow-up audit in the next audit cycle.

C.  

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.  

determine whether the alternative controls sufficiently mitigate the risk.

A.  

Notify the chair of the audit committee.

B.  

Notify the audit manager.

C.  

Retest the control.

D.  

Close the audit finding.

A.  

firewall standards.

B.  

configuration of the firewall

C.  

firmware version of the firewall

D.  

location of the firewall within the network

A.  

recommend that the option to directly modify the database be removed immediately.

B.  

recommend that the system require two persons to be involved in modifying the database.

C.  

determine whether the log of changes to the tables is backed up.

D.  

determine whether the audit trail is secured and reviewed.

A.  

Balanced scorecard

B.  

Enterprise dashboard

C.  

Enterprise architecture (EA)

D.  

Key performance indicators (KPIs)

A.  

Verify the disaster recovery plan (DRP) has been tested.

B.  

Ensure the intrusion prevention system (IPS) is effective.

C.  

Assess the security risks to the business.

D.  

Confirm the incident response team understands the issue.

A.  

Limit employee internet access.

B.  

Implement data classification procedures.

C.  

Review firewall logs for anomalies.

D.  

Conduct periodic security awareness training.

A.  

Incident monitoring togs

B.  

The ISP service level agreement

C.  

Reports of network traffic analysis

D.  

Network topology diagrams

A.  

the same hashing algorithm as the sender's to create a binary image of the file.

B.  

a different hashing algorithm from the sender's to create a binary image of the file.

C.  

the same hashing algorithm as the sender's to create a numerical representation of the file.

D.  

a different hashing algorithm from the sender's to create a numerical representation of the file.

A.  

Limit check

B.  

Parity check

C.  

Reasonableness check

D.  

Validity check

A.  

Periodic vendor reviews

B.  

Dual control

C.  

Independent reconciliation

D.  

Re-keying of monetary amounts

E.  

Engage an external security incident response expert for incident handling.

A.  

Compliance with action plans resulting from recent audits

B.  

Compliance with local laws and regulations

C.  

Compliance with industry standards and best practice

D.  

Compliance with the organization's policies and procedures

A.  

Perform background verification checks.

B.  

Review third-party audit reports.

C.  

Implement change management review.

D.  

Conduct a privacy impact analysis.

A.  

Availability of the site in the event of multiple disaster declarations

B.  

Coordination with the site staff in the event of multiple disaster declarations

C.  

Reciprocal agreements with other organizations

D.  

Complete testing of the recovery plan

A.  

Percentage of new hires that have completed the training.

B.  

Number of new hires who have violated enterprise security policies.

C.  

Number of reported incidents by new hires.

D.  

Percentage of new hires who report incidents

A.  

Aligning the framework to industry best practices

B.  

Establishing committees to support and oversee framework activities

C.  

Involving appropriate business representation within the framework

D.  

Documenting IT-related policies and procedures

A.  

System flowchart

B.  

Data flow diagram

C.  

Process flowchart

D.  

Entity-relationship diagram

A.  

File level encryption

B.  

File Transfer Protocol (FTP)

C.  

Instant messaging policy

D.  

Application-level firewalls

A.  

Agile auditing

B.  

Continuous auditing

C.  

Outsourced auditing

D.  

Risk-based auditing

A.  

Lack of appropriate labelling

B.  

Lack of recent awareness training.

C.  

Lack of password protection

D.  

Lack of appropriate data classification

A.  

Invoking the disaster recovery plan (DRP)

B.  

Backing up data frequently

C.  

Paying the ransom

D.  

Requiring password changes for administrative accounts

A.  

The current business capabilities delivered by the legacy system

B.  

The proposed network topology to be used by the redesigned system

C.  

The data flows between the components to be used by the redesigned system

D.  

The database entity relationships within the legacy system

A.  

a risk management process.

B.  

an information security framework.

C.  

past information security incidents.

D.  

industry best practices.

A.  

Require employees to attend security awareness training.

B.  

Password protect critical data files.

C.  

Configure to auto-wipe after multiple failed access attempts.

D.  

Enable device auto-lock function.

A.  

note the noncompliance in the audit working papers.

B.  

issue an audit memorandum identifying the noncompliance.

C.  

include the noncompliance in the audit report.

D.  

determine why the procedures were not followed.

A.  

Ensuring unauthorized individuals do not tamper with evidence after it has been captured

B.  

Ensuring evidence is sufficient to support audit conclusions

C.  

Ensuring appropriate statistical sampling methods were used

D.  

Ensuring evidence is labeled to show it was obtained from an approved source

A.  

Conduct periodic on-site assessments using agreed-upon criteria.

B.  

Periodically review the service level agreement (SLA) with the vendor.

C.  

Conduct an unannounced vulnerability assessment of vendor's IT systems.

D.  

Obtain evidence of the vendor's control self-assessment (CSA).

A.  

Block all compromised network nodes.

B.  

Contact law enforcement.

C.  

Notify senior management.

D.  

Identity nodes that have been compromised.

A.  

information security team.

B.  

IS audit manager.

C.  

chief information officer (CIO).

D.  

business owner.

A.  

Risk avoidance

B.  

Risk transfer

C.  

Risk acceptance

D.  

Risk reduction

A.  

security parameters are set in accordance with the manufacturer s standards.

B.  

a detailed business case was formally approved prior to the purchase.

C.  

security parameters are set in accordance with the organization's policies.

D.  

the procurement project invited lenders from at least three different suppliers.

A.  

allocation of resources during an emergency.

B.  

frequency of system testing.

C.  

differences in IS policies and procedures.

D.  

maintenance of hardware and software compatibility.

A.  

Implement overtime pay and bonuses for all development staff.

B.  

Utilize new system development tools to improve productivity.

C.  

Recruit IS staff to expedite system development.

D.  

Deliver only the core functionality on the initial target date.

A.  

Tunneling

B.  

Encryption

C.  

Message validation

D.  

Firewalls

A.  

Data conversion was performed using manual processes.

B.  

Backups of the old system and data are not available online.

C.  

Unauthorized data modifications occurred during conversion.

D.  

The change management process was not formally documented

A.  

Segregation of duties between issuing purchase orders and making payments.

B.  

Segregation of duties between receiving invoices and setting authorization limits

C.  

Management review and approval of authorization tiers

D.  

Management review and approval of purchase orders

A.  

Review of program documentation

B.  

Use of test transactions

C.  

Interviews with knowledgeable users

D.  

Review of source code

A.  

Level of stakeholder satisfaction with the scope of planned IT projects

B.  

Percentage of enterprise risk assessments that include IT-related risk

C.  

Percentage of stat satisfied with their IT-related roles

D.  

Frequency of business process capability maturity assessments

A.  

Loss of application support

B.  

Lack of system integrity

C.  

Outdated system documentation

D.  

Developer access 1o production

A.  

Environment segregation

B.  

Reconciliation

C.  

System backups

D.  

Access controls

A.  

Procedures may not align with best practices

B.  

Human resources (HR) records may not match system access.

C.  

Unauthorized access cannot he identified.

D.  

Access rights may not be removed in a timely manner.

A.  

Users can export application logs.

B.  

Users can view sensitive data.

C.  

Users can make unauthorized changes.

D.  

Users can install open-licensed software.

A.  

Abuses by employees have not been reported.

B.  

Lessons learned have not been properly documented

C.  

vulnerabilities have not been properly addressed

D.  

Security incident policies are out of date.

A.  

The end-to-end process is understood and documented.

B.  

Roles and responsibilities are defined for the business processes in scope.

C.  

A benchmarking exercise of industry peers who use RPA has been completed.

D.  

A request for proposal (RFP) has been issued to qualified vendors.

A.  

The use of the cloud negatively impacting IT availably

B.  

Increased need for user awareness training

C.  

Increased vulnerability due to anytime, anywhere accessibility

D.  

Lack of governance and oversight for IT infrastructure and applications

A.  

Increasing the frequency of risk-based IS audits for each business entity

B.  

Developing a risk-based plan considering each entity's business processes

C.  

Conducting an audit of newly introduced IT policies and procedures

D.  

Revising IS audit plans to focus on IT changes introduced after the split

A.  

Server room access history

B.  

Emergency change records

C.  

IT security incidents

D.  

Penetration test results

A.  

Installing security software on the devices

B.  

Partitioning the work environment from personal space on devices

C.  

Preventing users from adding applications

D.  

Restricting the use of devices for personal purposes during working hours

A.  

Utilize a network-based firewall.

B.  

Conduct regular user security awareness training.

C.  

Perform domain name system (DNS) server security hardening.

D.  

Enforce a strong password policy meeting complexity requirement.

A.  

Customer service complaints

B.  

Automated monitoring of logs

C.  

Server crashes

D.  

Penetration testing

A.  

Leverage the work performed by external audit for the internal audit testing.

B.  

Ensure both the internal and external auditors perform the work simultaneously.

C.  

Request that the external audit team leverage the internal audit work.

D.  

Roll forward the general controls audit to the subsequent audit year.

A.  

Perform a business impact analysis (BIA).

B.  

Determine which databases will be in scope.

C.  

Identify the most critical database controls.

D.  

Evaluate the types of databases being used

A.  

Misconfiguration and missing updates

B.  

Malicious software and spyware

C.  

Zero-day vulnerabilities

D.  

Security design flaws

A.  

prevents loss of assets.

B.  

helps to align organizational objectives.

C.  

facilitates budgeting accuracy.

D.  

enables risk management decisions.

A.  

application programmer

B.  

systems programmer

C.  

computer operator

D.  

quality assurance (QA) personnel

A.  

Determine the resources required to make the controleffective.

B.  

Validate the overall effectiveness of the internal control.

C.  

Verify the impact of the control no longer being effective.

D.  

Ascertain the existence of other compensating controls.

A.  

Network penetration tests are not performed

B.  

The network firewall policy has not been approved by the information security officer.

C.  

Network firewall rules have not been documented.

D.  

The network device inventory is incomplete.

A.  

Mobile device tracking program

B.  

Mobile device upgrade program

C.  

Mobile device testing program

D.  

Mobile device awareness program

A.  

Prepare detailed plans for each business function.

B.  

Involve staff at all levels in periodic paper walk-through exercises.

C.  

Regularly update business impact assessments.

D.  

Make senior managers responsible for their plan sections.

A.  

Analyze a new application that moots the current re

B.  

Perform an analysis to determine the business risk

C.  

Bring the escrow version up to date.

D.  

Develop a maintenance plan to support the application using the existing code

A.  

The quality of the data is not monitored.

B.  

Imported data is not disposed frequently.

C.  

The transfer protocol is not encrypted.

D.  

The transfer protocol does not require authentication.

A.  

There are documented compensating controls over the business processes.

B.  

The risk acceptances were previously reviewed and approved by appropriate senior management

C.  

The business environment has not significantly changed since the risk acceptances were approved.

D.  

The risk acceptances with issues reflect a small percentage of the total population

A.  

Establishing a well-designed framework for network servirces.

B.  

Finding performance metrics that can be measured properly

C.  

Ensuring that network components are not modified by the client

D.  

Reducing the number of entry points into the network

A.  

Implementing the remediation plan

B.  

Partially completing the CSA

C.  

Developing the remediation plan

D.  

Developing the CSA questionnaire

A.  

Redundant pathways

B.  

Clustering

C.  

Failover power

D.  

Parallel testing

A.  

Testing incident response plans with a wide range of scenarios

B.  

Prioritizing incidents after impact assessment.

C.  

Linking incidents to problem management activities

D.  

Training incident management teams on current incident trends

A.  

The DRP has not been formally approved by senior management.

B.  

The DRP has not been distributed to end users.

C.  

The DRP has not been updated since an IT infrastructure upgrade.

D.  

The DRP contains recovery procedures for critical servers only.

A.  

Verify all patches have been applied to the software system's outdated version

B.  

Close all unused ports on the outdated software system.

C.  

Segregate the outdated software system from the main network.

D.  

Monitor network traffic attempting to reach the outdated software system.

A.  

Project management

B.  

Risk assessment results

C.  

IT governance framework

D.  

Portfolio management

A.  

Temperature sensors

B.  

Humidity sensors

C.  

Water sensors

D.  

Air pressure sensors

A.  

Lessons learned were implemented.

B.  

Management approved the PIR report.

C.  

The review was performed by an external provider.

D.  

Project outcomes have been realized.

A.  

Obtain error codes indicating failed data feeds.

B.  

Purchase data cleansing tools from a reputable vendor.

C.  

Appoint data quality champions across the organization.

D.  

Implement business rules to reject invalid data.

A.  

Message encryption

B.  

Certificate authority (CA)

C.  

Steganography

D.  

Message digest

A.  

Risk identification

B.  

Risk classification

C.  

Control self-assessment (CSA)

D.  

Impact assessment

A.  

deleted data cannot easily be retrieved.

B.  

deleting the files logically does not overwrite the files' physical data.

C.  

backup copies of files were not deleted as well.

D.  

deleting all files separately is not as efficient as formatting the hard disk.

A.  

Have an independent party review the source calculations

B.  

Execute copies of EUC programs out of a secure library

C.  

implement complex password controls

D.  

Verify EUC results through manual calculations

A.  

Approved test scripts and results prior to implementation

B.  

Written procedures defining processes and controls

C.  

Approved project scope document

D.  

A review of tabletop exercise results

A.  

A formal request for proposal (RFP) process

B.  

Business case development procedures

C.  

An information asset acquisition policy

D.  

Asset life cycle management.

A.  

Statement of work (SOW)

B.  

Nondisclosure agreement (NDA)

C.  

Service level agreement (SLA)

D.  

Privacy agreement

A.  

Analyzing risks posed by new regulations

B.  

Developing procedures to monitor the use of personal data

C.  

Defining roles within the organization related to privacy

D.  

Designing controls to protect personal data

A.  

Review the documentation of recant changes to implement sequential order numbering.

B.  

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.  

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.  

Examine a sample of system generated purchase orders obtained from management

A.  

Role-based access control policies

B.  

Types of data that can be uploaded to the platform

C.  

Processes for on-boarding and off-boarding users to the platform

D.  

Processes for reviewing administrator activity

A.  

Service level agreement (SLA)

B.  

Hardware change management policy

C.  

Vendor memo indicating problem correction

D.  

An up-to-date RACI chart

A.  

Implement key performance indicators (KPIs)

B.  

Implement annual third-party audits.

C.  

Benchmark organizational performance against industry peers.

D.  

Require executive management to draft IT strategy

A.  

Earned value analysis (EVA)

B.  

Return on investment (ROI) analysis

C.  

Gantt chart

D.  

Critical path analysis

A.  

To limit the liability associated with storing and protecting information

B.  

To document business objectives for processing data within the organization

C.  

To assign responsibility and ownership for data protection outside IT

D.  

To establish a recovery point detective (RPO) for (toaster recovery procedures

A.  

Monitor and restrict vendor activities

B.  

Issues an access card to the vendor.

C.  

Conceal data devices and information labels

D.  

Restrict use of portable and wireless devices.

A.  

promote best practices

B.  

increase efficiency.

C.  

optimize investments.

D.  

ensure compliance.

A.  

reclassify the data to a lower level of confidentiality

B.  

require the business owner to conduct regular access reviews.

C.  

implement a strong password schema for users.

D.  

recommend corrective actions to be taken by the security administrator.

A.  

gather information from the customers regarding response times and quality of service.

B.  

review the manual and automated controls in the call center.

C.  

test the technical infrastructure at the call center.

D.  

evaluate the operational risk associated with the call center.

A.  

Use an electronic vault for incremental backups

B.  

Deploy a fully automated backup maintenance system.

C.  

Periodically test backups stored in a remote location

D.  

Use both tape and disk backup systems

A.  

The contract does not contain a right-to-audit clause.

B.  

An operational level agreement (OLA) was not negotiated.

C.  

Several vendor deliverables missed the commitment date.

D.  

Software escrow was not negotiated.

A.  

data analytics findings.

B.  

audit trails

C.  

acceptance lasting results

D.  

rollback plans

A.  

Sampling risk

B.  

Detection risk

C.  

Control risk

D.  

Inherent risk

A.  

the provider has alternate service locations.

B.  

the contract includes compensation for deficient service levels.

C.  

the provider's information security controls are aligned with the company's.

D.  

the provider adheres to the company's data retention policies.

A.  

The testing produces a lower number of false positive results

B.  

Network bandwidth is utilized more efficiently

C.  

Custom-developed applications can be tested more accurately

D.  

The testing process can be automated to cover large groups of assets

A.  

Implement controls to prohibit downloads of unauthorized software.

B.  

Conduct periodic software scanning.

C.  

Perform periodic counting of licenses.

D.  

Require senior management approval when installing licenses.

A.  

The log is reviewed on a monthly basis.

B.  

Authorized access is required to view the log.

C.  

The log cannot be modified.

D.  

The log is retained per policy.

A.  

Regular scanning of hard drives

B.  

Communicating the policy to employees

C.  

Logging of activity on the network

D.  

Maintaining current antivirus software

A.  

comply with vendor management policy

B.  

convert source code to new executable code.

C.  

satisfy regulatory requirements.

D.  

ensure the source code is available.

A.  

Insufficient processes to track ownership of each EUC application?

B.  

Insufficient processes to lest for version control

C.  

Lack of awareness training for EUC users

D.  

Lack of defined criteria for EUC applications

A.  

Employees must immediately report lost or stolen mobile devices containing organizational data

B.  

Employees must sign acknowledgment of the organization's mobile device acceptable use policy

C.  

Employees must enroll their personal devices in the organization's mobile device management program

A.  

Inform potentially affected customers of the security breach

B.  

Notify business management of the security breach.

C.  

Research the validity of the alerted breach

D.  

Engage a third party to independently evaluate the alerted breach.

A.  

Cost of projects divided by total IT cost

B.  

Expected return divided by total project cost

C.  

Net present value (NPV) of the portfolio

D.  

Total cost of each project

A.  

Project segments are established.

B.  

The work is separated into phases.

C.  

The work is separated into sprints.

D.  

Project milestones are created.

A.  

Identify approved data workflows across the enterprise.

B.  

Conduct a threat analysis against sensitive data usage.

C.  

Create the DLP pcJc.es and templates

D.  

Conduct a data inventory and classification exercise

A.  

Shared facilities

B.  

Adequacy of physical and environmental controls

C.  

Results of business continuity plan (BCP) test

D.  

Retention policy and period

A.  

Unit testing

B.  

Pilot testing

C.  

System testing

D.  

Integration testing

A.  

Human resources (HR) sourcing strategy

B.  

Records of actual time spent on projects

C.  

Peer organization staffing benchmarks

D.  

Budgeted forecast for the next financial year

A.  

The design of controls

B.  

Industry standards and best practices

C.  

The results of the previous audit

D.  

The amount of time since the previous audit

A.  

Compare the agile process with previous methodology.

B.  

Identify and assess existing agile process control

C.  

Understand the specific agile methodology that will be followed.

D.  

Interview business process owners to compile a list of business requirements

A.  

Terminated staff

B.  

Unauthorized access

C.  

Deleted log data

D.  

Hacktivists

A.  

Reviewing the parameter settings

B.  

Reviewing the system log

C.  

Interviewing the firewall administrator

D.  

Reviewing the actual procedures

A.  

Reviewing vacation patterns

B.  

Reviewing user activity logs

C.  

Interviewing senior IT management

D.  

Mapping IT processes to roles

A.  

Information security program plans

B.  

Penetration test results

C.  

Risk assessment results

D.  

Industry benchmarks

A.  

Reversing the hash function using the digest

B.  

Altering the plaintext message

C.  

Deciphering the receiver's public key

D.  

Obtaining the sender's private key

A.  

Use automatic document classification based on content.

B.  

Have IT security staff conduct targeted training for data owners.

C.  

Publish the data classification policy on the corporate web portal.

D.  

Conduct awareness presentations and seminars for information classification policies.

A.  

compare the organization's strategic plan against industry best practice.

B.  

interview senior managers for their opinion of the IT function.

C.  

ensure an IT steering committee is appointed to monitor new IT projects.

D.  

evaluate deliverables of new IT initiatives against planned business services.

A.  

minimize scope changes to the system.

B.  

decrease the time allocated for user testing and review.

C.  

conceptualize and clarify requirements.

D.  

Improve efficiency of quality assurance (QA) testing

A.  

Testing

B.  

Replication

C.  

Staging

D.  

Development

A.  

System/process flowchart

B.  

File layouts

C.  

Data architecture

D.  

Source code documentation

A.  

has adequate security.

B.  

logs ail database records.

C.  

Is accessible online

D.  

does not impact operational efficiency

A.  

The IT budget is not monitored

B.  

All IT services are provided by third parties.

C.  

IT value analysis has not been completed.

D.  

IT supports two different operating systems.

A.  

Discovery

B.  

Attacks

C.  

Planning

D.  

Reporting

A.  

SQL injection attacks

B.  

Denial of service (DoS) attacks

C.  

Phishing attacks

D.  

Insider attacks

A.  

End-user authorization to use the system in production

B.  

External audit sign-off on financial controls

C.  

Testing of the system within the production environment

D.  

An evaluation of the configuration management practices

A.  

the patches were updated.

B.  

The logs were monitored.

C.  

The network traffic was being monitored.

D.  

The domain controller was classified for high availability.

A.  

External audit review

B.  

Internal audit review

C.  

Control self-assessment (CSA)

D.  

Stress testing

A.  

Technology risk

B.  

Detection risk

C.  

Control risk

D.  

Inherent risk

A.  

The service level agreement (SLA) includes penalties for non-performance.

B.  

Adequate action is taken for noncompliance with the service level agreement (SLA).

C.  

The vendor provides historical data to demonstrate its performance.

D.  

Internal performance standards align with corporate strategy.

A.  

Restricting evidence access to professionally certified forensic investigators

B.  

Documenting evidence handling by personnel throughout the forensic investigation

C.  

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.  

Engaging an independent third party to perform the forensic investigation

A.  

The company is being sued for false accusations.

B.  

The financial report may contain undetected material errors.

C.  

Employees have been misappropriating funds.

D.  

Key employees have not taken vacation for 2 years.

A.  

Program coding standards have been followed

B.  

Acceptance test criteria have been developed

C.  

Data conversion procedures have been established.

D.  

The design has been approved by senior management.

A.  

some of the identified throats are unlikely to occur.

B.  

all identified throats relate to external entities.

C.  

the exercise was completed by local management.

D.  

neighboring organizations operations have been included.

A.  

Analysis of industry benchmarks

B.  

Identification of organizational goals

C.  

Analysis of quantitative benefits

D.  

Implementation of a balanced scorecard

A.  

The new system has resulted m layoffs of key experienced personnel.

B.  

Users have not been trained on the new system.

C.  

Data from the legacy system is not migrated correctly to the new system.

D.  

The new system is not platform agnostic

A.  

Auditors are responsible for performing operational duties or activities.

B.  

The internal audit manager reports functionally to a senior management official.

C.  

The internal audit manager has a reporting line to the audit committee.

D.  

Auditors are responsible for assessing and operating a system of internal controls.

A.  

Independence

B.  

Integrity

C.  

Materiality

D.  

Accountability

A.  

The system is hosted on an external third-party service provider’s server.

B.  

The system is hosted in a hybrid-cloud platform managed by a service provider.

C.  

The system is hosted within a demilitarized zone (DMZ) of a corporate network.

D.  

The system is hosted within an internal segment of a corporate network.

A.  

Key business process end users did not participate in the business impact " analysis (BIA)

B.  

Copies of the BCP have not been distributed to new business unit end users sjnce the reorganization

C.  

A test plan for the BCP has not been completed during the last two years

A.  

Identify accounts that have had excessive failed login attempts and request they be disabled

B.  

Request the IT manager to change administrator security parameters and update the finding

C.  

Document the finding and explain the risk of having administrator accounts with inappropriate security settings

A.  

To train the end users and supporting staff on the new system

B.  

To verify the new system provides required business functionality

C.  

To reduce the need for additional testing

D.  

To validate the new system against its predecessor

A.  

Operating system weaknesses are more easily identified.

B.  

Emerging security technologies are better understood and accepted.

C.  

The cost to mitigate information security risk is reduced.

D.  

Organizational awareness of security responsibilities is improved.

A.  

Data retention

B.  

Data minimization

C.  

Data quality

D.  

Data integrity

A.  

Evaluating the likelihood of attack

B.  

Estimating potential damage

C.  

Identifying vulnerable assets

D.  

Assessing the Impact of vulnerabilities

A.  

computer room closest to the uninterruptible power supply (UPS) module

B.  

computer room closest to the server computers

C.  

system administrators’ office

D.  

booth used by the building security personnel

A.  

Review test procedures and scenarios

B.  

Conduct a mock conversion test

C.  

Establish a configuration baseline

D.  

Automate the test scripts

A.  

Availability integrity

B.  

Data integrity

C.  

Entity integrity

D.  

Referential integrity

A.  

Data classification policy and procedures

B.  

Access rights of similar file servers

C.  

Previous data breach incident reports

D.  

Acceptable use policy and privacy statements

A.  

The minutes from the IT strategy committee meetings

B.  

Synchronization of IT activities with corporate objectives

C.  

The IT strategy committee charier

D.  

Business unit satisfaction survey results

A.  

some of the identified threats are unlikely to occur.

B.  

all identified threats relate to external entities.

C.  

the exercise was completed by local management.

D.  

neighboring organizations' operations have been included.

A.  

the recovery site devices can handle the storage requirements

B.  

hardware maintenance contract is in place for both old and new storage devices

C.  

the procurement was in accordance with corporate policies and procedures

D.  

the relocation plan has been communicated to all concerned parties

A.  

Report the deviation by the control owner in the audit report.

B.  

Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.

C.  

Cancel the follow-up audit and reschedule for the next audit period.

D.  

Request justification from management for not implementing the recommended control.

A.  

Visitors are escorted by an authorized employee

B.  

Pre-approval of entry requests

C.  

Visitors sign in at the front desk upon arrival

D.  

Closed-circuit television (CCTV) is used to monitor the facilities

A.  

Performing periodic reviews of physical access to backup media

B.  

Performing periodic complete data restorations

C.  

Validating off ne backups using software utilities

D.  

Reviewing and updating data restoration policies annually

A.  

Parallel changeover

B.  

Modular changeover

C.  

Phased operation

D.  

Pilot operation

A.  

Financial regulations affecting the organization

B.  

Data center physical access controls whore the application is hosted

C.  

Privacy regulations affecting the organization

D.  

Per-unit cost charged by the hosting services provider for storage

A.  

Only new employees are required to attend the program

B.  

Metrics have not been established to assess training results

C.  

Employees do not receive immediate notification of results

D.  

The timing for program updates has not been determined

A.  

discontinue maintenance of the disaster recovery plan (DRP>

B.  

coordinate disaster recovery administration with the outsourcing vendor

C.  

delegate evaluation of disaster recovery to a third party

D.  

delegate evaluation of disaster recovery to internal audit

A.  

Inaccurate business impact analysis (BIA)

B.  

Inadequate IT change management practices

C.  

Lack of a benchmark analysis

D.  

Inadequate IT portfolio management

A.  

Inherent

B.  

Operational

C.  

Audit

D.  

Financial

A.  

To enable the review of large value transactions

B.  

To efficiently test large volumes of data

C.  

To help identity transactions with no segregation of duties

D.  

To assist in performing analytical reviews

A.  

Judgmental sampling

B.  

Substantive testing

C.  

Compliance testing

D.  

Stop-or-go sampling

A.  

User activity monitoring

B.  

Two-factor authentication

C.  

Network segmentation

D.  

Access recertification

A.  

Consultation with security staff

B.  

Inclusion of mission and objectives

C.  

Compliance with relevant regulations

D.  

Alignment with an information security framework

A.  

Recommend the utilization of software licensing monitoring tools

B.  

Recommend the purchase of additional software license keys

C.  

Validate user need for shared software licenses

D.  

Verify whether the licensing agreement allows shared use

A.  

Software vulnerability scanning is done on an ad hoc basis.

B.  

Change control does not include testing and approval from quality assurance (QA).

C.  

Production code deployment is not automated.

D.  

Current DevSecOps processes have not been independently verified.

A.  

Key performance indicator (KPI) monitoring

B.  

Change management

C.  

Configuration management

D.  

Quality assurance (QA)

A.  

Assign responsibility for improving data quality.

B.  

Invest in additional employee training for data entry.

C.  

Outsource data cleansing activities to reliable third parties.

D.  

Implement business rules to validate employee data entry.

A.  

payment processing.

B.  

payroll processing.

C.  

procurement.

D.  

product registration.

A.  

Strategic: goals have been considered.

B.  

A rollback plan is included.

C.  

A code check review is included.

D.  

A migration steering committee has been formed.

A.  

Unit the use of logs to only those purposes for which they were collected

B.  

Restrict the transfer of log files from host machine to online storage

C.  

Only collect logs from servers classified as business critical

D.  

Limit log collection to only periods of increased security activity

A.  

Unrealistic milestones

B.  

Inadequate deliverables

C.  

Unclear benefits

D.  

Incomplete requirements

A.  

Frameworks enable IT benchmarks against competitors

B.  

Frameworks can be tailored and optimized for different organizations

C.  

Frameworks help facilitate control self-assessments (CSAs)

D.  

Frameworks help organizations understand and manage IT risk

A.  

Standard operating procedures

B.  

Service level agreements (SLAs)

C.  

Roles and responsibility matrix

D.  

Business resiliency

A.  

Single sign-on is not enabled

B.  

Audit logging is not enabled

C.  

Security baseline is not consistently applied

D.  

Complex passwords are not required

A.  

defining the authority and responsibility of the IS audit function.

B.  

providing details on how to execute the audit program.

C.  

providing direction and information regarding the performance of audits.

D.  

outlining the specific steps needed to complete audits

A.  

Average time between incidents

B.  

Incident alert meantime

C.  

Number of incidents reported

D.  

Incident resolution meantime

A.  

Establishing a risk appetite

B.  

Establishing a risk management framework

C.  

Validating enterprise risk management (ERM)

D.  

Operating the risk management framework

A.  

All users provisioned after the finding was originally identified

B.  

All users provisioned after management resolved the audit issue

C.  

All users provisioned after the final audit report was issued

D.  

All users who have followed user provisioning processes provided by management

A.  

Business continuity plan (BCP)

B.  

Test results for backup data restoration

C.  

A comprehensive list of disaster recovery scenarios and priorities

D.  

Roles and responsibilities for recovery team members

A.  

Testing encryption standards on the disaster recovery system

B.  

Validating access controls for real-time data systems

C.  

Performing parallel testing between systems

D.  

Validating performance of help desk metrics

A.  

Verify that the compromised systems are fully functional

B.  

Focus on limiting the damage

C.  

Document the incident

D.  

Remove and restore the affected systems

A.  

Data leakage as a result of employees leaving to work for competitors

B.  

Noncompliance fines related to storage of regulated information

C.  

Unauthorized logical access to information through an application interface

D.  

Physical theft of media on which information is stored

A.  

Using passwords to allow authorized users to send documents to the printer

B.  

Requiring a key code to be entered on the printer to produce hard copy

C.  

Encrypting the data stream between the user's computer and the printer

D.  

Producing a header page with classification level for printed documents

A.  

legitimate packets blocked by the system have increased

B.  

actual attacks have not been identified

C.  

detected events have increased

D.  

false positives have been reported

A.  

Jogging all packets passing through network segments

B.  

inspecting all traffic flowing between network segments and applying security policies

C.  

monitoring and reporting on sessions between network participants

D.  

ensuring all connecting systems have appropriate security controls enabled.

A.  

business risk

B.  

security policy

C.  

data retention requirements

D.  

industry standards

A.  

Review transaction recovery logs to ensure no errors were recorded.

B.  

Recount the transaction records to ensure no records are missing.

C.  

Rerun the process on a backup machine to verify the results are the same.

D.  

Compare transaction values against external statements to verify accuracy.

A.  

Undocumented operating procedures

B.  

Lack of segregation of duties

C.  

An excessive backlog of user requests

D.  

Lack of key performance indicators (KPIs)

A.  

Use a larger sample size

B.  

Perform statistical sampling

C.  

Perform judgmental sampling

D.  

Enhance audit testing procedures

A.  

traffic volumes and response-time criteria

B.  

physical security for network equipment

C.  

the level of redundancy in the various communication paths

D.  

business use and types of messages to be transmitted

A.  

Obtain error codes indicating failed data feeds.

B.  

Appoint data quality champions across the organization.

C.  

Purchase data cleansing tools from a reputable vendor.

D.  

Implement business rules to reject invalid data.

A.  

Data storage costs

B.  

Data classification

C.  

Vendor cloud certification

D.  

Service level agreements (SLAs)

A.  

Return on investment (ROI)

B.  

Business strategy

C.  

Business cases

D.  

Total cost of ownership (TCO)

A.  

Directive

B.  

Detective

C.  

Preventive

D.  

Compensating

A.  

Review IT staff job descriptions for alignment

B.  

Develop quarterly training for each IT staff member.

C.  

Identify required IT skill sets that support key business processes

D.  

Include strategic objectives m IT staff performance objectives

A.  

File layouts

B.  

Data architecture

C.  

System/process flowchart

D.  

Source code documentation

A.  

attributes for system passwords.

B.  

security training prior to implementation.

C.  

security requirements for the new application.

D.  

the firewall configuration for the web server.

A.  

Service management standards are not followed.

B.  

Expected time to resolve incidents is not specified.

C.  

Metrics are not reported to senior management.

D.  

Prioritization criteria are not defined.

A.  

Determine where delays have occurred

B.  

Assign additional resources to supplement the audit

C.  

Escalate to the audit committee

D.  

Extend the audit deadline

A.  

Organizational chart

B.  

Audit charier

C.  

Engagement letter

D.  

Annual audit plan

A.  

Staff were not involved in the procurement process, creating user resistance to the new system.

B.  

Data is not converted correctly, resulting in inaccurate patient records.

C.  

The deployment project experienced significant overruns, exceeding budget projections.

D.  

The new system has capacity issues, leading to slow response times for users.

A.  

IT strategies are communicated to all Business stakeholders

B.  

Organizational strategies are communicated to the chief information officer (CIO).

C.  

Business stakeholders are Involved In approving the IT strategy.

D.  

The chief information officer (CIO) is involved In approving the organizational strategies

A.  

Evaluate the appropriateness of the remedial action taken.

B.  

Conduct a risk analysis incorporating the change.

C.  

Report results of the follow-up to the audit committee.

D.  

Inform senior management of the change in approach.

A.  

Programmed edit checks for data entry

B.  

Backup procedures

C.  

Use of pass cards to gain access to physical facilities

D.  

Verification of hash totals

A.  

Sell-assessment reports of IT capability and maturity

B.  

IT performance benchmarking reports with competitors

C.  

Recent third-party IS audit reports

D.  

Current and previous internal IS audit reports

A.  

Decreased time for incident resolution

B.  

Increased number of incidents reviewed by IT management

C.  

Decreased number of calls lo the help desk

D.  

Increased number of reported critical incidents

A.  

Ask management why the regulatory changes have not been Included.

B.  

Discuss potential regulatory issues with the legal department

C.  

Report the missing regulatory updates to the chief information officer (CIO).

D.  

Exclude recent regulatory changes from the audit scope.

A.  

Analyzing risks posed by new regulations

B.  

Designing controls to protect personal data

C.  

Defining roles within the organization related to privacy

D.  

Developing procedures to monitor the use of personal data

A.  

Ensuring that audit trails exist for transactions

B.  

Restricting access to update programs to accounts payable staff only

C.  

Including the creator's user ID as a field in every transaction record created

D.  

Restricting program functionality according to user security profiles

A.  

The person who collected the evidence is not qualified to represent the case.

B.  

The logs failed to identify the person handling the evidence.

C.  

The evidence was collected by the internal forensics team.

D.  

The evidence was not fully backed up using a cloud-based solution prior to the trial.

A.  

The system only allows payments to vendors who are included In the system's master vendor list.

B.  

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.  

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.  

Policies and procedures are clearly communicated to all members of the accounts payable department

A.  

Availability of the user list reviewed

B.  

Confidentiality of the user list reviewed

C.  

Source of the user list reviewed

D.  

Completeness of the user list reviewed

A.  

Perform substantive testing of terminated users' access rights.

B.  

Perform a review of terminated users' account activity

C.  

Communicate risks to the application owner.

D.  

Conclude that IT general controls ate ineffective.

A.  

Requirements may become unreasonable.

B.  

The policy may conflict with existing application requirements.

C.  

Local regulations may contradict the policy.

D.  

Local management may not accept the policy.

A.  

Configure data quality alerts to check variances between the data warehouse and the source system

B.  

Require approval for changes in the extract/Transfer/load (ETL) process between the two systems

C.  

Include the data warehouse in the impact analysis (or any changes m the source system

D.  

Restrict access to changes in the extract/transfer/load (ETL) process between the two systems

A.  

Identify staff training needs related to compliance requirements.

B.  

Analyze historical compliance-related audit findings.

C.  

Research and purchase an industry-recognized IT compliance tool

D.  

Identify applicable laws, regulations, and standards.

A.  

Determine the value of assets.

B.  

Establish baselines.

C.  

Evaluate strategic business goals.

D.  

Replace audits.

A.  

Business project plan

B.  

Continuous monitoring plans

C.  

The cost of new controls

D.  

Business impact

A.  

enterprise architecture (EA).

B.  

industry best practices.

C.  

a risk management process.

D.  

past information security incidents.

A.  

Provide availability to the transmission

B.  

Authenticate the sender of a message

C.  

Provide confidentiality to the transmission

D.  

Verify the integrity of the data and the identity of the recipient

A.  

A backup has not been identified for key approvers.

B.  

System capacity has not been tested.

C.  

The procedures for generating key reports have not been approved.

D.  

The financial management system is cloud based.

A.  

Systems may not be supported by the vendor.

B.  

Known security vulnerabilities may not be mitigated.

C.  

Different systems may not be compatible.

D.  

The systems may not meet user requirements.

A.  

The project may go over budget.

B.  

The added functionality has not been documented.

C.  

The project may fail to meet the established deadline.

D.  

The new functionality may not meet requirements.

A.  

minimize data storage needs across the organization.

B.  

provide necessary IT resources to meet business requirements.

C.  

minimize system idle time to optimize cost.

D.  

ensure that IT teams have sufficient personnel.

A.  

IT portfolio updates are communicated when approved.

B.  

Programs in the IT portfolio are prioritized by each business function.

C.  

The IT portfolio is updated as business strategy changes.

D.  

The IT portfolio is updated on the basis of current industry benchmarks.

A.  

Configuring reports

B.  

Configuring rule sets

C.  

Enabling detection points

D.  

Establishing exceptions workflow

A.  

A risk assessment was not conducted prior to completing the BI

A.  

B.  

System criticality information was only provided by the IT manager.

C.  

A questionnaire was used to gather information as opposed to in-person interviews.

D.  

The BIA was not signed off by executive management.

A.  

Through the use of elliptical curve cryptography on transmitted messages

B.  

Through the use of a certificate issued by a certificate authority (CA)

C.  

Through the use of private keys to decrypt data received by a user

D.  

Through the use of enterprise key management systems

A.  

SQL injection

B.  

Fuzzing

C.  

Brute force

D.  

Password spraying

A.  

Printing of scan files

B.  

File movement detection

C.  

Enforcement of access policies

D.  

Storage-scanning technology

A.  

Reduced costs associated with automating the review

B.  

Increased likelihood of detecting suspicious activity

C.  

Ease of storing and maintaining log file

D.  

Ease of log retrieval for audit purposes

A.  

Reprioritize further testing of the anomalies and refocus on issues with higher risk

B.  

Update the audit plan to include the information collected during the audit

C.  

Ask auditees to promptly remediate the anomalies

D.  

Document the anomalies in audit workpapers

A.  

Integrity

B.  

Availability

C.  

Confidentiality

D.