A.  

Sell-assessment reports of IT capability and maturity

B.  

IT performance benchmarking reports with competitors

C.  

Recent third-party IS audit reports

D.  

Current and previous internal IS audit reports

A.  

Audit charter

B.  

IT steering committee

C.  

Information security policy

D.  

Audit best practices

A.  

File layouts

B.  

Data architecture

C.  

System/process flowchart

D.  

Source code documentation

A.  

Backup media are not reviewed before disposal.

B.  

Degaussing is used instead of physical shredding.

C.  

Backup media are disposed before the end of the retention period

D.  

Hardware is not destroyed by a certified vendor.

A.  

Users are not required to sign updated acceptable use agreements.

B.  

Users have not been trained on the new system.

C.  

The business continuity plan (BCP) was not updated.

D.  

Mobile devices are not encrypted.

A.  

Business continuity plan (BCP) testing

B.  

Business impact analysis (BIA)

C.  

Disaster recovery plan (DRP) testing

D.  

Risk assessment

A.  

Reviewing the parameter settings

B.  

Reviewing the system log

C.  

Interviewing the firewall administrator

D.  

Reviewing the actual procedures

A.  

Organizational chart

B.  

Audit charier

C.  

Engagement letter

D.  

Annual audit plan

A.  

Use of stateful firewalls with default configuration

B.  

Ad hoc monitoring of firewall activity

C.  

Misconfiguration of the firewall rules

D.  

Potential back doors to the firewall software

A.  

Reversing the hash function using the digest

B.  

Altering the plaintext message

C.  

Deciphering the receiver's public key

D.  

Obtaining the sender's private key

A.  

Ensure that the facts presented in the report are correct

B.  

Communicate the recommendations lo senior management

C.  

Specify implementation dates for the recommendations.

D.  

Request input in determining corrective action.

A.  

Review IT staff job descriptions for alignment

B.  

Develop quarterly training for each IT staff member.

C.  

Identify required IT skill sets that support key business processes

D.  

Include strategic objectives m IT staff performance objectives

A.  

Data migration is not part of the contracted activities.

B.  

The replacement is occurring near year-end reporting

C.  

The user department will manage access rights.

D.  

Testing was performed by the third-party consultant

A.  

Long-term Internal audit resource planning

B.  

Ongoing monitoring of the audit activities

C.  

Analysis of user satisfaction reports from business lines

D.  

Feedback from Internal audit staff

A.  

Expected deliverables meeting project deadlines

B.  

Sign-off from the IT team

C.  

Ongoing participation by relevant stakeholders

D.  

Quality assurance (OA) review

A.  

The organization's systems inventory is kept up to date.

B.  

Vulnerability scanning results are reported to the CISO.

C.  

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

D.  

Access to the vulnerability scanning tool is periodically reviewed

A.  

violation reports may not be reviewed in a timely manner.

B.  

a significant number of false positive violations may be reported.

C.  

violations may not be categorized according to the organization's risk profile.

D.  

violation reports may not be retained according to the organization's risk profile.

A.  

Data availability

B.  

Data confidentiality

C.  

Data integrity

D.  

Data redundancy

A.  

Use automatic document classification based on content.

B.  

Have IT security staff conduct targeted training for data owners.

C.  

Publish the data classification policy on the corporate web portal.

D.  

Conduct awareness presentations and seminars for information classification policies.

A.  

Data encryption on the mobile device

B.  

Complex password policy for mobile devices

C.  

The triggering of remote data wipe capabilities

D.  

Awareness training for mobile device users

A.  

Statement of work (SOW)

B.  

Nondisclosure agreement (NDA)

C.  

Service level agreement (SLA)

D.  

Privacy agreement

A.  

provide a report to senior management prior to discussion with the auditee.

B.  

distribute a summary of general findings to the members of the auditing team.

C.  

provide a report to the auditee stating the initial findings.

D.  

review the working papers with the auditee.

A.  

Available resources for the activities included in the action plan

B.  

A management response in the final report with a committed implementation date

C.  

A heal map with the gaps and recommendations displayed in terms of risk

D.  

Supporting evidence for the gaps and recommendations mentioned in the audit report

A.  

External audit review

B.  

Internal audit review

C.  

Control self-assessment (CSA)

D.  

Stress testing

A.  

Decreased time for incident resolution

B.  

Increased number of incidents reviewed by IT management

C.  

Decreased number of calls lo the help desk

D.  

Increased number of reported critical incidents

A.  

Conduct security awareness training.

B.  

Implement an acceptable use policy

C.  

Create inventory records of personal devices

D.  

Configure users on the mobile device management (MDM) solution

A.  

Revise the assessment based on senior management's objections.

B.  

Escalate the issue to audit management.

C.  

Finalize the draft audit report without changes.

D.  

Gather evidence to analyze senior management's objections

A.  

Continuous 24/7 support must be available.

B.  

The vendor must have a documented disaster recovery plan (DRP) in place.

C.  

Source code for the software must be placed in escrow.

D.  

The vendor must train the organization's staff to manage the new software

A.  

Historical privacy breaches and related root causes

B.  

Globally accepted privacy best practices

C.  

Local privacy standards and regulations

D.  

Benchmark studies of similar organizations

A.  

Developing an inventory of all business entities that exchange personal data with the affected jurisdiction

B.  

Identifying data security threats in the affected jurisdiction

C.  

Reviewing data classification procedures associated with the affected jurisdiction

D.  

Identifying business processes associated with personal data exchange with the affected jurisdiction

A.  

the organization's web server.

B.  

the demilitarized zone (DMZ).

C.  

the organization's network.

D.  

the Internet

A.  

To improve key availability metrics

B.  

To reduce costs associates with backups

C.  

To increase backup resiliency and redundancy

D.  

To minimize the backup time and resources

A.  

Security cameras deployed outside main entrance

B.  

Antistatic mats deployed at the computer room entrance

C.  

Muddy footprints directly inside the emergency exit

D.  

Fencing around facility is two meters high

A.  

To identify and eliminate the root causes of information security incidents

B.  

To enhance the impact of reports used to monitor information security incidents

C.  

To keep information security policies and procedures up-to-date

D.  

To reduce the frequency and impact of information security incidents

A.  

An imaging process was used to obtain a copy of the data from each computer.

B.  

The legal department has not been engaged.

C.  

The chain of custody has not been documented.

D.  

Audit was only involved during extraction of the Information

A.  

Availability of the user list reviewed

B.  

Confidentiality of the user list reviewed

C.  

Source of the user list reviewed

D.  

Completeness of the user list reviewed

A.  

Circuit gateway

B.  

Application level gateway

C.  

Packet filtering router

D.  

Screening router

A.  

Staging

B.  

Testing

C.  

Integration

D.  

Development

A.  

Number of successful penetration tests

B.  

Percentage of protected business applications

C.  

Financial impact per security event

D.  

Number of security vulnerability patches

A.  

Average number of learning and training hours per IT staff member

B.  

Frequency of security assessments against the most recent standards and guidelines

C.  

Average time to turn strategic IT objectives into an agreed upon and approved initiative

D.  

Percentage of staff with sufficient IT-related skills for the competency required of their roles

A.  

minimize scope changes to the system.

B.  

decrease the time allocated for user testing and review.

C.  

conceptualize and clarify requirements.

D.  

Improve efficiency of quality assurance (QA) testing

A.  

well understood by all employees.

B.  

based on industry standards.

C.  

developed by process owners.

D.  

updated frequently.

A.  

Staff were not involved in the procurement process, creating user resistance to the new system.

B.  

Data is not converted correctly, resulting in inaccurate patient records.

C.  

The deployment project experienced significant overruns, exceeding budget projections.

D.  

The new system has capacity issues, leading to slow response times for users.

A.  

Obtain error codes indicating failed data feeds.

B.  

Purchase data cleansing tools from a reputable vendor.

C.  

Appoint data quality champions across the organization.

D.  

Implement business rules to reject invalid data.

A.  

the patches were updated.

B.  

The logs were monitored.

C.  

The network traffic was being monitored.

D.  

The domain controller was classified for high availability.

A.  

Reviewing the last compile date of production programs

B.  

Manually comparing code in production programs to controlled copies

C.  

Periodically running and reviewing test data against production programs

D.  

Verifying user management approval of modifications

A.  

Implementing the remediation plan

B.  

Partially completing the CSA

C.  

Developing the remediation plan

D.  

Developing the CSA questionnaire

A.  

randomly selected by a test generator.

B.  

provided by the vendor of the application.

C.  

randomly selected by the user.

D.  

simulated by production entities and customers.

A.  

Preserving the same data classifications

B.  

Preserving the same data inputs

C.  

Preserving the same data structure

D.  

Preserving the same data interfaces

A.  

Technology risk

B.  

Detection risk

C.  

Control risk

D.  

Inherent risk

A.  

Reviewing vacation patterns

B.  

Reviewing user activity logs

C.  

Interviewing senior IT management

D.  

Mapping IT processes to roles

A.  

Staff members who failed the test did not receive follow-up education

B.  

Test results were not communicated to staff members.

C.  

Staff members were not notified about the test beforehand.

D.  

Security awareness training was not provided prior to the test.

A.  

Implement key performance indicators (KPIs)

B.  

Implement annual third-party audits.

C.  

Benchmark organizational performance against industry peers.

D.  

Require executive management to draft IT strategy

A.  

it facilitates easier audit follow-up

B.  

it enforces action plan consensus between auditors and auditees

C.  

it establishes accountability for the action plans

D.  

it helps to ensure factual accuracy of findings

A.  

Approved test scripts and results prior to implementation

B.  

Written procedures defining processes and controls

C.  

Approved project scope document

D.  

A review of tabletop exercise results

A.  

Project management

B.  

Risk assessment results

C.  

IT governance framework

D.  

Portfolio management

A.  

Notify law enforcement of the finding.

B.  

Require the third party to notify customers.

C.  

The audit report with a significant finding.

D.  

Notify audit management of the finding.

A.  

To limit the liability associated with storing and protecting information

B.  

To document business objectives for processing data within the organization

C.  

To assign responsibility and ownership for data protection outside IT

D.  

To establish a recovery point detective (RPO) for (toaster recovery procedures

A.  

Sampling risk

B.  

Detection risk

C.  

Control risk

D.  

Inherent risk

A.  

Prepare detailed plans for each business function.

B.  

Involve staff at all levels in periodic paper walk-through exercises.

C.  

Regularly update business impact assessments.

D.  

Make senior managers responsible for their plan sections.

A.  

Risk avoidance

B.  

Risk transfer

C.  

Risk acceptance

D.  

Risk reduction

A.  

CCTV recordings are not regularly reviewed.

B.  

CCTV cameras are not installed in break rooms

C.  

CCTV records are deleted after one year.

D.  

CCTV footage is not recorded 24 x 7.

A.  

Level of stakeholder satisfaction with the scope of planned IT projects

B.  

Percentage of enterprise risk assessments that include IT-related risk

C.  

Percentage of stat satisfied with their IT-related roles

D.  

Frequency of business process capability maturity assessments

A.  

The cost of outsourcing is lower than in-house development.

B.  

The vendor development team is located overseas.

C.  

A training plan for business users has not been developed.

D.  

The data model is not clearly documented.

A.  

Disposal policies and procedures are not consistently implemented

B.  

Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

C.  

Business units are allowed to dispose printers directly to

D.  

Inoperable printers are stored in an unsecured area.

A.  

The quality of the data is not monitored.

B.  

Imported data is not disposed frequently.

C.  

The transfer protocol is not encrypted.

D.  

The transfer protocol does not require authentication.

A.  

prevents loss of assets.

B.  

helps to align organizational objectives.

C.  

facilitates budgeting accuracy.

D.  

enables risk management decisions.

A.  

Inability to utilize the site when required

B.  

Inability to test the recovery plans onsite

C.  

Equipment compatibility issues at the site

D.  

Mismatched organizational security policies

A.  

Monitor and restrict vendor activities

B.  

Issues an access card to the vendor.

C.  

Conceal data devices and information labels

D.  

Restrict use of portable and wireless devices.

A.  

Analyze a new application that moots the current re

B.  

Perform an analysis to determine the business risk

C.  

Bring the escrow version up to date.

D.  

Develop a maintenance plan to support the application using the existing code

A.  

Statistical metrics measuring capacity utilization

B.  

Operations report of user dissatisfaction with response time

C.  

Tuning of system software to optimize resource usage

D.  

Report of off-peak utilization and response time

A.  

Ensure that paper documents arc disposed security.

B.  

Implement an intrusion detection system (IDS).

C.  

Verify that application logs capture any changes made.

D.  

Validate that all data files contain digital watermarks

A.  

Loss of application support

B.  

Lack of system integrity

C.  

Outdated system documentation

D.  

Developer access 1o production

A.  

Inability of the network intrusion detection system (IDS) to monitor virtual server-lo-server communications

B.  

Vulnerability in the virtualization platform affecting multiple hosts

C.  

Data center environmental controls not aligning with new configuration

D.  

System documentation not being updated to reflect changes in the environment

A.  

Real-time backup

B.  

Virtual backup

C.  

Differential backup

D.  

Full backup

A.  

Explain the impact to disaster recovery.

B.  

Explain the impact to resource requirements.

C.  

Explain the impact to incident management.

D.  

Explain the impact to backup scheduling.

A.  

Have an independent party review the source calculations

B.  

Execute copies of EUC programs out of a secure library

C.  

implement complex password controls

D.  

Verify EUC results through manual calculations

A.  

Utilize a network-based firewall.

B.  

Conduct regular user security awareness training.

C.  

Perform domain name system (DNS) server security hardening.

D.  

Enforce a strong password policy meeting complexity requirement.

A.  

Right to perform e-discovery

B.  

Advice from legal counsel

C.  

Preserving the chain of custody

D.  

Results of a root cause analysis

A.  

The survey results were not presented in detail lo management.

B.  

The survey questions did not address the scope of the business case.

C.  

The survey form template did not allow additional feedback to be provided.

D.  

The survey was issued to employees a month after implementation.

A.  

Analysis of industry benchmarks

B.  

Identification of organizational goals

C.  

Analysis of quantitative benefits

D.  

Implementation of a balanced scorecard

A.  

Installing security software on the devices

B.  

Partitioning the work environment from personal space on devices

C.  

Preventing users from adding applications

D.  

Restricting the use of devices for personal purposes during working hours

A.  

reclassify the data to a lower level of confidentiality

B.  

require the business owner to conduct regular access reviews.

C.  

implement a strong password schema for users.

D.  

recommend corrective actions to be taken by the security administrator.

A.  

The applications are not included in business continuity plans (BCFs)

B.  

The applications may not reasonably protect data.

C.  

The application purchases did not follow procurement policy.

D.  

The applications could be modified without advanced notice.

A.  

failure to maximize the use of equipment

B.  

unanticipated increase in business s capacity needs.

C.  

cost of excessive data center storage capacity

D.  

impact to future business project funding.

A.  

Users are not required to change their passwords on a regular basis

B.  

Management does not review application user activity logs

C.  

User accounts are shared between users

D.  

Password length is set to eight characters

A.  

Restricting program functionality according to user security profiles

B.  

Restricting access to update programs to accounts payable staff only

C.  

Including the creator’s user ID as a field in every transaction record created

D.  

Ensuring that audit trails exist for transactions

A.  

Determine the resources required to make the control

effective.

B.  

Validate the overall effectiveness of the internal control.

C.  

Verify the impact of the control no longer being effective.

D.  

Ascertain the existence of other compensating controls.

A.  

Leverage the work performed by external audit for the internal audit testing.

B.  

Ensure both the internal and external auditors perform the work simultaneously.

C.  

Request that the external audit team leverage the internal audit work.

D.  

Roll forward the general controls audit to the subsequent audit year.

A.  

The security weakness facilitating the attack was not identified.

B.  

The attack was not automatically blocked by the intrusion detection system (IDS).

C.  

The attack could not be traced back to the originating person.

D.  

Appropriate response documentation was not maintained.

A.  

Improved disaster recovery

B.  

Better utilization of resources

C.  

Stronger data security

D.  

Increased application performance

A.  

The BCP's contact information needs to be updated

B.  

The BCP is not version controlled.

C.  

The BCP has not been approved by senior management.

D.  

The BCP has not been tested since it was first issued.

A.  

Simple mail transfer protocol (SMTP)

B.  

Simple object access protocol (SOAP)

C.  

Hypertext transfer protocol (HTTP)

D.  

File transfer protocol (FTP)

A.  

Perform background verification checks.

B.  

Review third-party audit reports.

C.  

Implement change management review.

D.  

Conduct a privacy impact analysis.

A.  

Temperature sensors

B.  

Humidity sensors

C.  

Water sensors

D.  

Air pressure sensors

A.  

Analyzing risks posed by new regulations

B.  

Developing procedures to monitor the use of personal data

C.  

Defining roles within the organization related to privacy

D.  

Designing controls to protect personal data

A.  

promote best practices

B.  

increase efficiency.

C.  

optimize investments.

D.  

ensure compliance.

A.  

Verify all patches have been applied to the software system's outdated version

B.  

Close all unused ports on the outdated software system.

C.  

Segregate the outdated software system from the main network.

D.  

Monitor network traffic attempting to reach the outdated software system.

A.  

Review the documentation of recant changes to implement sequential order numbering.

B.  

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.  

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.  

Examine a sample of system generated purchase orders obtained from management

A.  

Manual sign-in and sign-out log

B.  

System electronic log

C.  

Alarm system with CCTV

D.  

Security incident log

A.  

the provider has alternate service locations.

B.  

the contract includes compensation for deficient service levels.

C.  

the provider's information security controls are aligned with the company's.

D.  

the provider adheres to the company's data retention policies.

A.  

Misconfiguration and missing updates

B.  

Malicious software and spyware

C.  

Zero-day vulnerabilities

D.  

Security design flaws

A.  

some of the identified throats are unlikely to occur.

B.  

all identified throats relate to external entities.

C.  

the exercise was completed by local management.

D.  

neighboring organizations operations have been included.

A.  

Perimeter firewall

B.  

Data loss prevention (DLP) system

C.  

Web application firewall

D.  

Network segmentation

A.  

Improve the change management process

B.  

Establish security metrics.

C.  

Perform a penetration test

D.  

Perform a configuration review

A.  

Service level agreement (SLA)

B.  

Hardware change management policy

C.  

Vendor memo indicating problem correction

D.  

An up-to-date RACI chart

A.  

use a proxy server to filter out Internet sites that should not be accessed.

B.  

keep a manual log of Internet access.

C.  

monitor remote access activities.

D.  

include a statement in its security policy about Internet use.

A.  

Strong risk management practices

B.  

Internal auditor commitment

C.  

Supportive corporate culture

D.  

Documented policies

A.  

Ensure sufficient audit resources are allocated,

B.  

Communicate audit results organization-wide.

C.  

Ensure ownership is assigned.

D.  

Test corrective actions upon completion.

A.  

Change management

B.  

Problem management

C.  

incident management

D.  

Configuration management

A.  

Network penetration tests are not performed

B.  

The network firewall policy has not been approved by the information security officer.

C.  

Network firewall rules have not been documented.

D.  

The network device inventory is incomplete.

A.  

The contract does not contain a right-to-audit clause.

B.  

An operational level agreement (OLA) was not negotiated.

C.  

Several vendor deliverables missed the commitment date.

D.  

Software escrow was not negotiated.

A.  

Restricting evidence access to professionally certified forensic investigators

B.  

Documenting evidence handling by personnel throughout the forensic investigation

C.  

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.  

Engaging an independent third party to perform the forensic investigation

A.  

IT operator

B.  

System administration

C.  

Emergency support

D.  

Database administration

A.  

The end-to-end process is understood and documented.

B.  

Roles and responsibilities are defined for the business processes in scope.

C.  

A benchmarking exercise of industry peers who use RPA has been completed.

D.  

A request for proposal (RFP) has been issued to qualified vendors.

A.  

Review a report of security rights in the system.

B.  

Observe the performance of business processes.

C.  

Develop a process to identify authorization conflicts.

D.  

Examine recent system access rights violations.

A.  

Use an electronic vault for incremental backups

B.  

Deploy a fully automated backup maintenance system.

C.  

Periodically test backups stored in a remote location

D.  

Use both tape and disk backup systems

A.  

The IT strategy is modified in response to organizational change.

B.  

The IT strategy is approved by executive management.

C.  

The IT strategy is based on IT operational best practices.

D.  

The IT strategy has significant impact on the business strategy

A.  

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

B.  

Review compliance with data loss and applicable mobile device user acceptance policies.

C.  

Verify the data loss prevention (DLP) tool is properly configured by the organization.

D.  

Verify employees have received appropriate mobile device security awareness training.

A.  

SIEM reporting is customized.

B.  

SIEM configuration is reviewed annually

C.  

The SIEM is decentralized.

D.  

SIEM reporting is ad hoc.

A.  

Inform potentially affected customers of the security breach

B.  

Notify business management of the security breach.

C.  

Research the validity of the alerted breach

D.  

Engage a third party to independently evaluate the alerted breach.

A.  

An assessment of whether requirements will be fully met

B.  

An assessment indicating security controls will operate

effectively

C.  

An assessment of whether the expected benefits can be

achieved

D.  

An assessment indicating the benefits will exceed the implement

A.  

Disabled USB ports

B.  

Full disk encryption

C.  

Biometric access control

D.  

Two-factor authentication

A.  

Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.

B.  

Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).

C.  

Jobs are scheduled and a log of this activity is retained for subsequent review.

D.  

Job failure alerts are automatically generated and routed to support personnel.

A.  

The management of the client organization is aware of the testing.

B.  

The test results will be documented and communicated to management.

C.  

The environment and penetration test scope have been determined.

D.  

Diagrams of the organization's network architecture are available.

A.  

business impact analysis (BIA).

B.  

threat and risk assessment.

C.  

business continuity plan (BCP).

D.  

disaster recovery plan (DRP).

A.  

Implement network access control.

B.  

Implement outbound firewall rules.

C.  

Perform network reviews.

D.  

Review access control lists.

A.  

note the noncompliance in the audit working papers.

B.  

issue an audit memorandum identifying the noncompliance.

C.  

include the noncompliance in the audit report.

D.  

determine why the procedures were not followed.

A.  

Walk-through reviews

B.  

Substantive testing

C.  

Compliance testing

D.  

Design documentation reviews

A.  

Notify the cyber insurance company.

B.  

Shut down the affected systems.

C.  

Quarantine the impacted systems.

D.  

Notify customers of the breach.

A.  

The IS auditor provided consulting advice concerning application system best practices.

B.  

The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.

C.  

The IS auditor designed an embedded audit module exclusively for auditing the application system.

D.  

The IS auditor implemented a specific control during the development of the application system.

A.  

describes the auditors' authority to conduct audits.

B.  

defines the auditors' code of conduct.

C.  

formally records the annual and quarterly audit plans.

D.  

documents the audit process and reporting standards.

A.  

establish criteria for reviewing alerts.

B.  

recruit more monitoring personnel.

C.  

reduce the firewall rules.

D.  

fine tune the intrusion detection system (IDS).

A.  

Percentage of new hires that have completed the training.

B.  

Number of new hires who have violated enterprise security policies.

C.  

Number of reported incidents by new hires.

D.  

Percentage of new hires who report incidents

A.  

information security team.

B.  

IS audit manager.

C.  

chief information officer (CIO).

D.  

business owner.

A.  

Detective

B.  

Logical

C.  

Preventive

D.  

Corrective

A.  

Assessment of the personnel training processes of the provider

B.  

Adequacy of the service provider's insurance

C.  

Review of performance against service level agreements (SLAs)

D.  

Periodic audits of controls by an independent auditor

A.  

Accept management's decision and continue the follow-up.

B.  

Report the issue to IS audit management.

C.  

Report the disagreement to the board.

D.  

Present the issue to executive management.

A.  

Inability to close unused ports on critical servers

B.  

Inability to identify unused licenses within the organization

C.  

Inability to deploy updated security patches

D.  

Inability to determine the cost of deployed software

A.  

Periodically reviewing log files

B.  

Configuring the router as a firewall

C.  

Using smart cards with one-time passwords

D.  

Installing biometrics-based authentication

A.  

Frequent testing of backups

B.  

Annual walk-through testing

C.  

Periodic risk assessment

D.  

Full operational test

A.  

Document the finding and present it to management.

B.  

Determine if a root cause analysis was conducted.

C.  

Confirm the resolution time of the incidents.

D.  

Validate whether all incidents have been actioned.

A.  

Implement overtime pay and bonuses for all development staff.

B.  

Utilize new system development tools to improve productivity.

C.  

Recruit IS staff to expedite system development.

D.  

Deliver only the core functionality on the initial target date.

A.  

Assign responsibility for improving data quality.

B.  

Invest in additional employee training for data entry.

C.  

Outsource data cleansing activities to reliable third parties.

D.  

Implement business rules to validate employee data entry.

A.  

Projected impact of current business on future business

B.  

Cost-benefit analysis of running the current business

C.  

Cost of regulatory compliance

D.  

Expected costs for recovering the business

A.  

Independent reconciliation

B.  

Re-keying of wire dollar amounts

C.  

Two-factor authentication control

D.  

System-enforced dual control

A.  

To ensure that older versions are availability for reference

B.  

To ensure that only the latest approved version of the application is used

C.  

To ensure compatibility different versions of the application

D.  

To ensure that only authorized users can access the application

A.  

application test cases.

B.  

acceptance testing.

C.  

cost-benefit analysis.

D.  

project plans.

A.  

Balanced scorecard

B.  

Enterprise dashboard

C.  

Enterprise architecture (EA)

D.  

Key performance indicators (KPIs)

A.  

There is not a defined IT security policy.

B.  

The business strategy meeting minutes are not distributed.

C.  

IT is not engaged in business strategic planning.

D.  

There is inadequate documentation of IT strategic planning.

A.  

Future compatibility of the application.

B.  

Proposed functionality of the application.

C.  

Controls incorporated into the system specifications.

D.  

Development methodology employed.

A.  

The default configurations have been changed.

B.  

All tables in the database are normalized.

C.  

The service port used by the database server has been changed.

D.  

The default administration account is used after changing the account password.

A.  

Assignment of responsibility for each project to an IT team member

B.  

Adherence to best practice and industry approved methodologies

C.  

Controls to minimize risk and maximize value for the IT portfolio

D.  

Frequency of meetings where the business discusses the IT portfolio

A.  

recommend that the option to directly modify the database be removed immediately.

B.  

recommend that the system require two persons to be involved in modifying the database.

C.  

determine whether the log of changes to the tables is backed up.

D.  

determine whether the audit trail is secured and reviewed.

A.  

Report the mitigating controls.

B.  

Report the security posture of the organization.

C.  

Determine the value of the firewall.

D.  

Determine the risk of not replacing the firewall.

A.  

incident management.

B.  

quality assurance (QA).

C.  

change management.

D.  

project management.

A.  

Require employees to attend security awareness training.

B.  

Password protect critical data files.

C.  

Configure to auto-wipe after multiple failed access attempts.

D.  

Enable device auto-lock function.

A.  

Availability of the site in the event of multiple disaster declarations

B.  

Coordination with the site staff in the event of multiple disaster declarations

C.  

Reciprocal agreements with other organizations

D.  

Complete testing of the recovery plan

A.  

is more effective at suppressing flames.

B.  

allows more time to abort release of the suppressant.

C.  

has a decreased risk of leakage.

D.  

disperses dry chemical suppressants exclusively.

A.  

Developing and communicating test procedure best practices to audit teams

B.  

Developing and implementing an audit data repository

C.  

Decentralizing procedures and Implementing periodic peer review

D.  

Centralizing procedures and implementing change control

A.  

Double-posting of a single journal entry

B.  

Inability to support new business transactions

C.  

Unauthorized alteration of account attributes

D.  

Inaccuracy of financial reporting

A.  

Invoking the disaster recovery plan (DRP)

B.  

Backing up data frequently

C.  

Paying the ransom

D.  

Requiring password changes for administrative accounts

A.  

efficiency due to the re-use of elements of logic.

B.  

management of sequential program execution for data access.

C.  

grouping of objects into methods for data access.

D.  

management of a restricted variety of data types for a data object.

A.  

Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees

B.  

Establishing strong access controls on confidential data

C.  

Providing education and guidelines to employees on use of social networking sites

D.  

Monitoring employees' social networking usage

A.  

Business interruption due to remediation

B.  

IT budgeting constraints

C.  

Availability of responsible IT personnel

D.  

Risk rating of original findings

A.  

Address technical IT issues.

B.  

Be informed of all IT initiatives.

C.  

Have an IT strategy committee.

D.  

Approve the IT strategy.

A.  

Review working papers with the auditee.

B.  

Request the auditee provide management responses.

C.  

Request management wait until a final report is ready for discussion.

D.  

Present observations for discussion only.

A.  

the same hashing algorithm as the sender's to create a binary image of the file.

B.  

a different hashing algorithm from the sender's to create a binary image of the file.

C.  

the same hashing algorithm as the sender's to create a numerical representation of the file.

D.  

a different hashing algorithm from the sender's to create a numerical representation of the file.

A.  

subsystem structure.

B.  

program execution.

C.  

security control options.

D.  

operator overrides.

A.  

Senior management's request

B.  

Prior year's audit findings

C.  

Organizational risk assessment

D.  

Previous audit coverage and scope

A.  

Full test results

B.  

Completed test plans

C.  

Updated inventory of systems

D.  

Change management processes

A.  

Audit cycle defined in the audit plan

B.  

Complexity of management's action plans

C.  

Recommendation from executive management

D.  

Residual risk from the findings of previous audits

A.  

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.  

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.  

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.  

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

A.  

Consulted

B.  

Informed

C.  

Responsible

D.  

Accountable

A.  

Modify applications to no longer require direct access to the database.

B.  

Introduce database access monitoring into the environment

C.  

Modify the access management policy to make allowances for application accounts.

D.  

Schedule downtime to implement password changes.

A.  

Portfolio management

B.  

Business plans

C.  

Business processes

D.  

IT strategic plans

A.  

Rotate job duties periodically.

B.  

Perform an independent audit.

C.  

Hire temporary staff.

D.  

Implement compensating controls.

A.  

Data masking

B.  

Data tokenization

C.  

Data encryption

D.  

Data abstraction

A.  

Identifying relevant roles for an enterprise IT governance framework

B.  

Making decisions regarding risk response and monitoring of residual risk

C.  

Verifying that legal, regulatory, and contractual requirements are being met

D.  

Providing independent and objective feedback to facilitate improvement of IT processes

A.  

Note the exception in a new report as the item was not addressed by management.

B.  

Recommend alternative solutions to address the repeat finding.

C.  

Conduct a risk assessment of the repeat finding.

D.  

Interview management to determine why the finding was not addressed.

A.  

Ensure corrected program code is compiled in a dedicated server.

B.  

Ensure change management reports are independently reviewed.

C.  

Ensure programmers cannot access code after the completion of program edits.

D.  

Ensure the business signs off on end-to-end user acceptance test (UAT) results.

A.  

perform a business impact analysis (BIA).

B.  

issue an intermediate report to management.

C.  

evaluate the impact on current disaster recovery capability.

D.  

conduct additional compliance testing.

A.  

Key performance indicators (KPIs)

B.  

Maximum allowable downtime (MAD)

C.  

Recovery point objective (RPO)

D.  

Mean time to restore (MTTR)

A.  

An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door.

B.  

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.  

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.  

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

A.  

phishing.

B.  

denial of service (DoS)

C.  

structured query language (SQL) injection

D.  

buffer overflow

A.  

firewall standards.

B.  

configuration of the firewall

C.  

firmware version of the firewall

D.  

location of the firewall within the network

A.  

Require all employees to sign nondisclosure agreements (NDAs).

B.  

Develop an acceptable use policy for end-user computing (EUC).

C.  

Develop an information classification scheme.

D.  

Provide notification to employees about possible email monitoring.

A.  

Lack of appropriate labelling

B.  

Lack of recent awareness training.

C.  

Lack of password protection

D.  

Lack of appropriate data classification

A.  

Incident monitoring togs

B.  

The ISP service level agreement

C.  

Reports of network traffic analysis

D.  

Network topology diagrams

A.  

Obtain error codes indicating failed data feeds.

B.  

Appoint data quality champions across the organization.

C.  

Purchase data cleansing tools from a reputable vendor.

D.  

Implement business rules to reject invalid data.

A.  

Rollback strategy

B.  

Test cases

C.  

Post-implementation review objectives

D.  

Business case

A.  

Conduct periodic on-site assessments using agreed-upon criteria.

B.  

Periodically review the service level agreement (SLA) with the vendor.

C.  

Conduct an unannounced vulnerability assessment of vendor's IT systems.

D.  

Obtain evidence of the vendor's control self-assessment (CSA).

A.  

There is no requirement for desktops to be encrypted

B.  

Staff are allowed to work remotely

C.  

Security awareness training is not provided to staff

D.  

Security policies have not been updated in the past year

A.  

Reviewing decisions on how business processes should be conducted in the new system

B.  

Completing data cleanup in the current database to eliminate inconsistencies

C.  

Understanding the new system's data structure

D.  

Creating data conversion scripts

A.  

Biometrics

B.  

Procedures for escorting visitors

C.  

Airlock entrance

D.  

Intruder alarms

A.  

Audit transparency

B.  

Data confidentiality

C.  

Professionalism

D.  

Audit efficiency

A.  

Lack of segregation of duties

B.  

Lack of a dedicated QC function

C.  

Lack of policies and procedures

D.  

Lack of formal training and attestation

A.  

Computer-assisted technique

B.  

Stratified sampling

C.  

Statistical sampling

D.  

Process walk-through

A.  

Determine whether another DBA could make the changes

B.  

Report a potential segregation of duties violation

C.  

identify whether any compensating controls exist

D.  

Ensure a change management process is followed prior to implementation

A.  

available resources are used efficiently and effectively

B.  

computer systems are used to their maximum capacity most of the time

C.  

concurrent use by a large number of users is enabled

D.  

proposed hardware acquisitions meet capacity requirements

A.  

Business continuity plan (BCP)

B.  

Test results for backup data restoration

C.  

A comprehensive list of disaster recovery scenarios and priorities

D.  

Roles and responsibilities for recovery team members

A.  

Interview change management personnel about completeness.

B.  

Take an item from the log and trace it back to the system.

C.  

Obtain management attestation of completeness.

D.  

Take the last change from the system and trace it back to the log.

A.  

Document last-minute enhancements

B.  

Perform a pre-implementation audit

C.  

Perform user acceptance testing (UAT)

D.  

Ensure that code has been reviewed

A.  

Shared registries

B.  

Host operating system

C.  

Shared data

D.  

Shared kernel

A.  

Legacy data has not been purged.

B.  

Admin account passwords are not set to expire.

C.  

Default settings have not been changed.

D.  

Database activity logging is not complete.

A.  

Periodic audits

B.  

File counts

C.  

File checksums

D.  

IT operator monitoring

A.  

Frameworks enable IT benchmarks against competitors

B.  

Frameworks can be tailored and optimized for different organizations

C.  

Frameworks help facilitate control self-assessments (CSAs)

D.  

Frameworks help organizations understand and manage IT risk

A.  

Map data classification controls to data sets.

B.  

Control access to extract, transform, and load (ETL) tools.

C.  

Conduct a data discovery exercise across all business applications.

D.  

Implement classification labels in metadata during data creation.

A.  

Encrypting and destroying keys

B.  

Machine shredding

C.  

Software formatting

D.  

Wiping and rewriting three times

A.  

To determine data retention policy

B.  

To implement data protection requirements

C.  

To comply with the organization's data policies

D.  

To follow industry best practices

A.  

implement a control self-assessment (CSA)

B.  

Conduct a gap analysis

C.  

Develop a maturity model

D.  

Evaluate key performance indicators (KPIs)

A.  

Interview IT management to clarify the current procedure.

B.  

Report this finding to senior management.

C.  

Review the organization's patch management policy.

D.  

Request a plan of action to be established as a follow-up item.

A.  

Virtual firewall

B.  

Proxy server

C.  

Load balancer

D.  

Virtual private network (VPN)

A.  

validate the incident.

B.  

notify the head of the IT department.

C.  

isolate systems impacted by the incident.

D.  

initiate root cause analysis.

A.  

The IS audit staff has a high level of experience.

B.  

It is expected that the population is error-free.

C.  

Proper segregation of duties is in place.

D.  

The data can be directly changed by users.

A.  

Whether the solution architecture compiles with IT standards

B.  

Whether success criteria have been achieved

C.  

Whether the project has been delivered within the approved budget

D.  

Whether lessons teamed have been documented

A.  

To evaluate the effectiveness of continuous improvement efforts

B.  

To compare incident response metrics with industry benchmarks

C.  

To re-analyze the incident to identify any hidden backdoors planted by the attacker

D.  

To evaluate the effectiveness of the network firewall against future security breaches

A.  

Recommend the application be patched to meet requirements.

B.  

Inform the IT director of the policy noncompliance.

C.  

Verify management has approved a policy exception to accept the risk.

D.  

Take no action since the application will be decommissioned in three months.

A.  

Financial regulations affecting the organization

B.  

Data center physical access controls whore the application is hosted

C.  

Privacy regulations affecting the organization

D.  

Per-unit cost charged by the hosting services provider for storage

A.  

Require that a change request be completed and approved

B.  

Give the programmer an emergency ID for temporary access and review the activity

C.  

Give the programmer read-only access to investigate the problem

D.  

Review activity logs the following day and investigate any suspicious activity

A.  

Data retention

B.  

Data minimization

C.  

Data quality

D.  

Data integrity

A.  

IT investments are implemented and monitored following a system development life cycle (SDLC)

B.  

IT investments are mapped to specific business objectives

C.  

Key performance indicators (KPIs) are defined for each business requiring IT Investment

D.  

The IT Investment budget is significantly below industry benchmarks

A.  

Comparison of object and executable code

B.  

Review of audit trail of compile dates

C.  

Comparison of date stamping of source and object code

D.  

Review of developer comments in executable code

A.  

Confirm the BCP has been recently updated.

B.  

Review the effectiveness of the business response.

C.  

Raise an audit issue for the lack of simulated testing.

D.  

Interview staff members to obtain commentary on the BCP's effectiveness.

A.  

Risk acceptance

B.  

Risk mitigation

C.  

Risk transference

D.  

Risk reduction

A.  

defining the authority and responsibility of the IS audit function.

B.  

providing details on how to execute the audit program.

C.  

providing direction and information regarding the performance of audits.

D.  

outlining the specific steps needed to complete audits

A.  

Support

B.  

Performance

C.  

Confidentiality

D.  

Usability

A.  

Visitors are required to be escorted by authorized personnel.

B.  

Visitors are required to use biometric authentication.

C.  

Visitors are monitored online by security cameras

D.  

Visitors are required to enter through dead-man doors.

A.  

Report that the changes make it impractical to determine whether the risks have been addressed.

B.  

Accept management's assertion and report that the risks have been addressed.

C.  

Determine whether the changes have introduced new risks that need to be addressed.

D.  

Review the changes and determine whether the risks have been addressed.

A.  

The change management process was not formally documented

B.  

Backups of the old system and data are not available online

C.  

Unauthorized data modifications occurred during conversion,

D.  

Data conversion was performed using manual processes

A.  

The actual start times of some activities were later than originally scheduled.

B.  

Tasks defined on the critical path do not have resources allocated.

C.  

The project manager lacks formal certification.

D.  

Milestones have not been defined for all project products.

A.  

Confirm that the encryption standard applied to the interface is in line with best practice.

B.  

Inspect interface configurations and an example output of the systems.

C.  

Perform data reconciliation between the two systems for a sample of 25 days.

D.  

Conduct code review for both systems and inspect design documentation.

A.  

All users provisioned after the finding was originally identified

B.  

All users provisioned after management resolved the audit issue

C.  

All users provisioned after the final audit report was issued

D.  

All users who have followed user provisioning processes provided by management

A.  

when drafting the report.

B.  

during fieldwork.

C.  

at the end of fieldwork.

D.  

within the audit report

A.  

Information security officer

B.  

Database administrator (DBA)

C.  

Information owner

D.  

Data architect

A.  

Lower start-up costs

B.  

Reduced risk of system downtime

C.  

Direct oversight of risks

D.  

Increased ability to adapt the system

A.  

sign off on the final build document.

B.  

ensure that each project deadline is met.

C.  

ensure that developed systems meet business needs.

D.  

provide regular project updates and oversight.

A.  

Transfer the assignment to a different audit manager despite lack of IT project management experience.

B.  

Outsource the audit to independent and qualified resources.

C.  

Manage the audit since there is no one else with the appropriate experience.

D.  

Have a senior IS auditor manage the project with the IS audit manager performing final review.

A.  

Identify accounts that have had excessive failed login attempts and request they be disabled

B.  

Request the IT manager to change administrator security parameters and update the finding

C.  

Document the finding and explain the risk of having administrator accounts with inappropriate security settings

A.  

User activity monitoring

B.  

Two-factor authentication

C.  

Network segmentation

D.  

Access recertification

A.  

The DRP was developed by the IT department.

B.  

The DRP has not been tested during the past three years.

C.  

The DRP has not been updated for two years.

D.  

The DRP does not include the recovery the time objective (RTO) for a key system.

A.  

To train the end users and supporting staff on the new system

B.  

To verify the new system provides required business functionality

C.  

To reduce the need for additional testing

D.  

To validate the new system against its predecessor

A.  

anonymizing users through changed IP addresses.

B.  

providing multi-factor authentication for additional security.

C.  

providing faster response than direct access.

D.  

load balancing traffic to optimize data pathways.

A.  

data classifications are automated.

B.  

a data dictionary is maintained.

C.  

data retention requirements are clearly defined.

D.  

data is correctly classified.

A.  

Access to change testing strategy and results is not restricted to staff outside the IT team.

B.  

Some user acceptance testing (IJAT) was completed by members of the IT team.

C.  

IT administrators have access to the production and development environment

D.  

Post-implementation testing is not conducted for all system releases.

A.  

Standard operating procedures

B.  

Service level agreements (SLAs)

C.  

Roles and responsibility matrix

D.  

Business resiliency

A.  

Password attack

B.  

Eavesdropping attack

C.  

Insider attack

D.  

Spear phishing attack

A.  

All incidents have a severity level assigned.

B.  

All identified incidents are escalated to the CEO and the CISO.

C.  

Incident response is within defined service level agreements (SLAs).

D.  

The alerting tools and incident response team can detect incidents.

A.  

Information privacy

B.  

256-brt key length

C.  

Data availability

D.  

Nonrepudiation

A.  

database conflicts are managed during replication.

B.  

end users are trained in the replication process.

C.  

the source database is backed up on both sites.

D.  

user rights are identical on both databases.

A.  

issuing authentication tokens

B.  

Reinforcing current security policies

C.  

Limiting after-hours usage

D.  

Installing an automatic password generator

A.  

Differential backup

B.  

Full backup

C.  

Incremental backup

D.  

Mirror backup

A.  

traffic volumes and response-time criteria

B.  

physical security for network equipment

C.  

the level of redundancy in the various communication paths

D.  

business use and types of messages to be transmitted

A.  

Integration testing

B.  

Regression testing

C.  

Automated testing

D.  

User acceptance testing (UAT)

A.  

Configuration phase

B.  

User training phase

C.  

Quality assurance (QA) phase

D.  

Development phase

A.  

HTTP server error rate

B.  

Server thread count

C.  

Average response time

D.  

Server uptime

A.  

Reviewing emergency changes to data

B.  

Authorizing application code changes

C.  

Determining appropriate user access levels

D.  

Implementing access rules over database tables

A.  

Alignment of information security with IT objectives

B.  

Management’s commitment to information security

C.  

Integration of business and information security

D.  

User accountability for information security

A.  

Document the findings in the audit report.

B.  

Identify who approved the policies.

C.  

Escalate the situation to the lead auditor.

D.  

Communicate the observation to the auditee.

A.  

Administrator passwords do not meet organizational security and complexity requirements.

B.  

The number of support staff responsible for job scheduling has been reduced.

C.  

The scheduling tool was not classified as business-critical by the IT department.

D.  

Maintenance patches and the latest enhancement upgrades are missing.

A.  

The ability to deliver continuous, reliable performance

B.  

A requirement for annual security awareness programs

C.  

An increase in the number of IT infrastructure servers

D.  

A decrease in the number of information security incidents

A.  

Completing the incident management log

B.  

Broadcasting an emergency message

C.  

Requiring a dedicated incident response team

D.  

Implementing incident escalation procedures

A.  

Ensure the third party allocates adequate resources to meet requirements.

B.  

Use analytics within the internal audit function

C.  

Conduct a capacity planning exercise

D.  

Utilize performance monitoring tools to verify service level agreements (SLAs)

A.  

Implementing risk responses on management's behalf

B.  

Integrating the risk register for audit planning purposes

C.  

Providing assurances to management regarding risk

D.  

Facilitating audit risk identification and evaluation workshops

A.  

SQL injection attacks

B.  

Denial of service (DoS) attacks

C.  

Phishing attacks

D.  

Insider attacks

A.  

To optimize system resources

B.  

To follow system hardening standards

C.  

To optimize asset management workflows

D.  

To ensure proper change control

A.  

Observing the execution of a daily backup run

B.  

Evaluating the backup policies and procedures

C.  

Interviewing key personnel evolved In the backup process

D.  

Reviewing a sample of system-generated backup logs

A.  

maximum tolerable loss of data.

B.  

nature of the outage

C.  

maximum tolerable downtime (MTD).

D.  

business-defined criticality of the systems.

A.  

attributes for system passwords.

B.  

security training prior to implementation.

C.  

security requirements for the new application.

D.  

the firewall configuration for the web server.

A.  

Attack vectors are evolving for industrial control systems.

B.  

There is a greater risk of system exploitation.

C.  

Disaster recovery plans (DRPs) are not in place.

D.  

Technical specifications are not documented.

A.  

has adequate security.

B.  

logs ail database records.

C.  

Is accessible online

D.  

does not impact operational efficiency

A.  

Verifying that access privileges have been reviewed

B.  

investigating access rights for expiration dates

C.  

Updating the continuity plan for critical resources

D.  

Updating the security policy

A.  

Require written authorization for all payment transactions

B.  

Restrict payment authorization to senior staff members.

C.  

Reconcile payment transactions with invoices.

D.  

Review payment transaction history

A.  

Analyzing risks posed by new regulations

B.  

Designing controls to protect personal data

C.  

Defining roles within the organization related to privacy

D.  

Developing procedures to monitor the use of personal data

A.  

To decrease system response time

B.  

To Improve the recovery lime objective (RTO)

C.  

To facilitate faster backups

D.  

To improve system resiliency

A.  

Testing

B.  

Replication

C.  

Staging

D.  

Development

A.  

The system only allows payments to vendors who are included In the system's master vendor list.

B.  

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.  

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.  

Policies and procedures are clearly communicated to all members of the accounts payable department

A.  

The IT budget is not monitored

B.  

All IT services are provided by third parties.

C.  

IT value analysis has not been completed.

D.  

IT supports two different operating systems.