- In performing an external network security assessment, which of the following should normally be performed first?
- Vulnerability scanning
- In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
- Inherent risk
- Informal peer reviews
- In order for management to effectively monitor the compliance of processes and applications, which of the following would be the most ideal?
- Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
- Imagine a company…
- Imagine a system failure…
- IaaS (Infrastructure as a Service): provides cloud-based processing, storage, network and other fundamental computing resources
- Vital: can be performed manually for a very short time
In performing an external network security assessment, which of the following should normally be performed first?
- Exploitation
- Enumeration
- Reconnaissance
- Vulnerability scanning

Which of the following presents the GREATEST risk to the organization?
- Not all traffic traversing the internet is encrypted
- Traffic on internal networks is unencrypted
- Cross-border data flow is unencrypted
- Multiple protocols are being used

Which of the following outlines the overall authority to perform an IS audit?
- The audit scope, with goals and objectives
- A request from management to perform an audit
- The approved audit charter
- The approved audit schedule

In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
- Detection risk assessment
- Control risk assessment
- Inherent risk assessment
- Fraud risk assessment

While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
- Business processes
- Critical IT applications
- Operational controls
- Business strategies

Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
- Control risk
- Detection risk
- Inherent risk
- Sampling risk

Which of the following is the MOST effective for implementing a control self-assessment (CSA) within business units?
- Informal peer reviews
- Facilitated workshops
- Process flow narratives
- Data flow diagrams

The FIRST step in planning an audit is to:
- Define audit deliverables
- Finalize the audit scope and audit objectives
- Gain an understanding of the business' objectives
- Develop the audit approach or audit strategy

The approach an IS auditor should use to plan IS audit coverage should be based on:
- Risk
- Materiality
- Professional scepticism
- Sufficiency of audit evidence

Which of the following would BEST reduce the likelihood of business systems being attacked through the wireless network?
- Scanning all connected devices for malware
- Placing the wireless network on a firewalled subnet
- Logging all access
- Logging administrator access

In order for management to effectively monitor the compliance of processes and applications, which of the following would be the most ideal?
- A central document repository
- A knowledge management system
- A dashboard
- Benchmarking

Which of the following would be included in an IS strategic plan?
- Specifications for planned hardware purchases
- Analysis of future business objectives
- Target dates for development projects
- Annual budgetary targets for the IS department

Which of the following BEST describes an IT department's strategic planning process?
- The IT department will have either short-range or long-range plans depending on the organization's broader plans and objectives
- The IT department strategic plan must be time- and project-oriented, but not so detailed as to address and help determine priorities to meet business needs
- Long-range planning for the IT department should recognise organizational goals, technological advances and regulatory requirements
- Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans

The MOST important responsibility of a data security officer in an organization is:
- Recommending and monitoring data security policies
- Promoting security awareness within the organization
- Establishing procedures for IT security policies
- Administering physical and logical access controls

What is considered the MOST critical element for the successful implementation of an information security (IS) program?
- An effective enterprise risk management (ERM) framework
- Senior management commitment
- An adequate budgeting process
- Meticulous program planning

An IS auditor should ensure that IT governance performance measures:
- Evaluate the activities of IT oversight committees
- Provide strategic IT drivers
- Adhere to regulatory reporting standards and definitions
- Evaluate the IT department

Which of the following tasks may be performed by the same person in a well-controlled information processing computer center?
- Security administration and change management
- Computer operations and system development
- System development and change management
- System development and systems maintenance

Which of the following is the MOST critical control over database administration?
- Approval of DBA activities
- Segregation of duties
- Review of access logs and activities
- Review of the use of database tools

When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
- Origination
- Authorization
- Recording
- Correction

Which one of the following provides the BEST method for determining the level of performance provided by similar information processing facility environments?
- User satisfaction
- Goal accomplishment
- Benchmarking
- Capacity and growth planning

For mission-critical systems with a low tolerance to interruption and a high cost of recovery, the IS auditor would, in principle, recommend the use of which of the following recovery options?
- Mobile site
- Warm site
- Cold site
- Hot site

An IS auditor reviewing the log of failed logon attempts would be MOST concerned if which of the following accounts was targeted?
- Network administrator
- System administrator
- Data administrator
- Database administrator

Which of the following is the MOST effective antivirus control?
- Scanning e-mail attachments on the mail server
- Restoring systems from clean copies
- Disabling USB ports
- An online antivirus scan with up-to-date virus definitions