CISA 2
100
Many organizations require employees to take a mandatory vacation each year PRIMARILY because the organization wants to ensure that: A. adequate cross-training exists across all functions of the organization. B. employee morale is maintained to ensure an effective internal control environment. C. potential irregularities in processing are identified by temporarily replacing an employee in the job function. D. rotation of employees reduces the risk of processing errors.
C. potential irregularities in processing are identified by temporarily replacing an employee in the job function. Explanation -> page 73 (A2-1).
100
Which of the following would an IS auditor consider to be the MOST important when evaluating an organization's IT strategy? That it: A. has been approved by line management. B. does not vary from the IT department's preliminary budget. C. complies with procurement procedures. D. supports the business objectives of the organization.
D. supports the business objectives of the organization. Explanation -> page 93 (A2-43)
100
A poor choice of passwords and unencrypted data transmissions over unprotected communications lines are examples of: A. vulnerabilities. B. threats. C. probabilities. D. impacts.
A. vulnerabilities. Explanation -> Page 117 (A2-93)
100
An IS auditor can verify that an organization's business continuity plan (BCP) is effective by reviewing the: A. alignment of the BCP with industry good practices. B. results of business continuity tests performed by IS and end-user personnel. C. offsite facility, its contents, security and environmental controls. D. annual financial cost of the BCP activities versus the expected benefit of the implementation of the plan.
B. results of business continuity tests performed by IS and end-user personnel. Explanation -> page 140 (A2-142)
100
Which of the following is the MOST important element for the successful implementation of IT governance? A. Implementing an IT scorecard B. Identifying organizational strategies C. Performing a risk assessment D. Creating a formal security policy
B. Identifying organizational strategies Explanation -> page 115 (A2-89)
200
Assessing IT risk is BEST achieved by: A. evaluating threats and vulnerabilities associated with existing IT assets and IT projects. B. using the firm's past actual loss experience to determine current exposure. C. reviewing published loss statistics from comparable organizations. D. reviewing IT control weaknesses identified in audit reports.
A. evaluating threats and vulnerabilities associated with existing IT assets and IT projects. Explanation -> page 110 (A2-79)
200
An IS auditor is reviewing an organization's recovery from a disaster in which not all critical data needed to resume business operations were retained. Which of the following was incorrectly defined? A. The interruption window B. The recovery time objective (RTO) C. The service delivery objective (SDO) D. The recovery point objective (RPO).
D. The recovery point objective (RPO). Explanation -> page 81 (A2-17)
200
Which of the following is responsible for the approval of an information security policy? A. The IT department B. The security committee C. The security administrator D. The board of directors
D. The board of directors Explanation -> page 97 (A2-51)
200
Integrating the business continuity plan (BCP) into IT project management aids in: A. the testing of the business continuity requirements. B. the development of a more comprehensive set of requirements. C. the development of a transaction flowchart. D. ensuring the application meets the user's needs.
B. the development of a more comprehensive set of requirements. Explanation -> page 139 (A2-139)
200
Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement (SLA) with an external IT service provider? A. Payment terms B. Uptime guarantee C. Indemnification clause D. Default resolution
B. Uptime guarantee Explanation -> page 123 (A2-107)
300
Which of the following is the initial step in creating a firewall policy? A. A cost-benefit analysis of methods for securing the applications B. Identification of network applications to be externally accessed C. Identification of vulnerabilities associated with network applications to be externally accessed. D. Creation of an application traffic matrix showing protection methods
B. Identification of network applications to be externally accessed Explanation -> page 99 (A2-54)
300
Which of the following is the BEST method to ensure that the business continuity plan (BCP) remains up to date? A. The group walks through the different scenarios of the plan from beginning to end. B. The group ensures that specific systems can actually perform adequately at the alternate offsite facility. C. The group is aware of full-interruption test procedures. D. Interdepartmental communication is promoted to better respond in case of disaster.
A. The group walks through the different scenarios of the plan from beginning to end. Explanation -> page 143 (A2-149)
300
Responsibility for the governance of IT should rest with the: A. IT strategy committee. B. Chief Information Officer (CIO). C. audit committee. D. board of directors.
D. board of directors. Explanation -> page 126 (A2-113)
300
The PRIMARY objective of testing a business continuity plan is to: A. familiarize employees with the business continuity plan. B. ensure that all residual risk is addressed. C. exercise all possible disaster scenarios. D. identify limitations of the business continuity plan.
D. identify limitations of the business continuity plan. Explanation -> page 135 (A2-130).
300
After completing the business impact analysis (BIA), what is the NEXT step in the business continuity planning (BCP) process? A. Test and maintain the plan. B. Develop a specific plan. C. Develop recovery strategies. D. Implement the plan.
C. Develop recovery strategies. Explanation -> page 147 (A2-160).
400
Establishing the level of acceptable risk is the responsibility of: A. quality assurance (QA) management. B. senior business management. C. the chief information officer (CIO). D. the chief security officer (CSO).
B. senior business management. Explanation -> page 86 (A2-28)
400
Which of the following would BEST provide assurance of the integrity of new staff? A. Background screening B. References C. Bonding D. Qualifications listed on a resume
A. Background screening Explanation -> page 88 (A2-31)
400
A local area network (LAN) administrator normally would be restricted from: A. having end-user responsibilities. B. reporting to the end-user manager. C. having programming responsibilities. D. being responsible for LAN security administration.
C. having programming responsibilities. Explanation -> page 90 (A2-35).
400
Which of the following is the PRIMARY objective of the business continuity plan (BCP) process? A. To provide assurance to stakeholders that business operations will continue in the event of disaster. B. To establish an alternate site for IT services to meet predefined recovery time objectives (RTOs) C. To manage risk while recovering from an event that adversely affected operations D. To meet the regulatory compliance requirements in the event of natural disaster
C. To manage risk while recovering from an event that adversely affected operations Explanation -> page 157 (A2-181)
400
Which of the following should be of MOST concern to an IS auditor reviewing the business continuity plan (BCP)? A. The disaster levels are based on scopes of damaged functions but not on duration. B. The difference between low-level disaster and software incidents is not clear. C. The overall BCP is documented, but detailed recovery steps are not specified. D. The responsibility of declaring a disaster is not identified.
D. The responsibility of declaring a disaster is not identified. Explanation -> page 150 (A2-167).
500
The PRIMARY objective of business continuity and disaster recovery plans should be to: A. safeguard critical IS assets. B. provide for continuity of operations. C. minimize the loss to an organization. D. protect human life.
D. protect human life. Explanation -> page 149 (A2-164)
500
Which of the following is the BEST way to ensure that organizational policies comply with legal requirements? A. Inclusion of a blanket legal statement in each policy B. Periodic review by subject matter experts C. Annual sign-off by senior management on organizational policies. D. Policy alignment to the most restrictive regulations.
C. Annual sign-off by senior management on organizational policies. Explanation -> page 144 (A2-152)
500
Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan (BCP)? A. The plan is approved by the chief information officer (CIO). B. The plan contact lists have not been updated. C. Test results are not adequately documented. D. The training schedule for recovery personnel is not included.
C. Test results are not adequately documented. Explanation -> page 130 (A2-121)
500
In the context of effective information security governance, the PRIMARY objective of value delivery is to: A. optimize security investment in support of business objectives. B. implement a standard set of security practices. C. institute a standards-based solution. D. implement a continuous improvement culture.
A. optimize security investment in support of business objectives. Explanation -> page 125 (A2-110).
500
An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk? A. Risk reduction B. Risk transfer C. Risk avoidance D. Risk mitigation
B. Risk transfer Explanation -> page 130 (A2-120)