01-30 CISA Domain IV Questions Answer and Explanation

Free Exam Simulator

Question 1 - ID: 6312133
An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a:
A.
B.
C.
D.
Answer and explanation:
A
Contractual issues regarding payment, service improvement and dispute resolution are important, but not as critical as ensuring that service disruption, data loss, data retention failures or other significant events do not occur if the organization switches to a new firm providing the outsourced services.
B
The service level agreement (SLA) should address performance requirements and metrics to report on the status of services provided; a commitment to performance improvement is desirable but not mandatory.
C
The SLA should address a dispute resolution procedure and specify the jurisdiction in case of a legal dispute, but this is not the most critical part of an SLA.
D
The delivery of IT services for a specific customer always implies a close linkage between the client and the supplier of the service. If there are no contract terms to specify how the transition to a new supplier may be performed, there is the risk that the old supplier may simply "pull the plug" if the contract expires or is terminated, or may not make data available to the outsourcing organization or the new supplier. This would be the greatest risk to the organization.
Question 2 - ID: 8712140
In auditing a database environment, an IS auditor will be MOST concerned if the database administrator is performing which of the following functions?
A.
B.
C.
D.
Answer and explanation:
A
The DBA often performs or supports database backup and recovery procedures.
B
Installing patches or upgrades to the operating system is a function that should be performed by a systems administrator, not by a DBA. If a DBA were performing this function, there would be a risk based on inappropriate segregation of duties.
C
Performing database changes according to change management procedures would be a normal function of the database administrator (DBA) and would be compliant with the procedures of the organization.
D
A DBA is expected to support the business through helping design, create and maintain databases and the interfaces to the databases.
Question 3 - ID: 9512141
Which of the following is the MOST reasonable option for recovering a non-critical system?
A.
B.
C.
D.
Answer and explanation:
A
A warm site is generally available at a medium cost, requires less time to become operational and is suitable for sensitive operations that should be recovered in a moderate amount of time.
B
A mobile site is a vehicle ready with all necessary computer equipment that can be moved to any location, depending upon the need. The need for a mobile site depends upon the scale of operations.
C
A hot site is contracted for a shorter time period at a higher cost, and it is better suited for recovery of vital and critical applications.
D
Generally, a cold site is contracted for a longer period at a lower cost. Because it requires more time to make a cold site operational, it is generally used for noncritical applications.
Question 4 - ID: 3312148
While reviewing the process for continuous monitoring of the capacity and performance of IT resources, an IS auditor should PRIMARILY ensure that the process is focused on:
A.
B.
C.
D.
Answer and explanation:
A
Accurate capacity monitoring of IT resources would be the most critical element of a continuous monitoring process.
B
Continuous monitoring helps to ensure that service level agreements (SLAs) are met, but this would not be the primary focus of monitoring. It is possible that even if a system were offline, it would meet the requirements of an SLA. Therefore, accurate availability monitoring is more important.
C
While data gained from capacity and performance monitoring would be an input to the planning process, the primary focus would be to monitor availability.
D
While continuous monitoring would help management to predict likely IT resource capabilities, the more critical issue would be that availability monitoring is accurate.
Question 5 - ID: 1812161
Applying a retention date on a file will ensure that:
A.
B.
C.
D.
Answer and explanation:
A
The retention date will not affect the ability to read the file.
B
The creation date, not the retention date, will differentiate files with the same name.
C
Backup copies would be expected to have a different retention date and, therefore, may be retained after the file has been overwritten.
D
A retention date will ensure that a file cannot be overwritten or deleted before that date has passed.
Question 6 - ID: 3012145
Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:
A.
B.
C.
D.
Answer and explanation:
A
The statement from management may be included in the audit report, but the auditor should independently validate the statements made by management to ensure completeness and accuracy.
B
When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report.
C
With respect to this matter, representations obtained from management cannot be independently verified.
D
If the organization is using software that is not licensed, the IS auditor, to maintain objectivity and independence, must include this in the report, but the IS auditor should verify that this is in fact the case before presenting it to senior management.
Question 7 - ID: 8512135
When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software:
A.
B.
C.
D.
Answer and explanation:
A
The installation of software that is not allowed by policy is a serious violation and could put the organization at security, legal and financial risk. Any software that is allowed should be part of a standard software list. This is the first thing to review because this would also indicate compliance with policies.
B
Discovering that users have not been formally trained in the use of a software product is common, and while not ideal, most software includes help files and other tips that can assist in learning how to use the software effectively.
C
A software license that is about to expire is not a risk if there is a process in place to renew it.
D
All software, including licenses, should be documented in IT department records, but this is not as serious as the violation of policy in installing unapproved software.
Question 8 - ID: 3812159
Which of the following would an IS auditor consider to be MOST helpful when evaluating the effectiveness and adequacy of a preventive computer maintenance program?
A.
B.
C.
D.
Answer and explanation:
A
Vendor's reliability figures are not an effective measure of a preventive maintenance program.
B
A schedule is a good control to ensure that maintenance is planned and that no items are missed in the maintenance schedule; however, it is not a guarantee that the work is actually being done.
C
Reviewing the log is a good detective control to ensure that maintenance is being done; however, only the system downtime will indicate whether the preventive maintenance is actually working well.
D
A system downtime log provides evidence regarding the effectiveness and adequacy of computer preventive maintenance programs. The log is a detective control, but because it is validating the effectiveness of the maintenance program, it is validating a preventive control.
Question 9 - ID: 1212134
An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?
A.
B.
C.
D.
Answer and explanation:
A
The absence of a limitation of liability clause for the service provider would, theoretically, expose the provider to unlimited liability. This would be to the advantage of the outsourcing company so, while the IS auditor might highlight the absence of such a clause, it would not constitute a major concern.
B
While the inclusion of service level report templates would be desirable, as long as the requirement for service level reporting is included in the contract, the absence of predefined templates for reporting is not a significant concern.
C
The absence of a "right to audit" clause or other form of attestation that the supplier was compliant with a certain standard would potentially prevent the IS auditor from investigating any aspect of supplier performance moving forward, including control deficiencies, poor performance and adherence to legal requirements. This would be a major concern for the IS auditor because it would be difficult for the organization to assess whether the appropriate controls had been put in place.
D
While a clear definition of penalty payment terms is desirable, not all contracts require the payment of penalties for poor performance, and when performance penalties are required, these penalties are often subject to negotiation on a case-by-case basis. As such, the absence of this information would not be as significant as a lack of right to audit.
Question 10 - ID: 3912142
An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability?
A.
B.
C.
D.
Answer and explanation:
A
While capacity planning should be considered in each development project, it will not ensure system availability, nor is it part of the change control process.
B
The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently.
C
User acceptance testing is important but not a critical element of change control and would not usually address the topic of availability as asked in the question.
D
Changes are usually required to be signed off by a business analyst, member of the change control board or other authorized representative, not necessarily by IT management.
Question 11 - ID: 1812137
Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?
A.
B.
C.
D.
Answer and explanation:
A
For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate. Each office could be designated as a recovery site for some other office. This would be the least expensive approach and would provide an acceptable level of confidence.
B
A third-party facility for recovery is provided by a traditional hot site. This would be a costly approach providing a high degree of confidence.
C
Multiple cold sites leased for the multiple offices would lead to an ineffective solution with poor availability.
D
A hot site maintained by the business would be a costly solution but would provide a high degree of confidence.
Question 12 - ID: 2212144
Which of the following statements is useful while drafting a disaster recovery plan?
A.
B.
C.
D.
Answer and explanation:
A
Recovery costs decrease with the time allowed for recovery. For example, recovery costs to recover business operations within two days will be higher than the cost to recover business within seven days. The essence of an effective DRP is to minimize uncertainty and increase predictability.
B
Downtime costs-such as loss of sales, idle resources, salaries-increase with time. A disaster recovery plan should be drawn to achieve the lowest downtime costs possible.
C
With good planning, recovery costs can be predicted and contained.
D
Downtime costs are not related to the recovery point objective (RPO). The RPO defines the data backup strategy, which is related to recovery costs rather than to downtime costs.
Question 13 - ID: 1312136
An IS auditor of a healthcare organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information. Which of the following contractual terms would be the GREATEST risk to the customer organization?
A.
B.
C.
D.
Answer and explanation:
A
The customer organization would want to retain data ownership and, therefore, this would not be a risk.
B
Some service providers reserve the right to access customer information (third-party access) to perform certain transactions and provide certain services. In the case of protected health information, regulations may restrict certain access. Organizations must review the regulatory environment in which the cloud provider operates because it may have requirements or restrictions of its own. Organizations must then determine whether the cloud provider provides appropriate controls to ensure that data are appropriately secure.
C
An organization may need to plan its own data recovery processes and procedures if the service provider does not make this available or the organization has doubts about the service provider's processes. This would only be a risk if the customer organization was unable to perform these activities itself.
D
An organization may eventually wish to discontinue its service with a third-party cloud-based provider. The organization would then want to remove its data from the system and ensure that the service provider clears the system (including any backups) of its data. Some providers do not offer automated or bulk data withdrawal mechanisms, which the organization needs to migrate its data. These aspects should be clarified prior to using a third-party provider.
Question 14 - ID: 8812156
During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?
A.
B.
C.
D.
Answer and explanation:
A
While it may be necessary to redesign the change management process, this cannot be done until a root cause analysis is conducted to determine why the current process is not being followed.
B
A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management.
C
The results of the audit including the findings of noncompliance will be delivered to management once a root cause analysis of the issue has been completed.
D
A business relies on being able to make changes when necessary, and security patches must often be deployed promptly. It would not be feasible to halt all changes until a new process is developed.
Question 15 - ID: 9212149
Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis?
A.
B.
C.
D.
Answer and explanation:
A
The BIA is dependent on the unique business needs of the organization and the advice of industry experts is of limited value.
B
While senior management must be involved, they may not be fully aware of the criticality of applications that need to be protected.
C
Business process owners have the most relevant information to contribute because the business impact analysis (BIA) is designed to evaluate criticality and recovery time lines, based on business needs.
D
While IT management must be involved, they may not be fully aware of the business processes that need to be protected.
Question 16 - ID: 1712150
An IS auditor is reviewing an organization's disaster recovery plan (DRP) implementation. The project was completed on time and on budget. During the review, the auditor uncovers several areas of concern. Which of the following presents the GREATEST risk?
A.
B.
C.
D.
Answer and explanation:
A
If the DRP is designed and documented properly, the loss of an experienced project manager should have minimal impact. The risk of a poorly designed plan that may not meet the requirements of the business is much more significant than the risk posed by loss of the project manager.
B
Use of a hot site is a strategic determination based on tolerable downtime, cost and other factors. Although using a hot site may be considered a good practice, this is a very costly solution that may not be required for the organization.
C
The risk of not using the results of the business impact analysis (BIA) for disaster recovery planning means that the DRP may not be designed to recover the most critical assets in the correct order. As a result, the plan may not be adequate to allow the organization to recover from a disaster.
D
Although testing a disaster recovery plan (DRP) is a critical component of a successful disaster recovery strategy, this is not the biggest risk; the biggest risk comes from a plan that is not properly designed.
Question 17 - ID: 3012146
An advantage of using unshielded twisted-pair (UTP) cable for data communication over other copper based cables is that UTP cable:
A.
B.
C.
D.
Answer and explanation:
A
The use of unshielded twisted-pair (UTP) in copper will reduce the likelihood of crosstalk.
B
Attenuation sets in if copper twisted-pair cable is used for longer than 100 meters, necessitating the use of a repeater.
C
While the twisted nature of the media will reduce sensitivity to electromagnetic disturbances, an unshielded copper wire does not provide adequate protection against wiretapping.
D
The tools and techniques to install UTP are not simpler or easier than other copper-based cables.
Question 18 - ID: 8212151
A vendor has released several critical security patches over the past few months and this has put a strain on the ability of the administrators to keep the patches tested and deployed in a timely manner. The administrators have asked if they could reduce the testing of the patches. What approach should the organization take?
A.
B.
C.
D.
Answer and explanation:
A
Applying security software patches promptly is critical to maintain the security of the servers; further, testing the patches is important because the patches may affect other systems and business operations. Because the vendor has recently released several critical patches in a short time, it can be hoped that this is a temporary problem and does not need a revision to policy or procedures.
B
The testing done by the vendor may not be applicable to the systems and environment of the organization that needs to deploy the patches.
C
Applying security software patches promptly is critical to maintain the security of the servers. Delaying patching would increase the risk of a security breach due to system vulnerability.
D
Reduced testing increases the risk of business operation disruption due to a faulty or incompatible patch. While a backout plan does help mitigate this risk, a thorough testing up front would be the more appropriate option.
Question 19 - ID: 3712157
An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:
A.
B.
C.
D.
Answer and explanation:
A
A clustered setup in one site makes the entire network vulnerable to natural disasters or other disruptive events.
B
Diverse routing provides telecommunications backup if a network is not available.
C
A hot site would also be a good alternative for a single point-of-failure site.
D
Dispersed geographic locations provide backup if a site has been destroyed.
Question 20 - ID: 3212138
During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed?
A.
B.
C.
D.
Answer and explanation:
A
Referential integrity in a relational database refers to consistency between coupled (linked) tables. Referential integrity is usually enforced by the combination of a primary key or candidate key (alternate key) and a foreign key. For referential integrity to hold, any field in a table that is declared a foreign key should contain only values from a parent table's primary key or a candidate key.
B
Field definitions describe the layout of the table but are not directly related to referential integrity.
C
Composite keys describe how the keys are created but are not directly related to referential integrity.
D
Master table definition describes the structure of the database but is not directly related to referential integrity.
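The check behind option A, as an added example that is not part of the question bank: a parent table whose primary key is referenced by a child table's foreign key, tried once with the constraint enforced and once with it declared but not enforced. The audit query at the end (child rows with no matching parent key) is what gives assurance of referential integrity in the data itself, rather than relying on what the DBMS reports about its constraints. The customer/invoice schema and every row are constructed; SQLite is used only because it ships with Python.

```python
# Added example, not part of the question bank: a small referential-integrity
# check of the kind an IS auditor would run. Uses SQLite (bundled with Python),
# so it runs offline; the customer/invoice schema and rows are constructed.
import sqlite3


def build_db(enforce_fk: bool) -> sqlite3.Connection:
    """Create an in-memory parent/child schema.

    With enforce_fk=False SQLite keeps the declared FOREIGN KEY but does not
    enforce it, which mimics a database where the constraint exists on paper
    only (disabled, not validated, or left to the application).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce_fk else "OFF"))
    conn.executescript(
        """
        CREATE TABLE customer (
            customer_id INTEGER PRIMARY KEY,
            name        TEXT NOT NULL
        );
        CREATE TABLE invoice (
            invoice_id  INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
            amount      REAL NOT NULL
        );
        INSERT INTO customer VALUES (1, 'Acme'), (2, 'Globex');
        INSERT INTO invoice  VALUES (10, 1, 120.0), (11, 2, 80.5);
        """
    )
    return conn


def insert_orphan(conn: sqlite3.Connection) -> bool:
    """Insert an invoice for customer 99, which has no parent row.

    Returns True if the database accepted the orphan (integrity violated).
    """
    try:
        conn.execute("INSERT INTO invoice VALUES (12, 99, 5.0)")
        return True
    except sqlite3.IntegrityError:
        return False


def orphan_invoices(conn: sqlite3.Connection) -> list:
    """Audit query: child rows whose foreign key matches no parent primary key.

    Run this regardless of what the DBMS claims about enforcement; it is the
    evidence that referential integrity actually holds in the data.
    """
    rows = conn.execute(
        """
        SELECT i.invoice_id
        FROM invoice AS i
        LEFT JOIN customer AS c ON c.customer_id = i.customer_id
        WHERE c.customer_id IS NULL
        ORDER BY i.invoice_id
        """
    ).fetchall()
    return [r[0] for r in rows]


def run_demo() -> dict:
    """Compare an enforced and an unenforced database side by side."""
    results = {}
    for label, enforce in (("enforced", True), ("unenforced", False)):
        conn = build_db(enforce)
        results[label] = {
            "accepted_orphan": insert_orphan(conn),
            "orphans_found": orphan_invoices(conn),
        }
        conn.close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

With enforcement on, the orphan insert is rejected and the audit query returns nothing; with enforcement off, the insert succeeds and the same query surfaces invoice 12. The LEFT JOIN ... IS NULL pattern is the one to keep: it is DBMS-independent and finds violations that predate the constraint or entered through a bulk load that bypassed it.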
Question 21 - ID: 6112143
Data flow diagrams are used by IS auditors to:
A.
B.
C.
D.
Answer and explanation:
A
A data dictionary may be used to document data definitions, but the data flow diagram is used to document how data move through a process.
B
Identifying key controls is not the focus of data flow diagrams. The focus is as the name states-flow of data.
C
The purpose of a data flow diagram is to track the movement of data through a process and is not primarily to document or indicate how data are generated.
D
Data flow diagrams are used as aids to graph or chart data flow and storage. They trace data from their origination to destination, highlighting the paths and storage of data.
Question 22 - ID: 7712160
An organization has implemented an online customer help desk application using a software as a service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide?
A.
B.
C.
D.
Answer and explanation:
A
Contracting a third party to implement availability monitoring is not a cost-effective option. Additionally, this results in a shift from monitoring the SaaS vendor to monitoring the third party.
B
Weekly application availability reports are useful, but these reports represent only the vendor's perspective. While monitoring these reports, the organization can raise concerns of inaccuracy; however, without internal monitoring, such concerns cannot be substantiated.
C
Logging the outage times reported by users is helpful but does not give a true picture of all outages of the online application. Some outages may go unreported, especially if the outages are intermittent.
D
Implementing an online polling tool to monitor and record application outages is the best option for an organization to monitor the software as a service application availability. Comparing internal reports with the vendor's service level agreement (SLA) reports would ensure that the vendor's monitoring of the SLA is accurate and that all conflicts are appropriately resolved.
Question 23 - ID: 1512154
Which of the following reports should an IS auditor use to check compliance with a service level agreement's requirement for uptime?
A.
B.
C.
D.
Answer and explanation:
A
System logs are used for recording the system's activities. They may not indicate availability.
B
Hardware error reports provide information to aid in detecting hardware failures and initiating corrective action. These error reports may not indicate actual system uptime.
C
IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for utilization by users or other processes.
D
Utilization reports document the use of computer equipment, and can be used by management to predict how, where and/or when resources are required.
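The two preceding questions both come down to the same control: an internal record of when the service was actually reachable, turned into an availability report and compared with the vendor's SLA figure. The following is an added example, not code from the question bank or any vendor: it takes a constructed probe log (one check every five minutes, UP or DOWN), collapses failed probes into outage windows, computes availability over the observed period and flags a disagreement with the vendor's report. The poll interval, the 99.9% target and the vendor figure are assumptions chosen for the demonstration.

```python
# Added example, not part of the question bank: an internal availability poll
# log turned into an availability report and reconciled with the vendor's
# SLA figure. The poll log, the SLA target and the vendor figure are constructed.
from datetime import datetime, timedelta

POLL_INTERVAL = timedelta(minutes=5)

# Constructed probe log: one check every 5 minutes, recorded as UP or DOWN.
POLL_LOG = """\
2024-03-01T00:00:00 UP
2024-03-01T00:05:00 UP
2024-03-01T00:10:00 DOWN
2024-03-01T00:15:00 DOWN
2024-03-01T00:20:00 UP
2024-03-01T00:25:00 UP
2024-03-01T00:30:00 UP
2024-03-01T00:35:00 DOWN
2024-03-01T00:40:00 UP
2024-03-01T00:45:00 UP
"""


def parse_log(text):
    """Return a list of (timestamp, is_up) tuples, in log order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status = line.split()
        entries.append((datetime.fromisoformat(ts), status == "UP"))
    return entries


def outage_windows(entries):
    """Collapse runs of DOWN probes into (start, end) windows.

    A DOWN probe is taken to cover the interval up to the next probe, so a
    single failed probe counts as one POLL_INTERVAL of downtime.
    """
    windows, start = [], None
    for ts, up in entries:
        if not up and start is None:
            start = ts
        elif up and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:  # log ended while the service was still down
        windows.append((start, entries[-1][0] + POLL_INTERVAL))
    return windows


def availability_pct(entries):
    """Availability over the observed period as a percentage."""
    observed = len(entries) * POLL_INTERVAL
    down = sum((end - start for start, end in outage_windows(entries)), timedelta())
    return 100.0 * (1 - down / observed)


def reconcile(entries, vendor_pct, sla_target_pct, tolerance_pct=0.05):
    """Compare the internal measurement with the vendor's SLA report."""
    internal = availability_pct(entries)
    return {
        "internal_pct": round(internal, 2),
        "vendor_pct": vendor_pct,
        "sla_met_internal": internal >= sla_target_pct,
        "sla_met_vendor": vendor_pct >= sla_target_pct,
        "reports_disagree": abs(internal - vendor_pct) > tolerance_pct,
        "outages": [(s.isoformat(), e.isoformat()) for s, e in outage_windows(entries)],
    }


if __name__ == "__main__":
    probes = parse_log(POLL_LOG)
    # Vendor figure and 99.9% target are constructed for the demonstration.
    print(reconcile(probes, vendor_pct=99.95, sla_target_pct=99.9))
```

The constructed window is deliberately short, so 15 minutes of outage out of 50 observed gives 70% availability. What matters is the shape of the output: the internal figure, the vendor's figure, whether each says the SLA was met, and the outage windows the organization can put in front of the vendor when the two disagree. The probe interval bounds what intermittent outages the log can see; a 5-minute probe cannot evidence a 30-second failure, which is the caveat to state in the SLA monitoring procedure.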
Question 24 - ID: 8812155
Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
A.
B.
C.
D.
Answer and explanation:
A
An analytical review assesses the general control environment of an organization.
B
Forensic analysis is a specialized technique for criminal investigation.
C
Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently.
D
System log analysis would identify changes and activity on a system but would not identify whether the change was authorized unless conducted as a part of a compliance test.
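Option D is the point worth making concrete: a deployment log shows that a change happened, and only a compliance test that reconciles it against the change management records shows whether the change was authorized. The following is an added example, not code from the question bank: it checks each constructed deployment record for a referenced ticket, an approved ticket, the approved build hash and the approved implementation window, and returns one finding per failed check. Tickets, hosts, hashes, log lines and the field layout are all assumptions made for the demonstration.

```python
# Added example, not part of the question bank: a compliance test that
# reconciles a production deployment log against the change management
# records, which is the step that turns "a change happened" into "an
# authorized change happened". Tickets, hosts, hashes and log lines are all
# constructed for the demonstration.
from datetime import datetime

# Constructed approved changes: ticket -> approved build hash and approved
# implementation window.
APPROVED_CHANGES = {
    "CHG-1001": {"sha256": "a1b2c3", "window": ("2024-03-01T01:00:00", "2024-03-01T03:00:00")},
    "CHG-1002": {"sha256": "d4e5f6", "window": ("2024-03-02T01:00:00", "2024-03-02T03:00:00")},
}

# Constructed deployment log: timestamp host artifact build_hash ticket ("-" = none).
DEPLOY_LOG = """\
2024-03-01T01:30:00 app01 billing.jar a1b2c3 CHG-1001
2024-03-01T02:10:00 app02 billing.jar a1b2c3 CHG-1001
2024-03-02T02:00:00 app01 billing.jar ffffff CHG-1002
2024-03-02T23:45:00 app02 billing.jar d4e5f6 CHG-1002
2024-03-03T10:00:00 app03 billing.jar 999999 -
2024-03-03T11:00:00 app03 billing.jar 999999 CHG-9999
"""


def parse_deploy_log(text):
    """Parse the constructed log into one dict per deployment."""
    deploys = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, artifact, sha, ticket = line.split()
        deploys.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "artifact": artifact, "sha256": sha, "ticket": ticket})
    return deploys


def compliance_test(deploys, approved):
    """Return one finding per deployment that fails an authorization check.

    Checks, in order: a ticket is referenced; the ticket exists among approved
    changes; the deployed build is the approved build; the deployment fell
    inside the approved window. A deployment with no finding is an authorized
    change.
    """
    findings = []
    for d in deploys:
        where = {"ts": d["ts"].isoformat(), "host": d["host"]}
        if d["ticket"] == "-":
            findings.append({**where, "issue": "no change ticket referenced"})
            continue
        change = approved.get(d["ticket"])
        if change is None:
            findings.append({**where, "issue": f"ticket {d['ticket']} not found among approved changes"})
            continue
        if d["sha256"] != change["sha256"]:
            findings.append({**where, "issue": "deployed build differs from approved build"})
        start, end = (datetime.fromisoformat(t) for t in change["window"])
        if not (start <= d["ts"] <= end):
            findings.append({**where, "issue": "deployed outside approved window"})
    return findings


if __name__ == "__main__":
    for finding in compliance_test(parse_deploy_log(DEPLOY_LOG), APPROVED_CHANGES):
        print(finding)
```

The first two deployments pass every check; the remaining four each produce a finding (wrong build, outside the window, no ticket, unknown ticket). The hash comparison is the check most often skipped in practice: a valid ticket number on a deployment of a build nobody approved is still an unauthorized modification, and a log that records only "who deployed when" cannot catch it.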
Question 25 - ID: 4212153
During an IS audit of the disaster recovery plan of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor?
A.
B.
C.
D.
Answer and explanation:
A
The backups cannot be trusted until they have been tested. However, this should be done as part of the overall tests of the DRP.
B
Regardless of the capability of local IT resources, the most critical risk would be the lack of testing, which would identify quality issues in the recovery process.
C
The corporate business continuity plan may not include disaster recovery plan (DRP) details for remote offices. It is important to ensure that the local plans have been tested.
D
Security is an important issue because many controls may be missing during a disaster. However, not having a tested plan is more important.
Question 26 - ID: 3512147
Which of the following is the MOST critical element to effectively execute a disaster recovery plan?
A.
B.
C.
D.
Answer and explanation:
A
Having a clearly defined recovery time objective is especially important for business continuity planning, but the core element of disaster recovery (the recovery of IT infrastructure and capability) is data backup.
B
Having a list of key contacts is important but not as important as having adequate data backup.
C
Remote storage of backups is the most critical disaster recovery plan (DRP) element of the items listed because access to backup data is required to restore systems.
D
A DRP may use a replacement data center or some other solution such as a mobile site, reciprocal agreement or outsourcing agreement.
Question 27 - ID: 7012152
Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)?
A.
B.
C.
D.
Answer and explanation:
A
Resolving issues related to exception reports is an operational issue that should be addressed in the service level agreement (SLA); however, a response time of one day may be acceptable depending on the terms of the SLA.
B
While it is important that the document be current, depending on the term of the agreement, it may not be necessary to change the document more frequently than annually.
C
Lack of service measures will make it difficult to gauge the efficiency and effectiveness of the IT services being provided.
D
The complexity of application logs is an operational issue, which is not related to the SLA.
Question 28 - ID: 1212139
An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening?
A.
B.
C.
D.
Answer and explanation:
A
Default database configurations, such as default passwords and services, need to be changed; otherwise, the database could be easily compromised by malicious code and by intruders.
B
The denormalization of a database is related more to performance than to security.
C
Limiting access to stored procedures is a valid security consideration but not as critical as changing default configurations.
D
Changing the service port used by the database is a component of the configuration changes that could be made to the database, but there are other more critical configuration changes that should be made first.
Question 29 - ID: 1112132
An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review?
A.
B.
C.
D.
Answer and explanation:
A
When contracting with a service provider, it is a good practice to enter into an SLA with the provider. An SLA is a guarantee that the provider will deliver the services according to the contract. The IS auditor will want to ensure that performance and security requirements are clearly stated in the SLA.
B
A due diligence activity such as reviewing physical security controls is a good practice, but the SLA would be most critical because it would define what specific levels of security would be required and make the provider contractually obligated to deliver what was promised.
C
A due diligence activity such as the use of background checks for the service provider's employees is a good practice, but the SLA would be most critical because it would define what specific levels of security and labor practices would be required and make the provider contractually obligated to deliver what was promised.
D
A due diligence activity such as reviewing references from other clients is a good practice, but the service level agreement (SLA) would be most critical because it would define what specific levels of performance would be required and make the provider contractually obligated to deliver what was promised.
Question 30 - ID: 5712158
Management considered two projections for its disaster recovery plan: plan A with two months to fully recover and plan B with eight months to fully recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected higher:
A.
B.
C.
D.
Answer and explanation:
A
Walk-through costs are not a part of disaster recovery.
B
Because the recovery time for plan B is longer, recovery costs can be expected to be lower.
C
Because management considered a longer time window for recovery in plan B, downtime costs included in the plan are likely to be higher.
D
Because the recovery time for plan B is longer, resumption costs can be expected to be lower.
