A |
Changes in decision processes are not a type of risk, but a characteristic of a DSS.
|
B |
Semistructured dimensions is not a type of risk, but a characteristic of a DSS.
|
C |
The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a DSS.
|
D |
Management control is not a type of risk, but a characteristic of a decision support system (DSS).
|
A |
Having a backup server with current data is critical but not as critical as ensuring the availability of the source code.
|
B |
Having staff training is critical but not as critical as ensuring the availability of the source code.
|
C |
Whenever proprietary application software is purchased, the contract should provide for a source code escrow agreement. This agreement ensures that the purchasing organization has the opportunity to modify the software should the vendor cease to be in business.
|
D |
Having a backup server with relevant software is critical but not as critical as ensuring the availability of the source code.
|
A |
Change control requires that good change management processes be implemented and enforced.
|
B |
Outsourcing the IT function is a business decision and not directly related to the rate of technological change, nor does the rate of change increase the importance of outsourcing.
|
C |
Personnel in a typical IT department can often be trained in new technologies to meet organizational requirements.
|
D |
Although meeting user requirements is important, it is not directly related to the rate of technological change in the IT environment.
|
A |
A strategic information technology planning scorecard would be covered by a strategic plan.
|
B |
The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan provides a framework for the IT short-range plan.
|
C |
A clear definition of the IT mission and vision would be covered by a strategic plan.
|
D |
Business objectives relating to IT goals and objectives would be covered by a strategic plan.
|
A |
Required vacations/holidays of a week or more in duration in which someone other than the regular employee performs the job function of the employee on vacation is often mandatory for sensitive positions because this reduces the opportunity to commit improper or illegal acts. During this time off, it may be possible to discover any fraudulent activity that was taking place.
|
B |
Maintaining a good quality of life is important, but the primary reason for a mandatory vacation is to catch fraud or errors.
|
C |
Enforcing a rule that all vacations must be taken a week at a time is a management decision but not related to a mandatory vacation policy. The primary reason for mandatory vacations is to detect fraud or errors.
|
D |
Providing cross-training is an important management function, but the primary reason for mandatory vacations is to detect fraud or errors.
|
A |
Email policy should address the business and legal requirements of email retention. Addressing the retention issue in the email policy would facilitate rebuilding.
|
B |
Besides being a good practice, laws and regulations may require an organization to keep information that has an impact on the financial statements. The prevalence of lawsuits in which email communication is held in the same regard as the official form of classic paper makes the retention policy of corporate email a necessity. All email generated on an organization's hardware is the property of the organization, and an email policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of emails after a specified time to protect the nature and confidentiality of the messages themselves.
|
C |
Email policy should address the business and legal requirements of email retention. Addressing the retention issue in the email policy would facilitate recovery.
|
D |
Email policy should address the business and legal requirements of email retention. Reuse of email is not a policy matter.
|
A |
Results of a new accounting package is a tactical or short-term goal and would not be included in a strategic plan.
|
B |
Approved suppliers of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and, thus, is a part of the organization's strategic plan.
|
C |
Short-term project plans is project-oriented and is a method of implementing a goal but not the goal in itself. The goal would be to have better project management; the new system is how to achieve that goal.
|
D |
An evaluation of information technology needs is a way to measure performance, but not a goal to be found in a strategic plan.
|
A |
Leading-edge technology is an objective, but IT plans would be needed to ensure that those plans are aligned with organizational goals.
|
B |
To ensure its contribution to the realization of an organization's overall goals, the IT department should have long- and short-range plans that are consistent with the organization's broader and strategic plans for attaining its goals.
|
C |
A low-cost philosophy is one objective, but more important is the cost-benefit and the relation of IT investment cost to business strategy.
|
D |
Plans to acquire new hardware and software could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals.
|
A |
Procurement procedures are organizational controls, but not a part of strategic planning.
|
B |
The budget should not vary from the plan.
|
C |
A strategic plan is a senior management responsibility and would receive input from line managers but would not be approved by them.
|
D |
Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals.
|
A |
Assimilation of the framework and intent of a written security policy by all levels of management and users of the system is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective.
|
B |
The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules is important, but it is dependent on the support and education of management and users on the importance of security.
|
C |
Management support and commitment is, no doubt, important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount.
|
D |
Punitive actions are needed to enforce the policy but are not the key to successful implementation.
|
A |
Having sufficient excess capacity to respond to changing directions is important to show flexibility to meet organizational changes but is not in itself a way to ensure that IT is aligned with business goals.
|
B |
Using equipment and personnel efficiently and effectively is an effective method for determining the proper management of the IT function but does not ensure that the IT strategy is aligned with business objectives.
|
C |
The only way to know if IT strategy will meet business objectives is to determine if the IT plan is consistent with management strategy and that it relates IT planning to business plans.
|
D |
Having personnel and equipment is an important requirement to meet the IT strategy but will not ensure that the IT strategy supports business objectives.
|
A |
The IT department is responsible for the execution of the policy, having no authority in framing the policy.
|
B |
Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors.
|
C |
The security committee also functions within the broad security policy framed by the board of directors.
|
D |
The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.
|
A |
The fourth step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.
|
B |
Having identified the externally accessed applications, the second step is to identify vulnerabilities (weaknesses) associated with the network applications.
|
C |
Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step.
|
D |
Identification of the applications required across the network should be the initial step. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications.
|
A |
The information system solution should be cost-effective, but this is not the most important aspect.
|
B |
Prior to implementing new technology, an organization should perform a risk assessment, which is then presented to business unit management for review and acceptance.
|
C |
Compatibility with existing systems is one consideration; however, the new system may be a major upgrade that is not compatible with existing systems, so this is not the most important consideration.
|
D |
The security risk of the current technology is one of the components of the risk analysis, and alone is not the most important factor.
|
A |
The security policy provides the broad framework of security as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access.
|
B |
A list of key IT resources to be secured is more detailed than that which should be included in a policy.
|
C |
The identity of sensitive security assets is more detailed than that which should be included in a policy.
|
D |
A list of the relevant software security features is more detailed than that which should be included in a policy.
|
A |
Although any new software implementation may create support issues, the primary benefit of the EA is ensuring that the IT solutions deliver value to the business. Decreased support costs may be a benefit of the EA, but the lack of IT involvement in this case would not affect the support requirements.
|
B |
Although security controls should be a requirement for any application, the primary focus of the enterprise architecture (EA) is to ensure that new applications are consistent with enterprise standards. Although the use of standard supported technology may be more secure, this is not the primary benefit of the EA.
|
C |
The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system that is not part of the EA for the business, this increases the cost and complexity of the solution and ultimately delivers less value to the business.
|
D |
When selecting an application, the business requirements and the suitability of the application for the IT environment must be considered. If the business units selected their application without IT involvement, they are more likely to choose a solution that fits their business process the best with less emphasis on how compatible and supportable the solution will be in the enterprise, and this is not a concern.
|
A |
When individuals serve multiple roles, this represents a separation-of-duties problem with associated risk. System administrators should not be application programmers, due to the associated rights of both functions. A person with both system and programming rights can do almost anything on a system, including creating a back door. The other combinations of roles are valid from a separation of duties perspective.
|
B |
Ideally, network administrators should not be responsible for quality assurance because they could approve their own work. However, that is not as serious as the combination of system administrator and application programmer, which would allow nearly unlimited abuse of privilege.
|
C |
While a database administrator is a very privileged position, it would not be in conflict with the role of a systems analyst.
|
D |
In some distributed environments, especially with small staffing levels, users may also manage security.
|
A |
A DSS emphasizes flexibility in the decision-making approach of management through data analysis and the use of interactive models, not fixed criteria.
|
B |
A DSS combines the use of models and analytic techniques with traditional data access and retrieval functions but is not limited by predetermined criteria.
|
C |
A DSS supports semistructured decision-making tasks.
|
D |
A decision support system (DSS) is aimed at solving less structured problems.
|
A |
Employee award programs provide motivation; however, they do not minimize dependency on key individuals.
|
B |
Job evaluation is the process of determining the worth of one job in relation to that of the other jobs in a company so that a fair and equitable wage and salary system can be established.
|
C |
Succession planning ensures that internal personnel with the potential to fill key positions in the organization are identified and developed.
|
D |
Staff responsibilities definitions provide for well-defined roles and responsibilities; however, they do not minimize dependency on key individuals.
|
A |
Although project management issues could arise from performance indicators that were not correctly defined, the presentation of misleading performance to management is a much more significant risk.
|
B |
The IT balanced scorecard is designed to measure IT performance. To measure performance, a sufficient number of performance drivers (key performance indicators [KPIs]) must be defined and measured over time. Failure to have objective KPIs may result in arbitrary, subjective measures that may be misleading and lead to unsound decisions.
|
C |
Although performance management issues related to service level agreements could arise from performance indicators that were not correctly defined, the presentation of misleading performance to management is a much more significant risk.
|
D |
If the performance indicators are not objectively measurable, the most significant risk would be the presentation of misleading performance results to management. This could result in a false sense of assurance and, as a result, IT resources may be misallocated, or strategic decisions may be based on incorrect information. Whether or not the performance indicators are correctly defined, the results would be reported to management.
|
A |
Management may agree to or reject an audit finding. The IS auditor cannot be assured that management will act upon an audit finding unless they are aware of its impact; therefore, the auditor must report the risk associated with lack of security awareness.
|
B |
Information security is everybody's business, and all staff should be trained in how to handle information correctly.
|
C |
Providing security awareness training is not an IS audit function.
|
D |
All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.
|
A |
Bonding is directed at due-diligence compliance and does not ensure integrity.
|
B |
A background screening is the primary method for assuring the integrity of a prospective staff member. This may include criminal history checks, driver's license abstracts, financial status checks, verification of education, etc.
|
C |
References are important and would need to be verified, but they are not as reliable as background screening because the references themselves may not be validated as trustworthy.
|
D |
Qualifications listed on a resume may be used to demonstrate proficiency but will not indicate the integrity of the candidate employee.
|
A |
Investments in IT need to be aligned with top management strategies rather than be relevant to short-term planning and focus on technology for technology's sake.
|
B |
Conducting control self-assessments is not as critical as allocating resources during short-term planning for the IT department.
|
C |
Evaluating hardware needs is not as critical as allocating resources during short-term planning for the IT department.
|
D |
The IT department should specifically consider the manner in which resources are allocated in the short term. The IS auditor ensures that the resources are being managed adequately.
|
A |
An organization-defined security policy ensures that help desk personnel do not have access to personnel data, and this is covered under the security policy. The more critical issue is that the application complied with the security policy.
|
B |
Maximum acceptable downtime is a good metric to have in the contract to ensure application availability; however, human resources (HR) applications are usually not mission-critical, and therefore, maximum acceptable downtime is not the most significant concern in this scenario.
|
C |
The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team; however, it is not essential that the individual or team belong to the IT department.
|
D |
Cloud applications should adhere to the organization-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.
|
A |
User accountability is important but not as great a risk as the actions of unauthorized users.
|
B |
Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that individuals can gain (be given) system access when they should not have authorization. The ability of unauthorized users to modify data is greater than the risk of authorized user accounts not being controlled properly.
|
C |
The greatest risk is from unauthorized users being able to modify data. User management is important but not the greatest risk.
|
D |
The failure to implement audit recommendations is a management problem but not as serious as the ability of unauthorized users making modifications.
|
A |
There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important and immediate action to take.
|
B |
All the work of the terminated employee needs to be backed up, but this is not as critical as removing terminated employee access.
|
C |
The employees need to be notified of the termination, but this is not as critical as removing terminated employee access.
|
D |
All the work of the terminated employee needs to be handed over to a designated employee; however, this is not as critical as removing terminated employee access.
|
A |
Although not ideal, a local area network (LAN) administrator may have end-user responsibilities.
|
B |
In small organizations, the LAN administrator may also be responsible for security administration over the LAN.
|
C |
The LAN administrator may report to the director of the information processing facility (IPF) or, in a decentralized operation, to the end-user manager.
|
D |
A LAN administrator should not have programming responsibilities because that could allow modification of production programs without proper separation of duties, but the LAN administrator may have end-user responsibilities.
|
A |
A steering committee may use a feasibility study in its reviews; however, it is not responsible for performing/conducting the study.
|
B |
The steering committee is not responsible for enforcing security controls.
|
C |
The steering committee is not responsible for implementing development methodologies.
|
D |
A steering committee consists of representatives from the business and IT and ensures that IT investment is based on business objectives rather than on IT priorities.
|
A |
Because a BSC is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC.
|
B |
A balanced scorecard (BSC) is a method of specifying and measuring the attainment of strategic results. It will measure the delivery of effective and efficient services, but an organization may not have those in place prior to using a BSC.
|
C |
A BSC will measure the performance of IT, but the control over IT expenses is not a key requirement for implementing a BSC.
|
D |
A BSC will measure the value of IT to business, not the other way around.
|
A |
Techniques are the means of achieving an objective, but it is more important to know the reason and objective for the control than to understand the technique itself.
|
B |
A security policy mandates the use of IS controls, but the controls are not used to understand policy.
|
C |
Control objectives provide the actual objectives for implementing controls and may or may not be based on good practices.
|
D |
An IS control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IS activity.
|