Ensurepass


QUESTION 401

While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor’s PRIMARY concern should be that the:

A. requirement for protecting confidentiality of information could be compromised.

B. contract may be terminated because prior permission from the outsourcer was not obtained.

C. other service provider to whom work has been outsourced is not subject to audit.

D. outsourcer will approach the other service provider directly for further work.

Correct Answer: A

Explanation:

Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. Where a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised. Choices B and C could be concerns but are not related to ensuring the confidentiality of information. There is no reason why an IS auditor should be concerned with choice D.

 

 

QUESTION 402

The development of an IS security policy is ultimately the responsibility of the:

A. IS department.

B. security committee.

C. security administrator.

D. board of directors.

Correct Answer: D

Explanation:

Normally, the designing of an information systems security policy is the responsibility of top management or the board of directors. The IS department is responsible for the execution of the policy, having no authority in framing the policy. The security committee also functions within the broad security policy framed by the board of directors. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.

 

 

QUESTION 403

Which of the following is a function of an IS steering committee?

A. Monitoring vendor-controlled change control and testing

B. Ensuring a separation of duties within the information’s processing environment

C. Approving and monitoring major projects, the status of IS plans and budgets

D. Liaising between the IS department and the end users

Correct Answer: C

Explanation:

The IS steering committee typically serves as a general review board for major IS projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, the status of IS plans and budgets. Vendor change control is an outsourcing issue and should be monitored by IS management. Ensuring a separation of duties within the information’s processing environment is an IS management responsibility. Liaising between the IS department and the end users is a function of the individual parties and not a committee.

 

 

QUESTION 404

When reviewing an organization’s strategic IT plan, an IS auditor should expect to find:

A. an assessment of the fit of the organization’s application portfolio with business objectives

B. actions to reduce hardware procurement cost

C. a listing of approved suppliers of IT contract resources

D. a description of the technical architecture for the organization’s network perimeter security

Correct Answer: A

Explanation:

An assessment of how well an organization’s application portfolio supports the organization’s business objectives is a key component of the overall IT strategic planning process. This drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc., can support the business objectives. Operational efficiency initiatives belong to tactical planning, not strategic planning. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization’s business objectives. A listing of approved suppliers of IT contract resources is a tactical rather than a strategic concern. An IT strategic plan would not normally include detail of a specific technical architecture.

 

 

QUESTION 405

When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the:

A. establishment of a review board.

B. creation of a security unit.

C. effective support of an executive sponsor.

D. selection of a security process owner.

Correct Answer: C

Explanation:

The executive sponsor would be in charge of supporting the organization’s strategic security program, and would aid in directing the organization’s overall security management activities. Therefore, support by the executive level of management is the most critical success factor (CSF). None of the other choices are effective without visible sponsorship of top management.

 

 

QUESTION 406

When reviewing IS strategies, an IS auditor can BEST assess whether IS strategy supports the organization’s business objectives by determining if IS:

A. has all the personnel and equipment it needs.

B. plans are consistent with management strategy.

C. uses its equipment and personnel efficiently and effectively.

D. has sufficient excess capacity to respond to changing directions.

Correct Answer: B

Explanation:

Determining if the IS plan is consistent with management strategy relates IS/IT planning to business plans. Choices A, C and D are effective methods for determining the alignment of IS plans with business objectives and the organization’s strategies.

 

 

QUESTION 407

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?

A. User management coordination does not exist.

B. Specific user accountability cannot be established.

C. Unauthorized users may have access to originate, modify or delete data.

D. Audit recommendations may not be implemented.

Correct Answer: C

Explanation:

Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that one could gain (be given) system access when they should not have authorization. By assigning authority to grant access to specific users, there is a better chance that business objectives will be properly supported.

 

 

QUESTION 408

The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?

A. Utilization of an intrusion detection system to report incidents

B. Mandating the use of passwords to access all software

C. Installing an efficient user log system to track the actions of each user

D. Training provided on a regular basis to all current and new employees

Correct Answer: D

Explanation:

Utilizing an intrusion detection system to report on incidents that occur is an implementation of a security program and is not effective in establishing a security awareness program. Choices B and C do not address awareness. Training is the only choice that is directed at security awareness.

 

 

QUESTION 409

An IS auditor reviewing an organization’s IT strategic plan should FIRST review:

A. the existing IT environment.

B. the business plan.

C. the present IT budget.

D. current technology trends.

Correct Answer: B

Explanation:

The IT strategic plan exists to support the organization’s business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize themselves with the business plan.

 

 

QUESTION 410

An IS auditor is reviewing an IT security risk management program. Measures of security risk should:

A. address all of the network risks.

B. be tracked over time against the IT strategic plan.

C. take into account the entire IT environment.

D. result in the identification of vulnerability tolerances.

Correct Answer: C

Explanation:

When assessing IT security risk, it is important to take into account the entire IT environment. Measures of security risk should focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. IT strategic plans are not granular enough to provide appropriate measures. Objective metrics must be tracked over time against measurable goals, thus the management of risk is enhanced by comparing today’s results against last week, last month, last quarter. Risk measures will profile assets on a network to objectively measure vulnerability risk. They do not identify tolerances.
