712-50 Practice Test Questions

445 Questions


Topic 2: IS Management Controls and Auditing Management

Which International Organization for Standardization (ISO) standard below BEST describes the performance of risk management and includes a five-stage risk management methodology?

A. ISO 27001
B. ISO 27002
C. ISO 27004
D. ISO 27005

Answer: D. ISO 27005



Which of the following is considered to be an IT governance framework and a supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks?

A. Control Objective for Information Technology (COBIT)
B. Committee of Sponsoring Organizations (COSO)
C. Payment Card Industry (PCI)
D. Information Technology Infrastructure Library (ITIL)

Answer: A. Control Objective for Information Technology (COBIT)



Creating a secondary authentication process for network access would be an example of which of the following?

A. Nonlinearities in physical security performance metrics
B. Defense in depth cost enumerated costs
C. System hardening and patching requirements
D. Anti-virus for mobile devices

Answer: A. Nonlinearities in physical security performance metrics



During the course of a risk analysis, your IT auditor identified threats and potential impacts. Next, your IT auditor should:

A. Identify and evaluate the existing controls.
B. Disclose the threats and impacts to management.
C. Identify information assets and the underlying systems.
D. Identify and assess the risk assessment process used by management.

Answer: A. Identify and evaluate the existing controls.



The BEST organization to provide a comprehensive, independent and certifiable perspective on established security controls in an environment is:

A. Penetration testers
B. External Audit
C. Internal Audit
D. Forensic experts

Answer: B. External Audit



Which of the following activities is the MAIN purpose of the risk assessment process?

A. Creating an inventory of information assets
B. Classifying and organizing information assets into meaningful groups
C. Assigning value to each information asset
D. Calculating the risks to which assets are exposed in their current setting

Answer: D. Calculating the risks to which assets are exposed in their current setting



The effectiveness of an audit is measured by which of the following?

A. The number of actionable items in the recommendations
B. How it exposes the risk tolerance of the company
C. How the recommendations directly support the goals of the company
D. The number of security controls the company has in use

Answer: C. How the recommendations directly support the goals of the company



A missing or ineffective security control is identified. Which of the following should be the NEXT step?

A. Perform an audit to measure the control formally
B. Escalate the issue to the IT organization
C. Perform a risk assessment to measure risk
D. Establish Key Risk Indicators

Answer: C. Perform a risk assessment to measure risk



An IT auditor has recently discovered that, because of a shortage of skilled operations personnel, the security administrator has agreed to work one late-night shift a week as the senior computer operator. The MOST appropriate course of action for the IT auditor is to:

A. Inform senior management of the risk involved.
B. Agree to work with the security officer on these shifts as a form of preventive control.
C. Develop a computer-assisted audit technique to detect instances of abuse of the arrangement.
D. Review the system log for each of the late-night shifts to determine whether any irregular actions occurred.

Answer: A. Inform senior management of the risk involved.



The remediation of a specific audit finding is deemed too expensive and will not be implemented. Which of the following is a TRUE statement?

A. The asset is more expensive than the remediation
B. The audit finding is incorrect
C. The asset being protected is less valuable than the remediation costs
D. The remediation costs are irrelevant; it must be implemented regardless of cost

Answer: C. The asset being protected is less valuable than the remediation costs



Which of the following reports should you, as an IT auditor, use to check on compliance with a service level agreement's requirement for uptime?

A. System logs
B. Hardware error reports
C. Utilization reports
D. Availability reports

Answer: D. Availability reports



You are the Chief Information Security Officer of a large, multinational bank and you suspect there is a flaw in a two-factor authentication token management process. Which of the following represents your BEST course of action?

A. Validate that security awareness program content includes information about the potential vulnerability
B. Conduct a thorough risk assessment against the current implementation to determine system functions
C. Determine program ownership to implement compensating controls
D. Send a report to executive peers and business unit owners detailing your suspicions

Answer: B. Conduct a thorough risk assessment against the current implementation to determine system functions



