Topic 2: IS Management Controls and Auditing Management
Which of the following is a benefit of a risk-based approach to audit planning?
A. Resources are allocated to the areas of the highest concern
B. Scheduling may be performed months in advance
C. Budgets are more likely to be met by the IT audit staff
D. Staff will be exposed to a variety of technologies
Resources are allocated to the areas of the highest concern
Which represents PROPER separation of duties in the corporate environment?
A. Information Security and Identity Access Management teams perform two distinct functions
B. Developers and Network teams both have admin rights on servers
C. Finance has access to Human Resources data
D. Information Security and Network teams perform two distinct functions
Information Security and Network teams perform two distinct functions
The MOST common method to get an unbiased measurement of the effectiveness of an Information Security Management System (ISMS) is to
A. assign the responsibility to the information security team.
B. assign the responsibility to the team responsible for the management of the controls.
C. create operational reports on the effectiveness of the controls.
D. perform an independent audit of the security controls.
perform an independent audit of the security controls.
A Chief Information Security Officer received a list of high, medium, and low impact audit findings. Which of the following represents the BEST course of action?
A. If the findings impact regulatory compliance, try to apply remediation that will address the most findings for the least cost.
B. If the findings do not impact regulatory compliance, remediate only the high and medium risk findings.
C. If the findings impact regulatory compliance, remediate the high findings as quickly as possible.
D. If the findings do not impact regulatory compliance, review current security controls.
If the findings impact regulatory compliance, remediate the high findings as quickly as possible.
Which of the following are necessary to formulate responses to external audit findings?
A. Internal Audit, Management, and Technical Staff
B. Internal Audit, Budget Authority, Management
C. Technical Staff, Budget Authority, Management
D. Technical Staff, Internal Audit, Budget Authority
Technical Staff, Budget Authority, Management
IT control objectives are useful to IT auditors as they provide the basis for understanding the:
A. Desired results or purpose of implementing specific control procedures.
B. Audit control checklist.
C. Techniques for securing information.
D. Security policy.
Desired results or purpose of implementing specific control procedures.
Providing oversight of a comprehensive information security program for the entire organization is the primary responsibility of which group under the InfoSec governance framework?
A. Senior Executives
B. Office of the Auditor
C. Office of the General Counsel
D. All employees and users
Senior Executives
At which point should the identity access management team be notified of the termination of an employee?
A. At the end of the day once the employee is off site
B. During the monthly review cycle
C. Immediately so the employee account(s) can be disabled
D. Before an audit
Immediately so the employee account(s) can be disabled
Which of the following is the MOST effective way to measure the effectiveness of security controls on a perimeter network?
A. Perform a vulnerability scan of the network
B. External penetration testing by a qualified third party
C. Internal firewall ruleset reviews
D. Implement network intrusion prevention systems
External penetration testing by a qualified third party
An organization has implemented a change management process for all changes to the IT production environment. This change management process follows best practices and is expected to help stabilize the availability and integrity of the organization’s IT environment. Which of the following can be used to measure the effectiveness of this newly implemented process?
A. Number of change orders rejected
B. Number and length of planned outages
C. Number of unplanned outages
D. Number of change orders processed
Number of unplanned outages
Which of the following represents the BEST reason for an organization to use the Control Objectives for Information and Related Technology (COBIT) as an Information Technology (IT) framework?
A. It allows executives to more effectively monitor IT implementation costs
B. Implementation of it eases an organization’s auditing and compliance burden
C. Information Security (IS) procedures often require augmentation with other standards
D. It provides for a consistent and repeatable staffing model for technology organizations
Implementation of it eases an organization’s auditing and compliance burden
The risk found after a control has been fully implemented is called:
A. Residual Risk
B. Total Risk
C. Post implementation risk
D. Transferred risk
Residual Risk