CISA : Certified Information Systems Auditor : Part 55
-
During the procurement process, which of the following would be the BEST indication that prospective vendors will meet the organization’s needs?
- An account transition manager has been identified.
- Expected service levels are defined.
- The vendor’s subcontractors have been identified.
- The service catalog is documented.
-
When conducting a requirements analysis for a project the BEST approach would be to:
- conduct a control self-assessment.
- consult key stakeholders.
- test operational deliverables.
- prototype the requirements.
-
What is the BEST population to select from when testing that programs are migrated to production with proper approval?
- List of changes provided by application programming managers
- List of production programs
- Completed change request forms
- Change advisory board meeting minutes
-
Which of the following is the BEST guidance from an IS auditor to an organization planning an initiative to improve the effectiveness of its IT processes?
- IT staff should be surveyed to identify current IT process weaknesses and suggest improvements.
- The organization should use a capability maturity model to identify current maturity levels for each IT process.
- IT management should include process improvements in staff performance
- The organization should refer to prior audit reports to identify the specific IT processes to be improved.
-
An organization implements a data loss prevention tool as a control to mitigate the risk of sensitive data leaving the organization via electronic mail. Which of the following would provide the BEST indication of adequate control design?
- Management has formally approved the control design.
- Management presents evidence that data loss incidents have decreased.
- Security administrators can demonstrate the functions of the tool.
- Rules enforced by the tool were based on the classification of the data.
-
Which of the following should be the PRIMARY consideration when developing an IT strategy?
- IT key performance indicators based on business objectives
- Alignment with overall business objectives
- Alignment with the IT investment portfolio
- Short- and long-term plans for the enterprise IT architecture
-
An IS auditor is involved in the user testing phase of a development project. The developers wish to use a copy of a peak volume transaction file from the production process to show that the development can cope with the required volume. What is the auditor’s PRIMARY concern?
- Sensitive production data may be read by unauthorized persons.
- The error-handling and credibility checks may not be fully proven.
- Users may not wish for production data to be made available for testing.
- All functionality of the new process may not be tested.
-
A post-implementation review of a system implementation has identified that the defined objectives were changed several times without the approval of the project board. What should the IS auditor do NEXT?
- Notify the project sponsor and request that the project be reopened.
- Ask management to obtain retrospective approvals.
- Notify the project management office and raise a finding.
- Determine whether the revised objectives are appropriate.
-
An organization has implemented data storage hardware. Which of the following should an IS auditor review to assess if IT is maximizing storage and network utilization?
- Capacity management plans
- Downtime statistics
- The quality management systems
- Routine and non-routine job schedules
-
Which of the following is MOST likely to be included in a post-implementation review?
- Results of live processing
- Current sets of test data
- Test results
- Development methodology
-
At what point in software development should the user acceptance test plan be prepared?
- Implementation planning
- Requirements definition
- Transfer into production
- Feasibility study
-
At a project steering committee meeting, it is stated that adding controls to business processes undergoing re-engineering is an unnecessary cost. The IS auditor’s BEST response is that the actual control overhead for a business process is:
- usually considerable, but the benefits of good controls always exceed the cost.
- the responsibility of the project manager, and the cost should have been included in the budget.
- usually difficult to ascertain but is justifiable, because controls are essential to doing business.
- usually less than the potential cost of failure caused by lack of controls.
-
In a decentralized organization, the selection and purchase of IS products is acceptable as long as which of the following conditions exists?
- The same operating system is used throughout the organization.
- Various offices are independent and exchange data on an occasional basis.
- Acquired items are consistent with the organization’s short- and long-term IS strategy plans.
- Managers undertake a full cost-benefit analysis before deciding what to purchase.
-
An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern is that:
- the implementation plan meets user requirements.
- a clear business case has been established.
- the new hardware meets established security standards.
- a full, visible audit trail will be included.
-
An effective implementation of security roles and responsibilities is BEST evidenced across an enterprise when:
- operational activities are aligned with policies.
- policies are signed off by users.
- policies are rolled out and disseminated.
- reviews and updates of policies are regularly performed.
-
When evaluating the recent implementation of an intrusion detection system (IDS), an IS auditor should be MOST concerned with inappropriate:
- encryption.
- training.
- tuning.
- patching.
-
A technology service organization has recently acquired a new subsidiary. What should be the IS auditor’s NEXT course of action when considering the impact on the development of the IT audit plan?
- Review the revised business impact analysis (BIA).
- Proceed with the current audit plan.
- Perform a risk assessment.
- Include the new systems in the audit plan.
-
During a software acquisition review, an IS auditor should recommend that there be a software escrow agreement when:
- the estimated life for the product is less than 3 years.
- the deliverables do not include the source code.
- the product is new in the market.
- there is no service level agreement (SLA).
-
Which of the following procedures should be implemented prior to disposing of surplus computer equipment to employees?
- Use operating system commands to delete all files from the hard drive.
- Have the employee receiving the machine sign a nondisclosure agreement.
- Use application delete commands to remove files.
- Overwrite the hard drive with random data.
-
Which of the following controls should be implemented to BEST minimize system downtime for maintenance?
- Nightly full backups
- Virtualization
- Warm site
- Clustering