ISACA newly added official practice questions (50 questions)



Document summary

Copyright 2009 ISACA. All rights reserved. These questions and answers may not be used, copied, modified, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA.

1. Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.

2. An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific control during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did not have operational responsibilities.
D. provided consulting advice concerning application system best practices.

3. A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.

4. With regard to the evidence gathered during a computer forensic investigation, an IS auditor should be most concerned with:
A. analysis.
B. evaluation.
C. preservation.
D. disclosure.

5. Which of the following best describes the early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and environment applicable to the review
D. Reviewing prior IS audit reports

6. During the course of an audit, an IS auditor observes that duties are not properly segregated. Under such a circumstance, the IS auditor should look for:
A. overlapping controls.
B. preventive controls.
C. compensating controls.
D. logical access controls.

7. Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.

8. To assist an organization in planning for IT investments, the IS auditor should recommend the use of:
A. project management tools.
B. an object oriented architecture.
C. tactical planning.
D. enterprise architecture.

9. An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?
A. References from other customers
B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan

10. IT governance ensures that an organization aligns its IT strategy with:
A. enterprise objectives.
B. IT objectives.
C. audit objectives.
D. control objectives.

11. An IS auditor should ensure that IT governance performance measures:
A. evaluate the activities of IT oversight committees.
B. provide strategic IT drivers.
C. adhere to regulatory reporting standards and definitions.
D. evaluate the IT department.

12. Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department

13. When reviewing a system development project at the project initiation stage, an IS auditor finds that the project team is following the organization's quality manual. To meet critical deadlines the project team proposes to fast track the validation and verification processes, commencing some elements before the previous deliverable is complete. Under these circumstances, the IS auditor should:
A. report this as a critical finding to senior management.
B. accept that different quality processes can be adopted for each project.
C. report to IS management the team's failure to follow quality procedures.
D. report the risks associated with fast tracking to the project steering committee.

14. Which of the following risks could result from inadequate software baselining?
A. Scope creep
B. Sign-off delays
C. Software integrity violations
D. Inadequate controls

15. Which of the following is critical to the selection and acquisition of the correct operating system software?
A. Competitive bids
B. User department approval
C. Hardware configuration analysis
D. Purchasing department approval

16. When conducting a review of business process reengineering, an IS auditor found that a key preventive control had been removed. The IS auditor should:
A. inform management of the finding and determine whether management is willing to accept the potential material risk of not having that preventive control.
B. determine if a detective control has replaced the preventive control during the process and, if it has, not report the removal of the preventive control.
C. recommend that this and all control procedures that existed before the process was reengineered be included in the new process.
D. develop a continuous audit approach to monitor the effects of the removal of the preventive control.

17. To assist in testing a core banking system being acquired, an organization has provided the vendor with sensitive data from its existing production system. An IS auditor's primary concern is that the data should be:
A. sanitized.
B. complete.
C. representative.
D. current.

18. An organization decides to purchase a package instead of developing it. In such a case, the design and development phases of a traditional software development life cycle (SDLC) would be replaced with:
A. selection and configuration phases.
B. feasibility and requirements phases.
C. implementation and testing phases.
D. nothing; replacement is not required.

19. An IS auditor is performing a project review to identify whether a new application has met business objectives. Which of the following test reports offers the most assurance that business objectives are met?
A. User acceptance
B. Performance
C. Sociability
D. Penetration

20. When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:
A. not be concerned since there may be other compensating controls to mitigate the risks.
B. ensure that overrides are automatically logged and subject to review.
C. verify whether all such overrides are referred to senior management for approval.
D. recommend that overrides not be permitted.

21. Capacity monitoring software is mainly used to ensure:
A. maximum use of available capacity.
B. that future acquisitions meet user needs.
C. concurrent use by a large number of users.
D. continuity of efficient operations.

22. Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the most serious?
A. Sensitive data can be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies can be printed.
D. Output can be lost in the event of system failure.

23. The database administrator has decided to disable certain normalization controls in the database management system (DBMS) software to provide users with increased query performance. This will most likely increase the risk of:
A. loss of audit trails.
B. redundancy of data.
C. loss of data integrity.
D. unauthorized access to data.

24. An IS auditor evaluating the resilience of a high-availability network should be most concerned if:
A. the setup is geographically dispersed.
B. the network servers are clustered in a site.
C. a hot site is ready for activation.
D. diverse routing is implemented for the network.

25. When reviewing a service level agreement for an outsourced computer center, an IS auditor should first determine that:
A. the cost proposed for the services is reasonable.
B. security mechanisms are specified in the agreement.
C. the services in the agreement are based on an analysis of business needs.
D. audit access to the computer center is allowed under the agreement.

26. An IS auditor should recommend the use of library control software to provide reasonable assurance that:
A. program changes have been authorized.
B. only thoroughly tested programs are released.
C. modified programs are automatically moved to production.
D. source and executable code integrity is maintained.

27. Which of the following provides the best method for determining the level of performance provided by similar information-processing-facility environments?
A. User satisfaction
B. Goal accomplishment
C. Benchmarking
D. Capacity and growth planning

28. Which of the following satisfies a two-factor user authentication?
A. Iris scanning plus fingerprint scanning
B. Terminal ID plus global positioning system
C. A smart card requiring the user's PIN
D. User ID along with password

29. Naming conventions for system resources are important for access control because they:
A. ensure that resource names are not ambiguous.
B. reduce the number of rules required to adequately protect resources.
C. ensure that user access to resources is clearly and uniquely identified.
D. ensure that internationally recognized names are used to protect resources.

30. Which of the following would most effectively reduce social engineering incidents?
A. Security awareness training
B. Increased physical security measures
C. E-mail monitoring policy
D. Intrusion detection systems

31. To protect a VoIP infrastructure against a denial-of-service attack, it is most important to secure the:
A. access control servers.
B. session border controllers.
C. backbone gateways.
D. intrusion detection system.

32. Which of the following acts as a decoy to detect active Internet attacks?
A. Honeypots
B. Firewalls
C. Trapdoors
D. Traffic analysis

33. Which of the following best provides access control to payroll data being processed on a local server?
A. Logging access to personal information
B. Using separate passwords for sensitive transactions
C. Using software that restricts access rules to authorized staff
D. Restricting system access to business hours

34. Which of the following is the most effective anti-virus control?
A. Scanning e-mail attachments on the mail server
B. Restoring systems from clean copies
C. Disabling floppy drives
D. An online antivirus scan with up-to-date virus definitions

35. An IS auditor reviewing the log of failed logon attempts would be most concerned if which of the following accounts was targeted?
A. Network administrator
B. System administrator
C. Data administrator
D. Database administrator

36. An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the most serious?
A. The security officer also serves as the database administrator.
B. Password controls are not administered over the client-server environment.
C. There is no business continuity plan for the mainframe system's noncritical applications.
D. Most local area networks do not back up file-server-fixed disks regularly.

37. A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the OS prompt or as one menu option in an application. The best control to mitigate the risk of unauthorized manipulation of data is to:
A. delete the utility software and install it as and when required.
B. provide access to the utility on a need-to-use basis.
C. provide access to the utility to user management.
D. define access so that the utility can be executed only in the menu option.

38. An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
A. maximum unauthorized access would be possible if a password is disclosed.
B. user access rights would be restricted by the additional security parameters.
C. the security administrator's workload would increase.
D. user access rights would be increased.

39. An element of an information security program is the monitoring, detection and prevention of hacking activities and alerting the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?
A. Intrusion detection systems
B. Firewalls
C. Routers
D. Proxy servers

40. To address a maintenance problem, a vendor needs remote access to a critical network. The most secure and effective solution is to provide the vendor with a:
A. secure shell (SSH-2) tunnel for the duration of the problem.
B. two-factor authentication mechanism for network access.
C. dial-in access.
D. virtual private network (VPN) account for the duration of the vendor support contract.

41. Which of the following concerns about the security of an electronic message would be addressed by digital signatures?
A. Unauthorized reading
B. Theft
C. Unauthorized copying
D. Alteration

42. Which of the following would be most appropriate to ensure the confidentiality of transactions initiated via the Internet?
A. Digital signature
B. Data encryption standard
C. Virtual private network
D. Public key encryption

43. To prevent IP spoofing attacks, a firewall should be configured to drop a packet if:
A. the source routing field is enabled.
B. it has a broadcast address in the destination field.
C. a reset flag (RST) is turned on for the TCP connection.
D. dynamic routing is used instead of static routing.

44. In the event of a data center disaster, which of the following would be the most appropriate strategy to enable complete recovery of a critical database?
A. Daily data backup to tape and storage at a remote site
B. Real-time replication to a remote site
C. Hard disk mirroring to a local server
D. Real-time data backup to the local storage area network (SAN)

45. A primary objective of testing a business continuity plan (BCP) is to:
A. familiarize employees with the BCP.
B. ensure that all residual risks are addressed.
C. exercise all possible disaster scenarios.
D. identify limitations of the BCP.

46. A structured walk-through test of a disaste
