What is the MOST critical finding when reviewing an organization's information security management?

Question 1

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

A. Apply single sign-on for access control.
B. Enforce an internal data access policy.
C. Enforce the use of digital signatures.
D. Implement segregation of duties.

Question 2

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

A. Analyze whether predetermined test objectives were met.
B. Perform testing at the backup data center.
C. Test offsite backup files.
D. Evaluate participation by key personnel.

Question 3

A disaster recovery plan (DRP) should include steps for:

A. negotiating contracts with disaster planning consultants.
B. obtaining replacement supplies.
C. identifying application control requirements.
D. assessing and quantifying risk.

Question 4

When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:

A. business process supported by the system.
B. availability reports associated with the cloud-based system.
C. architecture and cloud environment of the system.
D. policies and procedures of the business area being audited.

Question 5

Which of the following is necessary for effective risk management in IT governance?

A. Risk management strategy is approved by the audit committee.
B. Risk evaluation is embedded in management processes.
C. Local managers are solely responsible for risk evaluation.
D. IT risk management is separate from corporate risk management.

Question 6

What is the MOST critical finding when reviewing an organization's information security management?

A. No periodic assessments to identify threats and vulnerabilities
B. No official charter for the information security management system
C. No employee awareness training and education program
D. No dedicated security officer

Question 7

Which of the following data would be used when performing a business impact analysis (BIA)?

A. Expected costs for recovering the business
B. Cost-benefit analysis of running the current business
C. Projected impact of current business on future business
D. Cost of regulatory compliance

Question 8

To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?

A. Develop quarterly training for each IT staff member.
B. Identify required IT skill sets that support key business processes.
C. Include strategic objectives in IT staff performance objectives.
D. Review IT staff job descriptions for alignment.

Question 9

Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

A. The system deployment was delayed by three weeks.
B. The system was over budget by 15%.
C. The system contains several minor defects.
D. The system does not have a maintenance plan.

Question 10

Which of the following is MOST important to define within a disaster recovery plan (DRP)?

A. Test results for backup data restoration
B. Roles and responsibilities for recovery team members
C. Business continuity plan (BCP)
D. A comprehensive list of disaster recovery scenarios and priorities

Question 11

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

A. Transaction log review
B. Mandatory holidays
C. User awareness training
D. Background checks

Question 12

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

A. Purchase data cleansing tools from a reputable vendor.
B. Implement business rules to reject invalid data.
C. Obtain error codes indicating failed data feeds.
D. Appoint data quality champions across the organization.

Question 13

When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled backups are timely and run to completion?

A. Evaluating the backup policies and procedures
B. Observing the execution of a daily backup run
C. Interviewing key personnel involved in the backup process
D. Reviewing a sample of system-generated backup logs
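The log-review option in the question above can be carried out mechanically. The following is an added example, not code from the original page: it parses a constructed sample of backup-job log lines and reports, per scheduled night, whether the run started inside the expected window, ended with a success status, and finished before a deadline. The log line format, the job name `nightly-full`, the schedule and the time windows are all assumptions chosen for illustration; a real review would adapt the regular expression to the backup tool's own log format.

```python
"""Added example (not from the original page): review backup logs for
timeliness and completion. Log format, job name and windows are assumed."""
import re
from datetime import datetime, date, time, timedelta

# Assumed line format: "<ISO timestamp> job=<name> event=<START|END> [status=<...>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) job=(?P<job>\S+) "
    r"event=(?P<event>START|END)(?: status=(?P<status>\S+))?$"
)

# Constructed sample: a clean night, a failed run, a late run, a run that never
# ends, and (2024-03-08) a night with no entries at all.
SAMPLE_LOG = """\
2024-03-04T01:00:12 job=nightly-full event=START
2024-03-04T03:41:50 job=nightly-full event=END status=SUCCESS
2024-03-05T01:00:09 job=nightly-full event=START
2024-03-05T01:17:33 job=nightly-full event=END status=FAILED
2024-03-06T05:48:02 job=nightly-full event=START
2024-03-06T08:02:11 job=nightly-full event=END status=SUCCESS
2024-03-07T01:00:15 job=nightly-full event=START
"""


def date_range(first, last):
    """Yield every date from first to last inclusive."""
    d = first
    while d <= last:
        yield d
        d += timedelta(days=1)


# Assumed schedule: one full backup expected every night from 4 to 8 March.
SAMPLE_SCHEDULE = list(date_range(date(2024, 3, 4), date(2024, 3, 8)))


def parse_log(text):
    """Return {date: {"start": datetime|None, "end": datetime|None, "status": str|None}}."""
    runs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not job events
        ts = datetime.fromisoformat(m["ts"])
        run = runs.setdefault(ts.date(), {"start": None, "end": None, "status": None})
        if m["event"] == "START":
            run["start"] = ts
        else:
            run["end"] = ts
            run["status"] = m["status"]
    return runs


def review_backups(text, expected_dates, window=(time(0, 30), time(2, 0)), deadline=time(6, 0)):
    """Return [(iso_date, finding), ...]; an empty list means every scheduled run was timely and complete."""
    runs = parse_log(text)
    findings = []
    for d in expected_dates:
        run = runs.get(d)
        if run is None or run["start"] is None:
            findings.append((d.isoformat(), "no run recorded"))
            continue
        if not (window[0] <= run["start"].time() <= window[1]):
            findings.append((d.isoformat(), f"started outside window at {run['start'].time()}"))
        if run["end"] is None:
            findings.append((d.isoformat(), "started but never finished"))
        elif run["status"] != "SUCCESS":
            findings.append((d.isoformat(), f"finished with status {run['status']}"))
        elif run["end"].time() > deadline:
            findings.append((d.isoformat(), f"completed late at {run['end'].time()}"))
    return findings


if __name__ == "__main__":
    for day, why in review_backups(SAMPLE_LOG, SAMPLE_SCHEDULE):
        print(day, why)
```

The check is driven by the schedule rather than by the log: a night that left no trace at all is reported as a finding, which is the case an interview or a one-off observation of a single run would never surface.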

Question 14

An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?

A. Training plans
B. Database conversion results
C. Stress testing results
D. Capacity management plan

Question 15

An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?

A. Configure users on the mobile device management (MDM) solution.
B. Conduct security awareness training.
C. Implement an acceptable use policy.
D. Create inventory records of personal devices.

Question 16

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

A. Data classification
B. Organizational policies and procedures
C. Legal and compliance requirements
D. Customer agreements

Question 17

Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?

A. Identification of organizational goals
B. Analysis of industry benchmarks
C. Implementation of a balanced scorecard
D. Analysis of quantitative benefits

Question 18

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

A. Intercepting packets and viewing passwords
B. Flooding the site with an excessive number of packets
C. Using a dictionary attack on encrypted passwords
D. Phishing

Question 19

Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

A. The design has been approved by senior management.
B. Data conversion procedures have been established.
C. Acceptance test criteria have been developed.
D. Program coding standards have been followed.

Question 20

Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?

A. Results of a risk assessment
B. Policies including BYOD acceptable use statements
C. An inventory of personal devices to be connected to the corporate network
D. Findings from prior audits

Question 21

Which of the following metrics would BEST measure the agility of an organization's IT function?

A. Percentage of staff with sufficient IT-related skills for the competency required of their roles
B. Frequency of security assessments against the most recent standards and guidelines
C. Average number of learning and training hours per IT staff member
D. Average time to turn strategic IT objectives into an agreed-upon and approved initiative

Question 22

Which of the following should an IS auditor expect to see in a network vulnerability assessment?

A. Zero-day vulnerabilities
B. Security design flaws
C. Misconfiguration and missing updates
D. Malicious software and spyware

Question 23

Which of the following is MOST important with regard to an application development acceptance test?

A. All data files are tested for valid information before conversion.
B. User management approves the test design before the test is started.
C. The programming team is involved in the testing process.
D. The quality assurance (QA) team is in charge of the testing process.

Question 24

In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

A. perform a user access review for the development team.
B. hire another person to perform migration to production.
C. implement continuous monitoring controls.
D. remove production access from the developers.

Question 25

Which of the following business continuity activities prioritizes the recovery of critical functions?

A. Risk assessment
B. Business continuity plan (BCP) testing
C. Disaster recovery plan (DRP) testing
D. Business impact analysis (BIA)

Question 26

Which of the following would BEST ensure that a backup copy is available for restoration of mission-critical data after a disaster?

A. Use both tape and disk backup systems.
B. Periodically test backups stored in a remote location.
C. Use an electronic vault for incremental backups.
D. Deploy a fully automated backup maintenance system.

Question 27

Which of the following is the PRIMARY role of the IS auditor in an organization's information classification process?

A. Securing information assets in accordance with the classification assigned
B. Ensuring classification levels align with regulatory guidelines
C. Validating that assets are protected according to assigned classification
D. Defining classification levels for information assets within the organization

Question 28

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

A. Reviewing vacation patterns
B. Interviewing senior IT management
C. Reviewing user activity logs
D. Mapping IT processes to roles

Question 29

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

A. Assurance that the new system meets performance requirements
B. Assurance that the new system meets functional requirements
C. Significant cost savings over other system implementation approaches
D. More time for users to complete training for the new system

Question 30

Which of the following BEST enables an organization to improve the visibility of end-user computing (EUC) applications that support regulatory reporting?

A. EUC tests of operational effectiveness
B. EUC access control matrix
C. EUC inventory
D. EUC availability controls

Question 31

Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD) policy to help prevent data leakage?

A. Require employees to waive privacy rights related to data on BYOD devices.
B. Require multi-factor authentication on BYOD devices.
C. Specify employee responsibilities for reporting lost or stolen BYOD devices.
D. Allow only registered BYOD devices to access the network.

Question 32

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?

A. Short key length
B. Random key generation
C. Use of symmetric encryption
D. Use of asymmetric encryption

Question 33

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?

A. Users have not been trained on the new system.
B. The business continuity plan (BCP) was not updated.
C. Mobile devices are not encrypted.
D. Users are not required to sign updated acceptable use agreements.

Question 34

Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?

A. Defining roles within the organization related to privacy
B. Analyzing risks posed by new regulations
C. Designing controls to protect personal data
D. Developing procedures to monitor the use of personal data