CISA Exam Questions (401 - 500) with Verified Answers
An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform?
Select an answer:
A. Program output testing
B. System configuration
C. Program logic specification
D. Performance tuning
CORRECT ANSWER: A.
A. A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user.
B. System configuration is usually too technical to be accomplished by a user and this situation could create security issues. This could introduce a segregation of duties issue.
C. Program logic specification is a very technical task that is normally performed by a programmer. This could introduce a segregation of duties issue.
D. Performance tuning also requires high levels of technical skill and will not be effectively accomplished by a user. This could introduce a segregation of duties issue.
An IS auditor is reviewing system development for a health care organization with two application environments—production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation?
Select an answer:
A. The test environment may not have adequate controls to ensure data accuracy.
B. The test environment may produce inaccurate results due to use of production data.
C. Hardware in the test environment may not be identical to the production environment.
D. The test environment may not have adequate access controls implemented to ensure data confidentiality.
CORRECT ANSWER: D.
A. The accuracy of data used in the test environment is not of significant concern as long as these data are representative of the production environment.
B. Using production data in the test environment would not cause test results to be inaccurate. If anything, using production data would improve the accuracy of testing processes because the data would most closely mirror the production environment. In spite of that fact, the risk of data disclosure or unauthorized access in the test environment is still significant and, as a result, production data should not be used in the test environment. This is especially important in a health care organization where patient data confidentiality is critical and privacy laws in many countries impose strict penalties on misuse of these data.
C. Hardware in the test environment should mirror the production environment to ensure that testing is reliable. However, this does not relate to the risk from using live data in a test environment. This is not the correct answer because it does not relate to the risk presented in the scenario.
D. In many cases, the test environment is not configured with the same access controls that are enabled in the production environment. For example, programmers may have privileged access to the test environment (for testing), but not to the production environment. If the test environment does not have adequate access control, the production data are subject to risk of unauthorized access and/or data disclosure. This is the most significant risk of the choices listed.
The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning (ERP) system. As the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy?
Select an answer:
A. Significant cost savings over other testing approaches
B. Assurance that new, faster hardware is compatible with the new system
C. Assurance that the new system meets functional requirements
D. Increased resiliency during the parallel processing time
CORRECT ANSWER: C.
A. Parallel operation provides a high level of assurance that the new system functions properly compared to the old system. Parallel operation is generally expensive and would not provide a cost savings over most other testing approaches. In many cases, parallel operation is the most expensive form of system testing due to the need for dual data entry, dual sets of hardware, dual maintenance and dual backups—it is twice the amount of work as running a production system and, therefore, costs more time and money.
B. Hardware compatibility should be determined and tested much earlier in the conversion project and is not an advantage of parallel operation. Compatibility is generally determined based on the application's published specifications and on system testing in a lab environment. Parallel operation is designed to test the application's effectiveness and integrity of application data, not hardware compatibility. In general, hardware compatibility relates more to the operating system level than to a particular application. While new hardware in a system conversion must be tested under a real production load, this can be done without parallel systems.
C. Parallel operation is designed to provide assurance that a new system meets its functional requirements. This is the safest form of system conversion testing because, if the new system fails, the old system is still available for production use. In addition, this form of testing allows the application developers and administrators to simultaneously run operational tasks (batch jobs, backups) on both systems to ensure that the new system is reliable before unplugging the old system.
D. Increased resiliency during parallel processing is a legitimate outcome from this scenario, but the advantage it provides is temporary and minor,
What kind of software application testing is considered the final stage of testing and typically includes users outside the development team?
Select an answer:
A. Alpha testing
B. White box testing
C. Regression testing
D. Beta testing
CORRECT ANSWER: D.
A. Alpha testing is the testing stage just before beta testing. Alpha testing is typically performed by programmers and business analysts, instead of users. Alpha testing is used to identify bugs or glitches that can be fixed before beta testing begins with external users.
B. White box testing is performed much earlier in the software development life cycle than alpha or beta testing. White box testing is used to assess the effectiveness of software program logic, where test data are used to determine procedural accuracy of the programs being tested. In other words, does the program operate the way it is supposed to at a functional level? White box testing does not typically involve external users.
C. Regression testing is the process of re-running a portion of a test scenario to ensure that changes or corrections have not introduced more errors. In other words, the same tests are run after multiple successive program changes to ensure that the "fix" for one problem did not "break" another part of the program. Regression testing is not the last stage of testing and does not typically involve external users.
D. Beta testing is the final stage of testing and typically includes users outside the development area. Beta testing is a form of user acceptance testing (UAT) and generally involves a limited number of users who are external to the development effort.
During which phase of software application testing should an organization perform the testing of architectural design?
Select an answer:
A. Acceptance testing
B. System testing
C. Integration testing
D. Unit testing
CORRECT ANSWER: C.
A. Acceptance testing determines whether the solution meets the requirements of the business and is performed after system staff has completed the initial system test. This testing includes both quality assurance testing (QAT) and user acceptance testing (UAT), although not combined.
B. System testing comprises a series of tests by the test team or system maintenance staff to ensure that the modified program interacts correctly with other components. System testing references the functional requirements of the system.
C. Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure according to the design.
D. Unit testing references the detailed design of the system and uses a set of cases that focus on the control structure of the procedural design to ensure that the internal operation of the program performs according to specification.
An IS auditor is evaluating a virtual machine-based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production?
Select an answer:
A. Server configuration has been hardened appropriately.
B. Allocated physical resources are available.
C. System administrators are trained to use the virtual machine (VM) architecture.
D. The VM server is included in the disaster recovery plan (DRP).
CORRECT ANSWER: A.
A. The most important control to test in this configuration is the server configuration hardening. It is important to patch known vulnerabilities and to disable all non-required functions before production, especially when production architecture is different from development and testing architecture.
B. The greatest risk is associated with the difference between the testing and production environments. Ensuring that physical resources are available is a relatively low risk and easily addressed.
C. Virtual machines (VMs) are often used for optimizing programming and testing infrastructure. In this scenario, the development environment (VM architecture) is different from the production infrastructure (physical three-tier). Because the VMs are not related to the web application in production, there is no real requirement for the system administrators to be familiar with a virtual environment.
D. Because the VMs are only used in a development environment and not in production, it may not be necessary to include VMs in the disaster recovery plan (DRP).
Which of the following situations would increase the likelihood of fraud?
Select an answer:
A. Application programmers are implementing changes to production programs.
B. Administrators are implementing vendor patches to vendor-supplied software without following change control procedures.
C. Operations support staff members are implementing changes to batch schedules.
D. Database administrators are implementing changes to data structures.
CORRECT ANSWER: A.
A. Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data.
B. The lack of change control is a serious risk—but if the changes are only vendor-supplied patches to vendor software then the risk is minimal.
C. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data unless jobs are run in the wrong sequence.
D. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database.
The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
Select an answer:
A. rules.
B. decision trees.
C. semantic nets.
D. dataflow diagrams.
CORRECT ANSWER: B.
A. Rules refer to the expression of declarative knowledge through the use of if-then relationships.
B. Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached.
C. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes.
D. A dataflow diagram is used to map the progress of data through a system and examine logic, error handling and data management.
Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems?
Select an answer:
A. Parallel testing
B. Pilot testing
C. Interface/integration testing
D. Sociability testing
CORRECT ANSWER: D.
A. Parallel testing is the process of feeding data into two systems—the modified system and an alternate system—and comparing the results. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions. This allows a new system to be tested without affecting existing systems.
B. Pilot testing takes place first at one location and is then extended to other locations. The purpose is to see if the new system operates satisfactorily in one place before implementing it at other locations. In most cases the cutover to the new system will disable existing systems.
C. Interface/integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure. This will not test in a true production environment.
D. The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web development.
At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:
Select an answer:
A. report the error as a finding and leave further exploration to the auditee's discretion.
B. attempt to resolve the error.
C. recommend that problem resolution be escalated.
D. ignore the error because it is not possible to get objective evidence for the software error.
CORRECT ANSWER: C.
A. Recording it as a minor error and leaving it to the auditee's discretion would be inappropriate. Action should be taken before the application goes into production.
B. The IS auditor is not authorized to resolve the error.
C. When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted including escalation if necessary.
D. Neglecting the error would indicate that the IS auditor has not taken steps to further probe the issue to its logical end.
Which of the following is an implementation risk within the process of decision support systems (DSSs)?
Select an answer:
A. Management control
B. Semistructured dimensions
C. Inability to specify purpose and usage patterns
D. Changes in decision processes
CORRECT ANSWER: C.
A. Management control is not a type of risk, but a characteristic of a decision support system (DSS).
B. Semistructured dimensions are not a type of risk, but a characteristic of a DSS.
C. The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a DSS.
D. Changes in decision processes are not a type of risk, but a characteristic of a DSS.
An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?
Select an answer:
A. Pilot
B. Parallel
C. Direct cutover
D. Phased
CORRECT ANSWER: C.
A. All other alternatives are done gradually and, thus, provide greater recoverability and are less risky. A pilot implementation is the implementation of the system at a single location or region and then a rollout of the system to the rest of the organization after the application and implementation plan have been proven to work correctly at the pilot location.
B. A parallel test requires running both the old and new system in parallel for a time period. This would highlight any problems or inconsistencies between the old and new systems.
C. Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. This is the riskiest approach and may cause a significant impact on the organization.
D. A phased approach is used to implement the system in phases or sections—this minimizes the overall risk by only affecting one area at a time.
Which of the following system and data conversion strategies provides the GREATEST redundancy?
Select an answer:
A. Direct cutover
B. Pilot study
C. Phased approach
D. Parallel run
CORRECT ANSWER: D.
A. Direct cutover is actually quite risky because it does not provide for a "shake down period" nor does it provide an easy fallback option.
B. A pilot study approach is performed incrementally, making rollback procedures difficult to execute.
C. A phased approach is performed incrementally, making rollback procedures difficult to execute.
D. Parallel runs are the safest—though the most expensive—approach because both the old and new systems are run, thus incurring what might appear to be double costs.
From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is:
Select an answer:
A. a major deployment after proof of concept.
B. prototyping and a one-phase deployment.
C. a deployment plan based on sequenced phases.
D. to simulate the new infrastructure before deployment.
CORRECT ANSWER: C.
A. A major deployment would pose a higher risk of implementation failure.
B. Prototyping may reduce development failure, but a large environment will usually require a phased approach.
C. When developing a large and complex IT infrastructure, a good practice is to use a phased approach to fit the entire system together. This will provide greater assurance of quality results.
D. It is not usually feasible to simulate a large and complex IT infrastructure prior to deployment.
During the system testing phase of an application development project the IS auditor should review the:
Select an answer:
A. conceptual design specifications.
B. vendor contract.
C. error reports.
D. program change requests.
CORRECT ANSWER: C.
A. A conceptual design specification is a document prepared during the requirements definition phase. The system testing will be based on a test plan.
B. A vendor contract is prepared during a software acquisition process and may be reviewed to ensure that all the deliverables in the contract have been delivered, but the most important area of review is the error reports.
C. Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors.
D. Program change requests would be reviewed normally as a part of the postimplementation phase.
An appropriate control for ensuring the authenticity of orders received in an electronic data interchange (EDI) system application is to:
Select an answer:
A. acknowledge receipt of electronic orders with a confirmation message.
B. perform reasonableness checks on quantities ordered before filling orders.
C. verify the identity of senders and determine if orders correspond to contract terms.
D. encrypt electronic orders.
CORRECT ANSWER: C.
A. Acknowledging the receipt of electronic orders with a confirming message is good practice but will not authenticate orders from customers.
B. Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the company's orders, not the authenticity of its customers' orders.
C. An electronic data interchange (EDI) system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern.
D. Encrypting sensitive messages is an appropriate step but does not prove authenticity of messages received.
A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?
Select an answer:
A. IS auditor
B. Database administrator
C. Project manager
D. Data owner
CORRECT ANSWER: D.
A. An IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project.
B. A database administrator's primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data.
C. A project manager provides day-to-day management and leadership of the project but is not responsible for the accuracy and integrity of the data.
D. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing off that the data are migrated completely and accurately and are valid. An IS auditor is not responsible for reviewing and signing off on the accuracy of the converted data.
An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
Select an answer:
A. correlation of semantic characteristics of the data migrated between the two systems.
B. correlation of arithmetic characteristics of the data migrated between the two systems.
C. correlation of functional characteristics of the processes between the two systems.
D. relative efficiency of the processes between the two systems.
CORRECT ANSWER: A.
A. Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data (structure) is the same in the new as it was in the old system.
B. Arithmetic characteristics represent aspects of data structure and internal definition in the database and, therefore, are less important than the semantic characteristics.
C. A review of the correlation of the functional characteristics between the two systems is not relevant to a data migration review.
D. A review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.
Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project?
Select an answer:
A. System owners
B. System users
C. System designers
D. System builders
CORRECT ANSWER: A.
A. System owners are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems.
B. System users are the individuals who use or are affected by the information system. Their requirements are crucial in the requirements definition, design and testing stages of a project.
C. System designers translate business requirements and constraints into technical solutions.
D. System builders construct the system based on the specifications from the systems designers. In most cases, the designers and builders are one and the same.
The MAJOR advantage of a component-based development approach is the:
Select an answer:
A. ability to manage an unrestricted variety of data types.
B. provision for modeling complex relationships.
C. capacity to meet the demands of a changing environment.
D. support of multiple development environments.
CORRECT ANSWER: D.
A. The data types must be defined within each component, and it is not certain that any component will be able to handle multiple data types.
B. Component-based development is no better than many other development methods at modeling complex relationships.
C. Component-based development is one of the methodologies that can be effective at meeting changing requirements, but this is not its primary benefit or purpose.
D. Component-based development that relies on reusable modules can increase the speed of development. Software developers can then focus on business logic.
The specific advantage of white box testing is that it:
Select an answer:
A. verifies a program can operate successfully with other parts of the system.
B. ensures a program's functional operating effectiveness without regard to the internal program structure.
C. determines procedural accuracy or conditions of a program's specific logic paths.
D. examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.
CORRECT ANSWER: C.
A. Verifying the program can operate successfully with other parts of the system is sociability testing.
B. Testing the program's functionality without knowledge of internal structures is black box testing.
C. White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths.
D. Controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring in virtual machines, is sandbox testing.
Following good practices, formal plans for implementation of new information systems are developed during the:
Select an answer:
A. development phase.
B. design phase.
C. testing phase.
D. deployment phase.
CORRECT ANSWER: B.
A. The implementation plans are updated during the development of the system, but the plans were already addressed during the design phase.
B. The method of implementation may affect the design of the system. Therefore, planning for implementation should begin well in advance of the actual implementation date. A formal implementation plan should be constructed in the design phase and revised as the development progresses.
C. The testing phase focuses on testing the system and is not concerned with implementation planning.
D. The deployment phase implements the system according to the plans set out earlier in the design phase.
The reason a certification and accreditation (C&A) process is performed on critical systems is to ensure that:
Select an answer:
A. security compliance has been technically evaluated.
B. data have been encrypted and are ready to be stored.
C. the systems have been tested to run on different platforms.
D. the systems have followed the phases of a waterfall model.
CORRECT ANSWER: A.
A. Certified and accredited systems are systems that have had their security compliance technically evaluated for running in a specific environment and configuration.
B. Certification tests security functionality, including encryption where that is required, but that is not the primary objective of the certification and accreditation (C&A) process.
C. Certified systems are evaluated to run in a specific environment.
D. A waterfall model is a software development methodology and not a reason for performing a C&A process.
An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find?
Select an answer:
A. Use of a capability maturity model (CMM)
B. Regular monitoring of task-level progress against schedule
C. Extensive use of software development tools to maximize team productivity
D. Postiteration reviews that identify lessons learned for future use in the project
CORRECT ANSWER: D.
A. The capability maturity model (CMM) places heavy emphasis on predefined formal processes and formal project management and software development deliverables, while agile software development projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics.
B. Task-level tracking is not used because daily meetings identify challenges and impediments to the project.
C. Agile projects make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance.
D. A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that the team considers and documents what worked well and what could have worked better at the end of each iteration and identifies improvements to be implemented in subsequent iterations. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from four to eight weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant.
An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make?
Select an answer:
A. Consider the feasibility of a separate user acceptance environment.
B. Schedule user testing to occur at a given time each day.
C. Implement a source code version control tool.
D. Only retest high-priority defects.
CORRECT ANSWER: A.
A. A separate environment or environments is normally necessary for testing to be efficient and effective and to ensure the integrity of production code. It is important that the development and test code bases be separate. When defects are identified they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production. This enforces a separation between development and production code. The logistics of setting up and refreshing customized test data is easier if a separate environment is maintained.
B. If developers and testers are sharing the same environment, they have to work effectively at separate times of the day. It is unlikely that this would provide optimum productivity.
C. Use of a source code control tool is a good practice, but it does not properly mitigate the lack of an appropriate test environment.
D. Even low priority fixes run the risk of introducing unintended results when combined with the rest of the system code. To prevent this, regular regression testing covering all code changes should occur. A separate test environment makes the logistics of regression testing easier to manage.
Which of the following BEST ensures the integrity of a server's operating system (OS)?
Select an answer:
A.
Protecting the server in a secure location
B.
Setting a boot password
C.
Hardening the server configuration
D.
Implementing activity logging - CORRECT ANSWER You are correct, the answer is C.
A. Protecting the server in a secure location is a good practice, but it does not ensure that a user will not try to exploit logical vulnerabilities and compromise the operating system (OS).
B. Setting a boot password is a good practice but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS.
C. Hardening a system means configuring it in the most secure manner: installing the latest security patches, properly defining access authorization for users and administrators, disabling insecure options and uninstalling unused services. The goal is to prevent nonprivileged users from gaining the ability to execute privileged instructions and take control of the entire machine, which would compromise the integrity of the OS.
D. Activity logging has two weaknesses in this scenario: it is a detective control (not a preventive one), and an attacker who has already gained privileged access can modify or disable the logs.
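Hardening is only as good as the check that confirms the secure settings are actually in force. The script below is an added example, not part of the original exam material, showing how an auditor or engineer can verify an OpenSSH server configuration against a hardening baseline: it parses sshd_config syntax, applies sshd's documented default when an option is absent (an unset option is a finding only if its default violates the baseline), and lists every deviation. The baseline values and the two sample configurations are constructed for illustration; Match blocks are deliberately skipped, which is a simplification.

```python
"""Audit an OpenSSH server configuration against a hardening baseline.

Added example for the hardening question above, not part of the original
exam material. BASELINE, DEFAULTS and the sample configurations are
constructed for illustration.
"""
from __future__ import annotations

# Baseline: option -> acceptable values (compared case-insensitively).
# These reflect common hardening guidance and are assumptions of this example.
BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
    "pubkeyauthentication": {"yes"},
    "maxauthtries": {"3", "4"},
    "loglevel": {"verbose"},
}

# sshd's defaults when an option is not set. A missing option is a finding
# only when its default is itself outside the baseline.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
    "loglevel": "info",
}

# Constructed sample: a "works out of the box" configuration.
WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# MaxAuthTries and LogLevel left at sshd defaults
"""

# Constructed sample: the same server after hardening.
HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
Match User deploy
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return {lowercased option: value} for global options.

    Comments and blank lines are skipped, 'Key value' and 'Key=value' are
    both accepted, and the first occurrence of an option wins, as in sshd.
    Everything after a Match line is conditional and is ignored here
    (simplification).
    """
    options: dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        options.setdefault(key, value)
    return options


def audit(text: str) -> list[str]:
    """Return one finding per baseline violation; an empty list means compliant."""
    opts = parse_sshd_config(text)
    findings = []
    for key, allowed in BASELINE.items():
        present = key in opts
        value = opts.get(key, DEFAULTS[key])
        if value not in allowed:
            origin = "set to" if present else "defaults to"
            findings.append(
                f"{key} {origin} '{value}', expected one of {sorted(allowed)}"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The weak configuration yields five findings, two of them for options that were never set (MaxAuthTries and LogLevel), which is the point of carrying the defaults table: "not configured" is not the same as "secure". The hardened configuration yields none; the Match block that re-enables password authentication for one user is outside the scope of this global check and would need a separate, deliberate review.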
Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?
Select an answer:
A.
Firewalls
B.
Routers
C.
Layer 2 switches
D.
Virtual local area networks (VLANs) - CORRECT ANSWER The correct answer is A.
A. Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls.
B. Routers can filter packets based on parameters such as source address, but they are not primarily a security tool.
C. Layer 2 switches forward traffic based on Media Access Control (MAC) addresses; they separate traffic without determining whether it is authorized or unauthorized.
D. A virtual local area network (VLAN) is a functionality of some switches that allows them to control traffic between different ports even though they are in the same physical local area network (LAN). Nevertheless, VLANs do not distinguish authorized from unauthorized traffic.
A company is implementing Dynamic Host Configuration Protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern?
Select an answer:
A.
Most employees use laptops.
B.
A packet filtering firewall is used.
C.
The IP address space is smaller than the number of PCs.
D.
Access to a network port is not restricted. - CORRECT ANSWER The correct answer is D.
A. Dynamic Host Configuration Protocol (DHCP) provides convenience (an advantage) to the laptop users.
B. The existence of a firewall can be a security measure.
C. A limited number of IP addresses can be handled through network address translation (NAT).
D. Given physical access to an unrestricted port, anyone can connect to the internal network, and DHCP will automatically assign the device a valid address. This would allow individuals who are not authorized to be on the corporate network to connect to it.
Which of the following line media would provide the BEST security for a telecommunication network?
Select an answer:
A.
Broadband network digital transmission
B.
Baseband network
C.
Dial-up
D.
Dedicated lines - CORRECT ANSWER You are correct, the answer is D.
A. The secure use of broadband communications is subject to whether the network is shared with other users, the data are encrypted and the risk of network interruption.
B. A baseband network is one that is usually shared with many other users and requires encryption of traffic but still may allow some traffic analysis by an attacker.
C. A dial-up line is fairly secure because it is a private connection, but it is too slow to be considered for most commercial applications today.
D. Dedicated lines are set apart for a particular user or organization. Because there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower.
When reviewing the implementation of a local area network (LAN), an IS auditor should FIRST review the:
Select an answer:
A.
node list.
B.
acceptance test report.
C.
network diagram.
D.
users list. - CORRECT ANSWER You are correct, the answer is C.
A. Verification of nodes from the node list would follow the review of the network diagram.
B. The review of the acceptance test report would follow the verification of nodes from the node list.
C. To properly review a local area network (LAN) implementation, an IS auditor should first verify the network diagram to identify risk or single points of failure.
D. The users list would be reviewed after the acceptance test report.
Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another?
Select an answer:
A.
Compare the hash total before and after the migration.
B.
Verify that the number of records is the same for both databases.
C.
Perform sample testing of the migrated account balances.
D.
Compare the control totals of all of the transactions. - CORRECT ANSWER The correct answer is C.
A. A hash total validates data integrity only at a batch level rather than at a transaction level; errors that offset each other, or values transposed between records, leave the total unchanged.
B. Databases are composed of records that can contain multiple fields. The number of records will not allow an IS auditor to ascertain whether some of these fields have been successfully migrated.
C. Performing sample testing of the migrated account balances will involve the comparison of a selection of individual transactions from the database before and after the migration.
D. Comparing the control totals does not imply that the records are complete or that individual values are accurate.
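The following is an added example, not part of the original exam material, that makes the distinction between options A, B, D and C concrete. It builds a source and a migrated copy of an accounts table in two in-memory SQLite databases (constructed data), where a hypothetical faulty field mapping has transposed the balances of two accounts. Record count, control total (sum of balances) and hash total (sum of account numbers, a field with no business meaning) all still agree between the two databases; only a row-by-row comparison of individual balances reveals the error. It also shows the caveat of sample testing: a sample that happens not to include the affected accounts finds nothing, so the sample must be chosen with that risk in mind.

```python
"""Why batch totals cannot prove that individual balances migrated correctly.

Added example for the migration question above, not part of the original
exam material. Both databases and their rows are constructed.
"""
import sqlite3

# Constructed source data: (account_id, balance in cents). Integers keep
# the totals exact.
SOURCE_ROWS = [(1001, 25_000), (1002, 7_550), (1003, 120_000),
               (1004, 3_125), (1005, 0)]

# Constructed migrated copy: the balances of 1002 and 1004 have been
# transposed by a hypothetical faulty mapping. Count, control total and
# hash total are all unchanged by this error.
TARGET_ROWS = [(1001, 25_000), (1002, 3_125), (1003, 120_000),
               (1004, 7_550), (1005, 0)]


def load(rows):
    """Create an in-memory database holding one accounts table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts ("
        "account_id INTEGER PRIMARY KEY, balance_cents INTEGER NOT NULL)"
    )
    db.executemany("INSERT INTO accounts VALUES (?, ?)", rows)
    return db


def record_count(db):
    """Option B: number of rows. Detects dropped or duplicated rows only."""
    return db.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]


def control_total(db):
    """Option D: sum of a meaningful field. Misses offsetting or transposed errors."""
    return db.execute(
        "SELECT COALESCE(SUM(balance_cents), 0) FROM accounts"
    ).fetchone()[0]


def hash_total(db):
    """Option A: sum of a field with no business meaning (account numbers).

    Detects missing or duplicated keys at batch level, nothing about values.
    """
    return db.execute(
        "SELECT COALESCE(SUM(account_id), 0) FROM accounts"
    ).fetchone()[0]


def batch_checks_agree(src, dst):
    """True when all three batch-level checks match between the databases."""
    return (record_count(src) == record_count(dst)
            and control_total(src) == control_total(dst)
            and hash_total(src) == hash_total(dst))


def compare_balances(src, dst, sample_ids=None):
    """Option C: row-level comparison of individual balances.

    Returns [(account_id, source_balance, target_balance)] for every
    mismatch among the sampled accounts; all accounts when sample_ids is
    None. A missing row on either side shows up as None.
    """
    def balances(db):
        return dict(db.execute("SELECT account_id, balance_cents FROM accounts"))

    s, d = balances(src), balances(dst)
    ids = sorted(set(s) | set(d)) if sample_ids is None else sorted(sample_ids)
    return [(i, s.get(i), d.get(i)) for i in ids if s.get(i) != d.get(i)]


if __name__ == "__main__":
    src, dst = load(SOURCE_ROWS), load(TARGET_ROWS)
    print("batch checks agree:", batch_checks_agree(src, dst))
    print("row-level mismatches (all rows):", compare_balances(src, dst))
    print("row-level mismatches (sample 1001,1003,1005):",
          compare_balances(src, dst, sample_ids=[1001, 1003, 1005]))
```

All three batch checks pass on this data, yet the full row-level comparison reports two mismatched accounts. The sample of three accounts that excludes them reports nothing, which is why, when the record volume allows it, a complete key-by-key reconciliation is preferable to sampling, and why a sample should at minimum cover high-value and high-risk accounts rather than be drawn arbitrarily.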
Due to a reorganization, a business application system will be extended to other departments. Which of the following should be of the GREATEST concern for an IS auditor?
Select an answer:
A.
Process owners have not been identified.
B.
The billing cost allocation method has not been determined.
C.
Multiple application owners exist.
D.
A training program does not exist. - CORRECT ANSWER You are correct, the answer is A.
A. When one application is expanded to multiple departments, it is important to ensure the mapping between the process owner and system functions. In the absence of a defined process owner, there may be issues in respect to monitoring or authorization controls.
B. The allocation method of application usage cost is of less importance.
C. The fact that multiple application owners exist is not a concern for an IS auditor as long as process owners have been identified.
D. The fact that a training program does not exist would only be a minor concern for the IS auditor.
Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing?