Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?
A. Align service level agreements (SLAs) with current needs.
B. Monitor customer satisfaction with the change.
C. Minimize costs related to the third-party agreement.
D. Ensure right to audit is included within the contract.
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?
A. Reconciliation of total amounts by project
B. Validity checks, preventing entry of character data
C. Reasonableness checks for each cost type
D. Display back of project detail after entry
Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?
A. Audit charter
B. IT steering committee
C. Information security policy
D. Audit best practices
An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?
A. There is a reconciliation process between the spreadsheet and the finance system
B. A separate copy of the spreadsheet is routinely backed up
C. The spreadsheet is locked down to avoid inadvertent changes
D. Access to the spreadsheet is given only to those who require access
Which of the following is a PRIMARY responsibility of an IT steering committee?
A. Prioritizing IT projects in accordance with business requirements
B. Reviewing periodic IT risk assessments
C. Validating and monitoring the skill sets of IT department staff
D. Establishing IT budgets for the business
Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
A. Review a report of security rights in the system.
B. Observe the performance of business processes.
C. Develop a process to identify authorization conflicts.
D. Examine recent system access rights violations.
An IS auditor has completed an audit on the organization's IT strategic planning process. Which of the following findings should be given the HIGHEST priority?
A. The IT strategic plan was completed prior to the formulation of the business strategic plan
B. Assumptions in the IT strategic plan have not been communicated to business stakeholders
C. The IT strategic plan was formulated based on the current IT capabilities
D. The IT strategic plan does not include resource requirements for implementation
A recent audit has identified that security controls required by the organization's policies have not been implemented for a particular application. What should the information security manager do NEXT to address this issue?
A. Deny access to the application until the issue is resolved.
B. Discuss the issue with data custodians to determine the reason for the exception.
C. Report the issue to senior management and request funding to fix the issue.
D. Discuss the issue with data owners to determine the reason for the exception.
Which of the following is MOST important to include in a contract with a critical service provider to help ensure alignment with the organization's information security program?
A. Escalation paths
B. Right-to-audit clause
C. Termination language
D. Key performance indicators (KPIs)
An organization wants to test business continuity using a scenario in which there are many remote workers trying to access production data at the same time. Which of the following is the BEST testing method in this situation?
A. Application failover testing.
B. Network stress testing.
C. Alternate site testing.
D. Network penetration testing.
An IS auditor can BEST help management fulfill risk management responsibilities by:
A. highlighting specific risks not being addressed.
B. ensuring the roles for managing IT risk are defined.
C. developing an IT risk management framework.
D. adopting a mechanism for reporting issues.
A message is being sent with a hash. The risk of an attacker changing the message and generating an authentic hash value can be mitigated by:
A. requiring the recipient to use a different hash algorithm.
B. generating hash output that is the same size as the original message.
C. using a secret key in conjunction with the hash algorithm.
D. using the sender's public key to encrypt the message.
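The question above turns on the difference between an unkeyed hash and a keyed one. An attacker who can change the message can also recompute a plain SHA-256 digest over the altered message, so the digest alone proves nothing about who sent it; a message authentication code such as HMAC binds the digest to a secret the attacker does not hold. The following is an added illustration, not part of the original question set; the message bytes and the randomly generated key are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample traffic for the demonstration (not from the original page).
MESSAGE = b"transfer 100.00 to account 12345"
TAMPERED = b"transfer 900.00 to account 12345"


def plain_hash(message: bytes) -> str:
    """Unkeyed SHA-256 digest: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: producing a valid tag requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time (avoids timing leaks)."""
    return hmac.compare_digest(keyed_tag(key, message), tag)


def recipient_accepts_plain(message: bytes, digest: str) -> bool:
    """Recipient who only checks an unkeyed hash over the received message."""
    return plain_hash(message) == digest


def demo() -> dict:
    """Run both scenarios and report which forgeries the recipient accepts."""
    # Shared secret, assumed to have been exchanged out of band between the parties.
    key = os.urandom(32)

    # Scenario 1: unkeyed hash. The attacker replaces the message and simply
    # attaches a fresh digest of the altered message; the recipient cannot tell.
    forged_digest = plain_hash(TAMPERED)
    plain_forgery_accepted = recipient_accepts_plain(TAMPERED, forged_digest)

    # Scenario 2: keyed hash (HMAC). The sender tags the genuine message.
    tag = keyed_tag(key, MESSAGE)
    genuine_accepted = verify_tag(key, MESSAGE, tag)

    # The attacker alters the message but reuses the original tag...
    reused_tag_accepted = verify_tag(key, TAMPERED, tag)

    # ...or computes a tag under a key of their own choosing, since they lack the real one.
    attacker_tag = keyed_tag(os.urandom(32), TAMPERED)
    guessed_key_accepted = verify_tag(key, TAMPERED, attacker_tag)

    return {
        "plain_forgery_accepted": plain_forgery_accepted,
        "genuine_accepted": genuine_accepted,
        "reused_tag_accepted": reused_tag_accepted,
        "guessed_key_accepted": guessed_key_accepted,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The unkeyed forgery is accepted every time, while both keyed forgeries are rejected; only the genuine message with its HMAC passes. Encrypting the message under the sender's public key (option D) would not help either, since the public key is by definition available to anyone, including the attacker.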
To address issues related to privileged users identified in an IS audit, management implemented a security information and event management (SIEM) system. Which type of control .........
A. Directive
B. Corrective
C. Preventive
D. Detective
When deploying an application that was created using the programming language and tools supported by the cloud provider, the MOST appropriate cloud computing model for an organization to adopt is:
A. Platform as a Service (PaaS).
B. Software as a Service (SaaS).
C. Infrastructure as a Service (IaaS).
D. Identity as a Service (IDaaS).
An organization outsourced its IS functions. To meet its responsibility for disaster recovery, the organization should:
A. discontinue maintenance of the disaster recovery plan (DRP).
B. coordinate disaster recovery administration with the outsourcing vendor.
C. delegate evaluation of disaster recovery to a third party.
D. delegate evaluation of disaster recovery to internal audit.