Domain 2 (CISA Review Questions, Answers & Explanations Manual, 12th Edition | Print | English)
39 To support an organization's goals, an IT department should have:
A. A low-cost philosophy.
B. Long- and short-term plans.
C. Leading-edge technology.
D. Plans to acquire new hardware and software. - -B is the correct answer.
Justification:
A. A low-cost philosophy is one objective, but more important is the cost-benefit and the relation of IT investment cost to business strategy.
B. To ensure its contribution to the realization of an organization's overall goals, the IT department should have long- and short-range plans that are consistent with the organization's broader and strategic plans for attaining its goals.
C. Leading-edge technology is an objective, but IT plans would be needed to ensure that those plans are aligned with organizational goals.
D. Plans to acquire new hardware and software could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals.
- A2-10 An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
A. Verify how the organization complies with the standards.
B. Identify and report the existing controls.
C. Review the metrics for quality evaluation.
D. Request all standards adopted by the organization. - -D is the correct answer.
Justification:
A. The auditor needs to know what standards the organization has adopted and then measure compliance with those standards. Determining how the organization follows the standards is secondary to knowing what the standards are. The other items listed (verifying how well standards are being followed, identifying relevant controls and reviewing the quality metrics) are secondary to the identification of standards.
B. The first step is to know the standards and what policies and procedures are mandated for the organization, then to document the controls and measure compliance.
C. The metrics cannot be reviewed until the auditor has a copy of the standards that describe or require the metrics.
D. Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows its own standards cannot be performed until the IS auditor has determined what standards exist.
- A2-100 A small organization has only one database administrator
(DBA) and one system administrator. The DBA has root access to the UNIX
server, which hosts the database application. How should segregation of
duties be enforced in this scenario?
A. Hire a second DBA and split the duties between the two individuals.
B. Remove the DBA's root access on all UNIX servers.
C. Ensure that all actions of the DBA are logged and that all logs are
backed up to tape.
D. Ensure that database logs are forwarded to a UNIX server where the DBA does not have root access. - -D is the correct answer.
Justification:
A. Hiring additional staff is a costly way to ensure segregation of duties.
B. The database administrator (DBA) needs root access to the database servers to install upgrades or patches.
C. The administrator can modify or erase logs prior to the tape backup event.
D. By creating logs that the DBA cannot erase or modify, segregation of duties is enforced.
- A2-101 Which of the following user profiles should be of MOST concern
to an IS auditor when performing an audit of an electronic funds transfer
system?
A. Three users with the ability to capture and verify their own messages
B. Five users with the ability to capture and send their own messages
C. Five users with the ability to verify other users and to send their own
messages
D. Three users with the ability to capture and verify the messages of other users and to send their own messages - -A is the correct answer.
Justification:
A. The ability of one individual to capture and verify their own messages
represents an inadequate segregation because messages can be taken as
correct and as if they had already been verified. The verification of
messages should not be allowed by the person who sent the message.
B. Users may have the ability to send messages but should not be able to
verify their own messages.
C. This is an example of separation of duties. A person can send their own
message but only verify the messages of other users.
D. The ability to capture and verify the messages of others but only send their own messages is acceptable.
- A2-102 Which of the following does an IS auditor FIRST reference when
performing an IS audit?
A. Implemented procedures
B. Approved policies
C. Internal standards
D. Documented practices - -B is the correct answer.
Justification:
A. Procedures are implemented in accordance with policy.
B. Policies are high-level documents that represent the corporate philosophy of an organization. Internal standards, procedures and practices are subordinate to policy.
C. Standards are subordinate to policy.
D. Practices are subordinate to policy.
- A2-103 An enterprise selected a vendor to develop and implement a
new software system. To ensure that the enterprise's investment in
software is protected, which of the following security clauses is MOST
important to include in the master services agreement?
A. Limitation of liability
B. Service level requirements
C. Software escrow
D. Version control - -C is the correct answer.
Justification:
A. A limitation of liability clause protects the financial exposure of the organization but not its software investment.
B. Service level requirements specify financial penalties for not meeting standards, but these do not address issues of vendor insolvency.
C. Software escrow clauses in a contract ensure that the software source code will still be available to the organization in the event of a vendor issue, such as insolvency and copyright issues.
D. Version control is related to the software development life cycle and not the software investment.
- A2-104 When implementing an IT governance framework in an organization, the MOST important objective is:
A. IT alignment with the business
B. Accountability
C. Value realization with IT
D. Enhancing the return on IT investments - -A is the correct answer.
Justification:
A. The goals of IT governance are to improve IT performance, deliver
optimum business value and ensure regulatory compliance. The key
practice in support of these goals is the strategic alignment of IT with the
business. To achieve alignment, all other choices need to be tied to
business practices and strategies.
B. Accountability is important, but the most important objective of IT governance is to ensure that IT investment and oversight is aligned with business requirements.
C. IT must demonstrate value to the organization, but this value is
dependent on the ability of IT to align with, and support, business
requirements.
D. Enhancing return is a requirement of the IT governance framework, but
this requirement is only demonstrated through aligning IT with business
requirements.
- A2-105 An IS auditor is reviewing an IT security risk management
program. Measures of security risk should:
A. address all of the network risk.
B. be tracked over time against the IT strategic plan.
C. consider the entire IT environment.
D. Result in the identification of vulnerability tolerances. - -C is the correct answer.
Justification:
A. Measures of security risk should not be limited to network risk, but
rather focus on those areas with the highest criticality so as to achieve
maximum risk reduction at the lowest possible cost.
B. IT strategic plans are not granular enough to provide appropriate
measures. Objective metrics must be tracked over time against
measurable goals; thus, the management of risk is enhanced by
comparing today's results against results from last week, last month and
last quarter. Risk measures will profile assets on a network to objectively
measure vulnerability risk.
C. When assessing IT security risk, it is important to consider the entire IT
environment.
D. Measures of security risk do not identify tolerances.
- A2-106 The ultimate purpose of IT governance is to:
A. encourage optimal use of IT.
B. reduce IT costs.
C. decentralize IT resources across the organization.
D. centralize control of IT. - -A is the correct answer.
Justification:
A. IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.
B. Reducing IT costs may not be the best IT governance outcome for an enterprise.
C. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment.
D. Centralizing control of IT is not always desired. An example of where it might be desired is an enterprise wanting a single point of customer contact.