Certified Information Systems Auditor. Invent Your Future. Get Certified!

ISACA
With more than 75,000 members in more than 160 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance, and was founded in 1969. ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 60,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by more than 9,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.

IT Governance Institute
The IT Governance Institute (ITGI) (www.itgi.org) is a nonprofit, independent research entity that provides guidance for the global business community on issues related to the governance of IT assets. ITGI was established by the nonprofit membership association ISACA in 1998 to help ensure that IT delivers value and its risks are mitigated through alignment with enterprise objectives, IT resources are properly managed, and IT performance is measured. ITGI developed Control Objectives for Information and related Technology (COBIT) and Val IT, and offers original research and case studies to assist enterprise leaders and boards of directors in fulfilling their IT governance responsibilities.

Disclaimer
ISACA has designed and created this publication primarily as an educational resource to assist individuals preparing to take the CISA examination. It was produced independently from the CISA Certification Board, which has had no responsibility for its content. Copies of past examinations are not made public and were never made available to ISACA for this purpose. ISACA makes no warranties whatsoever with regard to these or other ISACA publications. All rights reserved.
No part of this publication may be used, copied, modified, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA.

ISBN 976 6000 047 8
CISA Review Questions, Answers & Explanations Manual 2009 Supplement
Printed in the United States of America

PREFACE
ISACA is pleased to offer the 100 questions in this CISA Review Questions, Answers & Explanations Manual 2009 Supplement. The purpose of this supplement is to provide the CISA candidate with sample questions and testing topics to help prepare and study for the CISA examination.

The material in this supplement consists of multiple-choice questions organized into the current CISA job practice content areas. These questions, answers and explanations are intended to introduce CISA candidates to the types of questions that might appear on the CISA examination. They are not actual questions from the exam. The candidate may also wish to obtain the CISA Review Questions, Answers & Explanations Manual 2008, which consists of 600 multiple-choice questions, answers and explanations, and/or the CISA Review Questions, Answers and Explanations Manual 2008 Supplement (100 questions). The candidate may also wish to access the CISA Online Review course.

ISACA wishes you success with the CISA examination. Your commitment to pursuing the leading certification for audit, assurance, security and control professionals is exemplary, and we welcome your comments and suggestions on the use and coverage of this manual. At the back of this publication, you will find a questionnaire. After the examination is over, please take a moment to complete and mail this questionnaire back to ISACA. Your observations will be invaluable as new questions, answers and explanations are prepared.

ACKNOWLEDGMENTS
This CISA Review Questions, Answers & Explanations Manual 2009 Supplement was the result of the collective efforts of many volunteers. ISACA members from throughout the world participated, generously offering their talents and expertise. This international team exhibited a spirit and selflessness that has become the hallmark of contributors to this valuable manual.
Their participation and insight are truly appreciated. Listed below are ISACA members who participated in providing or reviewing sample questions for this manual or in its review. All are deserving of our thanks and gratitude.

Sanjay Kumar Agarwala, CISA, CISM, Pune, India
Gerardo D. Alcatraz, CISA, Montevideo, Uruguay
José Roberto Alpizar Fallas, San José, Costa Rica
Sunil Bhaskar Bakshi, CISA, Pune, India
Priccila Baleazar Hernandez, CISA, Mexico City, Mexico
Mustapha Ben Mahbous, CISA, Montreal, Canada
Rajaji Chandrasekhar, CISA, Chennai, India
Ulises Castillo Hernandez, CISA, CISM, Mexico City, Mexico
Dietmar Hinkel, CISA, Germany
Oviengo Ashioya Josiah, Kenya
Mohamed Iqbal Keeka, South Africa
Michael W. Krasny, CISA, Sydney, Australia
Sree Krishna Rao, CISA, Bangalore, India
Arun Laxminarayanan, Cochin, India
Robert G. Morella, CISA, Atlanta, USA
Isaac Msiska, CISA, Member at Large, Malawi
Balakrishnan Natarajan, CISA, Silicon Valley, USA
Abraham Soka Nyirongo, CISA, CISM, Member at Large, Zambia
Maria Patricia Prandini, CISA, Buenos Aires, Argentina
S. Rajaganapathi, CISA, Bangalore, India
Angele Rodaro, CISA, Milano, Italy
Ramanathan Sankaran, CISA, Chennai, India
Polisetty Veera Subrahmanya Kumar, CISA, Chennai, India
Ganesh Ram Sundaram, Chennai, India
Hideyuki Tanaka, CGEIT, CISA, CISM, Tokyo, Japan
Johann Tello Meryk, CISA, CISM, Panama
Murali Anantha Thoota, CISA, Hudson Valley, USA
Manjunath Sridharam Venkataraman, CISA, Bangalore, India

ISACA has begun planning for the 2010 editions of the CISA study materials. Volunteer participation drives the success of these publications. If you are interested in becoming a member of a select group of professionals involved in this global project, please contact:
Elia Fernandez
Manager—Certification Study Program and Educational Development
Phone: +1.847.253.1545, ext. 5584
E-mail: efernandez@isaca.org

TABLE OF CONTENTS
ACKNOWLEDGMENTS
INTRODUCTION
TYPES OF QUESTIONS ON THE CISA EXAM
QUESTIONS, ANSWERS AND EXPLANATIONS BY AREA
AREA 1—THE IS AUDIT PROCESS
AREA 2—IT GOVERNANCE
AREA 3—SYSTEMS AND INFRASTRUCTURE LIFE CYCLE MANAGEMENT
AREA 4—IT SERVICE DELIVERY AND SUPPORT
AREA 5—PROTECTION OF INFORMATION ASSETS
AREA 6—BUSINESS CONTINUITY AND DISASTER RECOVERY
SAMPLE EXAM 30
SAMPLE EXAM ANSWER AND REFERENCE KEY 59
SAMPLE EXAM ANSWER SHEET (PRETEST)
SAMPLE EXAM ANSWER SHEET (POSTTEST)
EVALUATION
OTHER COMMENTS/SUGGESTIONS
NOTES
COMPLETE LIST OF 2009 CISA STUDY AIDS

INTRODUCTION

OVERVIEW
This supplement consists of 100 sample multiple-choice questions, answers and explanations. These questions are provided in two formats:

Questions sorted by content area. Sorted by content area and containing the number of items equivalent to the percentage of examination items, these questions are intended to provide the CISA candidate with an understanding of the type and structure of questions that have typically appeared on the examination.

Sample exam. The questions have been randomly ordered. Candidates are urged to use this sample exam and the answer sheet provided to simulate an actual examination. Many candidates use this sample exam as a pretest to determine their specific strengths or weaknesses, or as a final exam. Sample exam answer sheets have been provided for both uses. In addition, a sample exam answer/reference key is included. This sample exam has been cross-referenced to the questions, answers and explanations by area, so it is convenient to refer back to the explanations of the correct answers.

This publication is ideal to use in conjunction with the CISA Review Manual 2008, with the CISA Review Questions, Answers & Explanations Manual 2008, and with the CISA Review Questions, Answers & Explanations Manual 2008 Supplement. The CISA Review Questions, Answers & Explanations Manual 2009 Supplement has been developed to assist the CISA candidate in studying and preparing for the CISA examination. As you use this publication to prepare for the examination, please note that it covers a broad spectrum of IS audit, assurance, control and security issues.
Do not assume that reading and working the questions in this supplement will fully prepare you for the examination. Since examination questions often relate to practical experience, CISA candidates are advised to refer to their own experience and to other publications referred to in the CISA Review Manual 2009. These additional references are excellent sources of further detailed information and clarification. It is suggested that candidates evaluate the areas in which they are weak or require a refresher, and study accordingly. Also, please note that this publication has been written using standard American English.

TYPES OF QUESTIONS ON THE CISA EXAM
CISA exam questions are developed with the intent of measuring and testing practical knowledge and the application of ... As previously mentioned, all questions are multiple choice and are designed for one best answer. The candidate is cautioned to read each question carefully. Many times a CISA exam question will require the candidate to choose the appropriate answer that is MOST likely or BEST. Other times a candidate may be asked to choose a practice or procedure that would be performed FIRST related to the other choices. In every case the candidate is to read the question carefully, eliminate known wrong choices and then make the best choice possible. Knowing the types of questions asked and how to study to answer them will go a long way toward ...

Each CISA exam question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options. The stem may be in the form of a question or incomplete statement. In some instances, a scenario or description problem may also be included.
These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided. Please note that questions that require the candidate to choose one or several items from a list are no longer used on the CISA examination and should not be used as a study source.

Another condition a candidate should consider when preparing for the exam is to recognize that IS audit and control is a global profession, and individual perceptions and experiences may not reflect the more global position or circumstance. Since the exam and CISA manuals are written for the international IS audit and control community, the candidate will be required to be somewhat flexible when reading an audit or control condition that may be contrary to the candidate's experience. It should be noted that CISA exam questions are written by experienced IS audit practitioners from around the world. Each question on the exam is reviewed by ISACA's CISA Test Enhancement Committee, which consists of international members. This geographical representation ensures that all exam questions are understood equally in every country and language.

Note: ISACA review manuals are living documents. As technology advances, ISACA manuals will be updated to reflect such advances. Further updates to this document before the date of the exam may be viewed at ...

Any suggestions to enhance the materials covered herein, or suggested reference materials, should be directed to:
Mail: ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois 60008 USA
Attention: Manager, Certification Study Program and Educational Development
Phone: +1.847.253.1545, ext. 5584
Fax: +1.847.253.1443
E-mail: efernandez@isaca.org

QUESTIONS, ANSWERS AND EXPLANATIONS BY AREA

AREA 1—THE IS AUDIT PROCESS (10%)

An organization's IS audit charter should specify the:
A. short- and long-term plans for IS audit engagements.
B.
objectives and scope of IS audit engagements.
C. detailed training plan for the IS audit staff.
D. role of the IS audit function.

D
An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee. Short-term and long-term planning is the responsibility of audit management. The objectives and scope of each IS audit should be agreed to in an engagement letter. A training plan, based on the audit plan, should be developed by audit management.

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?
A. ...
B. Generalized audit software (GAS)
C. ...
D. Integrated test facility (ITF)

B
Generalized audit software (GAS) would enable the auditor to review the entire invoice file to look for those items that meet the selection criteria. Sampling would aid in identifying records meeting the criteria, but would not compare one record to another to identify duplicates. To detect duplicate invoice records, the IS auditor should check all of the items that meet the criteria and not just a sample of the items. Test data are used to verify program processing, but will not identify duplicate records. An integrated test facility (ITF) allows the IS auditor to test transactions through the production system, but would not compare records to identify duplicates.

Which of the following would be the MOST effective audit technique for identifying segregation of duties violations in a new enterprise resource planning (ERP) implementation?
A. Reviewing a report of security rights in the system
B. Reviewing the complexities of authorization objects
C. Building a program to identify conflicts in authorization
D. Examining recent access rights violation cases

C
Since the objective is to identify violations in segregation of duties, it is necessary to define the logic that will identify conflicts in authorization.
A program could be developed to identify these conflicts. A report of security rights in the enterprise resource planning (ERP) system would be time consuming to review; therefore, this technique is not as effective as building a program. As complexities increase, it becomes more difficult to verify the effectiveness of the systems, and complexity is not, in itself, a link to segregation of duties. It is good practice to review recent access rights violation cases; however, it may require a significant amount of time to truly identify which violations actually resulted from an inappropriate segregation of duties.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review

B
Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. It is unlikely that the system log analysis would provide information about the modification of programs. Forensic analysis is a specialized technique for criminal investigation. An analytical review assesses the general control environment of an organization.

Which of the following is the key benefit of control self-assessment (CSA)?
A. Management ownership of the internal controls supporting business objectives is reinforced.
B. Audit expenses are reduced when the assessment results are an input to external audit work.
C. Fraud detection is improved since internal business staff are engaged in testing controls.
D. Internal auditors can shift to a consultative approach by using the results of the assessment.

A
The objective of control self-assessment is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance. Reducing audit expenses is not a key benefit of control self-assessment (CSA). Improved fraud detection is important, but not as important as ownership, and is not a principal objective of CSA.
CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?
A. Recommend redesigning the change management process.
B. Gain more assurance on the findings through root cause analysis.
C. Recommend that program migration be stopped until the change process is documented.
D. Document the finding and present it to management.

B
A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain more assurance on the findings ...

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?
A. Dumping the memory content to a file
B. Generating disk images of the compromised system
C. Rebooting the system
D. ...

An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:
A. decline the assignment.
B. inform management of the possible conflict of interest after completing the audit assignment.
C. inform the business continuity planning (BCP) team of the possible conflict of interest prior to beginning the assignment.
D. communicate the possibility of conflict of interest to management prior to starting the assignment.

D
Communicating the possibility of a conflict of interest to management prior to starting the assignment is the correct answer. A possible conflict of interest, likely to affect the auditor's independence, should be brought to the attention of management prior to starting the assignment. Declining the assignment is not the correct answer because the assignment could be accepted after obtaining management approval.
Informing management of the possible conflict of interest after completion of the audit assignment is not correct because approval should be obtained prior to commencement and not after the completion of the assignment. Informing the business continuity planning (BCP) team of the possible conflict of interest prior to starting the assignment is not the correct answer since the BCP team would not have the authority to decide on this issue.

The PRIMARY purpose of an IT forensic audit is:
A. to participate in investigations related to corporate fraud.
B. the systematic collection of evidence after a system irregularity.
C. to assess the correctness of an organization's financial statements.
D. to determine that there has been criminal activity.

B
Choice B describes a forensic audit. The evidence collected could then be used in judicial proceedings. Forensic audits are not limited to corporate fraud. Assessing the correctness of an organization's financial statements is not the purpose of a forensic audit. Drawing a conclusion as to criminal activity is not the objective of a forensic audit.

An IS auditor is performing an audit of a remotely managed server backup. The IS auditor reviews the logs and finds one case where logging on a server has failed with the result that backup restarts cannot be confirmed. What should the auditor do?
A. Issue an audit finding
B. Seek an explanation from IS management
C. Review the classifications of data held on the server
D. Expand the sample of logs reviewed

D
Audit standards require that an IS auditor gather sufficient and appropriate audit evidence. The auditor has found a potential problem and now needs to determine if this is an isolated incident or a systematic control failure. At this stage it is too preliminary to issue an audit finding, and seeking an explanation from management is advisable, but it would be better to gather additional evidence to properly evaluate the seriousness of the situation. A backup failure, which has not been established at this point, will be serious if it involves critical data.
However, the issue is not the importance of the data on the server where a backup failure has been detected, but whether a systematic control failure that impacts critical data exists.

AREA 2—IT GOVERNANCE (15%)

Which of the following is normally a responsibility of the chief security officer (CSO)?
A. Periodically reviewing and evaluating the security policy
B. Executing user application and software testing and evaluation
C. Granting and revoking user access to IT resources
D. Approving access to data and applications

A
The role of a chief security officer (CSO) is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the company assets, including data, programs and equipment. User application and other software testing and evaluation normally are the responsibility of the staff assigned to development and maintenance. Granting and revoking access to IT resources is usually a function of network or database administrators. Approval of access to data and applications is the duty of the data owner.

When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the:
A. establishment of a review board.
B. creation of a security unit.
C. effective support of an executive sponsor.
D. ...

C
The executive sponsor would be in charge of supporting the organization's strategic security program, and would aid in directing the organization's overall security management activities. Therefore, support by the executive level of management is the most critical success factor (CSF). None of the other choices are effective without visible sponsorship of top management.

When reviewing an organization's strategic IT plan, an IS auditor should expect to find:
A. an assessment of the fit of the organization's application portfolio with business objectives.
B. actions to reduce hardware procurement cost.
C. a listing of approved suppliers of IT contract resources.
D. a description of the technical architecture for the organization's network perimeter security.

A
An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process.
This assesses how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc., can support the business objectives. Operational efficiency initiatives belong to tactical planning, not strategic planning. The purpose of an IT strategic plan is to set out how IT will support an organization's business objectives. A listing of approved suppliers of IT contract resources is a tactical rather than a strategic concern. An IT strategic plan would not normally include detail on a specific technical architecture.

... should be executed FIRST? ... A security policy communicates a coherent security standard to users. ... the next stage in terms of what tools and procedures are needed ... only after defining a security policy.

An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of termination. The IS auditor should:
A. report that the control is operating effectively since deactivation happens within the time frame stated in the IS policy.
B. verify that user access rights have been granted on a need-to-have basis.
C. recommend changes to the IS policy to ensure deactivation of user IDs upon termination.
D. recommend that terminated users be reviewed on a regular basis.

C
Although a policy provides a reference for performing IS audit assignments, an IS auditor still needs to evaluate the appropriateness of the policy. If, in the opinion of the auditor, the policy is not appropriate, the auditor should communicate this to management. Even though the deactivation happens as stated in the policy, it cannot be concluded that the control is effective. Best practice would require that the ID of a terminated user be deactivated immediately. Verifying that access rights have been granted on a need-to-have basis is necessary when permissions are granted. Recommending that terminated users be reviewed on a regular basis is a good practice, but not as effective as deactivation upon termination.

Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?
A. Define a balanced scorecard (BSC) for measuring performance
B. Consider user satisfaction in the key performance indicators (KPIs)
C. Select projects according to business benefits and risks
D.
Modify the yearly process of defining the project portfolio

C
Prioritization of projects on the basis of their expected benefit(s) to business, and the related risks, is the best measure for achieving alignment of the project portfolio to an organization's strategic priorities. Modifying the yearly process of the projects portfolio definition might improve the situation, but only if the portfolio definition process is currently not tied to the definition of corporate strategies; however, this is unlikely since the difficulties are in maintaining the alignment, and not in setting it up initially. Measures such as balanced scorecard (BSC) and key performance indicators (KPIs) are helpful, but they do not guarantee that the projects are aligned with business strategy.

The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
A. alignment of the IT activities with IS audit recommendations.
B. enforcement of the management of security risks.
C. implementation of the chief information security officer's (CISO) recommendations.
D. reduction of the cost for IT security.

B
The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risks. Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit. The cost of IT security may or may not be reduced.

An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on an employee's desk was removed and put in the garbage by the outsourced cleaning staff. Which of the following should the IS auditor recommend to management?
A. Stricter controls should be implemented by both the organization and the cleaning agency.
B. No action is required since such incidents have not occurred in the past.
C. A clear desk policy should be implemented and strictly enforced in the organization.
D. A sound backup policy for all important office documents should be implemented.
A
An important document left on a desk and the cleaning staff removing it may result in a leakage of information. The IS auditor should recommend that strict controls be implemented by both the organization and the outsourced cleaning agency. That such incidents have not occurred in the past does not reduce the seriousness of their impact. Implementing and monitoring a clear desk policy addresses only one part of the issue. Appropriate confidentiality agreements with the cleaning agency, along with ensuring that the cleaning staff has been educated on the dos and don'ts of the cleaning process, are controls that should be implemented. The risk here is not a loss of data, but leakage of data to unauthorized sources. A backup policy does not address the issue of unauthorized leakage of information.

An IS auditor is reviewing a project to implement a payment system between a parent bank and a subsidiary. The IS auditor should FIRST verify that the:
A. technical platforms between the two companies are interoperable.
B. parent bank is authorized to serve as a service provider.
C. security features are in place to segregate subsidiary trades.
D. subsidiary can join as a co-owner of this payment system.

B
Even between parent and subsidiary companies, contractual agreement(s) should be in place to conduct shared services. This is particularly important in highly regulated organizations such as banks. Unless granted to serve as a service provider, it may not be legal for the bank to extend business to the subsidiary companies. Technical aspects should always be considered; however, this can be done after confirming that the parent bank can serve as a service provider. Security aspects of this implementation should be considered after confirming that the parent bank can serve as a service provider. Ownership of the payment system is not as important as the legal authorization to provide the service.

An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and the vendor should be the provisions for:
A. documentation of staff background checks.
B. independent audit reports or full audit access.
C. reporting the year-to-year incremental cost reductions.
D. reporting staff
turnover, development or training.

B
When the functions of an IS department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. Although it is necessary to document the fact that background checks are performed, this is not as important as provisions for audits. Financial measures such as year-to-year incremental cost reductions are desirable to have in a service level agreement (SLA); however, cost reductions are not as important as the requirement for independent audit reports or full audit access. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but this is not as important as the requirements for independent reports or full audit access by the outsourcing organization.

An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?
A. User acceptance testing (UAT) occur for all reports before release into production
B. Organizational data governance practices be put in place
C. Standard software tools be used for report development
D. Management sign-off on requirements for new reports

B
This choice directly addresses the problem. An organizationwide approach is needed to achieve effective management of data assets. This includes enforcing standard definitions of data elements, which is part of a data governance initiative. The other choices, while sound development practices, do not address the root cause of the problem described.

Which of the following BEST supports the prioritization of new IT projects?
A. Internal control self-assessment (CSA)
B. Information systems audit
C. Investment portfolio analysis
D.
Business risk assessment

C
It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy, but will provide the rationale for terminating nonperforming IT projects. Internal control self-assessment (CSA) may highlight noncompliance to the current policy, but may not be the best source for driving the prioritization of IT projects. Like internal CSA, IS audits may provide only part of the picture for the prioritization of IT projects. Business risk analysis is part of the investment portfolio analysis but, by itself, is not the best method for prioritizing new IT projects.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:
A. meets or exceeds industry security standards.
B. agrees to be subject to external security reviews.
C. has a good market reputation for service and experience.
D. complies with security policies of the organization.

B
It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify or prove that that is the case without an independent review. Though long experience in business and a good reputation is an important factor to assess service quality, the business cannot outsource to a provider whose security control is weak.

After the merger of two organizations, multiple self-developed legacy applications from both companies are to be replaced by a new common platform. Which of the following would be the GREATEST risk?
A. Project management and progress reporting is combined in a project management office which is driven by external consultants.
B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems.
D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

B
The efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications. In postmerger integration programs, it is common to form project management offices to ensure standardized and comparable information levels in the planning and reporting structures, and to centralize dependencies of project resources. The experience of external consultants can be valuable since project management practices do not require in-depth knowledge of the legacy system. This can free up resources from internal tasks. It is a good idea to first get familiar with the old systems, to understand what needs to be done and to evaluate the implications of technical decisions. In most cases, mergers result in application changes and thus in training needs as organizations and processes change to leverage the intended synergy effects of the merger.
An IS auditor finds that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?
A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle.
C. No recommendation is necessary since the current approach is appropriate for a medium-sized organization.
D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization's risk management.

D
Establishing regular meetings is the best way to identify and assess risks in a medium-sized organization, to address responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risks are usually manageable enough so that external help would not be needed. While common risks may be covered by common industry standards, they cannot address the specific situation of an organization. Individual risks will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient.

AREA 3—SYSTEMS AND INFRASTRUCTURE LIFE CYCLE MANAGEMENT (16%)

An organization is implementing an enterprise resource planning (ERP) application to meet its business objectives. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure
that it is progressing in accordance with the project plan and that it will deliver the expected results?
A. Project sponsor
B. System development project team (SDPT)
C. Project steering committee
D. User project team (UPT)

C
A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project. A system development project team (SDPT) completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The SDPT is not responsible for reviewing the progress of the project. A user project team (UPT) completes the assigned tasks, communicates effectively with the system development project team and works according to the advice of the project manager. A UPT is not responsible for reviewing the progress of the project.

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?
A.
IS auditor
D. Data owner

During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted data. However, an IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project. A database administrator's primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data. A project manager provides day-to-day management and leadership of the project, but is not responsible for the accuracy and integrity of the data.

While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the:

A. effectiveness of the QA function because it should interact between project management and user management.
B. efficiency of the QA function because it should interact with the project implementation team.
C. effectiveness of the project manager because the project manager should interact with the QA function.
D. efficiency of the project manager because the QA function will need to communicate with the project implementation team.

To be effective, the quality assurance (QA) function should be independent of project management. The QA function should not interact with the project implementation team, since this can impact its effectiveness. The project manager's interaction with the QA function should not impact the effectiveness of the project manager. The QA function does not interact with the project implementation team, which should not impact the efficiency of the project manager.

An organization is migrating from a legacy system to an enterprise resource planning (ERP) system.
While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:

A. correlation of semantic characteristics of the data migrated between the two systems.
B. correlation of arithmetic characteristics of the data migrated between the two systems.
C. correlation of functional characteristics of the processes between the two systems.
D. relative efficiency of the processes between the two systems.

Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data is the same in the new system as it was in the old system. Arithmetic characteristics represent aspects of data structure and internal definition in the database, and therefore are less important than the semantic characteristics. A review of the correlation of the functional characteristics or a review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

It would be essential to involve which of the following stakeholders in the initiation stage of a project?

A. System owners
B. System users
C. System designers
D. System builders

System owners are the information systems (project) sponsors or chief advocates. They are responsible for initiating and funding projects to develop, operate and maintain information systems. System users are the individuals who use or are affected by the information system. Their involvement is crucial in the testing stage of a project. System designers translate business requirements into technical solutions. System builders construct the system based on the specifications from the designers. In most cases, the designers and builders are one and the same.

A project manager of a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after 6 months, only one-sixth of the budget has been spent. The IS auditor should determine:

A. what amount of progress against schedule has been achieved.
B. if the project budget can be reduced.
C. if the project could be brought in ahead of schedule.
D.
if the budget savings can be applied to increase the project scope.

The cost position of a project cannot be properly assessed in isolation of schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project. To properly assess the project budget position, it is necessary to know how much progress has actually been made and, given this, what level of expenditure would be expected. It is possible that project expenditure appears to be low because actual progress has been slow. Until the analysis of project against schedule has been completed, it is impossible to know whether there is any reason to reduce budget. If the project has slipped behind schedule, then not only may there be no spare budget, but it is possible that extra expenditure may be needed to retrieve the slippage. The low expenditure could actually be representative of a situation where the project is likely to miss deadlines rather than potentially come in ahead of time. If the project is found to be ahead of budget after adjusting for actual progress, this is not necessarily a good outcome because it points to flaws in the original budgeting process and, as said above, until further analysis is undertaken, it cannot be determined whether spare funds actually exist. Further, if the project is behind schedule, then adding scope may be...

The MAJOR advantage of a component-based development approach is the:

A. ability to manage an unrestricted variety of data types.
B. provision for modeling complex relationships.
C. capacity to meet the demands of a changing environment.
D. support of multiple development environments.

Components written in one language can interact with components written in other languages or running on other machines, which can increase the speed of development. Software developers can then focus on business logic. The other choices are not the most significant advantages of a component-based development approach.

The specific advantage of white box testing is that it:

A.
verifies a program can operate successfully with other parts of the system.
B. ensures a program's functional operating effectiveness without regard to the internal program structure.
C. determines procedural accuracy or conditions of a program's specific logic paths.
D. examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.

White box testing assesses the effectiveness of software program logic, specifically determining procedural accuracy or conditions of a program's logic paths. Verifying that a program can operate successfully with other parts of the system is sociability testing. Testing a program's functionality without knowledge of internal structures is black box testing. Controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring, is sandbox testing.

...best practices, a firm plans for implementation of new ... information systems are developed:

A. development phase
B. design phase
C. testing phase
D. deployment phase

The reason a certification and accreditation process is performed on critical systems is to ensure that:

A. security compliance has been technically evaluated.
B. data have been encrypted and are ready to be stored.
C. the systems have been tested to run on different platforms.
D. the systems have followed the phases of the waterfall model.

Certified and accredited systems are systems that have had their security compliance technically evaluated for running on a specific production server. Choice B is incorrect because not all data of certified systems are encrypted. Choice C is incorrect because certified systems are evaluated to run in a specific environment.

An IS auditor is reviewing a project that is using an Agile software development approach. Which of the following should the IS auditor expect to find?

A. Use of a process-based maturity model such as the capability maturity model (CMM)
B. Regular monitoring of task-level progress against schedule
C. Extensive use of software development tools to maximize team productivity
D.
Postiteration reviews that identify lessons learned for future use in the project

A key tenet of the Agile approach to software project management is team learning and the use of team learning to refine project management and software development processes as the project progresses. A key mechanism to achieve this is that at the end of each iteration, the team considers and documents what worked well and what could have worked better, and identifies improvements to be implemented in subsequent iterations. CMM and Agile really sit at opposite poles. CMM places heavy emphasis on predefined formal processes and formal project management and software development deliverables. Agile projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ...; still, considerable performance discipline within the team is required. This, together with meetings to agree on what the team is doing and the identification of ..., makes tracking against a schedule redundant. Agile projects do make use of tools, but tools are not seen as the primary means of achieving productivity. ... and collective ability to solve challenges are of greater importance.

A manager of a project was not able to implement all audit recommendations by the target date. The IS auditor should:

A. recommend that the project be halted until the issues are resolved.
B. recommend that compensating controls be implemented.
C. evaluate risks associated with the unresolved issues.
D. recommend that the project manager reallocate test resources to resolve the issues.

It is important to evaluate what the exposure would be when audit recommendations have not been implemented by the target date. Based on the evaluation, management can accordingly consider compensating controls, risk acceptance, etc. All other choices might be appropriate only after the risks have been assessed.
Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project ...?

A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports
B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables
C. Extrapolation of the overall end date based on completed work packages and current resources
D. Calculation of the expected end date based on current resources and remaining available project budget

Completed results are a better basis than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (50-20 rule). The calculation based on remaining budget does not take into account the speed at which the project has been progressing.

In a customer relationship management (CRM) system migration project, which of the following is the MOST significant ...?

A. The ... is too short for completing all tasks.
B. Employees pilot-testing the system are concerned that the data representation in the new system is completely different from the old system.
C. Five weeks prior to the target date, there are still numerous defects in the printing functionality of the new system's software.
D. A single implementation is planned, immediately decommissioning the legacy system.

Major system migrations should include a phase of parallel operation or a phased cut-over to reduce implementation risks. Decommissioning or disposing of the old hardware would complicate any fallback strategy, should the new system not operate correctly. A weekend can be used as a time buffer so that the new system will have a better chance of being up and running after the weekend. A different data representation does not mean different data presentation at the front end. This issue can be solved by adequate training and user support.
The printing functionality is one of the last functions to be tested in a new system because it is ...

An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from developers. Which of the following would be the BEST recommendation for an IS auditor to make?

A. Consider the feasibility of a separate user acceptance environment
B. Schedule user testing to occur at a given time each day
C. Implement a source code version control tool

A separate test environment makes the logistics of testing easier. When defects are found, they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production. This provides a separation between development and production code. The logistics of setting up and refreshing customized test data are easier if a separate environment is maintained. If developers and testers share the same environment, they have to work effectively at separate times of the day. It is unlikely that this would provide optimum productivity. Use of a source code control tool is a good practice, but it does not properly mitigate the lack of an appropriate testing environment. Even low priority fixes run the risk of creating unintended results when combined with the rest of the system code. To prevent this, regression tests covering all code changes should occur.

When reviewing an organization's approved software product list, which of the following is the MOST important thing to verify?

A. The risks associated with the use of the products are periodically assessed
B. The latest version of software is listed for each product
C. Due to licensing issues the list does not contain open source software
D. After-hours support is offered

Since the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This might be best incorporated into the IT risk management process.
Choices B, C and D are possible considerations but would not be the most important.

AREA 4—IT SERVICE DELIVERY AND SUPPORT (14%)

During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?

A. Postpone the audit until the agreement is documented
B. Report the existence of the undocumented agreement to senior management
C. Confirm the content of the agreement with both departments
D. Draft a service level agreement (SLA) for the two departments

An IS auditor should first confirm and understand the current practice before making any recommendations. The agreement can be documented after it has been established that there is an agreement in place. The fact that there is not a written agreement does not justify postponing the audit, and reporting to senior management is not necessary at this stage of the audit. Drafting a service level agreement (SLA) is not the IS auditor's responsibility.

A database administrator has detected a performance problem with some tables which could be solved through denormalization. This situation will increase the risk of:

Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with the consequent loss of data integrity. Deadlocks are not caused by denormalization. Access to data is controlled by defining user rights to information, and is not affected by denormalization.

Which of the following processes should an IS auditor recommend to assist in the recording of software releases?

A. Change management
B.
Backup and recovery
Incident management

The configuration management process may include automated tools that will provide for the recording of software release baselines. Should the new release fail, the baseline will provide a point to which to return. The other choices do not provide the processes necessary for establishing software release baselines and are not related to software release baselines.

An IS auditor notes that patches for the operating system used by an organization are deployed ... as advised by the vendor. The MOST ... is:

A. the training needs for users after applying the patch.
B. any beneficial impact of the patch on the operational systems.
C. delaying deployment until testing the impact of the patch.
D. advising users of new patches.

Deploying patches without testing exposes an organization to the risk of system disruption or failure. Normally, the need for training or advising users when a new operating system patch has been installed is minimal. Any beneficial impact is less important than the risk of unavailability that could be avoided with testing.

Which of the following would be an indicator of the effectiveness of a computer security incident response team?

... of business applications that are being protected
... that were patched

The best indicator is the financial impact per security incident. Choices B, C and D could be indicators of the effectiveness of security, but would not be a measure of the effectiveness of a response team.

Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)?

A. A user from within could send a file to an unauthorized person.
B. FTP services could allow a user to download files from unauthorized sources.
C. A hacker may be able to use the FTP service to bypass the firewall.
D. FTP could significantly reduce the performance of a DMZ server.

Since file transfer protocol (FTP) is considered an insecure protocol, it should not be installed on a server in a demilitarized zone (DMZ).
FTP could allow an unauthorized user to gain access to the network. Sending files to an unauthorized person and the risk of downloading unauthorized files are not as significant as having a firewall breach. The presence of the utility does not reduce the performance of a DMZ server; therefore, performance degradation is not a threat.

The MAIN reason for requiring that all computer clocks across an organization be synchronized is to:

A. prevent omission or duplication of transactions.
B. ensure smooth data transition from client machines to servers.
C. ensure that e-mail messages have accurate time stamps.
D. support the incident investigation process.

During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them is useful. If the clocks are not synchronized, the sequence of events might not be easily established. Time-stamping ...

When reviewing the configuration of network devices, an IS auditor should FIRST identify:

A. the best practices for the type of network devices deployed.
B. whether components of the network are missing.
C. the importance of the network device in the topology.
D. whether subcomponents of the network are being used appropriately.

The first step is to understand the importance and role of the network device within the organization's network topology. After understanding the devices in the network, the best practice for using the device should be reviewed to ensure that there are no anomalies within the configuration. Identification of which components of the network are missing or being used inappropriately can only be known upon reviewing the topology and the best practice for deployment of the device in the network.

Which of the following would BEST maintain the integrity of a firewall log?

A. Granting ...
C. Writing dual logs onto separate storage media
D. Sending log information to a dedicated third-party log server

Establishing a dedicated third-party log server and logging events in it is the best procedure for maintaining the integrity of a firewall log. When access control to the log server is adequately maintained, the risk of unauthorized log modification will be mitigated,
therefore improving the integrity of log information. To enforce segregation of duties, administrators should not have access to log files. This primarily contributes to the assurance of confidentiality rather than integrity. There are many ways to capture log information: through the application layer, network layer, operating systems layer, etc.; however, there is no log integrity advantage in capturing events in the operating systems layer. If it is a highly mission-critical information system, it may be nice to run the system with a dual log mode. Having logs in two different storage devices contributes to the availability of log information, rather than to maintaining its integrity.

An IS auditor finds that client requests were processed multiple times when received from different independent departmental databases, which are synchronized weekly. What would be the BEST recommendation?

A. Increase the frequency for data replication between the different department systems to ensure timely updates
B. Centralize all request processing in one department to avoid parallel processing of the same request
C. Change the application architecture so that common data are held in just one shared database for all departments
D. Implement reconciliation controls to detect duplicates before orders are processed in the systems

Keeping the data in one place is the best way to ensure that data are stored without duplication and that all users have the same data on their systems. Although increasing the frequency of replication may help to minimize the problem, the risk of duplication cannot be eliminated completely because parallel data entry is still possible. Business requirements will most likely dictate where data processing activities are performed. Changing the business structure to solve an IT problem is not practical. Reconciliation controls would only detect, not solve, the problem of duplicate processing, and would require additional manual intervention to handle the discovered duplicates.

Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database?

A. Authentication controls
B. Data normalization controls
C. Read/write access log controls
D.
Commitment and rollback controls

Commitment and rollback controls are directly relevant to integrity. These controls ensure that database operations that form a logical transaction unit will complete in their entirety or not at all; i.e., if for some reason a transaction cannot be fully completed, then incomplete inserts/updates/deletes are rolled back so that the database returns to its pretransaction state. All other choices would not address transaction integrity.

At certain times of the day, the data warehouse query performance decreases significantly. Which of the following controls would it be relevant for the IS auditor to review?

Resource pool limits restrict the space available for running user queries. This prevents poorly formed queries from consuming excessive system resources and impacting general query performance. Limiting the space available to users in their own databases prevents them from building excessively large tables. This helps to control space utilization, which itself acts to help performance by maintaining a buffer between the actual data volume stored and the physical device capacity. Additionally, it prevents users from consuming excessive resources in ad hoc table builds (as opposed to scheduled production loads that often can run overnight and are optimized for performance purposes). In a data warehouse, since you are not running online transactions, commitment and rollback does not have an impact on performance. The other choices are not likely to be the root cause of this performance issue.

... Which of the following will BEST control the risk in this situation?

A. Approve and document the change the next business day
B. Limit developer access to production to a specific timeframe
C. Obtain secondary approval before releasing to production
D. Disable the compiler option in the production machine

It may be appropriate to allow programmers to make emergency changes as long as they are logged and approved after the fact. Restricting the release time frame may help somewhat to control emergency changes, but cannot prevent unauthorized release of the program. ... not relevant in an emergency situation.
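The commitment and rollback controls described for the online transaction processing question above can be seen concretely in a small worked example. This is an added illustration, not code from the ISACA manual: it uses Python's standard sqlite3 module, a constructed in-memory "account" table (the account names and balances are made up), and compares a funds transfer wrapped in an explicit BEGIN/COMMIT/ROLLBACK unit with the same two updates run without a transaction boundary.

```python
import sqlite3

# Constructed sample ledger for the illustration (not data from the manual).
SAMPLE_ACCOUNTS = [("alice", 100), ("bob", 50)]


def open_ledger():
    """Open an in-memory database holding a two-row account table.

    isolation_level=None puts the connection in autocommit mode, so every
    statement commits on its own unless we issue BEGIN/COMMIT ourselves.
    The CHECK constraint makes an overdraft fail at the database level.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE account ("
        "  id TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO account VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def _credit(conn, account_id, amount):
    cur = conn.execute(
        "UPDATE account SET balance = balance + ? WHERE id = ?", (amount, account_id)
    )
    if cur.rowcount != 1:
        # No such account: raise so the caller can roll the unit back.
        raise sqlite3.IntegrityError(f"unknown account {account_id!r}")


def _debit(conn, account_id, amount):
    cur = conn.execute(
        "UPDATE account SET balance = balance - ? WHERE id = ?", (amount, account_id)
    )
    if cur.rowcount != 1:
        raise sqlite3.IntegrityError(f"unknown account {account_id!r}")


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst as one logical transaction unit.

    The credit is deliberately applied first; if the debit then fails (for
    example because it would overdraw src), ROLLBACK discards the already
    applied credit and the database returns to its pretransaction state.
    Returns True on COMMIT, False on ROLLBACK.
    """
    conn.execute("BEGIN")
    try:
        _credit(conn, dst, amount)
        _debit(conn, src, amount)
        conn.execute("COMMIT")
        return True
    except sqlite3.Error:
        conn.execute("ROLLBACK")
        return False


def transfer_unsafe(conn, src, dst, amount):
    """The same two updates with no transaction boundary.

    In autocommit mode each UPDATE commits on its own, so a failed debit
    leaves the credit in place and the ledger no longer balances.
    """
    try:
        _credit(conn, dst, amount)
        _debit(conn, src, amount)
        return True
    except sqlite3.Error:
        return False


def balances(conn):
    """Current balances as a dict, for inspection and assertions."""
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))


if __name__ == "__main__":
    safe = open_ledger()
    transfer(safe, "alice", "bob", 30)    # commits: alice 70, bob 80
    transfer(safe, "alice", "bob", 500)   # overdraft: rolled back, unchanged
    print("with commit/rollback:", balances(safe))

    unsafe = open_ledger()
    transfer_unsafe(unsafe, "alice", "bob", 500)  # bob credited, alice untouched
    print("without transaction: ", balances(unsafe))
```

The credit-before-debit ordering is what makes the difference visible: in the transactional version the failed debit takes the already-written credit down with it, while in the unsafe version the total money in the ledger silently grows. An auditor reviewing an OLTP application would look for exactly this pairing of every multi-statement business operation with a single commit/rollback boundary.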
Time constraints and expanded needs have been found by an IS auditor to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make?

A. Achieve standards alignment through an increase of resources devoted to the project
B. Align the data definition standards after completion of the project
C. Delay the project until compliance with standards can be achieved
D. Enforce standard compliance by adopting punitive measures against violators

Provided that data architecture, technical, and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. The use of nonstandard data definitions would lower the efficiency of the new development, and increase the risk of errors in critical business decisions. To change data definition standards after project conclusion (choice B) is risky and is not a viable solution. On the other hand, punishing the violators (choice D) or delaying the project (choice C) would be an inappropriate suggestion because of the likely damage to the entire project profitability.

Which of the following would be the MOST significant audit finding when reviewing a point-of-sale (POS) system?

A. Invoices recorded on the POS system are manually entered into an accounting application
B. An optical scanner is not used to read bar codes for the generation of sales invoices
C. Frequent power outages occur, resulting in the manual preparation of invoices
D. Customer credit card information is stored unencrypted on the local POS system

It is important for the IS auditor to determine if any credit card information is stored on the local point-of-sale (POS) system. Any such information, if stored, should be encrypted or protected by other means to avoid the possibility of unauthorized disclosure.
Manually inputting sales invoices into the accounting application is an operational issue. If the POS system were to be interfaced with the financial accounting application, the overall efficiency could be improved. The nonavailability of optical scanners to read bar codes of the products and power outages are operational issues.

An IS auditor should expect the responsibility for authorizing access rights to production data and systems to be entrusted to the:

B. system administrators.
D. data owner.

Data owners are primarily responsible for safeguarding the data and authorizing access to production data.

What is the BEST action to prevent loss of data integrity or confidentiality in the case of an e-commerce application running on a LAN, processing electronic fund transfers (EFT) and orders?

A. Using virtual private network (VPN) tunnels for data transfer
B. Enabling data encryption within the application
C. Auditing the access control to the network
D. Logging all changes to access lists

The best way to ensure confidentiality and integrity of data is to encrypt it using virtual private network (VPN) tunnels. This is the most common and convenient way to encrypt the data travelling over the network. Data encryption within the application is less efficient than VPN. The other options are good practice, but they do not directly prevent the loss of data integrity and confidentiality during communication through a network.

When conducting a penetration test of an IT system, an organization should be MOST concerned with:

A. the confidentiality of the report.
B. finding all possible weaknesses on the system.
C. restoring all systems to the original state.
D. logging all changes made to the production system.

Which of the following penetration tests would MOST effectively evaluate incident handling and response capabilities?

A.
Targeted testing
B. External testing
D. Double-blind testing

D

In a double-blind test, the administrator and security staff are not aware of the test, which will result in an assessment of the incident handling and response capability in an organization. In targeted, external, and internal testing, the system administrator and security staff are aware of the tests since they are informed before the start of the tests.

When protecting an organization's IT systems, which of the following is normally the next line of defense after the firewall has been compromised?

Intrusion detection system (IDS)
Virtual local area network (VLAN) configuration

An intrusion detection system (IDS) would be the next line of defense after the firewall. It would detect anomalies in the network/server activity and try to detect the perpetrator. Antivirus programs, personal firewalls and VLAN configurations would be subsequent lines of defense.

An IS auditor has completed a network audit. Which of the following is the MOST significant logical security finding?

A. Network workstations are not disabled automatically after a period of inactivity.
B. Wiring closets are left unlocked.
C. Network operating manuals and documentation are not properly secured.
D. Network components are not equipped with an uninterruptible power supply.

Choice A is the only logical security finding. Network logical security controls should be in place to restrict, identify, and report authorized and unauthorized users of the network. Disabling inactive workstations restricts users of the network. Choice D is an environmental issue and choices B and C are physical security issues. Choices B, C and D should be reported to the appropriate entity.

Which of the following would MOST effectively enhance the security of a challenge-response based authentication system?

A. Selecting a more robust algorithm to generate challenge strings
B. Implementing measures to prevent session hijacking attacks
C. Increasing the frequency of associated password changes
D.
Increasing the length of authentication strings

Which of the following should an IS auditor recommend for the protection of specific sensitive information stored in the data warehouse?

A. Implement column- and row-level permissions
B. Enhance user authentication via strong passwords
C. Organize the data warehouse into subject matter-specific databases
D. ... access to the data warehouse

Choice A specifically addresses the question of sensitive data by controlling what information users can access. Column-level security prevents users from seeing one or more attributes on a table. With row-level security a certain grouping of information on a table is restricted; e.g., if a table held details of employee salaries, then a restriction could be put in place to ensure that, unless specifically authorized, users could not view the salaries of executive staff. Column- and row-level security can be achieved in a relational database by allowing users to access logical representations of data rather than physical tables. This "fine-grained" security model is likely to offer the best balance between information protection while still supporting a wide range of analytical and reporting uses. Enhancing user authentication via strong passwords is a security control that should apply to all users of the data warehouse and does not specifically address protection of sensitive data. Organizing a data warehouse into subject-specific databases is a potentially useful practice but in itself does not adequately protect sensitive data. Database-level security is normally too coarse a level to efficiently and effectively protect information. For example, one database may hold information that needs to be restricted, such as salary and customer profitability details, while other information, such as employee department, may need to be legitimately accessed by a large number of users. Organizing the data warehouse into subject matter-specific databases is similar to choice B in that this control should generally apply.
Extra effort could be devoted to reviewing access to tables with sensitive data, but this control is not sufficient without strong preventive controls as specified in choice A.

C5-10 In wireless communication, which of the following controls allows the device receiving the communications to verify that the received communications have not been altered in transit?

A. Device authentication and data origin authentication
B. Wireless intrusion detection (IDS) and prevention systems (IPS)
C. The use of cryptographic hashes
D. Packet headers and trailers

Calculating cryptographic hashes for wireless communications allows the device receiving the communications to verify that the received communications have not been altered in transit. This prevents masquerading and message modification attacks. Device authentication and data origin authentication is not the correct answer since authenticating wireless endpoints to each other prevents man-in-the-middle attacks and masquerading. Wireless IDS/IPSs is not the correct answer since wireless IDS/IPSs have the ability to detect misconfigured devices and rogue devices, and detect and possibly stop certain types of attacks. Packet headers and trailers alone do not ensure that the content has not been altered.

C5-11 An organization is planning to replace its wired networks with wireless networks. Which of the following would BEST secure the wireless network from unauthorized access?

A. Implement Wired Equivalent Privacy (WEP)
B. Permit access to only authorized Media Access Control (MAC) addresses
C. Disable open broadcast of service set identifiers (SSID)
D. Implement Wi-Fi Protected Access (WPA) 2

D

Wi-Fi Protected Access (WPA) 2 implements most of the requirements of the IEEE 802.11i standard. The Advanced Encryption Standard (AES) used in WPA2 provides better security. Also, WPA2 supports both the Extensible Authentication Protocol and the preshared secret key authentication model.
Implementing Wired Equivalent Privacy (WEP) is not correct, since it can be cracked within minutes. WEP uses a static key which has to be communicated to all authorized users, thus making management difficult. Also, there is a greater vulnerability if the static key is not changed at regular intervals. The practice of allowing access based on Media Access Control (MAC) addresses is not a solution, since MAC addresses can be spoofed by attackers to gain access to the network. Disabling open broadcast of service set identifiers (SSID) is not the correct answer, since SSIDs cannot handle access control.

C5-12 An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software:
A. is configured with an implicit deny rule as the last rule in the rule base.
B. is installed on an operating system with default settings.
C. has been configured with rules permitting or denying access to systems or networks.
D. is configured as a virtual private network (VPN) endpoint.

B  Default settings are often published and provide an intruder with predictable configuration information, which makes compromise easier. To mitigate this risk, firewall software should be installed on a system using a hardened operating system that has limited functionality, providing only the services necessary to support the firewall software. Choices A, C and D are normal or best practices for firewalls.

C5-13 The GREATEST risk posed by an improperly implemented intrusion prevention system (IPS) is:
A. that there will be too many alerts for system administrators to verify.
B. decreased network performance due to IPS traffic.
C. the blocking of critical systems or services due to false triggers.
D. reliance on specialized expertise within the IT organization.

C  An intrusion prevention system (IPS) prevents a connection or service based on how it is set to react to specific incidents.
Ifthe packets are coming from a spoofed adress and the | ‘on previously defined behavior, it may block the service oF connection of & ther choices are risks that are not as severe as blocking critical systems OF Sd eens he MOST effective control for reducing the risk related to phishing is D P vail attack that attempls to convince ss on. Phishing is attack can bes wor ts wenuine, withthe tack. Any social ugh security and awareness training ontrolled th iple of a soe 4 Augital cenificate verifiration proseee. which ofthe following Findings represents i MOST significant risk th ration authority (RA) for reporting key compromises. ¢ ata hat 1s t messages and verity digital signatures. key compromises to the cettif cA B . vst (CRL) is not current, there could be a digital certificate that is not revoked that nicer foe snaithorized ovr Fraidulent activities The certificate authority (CA can assume the no registration authority (RA). Digital certificates contaming a public key that is used figital signatures is not o risk. Subscribers reportin 2 this to the CA enab key compromises to the CA to take appropriate action ¢ an electronic identification of a person or entity Its created by using asymmetric encrypt ify integrity of data, the sender uses a cryptographic hushing algorithm against the entire message to create a message digest to be sent along with the message. Upon receipt of the message, the receiver will recompute the hash using the same algorithm and compare results with what was sent 10 censure the integrity of the message. C5-17 Which of the following would effectively verify the originator of a transaction? ‘A. 
A. Using a secret password between the originator and the receiver
B. Encrypting the transaction with the receiver's public key
C. Using a portable document format (PDF) to encapsulate transaction content
D. Digitally signing the transaction with the source's private key

D  A digital signature is an electronic identification of a person, created by using a public key algorithm, to verify to a recipient the identity of the source of a transaction and the integrity of its contents. Since they are a "shared secret" between the user and the system itself, passwords are considered a ...

C5-18 Which of the following fire suppression systems is MOST appropriate to use in a data center environment?
A. Wet-pipe sprinkler system
B. Dry-pipe sprinkler system
C. FM-200 system
D. Carbon dioxide-based fire extinguishers

C  FM-200 is safer to use than carbon dioxide. It is considered a clean agent for use in gaseous fire suppression applications. A water-based fire extinguisher is suitable when sensitive computer equipment could be damaged before the fire department personnel arrive at the site. Manual firefighting (fire extinguishers) may not provide fast enough protection for sensitive equipment (e.g., network servers).

C5-19 Which of the following physical access controls effectively reduces the risk of piggybacking?
A. Biometric door locks
B. Combination door locks
C. Deadman doors
D. Bolting door locks

C  Deadman doors use a pair of doors. For the second door to operate, the first entry door must close and lock, with only one person permitted in the holding area. This effectively reduces the risk of piggybacking. An individual's unique body features such as voice, retina, fingerprint or signature activate biometric door locks; however, they do not prevent or reduce the risk of piggybacking. Combination door locks, also known as cipher locks, use a key pad or dial to gain entry. They do not prevent or reduce the risk of piggybacking, since unauthorized individuals may still gain access to the processing center. Bolting door locks require a metal key to gain entry. Unauthorized individuals could still gain access to the processing center along with an authorized individual.

C5-20 The responsibility for authorizing access to a business application system belongs to the:
A. data owner.
B. security administrator.
C. IT security manager.
D. requestor's immediate supervisor.

A  When a business application is developed, the best practice is to assign an information or data owner to the application. The information owner should be responsible for authorizing access to the application itself or to back-end databases for queries. Choices B and C are not correct because the security administrator and the IT security manager normally do not have responsibility for authorizing access to business applications. The requestor's immediate supervisor may share the responsibility for approving user access to a business application system; however, the final responsibility should go to the information owner.

AREA 5—PROTECTION OF INFORMATION ASSETS

C5-21 A perpetrator looking to gain ... information about encrypted data being transmitted ... would use:
A. traffic analysis.
B. spoofing.
C. eavesdropping.
D. masquerading.

A  In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and, through an analysis of session length, frequency and message length, the intruder is able to guess the type of communication taking place. This typically is used when messages are encrypted and eavesdropping would not yield any meaningful results. In eavesdropping, which also is a passive attack, the intruder gathers information flowing through the network with the intent of acquiring and releasing message contents for personal analysis or for third parties. Spoofing and masquerading are active attacks. In spoofing, a user receives an e-mail that appears to have originated from one source when it actually was sent from another source. In masquerading, the intruder presents an identity other than the original identity.

C5-22 Upon receipt of the initial signed digital certificate, the user will decrypt the certificate with the public key of the:
A. registration authority (RA).
B. certificate authority (CA).
...

B  A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. As a part of the public key infrastructure, a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate.
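The digest-and-signature process described in C5-16, C5-17 and C5-22 (hash the message, sign the digest with the source's private key, recompute and compare with the public key on receipt), as an added example that is not from the manual: the signing uses a deliberately tiny textbook RSA key pair built from two Mersenne primes, an assumption for illustration only (real signatures use a vetted library with proper padding), and the digest is SHA-256 truncated so it fits below that toy modulus.

```python
import hashlib
import hmac

# Toy key material (assumption for illustration): two Mersenne primes give a
# ~92-bit modulus, far too small for real use but enough to show the mechanics.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+ modular inverse)

# A second, independent key pair standing in for "some other originator".
P2, Q2 = 2**89 - 1, 2**61 - 1
N2 = P2 * Q2
D2 = pow(E, -1, (P2 - 1) * (Q2 - 1))


def message_digest(message: bytes) -> bytes:
    """C5-16: the sender hashes the entire message to produce a message digest."""
    return hashlib.sha256(message).digest()


def digest_matches(message: bytes, received_digest: bytes) -> bool:
    """C5-16: the receiver recomputes the hash and compares it with what was sent."""
    return hmac.compare_digest(message_digest(message), received_digest)


def _digest_as_int(message: bytes) -> int:
    # Truncate to 64 bits so the value is always below the toy modulus N.
    return int.from_bytes(message_digest(message)[:8], "big")


def sign(message: bytes, private_exp: int = D, modulus: int = N) -> int:
    """C5-17 choice D: the source signs the digest with its private key."""
    return pow(_digest_as_int(message), private_exp, modulus)


def verify_signature(message: bytes, signature: int,
                     public_exp: int = E, modulus: int = N) -> bool:
    """C5-22: the recipient 'decrypts' the signature with the signer's public key
    and checks that the result equals the digest it computed itself."""
    return pow(signature, public_exp, modulus) == _digest_as_int(message)


def demo() -> dict:
    """Constructed transaction (not from the manual); reports each check's result."""
    original = b"PAY 1000.00 TO ACCT 12345 REF 2009-0042"
    tampered = b"PAY 9000.00 TO ACCT 12345 REF 2009-0042"
    sent_digest = message_digest(original)
    sig = sign(original)
    return {
        "digest_ok_untouched": digest_matches(original, sent_digest),
        "digest_ok_tampered": digest_matches(tampered, sent_digest),
        "signature_ok_untouched": verify_signature(original, sig),
        "signature_ok_tampered": verify_signature(tampered, sig),
        # Signed with a different private key: fails under the expected public key,
        # which is what lets the recipient verify the originator, not only integrity.
        "signature_ok_other_key": verify_signature(original, sign(original, D2, N2)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:24s} {result}")
```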
If the RA verifies the requestor's information, the CA can issue a certificate. The CA signs the certificate with its private key for ... Upon receipt, the user will decrypt the certificate with the CA's public key.

C5-23 IS management is considering a Voice-over Internet Protocol (VoIP) network to reduce telecommunication costs, and management asked the IS auditor to comment on appropriate security controls. Which of the following security measures is MOST appropriate?
A. Review and, where necessary, upgrade firewall capabilities
B. Install modems to allow remote maintenance support access
C. Create a physically distinct network to handle VoIP traffic
D. Restrict all VoIP traffic to allow cleartext logging of authentication credentials

A  Firewalls used as entry points to a Voice-over Internet Protocol (VoIP) network should be ... network services such as H.323 introduce complexity that ... Allowing for remote support access is an important consideration; however, a ... would offer a more secure means of enabling this access than reliance on modems. Separate VoIP and data networks ... Options such as virtual LANs (VLANs) ... network address translation (NAT) combined with private IP addressing ... Separating the networks will increase both cost and ... Cleartext logging of information, particularly sensitive information such as authentication credentials, ... vulnerability. When designing a VoIP network, it ...

C5-24 The MOST effective biometric control system is the one:
A. which has the highest equal-error rate (EER).
B. which has the lowest EER.
C. for which the false-rejection rate (FRR) is equal to the false-acceptance rate (FAR).
D. for which the FRR is equal to the failure-to-enroll rate (FER).

B  The equal-error rate (EER) of a biometric system denotes the percent at which the false-acceptance rate (FAR) is equal to the false-rejection rate (FRR). The biometric that has the lowest EER is the most effective. The biometric that has the highest EER is the most ineffective. For any biometric, there will be a measure at which the FRR will be equal to the FAR.
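How the EER of C5-24 is read off measured error rates and used to rank systems, as an added example that is not from the manual: the per-threshold FAR/FRR figures for three systems are constructed, and the crossing point is located by linear interpolation between the two sampled thresholds that bracket it, which is an assumption about how the curves are sampled.

```python
from typing import Dict, List, Optional, Tuple

# Constructed measurements (not from the manual): for each decision threshold,
# the observed false-acceptance rate (FAR) and false-rejection rate (FRR).
# Raising the threshold makes the system stricter: FAR falls while FRR rises.
Curve = List[Tuple[float, float, float]]   # (threshold, FAR, FRR)

SYSTEMS: Dict[str, Curve] = {
    "fingerprint-A": [(1, 0.20, 0.01), (2, 0.10, 0.02), (3, 0.05, 0.05),
                      (4, 0.02, 0.10), (5, 0.01, 0.20)],
    "voice-B":       [(1, 0.30, 0.02), (2, 0.20, 0.04), (3, 0.10, 0.10),
                      (4, 0.04, 0.20), (5, 0.01, 0.30)],
    "iris-C":        [(1, 0.20, 0.02), (2, 0.10, 0.05), (3, 0.04, 0.08),
                      (4, 0.02, 0.12)],
}


def equal_error_rate(curve: Curve) -> Optional[Tuple[float, float]]:
    """Return (threshold, EER) at the point where FAR == FRR.

    If no sampled threshold hits equality exactly, interpolate linearly inside
    the interval where FAR drops below FRR. Returns None if the curves never cross.
    """
    for (t0, far0, frr0), (t1, far1, frr1) in zip(curve, curve[1:]):
        d0, d1 = far0 - frr0, far1 - frr1
        if d0 == 0:
            return t0, far0
        if d0 > 0 and d1 <= 0:            # crossing lies inside [t0, t1]
            frac = d0 / (d0 - d1)         # relative position of the crossing
            return t0 + frac * (t1 - t0), far0 + frac * (far1 - far0)
    last_t, last_far, last_frr = curve[-1]
    return (last_t, last_far) if last_far == last_frr else None


def most_effective(systems: Dict[str, Curve]) -> Tuple[str, float]:
    """C5-24 choice B: the biometric with the lowest EER is the most effective."""
    eers = {}
    for name, curve in systems.items():
        result = equal_error_rate(curve)
        if result is not None:
            eers[name] = result[1]
    best = min(eers, key=eers.get)
    return best, eers[best]


if __name__ == "__main__":
    for name, curve in SYSTEMS.items():
        print(f"{name:14s} EER at (threshold, rate) = {equal_error_rate(curve)}")
    print("most effective:", most_effective(SYSTEMS))
```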
This is the EER. FER is an aggregate measure of FRR.

C5-25 Which of the following is the BEST way to satisfy two-factor user authentication?
A. A smart card requiring the user's PIN
B. User ID along with password
C. Iris scanning plus fingerprint scanning
D. A magnetic card requiring the user's PIN

A  A smart card addresses what the user has. This is generally used in conjunction with a personal identification number (PIN), what the user knows. An ID and password, what the user knows, is a single-factor user authentication. Choice C is not a two-factor user authentication because it is only biometrics (what the user is). Choice D is similar to choice A, but the magnetic card may be copied; therefore, choice A is the BEST way to satisfy two-factor user authentication.

C5-26 What should an organization do before providing an external agency physical access to its information processing facilities (IPFs)?
A. The processes of the external agency should be subjected to an IS audit by an independent agency.
B. Employees of the external agency should be trained on the security procedures of the organization.
C. Any access by an external agency should be limited to the demilitarized zone (DMZ).
D. The organization should conduct a risk assessment and design and implement appropriate controls.

D  Physical access of information processing facilities (IPFs) by an external agency introduces additional threats into an organization. Therefore, a risk assessment should be conducted and controls designed accordingly. The processes of the external agency are not of concern here. It is the agency's interaction with the organization that needs to be protected. Auditing their processes would not be relevant in this context. Training the employees of the external agency may be one control procedure, but could be performed after access has been granted. Sometimes an external agency may require access to the processing facilities beyond the demilitarized zone (DMZ). For example, an agency which undertakes maintenance may require access to the main server room. Restricting access within the DMZ will ...

C5-27 An IS auditor is reviewing the physical security measures of an organization.
Regarding the access card system, the IS auditor should be MOST concerned that:
A. access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity.
B. access cards are not labeled with the organization's name and address to facilitate easy return of a lost card.
C. card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards.
D. the system used for programming the cards can only be replaced after three weeks in the event of a failure.

A  Physical security is meant to control who is entering a secured area, so identification of all individuals is of utmost importance. It is not adequate to trust unknown external people by allowing them to write down their alleged name without proof, e.g., identity card, driver's license, etc. Choice B is not a concern because if the name and address of the organization were written on the card, a malicious finder could use the card to enter the organization's premises. Separating card issuance from technical rights management is a method of segregation of duties, so that no single person can produce a functioning card for a restricted area within the organization's premises. Choices B and C are good practices, not concerns. Choice D may be a concern, but it is not important, since a failure of the card programming device does not mean that the readers do not function anymore. It simply means that no new cards can be issued, so this option is minor compared to the threat of improper identification.

C5-28 When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor?
A. Hard disks are overwritten several times at the sector level, but are not reformatted before leaving the organization.
B. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization.
C. Hard disks are rendered unreadable by hole-punching through the platters at specific positions before leaving the organization.
D. The transport of hard disks is escorted by internal security staff to a nearby metal recycling company, where the hard disks are registered and then shredded.

B  Deleting and formatting does not completely erase the data but only marks the sectors that contained files as being free.
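The difference the C5-28 explanation draws between deleting and formatting (choice B) and sector-level overwriting (choice A), as an added example that is not from the manual: a constructed in-memory disk model whose file table stands in for directories, indices and the master file table, plus a residual-data read that ignores that table the way a recovery tool would.

```python
SECTOR_SIZE = 16


class ToyDisk:
    """Constructed model (not from the manual): fixed-size sectors plus a file
    table mapping names to sector numbers, standing in for the directory,
    indices and master file table of a real file system."""

    def __init__(self, sector_count: int = 8) -> None:
        self.sectors = [b"\x00" * SECTOR_SIZE for _ in range(sector_count)]
        self.table: dict = {}                  # name -> list of sector numbers
        self.free = set(range(sector_count))   # sectors marked as available

    def write_file(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + SECTOR_SIZE] for i in range(0, len(data), SECTOR_SIZE)]
        targets = sorted(self.free)[:len(chunks)]
        if len(targets) < len(chunks):
            raise ValueError("disk full")
        for sector, chunk in zip(targets, chunks):
            self.sectors[sector] = chunk.ljust(SECTOR_SIZE, b"\x00")
            self.free.discard(sector)
        self.table[name] = targets

    def read_file(self, name: str) -> bytes:
        return b"".join(self.sectors[s] for s in self.table[name]).rstrip(b"\x00")

    def delete_file(self, name: str) -> None:
        """Choice B, step 1: deleting only marks the sectors free; the bytes stay."""
        self.free.update(self.table.pop(name))

    def quick_format(self) -> None:
        """Choice B, step 2: formatting rebuilds the file table, not the sectors."""
        self.table.clear()
        self.free = set(range(len(self.sectors)))

    def overwrite_all_sectors(self, passes: int = 3) -> None:
        """Choice A: overwriting at the sector level destroys data and file table
        alike, which is why no separate reformat is needed afterwards."""
        for _ in range(passes):
            for sector in range(len(self.sectors)):
                self.sectors[sector] = b"\x00" * SECTOR_SIZE
        self.table.clear()
        self.free = set(range(len(self.sectors)))


def residual_data(disk: ToyDisk) -> bytes:
    """What the 'tools available over the Internet' do: read every sector and
    ignore the file table, so freed-but-not-overwritten content reappears."""
    return b"".join(disk.sectors).replace(b"\x00", b"")


def disposal_comparison() -> dict:
    """Constructed sensitive file written to two disks, each disposed of one way."""
    payload = b"SALARY-LIST: CEO 450000; CFO 380000"   # constructed content

    deleted_and_formatted = ToyDisk()
    deleted_and_formatted.write_file("salaries.txt", payload)
    deleted_and_formatted.delete_file("salaries.txt")
    deleted_and_formatted.quick_format()

    overwritten = ToyDisk()
    overwritten.write_file("salaries.txt", payload)
    overwritten.overwrite_all_sectors()

    return {
        "after_delete_and_format": residual_data(deleted_and_formatted),
        "after_sector_overwrite": residual_data(overwritten),
    }


if __name__ == "__main__":
    for method, leftover in disposal_comparison().items():
        print(f"{method}: {leftover!r}")
```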
There are tools available over the Internet which allow one to reconstruct most of a hard disk's contents. Overwriting a hard disk at the sector level would completely erase data, directories, indices and master file tables. Reformatting is not necessary, since all contents are destroyed. Overwriting several times makes useless some forensic measures which are able to reconstruct former contents of newly overwritten sectors by analyzing special magnetic features of the platter's surface. While hole-punching does not delete file contents, the hard disk cannot be used anymore, especially when head and track zero information are impacted. Reconstructing data would be extremely expensive, since the analysis must be performed under a clean room atmosphere and is only possible within ... or until the surface is corroded. Data reconstruction from shredded hard disks is virtually impossible, especially when the scrap is mixed with other metal parts. If the transport can be trusted and the destruction can be proved as described in the option, this is a valid method of disposal.

C5-29 In a hospital, medical personnel carry handheld computers which contain patient health data. These handheld computers are synchronized with PCs which transfer data from a hospital database. Which of the following is of the MOST importance?
A. The handheld computers are properly protected to prevent loss of data confidentiality in case of theft.
B. The employee who deletes temporary files from the local PC, after usage, is authorized to maintain PCs.
C. Timely synchronization is ensured by policies and procedures.
D. The usage of the handheld computers is allowed by the hospital policy.

A  Data confidentiality is a major requirement of privacy regulations. Choices B, C and D relate to internal security requirements, and are secondary when compared to compliance with data privacy laws.

C5-30 An organization has a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy?
...

A web content filter accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, organizations and vendors have made available URL blacklists and classifications for millions of web sites. A stateful inspection firewall is of little help in filtering web traffic, since it does not review the content of the web site nor does it take into consideration the site's classification. A web cache server is designed to improve the speed of retrieving the most common or recently visited web pages. A proxy server is incorrect because a proxy server is a server which services the requests of its clients by forwarding requests to other servers. Many people incorrectly use proxy server as a synonym of web proxy server, even though not all web proxy servers have content filtering capabilities.

C5-31 What would be the MOST effective control for enforcing accountability among database users accessing sensitive information?
A. Implement a log management process
B. Implement a two-factor authentication
C. Use table views to access sensitive data
D. Separate database and application servers

A  Accountability means knowing what is being done by whom. The best way to enforce the principle is to implement a log management process that would create and store logs with pertinent information such as user name, type of transaction, hour, etc. Choice B, implementing a two-factor authentication, and choice C, using table views to access sensitive data, are controls that would limit access to the users but would not resolve the accountability problem. Choice D may help in implementing access controls but, again, does not address the need ...

AREA 6—BUSINESS CONTINUITY AND DISASTER RECOVERY (14%)

C6-1 During an audit, an IS auditor notes that an organization's business continuity plan (BCP) does not adequately address information confidentiality during a recovery process. The IS auditor should recommend that the plan be modified to include:
A. the level of information security required when business recovery procedures are invoked.
B. information security roles and responsibilities in the crisis management structure.
C. information security resource requirements.
D. change management procedures for information security that could affect business continuity arrangements.

A  The organization should consider whether information security levels required during recovery should be the same, higher or lower than when business is operating normally. In particular, any special rules for access to confidential data during a crisis need to be identified. The other choices do not directly address the information confidentiality issue.

C6-2 During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the:
A. event error log generated at the disaster recovery site.
B. disaster recovery test plan.
C. disaster recovery plan (DRP).
D. configurations and alignment of the primary and disaster recovery sites.

D  Since the configuration of the system is the most probable cause, the IS auditor should review that first. If the issue cannot be clarified, the IS auditor should then review the event error log. The disaster recovery test plan and the disaster recovery plan (DRP) would not contain information about the system configuration.

C6-3 Which of the following is the GREATEST risk when storage growth in a critical file server is not managed properly?
A. Backup time would steadily increase.
B. Backup operational cost would significantly increase.
C. Storage operational cost would significantly increase.
D. Server recovery work may not meet the recovery time objective (RTO).

D  In case of a crash, recovering a server with an extensive amount of data could require a significant amount of time. If the recovery cannot meet the recovery time objective (RTO), there will be ... . It is important to ensure that server restoration can meet the RTO. Incremental backups only take the backup of the daily differential, thus a steady increase in backup time is not ... . Backup and storage cost issues are not as significant as not meeting the RTO.
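The RTO/RPO relationship that the C6-3 explanation rests on, and that C6-4 and C6-14 in this area spell out (the RPO bounds tolerated data loss and therefore the backup interval; the RTO bounds tolerated downtime), as an added example that is not from the manual; the backup timestamps, failure time and restore times are constructed.

```python
from datetime import datetime, timedelta
from typing import List


def max_backup_interval(backup_times: List[datetime]) -> timedelta:
    """Longest gap between consecutive backups in a schedule."""
    ordered = sorted(backup_times)
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    return max(gaps) if gaps else timedelta(0)


def schedule_meets_rpo(backup_times: List[datetime], rpo: timedelta) -> bool:
    """C6-14: backup intervals must not exceed the RPO; otherwise the latest
    backup can already be older than the tolerated data loss when failure hits."""
    return max_backup_interval(backup_times) <= rpo


def assess_incident(backup_times: List[datetime], failed_at: datetime,
                    restored_at: datetime, rpo: timedelta, rto: timedelta) -> dict:
    """Worst-case data loss is the time since the last usable backup (vs. RPO);
    downtime is the time until service is back (vs. RTO)."""
    usable = [t for t in backup_times if t <= failed_at]
    if not usable:
        raise ValueError("no backup exists from before the failure")
    data_loss = failed_at - max(usable)
    downtime = restored_at - failed_at
    return {
        "data_loss": data_loss,
        "downtime": downtime,
        "rpo_met": data_loss <= rpo,
        "rto_met": downtime <= rto,
    }


def c6_4_scenario() -> dict:
    """C6-4: RTO = 0 and RPO close to 1 minute. Constructed timeline: backups
    every 30 seconds, failure at 14:00:45, two candidate recovery arrangements."""
    rpo, rto = timedelta(minutes=1), timedelta(0)
    start = datetime(2009, 3, 2, 14, 0, 0)          # constructed date
    backups = [start + timedelta(seconds=30 * i) for i in range(10)]
    failed_at = start + timedelta(seconds=45)
    # A hot standby takes over without interruption (continuous processing);
    # a restore from backup needs time, which an RTO of zero does not allow.
    continuous = assess_incident(backups, failed_at, failed_at, rpo, rto)
    restore = assess_incident(backups, failed_at,
                              failed_at + timedelta(minutes=5), rpo, rto)
    # For contrast: a nightly backup schedule against the same one-minute RPO.
    nightly = [start - timedelta(days=d) for d in range(3)]
    return {
        "backup_interval_ok": schedule_meets_rpo(backups, rpo),
        "nightly_interval_ok": schedule_meets_rpo(nightly, rpo),
        "continuous": continuous,
        "restore": restore,
    }


if __name__ == "__main__":
    for key, value in c6_4_scenario().items():
        print(key, value)
```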
C6-4 An organization has a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to 1 minute for a critical system. This implies that the system can tolerate:
A. a data loss of up to 1 minute, but the processing must be continuous.
B. a 1-minute processing interruption but cannot tolerate any data loss.
C. a processing interruption of 1 minute or more.
D. both a data loss and a processing interruption longer than 1 minute.

A  The recovery time objective (RTO) measures an organization's tolerance for downtime and the recovery point objective (RPO) measures how much data loss can be accepted. Choices B, C and D are incorrect, since they exceed the RTO limits set by the scenario.

C6-5 Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?
A. Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year.
B. During the test it was noticed that some of the backup systems were defective or not working, causing the test of these systems to fail.
C. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned.
D. Every year, the same employees perform the test. The recovery plan documents are not used since every step is well known by all participants.

D  A disaster recovery test should test the plan, processes, people and IT systems. Therefore, if the plan is not used, its accuracy and adequacy cannot be verified. Disaster recovery should not rely on key staff, since a disaster can occur when they are not available. It is common that not all systems can be tested in a limited test time frame. It is important, however, that those systems which are essential to the business are tested, and that the other systems are eventually tested throughout the year.
One aim of the test is to identify and replace defective devices so that all systems can be replaced in the case of a disaster. Choice B would only be a concern if the number of discovered problems is systematically very high. In a real disaster there is no need for a clean shutdown of the original production environment, since the first priority is to bring the backup site up.

C6-6 The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan (DRP)?
A. Contact information of key personnel
B. Server inventory documentation
C. Individual roles and responsibilities
D. Procedures for declaring a disaster

A  In the event of a disaster, it is important to have a current, updated list of the personnel key to the operation of the plan. Choices B, C and D would be more likely to remain stable over time.

C6-7 An organization has outsourced its wide area network (WAN) to a third-party service provider. Which of the following is the PRIMARY task the IS auditor should perform during an audit of business continuity (BCP) and disaster recovery planning (DRP)?
A. Review whether the service provider's BCP process is aligned with the organization's BCP and contractual obligations
B. Review whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster
C. Review the methodology adopted by the organization in choosing the service provider
D. Review the accreditation of the third-party service provider's staff

A  Reviewing whether the service provider's business continuity plan (BCP) process is aligned with the organization's BCP and contractual obligations is the correct answer, since an adverse effect or disruption to the business of the service provider has a direct bearing on the organization and its customers. Reviewing whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster is not the correct answer, since the presence of penalty clauses, although an essential element of a SLA, is not a primary concern.
Choices C and D are possible concerns, but of lesser importance.

C6-8 An IS auditor can verify that an organization's business continuity plan (BCP) is effective by reviewing the:
A. alignment of the BCP with industry best practices.
B. results of business continuity tests performed by IS and end-user personnel.
C. off-site facility, its contents, security and environmental controls.
D. annual financial cost of the BCP activities versus the expected benefit of implementation of the plan.

B  The effectiveness of the business continuity plan (BCP) can best be evaluated by reviewing the results from previous business continuity tests for thoroughness and accuracy in accomplishing their stated objectives. The other choices do not provide assurance of the effectiveness of the BCP.

C6-9 A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the:
A. system and the IT operations team can sustain operations in the emergency environment.
B. resources and the environment could sustain the transaction load.
C. connectivity to the applications at the remote site meets response time requirements.
D. workflow of actual business operations can use the emergency system in case of a disaster.

A  The applications have been intensively operated; therefore, choices B, C and D have been ...

C6-10 To optimize an organization's business contingency plan (BCP), an IS auditor should recommend a business impact analysis (BIA) in order to determine:
A. the business processes that generate the most financial value for the organization and therefore must be the first priority for recovery.
B. the priorities and order of recovery to ensure alignment with the organization's business strategy.
C. the business processes which must be recovered following a disaster to ensure the organization's survival.
D. the priorities and order of recovery which will recover the greatest number of systems in the shortest time.

C  To ensure the organization's survival following a disaster, it is important to recover the most critical business processes first. It is a common mistake to overemphasize value (A) rather than urgency.
For example, while the processing of incoming mortgage loan payments is important from a financial perspective, it could be delayed for a few days in the event of a disaster. On the other hand, wiring funds to close on a loan, while not generating direct revenue, is far more critical because of the possibility of fines, customer complaints and reputation issues. Choices B and D are not correct because neither the strategy nor the mere number of recovered systems has a direct impact on the organization's survival.

C6-11 A financial services organization is developing and documenting business continuity measures. In which of the following cases would an IS auditor MOST likely raise an issue?
A. The organization uses good practice guidelines instead of industry standards and relies on external advisors to ensure the adequacy of the methodology.
B. The business continuity capabilities are planned around a carefully selected set of scenarios which describe events that might happen with a reasonable probability.
C. Recovery time objectives (RTOs) do not take IT disaster recovery constraints into account, such as ... dependencies during the recovery phase.
D. The organization plans to rent a shared alternate site with emergency workplaces which has only enough room for half of the normal staff.

B  It is a common mistake to use scenario planning for business continuity. The problem is that it is impossible to plan and document actions for every possible scenario. Planning for just selected scenarios denies the fact that even improbable events can cause an organization to break down. Best practice planning addresses the four possible areas of impact in a disaster: premises, people, ... and dependencies. All scenarios can be reduced to these four categories and can be handled simultaneously. There are very few special scenarios which justify an additional separate analysis.
It is a good idea to use best practices and external advice for such an important topic, especially since knowledge of the right level of preparedness and the judgment about adequacy of the measures taken is not available in every organization. Recovery time objectives (RTOs) are based on the essential business processes required to ensure the organization's survival; therefore, it would be inappropriate for them to be based on IT capabilities. Best practice guidelines recommend having 20-80% of normal capacity available at an emergency site; a capacity of 50% would not be a problem if there are no additional factors.

C6-12 An organization whose IT disaster recovery measures have been in place and regularly tested for years has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP?
A. Full-scale test with relocation of all departments, including IT, to the contingency site
B. Walk-through test of a series of predefined scenarios with all critical personnel involved
C. IT disaster recovery test with business departments involved in testing the critical applications
D. Functional test of a scenario with limited IT involvement

D  After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Since the IT part has been tested for years, it is better to verify and optimize the business continuity plan (BCP) before actually involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule. A full-scale test in the situation described might fail because it would be the first time that the plan is actually exercised, and a number of resources (including IT) and time would be wasted. The walk-through test is the most basic type of testing.
Its intention is to make key staff familiar with the plan and discuss critical plan elements, rather than verifying its adequacy. The recovery of applications should always be verified and approved by the business instead of being purely IT-driven. A disaster recovery test would not help in verifying the administrative and organizational parts of the BCP which are not IT-related.

C6-13 Which of the following is the MOST important consideration when defining recovery point objectives (RPOs)?
...

... Recovery time objectives (RTOs) are the acceptable time delay in ... ; ... is the level of data loss/reworking an organization is willing to accept. ... and minimum operating requirements help in defining recovery strategies ... recovery point objectives ... Mean time between failures ...

C6-14 To address an organization's disaster recovery requirements, backup intervals should not exceed the:
A. service level objective (SLO).
B. recovery time objective (RTO).
C. recovery point objective (RPO).
D. maximum acceptable outage (MAO).

C  The recovery point objective (RPO) defines the point in time to which data must be restored so as to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time frame. If service levels are not met, the usual consequence is penalty payments, not cessation of business. Organizations will try to set service levels ... to meet established targets. The resulting time for the service level agreement is usually longer than the RPO. The recovery time objective (RTO) defines the time period within which business functionality needs to be restored. The maximum acceptable outage (MAO) is the amount of system downtime that is tolerable. It can be used as a ... The RTO denotes an objective/target, while the MAO constitutes a ...

SAMPLE EXAM

1. ... Framework is the: ...
2. ... security risk ...
3. ... migration project, which of the following ... GREATEST ... during a long weekend ...
... and the time window is ... the data representation in the new system is ... immediately ... the legacy system ... the printing functionality of the ...

4. Which of the following would effectively verify the originator of a transaction?
A. Using a secret password between the originator and the receiver
B. Encrypting the transaction with the receiver's public key
C. Using a portable document format (PDF) to encapsulate transaction content
D. Digitally signing the transaction with the source's private key

5. During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the:
A. event error log generated at the disaster recovery site.
B. disaster recovery test plan.
C. disaster recovery plan (DRP).
D. configurations and alignment of the primary and disaster recovery sites.

6. Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?
A. Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year.
B. During the test it was noticed that some of the backup systems were defective or not working, causing the test of these systems to fail.
C. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned.
D. Every year, the same employees perform the test. The recovery plan documents are not used since every step is well known by all participants.

7. ...
D. Internal auditors can shift to a consultative approach by using the results of the assessment.

8. During an audit, an IS auditor notes that an organization's business continuity plan (BCP) does not adequately address information confidentiality during a recovery process. The IS auditor should recommend that the plan be modified to include:
A. the level of information security required when business recovery procedures are invoked.
B. information security roles and responsibilities in the crisis management structure.
C. information security resource requirements.
D. change management procedures for information security that could affect business continuity arrangements.

9. Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:
A. meets or exceeds industry security standards.
B. agrees to be subject to external security reviews.
C. has a good market reputation for service and experience.
D. complies with security policies of the organization.

10. An organization has a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy?
...

11. ... the MOST ... critical success factor (CSF) would be the: ... software development approach ...

12. ... maturity model such as the Capability Maturity Model (CMM) ...

13. ... identify lessons learned for future use in the project ...

14. To optimize an organization's business contingency plan (BCP), an IS auditor should recommend a business impact analysis (BIA) in order to determine:
A. the business processes that generate the most financial value for the organization and therefore must be the first priority for recovery.
B. the priorities and order of recovery to ensure alignment with the organization's business strategy.
C. the business processes which must be recovered following a disaster to ensure the organization's survival.
D. the priorities and order of recovery which will recover the greatest number of systems in the shortest time.

15. Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database?
A. ...
B. ... controls
C. Read/write access log controls
D. Commitment and rollback controls

16. When protecting an organization's IT systems, which of the following is normally the next line of defense after the network firewall has been compromised?
A. Personal firewall
B. Antivirus programs
C. Intrusion detection system (IDS)
D. Virtual local area network (VLAN) configuration

17. When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor?
A. Hard disks are overwritten several times at the sector level, but are not reformatted before leaving the organization.
B. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization.
C. Hard disks are rendered unreadable by hole-punching through the platters at specific positions before leaving the organization.
D. The transport of hard disks is escorted by internal security staff to a nearby metal recycling company, where the hard disks are registered and then shredded.

18. In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?
A. ... document the change ...
B. Limit developer access to production to a specific timeframe
C. Obtain secondary approval before release
D. Disable the compile option in the production machine

19. The responsibility for authorizing access to a business application system belongs to the:
...

20. Which of the following BEST supports the prioritization of new IT projects?
A. Internal control self-assessment (CSA)
B. ...
C. ...
D. ...

21. An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software:
A. is configured with an implicit deny rule as the last rule in the rule base.
B. is installed on an operating system with default settings.
C. has been configured with rules permitting or denying access to systems or networks.
D. is configured as a virtual private network (VPN) endpoint.

22. The GREATEST risk posed by an improperly implemented intrusion prevention system (IPS) is:
A. that there will be too many alerts for system administrators to verify.
B. decreased network performance due to IPS traffic.
C. the blocking of critical systems or services due to false triggers.
D. reliance on specialized expertise within the IT organization.

23. Which of the following is the GREATEST risk when storage growth in a critical file server is not managed properly?
A. Backup time would steadily increase.
B. Backup operational cost would significantly increase.
C. Storage operational cost would significantly increase.
D. Server recovery work may not meet the recovery time objective (RTO).

24. Which of the following would be the MOST effective audit technique for identifying segregation of duties violations in a new enterprise resource planning (ERP) implementation?
Reviewing a report of security rights in the system Reviewing the compleaities of authorization objects CC. Building 9 program to identify conflicts in authorization Examining recent access rights violation cases 25 A legacy payroll application is migrated to @ new application. Which of the following stakeholders should ¢ PRIMARILY res nsible for reviewing and signing Ton the accuracy and completeness of the data Database administrator Project mariager Da \n IS auditor has completed « network audit. Which of the fallowing ts the MOST significant logical A. Network workstations are not disabled automatically afler a period of inactivity. B. Wiring closets are left unlocked Network operating manuals and documentation are not properly secured. D.__ Network components are not equipped with an uninterruptible poser supply. i 2. Which of the following is normally a responsibility ofthe chief security officer (CSO)? A. Periodically reviewing and evaluating the security policy B. Executing user application and sofiware testing and evaluation Granting and revoking user access to IT resources. D. Approving access to data and applications After the merger of two organizations, multiple self developed legacy app! to be replaced by a new common platform. Which of the following ‘A. Project management and progress reporting is combined in a proje a ao 9 In wireless communication, which of the following controls allows the device receiving the” communications to verify that the received communications have not been altered in transit? A. Device authentication and data origin authentication B._ Wireless intrusion detection (IDS) and prevention systems (IPS) The use of cryptographic hashes 1 Packet headers and trailers 30 What should an organization do before providing an external agency physical access to its information : processin es (IPF) . 
sses of the external agency should be subjected to an IS audit by an independent agency: es of the external agency should be trained on the security procedures of the ongantzation. < by an external agency should be limited to the demilitarized zone (DMZ). onduct a risk assessment and design and! implement appropriate controls, D. The organization should 5 address an organization's disaster recovery requirements, backup intervals should not exceed the: A. service level objective (SLO). B recovery time objective (RTO) CC. recovery point abjective (RPO). D_ maximum acceptabl je outage (MAO) The MAJOR ad ot a component-based development approach is the iplex relationships neet the demands of a chan B._ provision for modelin 5. support of multiple development enviro When reviewing the configuration of network devices, an 1S auditor should FIRST identify: A. the best practices for the type of network devices deployed 1B. whether components of the netwurk are missing, C_ the importance oF the network device in the topology. D._ whether subcomponents of the network are being used appropriately. 34. ‘An IS auchitor finds that. in accordance with 1S policy, IDs of terminated users ays of termination, The IS auditor should 'A. report thatthe control is operating effectively since deactivation happens in the IS policy. 
mi ‘verify that user access rights have been pranted on a need-to-have recommend changes to the |S poliey to ensure deactivation of user caeieaiil 9 The MOST effective e ol for reducing the risk related to phishing is: centralized monitoring oF systems 15 including signatures or phishang 1 antivirus software publishing the policy on antiphishing on the intranet ccurity training for all users, 7 hould an 1S auditor recomm i for the protection of specific sensitive information Iinplement cohimn- and row-level p ia strong passwords Jata warehouse into subject matter-specific databases authentication Log user access to the data warehouse During a human resources (HR) audit, an [S auditor is informed that there ts a verbal agreement between kIT and HR departments as to the level of IT services expected. In this situation, what should the 1S aditor do FIRST until the agreement is documented nto senior management the undocumented agreem: Confirm the content of the agreement with both departments ). Draft a service level agreement (SLA) for the two departments jement is considering ‘over Internet Protocol (VoIP) network to reduce telecommunication and management asked the IS auditor to comment on appropnate security controls. Which of the following security measures is MOST appropriate’ A. Review and, where necessary, upgrade firewall capabilities BB. Install modems to allow remote maintenance support access C. Create a physically distinct network to handle VoIP traffic D. Red VoIP traffic to allow clear text logging of authentication credentials Which of te folowing processes should an 1S auditor recornménd to assists the recording of satiate teen Change management Backup and recovery Incident management Configuration management goo An IS auditor i reviewing a project to implement a payment system Stlaidiey. The 16 autor showld FIRST wely thot t= technics! 
platforms between the two companies are parent bank i authorized to serve asa service provider, security features ae in place to segregate subsidiary D._ subsidiary can join asa co-owner of this that patches for the operating system used by an organization are deployed by the IT dcparcment as adviced by the vendor, The MOST significant concern an 1 auditor should have wah this practice is the nonconsideration by IT of A. the training needs for users after applying the patch. FR any beneficial impact of the patch on the operational systems. (© achying deployment until testing the tmpact of the patch, D. the necessity of rs of new patches. Most eff jometric contral system is t hich has the highest equal-error rate (EER). B. which has the lowest EER c Tee-tejection rate (FRR) is equal to the false-acceptance rate (FAR) D. for RR is equial to the failure-to-enroll rate (FER). the PRIMARY purpose of an IT forensic audit is to participate in investigations related to Corporate fraud u the correctn 1h organization's finanetal statements to determine that there has been criminal activity 44, sroject manager ofa project that is scheduled to take 18 months te complete SnnOwe=s testis Feolaasg a healt ease because. afer 6 months, only one-isth of the budget Bas been set TN auditor should FIRST determine A. what amount of progress agninst schedule has been achieved: B._ifthe project budget can be reduced. ©. ifthe project could be brought in ahead of schedule D_ ifthe budget savings ean be applied to merease the project Scope 45 ‘When reviewing 9 digital certificate venifiation process, which of the following (ands represents the: MOST significant risk A. There is no registration authority (RA) for reporting key compromises. A. The certificate revocation list (CRL) ss not current. (Digi ceruneares wornain « public ley that i weer tn encrmt messages 2 ed verify iia signaties. 1D. 
Subseribers report key compromises to the certifteate authority (CA F ‘Am 1S auditor it performing an audit of a remotely managed server backup, The Is ferone day and finds one case where logging on a server has fated with the ‘cannot be confirmed, What should the auditor do? A. Issue an audit finding. 5B. Seck an explanation from 18 management Review the classifications of data held an the server 1D. Expand the sample of lous revicwed 5 An IS auwlitor identities that reports on prodet profitability produced! by an 0 varkoting departments give different results: Fuether investi nization’s finance and io reveals that the produet definition bem 15 autor recom User acceptance testing (UAT) accu for all reports hefire release into production 3 Organizational data governance practices be pul in place tarlard software tools be used for report development mnent sign-off on requirements for new reports ations business continuity plan (BCP) fs effective by reviewing the: jgnment of the BCP with industry best practices. ‘sults of business continuity tests performed by 1S and end-user personnel. offsite facility, ts contents, security and environmental controls cost of the BCP actiities versus the expected benetit of implementation oF me plan mall { be essential to involve which of the following stakeholders in the initiation stage of 4 nerds have heen found by an 1S auditor to be the root enuses for recent porate data definition standards in a new business intelligence project. Which of the ing is the MOST appropriate suggestion For an auditor to make? Achieve standards alignment through an increase of resources devoted to the project B. Align the data definition standards after completion of the project c yy the project until compliance with standards can be achieved D. npliance by adopting punitive measures against violators si Upon receint ofthe intial signed digital certificate the user wall deerypt the certificate withthe publie Ney of the: A. 
registration authority (A). B._ certificate authority (CA) C. certificate repository D. receiver. ‘A medium-sized organization, whose IT disaster recovery’ measures have bees in pla for years, has just developed a formal business continuity plan (BCP). A basic BCP been performed successfully. Which testing should an IS auditor reco the adequacy of the new BCP? Full-scale test with relocation of all departments, including IT, “Walkthrough test of a series of predefined scenarios with all "IT disaster recovery test with business departments invor | Functional test of a scenario with limited IT involvement tae 8 Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities? A. Define « balanced scorecard (BSC) for measuring performance B. Consider user satisfaction in the Key performance indicators (KPIs) ts according to business benefits and risks CC. Select proi 1D. Moairy me pruvess of defining Une project pot alia When reviewing an ofganization’s strategic IT plan an 1S auditor should expect to find: \. an assessment of the fit ofthe organization's application portfolio with business objectives, tions to reduce hardware procurement cost. 1 suppliers of IT contract resources, 1 description of the technical architecture for the organization's network perimeter security, re Suppression systems is MOST appropriate to use ina data center environment? by significant tisk is introduced by running the file transfer protocol (FTP) service on a server in | demilitarized zone (DMZ) A. A.user trom within could send a fle 1 an unautnortzea person. 3. FTP services could allow a user to download files from unauthorized sources. | © Abhacker may be abl D. FTP could si 1 use the FTP service to bypass the firewall | reduce the performance of a DMZ server. lose to | minute for a critical system. 
This implies that the system can folerate: 2 data toss oF up to 1 minute, but the processing must be continuous. 4 I-minute processing interruption but cannot tolerate any data Toss. 4 processing interruption of | minute or more both a dats Toss and a processing interruption longer than 1 tinute. one ‘An IS auditor should expect the responsibility for authorizing aceess rights 10 to be entrusted fo the: A. process owners. B._systerm administrators, © security administrator. D. data owners, en i mal Sizmitury, the messiee divest is eamputed anc the receiver by the certificate authority (CAD 1s outsourced its help desk activities, An IS auditor's GREATEST concem when nt (SLA) between the organization and vendor taf¥ background checks, Jent audit reports of full audit access, cear-to-year incremental cost reductions, rover, development or training MOST effectively enhance the security of a challey response based 9 fe cal access controls effectively reduces the risk of pigeybacking? >. Bolting door locks 6s An IS auatitor finds that client requests were processed multiple times sehen rezeived from different Independent depatiiienial databases, which are synchronized weekly: Whar wonld be the BEST recommendation? A. Imerease the frequency for data replication between the different department systems fo ensure timely updates 1B. Centralize all request processing in one department to avoid parallel processing of the same request ©. Chane the application architecture so that common data are held in just one shared database for alt departments, D__ Implement reconciliation controls to detect duplicates before orders are processed i te systema "Which of the following techniques Would BEST help an IS auditor gai ‘can meet its tanger date? A. Estimation of the actual end date based on the completion taken from status reports 1B. Confirmation of the target date base on interviews with e thecomolon ofthe rie dvenBes C._ Extrapolation ofthe overall end date based on completed 1D. 
Calculation of the expected end date based on curren 8 ‘When revie! swing an organization's approved software product list, which of the following is the ‘MosT A. The nicks assorvated with the use of the products are periodically assessed The latest version of software 1s listed for each product ‘sve’ the list does not Contain open source software A D. After hours support is offt security arcintectare, Which of the following steps should be executed FIRST? gain access to and gather information about encrypted data being tansmiie ever A. eavesdro B_ spoofing 3 | the following should an 1S auditor use to detect duplicate mvoiee Feconls wth sn ISisias A. Attribute sampling Generalized audit software (GAS) C. Test dat D. Integrated test taciliry (TF) that, at cermin times of the day, the data warehouse query performance detisass 09 An 1S auditor finds 1s would it be relevant for the [S auditor to #evieW? siznificantly, Which of the following contro 4 Persnanent table-space allocation B, Commitment and rollback controls CC. User spool! and database limit controls 1D. Reai/wnte access log controts Which of the following would be the MOST significant audit finding (POS) system? |A.. Imunions seconded on the POS system are manually entered B_Anoptical scanner is no! used 10 read bar codes tr the Beet Frequent power outages occur, resulting i the manual oe 1D. Customer exec care nfon : mH What is the BEST action to prevent loss of data integrity or confidentiality in the ease of an e-cumimeree ippliatuon funniny 8M 3 LAN, processing ctecirante Tund transfers (PT) aiid artes te motwork (PNY) tunnels For ela tan habling data encryption within the application Avalting the arcess control to the network DF ogying all changes to access lists When conductin ‘ration test of an FY system, an organization should be MOST concerned with: identiality of the report B._ finding all possible weaknesses on the system, C._restoring all sysients to the onginal state 1D. 
towying all changes made to the production system a ation and accreditation process #s performed on ertical systems is to ensuite that A it bee ly evaluated B. data t ncrypted and are ready to be stored. © thes sted to run on different platforms. " ins have followed the phases of a waterfall model he folk coctration tests would MOST effectively evaluate incident handling and response apabilities of an organization’ R Feternal testi C. Internal testi ‘ D. Double-blind testing During the collection ot torensic evidence, whit ut ihe fllywing actions would MOST Wkely trsilti the: destruction or corruption of evidence on « compromised aystem? AL Dun B._ Generating disk images of the compromised system © Rebooting the system D. Removing the system from the network ng the memory content to a file ‘nS aor vino was valved in designs an onnizatons busines corti ran EE) asa assigned to audit the plan, Ihe {S auditor should: ace ‘A. decline the assignment 'B. inform management ofthe possible conflict of interest after CC. inform the business enntinity planning (BCP) team of the ps Iheeimning the assionment. D. communicate the possibility of confit of interest to man 81 SAMPLE EXAM An nnrantvation 1s migrating from a legacy system to an enterprise resource planning (ERP) system. While vi, the MOST important concern for the I auditor to determine that reviewing the data migration correlation of semantic characteristics of the data migrated between the two systems 5 correlation of arithmetic characteristics of the data migrated between the two systems. (correlation of functional characteristies of the processes between the two systems. relative effiuiency of the processes between the two ayéteme: 1 anatiow fins that user acceptance testing of @ new system 1s being repeatedly interrupted as defect “sc implemented by developers. 
Which of the following would be the BEST recommendation for an fa separate user acceptance environment B 1 occur ata given time each day 3 onb ty defect suring 4 change eontnl audit of a production system, an IS auditor finds thatthe change management re sc hut formally documented and that some migration procedures failed. What should the 1S suitor Recommend redesigning the change management process B nore assurance on the fi analysis nena that prosram migration be stujpped uni the change process ¥ documented Document te finding an present it to management he frequent wpdating of which of the following is key tothe continued eflestiveness ofa disaset reEavery A. Contact information of key personnel B._ Server inventory dacimentation Individual roles and responsibuibes b. sures for declaring a disaster An onganization’s 1S audit charter should specify the: 7 A term plans for 1S audit engagements B. objectives and scope of IS audit engagements C_detailed training plan for the IS audit staff, D. ole of the IS audit function. B. Num vulnerabilities that were patched lentage of business applications that are heing pratected Number of successful penetration tests to replace its wired networks with wireless networks, Which of the follewing ld BEST secure the wireless network fron unauthorized access? 4. Implement Wired Equivalent Privacy [WEP) 3 Permit access to only authorized Meaia Access Control ( MAC) addresses ft n broadcast of service set identifiers (SSID) >. Implement Wi-Fi Protected Access (WWPA)2 An organization has outsourced its wide arag neruork (WAN) tn a third-party service pmvirer Under these ” which of the following is the PRIMARY task the 15 auditor should perform during an audit # business continuity (BCP) and disaster recovery planning (DRP)? whether the service provider’ BCP process 1s aligne contractus tions. B. 
Review whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster. Review the methodology adopted by the organrzation in choosing the service provider. 1D, Review the accreditation of the mird-party service provides sa with the organization’: BCP and a1, Which of the following is the BEST way to satisfy a qvo-fuctor user authentication? A. A smart card requiring the user's PIN B. User ID along with password C._Inis scanning plus Fingerprint scanning D. A magnetic card requiring the user's PIN A live test of a mutual agreement for IT system recovery has been carried wu ‘oyster and the IT operations team can custain operations in resourees and the environment could sustain the transaction connectivity to the applications at the remote site meets res ior who is reviewing incident reports discovers that, in one instance, an important document left oan employee's desk was removed and put inthe prbage bythe outsourced cleaning sf: Which ofthe following should the 1S auditor recommend to management?” ould be implemented by both the organization and the cleaning agency. jon is required since such incidents have not occurred in the past. uid be impleiented ana strictly entorcea in the organtzation. 4 backup policy for all important office documents should be implemented ul services organization is developing and documenting business continuity measures. In which of he ing cases would an IS auditor MOST likely raise an issue? od practice guidelines instead of industry standards and relies on external x rnsute the adequacy of the methodology. capabilities ate planned around a carefully selected set of scenarios which ht happen with a reasonable probability. 
RTOs) do not take IT disaster recovery constraints into account, such as: Jependencies during the recovery phase Srsanization plans to rent a shared alternate site with emergency workplaces whten mas onty h room for half of the normal staff The business continuit {= MAIN season for requiring that all computer clocks across an organization be synchronized is 10: sent omission or duplication of transactions ure smooth data transition from client machines to servers, estigation pro urate time stamps | personal carry handheld computers which contain patient health data. These handheld computers are synchronized with PCs which transfer data from a hospital database. Which of the would be of th A. The handhekl computers are properly protected to prevent loss of data confidentiality, in ease of thet The employee who deletes temporary files from the local PC. after usage, is authorized to maintain PCS. Timely synchronization is ensured by policies and procedures. The usage of the handheld compuiers is allowed by the hospital policy. during the: development phase design phase. testing phase deployment phase. one 1 tha He HY dgpartment of separate risk management fapetion, and theo medium-sized organization has 90 zztnzalian’s operational risk documentation only contains few broadly eetrited I ricke, Whats de MICS appro fale ESSNeRA GH Hea aa tion is implementin an enterprise resource planning (ERP) application ta meet its business \who 1s PRIMARILY responsible for overseeing the project in order to ensure hat i 1s progressing in accordance with the project plan and that it will deliver the expected resulls? jelopment project tesim (SPDT), would an {S auditor use to determine if unauthorized modifications were made to D. Analytical review | While evaluating sofia development prastices in an onsanization, an 1 auditor notes that the quality assurance (Q)) fimction mports to projeet management. The MOST important concer Foran 1S oudlitoe hae A. 
effectiveness ofthe QA function hecause it should interact Between project management and were managenent ; B. efficiency ofthe OA function heeause it chet interact withthe praject implementation team C._ffectiveness of the project manager because the praject manager chowld interact with the QA 1D. efficiency of the project manaver because the A function will need to communicate with | implementation team, 95. What would be the MOST effective control for enforcing accountability among. sensitive information? ' ‘A. implement a fog management process 5. Implement a two-factor authentication ©. Use tuble views to access sensitive cata i 1D. Separate database and application servers Ea a) ‘The specific advantage of white Box testing is that at: 4. verifies » projeam can operate successfully with other parts ofthe system. 5 casures a programs functional operating effectiveness without regard tothe internal program Structure. C._ determines procedural accuracy or conditions of a program's specific logic paths. 1) examincs a program's functionality by executing tim 2 tightly controlled or virual environment ith restricted access to the host system eens ect was not able to implement all audit recommendations by the target date. The 1S auditor shou mmend that the project be halted until the issues are resolved. rmpensating controls be implemented alate risks associated with the unresolved issues. «project manager reallocate test resources to resolve the isues. Earl aul yaaa CISA Review Questions, Answers & Explanations Manual 2009 Supplement Question Number SAMPLE EXAM ANSWER AND REFERENCE KEY REF. 
Reference example: C4-8 = See content area 4, question 8.

SAMPLE EXAM ANSWER SHEET (PRETEST)
Please use this answer sheet to take the sample exam as a pretest to determine strengths and weaknesses. The answer key/reference grid is on page 57.
SAMPLE EXAM ANSWER SHEET (POSTTEST)
Please use this answer sheet to take the sample exam as a posttest to determine strengths and weaknesses. The answer key/reference grid is on page 57.

EVALUATION

... these rapid advances, CISA review ... are updated annually ... audit and control professional. To assist ISACA with keeping abreast of these advances, the ISACA Conference and Education Board would appreciate it if you would take a moment to evaluate the CISA Review Questions, Answers & Explanations Manual 2009 Supplement. Such feedback is valuable to fully serve the profession and future CISA examination registrants. ... the questionnaire below and return to: ... Suite 1010 ... Illinois 60008, USA ... 1.847.253.1443 ... Attention: Manager, Certification Study Program and Educational Development

1. What was your overall impression of the CISA Review Questions, Answers & Explanations Manual 2009 Supplement?
___ Very helpful ___ Helpful ___ Not very helpful

2. Did you find the questions/answers helpful in preparing for the CISA examination?

3. How would you rate the format of the CISA Review Questions, Answers & Explanations Manual 2009 Supplement (questions by area/sample exam)?
___ Very helpful ___ Helpful ___ Not very helpful

4. What recommendations do you have for improving the CISA Review Questions, Answers & Explanations Manual 2009 Supplement?

If you would like to complete this evaluation online, please go to www.isaca.org ... Please also note on the back of this page (or a separate page) any specific comments concerning errors and omissions, enhancements, references and format, ... address and phone number so we may follow up with you.
OTHER COMMENTS/SUGGESTIONS

NOTES

CISA Review Questions, Answers & Explanations Manual 2009 Supplement

Prepare for the 2009 CISA Exams
2009 CISA Review Materials for Exam Preparation and Professional Development

To prepare for the exam, a candidate should have an organized plan of study. To assist individuals with this, ISACA offers several study aids and review courses (see www.isaca.org) to exam candidates.

CISA Review Manual 2009
The CISA Review Manual 2009 is a comprehensive study guide organized around the CISA job practice areas and the knowledge required to plan and perform audits. The new edition also features new content drawn from the IT Assurance Framework (ITAF), recently published by ISACA. The manual has been developed and is organized to help prepare the candidate for the CISA exam. Available in English, French, Italian, Japanese and Spanish editions.

CISA Review Questions, Answers & Explanations Manual 2008
The CISA Review Questions, Answers & Explanations Manual 2008 consists of 600 multiple-choice study questions, answers and explanations that previously appeared in the CISA Review Questions, Answers & Explanations Manual and 2007 Supplement. Many questions have been revised or rewritten to reflect the current CISA exam question format, and/or to provide further clarity or explanation of the correct answer. These items are not actual exam items but are intended to provide the CISA candidate with an understanding of the type and structure of questions and content that have previously appeared on the exam. This publication is ideal to use in conjunction with the CISA Review Manual 2009.

CISA Review Questions, Answers & Explanations Manual 2008 and 2009 Supplements
Developed each year, the CISA Review Questions, Answers & Explanations Manual 2009 Supplement and 2008 Supplement are recommended for use when preparing for the 2009 CISA exam. Each edition consists of 100 sample questions, answers and explanations based on the current CISA job practice areas, using a process for item development similar to the process for developing actual exam items. The questions are intended to provide the CISA candidate with an understanding of the type and structure of questions that have typically appeared on past exams, and were prepared specifically for use in studying for the CISA exam. Both the 2009 and 2008 editions are available in English, French, Italian, Japanese and Spanish.

CISA Practice Question Database v9
The CISA Practice Question Database v9 combines the CISA Review Questions, Answers & Explanations Manual 2008 with the CISA Review Questions, Answers & Explanations Manual 2008 Supplement and 2009 Supplement into one comprehensive 800-question study guide. Sample exams with randomly selected questions can be taken and the results viewed by job practice, allowing for concentrated study one area at a time. Additionally, questions generated during a study session are sorted based upon the user's previous scoring history, allowing CISA candidates to easily and quickly identify their strengths and weaknesses and focus their study efforts accordingly. Other features allow the user to select sample exams by specific job practice areas. Also included are Information Systems Control Journal articles referenced in the CISA Review Manual 2009. Available in CD-ROM format or as a web site download.

PLEASE NOTE the following system requirements: Intel Pentium 3 or higher (Pentium 4 recommended); Microsoft Windows; display with a recommended resolution of 1024 x 768.
