E. To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk-assessment approaches.
C2.59 Q. When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?
C2.60 Q. A top-down approach to the development of operational policies will help ensure:
C2.61 Q. An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
C2.62 Q. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
(Skipped 2.63, 2.64, 2.65, 2.66.)
C2.67 Q. Which of the following provides the BEST evidence of the adequacy of a security awareness program?
C2.68 Q. Which of the following is the MOST important element for the successful implementation of IT governance?
© 2022 - Free Practice Exam Collection - www.freecram.net
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
ANSWER: D. Compensating controls
Justification:
A. Overlapping controls are two controls addressing the same control objective or exposure. Since primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is ...
B. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself and are individual-based, not role-based, controls.
C. Access controls for resources are based on individuals and not on roles. A lack of segregation of duties would mean that the IS auditor would expect to find that a person has higher levels of access than would be ideal. This would mean the IS auditor wants to find compensating controls to address this risk.
D. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.

IT control objectives are useful to IS auditors, as they provide the basis for understanding the:
A. desired result or purpose of implementing specific control procedures.
B. best IT security control practices relevant to a specific entity.
C. techniques for securing information.
D. security policy.
ANSWER: A. desired result or purpose of implementing specific control procedures.
Justification: An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. They provide the actual objectives for implementing controls and may or may not be the best practices. Techniques are the means of achieving an objective, and a security policy is a subset of IT control objectives.

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
A. dependency on a single person.
C is the correct answer.
Justification:
B. Cross-training assists in succession planning.
C. Cross-training is a process of training more than one individual to perform a specific job or procedure. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the related potential exposures related to abuse of privilege.
D. Cross-training provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations.

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
A. Review the strategic alignment of IT with the business.
B. Implement accountability rules within the organization.
C. Ensure that independent IS audits are conducted periodically.
D. Create a chief risk officer (CRO) role in the organization.
B is the correct answer.
Justification: IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation, not about the finding itself. Performing more frequent IS audits is not helpful if the accountability rules are not clearly defined and implemented. Recommending the creation of a new role (CRO) is not helpful if the accountability rules are not clearly defined and implemented.

Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment?
A. To conduct a feasibility study to demonstrate IT value
B. To ensure that investments are made according to business requirements
C. To ensure that proper security controls are enforced
D. To ensure that a standard development methodology is implemented
B is the correct answer.
Justification:
B. A steering committee consists of representatives from the business and IT and ensures that IT investment is based on business objectives rather than on IT priorities.
C. The steering committee is not responsible for enforcing security controls.
D. The steering committee is not responsible for implementing development methodologies.

The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the:
A. IT budget.
Correct Answer: C

Which of the following is a function of an IS steering committee?
A. Monitoring vendor-controlled change control and testing
B. Ensuring a separation of duties within the information's processing environment
C. Approving and monitoring major projects, the status of IS ...
D. Responsible for liaison between the IS department and the ...
Answer: C
Explanation/Reference: Ensuring a separation of duties within the information's processing environment is an IS management responsibility. Liaison between the IS department and the end ...

Which of the following should an IS auditor recommend to BEST enforce alignment of an IT ...
A. Define a balanced scorecard (BSC) for measuring performance
B. Consider user satisfaction in the key performance indicators (KPIs)
C. Select projects according to business benefits and risks
D. Modify the yearly process of defining the project portfolio
Answer: C
Explanation: Prioritization of projects on the basis of their expected benefit(s) to business, and the related risks, is the best measure for achieving alignment of the project portfolio to an organization's strategic priorities. Modifying the yearly process of the project portfolio definition might improve the ...

In reviewing the IS short-range (tactical) plan, the IS ...
A. there is an integration of IS and business staffs within ...
B. there is a clear definition of the IS mission and vision.
C. there is a strategic information technology planning ...
D. the plan correlates business objectives to IS goals and ...
Answer: A
Explanation: The integration of IS and business staff in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan. Choices B, C, and D are areas covered by a strategic plan.

Many companies use categories like Transformational, Informational, Strategic, and Infrastructure as: IT investment portfolio categories.

The rate of change of technology increases the importance of:
A. outsourcing the IS function.
B. implementing and enforcing good processes.
C. hiring personnel willing to make a career within the ...
D. meeting user requirements.
Answer: B
Explanation: Change requires that good change management processes be ...

An IS auditor identifies that reports on product profitability by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?
A. User acceptance testing (UAT) occur for all reports before release into production.
B. Organizational data governance be put into place.
C. Standard software tools be used for report development.
D. Management sign-off on requirements for new reports.
Answer: B. Organizational data governance practices be put in place.

Six Sigma, Total Quality Management and Plan, Do, Check, Act are available methods of ________________.
A. evaluating the alignment of IT investments to enterprise goals.
B. managing continuous quality improvement in IT processes.
C. assessing enterprise IT capability needs.
D. developing business cases for IT investments.
Answer: B. managing continuous quality improvement in IT processes.

Which of the following does an IS auditor consider to be MOST important when evaluating an organization's IT strategy? That it: supports the business objectives of the organization.
Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department?
Explanation: The IS department should specifically consider the manner in which resources are allocated in the short term.

Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?
Explanation: A sound IS security policy will most likely outline a response program to handle suspected intrusions.