46.
In regard to the IT governance control objectives, which of the following occurrences would the auditor be most concerned about during execution of the audit?
  • A.
    Using the practice of self-monitoring to report problems
  • B.
    Using proper change control
  • C.
    Conflict in the existing reporting relationship
  • D.
    Production system without accreditation
Answer : [B]
Explanation :
The auditor would be most concerned about use of proper change control. Auditors want to see change control procedures being used for separation of duties. All of the other choices represent violations warranting further investigation.
47.
What is the purpose behind system accreditation?
  • A.
    Hold management responsible for fitness of use and any failures.
  • B.
    Provide formal sign-off on the results of certification tests
  • C.
    Improve the accuracy of forecasting in IT budgets
  • D.
    Make the user responsible for their use of the system
Answer : [A]
Explanation :
System accreditation is a formal sign-off to witness management’s acceptance of fitness for the system’s intended use and full responsibility for any failures. System accreditation is for a period of 90 days, 180 days, or 365 days (annual). The system must be reaccredited by the expiration date.
48.
Implementing a strong external boundary is a successful method to prevent hackers and thieves from accessing your internal computer systems provided you are using which of the following technologies?
  • A.
    Internet firewalls and intrusion detection systems with prevention capabilities (an IDPS) to prevent ingress
  • B.
    Strong administrative policy controls with harsh sanctions that include termination and/or criminal liability
  • C.
    Antivirus software with malware detection capabilities
  • D.
    The elimination of shared access accounts and static passwords, including those shared for mandatory administrative access
Answer : [B]
Explanation :
Boundary security is based on ingress filtering (authorized inbound); egress filtering (outbound, which includes authorized users getting tricked by malware or social engineering, or even sending files that are not supposed to leave the organization to outsiders or web services); changing default settings that are well known and make any system overly predictable for compromise by a hacker; and preventing shared administrative access via static passwords contained in configuration files across the network that are almost never rotated after setup.
49.
Which of the following techniques is used in the storage and transmission of a symmetric encryption key?
  • A.
    Key rotation
  • B.
    Generating a unique encryption key
  • C.
    Key wrapping
  • D.
    Generating a shared encryption key
Answer : [C]
Explanation :
Key wrapping is used to protect encryption keys during storage and transmission of the keys. Encryption keys should never be directly accessible to the user.
50.
Which of the following situations should the auditor consider if the auditee has implemented six phases of the System Development Life Cycle (SDLC)?
  • A.
    The auditee is probably doing a good job with no concerns at this time.
  • B.
    The IT governance model has been implemented
  • C.
    The auditee may be missing a critical function.
  • D.
    There are only five phases to the System Development Life Cycle.
Answer : [C]
Explanation :
The complete System Development Life Cycle contains seven phases, not six. The auditee may have a control failure because the postimplementation (phase 6) or disposal process (phase 7) may not have been formally adopted. Using fewer than seven phases would indicate that shortcuts have been taken.