DISA 3.0 new questions 100 (Collected from various sources)
1. Which of the following is the best Risk Management Practice?
a. Establish Risk management Committee
b. Identify Risks related to the business
c. Manage Risks i.e. identify, assess and remediation on yearly basis
d. Manage risks i.e. identify, assess and remediation on continuous basis
Ex: Option D represents the best risk management practice.
2. A large business house is planning to implement a CSA program. Which of
the following could be the primary objective of the implementation?
a. Leverage the internal audit function and its responsibilities
b. Gain more control over the IT functional areas
c. Provide confidence to the statutory auditor on the compliance of internal
controls with the management's objectives
d. Shift some of the following controls to the internal audit function
Ex: Control self assessment actually helps in building more IT controls.
3. An IS auditor discovers that several IT-based projects were implemented that were not
approved by the steering committee. What is the greatest concern for the IS Auditor?
a. IT projects will not be adequately funded
b. IT projects are not following the system development life cycle process
c. IT projects are not consistently formally approved
d. The IT department may not be working towards a common goal.
Ex: a) Funding of the projects may be addressed through various budgets and may not require
steering committee approval. The primary concern would be to ensure that the project is working
towards meeting the goals of the company.
b) Although requiring steering committee approval may be part of the SDLC process, the greater
concern would be whether the projects are working towards the corporate goal. Without steering
committee approval, it would be difficult to determine whether these projects are following the
direction of the corporate goals.
c) Although having a formal approval process is important, the greatest concern would be for the
steering committee to provide corporate direction for the projects.
d) The steering committee provides direction and controls over projects to ensure that the company
is making appropriate investments. Without approval, the project may or may not be working
towards the company's goal.
4. While reviewing a quality management system the IS auditor should primarily focus on
collecting evidence to show that:
a. Quality management systems comply with best practices
b. Continuous improvement targets are being monitored
c. Standard operating procedures of IT are updated annually
d. Key performance indicators are defined.
Ex: Continuous and measurable improvement of quality is the primary requirement to achieve the
business objectives for the quality management systems.
5. The primary benefit of an enterprise architecture initiative would be:
a. Enable the organisation to invest in the most appropriate technology
b. Ensure that security controls are implemented on critical platforms
c. Allow development teams to be more responsive to business requirements
d. Provide business units with greater autonomy to select IT solutions that fit their needs.
Ex: The primary focus of the enterprise architecture is to ensure that technology investments are
consistent with the platform, data and development standards of the IT organisation; therefore, the
goal of the EA is to help the organisation to implement the technology that is most effective.
6. While doing planning under a risk based audit approach, if the IS auditor
finds that inherent risk and control risk are high, then
A. Detection Risk should be low
B. Detection Risk can be high or low depending on the resources
C. Detection Risk can be high
D. Detection risk does not matter
Ex: Inherent risk means the overall risk of management which is on account of the entity's
business operations as a whole. Control risk is the risk present in the internal control
system. Detection risk is the risk that the IS Auditor is not able to detect the
inherent risk or the control risk. Hence when inherent and control risk are high,
detection risk should be low.
7. The primary objective for an IS auditor to review organisational chart and
job description is to:
A. Understand how organisation works.
B. Check reporting and escalation path
C. Ensure segregation of duties and authority
D. Determine span of control for each individual employee.
Ex: The organisational chart depicts the reporting hierarchy and is thus an important tool to
ensure segregation of duties and authority.
8. Controls are implemented to:
A. Eliminate risk and reduce potential for loss
B. Mitigate risk and eliminate the potential for loss
C. Mitigate risk and reduce the potential for loss
D. Eliminate risk and eliminate the potential for loss
Ex: The definition of controls states their purpose as mitigating the risk to the maximum
extent possible. It is not possible to eliminate the risk, only to reduce the potential for
loss.
9. IS auditor observed that the organization’s policy requires approval for
using new software. During the course of audit it was observed that there
are few instances of installing software without approval of management.
The Auditor should:
A. Verify whether proper controls are established and working for the software
B. Communicate to the Management risks associated with installing unapproved
Software.
C. Report non-compliance of policies in the audit report.
D. Recommend to update policy and procedure for installing software.
Ex: Option A is the preventive control, which is the first an IS auditor should activate.
The other options are subsequent.
10. Which of the following actions impairs the IS auditor's independence?
A. Auditor Designs Controls
B. Auditor Tests controls
C. Auditor advises on Controls
D. Auditor designs an Audit tool
Ex: The auditor may be involved in testing controls, designing audit tools and advising on
controls. But designing controls impairs the independence of the auditor.
11. To assist in testing a core banking system being acquired, an organisation has provided the
vendor with sensitive data from its existing production system. An IS auditor's primary concern
is that the data should be:
a. Sanitised
b. Completed
c. Representative
d. Current
Ex: Sanctity of production data used for testing is the primary concern for an auditor. Data should be
properly masked or sanitised before its use. All other options are required for correct analysis and results.
12. An IS Auditor is performing a project review to identify whether a new application has met
business objectives. Which of the following test reports offers the most assurance that business
objectives are met?
a. User acceptance
b. Performance
c. Sociability
d. Penetration
Ex: User acceptance is the best indication that business objectives are met. Performance is a financial
indicator, sociability is an acceptance indicator and penetration is a control weakness measurement.
13. When conducting a review of business process re-engineering, an IS auditor found that a key
preventive control had been removed. In this case the IS auditor should:
a. Inform management of the finding and determine whether management is willing to
accept the potential material risk of not having that preventive control.
b. Determine if a detective control has replaced the preventive control during the process
and, if it has not, report the removal of the preventive control.
c. Recommend that this and all control procedures that existed before the process was
reengineered be included in the new process.
d. Develop a continuous audit approach to monitor the effects of the removal of the
preventive control.
Ex: BPR is a process of un-learning and re-learning where there could be a complete change of
controls. Rather than complete removal of a preventive control, a compensatory control like a detective
control is acceptable compared to only reporting or continuing the earlier process.
14. A hash total of employee numbers is part of the input to a payroll master file update program.
The program compares the hash total with the corresponding control total. What is the purpose
of this procedure?
a. Verify that employee numbers are valid
b. Verify that only authorised employees are paid
c. Detect errors in payroll calculation
d. Detect the erroneous update of records.
Ex: Comparing the hash total with the control total is a batch control process, which is a file level control. It
can confirm file level integrity as opposed to the individual validity of a record. It cannot detect any error.
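A worked illustration of the batch control in question 14, added here as example code (not from the question bank): the update program recomputes the hash total over the employee-number field and compares it with the control total supplied with the batch. The employee numbers, salaries and function names are constructed for this example.

```python
# Added example (not from the question bank): a batch hash-total control over
# employee numbers, as described in question 14. All employee numbers and
# salaries below are constructed sample data.
from typing import Dict, List, Tuple


def hash_total(employee_numbers: List[int]) -> int:
    """Hash total: the arithmetic sum of a field that has no meaning as a
    number (employee numbers). It is computed once when the batch is prepared
    (the control total) and again by the update program over what it read."""
    return sum(employee_numbers)


def update_master(master: Dict[int, float], batch: List[Tuple[int, float]],
                  control_total: int) -> Tuple[bool, Dict[int, float]]:
    """Apply a batch of (employee_number, new_salary) records to a copy of the
    payroll master file, but only if the recomputed hash total matches the
    control total supplied with the batch. Returns (accepted, master_copy)."""
    recomputed = hash_total([emp for emp, _ in batch])
    if recomputed != control_total:
        # File level control: a record was dropped, duplicated or altered in
        # transit, so the whole batch is rejected for investigation.
        return False, dict(master)
    updated = dict(master)
    for emp, salary in batch:
        updated[emp] = salary
    return True, updated


# Constructed sample master file and input batch.
MASTER = {1001: 50000.0, 1002: 52000.0, 1003: 48000.0}
BATCH = [(1001, 51000.0), (1002, 53000.0), (1003, 49000.0)]
# Control total computed when the batch was prepared: 1001 + 1002 + 1003.
CONTROL_TOTAL = hash_total([emp for emp, _ in BATCH])


def batch_dropped_record() -> bool:
    """Transmission lost the last record: the recomputed hash total no longer
    matches, so the update is rejected (an erroneous update is detected)."""
    accepted, _ = update_master(MASTER, BATCH[:-1], CONTROL_TOTAL)
    return accepted


def batch_altered_key() -> bool:
    """A keying error changed 1003 to 1030: detected, because the sum changes."""
    altered = BATCH[:-1] + [(1030, 49000.0)]
    accepted, _ = update_master(MASTER, altered, CONTROL_TOTAL)
    return accepted


def batch_wrong_salary() -> bool:
    """A wrong salary amount is NOT detected: the hash total covers only the
    employee-number field, so it says nothing about calculation or amount
    errors (why options a, b and c in the question are not its purpose)."""
    wrong = BATCH[:-1] + [(1003, 490000.0)]
    accepted, _ = update_master(MASTER, wrong, CONTROL_TOTAL)
    return accepted


def batch_offsetting_errors() -> bool:
    """Limitation of a plain sum: two keying errors that cancel each other
    (1002 -> 1004 and 1003 -> 1001) leave the total unchanged and pass."""
    offset = [(1001, 51000.0), (1004, 53000.0), (1001, 49000.0)]
    accepted, _ = update_master(MASTER, offset, CONTROL_TOTAL)
    return accepted
```

The last two cases show why the hash total is a file level control rather than a record level one: it catches dropped, duplicated or altered keys in the batch, but not amounts or compensating errors.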
15. When auditing the requirements phase of a software acquisition, the IS auditor should:
a. Assess the feasibility of the project timetable
b. Assess the vendor’s proposed quality processes
c. Ensure that the best software package is acquired
d. Review the completeness of the specifications.
Ex: The requirements phase in SDLC verifies the completeness of specifications. Option A is done in the feasibility study phase,
option B in the analysis phase, and option C is not the purpose of the requirements analysis phase.
16. An organisation decides to purchase a software package instead of developing it. In such a case,
the design and development phases of a traditional software development life cycle (SDLC)
would be replaced with:
a. Selection and configuration phases
b. Feasibility and requirements phases
c. Implementation and testing phases
d. Nothing: replacement is not required.
Ex: Activities in the design and development phases for software development should be replaced with
selection and right configuration for third party software acquisition. Options b & c are common for
acquired software as well.
17. When introducing thin client architecture, which of the following risks regarding servers is
significantly increased?
a. Integrity
b. Concurrency
c. Confidentiality
d. Availability
Ex: In the thin client, major processing is taking place at the server level. There is no end-point
processing because the devices have little or no memory. Hence the risk of concurrency control
(processing many inputs at the same time) is the major concern. CIA has no relevance in this case.
18. Which of the following is an example of addressing social feasibility issue in SDLC project?
a. Organisation decides to use existing infrastructure
b. Beta version of application is made available to users
c. Configuration of purchased software requires more cost
d. Allowing employees to access social media sites.
Ex: The beta version is distributed to all types of intended users. Using the beta version free will provide
an adequate indication of its social acceptability. Hence option b is the right answer.
19. Which of the following is not an indicator to assess benefit realisation from internal application
software developed in-house?
a. Increase in number of customers because of new application
b. Decrease in audit findings related to regulatory non-compliance
c. Reduced number of virus attacks after implementing new software.
d. Increase in productivity of employees after implementation
Ex: A decrease in audit findings, that too related to regulatory non-compliance, is not an indicator to assess benefit
realisation of secure in-house software. The other options are benefits of in-house developed
software applications.
20. In a web server, a common gateway interface (CGI) is MOST often used as a(n):
A. consistent way for data transfer to the application program and back to the
user.
B. computer graphics imaging method for movie and TV.
C. graphic user interface for web design.
D. interface to access the private gateway domain.
Ex: The common gateway interface (CGI) is a standard way for a web server to pass a web user's
request to an application program and to receive data back and forth to the user. When the user
requests a web page (for example, by clicking on a highlighted word or entering a website address),
the server sends back the requested page. However, when a user fills out a form on a Web page and
sends it in, it usually needs to be processed by an application program. The web server typically
passes the form information to a small application program that processes the data and may send
back a confirmation message. This method, or convention for passing data back and forth between
the server and the application, is called the common gateway interface (CGI). It is part of the web's
HTTP protocol.
21. Which one of the following types of firewalls would BEST protect a network
from an Internet attack?
A. Screened sub-net firewall
B. Application filtering gateway
C. Packet filtering router
D. Circuit level gateway
Ex: A screened sub-net firewall would provide the best protection. The screening router can be a
commercial router or a node with routing capabilities that can filter packets, having the ability to
let or avoid traffic between nets or nodes based on addresses, ports, protocols, interfaces, etc.
Application level gateways are mediators between two entities that want to communicate, also
known as proxy gateways. The application level (proxy) works at application level, not only at a
packet level. The screening only controls at packet level (addresses, ports, etc.) but does not see the
contents of the packet. A packet filtering router examines the header of every packet or data
traveling between the Internet and the corporate network.
22. Congestion control is BEST handled by which OSI layer?
A. Data link
B. Session layer
C. Transport layer
D. Network layer
Ex: The transport layer is responsible for reliable data delivery. This layer implements sophisticated
flow control mechanisms that can detect congestion and reduce data transmission rates, and also
increase transmission rates when the network appears to no longer be congested (e.g., TCP flow
controls). The network layer is not correct because congestion control (flow control) occurs based on
router implementations of flow control at the sub-net level (i.e., source quench messages sent out
when router memory or buffer capacity reaches capacity; however, there is no message to cancel or discard
messages, which in actuality may increase congestion problems). The session layer and data link layer do not
have any functionality for network management.
23. Which of the following can a local area network (LAN) administrator use to
protect against exposure to illegal or unlicensed software usage by the
network user?
A. Software metering
B. Virus detection software
C. Software encryption
D. Software inventory programs
Ex: The control that a LAN administrator can use to protect against the use of illegal or unlicensed
software is software inventory programs. Software inventory programs ensure the accurate use of the
authorized number of licenses. Software metering would only count the number of licenses,
whereas virus detection software prevents virus infection but does not pertain to licenses.
Software encryption is not useful because its function is to cipher messages.
24. Which of the following is most suitable method for ensuring up‐to‐date
Business Continuity Plan (BCP)?
(a) Regular structured walk through tests
(b) Yearly full functional tests
(c) Continuous Liaison among BCP team members
(d) Keep on changing the team members with the more experienced ones
Ex: (a) Regular structured walkthrough tests take place to get an idea about the possible service
disruption by major participants involved in plan execution. It helps in keeping the plan up-to-date.
(b) Yearly fully functional tests are quite expensive as well as damaging to the system resources many a
time, as it actually imitates the disaster. Hence, a fully functional test is not advisable.
(c) Continuous liaison among BCP team members may initiate the change in BCP, but to keep it up-to-date,
regular structured walkthrough tests are a must.
(d) Keeping on changing the team members with more experienced ones will not make the BCP
up-to-date.
25. When Recovery Point Objective is zero and Recovery Time Objective is 5
hrs, which of the following recovery strategies is advisable?
(a) Hot Site – Shadow File Processing
(b) Cold Site – Shadow File Processing
(c) Hot Site –Tape Back Up
(d) Cold Site – Tape Back Up
Ex: (a) Recovery Point Objective (RPO) is focused on data and the organization's loss tolerance in
relation to the data. Recovery Time Objective (RTO) is the targeted duration of time and a
service level within which a business process must be restored after a disaster. If RPO is to be zero
then we need a mirror backup continuously being taken at a remote site, called shadow file
processing. Moreover, if RTO is to be 5 hours then we need a hot site, which gets ready within a couple of
hours of disaster.
(b) Shadow file processing is desirable for zero RPO, but a cold site will not be useful as it takes
days together to make a cold site ready for alternate processing, and it will go beyond the
RTO, i.e. 5 hrs.
(c) A hot site is desirable as we need to resume operations within 5 hrs of disaster, but tape backup will
not be useful as it will not be able to maintain continuous real time backup of data so as to keep RPO
at zero.
(d) A cold site will not be useful as it takes days together to make a cold site ready for alternate
processing, and it will go beyond the RTO, i.e. 5 hrs. Tape backup will also not be useful as it will not
be able to maintain continuous real time backup of data so as to keep RPO at zero.
26. In Disaster Recovery Planning, who is responsible for determining the
requirements of Recovery Time Objective and Recovery Point Objective for the
organization?
(a) Steering committee
(b) Board Of Directors
(c) IT management
(d) Process owners
Ex: (a) The steering committee is an administrative body that reviews, monitors and prioritizes major IT
projects from a cross-functional perspective and is responsible for alignment of IT strategy with
strategic goals of the organization. Thus, determining the requirements of RTO and RPO is the
responsibility of the steering committee only.
(b) The Board of Directors (BOD) is responsible for initiating BCP and approving BCP. However,
determining requirements of RTO and RPO is not the responsibility of the BOD.
(c) IT management is responsible for carrying out the BCP development plan right from the initialization
stage to the execution stage as per the strategy. However, determining requirements of RTO and
RPO is not the responsibility of IT management.
(d) Process owners are very important stakeholders of BCP. However, determining requirements of
RTO and RPO is not the responsibility of process owners.
27. ABC Private Limited. Head‐quartered in Mumbai, has 8 branches across
India and the company has limited recovery budget. Which among the
following is the BEST recovery strategy for the company?
(a) Internal reciprocal arrangements among the branches
(b) Hot site maintained in Mumbai
(c) Multiple cold sites at all branches
(d) Reciprocal agreement with another company in Mumbai
Ex: (a) Internal reciprocal arrangements among the branches are the BEST recovery strategy for a
company with a limited recovery budget, provided the pair of branches selected for reciprocity is subject to
different geographic locations and environments.
(b) Maintaining a hot site is a costly affair and not viable for a limited recovery budget.
(c) Even though a cold site is a relatively cheaper option compared to a hot site, multiple cold sites at all
branches would entail unnecessary fixed rental overheads, ultimately shooting up the budget of the
company.
(d) In the given case the company has 8 branches across India. Hence, a reciprocal agreement with another
company of Mumbai may not serve the purpose of the overall disaster recovery strategy of the company.
28. An IS auditor conducting a review of software usage and licensing
discovers that numerous PCs contain unauthorized software. What action
should the IS auditor perform FIRST?
A. Personally delete all copies of the unauthorized software.
B. Inform auditee of the unauthorized software and follow-up to confirm
deletion.
C. Report the use of the unauthorized software to auditee management and
the need to prevent recurrence.
D. Take no action, as it is a commonly accepted practice and operations
management is responsible for monitoring such use.
Ex: Ans B
29. Which of the following represents the MOST significant exposure for an
organization that leases personal computers?
A. Accounting for shared peripherals
B. Frequent reassignment of hardware
C. Obsolescence prior to lease termination
D. Software licensing issues on leased machines
Ex: Ans C
30. An IS auditor is assigned to perform a post implementation review of an
application system. Which of the following situations may have impaired the
independence of the IS auditor?
A. He implemented a specific control during the development of the
application system.
B. He designed an embedded audit module exclusively for auditing the
application system.
C. He participated as a member of the application system project team, but
did not have operational responsibilities.
D. He provided consulting advice concerning application system best
practices.
Ex: Ans A
31. In a risk-based audit approach, an IS auditor is not only influenced by risk
but also by:
A. the availability of CAATs.
B. management's representations.
C. organizational structure and job responsibilities.
D. the existence of internal and operational controls.
Ex: Ans D
32. While conducting a control self-assessment (CSA) program, an IS auditor
facilitated workshops involving management and staff in judging and
monitoring the effectiveness of existing controls. Which of the following is an
objective of a CSA program?
A. to enhance audit responsibilities.
B. to identify problems.
C. to brainstorm solutions.
D. to complete the entire audit.
Ex: Ans A
33. The IS auditor should be able to identify and evaluate various types of risks
and their potential effects. Accordingly, which of the following risks is
associated with trap doors?
A. Inherent risk.
B. Detection risk.
C. Audit risk.
D. Error risk.
Ex: Ans B
34. When performing a procedure to identify the value of inventory that has
been kept for more than eight weeks, an IS auditor would MOST likely use:
A. test data.
B. statistical sampling.
C. an integrated test facility.
D. generalized audit software.
Ex: Ans D
35. When reviewing a system development project at the project initiation
stage, an IS auditor finds that the project team is not proposing to strictly
follow the organization's quality manual. To meet critical deadlines the project
team proposes to fast track the validation and verification processes,
commencing some elements before the previous deliverable is signed-off.
Under these circumstances the IS auditor would MOST likely:
A. report this as a critical finding to senior management.
B. accept that different quality processes can be adopted for each project
C. report to IS management the team's failure to follow appropriate
procedures.
D. report the risks associated with fast tracking to the project steering
committee
Ex: Ans D
36. When there is Audit participation in the systems development process, the
IS Auditor should be aware of :
A. An Auditor’s ability to perform an independent evaluation of the application
after implementation will be impaired.
B. An attitude and appearance of independence should be reflected in the
Auditor’s conduct when conducting development reviews.
C. As a control specialist, the Auditor can provide significant value to the
project team by making the final decision on specific controls
D. For ongoing evaluation capability, the Auditor should ensure the computer
Audit Software be implemented in all applications
Ex: Ans A
37. An IS Auditor’s primary objective in testing the integrity of information is to
ensure that
A. sensitive information is protected
B. data are accurate, complete and valid
C. information is critical for making decisions
D. data are relevant to achieving business objectives
Ex: Ans B
38. An IS Audit Report would normally include all of the following EXCEPT :
A. scope, objective and period of coverage
B. nature and extent of audit work performed
C. findings, conclusions and recommendations
D. details of programs, procedures and software used
Ex: Ans D
39. Which of the following is a substantive audit test ?
A. verifying that a management check has been regularly performed
B. observing that user Ids and passwords are required to sign on to the
computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable
Ex: Ans D
40. An IS Auditor, performing a review of an application’s controls, discovers
a weakness in system software which could materially impact the application.
The IS Auditor should :
A. Ignore these control weaknesses as a system software review is beyond
the scope of this review.
B. Conduct a detailed system software review and report the control
weaknesses.
C. Include in the report a statement that the Audit was limited to a review of
the application’s controls.
D. Review the system software controls as relevant and recommend a
detailed system software review.
Ex: Ans D
41. Which of the following choices best helps information owners to properly
classify data?
A. Understanding of technical controls that protect data
B. Training on organisational policies and standards
C. Use of an automated data leak prevention tool
D. Understanding which people need to access the data.
Ex: Ans B. While implementing data classification, it is most essential that organization
policies and standards, including the data classification schema, are understood by
the owner or custodian of the data so that it can be properly classified. Automated
DLP may not help in understanding the classification schema. It is more important that
the owner understands the requirement compared to the end-user.
42. Which of the following would be of concern for an information system
auditor auditing BPO (Business Process Outsourcing) Service provider?
A. BPO has identified all External Compliance requirements.
B. BPO exceeds Turn Around Time defined in SLA
C. BPO has a documented security policy
D. BPO has a proper Background checks for staff
Ex: Ans B
43. Which of the following choices is the most effective control that should be implemented to
ensure accountability for application users accessing sensitive data in the human resource
management system and among interfacing applications to the HRMS?
a. Two-factor authentication
b. A digital certificate
c. Audit trails
d. Single sign-on authentication.
Ex: Audit trails capture which user, at what time and date, along with other details, has performed
the transaction, and this helps in establishing accountability among application users. The other three
options are authentication mechanisms, not to be used for establishing accountability.
44. During a review of a large data center an IS auditor observed computer
operators acting as backup tape librarians and security administrators. Which
of these situations would be MOST critical to report to senior
management?
a. Computer operators acting as tape librarians
b. Computer operators acting as security administrator
c. Computer operators acting as tape librarian and security administrator
d. It is not necessary to report any of these situations to senior management
Ex: Ans C
45. An IS Auditor has found that employees are emailing sensitive company
information to public web-based email domains. Which of the following is the
best remediation option for the IS Auditor to recommend?
a. Encrypted mail accounts
b. Training and awareness
c. Activity monitoring
d. Data Loss prevention (DLP)
Ex: Data loss prevention is an automated preventive tool that can block sensitive
information from leaving the network, while at the same time logging the offenders.
Encryption will not prevent sending information to an unauthorized person. Activity
monitoring is a detective control. Training and awareness is not a strong control
compared to DLP.
46. The primary objective of the value optimisation process is to ensure:
a. IT-enabled investments are made at the lowest cost
b. Appropriate IT-enabled initiatives are selected
c. Cost-efficient delivery of solutions and services
d. Quantification of IT costs and likely benefits
Ex: The primary objective of the value optimisation process is to ensure cost-efficient delivery of
solutions and services. The focus of the value optimisation process is not ensuring the lowest cost but
the optimal cost of all IT-enabled investments. Selection of appropriate IT-enabled initiatives is one of the
operational activities of value optimisation. Although it is critical, it is not the primary objective.
Not all IT investment benefits can be quantified. Hence, the option of quantification of IT costs and
likely benefits is not correct. Further, this is not the objective but a mechanism of performance
monitoring.
47. Which of the following is the key benefit of capacity management?
a. Meet long term business goals in a cost effective and timely manner
b. Meets current and future requirements in a cost-effective manner
c. Define and maintain relationships between key resources and capabilities
d. Assess the impact of changes and deal with service incidents
Ex: The key benefit of capacity management is to ensure that not just the current but the future
business requirements are met in a cost effective manner. Capacity management looks at both long-
term as well as short term business goals in a cost effective and timely manner. Defining, describing
and maintaining relationships between key resources and capabilities is a primary requirement of
capacity management and not a benefit. Assessing the impact of changes and dealing with service
incidents is one of the benefits of capacity management but, compared to option A, this is not a key
benefit.
48. Which of the following is most critical for ensuring sustained alignment of IT strategic plans?
The IT strategic plans provide:
a. Direction to IT department on deployment of information systems
b. Key functionaries are involved in development and implementation
c. IT long and short range plans are communicated to stakeholders
d. Feedback is captured, reported and evaluated for inclusion in future IT planning.
Ex: Capturing, reporting and evaluating feedback for inclusion in future IT planning is most critical for
ensuring sustained alignment of IT strategic plans, as this provides metrics for monitoring and also
ensures that performance is maintained not only for the current but also for the future. Top
management shares the enterprise strategy, based on which the IT strategy is prepared by the IT
department. There is no direction to the IT department on deployment of information systems provided
as part of IT strategic planning. The involvement of key functionaries in development and
implementation is critical to ensure success, but it is required in the initial stages. However, this does
not guarantee the sustainability of the initiative. The communication of IT long and short range plans
is important to get buy-in and to keep all stakeholders informed, but this is only a reporting process.
49. From an IT governance perspective, what is the primary responsibility of the board of directors
to ensure that the IT strategy:
a. Is cost effective
b. Is future thinking and innovative
c. Is aligned with the business strategy
d. Has the appropriate priority level assigned.
Ex: Ans C
50. An IS Auditor has been asked to review a contract for a vendor being considered to provide
data centre services. Which is the best way to determine whether the terms of the contract are
adhered to after the contract is signed?
a. Require the vendor to provide monthly status reports
b. Have periodic meetings with the client IT manager
c. Conduct periodic audit reviews of the vendor
d. Require the performance parameters be stated within the contract
Ex: Ans C
51. Which of the following choices is the primary benefit of requiring a steering committee to
oversee IT investment?
a. To conduct a feasibility study to demonstrate IT value
b. To ensure that investments are made according to business requirements
c. To ensure that proper security controls are enforced
d. To ensure that a standard development methodology is implemented.
Ex: Ans B
52. An IS Auditor is evaluating a newly developed IT policy for an organisation. Which of the
following would the IS auditor consider most important to facilitate compliance
with the policy upon its implementation?
a. Existing IT mechanisms that enable compliance
b. Alignment of the policy to the business strategy
c. Current and future technology initiatives
d. Regulatory compliance objectives that are defined in the policy.
Ex: Ans A
53. An IS Auditor is reviewing a DRP and discovers that a critical application is missing from the
plan. Which of the following recommendations would be the best option for the IS auditor
working with an organisation with limited IT resources?
a. Active-active clusters
b. A reciprocal agreement
c. A warm site
d. Active-passive cluster.
Ex: In an active-passive cluster, the application is running on only one (active) node while other nodes are
used only if the application fails on the active node. An active-active cluster and a warm site will require
more resources. A reciprocal arrangement may not be a good option for a critical application. An active-
passive cluster would be the best option in this case because the passive cluster would restore the
application.
54. An IS Auditor is reviewing the backup strategy and the backup technology in use by an
organisation. The IS Auditor would be most concerned if:
a. Data restoration tests are not being regularly performed.
b. Disk subsystems are being backed up to other disks, and not to tape.
c. Daily backup logs are purged quarterly.
d. Backups of critical company data are not encrypted.
Ex: The only way to ensure with certainty that a backup is working is to perform a data restoration
test. If this were not being done regularly, it would be a concern. The other options are also concerns,
but option a is the greatest concern.
55. An organisation is reviewing its contract with a cloud computing provider. For which of the
following reasons would the organisation want to remove a lock-in clause from the contract?
a. Availability
b. Portability
c. Agility
d. Scalability
Ex: When drawing up a contract with a cloud service provider, the ideal practice is to remove the
customer lock-in clause. It may be important for the client to secure portability of their system assets,
i.e., the right to transfer from one vendor to another. Removing the lock-in clause will not improve
availability. Agility refers to the efficiency of a solution in enabling the organisation to respond to
business needs. Scalability is the ability to adjust service levels according to changing business
circumstances.
56. Which of the following ways is the best for an IS Auditor to verify that critical production
servers are running the latest security updates released by the vendor?
a. Ensure that automatic updates are enabled on critical production servers.
b. Verify manually that the patches are applied on a sample of production servers.
c. Review the change management log for critical production servers.
d. Run an automated tool to verify the security patches on production servers.
Ex: An automated tool can immediately provide a report on which patches have been applied and
which are missing. Ensuring automatic updates will not provide assurance that all servers are being
patched appropriately. Manual testing is difficult and time consuming. The change management log may
not accurately reflect the patch update status.
57. Which of the following choices best ensures accountability when updating data directly in a
production database?
a. Before and after screen images
b. Approved implementation plan
c. Approved validation plan.
d. Data file security.
Ex: Creating before and after images is the best way to ensure that the appropriate data have been
updated in a direct data change. The screen shots would include the data prior to and after the change.
An approved implementation plan may not ensure that the appropriate changes were made. An approved
validation plan will also not ensure that data changes were appropriate and correct. Data file security
will also not ensure that data changes were correct.
58. A financial institution has decided to outsource its customer service division to an offshore
vendor. The most important consideration would be to ensure that the contract contains:
a. A limited liability clause
b. A right-to-audit clause
c. A data ownership clause
d. An early termination clause.
Ex: Data ownership is the most important aspect of outsourced operations. An ownership clause
establishes that the outsourcing company maintains complete ownership of the information provided to
the vendor and that the vendor must maintain confidentiality over the information with which it comes
into contact. The ownership clause also prohibits the vendor from using any of the customer data for
its internal purposes.
59. An IS Auditor of a healthcare organisation is reviewing contractual terms and conditions of
a third party cloud provider being considered to host patient health information. Which of
the following contractual terms would be the greatest risk to the customer organisation?
a. Data ownership is retained by the customer organisation.
b. The third party provider reserves the right to access data to perform certain operations.
c. Bulk data withdrawal mechanisms are identified.
d. The customer organisation is responsible for backup, archive and restore.
Ex: Some service providers reserve the right to access customer information (third party access) to
perform certain transactions and provide certain services. In the case of protected health
information (PHI), regulations may restrict certain access. Organisations must review the regulatory
environment in which the cloud provider operates because it may have requirements or restrictions
of its own. Organisations must then determine whether the cloud provider provides appropriate
controls to ensure that data are appropriately secured.
60. A vendor has released several critical security patches over the past few months and this
has put a strain on the ability of the administrators to keep the patches tested and deployed
in a timely manner. The administrators have asked if they could reduce the testing of the
patches. What approach should the organisation take?
a. Continue the current process of testing and applying patches.
b. Reduce testing and ensure that an adequate backout plan is in place.
c. Delay patching until resources for testing are available.
d. Rely on the vendor’s testing of the patches.
Ex: Applying security software patches promptly is critical to maintain the security of the servers;
further, testing the patches is important because the patches may affect other systems and business
operations. Because the vendor has recently released several critical patches in a short time, it can be
hoped that this is a temporary problem and does not need a revision to policy or procedures.
61. A new business requirement required changing database vendors. Which of the following
areas should the IS Auditor primarily examine in relation to this implementation?
a. Integrity of the data
b. Timing of the cutover
c. Authorisation level of users
d. Normalisation of data.
Ex: A critical issue when migrating data from one database to another is the integrity of the data and
ensuring that the data are migrated completely and correctly.
62. Due to resource constraints, a developer requires full access to production data to support
certain problems reported by production users. Which of the following choices would be a
good compensating control for controlling unauthorised changes in production?
a. Provide and monitor separate login IDs that the developer will use for programming and
production support.
b. Capture activities of the developer in the production environment by enabling audit trails.
c. Back up all affected records before allowing the developer to make production changes.
d. Ensure that all changes are approved by the change manager.
Ex: Providing separate login IDs that would only allow a developer privileged access when required is
a good compensating control, but it must also be backed up with monitoring and supervision of the
activity of the developer.
63. While conducting an audit on the CRM application, the IS Auditor observes that it takes a
significantly long time for users to log on to the system during peak business hours as
compared with other times of the day. Once logged on, the average response time for the
system is within acceptable limits. Which of the following choices should the IS Auditor
recommend?
a. The IS Auditor should recommend nothing because the system is compliant with current
business requirements.
b. IT should increase the network bandwidth to improve performance.
c. Users should be provided with detailed manuals to use the system properly.
d. The IS Auditor should recommend establishing performance measurement criteria for the
authentication servers.
Ex: Performance criteria for the authentication servers would help to quantify acceptable thresholds
for system performance, which can be measured and remediated.
64. Which of the following controls would be most effective to reduce the risk of loss due to
fraudulent online payment requests?
a. Transaction monitoring
b. Protecting web sessions using secure sockets layer (SSL)
c. Enforcing password complexity for authentication
d. Input validation checks on web forms.
Ex: An electronic payment system could be the target of fraudulent activities. An unauthorised user
could potentially enter false transactions. By monitoring transactions, the payment processor could
identify potentially fraudulent transactions based on the typical usage patterns, monetary amounts,
physical location of purchases, and other data that are part of the transaction process.
65. Which of the following criteria are most needed to ensure that log information is admissible
in court? Ensure that data have been:
a. Independently time stamped
b. Recorded by multiple logging systems.
c. Encrypted by the most secure algorithm
d. Verified to ensure log integrity.
Ex: It is important to assure that log information existed at a certain point of time and it has not been
altered. Therefore, the evidential credibility of log information is enhanced when there is proof that no
one has tampered with this information.
66. The greatest benefit of having well-defined data classification policies and procedures is:
a. A more accurate inventory of information assets
b. A decreased cost of controls.
c. A reduced risk of inappropriate system access.
d. An improved regulatory compliance.
Ex: An important benefit of a well-defined data classification process would be to lower the cost of
protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of
the data. Without a proper classification framework, some security controls may be greater and
therefore more costly than is required based on the data classification.
67. An IS Auditor who is auditing an application determines that, due to resource constraints,
one user holds roles as both a developer and a release co-ordinator. Which of the following
options would the IS Auditor most likely recommend?
a. Revoke the user’s developer access
b. Revoke the user’s release coordinator access
c. Management review of user activities
d. Periodic audit of user activities.
Ex: If an individual requires roles with conflicting segregation of duties, the best control given the
circumstances is to monitor that individual’s access in the production environment. Although this is
not the preferred method of resolving segregation of duties conflicts, it is the best compensating control
given the current business circumstances.
68. A company is planning to install a network-based intrusion detection system (IDS) to protect
the web site that it hosts. Where should the device be installed?
a. On the local network
b. Outside the firewall
c. In the de-militarised zone
d. On the server that hosts the website.
Ex: Network-based IDSs detect attack attempts by monitoring network traffic. A public web server is
typically placed on the protected network segment known as the demilitarised zone (DMZ). An IDS
installed in the DMZ detects and reports on malicious activity originating from the internet as well as
the internal network, thus allowing the administrator to take action.
69. An IS Auditor is working with the DBA group to mitigate risk associated with individual users
who have direct access to SQL databases. The IS Auditor recommends using lightweight
directory access protocol (LDAP) groups. What approval should be required to ensure least
privilege?
a. Manager approval
b. Database owner approval
c. System administrator approval
d. DBA approval
Ex: Requiring database owner approval will ensure that after the group is created only users who
require access will be added. The group owner would be the data owner and would be the best
person to understand access needs.
70. An IS Auditor is reviewing an organisation’s network operations centre (NOC). Which of the
following choices is of the greatest concern? The use of
a. A wet pipe-based fire suppression system
b. A rented rack space in the NOC.
c. A CO2-based fire suppression system.
d. An uninterruptible power supply with 10 minutes of backup power.
Ex: CO2 systems are a danger to people and should not be used because they cause suffocation
in the event of a fire. Controls should consider personal safety first.
71. An IS Auditor is reviewing access for an accounting system and notices a segregation of
duties issue; however, the business is small and additional workers are not available. What
is the best recommended compensating control in this situation?
a. Implementing role-based access.
b. Reviewing audit trails
c. Performing periodic access reviews
d. Reviewing the error log.
Ex: Reviewing audit trails would be the best compensating control for a segregation of duties issue
that cannot be eliminated by adding employees.
72. An IS Auditor is reviewing a manufacturing company and finds that mainframe users at a
remote site connect to the mainframe at headquarters over the internet via Telnet. Which
of the following is the best recommendation to ensure proper security controls?
a. Use of a point-to-point leased line
b. Use of a firewall rule to allow only the IP address of the remote site
c. Use of two-factor authentication
d. Use of a non-standard port for Telnet
Ex: A leased line will effectively extend the LAN of the headquarters to the remote site, and the
mainframe Telnet connection would travel over the private line, which would be less of a security
risk when using an insecure protocol such as Telnet.
73. The primary purpose of installing data leak prevention software is to control which of the
following choices?
a. Access privileges to confidential files stored on servers
b. Attempts to destroy critical data on the internal network
c. Which external systems can access internal resources
d. Confidential documents leaving the internal network.
Ex: A server running a DLP software application uses predefined criteria to check whether any
confidential documents or data are leaving the internal network.
74. Which of the following groups would create the most concern to an IS Auditor if they have
direct full access to the production database?
a. Application testers
b. System administrators
c. The database owner
d. The data recovery team.
Ex: Application testers should be restricted to the nonproduction environment and, if they have full
access to the production database, the confidentiality and integrity of data become questionable.
75. Which of the following tests should be prohibited during peak hours as part of a network
security assessment of a bank’s production environment?
a. Port scanning for open firewall ports
b. Testing database servers for weak or blank passwords
c. Port scanning for open ports in the database server
d. Network packet sniffing.
Ex: Testing for database blank or weak passwords could lead to production accounts being locked
out from multiple failed logins, which could affect production systems.
76. Which of the following choices would be considered an attack vector for social
engineering?
a. A fake email message designed to steal bank login credentials.
b. Malware installed on a website that infects visitors to the site.
c. An attacker stealing the laptop of a system administrator to try to gain access.
d. An attacker searching through the trash dumpster for confidential data.
Ex: Social engineering, in the context of information security, refers to the psychological manipulation of
people into performing actions or divulging confidential information. A fake email message designed
to steal bank login credentials is an example of one type of social engineering attack commonly
called phishing.
77. A warning message from a public web application system displays specific database error
messages to the user. Which of the following choices would be the major concern?
a. The ability to post false transactions to the database.
b. Unauthorised access to the database by hijacking the administrator’s session
c. Susceptibility to DoS attacks
d. Susceptibility to hacking attempts on the database.
Ex: If database error messages are disclosed, perpetrators could learn the database type (vendor,
version etc.). This would increase the risk of application layer attacks such as SQL injection.
78. A company determined that its website was compromised and a rootkit was installed on the
server hosting the application. Which of the following choices would most likely have
prevented the incident?
a. HIPS
b. NIDS
c. A firewall
d. OS patching.
Ex: A host-based intrusion prevention system prevents unauthorised changes to the host. If a
malware attack attempted to install a rootkit, the IPS would refuse to permit the installation without
the consent of an administrator.
79. An IS Auditor performing an audit has determined that developers have been granted
administrative access to the virtual machine management console to manage their own
servers used for software development and testing. Which of the following choices would
be of most concern to the IS Auditor?
a. Developers have the ability to create or de-provision servers.
b. Developers could gain elevated access to production servers.
c. Developers can affect the performance of production servers with their applications
d. Developers could install unapproved applications on any servers.
Ex: Virtualisation offers the ability to create or destroy virtual machines (VMs) through the
administrative interface with administrative access. While a developer would be unlikely to de-provision
a production server, the administrative console would grant him/her the ability to do this,
which would be a significant risk.
80. An IS Auditor performing an audit has discussed server virtualisation implementation with
the system administrators who indicate that the ability to quickly replicate a production
server and create an identical host has saved considerable time and effort. What would be
the greatest risk that the IS Auditor should look for when auditing the virtual environment?
a. Making copies of servers will violate the terms of the software licenses for the OS.
b. The copied servers have identical host names and IP addresses
c. Virtual server mis-configurations will be propagated across all servers.
d. The administrator may create performance issues by creating too many virtual machines
(VMs).
Ex: Like any other technology, the VMs must be configured correctly to provide the security and
performance necessary to support business requirements. If a VM is configured incorrectly, it could
lead to compromise of the physical device and unauthorised activity. The VM configuration that is
used as a template should be reviewed carefully to ensure that it is correctly defined.
81. An IS Auditor is reviewing security incident management procedures for the company.
Which of the following choices is the most important consideration?
a. Chain of custody of electronic evidence
b. System breach notification procedures
c. Escalation procedures to external agencies
d. Procedures to recover lost data.
Ex: The preservation of evidence is the most important consideration in regard to security incident
management. If data and evidence are not collected properly, valuable information could be lost and
would not be admissible in a court of law should the company decide to pursue litigation.
82. An IS Auditor reviewing a network log discovers that an employee ran elevated commands
on his/her PC by invoking the task scheduler to launch restricted applications. This is an
example of what type of attack?
a. A race condition
b. A privilege escalation
c. A buffer overflow
d. An impersonation
Ex: A privilege escalation is a type of attack where higher level system authority is obtained by various
methods. In this example, the task scheduler service runs with administrator permissions, and a
security flaw allows programs launched by the scheduler to run at the same permission level.
83. An IS Auditor performing an IS audit of the newly installed voice-over-internet protocol
system was inspecting the wiring closets on each floor of the building. What would be the
greatest concern?
a. LAN switches are not connected to the UPS units
b. Network cabling is disorganised and not properly labelled.
c. The telephones are using the same cable used for LAN connections.
d. The wiring closet also contains power lines and breaker panels.
Ex: VoIP telephone systems use standard network cabling and typically each telephone gets power
over the network cable from the wiring closet where the network switch is installed. If the LAN
switches do not have backup power, the phones will lose power if there is a utility interruption and
potentially not be able to make emergency calls.
84. Sign-on procedures include the creation of a unique user-ID and password. However, an IS
auditor discovers that in many cases the username and password are the same. The best
control to mitigate this risk is to:
a. Change the company’s security policy
b. Educate users about the risk of weak passwords
c. Build in validations to prevent this during user creation and password change
d. Require a periodic review of matching of user-IDs and passwords for detection and
correction.
Ex: Ans b
85. Which of the following logical access exposures involves changing data before, or as it is
entered into the computer?
a. Data diddling
b. Trojan horse
c. Worm
d. Salami technique
Ex: Ans a
86. All of the following are common forms of internet attacks except:
a. Exploitation of vulnerabilities in vendor programs
b. Denial of service attacks
c. Sending hostile code and attack programs as mail attachments
d. Systematic hacker foot-printing of an organization.
Ex: Ans A
87. The scope of a logical access controls review would include the evaluation of:
a. Effectiveness and efficiency of IT security and related controls
b. Confidentiality, integrity and availability of information of authorized users.
c. Access to system software and application software to ensure compliance with the
access policy.
d. Access to the user authorization levels, parameters and operational functions through
application software.
Ex: Ans C
88. Which of the following concerns associated with the world wide web would be addressed by
a firewall?
a. Unauthorized access from outside the organization
b. Unauthorized access from within the organization
c. Delay in internet connectivity
d. Delay in downloading using file transfer protocol.
Ex: Ans A
89. If inadequate, which of the following would most likely contribute to a denial of service
attack?
a. Router configuration and rules
b. Design of the internal network
c. Updates to the router system software
d. Audit testing and review techniques
Ex: Ans C
90. Which of the following methods of providing telecommunication continuity involves routing
traffic through split or duplicate cable facilities?
a. Diverse routing
b. Alternate routing
c. Redundancy
d. Long haul network diversity
Ex: Ans a
91. Passwords should be:
a. Assigned by the security administrator
b. Changed every 30 days at the discretion of the user
c. Reused often to ensure the user does not forget the password
d. Displayed on the screen so that the user can ensure that it has been properly entered.
Ex: Ans B
92. Which of the following database administrator activities is unlikely to be recorded on a
detective control log?
a. Deletion of a record
b. Change of a password
c. Disclosure of a password
d. Changes to access rights.
Ex: Ans C
93. Confidential data stored on a laptop is best protected by:
a. Storage on optical disk
b. Log-on ID and password
c. Data encryption
d. Physical locks
Ex: Ans B
94. Which of the following is the most effective technique for providing security during data
transmission?
a. Communication log
b. Systems software log
c. Encryption
d. Standard protocol
Ex: Ans C
95. An IS auditor who intends to use penetration testing during an audit of internet connections
would:
a. Evaluate configuration
b. Examine security settings
c. Ensure virus-scanning software is in use
d. Use tools and techniques that are available to a hacker.
Ex: Ans D
96. Which is the best approach for monitoring the performance of IT resources?
a. Compare lag indicators against expected thresholds
b. Monitor lead indicators with industry best practices
c. Define thresholds for lag indicators based on the long term plan
d. Lead indicators have corresponding lag indicators.
Ex: Ans b
97. An IS Auditor detected that several PCs connected to the internet have a low security level
that is allowing free recording of cookies. This creates a risk because cookies locally
store:
a. Information about the internet site
b. Information about the user
c. Information for the internet connection
d. Internet pages.
Ex: Ans B
98. Which of the following best ensures the integrity of a server’s operating system?
a. Protecting the server in a secure location
b. Setting a boot password
c. Hardening the server configuration
d. Implementing activity logging
Ex: Ans C
99. When an employee notifies the company that he/she has
forgotten his/her password, what should be done FIRST by the
security administrator?
A. Allow the system to randomly generate a new password
B. Verify the user’s identification through a challenge/response
system
C. Provide the employee with the default password and explain that
it should be changed as soon as possible
D. Ask the employee to move to the administrator terminal to
generate a new password in order to assure confidentiality
Ex: Ans B
100. Which of the following would be of MOST concern to an IS
auditor reviewing a VPN implementation? Computers on the
network that are located:
A. on the enterprise’s internal network.
B. at the backup site.
C. in employees’ homes.
D. at the enterprise’s remote offices.
Ex: Ans C

Full Masii Russian Call Girls In Dwarka (Delhi) 9711199012 💋✔💕😘We are availab...shivangimorya083
 
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual serviceanilsa9823
 
Dubai Call Girls Naija O525547819 Call Girls In Dubai Home Made
Dubai Call Girls Naija O525547819 Call Girls In Dubai Home MadeDubai Call Girls Naija O525547819 Call Girls In Dubai Home Made
Dubai Call Girls Naija O525547819 Call Girls In Dubai Home Madekojalkojal131
 
Sonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call Girls
Sonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call GirlsSonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call Girls
Sonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call GirlsNiya Khan
 
VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...Suhani Kapoor
 

Recently uploaded (20)

Call Girl in Low Price Delhi Punjabi Bagh 9711199012
Call Girl in Low Price Delhi Punjabi Bagh  9711199012Call Girl in Low Price Delhi Punjabi Bagh  9711199012
Call Girl in Low Price Delhi Punjabi Bagh 9711199012
 
VIP Call Girls Service Saharanpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Saharanpur Aishwarya 8250192130 Independent Escort Ser...VIP Call Girls Service Saharanpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Saharanpur Aishwarya 8250192130 Independent Escort Ser...
 
NPPE STUDY GUIDE - NOV2021_study_104040.pdf
NPPE STUDY GUIDE - NOV2021_study_104040.pdfNPPE STUDY GUIDE - NOV2021_study_104040.pdf
NPPE STUDY GUIDE - NOV2021_study_104040.pdf
 
Call Girls In Bhikaji Cama Place 24/7✡️9711147426✡️ Escorts Service
Call Girls In Bhikaji Cama Place 24/7✡️9711147426✡️ Escorts ServiceCall Girls In Bhikaji Cama Place 24/7✡️9711147426✡️ Escorts Service
Call Girls In Bhikaji Cama Place 24/7✡️9711147426✡️ Escorts Service
 
Ioannis Tzachristas Self-Presentation for MBA.pdf
Ioannis Tzachristas Self-Presentation for MBA.pdfIoannis Tzachristas Self-Presentation for MBA.pdf
Ioannis Tzachristas Self-Presentation for MBA.pdf
 
Delhi Call Girls South Delhi 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Delhi 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls South Delhi 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Delhi 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Call Girls Mukherjee Nagar Delhi reach out to us at ☎ 9711199012
Call Girls Mukherjee Nagar Delhi reach out to us at ☎ 9711199012Call Girls Mukherjee Nagar Delhi reach out to us at ☎ 9711199012
Call Girls Mukherjee Nagar Delhi reach out to us at ☎ 9711199012
 
VIP High Profile Call Girls Jamshedpur Aarushi 8250192130 Independent Escort ...
VIP High Profile Call Girls Jamshedpur Aarushi 8250192130 Independent Escort ...VIP High Profile Call Girls Jamshedpur Aarushi 8250192130 Independent Escort ...
VIP High Profile Call Girls Jamshedpur Aarushi 8250192130 Independent Escort ...
 
Low Rate Call Girls Gorakhpur Anika 8250192130 Independent Escort Service Gor...
Low Rate Call Girls Gorakhpur Anika 8250192130 Independent Escort Service Gor...Low Rate Call Girls Gorakhpur Anika 8250192130 Independent Escort Service Gor...
Low Rate Call Girls Gorakhpur Anika 8250192130 Independent Escort Service Gor...
 
do's and don'ts in Telephone Interview of Job
do's and don'ts in Telephone Interview of Jobdo's and don'ts in Telephone Interview of Job
do's and don'ts in Telephone Interview of Job
 
VIP Russian Call Girls in Amravati Deepika 8250192130 Independent Escort Serv...
VIP Russian Call Girls in Amravati Deepika 8250192130 Independent Escort Serv...VIP Russian Call Girls in Amravati Deepika 8250192130 Independent Escort Serv...
VIP Russian Call Girls in Amravati Deepika 8250192130 Independent Escort Serv...
 
VIP Kolkata Call Girl Lake Gardens 👉 8250192130 Available With Room
VIP Kolkata Call Girl Lake Gardens 👉 8250192130  Available With RoomVIP Kolkata Call Girl Lake Gardens 👉 8250192130  Available With Room
VIP Kolkata Call Girl Lake Gardens 👉 8250192130 Available With Room
 
Production Day 1.pptxjvjbvbcbcb bj bvcbj
Production Day 1.pptxjvjbvbcbcb bj bvcbjProduction Day 1.pptxjvjbvbcbcb bj bvcbj
Production Day 1.pptxjvjbvbcbcb bj bvcbj
 
VIP Call Girls in Jamshedpur Aarohi 8250192130 Independent Escort Service Jam...
VIP Call Girls in Jamshedpur Aarohi 8250192130 Independent Escort Service Jam...VIP Call Girls in Jamshedpur Aarohi 8250192130 Independent Escort Service Jam...
VIP Call Girls in Jamshedpur Aarohi 8250192130 Independent Escort Service Jam...
 
加利福尼亚艺术学院毕业证文凭证书( 咨询 )证书双学位
加利福尼亚艺术学院毕业证文凭证书( 咨询 )证书双学位加利福尼亚艺术学院毕业证文凭证书( 咨询 )证书双学位
加利福尼亚艺术学院毕业证文凭证书( 咨询 )证书双学位
 
Full Masii Russian Call Girls In Dwarka (Delhi) 9711199012 💋✔💕😘We are availab...
Full Masii Russian Call Girls In Dwarka (Delhi) 9711199012 💋✔💕😘We are availab...Full Masii Russian Call Girls In Dwarka (Delhi) 9711199012 💋✔💕😘We are availab...
Full Masii Russian Call Girls In Dwarka (Delhi) 9711199012 💋✔💕😘We are availab...
 
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
 
Dubai Call Girls Naija O525547819 Call Girls In Dubai Home Made
Dubai Call Girls Naija O525547819 Call Girls In Dubai Home MadeDubai Call Girls Naija O525547819 Call Girls In Dubai Home Made
Dubai Call Girls Naija O525547819 Call Girls In Dubai Home Made
 
Sonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call Girls
Sonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call GirlsSonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call Girls
Sonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call Girls
 
VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...
 

DISA 3-qbank with exp.docx

  • 1. DISA 3.0 new questions 100 (Collected from various sources) 1. Whichof the followingisthe best Risk ManagementPractice? a. EstablishRiskmanagementCommittee b. IdentifyRisksrelatedtothe business c. Manage Risksi.e. identify,assessandremediationonyearlybasis d. Manage risksi.e.identify,assessandremediationoncontinuousbasis Ex: OptionD representsthe bestriskmanagementpractice. 2. A large business house is planning to implement a CSA program. Which of the following could be the primary objective of the implementation a. Leverage the internal audit function and its responsibilities b. Gain more control over to the IT functional areas c. Provide confidence to the statutory auditor to the compliance of internal controls to the management's objectives d. Shift some of the following controls to the internal audit function Ex: Control self assessment actually helps in building more IT controls. 3. An IS auditor discoversthat several IT-basedprojects were implementedthatwere not approved by the steeringcommittee.What isthe greatest concernfor the IS Auditor? a. IT projectswill notbe adequatelyfunded b. IT projectsare not followingthe systemdevelopmentlife cycle process c. IT projectsare not consistentlyformallyapproved d. The IT departmentmaynotbe workingtowardsa commongoal. Ex: a) fundingof the projectsmaybe addressedthroughvariousbudgetsandmaynotrequire steeringcommitteeapproval.The primaryconcernwouldbe toensure thatthe projectisworking towardsmeetingthe goalsof the company. b) althoughrequiringsteeringcommittee approvalmaybe partof the SDLC process,the greater concernwouldbe whetherthe projectsare workingtowardsthe corporate goal.Withoutsteering committee approval,itwouldbe difficulttodetermine whetherthese projectsare followingthe directionof the corporate goals. c) Althoughhavingaformal approval processisimportant,the greatestconcernwouldbe forthe steeringcommitteetoprovide corporate directionfor the projects. 
d) The steeringcommitteeprovidesdirectionandcontrolsoverprojectstoensure thatthe company ismakingappropriate investments.Withoutapproval,the projectmayormay not be working towardsthe company’sgoal. 4. 4. While reviewingaquality managementsystem the IS auditor should primarilyfocus on collectingevidence toshow that: a. Qualitymanagementsystemscomplywithbestpractices b. Continuousimprovementtargetsare beingmonitored c. Standardoperatingproceduresof ITare updatedannually d. Keyperformance indicatorsare defined. Ex: Continuousandmeasurableimprovementof qualityisthe primaryrequirementtoachieve the businessobjectivesforthe qualitymanagementsystems. 5. The primary benefitofan enterprise architecture initiative wouldbe: a. Enable the organisationtoinvestinthe mostappropriate technology b. Ensure that securitycontrolsare implementedoncritical platforms
  • 2. c. Allowdevelopmentteamstobe more responsive tobusinessrequirements d. Provide businessunitswithgreater autonomytoselectITsolutionsthatfittheirneeds. Ex: The primaryfocusof the enterprise architectureistoensure thattechnologyinvestmentare consistentwiththe platform, dataanddevelopmentstandardsof the ITorganisation;therefore,the goal of the EA is to helpthe organisationtoimplementthe technologythatismosteffective. 6. While doing planning under risk based audit approach if the IS auditor found inherent risk, control risks are high then A. Detection Risk should be low B. Detection Risk can be high or low depending on the resources C. Detection Risk can be high D. Detection risk does not matter Ex: : Inherent risk means overall risk of management which is on account of entity’s business operations as a whole. Control risk is the risk present in the internal control system. Detection risk is the risk of the IS Auditor when he is not able to detect the inherent risk or the control risk. Hence when inherent and control risk is high, detection risk should be low. 7. The primary objective for an IS auditor to review organisational chart and job description is to: A. Understand how organisation works. B. Check reporting and escalation path C. Ensure segregation of duties and authority D. Determine span of control for each individual employee. Ex: Organisational chart depicts the reporting hierarchy and thus an important tool to ensure segregation of duties and authority. 8. Controls are implemented to: A. Eliminate risk and reduce potential for loss B. Mitigate risk and eliminate the potential for loss C. Mitigate risk and reduce the potential for loss D. Eliminate risk and eliminate the potential for loss Ex: Definition of controls state the purpose as to mitigate the risk to the maximum extent possible. It is not possible to eliminate the risk, but to reduce the potential for loss. 9. 
IS auditor observed that the organization’s policy requires approval for using new software. During the course of audit it was observed that there are few instances of installing software without approval of management. The Auditor should: A. Verify whether proper controls are established and working for the software B. Communicate to the Management risks associated with installing unapproved Software. C. Report non-compliance of policies in the audit report. D. Recommend to update policy and procedure for installing software. Ex: Option 1 is the preventive control, which is the first to activate by an IS auditor. Other options are subsequent. 10. Which of the following actions impairs the IS auditors independence? A. Auditor Designs Controls B. Auditor Tests controls C. Auditor advises on Controls D. Auditor designs an Audit tool
  • 3. Ex: Auditor should be involved in testing controls, designing audit trails, advising on controls. But designing controls impair the independence of Auditor. 11. To assist in testing a core banking system being acquired, an organisation has provided the vendorwith sensitive data from itsexistingproductionsystem.An IS auditor’sprimary concern is that the data should be: a. Sanitised b. Completed c. Representative d. Current Ex: Sanctityof productiondatausedfor testingisthe primary concernfor an auditor.Data shouldbe properlymaskedorsanitisedbeforeit’suse.Allotheroptionisrequiredforcorrectanalysisandresult. 12. An IS Auditor is performing a project review to identify whether a new application has met businessobjectives.Whichofthe followingtestreportsoffersthe mostassurance that business objectives are met? a. User acceptance b. Performance c. Sociability d. Penetration Ex:Useracceptance isthe bestindicationthatbusinessobjectivesare made.Performance isafinancial indicator, sociability is acceptance indicator and penetration is control weakness measurement. 13. When conducting a review of business process re-engineering, an IS auditor found that a key preventive control had been removed. In this case the IS auditor should: a. Inform management of the finding and determine whether management is willing to accept the potential material risk of not having that preventive control. b. Determine if a detective control has replacedthe preventive control during the process and, if it has not, report the removal of the preventive control. c. Recommend that this and all control procedures that existed before the process was reengineered be included in the new process. d. Develop a continuous audit approach to monitor the effects of the removal of the preventive control. 
Ex: BPR is a process of un-learning and re-learning where there could be a complete change of controls.Ratherthancompleteremoval of apreventivecontrol,acompensatorycontrollike detective control is acceptable compare to only reporting or continuing the earlier process. 14. A hash total of employee numbersis part of the input to a payroll master file update program. The program comparesthe hash total withthe correspondingcontrol total. Whatis the purpose of this procedure? a. Verify that employee numbers are valid b. Verify that only authorised employees are paid c. Detect errors in payroll calculation d. Detect the erroneous update of records. Ex: Hash total compare withthe control total isa batch control processwhichis a file levelcontrol.It can confirmthe filelevelauthoritycompare toindividual validityof record.Itcannotdetectanyerror. 15. When auditing the requirements phase of a software acquisition, the IS auditor should: a. Assess the feasibility of the project timetable b. Assess the vendor’s proposed quality processes c. Ensure that the best software package is acquired
  • 4. d. Review the completeness of the specifications. Ex: Requirement phase in SDLC verify the completeness. Option A done in feasibilitystudy phase, option b is in analysis phase, option c is not the purpose of requirement analysis phase. 16. An organisationdecidestopurchase a software package insteadofdevelopingit.Insucha case, the design and development phases of a traditional software development life cycle (SDLC) would be replaced with: a. Selection and configuration phases b. Feasibility and requirements phases c. Implementation and testing phases d. Nothing: replacement is not required. Ex: Activitiesindesignanddevelopmentphase forsoftware developmentshouldbe replacedwith selectionandrightconfigurationforthirdpartysoftware acquisition.Optionb& c is commonfor acquiredsoftware aswell. 17. When introducing thin client architecture, which of the following risks regarding servers is significantly increased? a. Integrity b. Concurrency c. Confidentiality d. Availability Ex: In the thin client major processing is taking place at the server level. There is no end-point processing because the devices having less or no memory. Hence risk of concurrency control (processing many input at the same time) is the major concerns. CIA has no relevance in this case. 18. Which of the following is an example of addressing social feasibility issue in SDLC project? a. Organisation decides to use existing infrastructure b. Beta version of application is made available to users c. Configuration of purchased software requires more cost d. Allowing employees to access social media sites. Ex: Beta version is distributed to all types of intended user. Using beta version free will provide adequate indication of it’s acceptability socially. Hence option b is the right answer. 19. Whichof the followingisnot an indicator to assessbenefitrealisationfrominternal application software developed in-house? a. Increase in number of customers because of new application b. 
Decrease in audit findings related to regulatory non-compliance c. Reduced number of virus attacks after implementing new software. d. Increase inproductivityof employeesafterimplementation Ex: Auditfindingsthattoorelatedtoregulatorynon-compliance isnotanindicatortoassessbenefit realisationof securedin-house software.Otheroptionsare the benefitof in-house developed software applications. 20. In a webserver,a common gateway interface (CGI) isMOST often usedas a(n): A. consistent way for data transfer to the application program and back to the user. B. computer graphics imaging method for movie and TV.
  • 5. C. graphic user interface for web design. D. interface to access the private gateway domain. Ex: The commongatewayinterface (CGI) isastandard wayfor a webservertopass a webuser's requesttoan applicationprogramandto receive databackand forthto the user. Whenthe user requestsawebpage (forexample,byclickingonahighlightedwordorenteringawebsite address), the serversendsbackthe requestedpage.However,whenauserfillsoutaformon a Web page and sendsitin,it usuallyneedstobe processedbyanapplicationprogram.The webservertypically passesthe forminformationtoa small applicationprogramthatprocessesthe dataandmay send back a confirmationmessage.Thismethod,orconventionforpassingdatabackand forthbetween the serverand the applicationiscalledthe commongatewayinterface (CGI).Itispart of the web's HTTP protocol 21. Which one of the following types of firewalls would BEST protect a network from an Internet attack? A. Screened sub-net firewall B. Application filtering gateway C. Packet filtering router D. Circuit level gateway Ex: A screenedsub-netfirewall wouldprovide the bestprotection.The screeningroutercanbe a commercial routerora node withroutingcapabilitiesthatcanfilterpackages,havingthe abilityto letor avoidtrafficbetweennetsornodesbasedonaddresses,ports,protocols,interfaces,etc. Applicationlevelgatewaysare mediatorsbetweentwoentitiesthatwanttocommunicate,also knownas proxygateways.The applicationlevel (proxy) worksatapplicationlevel,notonlyata package level.The screeningonlycontrolsatpackage level,addresses,ports,etc.butdonotsee the contentsof the package.Packetfilteringrouterexaminesthe headerof everypacketordata travelingbetweenthe Internetandthe corporate network 22. Congestion control is BEST handled by which OSI layer? A. Data link B. Session layer C. Transport layer D. 
Network layer Ex: The transportlayeris responsible forreliabledatadelivery.Thislayer implementssophisticated flowcontrol mechanismthatcandetectcongestionandreduce datatransmissionratesandalso increase transmissionrateswhenthe networkappearstonolongerbe congested(e.g.,TCPflow controls).The networklayerisnotcorrect because congestioncontrol (flowcontrol) occursbasedon routerimplementationsof flowcontrol atthe sub-netlevel (i.e.,source quenchmessagessentout whenroutermemoryorbuffercapacityreachescapacity;howevernomessage tocancel or discard messages,whichinactuallymayincrease congestionproblems).Sessionlayeranddatalinkdonot have any functionalityfornetworkmanagement. 23. Which of the following can a local area network (LAN) administrator use to
  • 6. protect against exposure to illegal or unlicensed software usage by the network user? A. Software metering B. Virus detection software C. Software encryption D. Software inventory programs Ex: The control that a LAN administratorcanuse to protectagainstthe use of illegal or unlicensed software inventoryprograms.Software inventoryprogramsensure the accurate use of the authorizednumberof licenses.Software meteringwouldonlycountthe numberof licenses, whereasvirusdetectionsoftwarepreventsfromvirusinfection,but doesnotpertaintolicenses. Software encryptionisnotuseful because itsfunctionistociphermessages. 24. Which of the following is most suitable method for ensuring up‐to‐date Business Continuity Plan (BCP)? (a) Regular structured walk through tests (b) Yearly full functional tests (c) Continuous Liaison among BCP team members (d) Keep on changing the team members with the more experienced ones Ex: a) Regular Structured walkthrough teststakesplaceto get idea aboutthe possibleservice disruption by majorparticipantsinvolved in plan execution.Ithelps in keeping the plan up‐to‐date. (b) Yearly fully functionaltestsare quite expensiveaswell as damaging thesystemresourcemany a times asit actually imitates the disaster.Hence, fully functionaltestis notadvisable. (c) ContinuousLiaison among BCPteammembersmay initiatethe changein BCPbut to keep it up‐ todate,regularstructured walkthrough testsaremust. (d) Keep on changing theteammemberswith the more experienced oneswill not makethe BCPup‐ todate. 25. When Recovery Point Objective is zero and Recovery Time Objective is 5 hrs, which of the following recovery strategies is advisable? 
(a) Hot Site – Shadow File Processing (b) Cold Site – Shadow File Processing (c) Hot Site –Tape Back Up (d) Cold Site – Tape Back Up Ex: (a) Recovery PointObjective(RPO) isfocused on data and organization’slosstolerancein relation to the data.And Recovery Time Objective (RTO) is the targeted duration of time and a service level within which a businessprocessmustbe restored aftera disaster.If RPO is to be Zero then we need a mirror backup continuously being taken ata remote site called Shadow file
  • 7. processing.Moreover,if RTO is to be 5 hoursthen we need Hotsite which gets ready within couple of hoursof disaster. (b) ShadowFileprocessing is desirablefor zero RPO butCold Site will notbe usefulas it takes numbersof daystogetherto makeCold site ready foralternateprocessing and it will go beyond the RTO i.e. 5 hrs. (c) Hot Site is desirableas we need to resumeoperationswithin 5 hrs of disaster butTapeBackup will notbe usefulas it will not beable to maintain continuesreal time backup of data so as to keep RPO as zero. (d) Cold Site will not be usefulasit takesdaystogetherto makeCold site ready foralternate processing and it will go beyond theRTO i.e. 5 hrs.Tape Backup will also notbe usefulas it will not be able to maintain continuesreal time backup of data so asto keep RPO aszero. 26. In Disaster Recovery Planning, who is responsible for determining the requirements of Recovery Time Objective and Recovery Point Objective for the organization? (a) Steering committee (b) Board Of Directors (c) IT management (d) Process owners Ex: (a) Steering Committeeis an administrativebody thatreviews,monitorsand prioritizesmajorIT projectsfroma cross‐functionalperspectiveand isresponsibleforalignmentof IT strategy with strategicgoalsof the organization.Thus,determining therequirementsof RTO and RPOis the responsibilityof steering committeeonly. (b) Board of Directors (BODs) are responsibleforinitiating BCP and approving BCP.However, determining requirementsof RTO and RPOis notthe responsibility of BODs. (c) IT managementisresponsibleforcarrying outthe BCP developmentplan rightfrominitialization stageto the execution stageasper the strategy.However,determining requirementsof RTOand RPOis notthe responsibilityof IT management. (d) Processownersarevery importantstakeholdersof BCP.However,determining requirementsof RTO and RPOis notthe responsibilityof processowners. 27. ABC Private Limited. 
Head‐quartered in Mumbai, has 8 branches across India and the company has limited recovery budget. Which among the following is the BEST recovery strategy for the company? (a) Internal reciprocal arrangements among the branches (b) Hot site maintained in Mumbai (c) Multiple cold sites at all branches (d) Reciprocal agreement with another company in Mumbai
  • 8. Ex: (a) Internalreciprocal arrangementsamong thebranchesaretheBEST recovery strategy fora limited recovery budgetcompany provided thepairof branchesselected for reciprocity is subjectto differentgeographiclocationsand environments. (b) To maintain a Hot site is a costly affairand notviable forlimited recovery budget. (c) Even though cold site is relatively cheaper option compared to a hotsite, multiple cold sites at all brancheswould entailunnecessary fixed rentaloverheadsultimately shooting up thebudgetof the company. (d) In the given case company has8 branchesacrossIndia.Hence,reciprocalagreementwith another company of Mumbaimay notservethepurposeof overall disasterrecovery strategy of thecompany. 28. An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. What action should the IS auditor perform FIRST? A. Personally delete all copies of the unauthorized software. B. Inform auditee of the unauthorized software and follow-up to confirm deletion. C. Report the use of the unauthorized software to auditee management and the need to prevent recurrence. D. Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use. Ex: Ans B 29. Which of the following represents the MOST significant exposure for an organization that leases personal computers? A. Accounting for shared peripherals B. Frequent reassignment of hardware C. Obsolescence prior to lease termination D. Software licensing issues on leased machines Ex: AnsC 30. An IS auditor is assigned to perform a post implementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? A. He implemented a specific control during the development of the application system. B. He designed an embedded audit module exclusively for auditing the application system. C. 
He participated as a member of the application system project team, but did not have operational responsibilities.
  • 9. D. He provided consulting advice concerning application system best practices. Ex: AnsA 31. In a risk-based audit approach, an IS auditor is not only influenced by risk but also by: A. the availability of CAATs. B. management's representations. C. organizational structure and job responsibilities. D. the existence of internal and operational controls. Ex: AnsD 32. While conducting a control self-assessment (CSA) program, an IS auditor facilitated workshops involving management and staff in judging and monitoring the effectiveness of existing controls. Which of the following is an objective of a CSA program? A. to enhance audit responsibilities. B. to identify problems. C. to brainstorm solutions. D. to complete the entire audit. Ex: Ans A 33. The IS auditor should be able to identify and evaluate various types of risks and their potential effects. Accordingly, which of the following risks is associated with trap doors? A. Inherent risk. B. Detection risk. C. Audit risk. D. Error risk. Ex: AnsB 34. When performing a procedure to identify the value of inventory that has been kept for more than eight weeks, an IS auditor would MOST likely use: A. test data. B. statistical sampling. C. an integrated test facility. D. generalized audit software.
  • 10. Ex: Ans D 35. When reviewing a system development project at the project initiation stage, an IS auditor finds that the project team is not proposing to strictly follow the organization's quality manual. To meet critical deadlines the project team proposes to fast track the validation and verification processes, commencing some elements before the previous deliverable is signed-off. Under these circumstances the IS auditor would MOST likely: A. report this as a critical finding to senior management. B. accept that different quality processes can be adopted for each project C. report to IS management the team's failure to follow appropriate procedures. D. report the risks associated with fast tracking to the project steering committee Ex: AnsD 36. When there is Audit participation in the systems development process, the IS Auditor should be aware of : A. An Auditor’s ability to perform an independent evaluation of the application after implementation will be impaired. B. An attitude and appearance of independence should be reflected in the Auditor’s conduct when conducting development reviews. C. As a control specialist, the Auditor can provide significant value to the project team by making the final decision on specific controls D. For ongoing evaluation capability, the Auditor should ensure the computer Audit Software be implemented in all applications Ex: Ans A 37. An IS Auditor’s primary objective in testing the integrity of information is to ensure that A. sensitive information is protected B. data are accurate, complete and valid C. information is critical for making decisions D. data are relevant to achieving business objectives Ex: AnsB 38. An IS Audit Report would normally include all of the following EXCEPT : A. scope, objective and period of coverage B. nature and extent of audit work performed
C. findings, conclusions and recommendations
D. details of programs, procedures and software used
Ex: Ans D

39. Which of the following is a substantive audit test?
A. verifying that a management check has been regularly performed
B. observing that user IDs and passwords are required to sign on to the computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable
Ex: Ans D

40. An IS Auditor, performing a review of an application's controls, discovers a weakness in system software which could materially impact the application. The IS Auditor should:
A. Ignore these control weaknesses as a system software review is beyond the scope of this review.
B. Conduct a detailed system software review and report the control weaknesses.
C. Include in the report a statement that the Audit was limited to a review of the application's controls.
D. Review the system software controls as relevant and recommend a detailed system software review.
Ex: Ans D

41. Which of the following choices best helps information owners to properly classify data?
A. Understanding of technical controls that protect data
B. Training on organisational policies and standards
C. Use of an automated data leak prevention tool
D. Understanding which people need to access the data.
Ex: While implementing data classification, it is most essential that organization policies and standards, including the data classification schema, are understood by the owner or custodian of the data so that the data can be properly classified. An automated DLP tool may not help in understanding the classification schema. It is more important that the owner understands the requirement than that the end user does.
Ex: Ans B
42. Which of the following would be of concern for an information system auditor auditing a BPO (Business Process Outsourcing) service provider?
A. BPO has identified all External Compliance requirements.
B. BPO exceeds Turn Around Time defined in SLA
C. BPO has a documented security policy
D. BPO has proper Background checks for staff
Ex: Ans B

43. Which of the following choices is the most effective control that should be implemented to ensure accountability for application users accessing sensitive data in the human resource management system and among interfacing applications to the HRMS?
a. Two-factor authentication
b. A digital certificate
c. Audit trails
d. Single sign-on authentication.
Ex: Audit trails capture which user, at what time and date, along with other details, has performed the transaction, and this helps in establishing accountability among application users. The other three options are authentication mechanisms, not to be used for establishing accountability.

44. During a review of a large data center an IS auditor observed computer operators acting as backup tape librarians and security administrators. Which of these situations would be MOST critical to report to senior management?
a. Computer operators acting as tape librarians
b. Computer operators acting as security administrators
c. Computer operators acting as tape librarians and security administrators
d. It is not necessary to report any of these situations to senior management
Ex: Ans C

45. An IS Auditor has found that employees are emailing sensitive company information to public web-based email domains. Which of the following is the best remediation option for the IS Auditor to recommend?
a. Encrypted mail accounts
b. Training and awareness
c. Activity monitoring
d. Data Loss prevention (DLP)
Ex: Data loss prevention is an automated preventive tool that can block sensitive information from leaving the network, while at the same time logging the offenders. Encryption will not prevent sending information to an unauthorized person. Activity monitoring is a detective control. Training and awareness is not a strong control compared to DLP.

46. The primary objective of the value optimisation process is to ensure:
a. IT-enabled investments are made at the lowest cost
b. Appropriate IT-enabled initiatives are selected
c. Cost-efficient delivery of solutions and services
d. Quantification of IT costs and likely benefits
Ex: The primary objective of the value optimisation process is to ensure cost-efficient delivery of solutions and services. The focus of the value optimisation process is not ensuring the lowest cost but the optimal cost of all IT-enabled investments. Selection of appropriate IT-enabled initiatives is one of the operational activities of value optimisation; although it is critical, it is not the primary objective. Not all IT investment benefits can be quantified. Hence, the option of quantification of IT costs and likely benefits is not correct. Further, this is not the objective but a mechanism of performance monitoring.

47. Which of the following is the key benefit of capacity management?
a. Meet long term business goals in a cost effective and timely manner
b. Meets current and future requirements in a cost-effective manner
c. Define and maintain relationships between key resources and capabilities
d. Assess the impact of changes and deal with service incidents
Ex: The key benefit of capacity management is to ensure that not just the current but the future business requirements are met in a cost effective manner. Capacity management looks at both long-term as well as short term business goals in a cost effective and timely manner. Defining, describing and maintaining relationships between key resources and capabilities is a primary requirement of capacity management and not a benefit. Assessing the impact of changes and dealing with service incidents is one of the benefits of capacity management but compared to option A, this is not a key benefit.

48. Which of the following is most critical for ensuring sustained alignment of IT strategic plans? The IT strategic plans provide:
a. Direction to IT department on deployment of information systems
b. Key functionaries are involved in development and implementation
c. IT long and short range plans are communicated to stakeholders
d. Feedback is captured, reported and evaluated for inclusion in future IT planning.
Ex: Capturing, reporting and evaluating feedback for inclusion in future IT planning is most critical for ensuring sustained alignment of IT strategic plans, as this provides metrics for monitoring and also ensures that performance is maintained not only for the current but also for the future. Top management shares the enterprise strategy, based on which the IT strategy is prepared by the IT department. There is no direction to the IT department on deployment of information systems provided as part of IT strategic planning. The involvement of key functionaries in development and implementation is critical to ensure success, but it is required in the initial stages. However, this does not guarantee the sustainability of the initiative. The communication of IT long and short range plans is important to get buy-in and to keep all stakeholders informed, but this is only a reporting process.

49. From an IT governance perspective, what is the primary responsibility of the board of directors to ensure that the IT strategy:
a. Is cost effective
b. Is future thinking and innovative
c. Is aligned with the business strategy
d. Has the appropriate priority level assigned.
Ex: Ans C
50. An IS Auditor has been asked to review a contract for a vendor being considered to provide data centre services. Which is the best way to determine whether the terms of the contract are adhered to after the contract is signed?
a. Require the vendor to provide monthly status reports
b. Have periodic meetings with the client IT manager
c. Conduct periodic audit reviews of the vendor
d. Require the performance parameters be stated within the contract
Ex: Ans C

51. Which of the following choices is the primary benefit of requiring a steering committee to oversee IT investment?
a. To conduct a feasibility study to demonstrate IT value
b. To ensure that investments are made according to business requirements
c. To ensure that proper security controls are enforced
d. To ensure that a standard development methodology is implemented.
Ex: Ans B

52. An IS Auditor is evaluating a newly developed IT policy for an organisation. Which of the following would the IS auditor consider most important to facilitate compliance with the policy upon its implementation?
a. Existing IT mechanisms that enable compliance
b. Alignment of the policy to the business strategy
c. Current and future technology initiatives
d. Regulatory compliance objectives that are defined in the policy.
Ex: Ans A

53. An IS Auditor is reviewing a DRP and discovers that a critical application is missing from the plan. Which of the following recommendations would be the best option for the IS auditor working with an organisation with limited IT resources?
a. Active-active clusters
b. A reciprocal agreement
c. A warm site
d. Active-passive cluster.
Ex: In an active-passive cluster, the application is running on only one (active) node while other nodes are used only if the application fails on the active node. An active-active cluster and a warm site will require more resources. A reciprocal arrangement may not be a good option for a critical application. An active-passive cluster would be the best option in this case because the passive cluster would restore the application.

54. An IS Auditor is reviewing the backup strategy and the backup technology in use by an organisation. The IS Auditor would be most concerned if:
a. Data restoration tests are not being regularly performed.
b. Disk subsystems are being backed up to other disks, and not to tape.
c. Daily backup logs are purged quarterly.
d. Backups of critical company data are not encrypted.
Ex: The only way to ensure with certainty that a backup is working is to perform a data restoration test. If this were not being done regularly, it would be a concern. The other options are concerns, but option a is the most concerning.

55. An organisation is reviewing its contract with a cloud computing provider. For which of the following reasons would the organisation want to remove a lock-in clause from the contract?
a. Availability
b. Portability
c. Agility
d. Scalability
Ex: When drawing up a contract with a cloud service provider, the ideal practice is to remove the customer lock-in clause. It may be important for the client to secure portability of their system assets, i.e., the right to transfer from one vendor to another. Removing the lock-in period will not improve availability. Agility refers to the efficiency of a solution in enabling the organisation to respond to business needs. Scalability is the ability to adjust service levels according to changing business circumstances.

56. Which of the following ways is the best for an IS Auditor to verify that critical production servers are running the latest security updates released by the vendor?
a. Ensure that automatic updates are enabled on critical production servers.
b. Verify manually that the patches are applied on a sample of production servers.
c. Review the change management log for critical production servers.
d. Run an automated tool to verify the security patches on production servers.
Ex: An automated tool can immediately provide a report on which patches have been applied and which are missing. Ensuring automatic update will not provide assurance that all servers are being patched appropriately. Manual testing is difficult and time consuming. The change management log may not accurately reflect the patch update status.

57. Which of the following choices best ensures accountability when updating data directly in a production database?
a. Before and after screen images
b. Approved implementation plan
c. Approved validation plan.
d. Data file security.
Ex: Creating before and after images is the best way to ensure that appropriate data have been updated in a direct data change. The screen shots would include the data prior to and after the change. Approved plans may not ensure that appropriate changes were made. An approved validation plan will also not ensure that data changes were appropriate and correct. Data file security will also not ensure that data changes were correct.

58. A financial institution has decided to outsource its customer service division to an offshore vendor. The most important consideration would be to ensure that the contract contains:
a. A limited liability clause
b. A right-to-audit clause
c. A data ownership clause
d. An early termination clause.
Ex: Data ownership is the most important aspect of outsourced operations. An ownership clause establishes that the outsourcing company maintains complete ownership of the information provided to the vendor and the vendor must maintain confidentiality over the information with which it comes
into contact. The ownership clause also prohibits the vendor from using any of the customer data for its internal purposes.

59. An IS Auditor of a healthcare organisation is reviewing contractual terms and conditions of a third party cloud provider being considered to host patient health information. Which of the following contractual terms would be the greatest risk to the customer organisation?
a. Data ownership is retained by the customer organisation.
b. The third party provider reserves the right to access data to perform certain operations.
c. Bulk data withdrawal mechanisms are identified.
d. The customer organisation is responsible for backup, archive and restore.
Ex: Some service providers reserve the right to access customer information (third party access) to perform certain transactions and provide certain services. In the case of protected health information (PHI), regulations may restrict certain access. The organisation must review the regulatory environment in which the cloud provider operates because it may have requirements or restrictions of its own. Organisations must then determine whether the cloud provider provides appropriate controls to ensure that data are appropriately secure.

60. A vendor has released several critical security patches over the past few months and this has put a strain on the ability of the administrators to keep the patches tested and deployed in a timely manner. The administrators have asked if they could reduce the testing of the patches. What approach should the organisation take?
a. Continue the current process of testing and applying patches.
b. Reduce testing and ensure that an adequate backout plan is in place.
c. Delay patching until resources for testing are available.
d. Rely on the vendor's testing of the patches.
Ex: Applying security software patches promptly is critical to maintain the security of the servers; further, testing the patches is important because the patches may affect other systems and business operations. Because the vendor has recently released several critical patches in a short time, it can be hoped that this is a temporary problem and does not need a revision to policy or procedures.

61. A new business requirement required changing database vendors. Which of the following areas should the IS Auditor primarily examine in relation to this implementation?
a. Integrity of the data
b. Timing of the cutover
c. Authorisation level of users
d. Normalisation of data.
Ex: A critical issue when migrating data from one database to another is the integrity of the data and ensuring that the data are migrated completely and correctly.

62. Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorised changes in production?
a. Provide and monitor separate login IDs that the developer will use for programming and production support.
b. Capture activities of the developer in the production environment by enabling audit trails.
c. Back up all affected records before allowing the developer to make production changes.
d. Ensure that all changes are approved by the change manager.
Ex: Providing separate login IDs that would only allow a developer privileged access when required is a good compensating control, but it must also be backed up with monitoring and supervision of the activity of the developer.

63. While conducting an audit on the CRM application, the IS Auditor observes that it takes a significantly long time for users to log on to the system during peak business hours as compared with other times of the day. Once logged on, the average response time for the system is within acceptable limits. Which of the following choices should the IS Auditor recommend?
a. The IS Auditor should recommend nothing because the system is compliant with current business requirements.
b. IT should increase the network bandwidth to improve performance.
c. Users should be provided with detailed manuals to use the system properly.
d. The IS Auditor should recommend establishing performance measurement criteria for the authentication servers.
Ex: Performance criteria for the authentication servers would help to quantify acceptable thresholds for system performance, which can be measured and remediated.

64. Which of the following controls would be most effective to reduce the risk of loss due to fraudulent online payment requests?
a. Transaction monitoring
b. Protecting web sessions using secure sockets layer (SSL)
c. Enforcing password complexity for authentication
d. Input validation checks on web forms.
Ex: An electronic payment system could be the target of fraudulent activities. An unauthorised user could potentially enter false transactions. By monitoring transactions, the payment processor could identify potentially fraudulent transactions based on the typical usage patterns, monetary amounts, physical location of purchases, and other data that are part of the transaction process.

65. Which of the following criteria is most needed to ensure that log information is admissible in court? Ensure that data have been:
a. Independently time stamped
b. Recorded by multiple logging systems.
c. Encrypted by the most secure algorithm
d. Verified to ensure log integrity.
Ex: It is important to assure that log information existed at a certain point of time and that it has not been altered. Therefore, the evidential credibility of log information is enhanced when there is proof that no one has tampered with this information.

66. The greatest benefit of having well-defined data classification policies and procedures is:
a. A more accurate inventory of information assets
b. A decreased cost of controls.
c. A reduced risk of inappropriate system access.
d. An improved regulatory compliance.
Ex: An important benefit of a well-defined data classification process would be to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data. Without a proper classification framework, some security controls may be greater and therefore more costly than is required based on the data classification.
67. An IS Auditor who is auditing an application determines that, due to resource constraints, one user holds roles as both a developer and a release co-ordinator. Which of the following options would the IS Auditor most likely recommend?
a. Revoke the user's developer access
b. Revoke the user's release coordinator access
c. Management review of user activities
d. Periodic audit of user activities.
Ex: If an individual requires roles with conflicting segregation of duties, the best control given the circumstances is to monitor that individual's access in the production environment. Although this is not the preferred method of resolving segregation of duties conflicts, it is the best compensating control given the current business circumstances.

68. A company is planning to install a network-based intrusion detection system (IDS) to protect the web site that it hosts. Where should the device be installed?
a. On the local network
b. Outside the firewall
c. In the de-militarised zone
d. On the server that hosts the website.
Ex: Network based IDSs detect attack attempts by monitoring network traffic. A public web server is typically placed on the protected network segment known as the demilitarised zone (DMZ). An IDS installed in the DMZ detects and reports on malicious activity originating from the internet as well as the internal network, thus allowing the administrator to take action.

69. An IS Auditor is working with the DBA group to mitigate risk associated with individual users who have direct access to SQL databases. The IS Auditor recommends using lightweight directory access protocol (LDAP) groups. What approval should be required to ensure least privilege?
a. Manager approval
b. Database owner approval
c. System administrator approval
d. DBA approval
Ex: Requiring database owner approval will ensure that after the group is created only users who require access will be added. The group owner would be the data owner and would be the best person to understand access needs.

70. An IS Auditor is reviewing an organisation's network operations centre (NOC). Which of the following choices is of the greatest concern? The use of:
a. A wet pipe-based fire suppression system
b. A rented rack space in the NOC.
c. A CO2-based fire suppression system.
d. An uninterruptible power supply with 10 mins of backup power.
Ex: CO2 systems are a danger to people and should not be used because they cause suffocation in the event of a fire. Controls should consider personal safety first.

71. An IS Auditor is reviewing access for an accounting system and notices a segregation of duties issue; however, the business is small and additional workers are not available. What is the best recommended compensating control in this situation?
a. Implementing role-based access.
b. Reviewing audit trails
c. Performing periodic access reviews
d. Reviewing the error log.
Ex: Reviewing audit trails would be the best compensating control for a segregation of duties issue that cannot be eliminated by adding employees.
72. An IS Auditor is reviewing a manufacturing company and finds that mainframe users at a remote site connect to the mainframe at headquarters over the internet via telnet. Which of the following is the best recommendation to ensure proper security controls?
a. Use of a point-to-point leased line
b. Use of a firewall rule to allow only the IP address of the remote site
c. Use of two-factor authentication
d. Use of a non-standard port for telnet
Ex: A leased line will effectively extend the LAN of the headquarters to the remote site, and the mainframe telnet connection would travel over the private line, which would be less of a security risk when using an insecure protocol such as telnet.

73. The primary purpose of installing data leak prevention software is to control which of the following choices?
a. Access privileges to confidential files stored on servers
b. Attempts to destroy critical data on the internal network
c. Which external systems can access internal resources
d. Confidential documents leaving the internal network.
Ex: A server running a DLP software application uses predefined criteria to check whether any confidential documents or data are leaving the internal network.

74. Which of the following groups would create most concern to an IS Auditor if they have direct full access to the production database?
a. Application testers
b. System administrators
c. The database owner
d. The data recovery team.
Ex: Application testers should be restricted to the nonproduction environment and, if they have full access to the production database, the confidentiality and integrity of data become questionable.

75. Which of the following tests should be prohibited during peak hours as part of a network security assessment of a bank's production environment?
a. Port scanning for open firewall ports
b. Testing database servers for weak or blank passwords
c. Port scanning for open ports in database server
d. Network packet sniffing.
Ex: Testing for database blank or weak passwords could lead to production accounts being locked out from multiple failed logins, which could affect production systems.

76. Which of the following choices would be considered an attack vector for social engineering?
a. A fake email message designed to steal bank login credentials.
b. Malware installed on a website that infects visitors to the site.
c. An attacker stealing the laptop of a system administrator to try to gain access.
d. An attacker searching through the trash dumpster for confidential data.
Ex: Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A fake email message designed to steal bank login credentials is an example of one type of social engineering attack commonly called phishing.

77. A warning message from a public web application system displays specific database error messages to the user. Which of the following choices would be the major concern?
a. The ability to post false transactions to the database.
b. Unauthorised access to the database by hijacking the administrator's session
c. Susceptibility to DOS attacks
d. Susceptibility to hacking attempts to the database.
Ex: If database error messages are disclosed, perpetrators could know the database type (vendor, version etc.). This would increase the risk of application layer attacks such as SQL injection.

78. A company determined that its website was compromised and a rootkit was installed on the server hosting the application. Which of the following choices would most likely have prevented the incident?
a. HIPS
b. NIDS
c. A Firewall
d. OS patching.
Ex: A host-based intrusion prevention system prevents unauthorised changes to the host. If a malware attack attempted to install a rootkit, the IPS would refuse to permit the installation without the consent of an administrator.

79. An IS Auditor performing an audit has determined that developers have been granted administrative access to the virtual machine management console to manage their own servers used for software development and testing. Which of the following choices would be of most concern for the IS Auditor?
a. Developers have the ability to create or de-provision servers.
b. Developers could gain elevated access to production servers.
c. Developers can affect the performance of production servers with their applications
d. Developers could install unapproved applications to any servers.
Ex: Virtualisation offers the ability to create or destroy virtual machines (VMs) through the administrative interface with administrative access. While a developer would be unlikely to de-provision a production server, the administrative console would grant him/her the ability to do this, which would be a significant risk.

80. An IS Auditor performing an audit has discussed server virtualisation implementation with the system administrators, who indicate that the ability to quickly replicate a production server and create an identical host has saved considerable time and effort. What would be the greatest risk that the IS Auditor should look for when auditing the virtual environment?
a. Making copies of servers will violate the terms of the software licenses for the OS.
b. The copied servers have identical host names and IP addresses
c. Virtual server mis-configurations will be propagated across all servers.
d. The administrator may create performance issues by creating too many virtual machines (VMs).
Ex: Like any other technology, the VMs must be configured correctly to provide the security and performance necessary to support business requirements. If a VM is configured incorrectly, it could lead to compromise of the physical device and unauthorised activity. The VM configuration that is used as a template should be reviewed carefully to ensure that it is correctly defined.

81. An IS Auditor is reviewing security incident management procedures for the company. Which of the following choices is the most important consideration?
a. Chain of custody of electronic evidence
b. System breach notification procedures
c. Escalation procedures to external agencies
d. Procedures to recover lost data.
Ex: The preservation of evidence is the most important consideration in regard to security incident management. If data and evidence are not collected properly, valuable information could be lost and would not be admissible in the court of law should the company decide to pursue litigation.

82. An IS Auditor reviewing a network log discovers that an employee ran elevated commands on his/her PC by invoking the task scheduler to launch restricted applications. This is an example of what type of attack?
a. A race condition
b. A privilege escalation
c. A buffer overflow
d. An impersonation
Ex: A privilege escalation is a type of attack where higher level system authority is obtained by various methods. In this example, the task scheduler service runs with administrator permissions, and a security flaw allows programs launched by the scheduler to run at the same permission level.

83. An IS Auditor performing an IS audit of the newly installed voice-over-internet protocol system was inspecting the wiring closets on each floor of the building. What would be the greatest concern?
a. LAN switches are not connected to the UPS units
b. Network cabling is disorganised and not properly labelled.
c. The telephones are using the same cable used for LAN connections.
d. The wiring closet also contains power lines and breaker panels.
Ex: VOIP telephone systems use standard network cabling and typically each telephone gets power over the network cable from the wiring closet where the network switch is installed. If the LAN switches do not have backup power, the phones will lose power if there is a utility interruption and potentially not be able to make emergency calls.

84. Sign-on procedures include the creation of a unique user-id and password. However, an IS auditor discovers that in many cases the username and password are the same. The best control to mitigate this risk is to:
a. Change the company's security policy
b. Educate users about the risk of weak passwords
c. Build in validations to prevent this during user creation and password change
d. Require a periodic review of matching of user-IDs and passwords for detection and correction.
Ex: Ans B

85. Which of the following logical access exposures involves changing data before, or as it is entered into the computer?
a. Data diddling
b. Trojan horse
c. Worm
d. Salami technique
Ex: Ans A

86. All of the following are common forms of internet attacks except:
a. Exploitation of vulnerabilities in vendor programs
b. Denial of service attacks
c. Sending hostile code and attack programs as mail attachments
d. Systematic hacker foot-printing of an organization.
Ex: Ans A

87. The scope of a logical access controls review would include the evaluation of:
a. Effectiveness and efficiency of IT security and related controls
b. Confidentiality, integrity and availability of information of authorized users.
c. Access to system software and application software to ensure compliance with the access policy.
d. Access to the user authorization levels, parameters and operational functions through application software.
Ex: Ans C

88. Which of the following concerns associated with the world wide web would be addressed by a firewall?
a. Unauthorized access from outside the organization
b. Unauthorized access from within the organization
c. Delay in internet connectivity
d. Delay in downloading using file transfer protocol.
Ex: Ans A

89. If inadequate, which of the following would most likely contribute to a denial of service attack?
a. Router configuration and rules
b. Design of the internal network
c. Updates to the router system software
d. Audit testing and review techniques
Ex: Ans C

90. Which of the following methods of providing telecommunication continuity involves routing traffic through split or duplicate cable facilities?
a. Diverse routing
b. Alternate routing
c. Redundancy
d. Long haul network diversity
Ex: Ans A

91. Passwords should be:
a. Assigned by the security administrator
b. Changed every 30 days at the discretion of the user
c. Reused often to ensure the user does not forget the password
d. Displayed on the screen so that the user can ensure that it has been properly entered.
Ex: Ans B

92. Which of the following database administrator activities is unlikely to be recorded on a detective control log?
a. Deletion of a record
b. Change of a password
c. Disclosure of password
d. Changes to access rights.
Ex: Ans C

93. Confidential data stored on a laptop is best protected by:
a. Storage on optical disk
b. Log-on ID and password
c. Data encryption
d. Physical locks
Ex: Ans B

94. Which of the following is the most effective technique for providing security during data transmission?
a. Communication log
b. Systems software log
c. Encryption
d. Standard protocol
Ex: Ans C

95. An IS auditor who intends to use penetration testing during an audit of internet connections would:
a. Evaluate configuration
b. Examine security settings
c. Ensure virus-scanning software in use
d. Use tools and techniques that are available to a hacker.
Ex: Ans D

96. Best approach for monitoring the performance of IT resources is?
a. Compare lag indicators against expected thresholds
b. Monitor lead indicators with industry best practices
c. Define thresholds for lag indicators based on long term plan
d. Lead indicators have corresponding lag indicators.
Ex: Ans B

97. An IS Auditor detected that several PCs connected to the internet have a low security level that is allowing for free recording of cookies. This creates a risk because cookies locally store:
a. Information about the internet site
b. Information about the user
c. Information for the internet connection
d. Internet pages.
Ex: Ans B

98. Which of the following best ensures the integrity of a server's operating system?
a. Protecting the server in a secure location
b. Setting a boot password
c. Hardening the server configuration
d. Implementing activity logging
Ex: Ans C

99. When an employee notifies the company that he/she has forgotten his/her password, what should be done FIRST by the security administrator?
A. Allow the system to randomly generate a new password
B. Verify the user's identification through a challenge/response system
C. Provide the employee with the default password and explain that it should be changed as soon as possible
D. Ask the employee to move to the administrator terminal to generate a new password in order to assure confidentiality
Ex: Ans B

100. Which of the following would be of MOST concern to an IS auditor reviewing a VPN implementation? Computers on the network that are located:
A. on the enterprise's internal network.
B. at the backup site.
C. in employees' homes.
D. at the enterprise's remote offices.
Ex: Ans C