IT Audit Recommendations
Questions and Answers

An IS audit reveals that the organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend that the organization do FIRST?

  • Ensure the effectiveness of the Intrusion Detection System (IDS).
  • Ensure the Disaster Recovery Plan (DRP) has been tested.
  • A security risk assessment for the business has been performed. (correct)
  • Obtain confirmation that the Incident Response Team understands the issue that has occurred.

Free CISA Quiz

A. Planning and Organization

1. An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?
   A. Ensure the intrusion prevention system (IPS) is effective.
   B. Verify the disaster recovery plan (DRP) has been tested.
   C. Assess the security risks to the business. (correct)
   D. Confirm the incident response team understands the issue.

2. Which of the following would BEST facilitate the successful implementation of an IT-related framework?
   A. Establishing committees to support and oversee framework activities
   B. Documenting IT-related policies and procedures
   C. Aligning the framework to industry best practices
   D. Involving appropriate business representation within the framework (correct)

3. An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?
   A. Recent third-party IS audit reports (correct)
   B. Current and previous internal IS audit reports
   C. IT performance benchmarking reports with competitors
   D. Self-assessment reports of IT capability and maturity

4. Which of the following is the PRIMARY basis on which audit objectives are established?
   A. Audit risk
   B. Consideration of risks (correct)
   C. Assessment of prior audits
   D. Business strategy

5. Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?
   A. Ensure ownership is assigned. (correct)
   B. Test corrective actions upon completion.
   C. Ensure sufficient audit resources are allocated.
   D. Communicate audit results organization-wide.

6. Upon completion of audit work, an IS auditor should:
   A. provide a report to the auditee stating the initial findings. (correct)
   B. provide a report to senior management prior to discussion with the auditee.
   C. distribute a summary of general findings to the members of the auditing team.
   D. review the working papers with the auditee.

B. Network Security Management

1. An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial draft of the audit report. Which of the following findings should be ranked as the HIGHEST risk?
   A. Network penetration tests are not performed.
   B. The network firewall policy has not been approved by the information security officer.
   C. Network firewall rules have not been documented.
   D. The network device inventory is incomplete. (correct)

2. When auditing the security architecture of an online application, an IS auditor should FIRST review the:
   A. location of the firewall within the network.
   B. firewall standards.
   C. firmware version of the firewall.
   D. configuration of the firewall. (correct)

C. Change Management

1. During an internal audit of automated controls, an IS auditor identifies that the integrity of data transfer between systems has not been tested since successful implementation two years ago. Which of the following should the auditor do NEXT?
   A. Review previous system interface testing records.
   B. Document the finding in the audit report.
   C. Review relevant system changes. (correct)
   D. Review IT testing policies and procedures.

2. Which of the following should an IS auditor be MOST concerned with during a post-implementation review?
   A. The system does not have a maintenance plan.
   B. The system contains several minor defects. (correct)
   C. The system deployment was delayed by three weeks.
   D. The system was over budget by 15%.

3. Which of the following is the BEST way to ensure that an application is performing according to its specifications?
   A. Pilot testing
   B. System testing
   C. Integration testing (correct)
   D. Unit testing

D. BCP

1. Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?
   A. The BCP has not been tested since it was first issued. (correct)
   B. The BCP is not version-controlled.
   C. The BCP's contact information needs to be updated.
   D. The BCP has not been approved by senior management.

E. Application Control

1. Which of the following is the GREATEST risk if two users have concurrent access to the same database record?
   A. Entity integrity
   B. Availability integrity
   C. Referential integrity
   D. Data integrity (correct)

F. Physical Access Security

1. Which of the following issues associated with a data center's closed circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?
   A. CCTV recordings are not regularly reviewed. (correct)
   B. CCTV records are deleted after one year.
   C. CCTV footage is not recorded 24 x 7.
   D. CCTV cameras are not installed in break rooms.

G. Project Management

1. An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:
   A. a clear business case has been established. (correct)
   B. the new hardware meets established security standards.
   C. a full, visible audit trail will be included.
   D. the implementation plan meets user requirements.

2. An organization is implementing a new system that supports a month-end business process. Which of the following implementation strategies would be MOST efficient to decrease business downtime?
   A. Cutover
   B. Phased
   C. Pilot (correct)
   D. Parallel

H. Logical Access Control

1. Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
   A. Conceal data devices and information labels.
   B. Issue an access card to the vendor.
   C. Monitor and restrict vendor activities. (correct)
   D. Restrict use of portable and wireless devices.

2. An employee loses a mobile device resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?
   A. Data encryption on the mobile device (correct)
   B. The triggering of remote data wipe capabilities
   C. Awareness training for mobile device users
   D. Complex password policy for mobile devices

3. During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:
   A. cost-benefit analysis.
   B. acceptance testing.
   C. application test cases. (correct)
   D. project plans.