IT Governance and Compliance Quiz
47 Questions

Questions and Answers

To which domain can both ITIL and ISO 20000 be applied?

  • IT governance
  • IT component management
  • Activity management
  • IT service management (correct)

Which framework is designed to ensure alignment between IT and business objectives?

  • ITIL
  • VALIT
  • CobiT (correct)
  • eSCM

What is a notable advantage of ISO 27001 accreditation?

  • To indicate financial liability
  • To demonstrate effective supplier control
  • To emphasize customer orientation
  • To show compliance to legislation and regulations (correct)

What does COBIT stand for?

Control Objectives for Information and Related Technology

Which method includes value governance, portfolio management, and investment governance?

Val IT

In the PDCA cycle, what does the 'P' stand for?

Plan

What should an IS auditor do when penetration testing yields inconclusive results?

Publish a report highlighting potential security weaknesses

Which document should an IS auditor FIRST review in a compliance audit of a health care organization?

Network diagram and firewall rules

What essential capabilities should the access control system (ACS) possess according to an IS auditor's review?

All of the above

Which software is primarily associated with collecting users' personal data for profit?

Spyware

Which user profile in an EFT system should raise the MOST concern for an IS auditor?

Three users with the ability to capture, verify, and send messages of others

Logical access controls primarily serve which of the following purposes?

Identification, authentication, authorization, access, auditing, and accountability.

What is the MOST significant factor to ensure high availability of information assets?

Eliminate single points of failure

When classifying information assets, which classification tier represents the least sensitive information?

Tier 1: Public Information

Which of the following protocols is NOT typically part of logical access controls?

Data encryption techniques

What is one effect of having unauthorized access to sensitive information?

Loss of data integrity

What is the primary benefit of database normalization?

Minimization of redundancy of information in tables required to satisfy users' needs

Which method is most effective for an IS auditor to test the program change management process?

Trace from the change management documentation to a system-generated audit trail

For mission-critical systems with a low tolerance to interruption, which recovery option is recommended?

Hot site

What is the key objective of capacity planning procedures?

Available resources are used efficiently and effectively

'Understand changes in business environment of the auditee' is part of which process?

Audit Planning

Which tool is required for creating an audit trail?

Audit Hooks

Which task does not fall under the purview of the IS Auditor during a Hardware Review?

Acquisition plan

What should IS auditors assess to ensure the security of remote access points for authorized users outside the trusted network environment?

Documented and implemented

Which control is critical for the auditor to investigate regarding Bring Your Own Device (BYOD)?

All of the above

Which factor is most important to audit when ensuring effective application controls are maintained?

Manager involvement

What is the first aspect an IS auditor should review when auditing remote access into a computer facility?

All users are connected through secure remote VPN service

To identify who has been granted access to a specific system resource, which document should the IS auditor review?

Access control lists

If a web application firewall is absent from an organization's infrastructure, how should the IS auditor evaluate this finding?

Not appropriate as per good practice

When auditing environmental exposure control of backup media, what is the most appropriate focus for protection?

Physical and logical exposures at same level

What is a key factor IS auditors should investigate regarding mobile device security policies?

Regular updates and configuration management

Which of the following is NOT a consideration for auditing remote access security?

Cost benefits of remote access solutions

Which aspect is critical for an organization before appointing an outsourcing service provider?

All of the above

What is the most effective way to maintain data confidentiality during transmission over a network?

Data are encrypted before transmission.

What aspect is most critical in managing the relationship between an organization and its outsourced service provider?

Service Level Agreement (SLA)

What is essential to ensure that third-party contractors are aware of their responsibilities?

Screening

What should an IS auditor prioritize first to detect software licensing violations?

The listing of all licensed software.

What type of software does an NGO use if it is free for a short trial period but requires payment for the full version?

Shareware software

Which type of access control ensures that access credentials cannot be altered by normal users?

Mandatory Access Controls

What is the FIRST feature of two-factor authentication (2FA)?

Clock synchronization between a token generator and an authentication server.

Which control is MOST effective when addressing security in engaging third-party vendors?

Vendor to have certified compliance with recognized security standards, e.g., ISO 27001.

What poses the MOST significant risk when a network is not secure?

Unauthorized access.

Electromagnetic emissions from a terminal can be a security concern because they:

can be detected and displayed.

What is a MAJOR risk associated with single sign-on (SSO)?

It represents a single point of failure.

What is the MOST important use of data encryption for messages?

Data transmission.

Which technique allows a hacker to obtain passwords without computer tools?

Social engineering.

In an audit of Network Infrastructure Security, what skill should the operator performing network control functions have?

Cyber security expert.

    Study Notes

    Question 1

    • IS audit has significantly changed over the last decade, including altered relationships between IT and financial audits, evolving focus areas, and advancements in employed technologies.

    Question 2

    • Inherent risk, particularly risk related to the numerous users and business areas affected by a project, tends to be high in IS projects due to concerns regarding confidentiality.

    Question 3

    • IS auditors must gather substantial, pertinent, and persuasive evidence to achieve audit objectives.

    Question 4

    • Key elements of ISO include high-level structure, common core text, and standard definitions.

    Question 5

    • Auditing standards direct auditors on the extent of auditing steps and procedures required to meet audit specifications and goals.

    Question 6

    • ISO 27001:2013 is titled "Information Security Management Systems."

    Question 7

    • IS audits evaluate information systems and resources for adequate asset protection, preventing financial loss, and ensuring appropriate user access and software usage.

    Question 8

    • The approved audit charter outlines the authority for conducting an IS audit.

    Question 9

    • ITIL and ISO 20000 are applicable to IT service management.

    Question 10

    • The CobiT framework ensures alignment between IT objectives and business objectives.

    Question 11

    • ISO 27001 accreditation demonstrates compliance with regulations and standards.

    Question 12

    • COBIT stands for Control Objectives for Information and Related Technology.

    Question 13

    • ISO 9001 addresses value, portfolio, and investment governance.

    Question 14

    • The "P" in PDCA stands for "Plan."

    Question 15

    • If an IS audit encounters inconclusive results and the agreed completion date is approaching, the auditor should document the findings, advise of the need for further testing and, if necessary, postpone the audit.

    Question 16

    • When examining online health care systems in compliance audits, IS auditors must first consider network setup and firewall rules surrounding the online system.

    Question 17

    • When shared user IDs are detected in a financial services company website’s user access, auditors should document the finding and the potential risks associated with shared IDs.

    Question 18

    • Auditors must maintain high standards of conduct and integrity without compromising their professional association.

    Question 19

    • Legal requirements, laws, and regulatory or contractual agreements impact IS audit processes and procedures.

    Question 20

    • Software audits ensure licensing compliance, monitor quality assurance, and conform to industry standards.

    Question 21

    • The statement that increasing regulations negatively affect the use of sampling techniques in IS audits, due to issues related to internal controls, is false.

    Question 22

    • Standards provide characteristics for consistent materials, products, processes, and services.

    Question 23

    • Iterative Model uses significant regression testing elements.

    Question 24

    • Completing on an approved timetable is not one of the three goals for a successful SDLC.

    Question 25

    • Integrated testing ensures each component of a project functions together as a system.

    Question 26

    • Recovery Point Objective (RPO) defines the data loss acceptable to an organization after a disaster.

    Question 27

    • Recovery Time Objective (RTO) is the point in time an organization needs to recover its data, processes, or application after a disaster.

    Question 28

    • Low RPO (Recovery Point Objective) suggests utilizing procedures like clustering, remote journaling, or database shadowing for better recovery strategies.

    Question 29

    • QA (Quality Assurance) teams are responsible for software validation.

    Question 30

    • A Hot Site will fully replace a company’s primary business operations.

    Question 31

    • Business Continuity is the ability of an organization to continue delivering products and services in times of disruptions.

    Question 32

    • The first step in developing a new or updating a business continuity plan is defining the organization's business objectives and strategy.

    Question 33

    • Quantitative and qualitative risk analysis are common methods during business impact analysis.

    Question 34

    • Business Continuity Planning Life Cycle involves the steps of Analysis, Solution Design, Implementation, Testing & Acceptance, and Maintenance.

    Question 35

    • A digital dashboard is a business intelligence tool that displays information related to the business.

    Question 36

    • Classification as crisis implies a negative material impact to business processes and other related systems.

    Question 37

    • IS auditors must understand the relationship between business continuity strategies and organizational objectives.

    Question 38

    • Backup plans (BCP) are investigated through paper walk-throughs in which participants discuss and test the procedures in the various scenarios.

    Question 39

    • Agile development incorporates test-driven development, continual feedback from customers, and simple solutions to solve common issues.

    Question 40

    • Business Applications can range from large, specialized tools to third-party and internally developed systems.

    Question 41

    • Backup rotation schemes are systems that regularly back up data to storage media, such as tapes.

    Question 42

    • E-commerce involves aspects of services, communications, and business processes—not just buying and selling online.

    Question 43

    • Risk of cost overrun is a significant concern for auditors.

    Question 44

    • Functions of e-commerce software include product configuration and data analysis.

    Question 45

    • The greatest benefit of B2C e-commerce is the ability to reach a global market.

    Question 46

    • An IS strategic plan encompasses brochures, manager goals, project timelines, and senior management's directives.

    Question 47

    • IT governance knowledge is critical for understanding an organization's IT strategy, risks, audit timeline, and deliverables.

    Question 48

    • The primary purpose of the IT steering committee is to establish and define enterprise objectives.

    Question 49

    • Due to the difficulty in complying with the segregation of duties rules, segregation of tasks for authorization and correction should take priority when tasks cannot be performed in a divided manner.

    Question 50

    • CMM (Capability Maturity Model) is characterized by measurement, documentation of accomplishments, and evaluation of progress.

    Question 51

    • Database administration controls cover reviewing access logs and activities, as well as the use of database tools.

    Question 52

    • Governance for Enterprise IT is the responsibility of the board of directors and executive management.

    Question 53

    • Steering committees are focused on IT concerns, not departmental issues.

    Question 54

    • CMM levels in sequence are Initial, Managed, and Repeatable.

    Question 55

    • IS audit performance measures must align with strategic direction and regulatory reporting standards.

    Question 56

    • The most important aspect in auditing employee termination is the secure removal of employee access to company resources.

    Question 57

    • Employees being allowed to copy personal files (prior to termination) would not be a suitable process for compliance.

    Question 58

    • The balanced scorecard ensures the IT-strategy aligns with the overall business strategy.

    Question 59

    • Optimal use of IT resources is a key aim for job descriptions and change control review boards.

    Question 60

    • Additional awareness for cloud audits includes legal requirements.

    Question 61

    • Employee contracts define the work-relationship as "work for hire."

    Question 62

    • Outsourcing realigns activities based on core business needs.

    Question 63

    • Strategy is the process of defining how an organization will accomplish its objectives.

    Question 64

    • Hacker or Cracker is a more suitable term than Intruders.

    Question 65

    • NIST reports that 64% of software vulnerabilities stem from programming errors, not security flaws. This is true.

    Question 66

    • Developers' beliefs about embedded device security are considered partially wrong.

    Question 67

    • Problems concerning sponsor-funded projects include insufficient quality definitions and inadequate controls.

    Question 68

    • Continuity of service and profitability/added value are critical; these points are integral to sustaining the outsourcing contract. This answer is true.

    Question 69

    • Inadequate training and awareness can lead to failure of the balanced scorecard.

    Question 70

    • Reasons for bringing outsourced operations in-house include losses of control, delayed services, and excess costs.

    Question 71

    • Level 5 maturity in CMM allows a company to pay less to perform outsourcing. This statement is not true.

    Question 72

    • The ideal correlation with strategy definition revolves around defining the business's objective, guidelines, and target for success.

    Question 73

    • Change control is a governance issue due to the necessity of ensuring proper authorization, compliance with policies, and cost reductions.

    Question 74

    • Ideal compliance monitoring is handled by a central repository.

    Question 75

    • The IT/information resource policy describes rules about organizational permissions, usage, and information-related resources.

    Question 76

    • The first step in IT security involves comprehensive security evaluation.

    Question 77

    • Hash cracking is the act of decrypting hashed passwords via precomputed tables.

    Question 78

    • Public Key Cryptosystems face a significant challenge in securing the information exchange process.

    Question 79

    • Cyber-ethics are ethical behaviors in the digital and online environment.

    Question 80

    • An IS/IT Risk Management Committee is responsible for discussing security, establishing policies, and approving related practices.

    Question 81

    • The initial step to manage an enterprise IT environment is to assess availability, compatibility, reliability, scalability, performance, and security.

    Question 82

    • Benefits of outsourcing often involve reduced costs and streamlined processes.

    Question 83

    • Digital signatures aim to authenticate data and preserve its integrity.

    Question 84

    • Information categorized as "critical" demands a complete restriction on unauthorized access by third-party support personnel.

    Question 85

    • The initial feature for 2-Factor Authentication (2FA) involves time-synchronization between the token generator and authentication server.

    Question 86

    • Effectively managing third-party vendors involves adhering to security standards like ISO 27001.

    Question 87

    • Network security emphasizes measures like malware protection, proper password security, and consistent monitoring and logging.

    Question 88

    • Electromagnetic emissions present a security risk due to detectable and potential undesirable effects.

    Question 89

    • A single sign-on (SSO) system poses a single point of failure.

    Question 90

    • Data encryption is crucial for protecting data against unauthorized disclosure, particularly in the case of message transmission.

    Question 91

    • Social engineering is a tactic used to trick someone into disclosing sensitive information.

    Question 92

    • Determining which IS resources necessitate the involvement of a security expert is a critical aspect in controlling network infrastructure.

    Question 93

    • Proper due diligence, processes, and activities assessment are necessary for selecting outsourcing service providers.

    Question 94

    • Encrypting data transmission is the best way to protect data confidentiality.

    Question 95

    • Effective management of outsourcing provider relationships includes due diligence, ongoing performance evaluations, and a clear Service Level Agreement (SLA).

    Question 96

    • Suitable contractors should be identified and approved through verification and suitability.

    Question 97

    • Software licensing violations are identified by contrasting the recorded software with licenses to spot inconsistencies.

    Question 98

    • Open-source software, freeware, and shareware are all ways software can be made available with varying degrees of functionality and terms of use.

    Question 99

    • Mandatory Access Controls are the highest level of logical access control.

    Question 100

    • User access, authentication, identification, and authorization are key aspects of an access control system (ACS).

    Question 101

    • Data collection firms and malicious actors use these systems to gather and profit from personal financial information.

    Question 102

    • Using user profiles to capture and verify messages, especially those that enable communication among multiple users, requires special attention due to security risks.

    Question 103

    • In IT, logical access control tools are used for proper identification, authentication, authorization, access control, and accountability.

    Question 104

    • High availability is ensured through measures such as removing single points of failure.

    Question 105

    • Information assets should be classified based on sensitivity for effective protection.

    Question 106

    • Remote access security controls need proper documentation, implementation, and cost assessment.

    Question 107

    • Auditing mobile device (BYOD) security requires consideration of policies, risk analysis, and organizational alignment.

    Question 108

    • Auditing remote access to computers needs initial investigation into VPN configurations, prohibited access, and firewall configurations.

    Question 109

    • Access Control Lists (ACLs) are critical for auditing user access.

    Question 110

    • A web application firewall (WAF) is critical for security.

    Question 111

    • Auditing backup media control means evaluating physical and logical controls.

    Question 112

    • IS auditors should recommend stopping the intrusion and implementing input validation/sanitization.

    Question 113

    • Misappropriation of assets, improper expenditures, and fraudulent financial reporting are all critical aspects in financial/corporate audit.

    Question 114

    • IS audit objectives should be clarified to management prior to fieldwork.

    Question 115

    • In detecting IT incidents, digital evidence collection and analysis is the first phase.

    Question 116

    • An IS auditor needs to perform a proper review, report control weaknesses related to system software, and document the extent of the review.

    Question 117

    • The statement is true that forensic analysis includes review of logical file structure and unused file space.

    Question 118

    • Evaluating organizational facilities and business processes is of crucial importance in the initial phase of an IS audit.

    Question 119

    • Functional walkthroughs allow auditors to understand business procedures and evaluate controls.

    Question 120

    • System log analysis is essential for monitoring authorized modifications to production programs, and other IT processes.

    Question 121

    • When answers don't align with documented procedures, audit scope expansion or a suspension of the audit is in order.

    Question 122

    • 100% of transactions should be verified using a GAS such as ACL (Audit Command Language).

    Question 123

    • Limited sampling opportunities during program change request testing point to a potential quality-assurance issue; therefore, the IS auditor should create an alternate testing procedure covering a more complete set of changes.

    Question 124

    • The actions and decisions of an IS auditor directly affect inherent, control, and detection risks.

    Question 125

    • When reviewing network architecture for inter-premise communications, the first concern should be the system architecture.

    Question 126

    • Software application classification is heavily reliant on the nature of enterprise business and the application's value.

    Question 127

    • Database normalization's primary benefit is its improved data integrity and minimization of data redundancy through its structured approach to data storage.

    Question 128

    • Tracing from a system to a change log provides evidence of program change accuracy.

    Question 129

    • Hot sites provide a full replacement for the organization’s primary operations in case of interruption.

    Question 130

    • Effective capacity planning focuses on ensuring that utilization of resources and efficiency are maintained for overall business operations.

    Question 131

    • Understanding changes in the business environment of a company is a crucial aspect of audit planning.

    Question 132

    • Audit Trails require various tools, including SCARF/EAM, Snapshot, and Audit Hooks.

    Question 133

    • IS auditors should not be involved in the acquisition plan; instead, they should review procurement processes and capacity management.

    Question 134

    • Control self-assessment (CSA) is an excellent method that assures organizations that effective controls are in place and maintained.

    Question 135

    • Situations that increase fraud likelihood often involve changes to production programs without proper approvals or the appropriate oversight procedures.

    Question 136

    • Auditors should perform assessment of controls prior to the acquisition of new application software and during the requirements phase, not the implementation phase.

    Question 137

    • IS auditors must ensure that new software applications are compatible with existing hardware, planned OS updates, and the company's current/future system needs.

    Question 138

    • Firewalls are primarily designed to protect network segments from unauthorized traffic.

    Question 139

    • Default passwords that have not been changed, failure to encrypt communications, and a lack of outbound proxies are concerns from an audit perspective.

    Question 140

    • Auditing segregation of duties involves observing and interviewing staff members about their tasks.

    Question 141

    • Supporting documentation obtained from systems, such as screenshots or reports, is critical for evaluating ongoing system configuration.

    Question 142

    • Determining information assets, data, and related systems is paramount for assessing the risks associated with an organization’s information process.

    Question 143

    • Test data's main challenge is ensuring the test program’s version aligns with the production version and that test data appropriately covers various situations.

    Question 144

    • When security procedures are absent, the audit process should go beyond standard procedures to identify practices and implement procedures.

    Question 145

    • A test-data approach is a suitable method for identifying payroll overpayments within a specific time period.

    Question 146

    • Cross-checking input data with control totals in the source database enhances the completeness and accuracy of the input data.

    Question 147

    • Using computer forensic software has the advantage of enabling efficient and comprehensive investigations of data and system information.

    Question 148

    • After discovering a Trojan horse, auditors should first remove the malicious code from the system.

    Question 149

    • Repeated or identical user IDs are a critical security concern for an IS auditor.

    Question 150

    • Prevention of errors is not possible through internal controls in all circumstances; if the possibility of undetected errors exists, then the errors qualify as a control risk.


    Description

    Test your knowledge on IT governance frameworks such as ITIL, ISO 20000, and COBIT. This quiz covers essential concepts and practices in information security, compliance audits, and access control. Ideal for those looking to strengthen their understanding of IT management standards and frameworks.
