IT Governance and Compliance Quiz
47 Questions
11 Views

Questions and Answers

To which domain can both ITIL and ISO 20000 be applied?

  • IT governance
  • IT component management
  • Activity management
  • IT service management (correct)

Which framework is designed to ensure alignment between IT and business objectives?

  • ITIL
  • Val IT
  • CobiT (correct)
  • eSCM

What is a notable advantage of ISO 27001 certification?

  • To indicate financial liability
  • To demonstrate effective supplier control
  • To emphasize customer orientation
  • To show compliance with legislation and regulations (correct)

What does COBIT stand for?

Control Objectives for Information and Related Technology (B)

Which method includes value governance, portfolio management, and investment governance?

Val IT (B)

In the PDCA cycle, what does the 'P' stand for?

Plan (D)

What should an IS auditor do when penetration testing yields inconclusive results?

Publish a report highlighting potential security weaknesses (D)

Which document should an IS auditor FIRST review in a compliance audit of a health care organization?

Network diagram and firewall rules (C)

What essential capabilities should the access control system (ACS) possess according to an IS auditor's review?

All of the above (D)

Which software is primarily associated with collecting users’ personal data for profit?

Spyware (C)

Which user profile in an EFT system should raise the MOST concern for an IS auditor?

Three users with the ability to capture, verify, and send messages of others (A)

Logical access controls primarily serve which of the following purposes?

Identification, authentication, authorization, access, auditing, and accountability. (B)

What is the MOST significant factor to ensure high availability of information assets?

Eliminate single points of failure (C)

When classifying information assets, which classification tier represents the least sensitive information?

Tier 1: Public Information (D)

Which of the following is NOT typically part of logical access controls?

Data encryption techniques (A)

What is one effect of having unauthorized access to sensitive information?

Loss of data integrity (C)

What is the primary benefit of database normalization?

Minimization of redundancy of information in tables required to satisfy users’ needs (D)

Which method is most effective for an IS auditor to test the program change management process?

Trace from the system-generated audit trail to the change management documentation (C)

For mission critical systems with a low tolerance to interruption, which recovery option is recommended?

Hot site (D)

What is the key objective of capacity planning procedures?

Available resources are used efficiently and effectively (D)

‘Understand changes in business environment of the auditee’ is part of which process?

Audit Planning (B)

Which tool is required for creating an audit trail?

Audit Hooks (A)

Which task does not fall under the purview of the IS Auditor during a Hardware Review?

Security of system software (C)

What should IS auditors assess to ensure the security of remote access points for authorized users outside the trusted network environment?

Documented and implemented (A)

Which control is critical for the auditor to investigate regarding Bring Your Own Device (BYOD)?

All of the above (D)

Which factor is most important to audit when ensuring effective application controls are maintained?

Manager involvement (C)

What is the first aspect an IS auditor should review when auditing remote access into a computer facility?

All users are connected through a secure remote VPN service (C)

To identify who has been granted access to a specific system resource, which document should the IS auditor review?

Access control lists (A)

If a web application firewall is absent from an organization's infrastructure, how should the IS auditor evaluate this finding?

Not appropriate as per good practice (A)

When auditing environmental exposure control of Backup Media, what is the most appropriate focus for protection?

Physical and logical exposures at the same level (C)

What is a key factor IS auditors should investigate regarding mobile device security policies?

Regular updates and configuration management (B)

Which of the following is NOT a consideration for auditing remote access security?

Cost benefits of remote access solutions (D)

Which aspect is critical for an organization before appointing an outsourcing service provider?

All of the above (D)

What is the most effective way to maintain data confidentiality during transmission over a network?

Data are encrypted before transmission. (D)

What aspect is most critical in managing the relationship between an organization and its outsourced service provider?

Service Level Agreement (SLA) (D)

What is essential to ensure that third-party contractors are aware of their responsibilities?

Screening (A)

What should an IS auditor prioritize first to detect software licensing violations?

The listing of all licensed software. (C)

What type of software does an NGO use if it is free for a short trial period but requires payment for the full version?

Shareware software (C)

Which type of access control ensures that access credentials cannot be altered by normal users?

Mandatory Access Controls (C)

What is the FIRST feature of token-based two-factor authentication (2FA)?

Clock synchronization between a token generator and an authentication server. (C)

Which control is MOST effective when addressing security in engaging 3rd party vendors?

Vendor to have certified compliance with recognized security standards, e.g., ISO 27001. (B)

What poses the MOST significant risk when a network is not secure?

Unauthorized access. (A)

Electromagnetic emissions from a terminal can be a security concern because they:

can be detected and displayed. (B)

What is a MAJOR risk associated with single sign-on (SSO)?

It represents a single point of failure. (C)

What is the MOST important use of data encryption for messages?

Data transmission. (D)

Which technique allows a hacker to obtain passwords without computer tools?

Social engineering. (D)

In an audit of Network Infrastructure Security, what skill should the operator performing network control functions have?

Cyber security expert. (B)

Flashcards

What is the domain that ITIL and ISO 20000 can be applied to?

ITIL and ISO 20000 are frameworks that can be applied to the management of IT services, encompassing areas like service design, delivery, and support.

Which framework aligns IT and business objectives & ensures efficient implementation of joint decisions?

CobiT focuses on aligning IT objectives with business objectives, ensuring effective implementation of joint decisions impacting both areas.

What is a key advantage of ISO 27001 accreditation?

ISO 27001 certification demonstrates an organization's commitment to information security and its compliance with relevant regulations, and it helps minimize security risk.

What does COBIT stand for?

COBIT stands for Control Objectives for Information and Related Technology. It is a framework for the governance and management of enterprise IT.

Which method addresses value governance, portfolio management, and investment governance?

Val IT is a framework that specifically addresses value governance, portfolio management, and investment governance in IT.

What does the P stand for in the PDCA cycle?

In the PDCA cycle, P stands for Plan. It's the initial phase where you define goals, strategies, and actions.

What should the IS auditor do when penetration testing is inconclusive?

The IS auditor should publish a report outlining the available information, highlighting potential security weaknesses and the need for further testing. The report should clearly state the limitations due to the incomplete testing and the need for additional work.

What should the IS auditor FIRST review during a compliance audit of an online healthcare system?

The IS auditor should first review the network diagram and firewall rules surrounding the online system. This initial assessment provides crucial insights into the security controls protecting the sensitive healthcare information.

Single Sign-On (SSO)

A method of authentication where users only need to log in once to access multiple applications or services.

Data Encryption

The process of converting data into an unreadable format, making it secure from unauthorized access.

Two-Factor Authentication (2FA)

A form of authentication in which users must present two distinct factors: typically something you know (a password), something you have (a token), or something you are (biometric data). Schemes that require two or more factors are called multi-factor authentication (MFA).

Social Engineering

A technique in which attackers manipulate people into revealing sensitive information or granting access to systems, for example through phishing, pretexting, or impersonation, rather than through technical exploits.

Single Point of Failure (SSO)

A security risk inherent in SSO where a single point of failure can compromise access to all connected systems.

Denial-of-Service (DoS)

A type of network attack that aims to overwhelm a server or service with traffic, making it unavailable to legitimate users.

Botnet

A network of computers or devices infected with malware and controlled remotely by attackers.

Network Monitoring and Logging

The practice of monitoring and recording network activity to detect and prevent security incidents.

Screening third-party contractors

A process of assessing the suitability and competence of third-party contractors before engaging them.

Evaluation Criteria for Outsourcing

A set of criteria used to assess the effectiveness of outsourced services. It includes SLAs, risk assessment, security, and economic viability.

Service Level Agreement (SLA)

A formal agreement outlining the terms, responsibilities, and deliverables of a service provider.

Due Diligence in Outsourcing

A process of verifying the legitimacy and reliability of a potential service provider before outsourcing.

Shareware software

Software that is free to use for a limited time or with restricted functionality; after the trial period a license must be purchased for full functionality.

Open source software

Software released under a license that allows users to freely use, modify, and distribute the software.

Mandatory Access Controls

Access controls that are enforced by the system and cannot be modified by users. They restrict access based on predefined rules.

Discretionary Access Controls

Access controls where users have the ability to grant or restrict access to resources. They are managed at the user level.

What are IT Governance Frameworks?

A set of guidelines that ensure the safe and efficient management of IT. IT governance frameworks help to establish clear roles and responsibilities for IT and align IT objectives with business goals.

What is COBIT?

A framework for the governance and management of enterprise IT that provides a comprehensive set of control objectives and good practices for aligning IT with business goals.

What is ITIL?

A set of guidelines and best practices for managing IT services throughout their lifecycle. It emphasizes service delivery and support.

What is ISO 27001?

An international standard that specifies the requirements for an information security management system (ISMS). It is the certifiable standard within the broader ISO/IEC 27000 family, which also includes implementation guidance such as ISO/IEC 27002.

Why are remote access security controls crucial?

Remote access points sit outside the trusted network environment, so their security controls must be both documented and implemented; the IS auditor assesses them to ensure the organization's confidential information remains protected.

What should an IS auditor review when auditing remote access?

An IS auditor should review if VPN is enabled, ensure remote access is restricted, and evaluate security logs.

What are Access Control Lists (ACLs)?

Access control lists (ACLs) are crucial for managing user access to system resources, as they help determine who can access what.

Why is a Web Application Firewall (WAF) important?

A web application firewall (WAF) acts as a security shield for web applications, protecting them against potential attacks.

Access Control System (ACS)

A system's ability to identify users, verify their identity, and grant or deny access based on their credentials and permissions.

Spyware

Software designed to collect personal information, sometimes without consent, and send it to third parties for profit or malicious purposes.

Users with ability to capture, verify and send messages for themselves and others

A scenario to be very cautious about when auditing EFT systems, as it grants too much power to a small group of users, potentially leading to fraud or unauthorized actions.

Logical Access Controls

The controls and measures in place to restrict access to computer systems and data based on the user's role and permissions.

System Availability

The ability of authorized users to access information and systems reliably and in a timely manner, without interruption.

Information Asset Classification

Three tiers of sensitivity for information assets: Public, Internal, and Restricted, each with specific access and handling guidelines.

Adware

Software that displays advertisements, often intrusively and disruptively. It is frequently installed without clear consent, may track user behaviour, and is commonly classified as potentially unwanted software or malware.

Eliminating Single Points of Failure

Preventing a single component from causing a system-wide failure, ensuring that if one part fails, the entire system can continue functioning.

Database Normalization's Main Benefit

The primary benefit of database normalization is reducing data redundancy. This ensures data consistency and avoids potential conflicts arising from duplicate information.

Testing Program Change Management

An IS auditor should trace from the system-generated audit trail back to the change management documentation. Starting from the changes actually present in the system detects changes that were never documented or approved; tracing only from documentation to the system would confirm that approved changes were made but would miss unauthorized ones.
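A worked illustration of the two-way trace, added here as an example and not part of the quiz. It reconciles a constructed system-generated change log against constructed change tickets (all program names, ticket numbers and field names are made up): programs changed with no approved ticket are unauthorized changes, which only the system-to-documentation direction can surface, and approved tickets with no matching change record were never implemented.

```python
# Constructed sample data; not drawn from any real system.
# System-generated audit trail: one record per program change actually applied.
AUDIT_TRAIL = [
    {"program": "PAYROLL01", "changed_at": "2024-03-01T09:12", "by": "dev_anna"},
    {"program": "GLPOST02",  "changed_at": "2024-03-02T14:40", "by": "dev_raj"},
    {"program": "EFTSEND03", "changed_at": "2024-03-03T23:55", "by": "dev_raj"},
]

# Change management documentation: tickets and their approval status.
CHANGE_TICKETS = [
    {"ticket": "CHG-101", "program": "PAYROLL01", "status": "approved"},
    {"ticket": "CHG-102", "program": "GLPOST02",  "status": "approved"},
    {"ticket": "CHG-103", "program": "ARINV04",   "status": "approved"},
    {"ticket": "CHG-104", "program": "EFTSEND03", "status": "rejected"},
]


def reconcile(audit_trail, tickets):
    """Trace in both directions and report the exceptions an IS auditor would raise."""
    approved = {t["program"]: t["ticket"] for t in tickets if t["status"] == "approved"}
    changed = {e["program"]: e for e in audit_trail}

    # Direction 1: system -> documentation. A change with no approved ticket is
    # unauthorized; starting from the documentation would never surface it.
    unauthorized = [
        {"program": p, "by": e["by"], "changed_at": e["changed_at"]}
        for p, e in sorted(changed.items()) if p not in approved
    ]
    # Direction 2: documentation -> system. An approved ticket with no change
    # record was never implemented (or was applied outside the monitored path).
    not_implemented = [
        {"program": p, "ticket": t} for p, t in sorted(approved.items()) if p not in changed
    ]
    matched = sorted(p for p in changed if p in approved)
    return {"unauthorized": unauthorized, "not_implemented": not_implemented, "matched": matched}


if __name__ == "__main__":
    for category, items in reconcile(AUDIT_TRAIL, CHANGE_TICKETS).items():
        print(f"{category}: {items}")
```

The rejected ticket CHG-104 is the instructive case: the change to EFTSEND03 exists in the system log but has no approval, so it appears only in the first direction. A test that sampled approved tickets and looked for their implementation would have reported no exceptions.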

Recovery Option for Critical Systems

For critical systems, a 'hot site' is the best choice. It provides a fully functional duplicate environment immediately ready to takeover, minimizing disruption.

Capacity Planning Objective

Capacity planning's key objective is to ensure efficient and effective use of resources. This means maximizing output and minimizing waste.

Understanding Auditee's Environment

Understanding the auditee's business environment is a crucial part of audit planning. It provides context and helps the auditor identify key risks.

What Is Required for Audit Trails

Audit hooks are routines embedded in an application that select and record specified transactions (for example, those above a threshold or those violating a rule) as they are processed, building an audit trail for later review. They are a continuous auditing technique and are distinct from the audit trail they produce.
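An added example, not from the quiz, of what an audit hook looks like inside application code, using the EFT segregation-of-duties scenario from the questions above: a small message processor whose embedded hook writes an exception record whenever a user performs a second role (capture, verify or send) on a message they already handled, or when a captured amount meets a high-value threshold. User names, amounts and the threshold are constructed values.

```python
from dataclasses import dataclass


@dataclass
class EftMessage:
    msg_id: str
    amount: float
    captured_by: str = ""
    verified_by: str = ""
    sent_by: str = ""


# Constructed policy value; a real threshold comes from the organization's EFT policy.
HIGH_VALUE_THRESHOLD = 10_000.00


class EftProcessor:
    """Toy EFT workflow. The audit hook runs inside every step and appends to an
    audit log that the business logic itself never reads or alters."""

    def __init__(self):
        self.messages = {}
        self.audit_log = []

    def _audit_hook(self, msg, stage, user):
        roles = {"capture": msg.captured_by, "verify": msg.verified_by, "send": msg.sent_by}
        earlier = [u for s, u in roles.items() if s != stage and u]
        # Segregation of duties: the acting user already holds another role on this message.
        if user in earlier:
            self.audit_log.append({"msg_id": msg.msg_id, "stage": stage,
                                   "exception": "SOD_VIOLATION", "user": user})
        # High-value transactions are flagged for review at the point of capture.
        if stage == "capture" and msg.amount >= HIGH_VALUE_THRESHOLD:
            self.audit_log.append({"msg_id": msg.msg_id, "stage": stage,
                                   "exception": "HIGH_VALUE", "amount": msg.amount})

    def capture(self, msg_id, amount, user):
        msg = EftMessage(msg_id, amount, captured_by=user)
        self.messages[msg_id] = msg
        self._audit_hook(msg, "capture", user)
        return msg

    def verify(self, msg_id, user):
        msg = self.messages[msg_id]
        msg.verified_by = user
        self._audit_hook(msg, "verify", user)
        return msg

    def send(self, msg_id, user):
        msg = self.messages[msg_id]
        msg.sent_by = user
        self._audit_hook(msg, "send", user)
        return msg

    def exceptions(self, msg_id):
        """Exception codes recorded for one message, in the order they were raised."""
        return [e["exception"] for e in self.audit_log if e["msg_id"] == msg_id]


if __name__ == "__main__":
    p = EftProcessor()
    p.capture("M1", 500.00, "alice"); p.verify("M1", "alice"); p.send("M1", "bob")
    p.capture("M2", 500.00, "alice"); p.verify("M2", "bob");   p.send("M2", "carol")
    p.capture("M3", 25_000.00, "alice"); p.verify("M3", "bob"); p.send("M3", "alice")
    for entry in p.audit_log:
        print(entry)
```

The hook does not block the transaction; it records it. That is the point of the technique: processing continues, and the auditor reviews the exception log independently of the operations staff who run the application.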

What IS Audit Excludes in Hardware Review

During a hardware review an IS auditor would not focus on the security of system software; that falls under a different audit scope, such as a systems software review.

Auditing Application Controls with Exception Reporting

Exception reporting is crucial for auditing application controls. It identifies unusual activities that might indicate control failures or potential risks.

Study Notes

Question 1

  • IS audit has significantly changed over the last decade, including altered relationships between IT and financial audits, evolving focus areas, and advancements in employed technologies.

Question 2

  • Inherent risk, particularly risk related to the numerous users and business areas affected by a project, tends to be high in IS projects due to concerns regarding confidentiality.

Question 3

  • IS auditors must gather substantial, pertinent, and persuasive evidence to achieve audit objectives.

Question 4

  • Key elements shared by ISO management system standards are the high-level structure, common core text, and common terms and definitions.

Question 5

  • Auditing standards direct auditors on the extent of auditing steps and procedures required to meet audit specifications and goals.

Question 6

  • ISO/IEC 27001:2013 is the standard "Information security management systems - Requirements"; it specifies the requirements for an ISMS.

Question 7

  • IS audits evaluate information systems and resources for adequate asset protection, preventing financial loss, and ensuring appropriate user access and software usage.

Question 8

  • The approved audit charter outlines the authority for conducting an IS audit.

Question 9

  • ITIL and ISO 20000 are applicable to IT service management.

Question 10

  • The CobiT framework ensures alignment between IT objectives and business objectives.

Question 11

  • ISO 27001 accreditation demonstrates compliance with regulations and standards.

Question 12

  • COBIT stands for Control Objectives for Information and Related Technology.

Question 13

  • Val IT addresses value governance, portfolio management, and investment governance (ISO 9001 is the quality management standard and does not).

Question 14

  • The "P" in PDCA stands for "Plan."

Question 15

  • If an IS audit encounters inconclusive results and the agreed completion date is approaching, the auditor should document findings and advise of further testing needs and if necessary, postpone the audit.

Question 16

  • When examining online health care systems in compliance audits, IS auditors must first consider network setup and firewall rules surrounding the online system.

Question 17

  • When shared user IDs are detected in a financial services company website’s user access, auditors should document the finding and the potential risks associated with shared IDs.

Question 18

  • Auditors must maintain high standards of conduct and integrity without compromising their professional association.

Question 19

  • Legal requirements, laws, and regulatory or contractual agreements impact IS audit processes and procedures.

Question 20

  • Software audits ensure licensing compliance, monitor quality assurance, and conform to industry standards.

Question 21

  • The statement that increasing regulation prevents the use of sampling techniques in IS audits (because of internal control issues) is false.

Question 22

  • Standards provide characteristics for consistent materials, products, processes, and services.

Question 23

  • Iterative Model uses significant regression testing elements.

Question 24

  • Completing on an approved time table is not one of the three goals for a successful SDLC.

Question 25

  • Integrated testing ensures each component of a project functions together as a system.

Question 26

  • Recovery Point Objective (RPO) defines the data loss acceptable to an organization after a disaster.

Question 27

  • Recovery Time Objective (RTO) is the maximum acceptable time within which an organization must recover its data, processes, or applications after a disaster.

Question 28

  • Low RPO (Recovery Point Objective) suggests utilizing procedures like clustering, remote journaling, or database shadowing for better recovery strategies.

Question 29

  • QA (Quality Assurance) teams are responsible for software validation.

Question 30

  • A Hot Site will fully replace a company’s primary business operations.

Question 31

  • Business Continuity is the ability of an organization to continue delivering products and services in times of disruptions.

Question 32

  • The first step in developing a new or updating a business continuity plan is defining the organization's business objectives and strategy.

Question 33

  • Quantitative and qualitative risk analysis are common methods during business impact analysis.

Question 34

  • Business Continuity Planning Life Cycle involves the steps of Analysis, Solution Design, Implementation, Testing & Acceptance, and Maintenance.

Question 35

  • A digital dashboard is a business intelligence tool that displays key information about the business.

Question 36

  • Classification as crisis implies a negative material impact to business processes and other related systems.

Question 37

  • IS auditors must understand the relationship between business continuity strategies and organizational objectives.

Question 38

  • Business continuity plans (BCP) are tested through paper (tabletop) walk-throughs in which participants discuss and step through the procedures for various scenarios.

Question 39

  • Agile development incorporates test-driven development, continual feedback from customers, and simple solutions to solve common issues.

Question 40

  • Business Applications can range from large, specialized tools to third-party and internally developed systems.

Question 41

  • Backup rotation schemes are systems that regularly back up data to storage media, such as tapes.

Question 42

  • E-commerce involves aspects of services, communications, and business processes—not just buying and selling online.

Question 43

  • Risk of cost overrun is a significant concern for auditors.

Question 44

  • Functions of e-commerce software include product configuration and data analysis.

Question 45

  • The greatest benefit of B2C e-commerce is the ability to reach a global market.

Question 46

  • An IS strategic plan encompasses brochures, manager goals, project timelines, and senior management's directives.

Question 47

  • IT governance knowledge is critical for understanding an organization's IT strategy, risks, audit timeline, and deliverables.

Question 48

  • The primary purpose of the IT steering committee is to establish and define enterprise objectives.

Question 49

  • Where full segregation of duties cannot be achieved, separating the authorization of transactions from the ability to correct them should take priority.

Question 50

  • CMM (Capability Maturity Model) is characterized by measurement, documentation of accomplishments, and evaluation of progress.

Question 51

  • Database administration controls cover reviewing access logs and activities, as well as the use of database tools.

Question 52

  • Governance for Enterprise IT is the responsibility of the board of directors and executive management.

Question 53

  • Steering committees are focused on IT concerns, not departmental issues.

Question 54

  • CMM maturity levels in sequence are Initial, Repeatable, Defined, Managed, and Optimizing.

Question 55

  • IS audit performance measures must align with strategic direction and regulatory reporting standards.

Question 56

  • The most important aspect in auditing employee termination is the secure removal of employee access to company resources.

Question 57

  • Employees being allowed to copy personal files (prior to termination) would not be a suitable process for compliance.

Question 58

  • The balanced scorecard ensures the IT-strategy aligns with the overall business strategy.

Question 59

  • Optimal use of IT resources is a key aim for job descriptions and change control review boards.

Question 60

  • Additional awareness for cloud audits includes legal requirements.

Question 61

  • Employee contracts define the work-relationship as "work for hire."

Question 62

  • Outsourcing realigns activities based on core business needs.

Question 63

  • Strategy is the process of defining how an organization will accomplish its objectives.

Question 64

  • Hacker or Cracker is a more suitable term than Intruders.

Question 65

  • NIST reports that 64% of software vulnerabilities stem from programming errors not security flaws. This is true.

Question 66

  • Developers' beliefs about embedded device security are considered partially wrong.

Question 67

  • Problems concerning sponsor-funded projects include insufficient quality definitions and inadequate controls.

Question 68

  • Continuity of service and profitability/added value is critical; these points are integral to sustaining the outsourcing contract. This answer is true.

Question 69

  • Inadequate training and awareness can lead to failure of the balanced scorecard.

Question 70

  • Reasons for bringing outsourced operations in-house include losses of control, delayed services, and excess costs.

Question 71

  • Level 5 maturity in CMM allows a company to pay less to perform outsourcing. This statement is not true.

Question 72

  • The ideal correlation with strategy definition revolves around defining the business's objective, guidelines, and target for success.

Question 73

  • Change control is a governance issue due to necessity to ensure proper authorization, compliance with policies, and cost reductions.

Question 74

  • Ideal compliance monitoring is handled by a central repository.

Question 75

  • The IT/information resource policy describes rules about organizational permissions, usage, and information-related resources.

Question 76

  • The first step in IT security involves comprehensive security evaluation.

Question 77

  • Hash cracking recovers passwords from their hashes by hashing candidate guesses and comparing results; precomputed (rainbow) tables trade storage for lookup time against unsalted hashes. Hashes are one-way and are not decrypted, and per-user salts defeat precomputed tables.
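An added example (not part of the quiz) showing why that distinction matters in practice: a precomputed table built from a small constructed wordlist cracks unsalted SHA-256 digests by dictionary lookup alone, while a per-user salt and a slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library) force the attacker to rehash every guess for every user. The wordlist, salts and sample passwords are constructed values.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a real password wordlist.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2024"]


def unsalted_hash(password, algo="sha256"):
    """The weak scheme: a bare, fast hash of the password with no salt."""
    return hashlib.new(algo, password.encode()).hexdigest()


def build_table(wordlist, algo="sha256"):
    """Precompute digest -> plaintext once. Against unsalted hashes the table is
    reusable for every leaked database, which is what makes precomputation pay off."""
    return {unsalted_hash(pw, algo): pw for pw in wordlist}


def crack_unsalted(table, leaked_hashes):
    """Each leaked digest is a dictionary lookup; no hashing happens at crack time."""
    return {h: table.get(h) for h in leaked_hashes}


def hash_password(password, salt=None, iterations=100_000):
    """Hardened storage: a per-user random salt plus a deliberately slow KDF.
    Returns (salt, digest_hex); store both, the salt does not need to be secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def verify_password(password, salt, stored_hex, iterations=100_000):
    _, digest_hex = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest_hex, stored_hex)


def crack_salted(wordlist, salt, stored_hex, iterations=100_000):
    """With a salt the table is useless: the attacker must rehash every candidate
    for every user and pay the KDF cost each time. Weak passwords still fall,
    but to per-user guessing rather than a one-time lookup."""
    for pw in wordlist:
        if verify_password(pw, salt, stored_hex, iterations):
            return pw
    return None


if __name__ == "__main__":
    table = build_table(WORDLIST)
    leaked = [unsalted_hash("letmein"), unsalted_hash("Tr0ub4dor&3")]
    print("unsalted lookups:", crack_unsalted(table, leaked))
    salt, stored = hash_password("letmein")
    print("salted digest found in table:", stored in table)
    print("salted guessing result:", crack_salted(WORDLIST, salt, stored))
```

Note that crack_salted still finds "letmein": salting removes the attacker's precomputation advantage and the KDF makes each guess expensive, but neither substitutes for rejecting weak passwords in the first place.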

Question 78

  • Public key cryptosystems face a significant challenge in the key exchange process: the public keys being exchanged must be authenticated, otherwise an attacker can substitute their own.

Question 79

  • Cyber-ethics are ethical behaviors in the digital and online environment.

Question 80

  • An IS/IT Risk Management Committee is responsible for discussing security, establishing policies, and approving related practices.

Question 81

  • The initial step to manage an enterprise IT environment is to assess availability, compatibility, reliability, scalability, performance, and security.

Question 82

  • Benefits of outsourcing often involve reduced costs and streamlined processes.

Question 83

  • Digital signatures aim to authenticate data and preserve its integrity.

Question 84

  • Information categorized as "critical" demands a complete restriction on unauthorized access by third-party support personnel.

Question 85

  • The first feature of time-based two-factor authentication (2FA) tokens is clock synchronization between the token generator and the authentication server.
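An added example, not taken from the quiz, of why the clocks matter: an RFC 6238 time-based one-time password (TOTP) implementation in which the server accepts a code only if it matches the current 30-second step or one step either side (the drift window), and refuses to accept a time-step counter that has already been used (replay). The secret is the published RFC 6238 test seed, not a real key; the step, window and validator class are assumptions for the example.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 test seed (ASCII "12345678901234567890"); a constructed value for the
# demonstration only. Real seeds are random and shared out of band at enrolment.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    Token and server compute the same counter only if their clocks agree."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, server_time, step=30, window=1, digits=6):
    """Return the matched counter, or None. The window tolerates small clock drift;
    a token more than window*step seconds out of sync is rejected."""
    counter = int(server_time) // step
    for drift in range(-window, window + 1):
        candidate = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(candidate, code):
            return counter + drift
    return None


class TokenValidator:
    """Server side: verifies codes and refuses any counter at or below the last one
    accepted, so a captured code cannot be replayed within the window."""

    def __init__(self, secret, step=30, window=1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1

    def accept(self, code, now=None):
        now = time.time() if now is None else now
        matched = verify_totp(self.secret, code, now, self.step, self.window)
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    code = totp(SECRET, 59)
    print("code at T=59:", code)
    print("verified at T=89 (one step late):", verify_totp(SECRET, code, 89))
    print("verified at T=150 (drift too large):", verify_totp(SECRET, code, 150))
```

The window is the operational trade-off an auditor should ask about: too small and legitimate tokens fail as clocks drift, too large and an intercepted code stays usable for longer. Tracking the last accepted counter closes the replay gap that the window would otherwise open.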

Question 86

  • Effectively managing third-party vendors involves adhering to security standards like ISO 27001.

Question 87

  • Network security emphasizes measures like malware protection, proper password security, and consistent monitoring and logging.

Question 88

  • Electromagnetic emissions from terminals present a security risk because they can be detected at a distance and the displayed data reconstructed.

Question 89

  • A single sign-on (SSO) system poses a single point of failure.

Question 90

  • Data encryption is crucial for protecting data against unauthorized disclosure, particularly in the case of message transmission.

Question 91

  • Social engineering is a tactic used to trick someone into disclosing sensitive information.

Question 92

  • Determining which IS resources necessitate the involvement of a security expert is a critical aspect in controlling network infrastructure.

Question 93

  • Proper due diligence, processes, and activities assessment are necessary for selecting outsourcing service providers.

Question 94

  • Encrypting data transmission is the best way to protect data confidentiality.

Question 95

  • Effective management of outsourcing provider relationships includes due diligence, ongoing performance evaluations, and a clear Service Level Agreement (SLA).

Question 96

  • Suitable contractors should be identified and approved through verification and suitability.

Question 97

  • Software licensing violations are identified by contrasting the recorded software with licenses to spot inconsistencies.

Question 98

  • Open-source software, freeware, and shareware are all ways software can be made available with varying degrees of functionality and terms of use.

Question 99

  • Mandatory Access Controls are the highest (most restrictive) level of logical access control: the system enforces them and ordinary users cannot override them.

Question 100

  • User access, authentication, identification, and authorization are key aspects of an access control system (ACS).

Question 101

  • Spyware is used by data collection firms and malicious actors to gather and profit from personal information, including financial data.

Question 102

  • User profiles that can both capture and verify EFT messages, especially on behalf of other users, require special attention because they defeat segregation of duties and enable fraud.

Question 103

  • In IT, logical access control tools are used for proper identification, authentication, authorization, access control, and accountability.

Question 104

  • High availability is ensured through measures such as removing single points of failure.

Question 105

  • Information assets should be classified based on sensitivity for effective protection.

Question 106

  • Remote access security controls need proper documentation, implementation, and cost assessment.

Question 107

  • Auditing mobile device (BYOD) security requires consideration of policies, risk analysis, and organizational alignment.

Question 108

  • Auditing remote access to computers needs initial investigation into VPN configurations, prohibited access, and firewall configurations.

Question 109

  • Access Control Lists (ACLs) are critical for auditing user access.

Question 110

  • A web application firewall (WAF) is critical for security.

Question 111

  • Auditing backup media control means evaluating physical and logical controls.

Question 112

  • IS auditors should recommend stopping the intrusion and implementing input validation/sanitization.

Question 113

  • Misappropriation of assets, improper expenditures, and fraudulent financial reporting are all critical aspects in financial/corporate audit.

Question 114

  • IS audit objectives should be clarified to management prior to fieldwork.

Question 115

  • In detecting IT incidents, digital evidence collection and analysis is the first phase.

Question 116

  • An IS auditor needs to perform a proper review, report control weaknesses related to system software, and document the extent of the review.

Question 117

  • It is true that forensic analysis includes a review of the logical file structure and unused file space.

Question 118

  • Evaluating organizational facilities and business processes is of crucial importance in the initial phase of an IS audit.

Question 119

  • Functional walkthroughs allow auditors to understand business procedures and evaluate controls.

Question 120

  • System log analysis is essential for monitoring authorized modifications to production programs and other IT processes.

Question 121

  • When answers don't align with documented procedures, audit scope expansion or a suspension of the audit is in order.

Question 122

  • 100% of transactions should be verified using a GAS such as ACL (Audit Command Language).

Question 123

  • Limited sampling opportunities during program change request testing highlight a potential quality assurance issue; therefore the IS auditor should create an alternate testing procedure covering a more complete set of changes.

Question 124

  • The actions and decisions of an IS auditor directly affect inherent, control, and detection risks.

Question 125

  • When reviewing network architecture for inter-premise communications, the first concern should be the system architecture.

Question 126

  • Software application classification is heavily reliant on the nature of enterprise business and the application's value.

Question 127

  • Database normalization's primary benefit is its improved data integrity and minimization of data redundancy through its structured approach to data storage.

Question 128

  • Tracing from a system to a change log provides evidence of program change accuracy.

Question 129

  • Hot sites provide a full replacement for the organization’s primary operations in case of interruption.

Question 130

  • Effective capacity planning focuses on ensuring that utilization of resources and efficiency are maintained for overall business operations.

Question 131

  • Understanding changes in the business environment of a company is a crucial aspect of audit planning.

Question 132

  • Audit Trails require various tools, including SCARF/EAM, Snapshot, and Audit Hooks.

Question 133

  • IS auditors should not be involved in the acquisition plan; instead, they should be reviewing procurement processes and capacity management.

Question 134

  • Control self-assessment (CSA) is an excellent method that assures organizations that effective controls are in place and maintained.

Question 135

  • Situations that increase fraud likelihood often involve changes to production programs without proper approvals or the appropriate oversight procedures.

Question 136

  • Auditors should perform assessment of controls prior to the acquisition of new application software and during the requirements phase, not the implementation phase.

Question 137

  • IS auditors must ensure that new software applications are compatible with existing hardware, planned OS updates, and the company's current/future system needs.

Question 138

  • Firewalls are primarily designed to protect network segments from unauthorized traffic.

Question 139

  • Default passwords that have not been updated, failure to encrypt communications, and a lack of outbound proxies are concerns from an audit perspective.

Question 140

  • Auditing segregation of duties involves observing and interviewing staff members about their tasks.

Question 141

  • Supporting documentation obtained from systems, such as screenshots or reports, is critical for evaluating ongoing system configuration.

Question 142

  • Determining information assets, data, and related systems is paramount for assessing the risks associated with an organization’s information process.

Question 143

  • Test data's main challenge is ensuring the test program’s version aligns with the production version and that test data appropriately covers various situations.

Question 144

  • When security procedures are absent, the audit process should go beyond standard procedures to identify practices and implement procedures.

Question 145

  • A test-data approach is a suitable method for identifying payroll overpayments within a specific time period.

Question 146

  • Cross-checking input data with control totals in the source database enhances the completeness and accuracy of the input data.

Question 147

  • Using computer forensic software has the advantage of enabling efficient and comprehensive investigations of data and system information.

Question 148

  • After discovering a Trojan horse, auditors should first remove the malicious code from the system.

Question 149

  • Repeated or identical user IDs are a critical security concern for an IS auditor.

Question 150

  • Prevention of errors is not possible through internal controls in all circumstances; if the possibility of undetected errors exists, then the errors qualify as a control risk.

Description

Test your knowledge on IT governance frameworks such as ITIL, ISO 20000, and COBIT. This quiz covers essential concepts and practices in information security, compliance audits, and access control. Ideal for those looking to strengthen their understanding of IT management standards and frameworks.
