Selected Practice Questions
Copyright © 2009 ISACA. All rights reserved. These questions and answers may not be used, copied, modified, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA.
1. Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.
2. An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific control during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did not have operational responsibilities.
D. provided consulting advice concerning application system best practices.
3. A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.
4. With regard to the evidence gathered during a computer forensic investigation, an IS auditor should be MOST concerned with:
A. analysis.
B. evaluation.
C. preservation.
D. disclosure.
5. Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and environment applicable to the review
D. Reviewing prior IS audit reports
6. During the course of an audit, an IS auditor observes that duties are not properly segregated. Under such a circumstance, the IS auditor should look for:
A. overlapping controls.
B. preventive controls.
C. compensating controls.
D. logical access controls.
7. Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.
8. To assist an organization in planning for IT investments, the IS auditor should recommend the use of:
A. project management tools.
B. an object oriented architecture.
C. tactical planning.
D. enterprise architecture.
9. An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?
A. References from other customers
B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan
10. IT governance ensures that an organization aligns its IT strategy with:
A. enterprise objectives.
B. IT objectives.
C. audit objectives.
D. control objectives.
11. An IS auditor should ensure that IT governance performance measures:
A. evaluate the activities of IT oversight committees.
B. provide strategic IT drivers.
C. adhere to regulatory reporting standards and definitions.
D. evaluate the IT department.
12. Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department
13. When reviewing a system development project at the project initiation stage, an IS auditor finds that the project team is following the organization’s quality manual. To meet critical deadlines the project team proposes to fast track the validation and verification processes, commencing some elements before the previous deliverable is complete. Under these circumstances, the IS auditor should:
A. report this as a critical finding to senior management.
B. accept that different quality processes can be adopted for each project.
C. report to IS management the team’s failure to follow quality procedures.
D. report the risks associated with fast tracking to the project steering committee.
14. Which of the following risks could result from inadequate software baselining?
A. Scope creep
B. Sign-off delays
C. Software integrity violations
D. Inadequate controls
15. Which of the following is critical to the selection and acquisition of the correct operating system software?
A. Competitive bids
B. User department approval
C. Hardware configuration analysis
D. Purchasing department approval
16. When conducting a review of business process reengineering, an IS auditor found that a key preventive control had been removed. The IS auditor should:
A. inform management of the finding and determine whether management is willing to accept the potential material risk of not having that preventive control.
B. determine if a detective control has replaced the preventive control during the process and, if it has, not report the removal of the preventive control.
C. recommend that this and all control procedures that existed before the process was reengineered be included in the new process.
D. develop a continuous audit approach to monitor the effects of the removal of the preventive control.
17. To assist in testing a core banking system being acquired, an organization has provided the vendor with sensitive data from its existing production system. An IS auditor's PRIMARY concern is that the data should be:
A. sanitized.
B. complete.
C. representative.
D. current.
18. An organization decides to purchase a package instead of developing it. In such a case, the design and development phases of a traditional software development life cycle (SDLC) would be replaced with:
A. selection and configuration phases.
B. feasibility and requirements phases.
C. implementation and testing phases.
D. nothing; replacement is not required.
19. An IS auditor is performing a project review to identify whether a new application has met business objectives. Which of the following test reports offers the MOST assurance that business objectives are met?
A. User acceptance
B. Performance
C. Sociability
D. Penetration
20. When reviewing input controls, an IS auditor observes that in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:
A. not be concerned since there may be other compensating controls to mitigate the risks.
B. ensure that overrides are automatically logged and subject to review.
C. verify whether all such overrides are referred to senior management for approval.
D. recommend that overrides not be permitted.
21. Capacity monitoring software is MAINLY used to ensure:
A. maximum use of available capacity.
B. that future acquisitions meet user needs.
C. concurrent use by a large number of users.
D. continuity of efficient operations.
22. Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?
A. Sensitive data can be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies can be printed.
D. Output can be lost in the event of system failure.
23. The database administrator has decided to disable certain normalization controls in the database management system (DBMS) software to provide users with increased query performance. This will MOST likely increase the risk of:
A. loss of audit trails.
B. redundancy of data.
C. loss of data integrity.
D. unauthorized access to data.
24. An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:
A. the setup is geographically dispersed.
B. the network servers are clustered in a site.
C. a hot site is ready for activation.
D. diverse routing is implemented for the network.
25. When reviewing a service level agreement for an outsourced computer center, an IS auditor should FIRST determine that:
A. the cost proposed for the services is reasonable.
B. security mechanisms are specified in the agreement.
C. the services in the agreement are based on an analysis of business needs.
D. audit access to the computer center is allowed under the agreement.
26. An IS auditor should recommend the use of library control software to provide reasonable assurance that:
A. program changes have been authorized.
B. only thoroughly tested programs are released.
C. modified programs are automatically moved to production.
D. source and executable code integrity is maintained.
27. Which of the following provides the BEST method for determining the level of performance provided by similar information-processing-facility environments?
A. User satisfaction
B. Goal accomplishment
C. Benchmarking
D. Capacity and growth planning
28. Which of the following satisfies a two-factor user authentication?
A. Iris scanning plus fingerprint scanning
B. Terminal ID plus global positioning system
C. A smart card requiring the user's PIN
D. User ID along with password
29. Naming conventions for system resources are important for access control because they:
A. ensure that resource names are not ambiguous.
B. reduce the number of rules required to adequately protect resources.
C. ensure that user access to resources is clearly and uniquely identified.
D. ensure that internationally recognized names are used to protect resources.
30. Which of the following would MOST effectively reduce social engineering incidents?
A. Security awareness training
B. Increased physical security measures
C. E-mail monitoring policy
D. Intrusion detection systems
31. To protect a VoIP infrastructure against a denial-of-service attack, it is MOST important to secure the:
A. access control servers.
B. session border controllers.
C. backbone gateways.
D. intrusion detection system.
32. Which of the following acts as a decoy to detect active Internet attacks?
A. Honeypots
B. Firewalls
C. Trapdoors
D. Traffic analysis
33. Which of the following BEST provides access control to payroll data being processed on a local server?
A. Logging access to personal information
B. Using separate passwords for sensitive transactions
C. Using software that restricts access rules to authorized staff
D. Restricting system access to business hours
34. Which of the following is the MOST effective anti-virus control?
A. Scanning e-mail attachments on the mail server
B. Restoring systems from clean copies
C. Disabling floppy drives
D. An online antivirus scan with up-to-date virus definitions
35. An IS auditor reviewing the log of failed logon attempts would be MOST concerned if which of the following accounts was targeted?
A. Network administrator
B. System administrator
C. Data administrator
D. Database administrator
36. An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious?
A. The security officer also serves as the database administrator.
B. Password controls are not administered over the client-server environment.
C. There is no business continuity plan for the mainframe system's noncritical applications.
D. Most local area networks do not back up file-server-fixed disks regularly.
37. A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the OS prompt or as one menu option in an application. The BEST control to mitigate the risk of unauthorized manipulation of data is to:
A. delete the utility software and install it as and when required.
B. provide access to the utility on a need-to-use basis.
C. provide access to the utility to user management.
D. define access so that the utility can be executed only in the menu option.
38. An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
A. maximum unauthorized access would be possible if a password is disclosed.
B. user access rights would be restricted by the additional security parameters.
C. the security administrator's workload would increase.
D. user access rights would be increased.
39. An element of an information security program is the monitoring, detection and prevention of hacking activities and alerting the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?
A. Intrusion detection systems
B. Firewalls
C. Routers
D. Proxy servers
40. To address a maintenance problem, a vendor needs remote access to a critical network. The MOST secure and effective solution is to provide the vendor with a:
A. secure shell (SSH-2) tunnel for the duration of the problem.
B. two-factor authentication mechanism for network access.
C. dial-in access.
D. virtual private network (VPN) account for the duration of the vendor support contract.
41. Which of the following concerns about the security of an electronic message would be addressed by digital signatures?
A. Unauthorized reading
B. Theft
C. Unauthorized copying
D. Alteration
42. Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet?
A. Digital signature
B. Data Encryption Standard
C. Virtual private network
D. Public key encryption
43. To prevent IP spoofing attacks, a firewall should be configured to drop a packet if:
A. the source routing field is enabled.
B. it has a broadcast address in the destination field.
C. a reset flag (RST) is turned on for the TCP connection.
D. dynamic routing is used instead of static routing.
44. In the event of a data center disaster, which of the following would be the MOST appropriate strategy to enable complete recovery of a critical database?
A. Daily data backup to tape and storage at a remote site
B. Real-time replication to a remote site
C. Hard disk mirroring to a local server
D. Real-time data backup to the local storage area network (SAN)
45. A PRIMARY objective of testing a business continuity plan (BCP) is to:
A. familiarize employees with the BCP.
B. ensure that all residual risks are addressed.
C. exercise all possible disaster scenarios.
D. identify limitations of the BCP.
46. A structured walk-through test of a disaster recovery plan involves:
A. representatives from each of the functional areas coming together to go over the plan.
B. all employees who participate in the day-to-day operations coming together to practice executing the plan.
C. moving the systems to the alternate processing site and performing processing operations.
D. distributing copies of the plan to the various functional areas for review.
47. An organization having a number of offices across a wide geographical area has developed a disaster recovery plan (DRP). Using actual resources, which of the following is the MOST cost-effective test of the DRP?
A. Full operational test
B. Preparedness test
C. Paper test
D. Regression test
48. Data mirroring should be implemented as a recovery strategy when:
A. recovery point objective is low.
B. recovery point objective is high.
C. recovery time objective is high.
D. disaster tolerance is high.
49. The window of time for recovery of information processing capabilities is based on the:
A. criticality of the processes affected.
B. quality of the data to be processed.
C. nature of the disaster.
D. applications that are mainframe-based.
50. In a business continuity plan which of the following notification directories is the MOST important?
A. Equipment and supply vendors
B. Insurance company agents
C. Contract personnel services
D. A prioritized contact list
Answers:
1 d
2 a
3 a
4 c
5 c
6 c
7 b
8 d
9 a
10 a
11 a
12 b
13 d
14 d
15 c
16 a
17 a
18 a
19 a
20 b
21 d
22 c
23 b
24 c
25 c
26 a
27 c
28 c
29 b
30 a
31 b
32 a
33 c
34 d
35 b
36 b
37 b
38 a
39 a
40 a
41 d
42 d
43 a
44 b
45 d
46 a
47 b
48 a
49 a
50 d