1. Disabling which of the following would make wireless local area networks MORE secure against unauthorized access?
Select an answer:
A. MAC (Media Access Control) address filtering
B. WPA (Wi-Fi Protected Access Protocol)
C. LEAP (Lightweight Extensible Authentication Protocol)
D. SSID (service set identifier) broadcasting
Answer is D
Disabling SSID broadcasting adds security by making it more difficult for unauthorized users to find the name of the access point. Disabling MAC address filtering would reduce security. Using MAC filtering makes it more difficult to access a WLAN, because it would be necessary to catch traffic and forge the MAC address. Disabling WPA reduces security. Using WPA adds security by encrypting the traffic. Disabling LEAP reduces security. Using LEAP adds security by encrypting the wireless traffic.
2. Which of the following is the BEST reason to implement a policy which addresses secondary employment for IT employees?
Select an answer:
A. To ensure that employees are not misusing corporate resources
B. To prevent conflicts of interest
C. To prevent employee performance issues
D. To prevent theft of IT assets
Answer is B
The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Conflicts of interest could result in serious risk such as fraud, theft of intellectual property or other improprieties. The other options are not correct because issues such as the misuse of corporate resources, poor performance and theft of IT assets are not as severe as the possible ramifications of a conflict of interest.
3. An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk?
Select an answer:
A. The policy has not been updated in more than one year.
B. The policy includes no revision history.
C. The policy is approved by the security administrator.
D. The company does not have an information security policy committee.
Answer is C
The information security policy should have an owner who has approved management responsibility for the development, review and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore would not have the authority to approve the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues. While the information security policy should be updated on a regular basis, the specific time period may vary based on the organization. Although reviewing policies annually is a best practice, the policy could be updated less frequently and still be relevant and effective. An outdated policy is still enforceable, whereas a policy without proper approval is not enforceable. The lack of a revision history with respect to the IS policy document is an issue, but not as significant as not having it approved by management. An IS policy committee is not required to develop and enforce a good information security policy. The policy could be written by one person, as long as the person who approves the policy has the proper authority and knowledge to review and approve the policy. Although a policy committee drawn from across the company is a best practice and may help write better policies, a good policy can be written by a single person, and the lack of a committee is not a problem by itself.
4. An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business value. Which of the following would be MOST relevant?
Select an answer:
A. A capability maturity model (CMM)
B. Portfolio management
C. Configuration management
D. Project management body of knowledge (PMBOK)
Answer is B
Portfolio management is designed to assist in the definition, prioritization, approval and running of a set of projects within a given organization. Portfolio management tools offer data capture, workflow and scenario planning functionality, which can help identify the optimum set of projects (from the full set of ideas) to take forward within a given budget. A CMM would not help determine the optimum portfolio of capital projects since it is a means of assessing the relative maturity of the IT processes within an organization: running from Level 0 (Incomplete—Processes are not implemented or fail to achieve their purpose) to Level 5 (Optimizing—Metrics are defined and measured, and continuous improvement techniques are in place). A configuration management database (which stores the configuration details for an organization's IT systems) is an important tool for IT service delivery and, in particular, change management. It may provide information that would influence the prioritization of projects, but it is not designed for that purpose. PMBOK is a methodology for the management and delivery of projects. It offers no specific guidance or assistance in optimizing a project portfolio.
5. An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?
Select an answer:
A. An audit clause is present in all contracts.
B. The service level agreement (SLA) of each contract is substantiated by appropriate key performance indicators (KPIs).
C. The contractual warranties of the providers support the business needs of the organization.
D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.
Answer is C
The complexity of IT structures matched by the complexity and interplay of responsibilities and warranties may affect or void the effectiveness of those warranties and the reasonable certainty that the business needs will be met. All other choices are important, but not as potentially dangerous as the interplay of the diverse and critical areas of the contractual responsibilities of the outsourcers.