The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
Correct Answer: B
Explanation/Reference: Explanation: The major benefit of implementing a security program is management's assessment of risk, its mitigation to an acceptable level, and the ongoing monitoring of the remaining (residual) risk. Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they are not its major benefit. The cost of IT security may or may not be reduced.
Question 27
Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks?
Correct Answer: A
Section: Protection of Information Assets Explanation: WPA uses dynamic session keys (TKIP derives a fresh per-packet key from a per-session key), achieving stronger encryption than Wired Equivalent Privacy (WEP), which operates with static keys (the same shared key is used by everyone in the wireless network and reused for every frame). All other choices are weaknesses of WEP.
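To make the "static key versus dynamic session key" point concrete, the following is an added example (not from the original question bank or any vendor code). It simulates only the part of WEP that matters here: RC4 keyed with a 24-bit clear-text IV prepended to a shared key. It omits the CRC-32 ICV, TKIP key mixing and MIC, and uses constructed keys and plaintexts. With one static key for the whole WLAN, two frames that repeat an IV share a keystream, so XORing the two ciphertexts cancels the keystream and a known plaintext yields the other; with distinct per-session keys the same IV repeat leaks nothing. The birthday-bound helper shows why IV repeats are inevitable in a 24-bit IV space.

```python
"""Why WEP's static shared key leaks under IV reuse and per-session keys do not.

Added example, not part of the original page. Models RC4 plus WEP's
24-bit IV prefix only; ICV, TKIP key mixing and MIC are left out.
All keys, IVs and plaintexts below are constructed sample data.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_frame(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: per-frame RC4 key = 24-bit IV || key; IV is sent in clear."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    return iv + xor_bytes(rc4_keystream(iv + key, len(plaintext)), plaintext)


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes):
    """Keystream-reuse attack: if both frames carry the same IV and were built with
    the same key, body_a XOR body_b == plaintext_a XOR plaintext_b, so a known
    plaintext_a reveals plaintext_b with no knowledge of the key.
    Returns None when the IVs differ (no reuse to exploit)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 3
    return xor_bytes(xor_bytes(frame_a[3:3 + n], frame_b[3:3 + n]), known_plaintext_a[:n])


def frames_until_iv_collision(probability: float = 0.5, iv_bits: int = 24) -> float:
    """Birthday bound: roughly how many frames until two share an IV with the given probability."""
    return math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - probability)))


# Constructed sample data (hypothetical keys and payloads).
STATIC_KEY = bytes.fromhex("0102030405")              # one 40-bit key shared by the whole WLAN (WEP)
SESSION_KEY_STA1 = bytes.fromhex("a1b2c3d4e5f60718")  # distinct per-session keys (WPA-style)
SESSION_KEY_STA2 = bytes.fromhex("9f8e7d6c5b4a3928")
IV = bytes.fromhex("00ff13")                           # the same IV value observed twice
PT_A = b"GET /index.html HTTP/1.1"                     # attacker knows/guesses this one
PT_B = b"POST /login.php HTTP/1.1"                     # attacker wants this one


def demo_static_key_leak() -> bytes:
    """Two stations, one static key, repeated IV: PT_B falls out of the XOR."""
    frame_a = wep_style_frame(STATIC_KEY, IV, PT_A)
    frame_b = wep_style_frame(STATIC_KEY, IV, PT_B)
    return recover_from_iv_reuse(frame_a, frame_b, PT_A)


def demo_session_keys() -> bytes:
    """Same repeated IV, but each station has its own session key: result is noise."""
    frame_a = wep_style_frame(SESSION_KEY_STA1, IV, PT_A)
    frame_b = wep_style_frame(SESSION_KEY_STA2, IV, PT_B)
    return recover_from_iv_reuse(frame_a, frame_b, PT_A)


if __name__ == "__main__":
    print("static key, IV reused  ->", demo_static_key_leak())
    print("session keys, IV reused->", demo_session_keys())
    print("frames for 50% IV collision:", round(frames_until_iv_collision()))
```

The birthday figure (a few thousand frames for a 50% chance of an IV repeat) is why a busy WEP network hands an attacker reusable keystream within minutes; per-session keys do not enlarge the IV space, they simply stop an IV repeat from implying a keystream repeat.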
Question 28
An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?
Correct Answer: D
Question 29
Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?
Correct Answer: B
Explanation: The best way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster is to involve staff at all levels in periodic paper walk-through exercises. The BCPs are then tested and validated by the people who will execute them in a real situation, and any gaps, errors or inconsistencies can be identified and corrected. Paper walk-through exercises also raise awareness, train staff on their roles and responsibilities in a BCP scenario, and allow the feasibility and effectiveness of the recovery strategies to be evaluated [1]. The other options are not the best ways to ensure that BCPs will work effectively, because none of them tests or validates the plans. Preparing detailed plans for each business function is important, but it does not guarantee that the plans are realistic, practical, or aligned with the overall business objectives and priorities [2]. Regularly updating business impact assessments is also essential and keeps the plans aligned with the current business environment and risks, but it does not show whether the plans themselves will work when executed [2]. Making senior managers responsible for their plan sections is a good way to assign accountability and authority, but it does not ensure that the plan sections are coordinated and integrated with each other [2]. References: [1] Best Practices for Creating a Business Continuity Plan; [2] Business Continuity Plan Best Practices; [3] Best Practice Guide: Business Continuity Planning (BCP).
Question 30
Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:
Correct Answer: B
Explanation/Reference: Explanation: An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process. Choice A is incorrect because an IS auditor must review the process as it is today, not as it was in the past. Choices C and D are incorrect because they are steps within a BPR project.