Proper segregation of duties prevents a computer operator (user) from performing security administration duties. True or false?
Correct Answer: A
Explanation: Proper segregation of duties prevents a computer operator (user) from performing security administration duties.
Question 702
An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?
Correct Answer: D
Explanation: The first thing an IS auditor should review when transaction processing times in an order processing system have significantly increased after a major release is the stress testing results. Stress testing evaluates how a system performs under extreme or abnormal conditions, such as high transaction volume, load, or concurrency. Stress testing results can explain why processing times increased after the release by revealing bottlenecks, limitations, or errors in the system's capacity, performance, or functionality under stress. The other options are less relevant because they do not directly measure how the system performs under such conditions. A capacity management plan is a document that defines the processes and activities for ensuring that the system has adequate resources and capabilities to meet current and future demands. Training plans define the processes and activities for ensuring that system users have adequate skills and knowledge to use the system effectively and efficiently. Database conversion results are the outcomes of transforming data from one format or structure to another to suit the system's requirements or specifications. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3
Question 703
IT control objectives are useful to IS auditors, as they provide the basis for understanding the:
Correct Answer: A
Section: Protection of Information Assets
Explanation: An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. Control objectives state the actual objectives for implementing controls and may or may not be the best practices. Techniques are the means of achieving an objective, and a security policy is a subset of IT control objectives.
Question 704
An organization has just completed its annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization?
Correct Answer: A
Explanation: The business continuity plan should be reviewed every time a risk assessment is completed for the organization. Training of the employees and a simulation should be performed after the business continuity plan has been deemed adequate for the organization. There is no reason to notify the business continuity plan contacts at this time.
Question 705
The cost of ongoing operations when a disaster recovery plan is in place, compared to not having a disaster recovery plan, will MOST likely:
Correct Answer: A
Explanation: Due to the additional cost of disaster recovery planning (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation; that is, the cost of operations during a nondisaster period with a disaster recovery plan in place will be higher than the cost of operations during a nondisaster period when no disaster recovery plan was in place.