The PRIMARY objective of a logical access control review is to:
Correct Answer: B
The scope of a logical access control review is primarily to determine whether or not access is granted per the organization's authorizations. Choices A and C relate to procedures of a logical access control review, rather than objectives. Choice D is relevant to a physical access control review.
Question 722
A small startup organization does not have the resources to implement segregation of duties. Which of the following is the MOST effective compensating control?
Correct Answer: B
In a small organization with relatively few employees, job rotation may not make much sense, because rotated employees are likely to be transferred back to their original positions after a while.
Question 723
An IS auditor has audited a business continuity plan (BCP). Which of the following findings is the MOST critical?
Correct Answer: B
Section: Protection of Information Assets
Explanation: Failure of a network backbone will result in the failure of the complete network and impact the ability of all users to access information on the network. The non-availability of an alternate PBX system will result in users not being able to make or receive telephone calls or faxes; however, users may have alternate means of communication, such as a mobile phone or e-mail. Lack of backup systems for user PCs will impact only the specific users, not all users. Failure of the access card system impacts the ability to maintain records of the users who are entering the specified work areas; however, this could be mitigated by manual monitoring controls.
Question 724
Which of the following testing procedures is used by an auditor to check whether a firm is following the rules and regulations applicable to an activity or practice?
Correct Answer: A
Section: The Process of Auditing Information Systems
Explanation: Compliance testing is an audit undertaken to confirm whether a firm is following the rules and regulations (prescribed by its internal authority or control system) applicable to an activity or practice. It is basically an audit of a system carried out against a known criterion. A compliance test may take many different forms depending on the request received, but it can be broken down into several types:
Operating systems and applications: a verification that an operating system and/or applications are configured appropriately to the company's needs and lockdown requirements, thus providing adequate and robust controls to ensure that the confidentiality, integrity and availability of the system will not be affected in its normal day-to-day operation.
Systems in development: a verification that the intended system under development meets the configuration and lockdown standards requested by the customer.
Management of IT and enterprise architecture: a verification that the in-place IT management infrastructure, encompassing all aspects of system support, has been put in place. This is to ensure that effective change control, audit, business continuity and security procedures, etc., have been formulated, documented and put in place.
Interconnection policy: a verification that adequate security and business continuity controls governing the connection to other systems (telecommunications, intranets, extranets, the Internet, etc.) have been put in place, have been fully documented and correspond to the stated customer requirements.
The following answers are incorrect:
Substantive testing: a procedure used during accounting audits to check for errors in balance sheets and other financial documentation. A substantive test might involve checking a random sample of transactions for errors, comparing account balances to find discrepancies, or analysis and review of the procedures used to execute and record transactions.
Sanity testing: testing to determine whether a new software version is performing well enough to accept it for a major testing effort. If the application crashes on initial use, the system is not stable enough for further testing, and the build or application is sent back to be fixed.
Recovery testing: testing how well a system recovers from crashes, hardware failures, or other catastrophic problems.
Reference: CISA Review Manual 2014, pages 52 and 53; http://www.wikijob.co.uk/wiki/substantive-testing
Question 725
A maturity model is useful in the assessment of IT service management because it:
Correct Answer: A
Section: Information System Acquisition, Development and Implementation