Which of the following is the FIRST step in a business
process reengineering (BPR) project?
A. Defining the areas to be reviewed
B. Developing a project plan
C. Understanding the process under review
D. Reengineering and streamlining the process under review
Answer / guest
Answer: A
On the basis of the evaluation of the entire business
process, correctly defining the areas to be reviewed is the
first step in a BPR project. On the basis of the definition
of the areas to be reviewed, the project plan is developed.
Understanding the process under review is important, but the
subject of the review must be defined first. Thereafter, the
process can be reengineered, streamlined, implemented and
monitored for continuous improvement.
| Is This Answer Correct ? | 7 Yes | 0 No |
During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor? A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident. B. The corporate business continuity plan (BCP) does not accurately document the systems that exist at remote offices. C. Corporate security measures have not been incorporated into the test plan. D. A test has not been made to ensure that tape backups from the remote offices are usable.
Which of the following is the PRIMARY reason for involving an IS auditor in the definition of a system's requirements? A. Post-application reviews do not need to be performed. B. Total budgeted system development costs can be reduced. C. It is costly to institute controls after a system becomes operational. D. The extent of user involvement in design activities is reduced.
Which of the following audit procedures would an IS auditor be LEAST likely to include in a security audit? A. Review the effectiveness and utilization of assets. B. Test to determine that access to assets is adequate. C. Validate physical, environmental and logical access policies per job profiles. D. Evaluate asset safeguards and procedures that prevent unauthorized access to the assets.
IS auditors reviewing access control should review data classification to ensure that encryption parameters are classified as: A. sensitive. B. confidential. C. critical. D. private.
Which is the first software capability maturity model (CMM) level to include a standard software development process? A. Initial (level 1) B. Repeatable (level 2) C. Defined (level 3) D. Optimizing (level 5)
An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The manager had written the password, allocated by the system administrator, inside his/her desk drawer. The IS auditor should conclude that the: A. manager's assistant perpetrated the fraud. B. perpetrator cannot be established beyond doubt. C. fraud must have been perpetrated by the manager. D. system administrator perpetrated the fraud.
The MOST important responsibility of a data security officer in an organization is: A. recommending and monitoring data security policies. B. promoting security awareness within the organization. C. establishing procedures for IT security policies. D. administering physical and logical access controls.
The security level of a private key system depends on the number of: A. encryption key bits. B. messages sent. C. keys. D. channels used.
Electromagnetic emissions from a terminal represent an exposure because they: A. affect noise pollution. B. disrupt processor functions. C. produce dangerous levels of electric current. D. can be detected and displayed.
Controls designed to ensure that unauthorized changes are not made to information residing in a computer file are known as: A. data security controls. B. implementation controls. C. program security controls. D. computer operations controls.
An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the: A. maintenance of access logs of usage of various system resources. B. authorization and authentication of the user prior to granting access to system resources. C. adequate protection of stored data on servers by encryption or other means. D. accountability system and the ability to identify any terminal accessing system resources.
Antivirus software should be used as a: A. detective control. B. preventive control. C. corrective control. D. compensating control.