Interested to Buy Any Domain ? << Click Here >> for more details...
During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern?
A. Maximum acceptable downtime metrics have not been defined in the contract.
B. The IT department does not manage the relationship with the cloud vendor.
C. The help desk call center is in a different country, with different privacy requirements.
D. Company-defined security policies are not applied to the cloud application.
- 1 Answers
- 7275 Views
- I also Faced
- E-Mail Answers
the answer is D.
A. Maximum acceptable downtime is a good metric to have in the contract to ensure application availability; however, human resources (HR) applications are usually not mission-critical, and therefore, maximum acceptable downtime is not the most significant concern in this scenario.
B. The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team; however, it is not essential that the individual or team belong to the IT department.
C. A company-defined security policy would ensure that help desk personnel would not have access to personnel data, and this would be covered under the security policy. The more critical issue would be that the application complied with the security policy.
D. Cloud applications should adhere to the company-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.
Question #: 935 CISA Job Practice Task Statement: 2.5
| Is This Answer Correct ? | 5 Yes | 2 No |
To review access to ceratin data base to determine whether the "new user" forms were correctly authorized. This is an example of:
Which of the following BEST describes the early stages of an IS audit? A. Observing key organizational facilities. B. Assessing the IS environment. C. Understanding business process and environment applicable to the review. D. Reviewing prior IS audit reports.
Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet? A. Customers are widely dispersed geographically, but not the certificate authorities. B. Customers can make their transactions from any computer or mobile device. C. The certificate authority has several data processing subcenters to administrate certificates. D. The organization is the owner of the certificate authority.
Which of the following line media would provide the BEST security for a telecommunication network? A. Broad band network digital transmission B. Baseband network C. Dial-up D. Dedicated lines
At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should: A. report the error as a finding and leave further exploration to the auditee's discretion. B. attempt to resolve the error. C. recommend that problem resolution be escalated. D. ignore the error, as it is not possible to get objective evidence for the software error.
Which of the following would be the BEST population to take a sample from when testing program changes? A. Test library listings B. Source program listings C. Program change requests D. Production library listings
Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should: A. include the finding in the final report because the IS auditor is responsible for an accurate report of all findings. B. not include the finding in the final report because the audit report should include only unresolved findings. C. not include the finding in the final report because corrective action can be verified by the IS auditor during the audit. D. include the finding in the closing meeting for discussion purposes only.
An IS auditor auditing hardware monitoring procedures should review A. system availability reports. B. cost-benefit reports. C. response time reports. D. database utilization reports.
The editing/validation of data entered at a remote site would be performed MOST effectively at the: A. central processing site after running the application system. B. central processing site during the running of the application system. C. remote processing site after transmission to the central processing site. D. remote processing site prior to transmission of the data to the central processing site.
An IS auditor observed that some data entry operators leave their computers in the midst of data entry without logging off. Which of the following controls should be suggested to prevent unauthorized access? A. Encryption B. Switch off the computer when leaving C. Password control D. Screen saver password
Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized? A. Release-to-release source and object comparison reports B. Library control software restricting changes to source code C. Restricted access to source code and object code D. Date and time-stamp reviews of source and object code
Data flow diagrams are used by IS auditors to: A. order data hierarchically. B. highlight high-level data definitions. C. graphically summarize data paths and storage. D. portray step-by-step details of data generation.
Cisco Certifications 
