Interested to Buy Any Domain ? << Click Here >> for more details...
During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern?
A. Maximum acceptable downtime metrics have not been defined in the contract.
B. The IT department does not manage the relationship with the cloud vendor.
C. The help desk call center is in a different country, with different privacy requirements.
D. Company-defined security policies are not applied to the cloud application.
- 1 Answers
- 7387 Views
- I also Faced
- E-Mail Answers
the answer is D.
A. Maximum acceptable downtime is a good metric to have in the contract to ensure application availability; however, human resources (HR) applications are usually not mission-critical, and therefore, maximum acceptable downtime is not the most significant concern in this scenario.
B. The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team; however, it is not essential that the individual or team belong to the IT department.
C. A company-defined security policy would ensure that help desk personnel would not have access to personnel data, and this would be covered under the security policy. The more critical issue would be that the application complied with the security policy.
D. Cloud applications should adhere to the company-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.
Question #: 935 CISA Job Practice Task Statement: 2.5
| Is This Answer Correct ? | 5 Yes | 2 No |
Which of the following would be of MOST concern to an IS auditor reviewing a VPN implementation? Computers on the network that are located: A. on the enterprise's facilities. B. at the backup site. C. in employees' homes. D. at the enterprise's remote offices.
An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: A. check to ensure the type of transaction is valid for that card type. B. verify the format of the number entered then locate it on the database. C. ensure that the transaction entered is within the cardholder's credit limit. D. confirm that the card is not shown as lost or stolen on the master file.
E-cash is a form of electronic money that: A. can be used over any computer network. B. utilizes reusable e-cash coins to make payments. C. does not require the use of an Internet digital bank. D. contains unique serial numbering to track the identity of the buyer.
Which of the following is the MOST important function to be performed by IT management within an outsourced environment? A. Ensuring that invoices are paid to the provider B. Participating in systems design with the provider C. Renegotiating the provider's fees D. Monitoring the outsourcing provider's performance
Automated teller machines (ATMs) are a specialized form of a point-of-sale terminal that: A. allows for cash withdrawal and financial deposits only. B. are usually located in populous areas to deter theft or vandalism. C. utilizes protected telecommunication lines for data transmissions. D. must include high levels of logical and physical security.
Which of the following protocols would be involved in the implementation of a router and interconnectivity device monitoring system? A. Simple network management B. File transfer C. Simple Mail Transfer Protocol D. Telnet
The most common problem in the operation of an intrusion detection system (IDS) is: A. the detection of false positives. B. receiving trap messages. C. reject error rates. D. denial-of-service attacks.
The MOST likely explanation for the use of applets in an Internet application is that: A. it is sent over the network from the server. B. the server does not run the program and the output is not sent over the network. C. they improve the performance of both the web server and network. D. it is a JAVA program downloaded through the web browser and executed by the web server of the client machine.
To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system (IDS) between the:
The PRIMARY objective of a logical access controls review is to: A. review access controls provided through software. B. ensure access is granted per the organization's authorities. C. walkthrough and assess access provided in the IT environment. D. provide assurance that computer hardware is protected adequately against abuse.
Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same? A. A substantive test of program library controls B. A compliance test of program library controls C. A compliance test of the program compiler controls D. A substantive test of the program compiler controls
While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on? A. Business processes B. Critical IT applications C. Corporate objectives D. Business strategies
Cisco Certifications 
