heather chatterjee

City: darien
Country: usa
Profession: it audit
User No: 117563
Total Questions Posted: 16
Total Answers Posted: 18

Total Answers Posted for My Questions: 18
Total Views for My Questions: 79173

Users Marked my Answers as Correct: 79
Users Marked my Answers as Wrong: 5

Question { 3174 }

To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system (IDS) between the:


Answer

The answer is A.

A. Attack attempts that could not be recognized by the firewall will be detected if a network-based intrusion detection system (IDS) is placed between the firewall and the organization’s network.

B. A network-based IDS placed between the Internet and the firewall will detect attack attempts, whether they are or are not noticed by the firewall.

C. Placing an IDS outside of the web server will identify attacks directed at the web server, but will not detect attacks missed by the firewall.

D. Placing the IDS after the web server would identify attacks that have made it past the web server, but will not indicate whether the firewall would have been able to detect the attacks.

Is This Answer Correct ?    1 Yes 1 No
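An added illustration of the placement argument in the answer above (this is example code written for this page, not part of the original post or of any ISACA material). It simulates a tiny port-filtering firewall and a signature-matching IDS, then compares the alerts a sensor would raise when placed outside the firewall (between the Internet and the firewall) against a sensor placed inside it (between the firewall and the organization's network). The firewall policy, the signatures and the five inbound flows are all constructed for the demonstration.

```python
"""Added example: which IDS placement reports the attacks a firewall missed.

Constructed assumptions: a stateless firewall that filters on destination
port only (so it cannot inspect payloads), an IDS that matches payload
substrings, and a handful of synthetic inbound flows.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source IP of the inbound connection
    dst_port: int   # destination port on the internal host
    payload: str    # application data as the sensor would see it


# Constructed firewall policy: only web traffic is permitted inbound.
FIREWALL_ALLOWED_PORTS = {80, 443}

# Constructed IDS signatures: payload substring -> signature name.
IDS_SIGNATURES = {
    "' OR 1=1": "sqli-tautology",
    "../../etc/passwd": "path-traversal",
    "SMB-exploit": "smb-exploit-attempt",
}

# Constructed sample traffic. Two attacks ride on allowed ports, one
# attack and one benign flow hit ports the firewall blocks.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 445, "SMB-exploit attempt"),          # attack, blocked
    Flow("203.0.113.11", 80, "GET /?id=1' OR 1=1 --"),         # attack, passes
    Flow("203.0.113.12", 443, "GET /img/../../etc/passwd"),    # attack, passes
    Flow("198.51.100.5", 80, "GET /index.html"),               # benign, passes
    Flow("198.51.100.6", 22, "SSH-2.0-OpenSSH"),               # benign, blocked
]


def firewall_passes(flow: Flow) -> bool:
    """Port-based filtering: the firewall never looks at the payload."""
    return flow.dst_port in FIREWALL_ALLOWED_PORTS


def ids_alerts(flows):
    """Return the set of (src, signature) alerts for the flows a sensor sees."""
    alerts = set()
    for flow in flows:
        for needle, name in IDS_SIGNATURES.items():
            if needle in flow.payload:
                alerts.add((flow.src, name))
    return alerts


def compare_placements(inbound):
    """Alerts from a sensor outside the firewall vs. one inside it.

    'inside' alerts are exactly the attacks the firewall let through, which
    is what the auditor in the question wants to detect. 'outside' alerts
    also include attacks the firewall already blocked.
    """
    outside = ids_alerts(inbound)                      # Internet <-> firewall
    passed = [f for f in inbound if firewall_passes(f)]
    inside = ids_alerts(passed)                        # firewall <-> internal net
    return {
        "outside": outside,
        "inside": inside,
        "blocked_by_firewall": outside - inside,       # noise for this objective
    }


if __name__ == "__main__":
    result = compare_placements(SAMPLE_FLOWS)
    for placement, alerts in result.items():
        print(f"{placement}:")
        for src, sig in sorted(alerts):
            print(f"  {src}  {sig}")
```

The inside sensor's alert list contains only the SQL injection and path traversal attempts that rode on allowed ports, so every alert there is an attack the firewall could not recognize; the outside sensor adds the SMB attempt the firewall had already dropped, which is useful for threat intelligence but says nothing about firewall effectiveness.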

Question { 6263 }

During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern?

A. Maximum acceptable downtime metrics have not been defined in the contract.

B. The IT department does not manage the relationship with the cloud vendor.

C. The help desk call center is in a different country, with different privacy requirements.

D. Company-defined security policies are not applied to the cloud application.


Answer

The answer is D.

A. Maximum acceptable downtime is a good metric to have in the contract to ensure application availability; however, human resources (HR) applications are usually not mission-critical, and therefore, maximum acceptable downtime is not the most significant concern in this scenario.

B. The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team; however, it is not essential that the individual or team belong to the IT department.

C. A company-defined security policy would ensure that help desk personnel would not have access to personnel data, and this would be covered under the security policy. The more critical issue would be that the application complied with the security policy.

D. Cloud applications should adhere to the company-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.


Question #: 935 CISA Job Practice Task Statement: 2.5

Is This Answer Correct ?    5 Yes 2 No


Question { 6949 }

Which of the following choices BEST ensures the effectiveness of controls related to interest calculation inside an accounting system?

A. Re-performance

B. Process walk-through

C. Observation

D. Documentation review


Answer

The answer is A.

A. To ensure the effectiveness of controls, it is most effective to conduct re-performance. When the same result is obtained after the performance by an independent person, this provides the strongest assurance.

B. Process walk-through may help the auditor to understand the controls better; however, it may not be as useful as conducting re-performance for a sample of transactions.

C. Observation is a valid audit method to verify that operators are using the system appropriately; however, conducting re-performance is a better method.

D. Documentation review may be of some value for understanding the control environment; however, conducting re-performance is a better method.

Is This Answer Correct ?    8 Yes 0 No
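A worked illustration of re-performance as described in the answer above (added example for this page, not part of the original post and not drawn from any real accounting system). The auditor takes the raw inputs of a sample of accounts, recomputes the interest independently from the documented rule, and lists every account where the independent result differs from what the system posted. The documented rule is assumed here to be simple interest on an actual/365 day count rounded half-up to the cent; the four sample accounts, including the two that disagree with the system, are constructed.

```python
"""Added example: re-performing an interest calculation control.

Constructed assumptions: the control's documented formula is simple
interest, actual/365 day count, rounded half-up to the cent. The sample
records and the 'posted' figures are invented for the demonstration.
"""
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
DAYS_PER_YEAR = Decimal(365)


def recompute_interest(principal: Decimal, annual_rate: Decimal,
                       start: date, end: date) -> Decimal:
    """Independent calculation from raw inputs, per the documented rule.

    Decimal is used deliberately: binary floats would introduce rounding
    noise of their own and make cent-level comparison unreliable.
    """
    days = (end - start).days
    if days < 0:
        raise ValueError("period end precedes period start")
    raw = principal * annual_rate * Decimal(days) / DAYS_PER_YEAR
    return raw.quantize(CENT, rounding=ROUND_HALF_UP)


def reperform(sample):
    """Compare the independent figure with the system's posted figure.

    Returns a list of exceptions as (account, expected, posted, difference).
    An empty list means the sample re-performed cleanly.
    """
    exceptions = []
    for rec in sample:
        expected = recompute_interest(rec["principal"], rec["rate"],
                                      rec["start"], rec["end"])
        if expected != rec["posted"]:
            exceptions.append((rec["account"], expected, rec["posted"],
                               rec["posted"] - expected))
    return exceptions


# Constructed audit sample. A and B agree with the system; C shows the
# system truncating instead of rounding; D shows a 360-day year applied
# where the documented rule says 365.
SAMPLE = [
    {"account": "A", "principal": Decimal("10000.00"), "rate": Decimal("0.05"),
     "start": date(2024, 1, 1), "end": date(2024, 1, 31), "posted": Decimal("41.10")},
    {"account": "B", "principal": Decimal("2500.50"), "rate": Decimal("0.0375"),
     "start": date(2024, 2, 1), "end": date(2024, 3, 1), "posted": Decimal("7.45")},
    {"account": "C", "principal": Decimal("125000.00"), "rate": Decimal("0.0425"),
     "start": date(2024, 1, 1), "end": date(2024, 4, 1), "posted": Decimal("1324.48")},
    {"account": "D", "principal": Decimal("50000.00"), "rate": Decimal("0.06"),
     "start": date(2024, 3, 1), "end": date(2024, 3, 31), "posted": Decimal("250.00")},
]


if __name__ == "__main__":
    for acct, expected, posted, diff in reperform(SAMPLE):
        print(f"account {acct}: expected {expected}, posted {posted}, diff {diff:+}")
```

Two things distinguish this from a walk-through or a documentation review: the expected figure comes from the auditor's own computation rather than from the system under test, and a mismatch is evidence in itself, not a question to raise with the operator. The rounding exception on account C is the kind of small, systematic error that observation would never surface.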
