CIS 349 Midterm Exam

Strayer CIS 349 Information Technology Audit and Control, Midterm Exam, for Auditing IT Infrastructures for Compliance.
Question 1
A large organization’s enterprise resource planning (ERP) system is being audited. Which of the following auditing scopes is most likely to apply?


Question 2
Which type of audit is performed primarily as a result of suspicious activity or alleged violations?

IT audit
Investigative audit
Compliance audit
Operational audit

Download Now
(sent via email)

Question 3
Which of the following is the definition of Control Objectives for Information and related Technology (COBIT)?

Oversight agencies that deal with administrative law, codifying, and enforcing rules.
The act of adhering to internal policies, as well as applicable laws, regulations, and industry requirements.
A framework providing best practices for IT governance and control.
An organization with the mission of promoting innovation and competitiveness through the advancement of science, standards, and technology to improve economic security and quality of life.

Question 4
___________ represents the controls that protect and defend information and information systems by ensuring confidentiality, integrity, and availability.

Information assurance
Certification and accreditation
Information resource management

Question 5
A person wants to withdraw funds from a personal banking account. She presents a driver’s license to the bank teller, but the teller doesn’t believe the driver’s license belongs to the customer. Which of the following provides guidance for addressing this situation?
Red Flags Rule

Question 6
What is meant by compliance?

Assurance that information is not disclosed to unauthorized sources.
The act of adhering to internal policies, as well as applicable laws, regulations, and industry requirements.
An audit of federal systems prior to being placed into a production environment.
Protection of the confidentiality, integrity, and availability of data, and providing for authentication and nonrepudiation of services.

Question 7
The following are part of the SANS top 20 critical technical controls list. Which one requires manual rather than automated validation?

Inventory of authorized and unauthorized devices
Boundary defense
Data recovery capability
Malware defenses

Question 8
Security assessments are grouped into different types. A _________ provides a targeted, concise, and technical review of information systems; involves control reviews and identification of vulnerabilities.

high-level security assessment
comprehensive security assessment
preproduction security assessment
security compliance assessment

Question 9
The end users’ operating environment is called the _____________.

User Domain
Workstation Domain
LAN Domain
All options are correctQuestion 10
An organization that provides guidance to executive management on organizational governance, internal controls, and risk management is the definition of:

IT Assurance Framework (ITAF)
Statement on Auditing Standards (SAS) 70, Service Organizations
Information Technology Governance Institute (ITGI)
Committee of Sponsoring Organizations (COSO) of the Treadway Commission

Question 11
Which of the following is not a characteristic of an IT security framework?

Is a conceptual set of rules and ideas that provides structure to a complex situation
Is rigid in structure and content
Provides a consistent system of controls to which IT departments can adhere
Provides an auditor a consistent approach for conducting audits

Question 12
What term is used to describe an audit that combines the assessment of financial reporting along with the assessment of related IT controls?

ISO/IEC 27001
Integrated audit
Auditing Standard No. 5
NIST 800-53AQuestion 13
Of the following frameworks available from ISACA, which one governs IT investments?

Val IT
Risk IT
IT Assurance Framework

Question 14
What is meant by audit scope?

The range of the organization to be included in an audit within a defined time frame.
A security risk-management framework developed by ISO/IEC.
The governing process for managing risks and opportunities.
All the resources or auditable components within an organization.

Question 15
Applying controls is a direct result of the risk assessment process combined with an analysis of the tradeoffs. Which one of the following is a tradeoff?

Operational impact
Security impact
User impact
Policy impact
Question 16
Analyzing potential threats requires the identification of all possible threats first. This is called__________.

threat identification
policy identification
risk identification
risk analysis

Question 17
When assessing risk in an IT environment, which methodology identifies flaws or weaknesses that can be triggered or exploited, which might result in a breach?

System characterization
Impact analysis
Vulnerability identification
Control recommendations

Question 18
IT personnel decide that their company is at low risk of flooding and decide not to purchase insurance or implement other controls that would prevent flood damage. Which of the following risk management strategies has primarily been implemented?


Question 19
When performing a security assessment, using a framework such as NIST 800-15, which is generally the first step?

Target identification
Document review
Target analysis
Exploit and validate vulnerabilities

Question 20
What is generally not tracked in a change management database?

Operating system type
Cost of software
Hardware configuration
Access permissions

Question 21
What is the collective name of tools and techniques, such as general audit software, audit expert systems, and even simple queries, that automate the audit process?

ERMQuestion 22
For security controls, gap analysis involves comparing the present state of controls with a desired state of controls. At a minimum, common baseline security controls should be in place. Any gaps to various types of controls should be clearly documented, for example – “Business continuity management”, which:

Defines the program to provide initial and ongoing security education across the organization.
Defines how staff will execute upon the policies, assign responsibilities, and promote accountability.
Prevents errors and unauthorized misuse of applications.
Provides methods to continue critical operations in spite of business interruptions.