8/13/2019 Test Online - Solved
IT Audit: Test paper - online
1. In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:
d) disclose the threats and impacts to management.
Organizations use risk analysis to determine the extent of the potential threat and the risk associated with an IT system. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process. Upon completion of an audit, an IS auditor should describe and discuss with management the threats and potential impacts on the assets.
2. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
b) vulnerabilities and threats are identified.
In order to develop a risk-based audit strategy, it is a must to identify the risks and vulnerabilities and to understand them. As I said in the answer to the first question, this will determine the areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. A gap analysis would normally be done to compare the actual state to an expected or desirable state.
3. While conducting an audit, the IS auditor detects the presence of a virus. What should be the IS auditor's next step?
c) Inform appropriate personnel immediately.
After detecting the presence of a virus, the IS auditor should alert the organization about its presence, then wait for their response. Choice a), observe the response mechanism, should be taken after choice c), inform appropriate personnel immediately. In this way an IS auditor can examine the actual workability and effectiveness of the response system. An IS auditor cannot make changes to the system which is being audited; ensuring the deletion of the virus is a management responsibility.
4. An e-mail message from an unknown sender was sent to various members of an organization asking them to contribute funds to a charity organization. This is an example of what type of attack?
a) Event phishing.
Event phishing is a targeted phishing attack based on an event that has recently occurred. Blended phishing typically involves cross-site scripting in conjunction with fake e-mail messages. Social engineering is the art of manipulating people into performing actions or divulging
information. Spear phishing is the act of sending fake e-mail messages targeted to specific
individuals of an organization, but not typically related to a specific event.
5. Which of the following provides the framework for designing and developing logical access controls?
a) Information systems security policy.
The information systems security policy is developed and approved by the top management of an organization, and represents the basis on which logical access control is designed and developed. The other choices (access control lists, password management and systems configuration files) represent tools for implementing the access controls.