Dow nload Safari Books Online apps: Apple iOS | Android | BlackBerry

Help

Sign In

Safar i Books Onl ine is a digital l ibr ar y pr oviding on-demand subscr iption access to thousands of l ear ning r esour ces.

Reactivate

Fr e e Tri a l

This Book
CISA Exam Prep

Part VI: Final Preparation > Practice Exam Questions

Practice Exam Questions

1.
Search
Contents

Which type of sampling is best when dealing with population characteristics

such as dollar amounts and weights?
A.

Attribute sampling

B.

Variable sampling

C.

Stop-and-go sampling

D.

Discovery sampling

Table of C ontents
Index
C opyright
About the Author
Acknowledgments
We Want to Hear from You!
Reader Services
Introduction
Study and Exam Prep Tips
Pt. I: IT Governance and the
Audit Process
Pt. II: System and
Infrastructure Lifecycle
Management
Pt. III: IT Service Delivery
and Support

2.

Pt. IV: Protection of

Information Assets
Pt. V: Business C ontinuity
and Disaster Recovery

Which of the following sampling techniques is generally applied to

compliance testing?
A.

Attribute sampling

B.

Variable sampling

C.

Stop-and-go sampling

D.

Discovery sampling

Pt. VI: Final Preparation

Fast Facts
Practice Exam
C ertified Information
Systems Auditor (C ISA)
Practice Exam
Questions
Answers to Practice Exam
Questions
Glossary
C ISA Exam Prep Objective
Matrix
Index

3.

4.

To guarantee the confidentiality of client information, an auditor should do

which of the following when reviewing such information?
A.

Contact the CEO or CFO and request what sensitive information

can and cannot be disclosed to authorities

B.

Assume full responsibility for the audit archive and stored data

C.

Leave all sensitive information at the owners facility

D.

Not back up any of his or her work papers

Which of the following best describes materiality?

A.

Subscribe

An audit technique used to evaluate the need to perform an audit

5.

6.

7.

8.

B.

The principle that individuals, organizations, and the community

are responsible for their actions and might be required to explain
them

C.

The auditors independence and freedom from conflict of interest

D.

An auditing concept that examines the importance of an item of

information in regard to the impact or effect on the entity being
audited

Which of the following sampling technique is best to use to prevent

excessive sampling?
A.

Attribute sampling

B.

Variable sampling

C.

Stop-and-go sampling

D.

Discovery sampling

Which of the following descriptions best defines auditor independence?

A.

The auditor has high regard for the company and holds several
hundred shares of the companys stock

B.

The auditor has a history of independence and even though the

auditor has a niece that is employed by the company, he has
stated that this is not a concern

C.

The auditor has previously given advice to the organizations

design staff while employed as the auditor

D.

The auditor is objective, not associated with the organization, and

free of any connections to the client

Which of the following meets the description the primary objective is to

leverage the internal audit function by placing responsibility of control and
monitoring onto the functional areas?
A.

Integrated auditing

B.

Control self-assessment

C.

Automated work papers

D.

Continuous auditing

Which of the following sampling techniques would be best to use if the

expected discovery rate is extremely low?
A.

Attribute sampling

B.

Variable sampling

C.

Stop-and-go sampling

D.

9.

10.

11.

12.

Discovery sampling

Which of the following offers how-to information?

A.

Standards

B.

Policy

C.

Guidelines

D.

Procedures

The type of risk that might not be detected by a system of internal

controls is defined as which of the following?
A.

Control risk

B.

Audit risk

C.

Detection risk

D.

Inherent risk

Which of the following items makes computer-assisted audit techniques

(CAAT) important to an auditor?
A.

A large amount of information is obtained by using specific

techniques to analyze systems.

B.

An assistant or untrained professional with no specialized training

can utilize CAAT tools, which frees up the auditor to participate in
other activities.

C.

CAAT requires more human involvement in the analysis than

multifunction audit utilities.

D.

CAAT requires the auditor to reduce the sampling rate and

provides a more narrow audit coverage.

The risk that a material error will occur because of weak controls or no
controls is known as which of the following?
A.

Control risk

B.

Audit risk

C.

Detection risk

D.

Inherent risk

13.

You have been asked to audit a series of controls. Using Figure E.1 as
your reference, what type of control have you been asked to examine?
A. Amount total

B. Hash total

C. Item total

D. Data checksum

Figure E.1.
[View full size image]

14.

15.

Which of the following is the best tool to extract data that is relevant to
the audit?
A.

Integrated auditing

B.

Generalized audit software

C.

Automated work papers

D.

Continuous auditing

You have been asked to perform an audit of the disaster-recovery

procedures. As part of this process, you must use statistical sampling
techniques to inventory all backup tapes. Which of the following
descriptions best defines what you have been asked to do?
A.

Continuous audit

B.

Integrated audit

C.

Compliance audit

D.

Substantive audit

16.

17.

18.

19.

According to ISACA, which of the following is the fourth step in the riskbased audit approach?
A.

Gather information and plan

B.

Perform compliance tests

C.

Perform substantive tests

D.

Determine internal controls

Which general control procedure most closely maps to the information

systems control procedure that specifies, Operational controls that are
focused on day-to-day activities?
A.

Business continuity and disaster-recovery procedures that provide

reasonable assurance that the organization is secure against
disasters

B.

Procedures that provide reasonable assurance for the control of

database administration

C.

System-development methodologies and change-control

procedures that have been implemented to protect the
organization and maintain compliance

D.

Procedures that provide reasonable assurance to control and

manage data-processing operations

Which of the following is the best example of a detective control?

A.

Access-control software that uses passwords, tokens, and/or

biometrics

B.

Intrusion-prevention systems

C.

Backup procedures used to archive data

D.

Variance reports

Which of the following is not one of the four common elements needed to
determine whether fraud is present?
A.

An error in judgment

B.

Knowledge that the statement was false

C.

Reliance on the false statement

D.

Resulting damages or losses

20.

21.

22.

23.

24.

You have been asked to implement a continuous auditing program. With this
in mind, which of the following should you first identify?
A.

Applications with high payback potential

B.

The format and location of input and output files

C.

Areas of high risk within the organization

D.

Targets with reasonable thresholds

Which of the following should be the first step for organizations wanting to
develop an information security program?
A.

Upgrade access-control software to a biometric or token system

B.

Approve a corporate information security policy statement

C.

Ask internal auditors to perform a comprehensive review

D.

Develop a set of information security standards

Which of the following is primarily tasked with ensuring that the IT

department is properly aligned with the goals of the business?
A.

Chief executive officer

B.

Board of directors

C.

IT steering committee

D.

Audit committee

The balanced score card differs from historic measurement schemes, in that
it looks at more than what?
A.

Financial results

B.

Customer satisfaction

C.

Internal process efficiency

D.

Innovation capacity

Which of the following is the purpose of enterprise architecture (EA)?

A.

Ensure that internal and external strategy are aligned

25.

26.

B.

Map the IT infrastructure of the organization

C.

Map the IT infrastructure of the organization and ensure that its

design maps to the organizations strategy

D.

Ensure that business strategy and IT investments are aligned

Which of the following types of planning entails an outlook of greater than

three years?
A.

Daily planning

B.

Long-term planning

C.

Operational planning

D.

Strategic planning

A new IT auditor has been asked to examine some processing, editing, and
validation controls. Can you help define the control shown in Figure E.2?
A. Validity check

B. Reasonableness check

C. Existence check

D. Range check

Figure E.2.
[View full size image]

27.

28.

29.

30.

Senior management needs to select a strategy to determine who will pay

for the information systems services. Which of the following payment
methods is known as a pay as you go system?
A.

Single cost

B.

Shared cost

C.

Chargeback

D.

Sponsor pays

Which of the following is the best method to identify problems between

procedure and activity?
A.

Policy review

B.

Direct observation

C.

Procedure review

D.

Interview

You are working with a risk-assessment team that is having a hard time
calculating the potential financial loss to the companys brand name that
could result from a risk. What should the team do next?
A.

Calculate the return on investment (ROI)

B.

Determine the single loss expectancy (SLE)

C.

Use a qualitative approach

D.

Review actuary tables

What operation-migration strategy has the highest possible level of risk?

A.

Parallel

31.

32.

33.

34.

B.

Hard

C.

Phased

D.

Intermittent

Many organizations require employees to rotate to different positions. Why?

A.

Help deliver effective and efficient services

B.

Provide effective cross-training

C.

Reduce the opportunity for fraud or improper or illegal acts

D.

Increase employee satisfaction

The balanced score card looks at four metrics. Which of the following is not
one of those metrics?
A.

External operations

B.

The customer

C.

Innovation and learning

D.

Financial data

You have been assigned to a software-development project that has 80

linked modules and is being developed for a system that handles several
million transactions per year. The primary screen of the application has data
items that carry up to 20 data attributes. You have been asked to work
with the audit staff to determine a true estimate of the development effort.
Which of the following is the best technique to determine the size of the
project?
A.

White-boxing

B.

Black-boxing

C.

Function point analysis

D.

Source lines of code

Which of the following is the preferred tool for estimating project time when
a degree of uncertainty exists?
A.

Program Evaluation and Review Technique (PERT)

35.

36.

37.

38.

B.

Source lines of code (SLOC)

C.

Gantt

D.

Constructive Cost Model (COCOMO)

Which of the following techniques is used to determine what activities are

critical and what the dependencies are among the various tasks?
A.

Compiling a list of each task required to complete the project

B.

COCOMO

C.

Critical path methodology (CPM)

D.

Program Evaluation and Review Technique (PERT)

Which of the following is considered a traditional system development

lifecycle model?
A.

The waterfall model

B.

The spiral development model

C.

The prototyping model

D.

Incremental development

You have been assigned as an auditor to a new software project. The team
members are currently defining user needs and then mapping how the
proposed solution meets the need. At what phase of the SDLC are they?
A.

Feasibility

B.

Requirements

C.

Design

D.

Development

Which of the following is not a valid output control?

A.

Logging

B.

Batch controls

C.

Security signatures

D.

39.

Report distribution

The following question references Figure E.3. Item A refers to which of the
following?
A. Foreign key

B. Tuple

C. Attribute

D. Primary key

Figure E.3.
[View full size image]

40.

41.

You have been asked to suggest a control that could be used to determine
whether a credit card transaction is legitimate or potentially from a stolen
credit card. Which of the following would be the best tool for this need?
A.

Decision support systems

B.

Expert systems

C.

Intrusion-prevention systems

D.

Data-mining techniques

You have been asked to suggest a control that can be used to verify that
batch data is complete and was transferred accurately between two
applications. What should you suggest?

42.

43.

44.

45.

A.

A control total

B.

Check digit

C.

Completeness check

D.

Limit check

Which of the following types of programming language is used to develop

decision support systems?
A.

2GL

B.

3GL

C.

4GL

D.

5GL

You have been asked to work with a new project manager. The project
team has just started work on the payback analysis. Which of the following
is the best answer to identify the phase of the system development
lifecycle of the project?
A.

Feasibility

B.

Requirements

C.

Design

D.

Development

In many ways, IS operations is a service organization because it provides

services to its users. As such, how should an auditor recommend that the
percentage of help-desk or response calls answered within a given time be
measured?
A.

Uptime agreements

B.

Time service factor

C.

Abandon rate

D.

First call resolution

What is the correct term for items that can occur without human
interaction?

46.

47.

48.

49.

A.

Lights out

B.

Automated processing

C.

Follow the sun operations

D.

Autopilot operations

Which of the following is an example of a 2GL language?

A.

SQL

B.

Assembly

C.

FORTRAN

D.

Prolog

When discussing web services, which of the following best describes a

proxy server?
A.

Reduces load for the client system

B.

Improves direct access to the Internet

C.

Provides an interface to access the private domain

D.

Provides high-level security services

Regarding cohesion and coupling, which is best?

A.

High cohesion, high coupling

B.

High cohesion, low coupling

C.

Low cohesion, low coupling

D.

Low cohesion, high coupling

Bluetooth class 1 meets which of the following specifications?

A.

Up to 5 m of range and .5 mW of power

B.

Up to 10 m of range and 1 mW of power

C.

Up to 20 m of range and 2.5 mW of power

D.

50.

51.

52.

Up to 100 m of range and 100 mW of power

When discussing electronic data interface (EDI), which of the following

terms best describes the device that transmits and receives electronic
documents between trading partners?
A.

Value Added Network (VAN)

B.

X12

C.

Communications handler

D.

Electronic Data Interchange For Administration Commerce And

Transport (EDIFACT)

Which type of network is used to connect multiple servers to a centralized

pool of disk storage?
A.

PAN

B.

LAN

C.

SAN

D.

MAN

The following question references Figure E.4. Item C refers to which of the
following?
A. Foreign key

B. Tuple

C. Attribute

D. Primary key

Figure E.4.
[View full size image]

53.

54.

55.

Which layer of the OSI model is responsible for packet routing?

A.

Application

B.

Transport

C.

Session

D.

Network

Which of the following types of testing is usually performed at the

implementation phase, when the project staff is satisfied with all other
tests and the application is ready to be deployed?
A.

Final acceptance testing

B.

System testing

C.

Interface testing

D.

Unit testing

Which of the following devices can be on the edge of networks for basic
packet filtering?
A.

Bridge

B.

Switch

C.

Router

D.

56.

57.

58.

59.

60.

VLAN

MAC addresses are most closely associated with which layer of the OSI
model?
A.

Data link

B.

Network

C.

Session

D.

Physical

The IP address of 128.12.3.15 is considered to be which of the following?

A.

Class A

B.

Class B

C.

Class C

D.

Class D

Which of the following statements is most correct? RIP is considered...

A.

A routing protocol

B.

A routable protocol

C.

A distance-vector routing protocol

D.

A link-state routing protocol

Which of the following test types is used after a change to verify that
inputs and outputs are correct?
A.

Regression testing

B.

System testing

C.

Interface testing

D.

Pilot testing

Which of the following is an example of a 5GL language?

61.

62.

63.

64.

A.

SQL

B.

Assembly

C.

FORTRAN

D.

Prolog

Which of the following types of network topologies is hard to expand, with

one break possibly disabling the entire segment?
A.

Bus

B.

Star

C.

Token Ring

D.

Mesh

What is the most important reason to use plenum-grade cable?

A.

Increased network security

B.

Less attenuation

C.

Less cross-talk

D.

Fire-retardant coating

Which of the following copper cable network configurations is considered

the most secure from eavesdropping or interception?
A.

A switched VLAN using multimode fiber cable

B.

A Token Ring network using Cat 5 cabling

C.

A switched network that uses Cat 5e shielded cable

D.

A bus network using 10BASE2 cabling

Which of the following is an iterative development method in which

repetitions are referred to as sprints and typically last 30 days?
A.

Scrum

B.

Extreme programming

65.

C.

RAD

D.

Spiral

Which type of database is shown in Figure E.5?

A. Relational

B. Network

C. Hierarchical

D. Floating flat

Figure E.5.

66.

67.

As a new auditor, you have been asked to review network operations.

Which of the following weaknesses should you consider the most serious?
A.

Data files can be amended or changed by supervisors.

B.

Data files can be lost during power outages because of poor

backup.

C.

Sensitive data files can be read by managers.

D.

Copies of confidential reports can be printed by anyone.

Which of the following is the best example of a control mechanism to be

used to control component failure or errors?
A.

Redundant WAN links

B.

Just a Bunch of Disks/Drives (JBOD)

68.

69.

70.

71.

C.

RAID 0

D.

RAID 1

Which of the following is the best technique for an auditor to verify firewall
settings?
A.

Interview the network administrator

B.

Review the firewall configuration

C.

Review the firewall log for recent attacks

D.

Review the firewall procedure

Which of the following is not a circuit-switching technology?

A.

DSL

B.

POTS

C.

T1

D.

ATM

Which of the following uses a process to standardize code modules to allow

for cross-platform operation and program integration?
A.

Component-based development (CBD)

B.

Web-based application development (WBAD)

C.

Object-oriented systems development (OOSD)

D.

Data-oriented system development (DOSD)

Data warehouses are used to store historic data of an organization. As

such, which of the following is the most accurate way to describe data
warehouses?
A.

Subject-oriented

B.

Object-oriented

C.

Access-oriented

D.

72.

73.

74.

75.

Control-oriented

Which of the following access-control models allows the user to control

access?
A.

Mandatory access control (MAC)

B.

Discretionary access control (DAC)

C.

Role-based access control (RBAC)

D.

Access control list (ACL)

While auditing the identification and authentication system, you want to

discuss the best method you reviewed. Which of the following is considered
the strongest?
A.

Passwords

B.

Tokens

C.

Two-factor authentication

D.

Biometrics

If asked to explain the equal error rate (EER) to another auditor, what
would you say?
A.

The EER is used to determine the clipping level used for password
lockout.

B.

The EER is a measurement that indicates the point at which FRR

equals FAR.

C.

The EER is a rating used for password tokens.

D.

The EER is a rating used to measure the percentage of biometric

users who are allowed access and who are not authorized users.

You have been asked to head up the audit of a business application

system. What is one of the first tasks you should perform?
A.

Interview users

B.

Review process flowcharts

C.

Evaluate controls

D.

Determine critical areas

76.

77.

78.

Closed-circuit TV (CCTV) systems are considered what type of control?

A.

Corrective

B.

Detective

C.

Preventive

D.

Delayed

According to ISACA, the second step in the business continuity planning

(BCP) process is which of the following?
A.

Project management and initiation

B.

Plan design and development

C.

Recovery strategy

D.

Business impact analysis

You have been asked to review the documentation for a planned database.
Which type of database is represented by Figure E.6?
A. Relational

B. Network

C. Hierarchical

D. Floating flat

Figure E.6.

79.

80.

81.

82.

83.

Which of the following issues ticket-granting tickets?

A.

The Kerberos authentication service

B.

The RADIUS authentication service

C.

The Kerberos ticket-granting service

D.

The RADIUS ticket-granting service

Which of the following is the most important corrective control that an

organization has the capability to shape?
A.

Audit plan

B.

Security assessment

C.

Business continuity plan

D.

Network topology

Which one of the following is not considered an application system testing

technique?
A.

Snapshots

B.

Mapping

C.

Integrated test facilities

D.

Base case system evaluation

Which of the following statements regarding recovery is correct?

A.

The greater the recovery point objective (RPO), the more tolerant
the process is to interruption.

B.

The less the recovery time objective (RTO), the longer the
process can take to be restored.

C.

The less the RPO, the more tolerant the process is to interruption.

D.

The greater the RTO, the less time the process can take to be
restored.

Which of the following best defines the service delivery objective (SDO)?
A.

Defines the maximum amount of time the organization can provide

services at the alternate site

84.

85.

86.

87.

B.

Defines the level of service provided by alternate processes

C.

Defines the time that systems can be offline before causing

damage

D.

Defines how long the process can take to be restored

During which step of the business continuity planning (BCP) process is a risk
assessment performed?
A.

Project management and initiation

B.

Plan design and development

C.

Recovery strategy

D.

Business impact analysis

When auditing security for a data center, the auditor should look for which
of the following as the best example of long-term power protection?
A.

Standby generator

B.

Uninterrupted power supply

C.

Surge protector

D.

Filtered power supply

Which of the following would be considered the most complex continuous

audit technique?
A.

Continuous and intermittent simulation (CIS)

B.

Snapshots

C.

Audit hooks

D.

Integrated test facilities

Which of the following is not a replacement for Halon?

A.

FM-200

B.

NAF-S-3

C.

FM-100

D.

88.

89.

90.

91.

Argon

When discussing biometrics, what do Type 1 errors measure?

A.

The point at which the false rejection rate (FRR) equals the false
acceptance rate (FAR)

B.

The accuracy of the biometric system

C.

The percentage of illegitimate users who are given access

D.

The percentage of legitimate users who are denied access

Class A fires are comprised of which of the following?

A.

Electronic equipment

B.

Paper

C.

Oil

D.

Metal

You are performing an audit of an organizations physical security controls,

specifically, emergency controls. When doors that use relays or electric
locks are said to fail soft, what does that mean?
A.

Locks of this type fail open.

B.

Locks of this type are easy to pick.

C.

Locks of this type fail closed.

D.

Locks of this type are hard to pick.

Which type of database is represented by Figure E.7?

A. Relational

B. Network

C. Hierarchical

D. Floating flat

Figure E.7.
[View full size image]

92.

93.

94.

95.

Systems control audit review file and embedded audit modules

(SCARF/EAM) is an example of which of the following?
A.

Output controls

B.

Continuous online auditing

C.

Input controls

D.

Processing controls

Which type of access rights control model is widely used by the DoD, NSA,
CIA, and FBI?
A.

MAC

B.

DAC

C.

RBAC

D.

ACL

Why is the protection of processing integrity important?

A.

To maintain availability to users so they have the availability to

copy and use data without delay

B.

To protect data from unauthorized access while in transit

C.

To prevent output controls from becoming tainted

D.

To maintain data encryption on portable devices so that data can

be relocated to another facility while being encrypted

A privacy impact analysis (PIA) is tied to several items. Which of the

following is not one of those items?

96.

97.

98.

99.

A.

Technology

B.

Processes

C.

People

D.

Documents

Which of the following is ultimately responsible for the security practices of

the organization?
A.

Security advisory group

B.

Chief security officer

C.

Executive management

D.

Security auditor

Which of the following guarantees that all foreign keys reference existing
primary keys?
A.

Relational integrity

B.

Referential integrity

C.

Entity integrity

D.

Tracing and tagging

Which of the following would a company extend to allow network access to

a business partner?
A.

Internet

B.

Intranet

C.

Extranet

D.

VLAN

What term is used to describe the delay that information will experience
from the source to the destination?
A.

Echo

B.

Latency

100.

101.

102.

103.

C.

Delay

D.

Congestion

You have been asked to describe what security feature can be found in the
wireless standard 802.11a. How will you respond?
A.

Wi-Fi Protected Access (WPA)

B.

Wired Equivalent Privacy (WEP)

C.

Temporal Key Integrity Protocol (TKIP)

D.

Wi-Fi Protected Access 2 (WPA2)

Which of the following is not a packet-switching technology?

A.

X.25

B.

ISDN

C.

Frame Rely

D.

ATM

Transport-layer security (TLS) can best be described as being found

between which two layers of the OSI model?
A.

Layers 2 and 3

B.

Layers 3 and 4

C.

Layers 4 and 5

D.

Layers 5 and 6

Which of the following descriptions highlights the importance of domain

name service (DNS)?
A.

Address of a domain server

B.

Resolves fully qualified domain names to IP addresses

C.

Resolves known IP address for unknown Internet addresses

D.

Resolves IP and MAC addresses needed for delivery of Internet

data

104.

Using Figure E.8 as a reference, which of the following best describes a

10BASE5 network design?
A. Item A

B. Item B

C. Item C

D. Item D

Figure E.8.

105.

106.

You have been asked to describe a program that can be classified as

terminal-emulation software. Which of the following would you mention?
A.

Telnet

B.

FTP

C.

SNMP

D.

SMTP

Which of the following services operates on ports 20 and 21?

A.

Telnet

B.

FTP

C.

SMTP

D.

DHCP

107.

108.

109.

110.

111.

Which layer of the OSI model is responsible for reliable data delivery?
A.

Data link

B.

Session

C.

Transport

D.

Network

An objective of the implementation phase of a newly installed system can

include which of the following?
A.

Conducting a certification test

B.

Determining user requirements

C.

Assessing the project to see if expected benefits were achieved

D.

Reviewing the designed audit trails

Which of the following is the best example of a processing control?

A.

Exception reports

B.

Sequence check

C.

Key verification

D.

Logical relationship check

Which of the following devices is most closely related to the data link layer?
A.

Hub

B.

Repeater

C.

Bridge

D.

Router

Which of the following provide the capability to ensure the validity of data
through various stages of processing?
A.

Manual recalculations

112.

113.

114.

115.

B.

Programming controls

C.

Run-to-run totals

D.

Reasonableness verification

You overheard the database administrator discussing normalizing some

tables. What is the purpose of this activity?
A.

Decrease redundancy

B.

Increase redundancy

C.

Decrease application malfunction

D.

Increase accuracy

Which of the following is not included in a PERT chart?

A.

The most optimistic time the task can be completed in

B.

The most cost-effective scenario for the task

C.

The worst-case scenario or longest time the task can take

D.

The most likely time the task will be completed in

Verifications such as existence checks can best be described as:

A.

A processing control that is considered preventive

B.

A validation edit control that is considered preventive

C.

A processing control that is considered detective

D.

A validation edit control that is considered detective

Referential integrity is used to prevent which of the following?

A.

Attribute errors

B.

Relational errors

C.

Dangling tuples

D.

Integrity constraints

116.

117.

Which of the following best describes the difference between accreditation

and certification?
A.

Certification is initiated after the accreditation of the system to

ensure that the system meets required standards.

B.

Certification is initiated before accreditation to ensure that quality

personnel are using the new designed systems.

C.

Accreditation is issued after certification. Accreditation is a

management function, while certification is a technical function.

D.

Production and management might see accreditation and

certification as basically one and the same.

You have been asked to review the organizations planned firewall design.
As such, which of the following best describes the topology shown in
Figure E.9?
A. Packet filter

B. Screened subnet

C. Screened host

D. Dual-homed host

Figure E.9.
[View full size image]

118.

Which of the following database designs is considered a lattice structure

because each record can have multiple parent and child records? Although
this design can work well in stable environments, it can be extremely
complex.
A.

The hierarchical database-management systems

B.

The relational database-management systems

C.

The network database-management systems

D.

The structured database-management systems

119.

120.

121.

122.

123.

Which of the following is not used when calculating function point analysis?
A.

Number of user inquires

B.

Number of files

C.

Number of user inputs

D.

Number of expected users

Which of the following is an example of an interpreted programming

language?
A.

FORTRAN

B.

Assembly

C.

Basic

D.

Java

Which of the following is an example of a 4GL language?

A.

SQL

B.

Assembly

C.

FORTRAN

D.

Prolog

Which of the following database takes the form of a parent/child structure?

A.

The hierarchical database-management systems

B.

The relational database-management systems

C.

The network database-management systems

D.

The structured database-management systems

You have been asked to explain rings of protection and how the concept
applies to the supervisory mode of the operating system (OS). Which of the
following is the best description?
A.

System utilities should run in supervisor mode.

124.

125.

126.

127.

B.

Supervisor state allows the execution of all instructions, including

privileged instructions.

C.

Supervisory mode is used to block access to the security kernel.

D.

Rings are arranged in a hierarchy from least-privileged to the

most-privileged as the most trusted usually has the highest ring
number

You have been asked to design a control. The organization would like to
limit what check numbers are used. Specfically, they would like to be able
to flag a check numbered 318 if the days first check had the number 120
and the days last check was number 144. What type of validation check
does the department require?
A.

Limit check

B.

Range check

C.

Validity check

D.

Sequence check

Which of the following descriptions best describes a delay window?

A.

The time between when an event occurs and when the audit
record is reviewed

B.

The time between when an incident occurs and when it is

addressed

C.

The time between when an event occurs and when the audit
record is recorded

D.

The difference between a threshold and a trigger

You have been asked to review a console log. What type of information
should you expect to find?
A.

Names and passwords of system users

B.

Application access and backup times

C.

System errors

D.

Errors from data edits

During a software change process, auditors might be asked to verify

existing source code at some point. What is the most effective tool for
auditors to compare old and new software for unreported changes?
A.

Function point analysis (FPA)

128.

129.

130.

B.

Manual review of the software

C.

Variation tools

D.

Source code comparison software

Which of the following is not a valid processing control?

A.

Authorization

B.

Processing

C.

Validation

D.

Editing

Which of the following is not part of the project-management triangle?

A.

Scope

B.

Time

C.

Resources

D.

Cost

Using Figure E.10 as a reference, place the four recovery time objectives
in their proper order.
A. Items A, B, C, D

B. Items B, C, D, A

C. Items D, A, C, B

D. Items C, B, D, A

Figure E.10.

131.

132.

133.

When dealing with project-management issues, which of the following is

ultimately responsible and must ensure that stakeholders needs are met?
A.

Stakeholders

B.

Project steering committee

C.

Project manager

D.

Quality assurance

Projects must take on an organizational form. These organizational forms or

frameworks can be either loosely structured or very rigid. Which project
form matches the description The project manager has no real authority,
and the functional manager remains in charge?
A.

Weak matrix

B.

Pure project

C.

Balanced matrix

D.

Influence

Which of the following is the best description of the Constructive Cost

Model (COCOMO)?
A.

COCOMO is a model that forecasts the cost and schedule of

software development, including the number of persons and
months required for the development.

B.

COCOMO is a model that forecasts network costs associated with

hardware, the physical medium, and trained personnel.

C.

COCOMO is a forecast model that estimates the time involved in

producing a product and shipping to the end user.

D.

134.

135.

CreCrePrin

COCOMO is a model that forecasts the construction of additional

companies associated with organizational growth.

Which of the following software-estimating methods does not work as well

in modern development programs because additional factors that are not
considered will affect the overall cost?
A.

Facilited Risk Assessment Process (FRAP)

B.

Gantt

C.

Function point analysis (FPA)

D.

Source lines of code (SLOC)

Which of the following is the best example of a quantitative riskassessment technique?

A.

The Delphi technique

B.

Facilitated risk-assessment process

C.

Actuarial tables

D.

Risk rating of high, medium, or low

Html

ThuZooZooToggle to PrevNex