Topic 2: IS Management Controls and Auditing Management
Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A.
A substantive test of program library controls
B.
A compliance test of program library controls
C.
A compliance test of the program compiler controls
D.
A substantive test of the program compiler controls
A compliance test of program library controls
The executive board has requested that the CISO of an organization define Key Performance Indicators (KPIs) to measure the effectiveness of the security awareness program provided to call center employees. Which of the following can be used as a KPI?
A.
Number of callers who report security issues
B.
Number of callers who report a lack of customer service from the call center
C.
Number of successful social engineering attempts on the call center
D.
Number of callers who abandon the call before speaking with a representative
Number of successful social engineering attempts on the call center
You have implemented the new controls. What is the next step?
A.
Document the process for the stakeholders
B.
Monitor the effectiveness of the controls
C.
Update the audit findings report
D.
Perform a risk assessment
Monitor the effectiveness of the controls
Which of the following is a term related to risk management that represents the estimated frequency at which a threat is expected to transpire?
A.
Single Loss Expectancy (SLE)
B.
Exposure Factor (EF)
C.
Annualized Rate of Occurrence (ARO)
D.
Temporal Probability (TP)
Annualized Rate of Occurrence (ARO)
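The ARO answer above is one term of the standard quantitative risk formula: SLE = AV × EF and ALE = SLE × ARO, with the net value of a safeguard being the ALE it removes minus its own annual cost. The following Python is an added worked example, not part of the original question set; the three threats, their asset values, exposure factors and AROs, and the backup control's cost are all constructed figures chosen for illustration.

```python
"""Quantitative risk analysis using the terms from the question:
AV (asset value), EF (exposure factor), SLE, ARO and ALE.
Added example with constructed figures; nothing here comes from a real assessment."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: value of the asset at risk, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 .. 1.0)
    aro: float              # ARO: estimated occurrences per year (may be < 1)


def sle(t: Threat) -> float:
    """Single Loss Expectancy: the loss from one occurrence (AV * EF)."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Annualized Loss Expectancy: SLE scaled by the expected frequency (SLE * ARO)."""
    if t.aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(t) * t.aro


def years_between_occurrences(t: Threat) -> float:
    """Reads an ARO below 1 as 'once every N years'; infinite if the ARO is 0."""
    return float("inf") if t.aro == 0 else 1.0 / t.aro


def safeguard_value(before: Threat, after: Threat, annual_cost: float) -> float:
    """Net annual value of a control: ALE removed minus the control's yearly cost.
    A negative result means the control costs more than the risk it reduces."""
    return ale(before) - ale(after) - annual_cost


def rank_by_ale(threats: List[Threat]) -> List[str]:
    """Threat names ordered by ALE, highest first, to prioritise treatment."""
    return [t.name for t in sorted(threats, key=ale, reverse=True)]


# Constructed sample threats (hypothetical values, not real data).
RANSOMWARE = Threat("ransomware on file server", 500_000, 0.40, 0.25)  # once in 4 years
LAPTOP_THEFT = Threat("stolen laptop", 3_000, 1.00, 12.0)             # monthly
DC_FIRE = Threat("data center fire", 2_000_000, 0.50, 0.02)           # once in 50 years
THREATS = [RANSOMWARE, LAPTOP_THEFT, DC_FIRE]

# Hypothetical control: offline backups cut the ransomware EF from 0.40 to 0.10
# (the ARO is unchanged; backups do not stop the attack, only the loss).
RANSOMWARE_WITH_BACKUPS = Threat(RANSOMWARE.name, RANSOMWARE.asset_value, 0.10, RANSOMWARE.aro)
BACKUP_ANNUAL_COST = 15_000


if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:28s} SLE={sle(t):>12,.2f} ALE={ale(t):>10,.2f} "
              f"(one event every {years_between_occurrences(t):.1f} years)")
    print("priority:", rank_by_ale(THREATS))
    print("backup control net value per year:",
          safeguard_value(RANSOMWARE, RANSOMWARE_WITH_BACKUPS, BACKUP_ANNUAL_COST))
```

Note that a low ARO does not make a threat negligible: the fire has the largest SLE of the three but the smallest ALE, which is why ALE rather than SLE drives the ranking, and why the board's risk tolerance (a later question on this page) should be expressed in the same annualized terms when deciding which ALE figures are acceptable.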
The effectiveness of social engineering penetration testing using phishing can be used as a Key Performance Indicator (KPI) for the effectiveness of an organization’s
A.
Risk Management Program
B.
Anti-Spam controls
C.
Security Awareness Program
D.
Identity and Access Management Program
Security Awareness Program
Which of the following illustrates an operational control process?
A.
Classifying an information system as part of a risk assessment
B.
Installing an appropriate fire suppression system in the data center
C.
Conducting an audit of the configuration management process
D.
Establishing procurement standards for cloud vendors
Installing an appropriate fire suppression system in the data center
The amount of risk an organization is willing to accept in pursuit of its mission is known as
A.
Risk mitigation
B.
Risk transfer
C.
Risk tolerance
D.
Risk acceptance
Risk tolerance
With respect to the audit management process, management response serves what function?
A.
placing underperforming units on notice for failing to meet standards
B.
determining whether or not resources will be allocated to remediate a finding
C.
adding controls to ensure that proper oversight is achieved by management
D.
revealing the “root cause” of the process failure and mitigating for all internal and external units
determining whether or not resources will be allocated to remediate a finding
Which of the following organizations is typically in charge of validating the implementation and effectiveness of security controls?
A.
Security Administrators
B.
Internal/External Audit
C.
Risk Management
D.
Security Operations
Internal/External Audit
When working in the Payment Card Industry (PCI), how often should security logs be reviewed to comply with the standards?
A.
Daily
B.
Hourly
C.
Weekly
D.
Monthly
Daily