In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:
Correct Answer: A
Explanation/Reference: The integration of IS and business staff in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan. Choices B, C and D are areas covered by a strategic plan.
Question 77
An IS auditor is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes. Which of the following findings should be the auditor's GREATEST concern?
Correct Answer: D
Question 78
The practice of periodic secure code reviews is which type of control?
Correct Answer: D
Question 79
When reviewing a business case for a proposed implementation of a third-party system, which of the following should be an IS auditor's GREATEST concern?
Correct Answer: A
Explanation: The IS auditor's greatest concern when reviewing a business case for a proposed implementation of a third-party system should be A. Lack of ongoing maintenance costs. This is because ongoing maintenance costs are an essential part of the total cost of ownership (TCO) of a third-party system, and they can have a significant impact on the return on investment (ROI) and the feasibility of the project. If the business case does not include ongoing maintenance costs, it may underestimate the true cost of the project and overestimate the benefits. This could lead to poor decision-making and unrealistic expectations. Lack of training materials (B), lack of a plan for pilot implementation (C), and lack of a detailed work breakdown structure (D) are also potential issues that could affect the quality and success of the project, but they are not as critical as the lack of ongoing maintenance costs. Training materials can be developed or acquired later, a pilot implementation can be planned during the project initiation or planning phase, and a work breakdown structure can be refined as the project progresses. However, ongoing maintenance costs are difficult to change or estimate once the project is approved and implemented, and they can have long-term implications for the organization. Therefore, they should be included and analyzed in the business case.
Question 80
The difference between a vulnerability assessment and a penetration test is that a vulnerability assessment:
Correct Answer: A
Section: Protection of Information Assets
Explanation: The objective of a vulnerability assessment is to find the security holes in the computers and elements analyzed; its intent is not to damage the infrastructure. The intent of penetration testing is to imitate a hacker's activities and determine how far they could go into the network. They are not the same; they have different approaches. Vulnerability assessments and penetration testing can be executed by automated or manual tools or processes and can be executed by commercial or free tools.