CISA Reference: CISA Exam Question Practice (3)
1. Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.
The correct answer is:
B. define key performance indicators.
Explanation:
A definition of key performance indicators is required before implementing an IT balanced scorecard. Choices A, C and D are objectives.
Area 2: IT Governance (15%)
2. Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods
The correct answer is:
B. Identification of network applications to be externally accessed
Explanation:
The applications required across the network should be identified first. Once they are identified, and depending on where these applications sit in the network and on the network model, the person in charge can understand the need for, and the possible methods of, controlling access to them. Having identified the applications, the next step is to identify the vulnerabilities (weaknesses) associated with them. The third step is to identify methods of protecting against the identified vulnerabilities and to compare their costs and benefits. The final step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.
Area 2: IT Governance (15%)
3. An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?
A. References from other customers
B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan
The correct answer is:
A. References from other customers
Explanation:
The IS auditor should look for independent verification that the ISP can perform the tasks being contracted. References from other customers provide an independent, external review and verification of the procedures and processes the ISP follows, which are issues of concern to the IS auditor; checking references therefore confirms that the vendor can perform the services it claims it can. A maintenance agreement relates more to equipment than to services, and a conversion plan, while important, is less important than verification that the ISP can provide the services it proposes.
Area 2: IT Governance (15%)
4. When reviewing a system development project at the project initiation stage, an IS auditor finds that the project team is following the organization’s quality manual. To meet critical deadlines the project team proposes to fast track the validation and verification processes, commencing some elements before the previous deliverable is complete. Under these circumstances, the IS auditor would MOST likely:
A. report this as a critical finding to senior management.
B. accept that different quality processes can be adopted for each project.
C. report to IS management the team’s failure to follow quality procedures.
D. report the risks associated with fast tracking to the project steering committee.
The correct answer is:
D. report the risks associated with fast tracking to the project steering committee.
Explanation:
It is important that quality processes are appropriate to the individual project; processes that do not fit a project are often abandoned under pressure. Fast tracking is an acceptable option under certain circumstances; however, the project steering committee must be informed of the associated risks (i.e., the possibility of rework if changes are required).
Area 3: Systems and Infrastructure Lifecycle Management (16%)
5. Which of the following risks could result from inadequate software baselining?
A. Scope creep
B. Sign-off delays
C. Software integrity violations
D. Inadequate controls
The correct answer is:
A. Scope creep
Explanation:
A software baseline is the cut-off point in the design and development of a system beyond which additional requirements or modifications to the design do not or cannot occur without undergoing formal strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage the requirements of a system through baselining can result in a number of risks. Foremost among these risks is scope creep, the process through which requirements change during development. Choices B, C and D may not always result, but choice A is inevitable.
Area 3: Systems and Infrastructure Lifecycle Management (16%)