Deck 14: Information Systems and Controls

A) COBIT contributors do not have the pay the subscription fee.
B) COBIT has an organizational focus on HR governance.
C) COBIT is designed to assist in IT governance and implementing IT controls.
D) COBIT has a control scope that encompasses all internal controls.

A) Internal and external
B) Organization and implementation
C) Governance and management
D) Management and assessment

A) EDM relates to the operational side of IT projects and support.
B) EDM focuses on whether IT projects are meeting organizational objectives.
C) EDM assesses IT requirements for acquiring technology.
D) EDM states that the board of directors must assess needs and provide oversight.

A) COBIT is an open-source model that has an online platform for feedback.
B) COBIT is a part of the COSO Internal Controls
C) COBIT focuses on addressing risk from a strategic perspective.
D) COBIT has a control scope that encompasses all internal controls.

A) IT governance requires a dedicated department.
B) IT governance ensures effective and efficient use of IT.
C) IT governance should be scheduled to occur once per year.
D) IT governance standards framework, COSO, focuses on minimizing risk.

A) COSO
B) COBIT
C) ISACA
D) ITGC

A) Align, Plan and Organize (APO)
B) Build, Acquire and Implement (BAI)
C) Deliver, Service and Support (DSS)
D) Monitor, Evaluate and Assess (MEA)

A) Align, Plan and Organize (APO)
B) Build, Acquire and Implement (BAI)
C) Deliver, Service and Support (DSS)
D) Monitor, Evaluate and Assess (MEA)

A) Align, Plan and Organize (APO)
B) Build, Acquire and Implement (BAI)
C) Deliver, Service and Support (DSS)
D) Monitor, Evaluate and Assess (MEA)

A) Align, Plan and Organize (APO)
B) Build, Acquire and Implement (BAI)
C) Deliver, Service and Support (DSS)
D) Monitor, Evaluate and Assess (MEA)

A) Structure
B) Components
C) Data
D) Risk

A) Management
B) Monitoring
C) Objections
D) Implementation

A) ITGC
B) COSO
C) ISACA
D) COBIT

A) ITGC
B) COSO
C) ISACA
D) COBIT

A) Align, Plan and Organize (APO)
B) Build, Acquire and Implement (BAI)
C) Deliver, Service and Support (DSS)
D) Evaluate, Direct, and Monitor (EDM)

A) Align, Plan and Organize (APO)
B) Build, Acquire and Implement (BAI)
C) Deliver, Service and Support (DSS)
D) Monitor, Evaluate, and Assess (MEA)

A) Align, Plan and Organize (APO)
B) Build, Acquire and Implement (BAI)
C) Deliver, Service and Support (DSS)
D) Monitor, Evaluate, and Assess (MEA)

A) Creator
B) Read-only
C) User
D) Administrator

A) User access provisioning
B) User authentication
C) User role assignment
D) User validation

A) Username and password
B) Login name
C) Electronic safe
D) Employee handbook

A) User access reviews are periodic reviews of current power users and their system roles.
B) User access reviews move infrequently used accounts to a dormant status.
C) A user access review should be a simple, quick process that is completed frequently.
D) A user access review lowers inappropriate use risks associated with employee changes.

A) Administrator
B) Read-only
C) User
D) Creator

A) Creator
B) Read-only
C) User
D) Administrator

A) Permission roles
B) User access roles
C) Creator roles
D) Read-only roles

A) Administrator
B) Read-only
C) User
D) Creator

A) Employee new hire
B) Employee reprimand
C) Employee transfer
D) Employee award

A) Security badge
B) Multifactor authentication
C) Biometric authentication
D) Fingerprint scanner

A) Role-based access controls
B) Individual permissions
C) Physical access controls
D) User access de-provisioning

A) Termination
B) New hire
C) Transfer
D) Dormancy

A) Analytical automation
B) Machine learning algorithm
C) User access software
D) Dormancy software tools

A) User access de-provisioning is the formal process of changing a user's access.
B) User access de-provisioning should occur after an employee's termination or transfer.
C) Removing someone's access does not create risk for the system.
D) Removing access to systems is not required for employee promotions.

A) Enable two-factor authentication
B) Enable fingerprint scanners
C) Enable read-only access for all users
D) Enable administrator access for all users

A) Creator
B) Read-only
C) User
D) Administrator

A) Request tickets require the employee to explain why they need access to the system.
B) Request tickets require the user's direct supervisor's information.
C) Managers and system owners must review the request tickets.
D) All of these statements are true.

A) Administrator
B) Creator
C) User
D) Read-only

A) Security system
B) Fire protection
C) Physical access
D) All answer choices are correct.

A) Wind damage
B) Piggybacking
C) Provisioning
D) Flood damage

A) Information Security Manager
B) Data Center Manager
C) Facilities Manager
D) All answer choices are correct.

A) A data center with a two-phase fire suppression system and fire extinguishers
B) A data center with cables suspended from the ceiling or bundled up to racks
C) A data center located on the top floor of a building to prevent easy access
D) A data center located on a raised floor near the center of an offsite building

A) User name and password
B) Fingerprint scanner
C) Locked door
D) Man-in-the-middle trap

A) Single entrance
B) Security camera at entrance
C) Multifactor authentication
D) All answer choices are correct.

A) A natural disaster causing damage to systems and equipment may result in a disruption of business activities and financial losses.
B) An unauthorized user gaining access to physical equipment may result in theft, malicious attacks, fraud, or data breaches.
C) Failure to maintain facilities in accordance with laws and regulations may result in fines and reputational losses.
D) All answer choices are correct.

A) System center
B) Network operations center
C) Access center
D) All of these answer choices are correct.

A) MSD should expand their current on-site data center so that all components will be secure in one location.
B) MSD should lease data center space nearby to allow current IT staff easy access to additional components.
C) MSD should locate a space for an off-site data center in an area away from the risk of bad weather to mitigate the risk of losing both centers at the same time.
D) All of these statements are correct.

A) someone from breaking in through the window.
B) damage occurring to systems when a window breaks in a storm.
C) unauthorized access to the room.
D) All answer choices are correct.

A) Climate controls
B) Raised floors
C) Interior room with no windows
D) All answer choices are correct.

A) Climate control systems keep NOCs cool.
B) Climate control systems remove humidity in the NOC to prevent moisture damage.
C) Climate control systems prevent NOC components from overheating.
D) All answer choices are correct.

A) An uninterruptable power supply is used to protect systems from outage and surges.
B) An uninterruptable power supply is used to protect systems from varied power voltage.
C) Power and network cables are run along the back of machines along the floor to keep them out of the way.
D) Power and network cables are bundled up to racks suspended from the ceiling to keep them clean and visible.

A) Only employees directly involved with operating the data center are authorized to enter.
B) Employees must scan their badge then enter a PIN on a keypad to gain access to the data center.
C) Security personnel regularly walk the building perimeter and look through the outside windows to check for unauthorized access to the data center.
D) Security cameras at the data center entrance door record all entrances and exits from the data center.

A) The man-in-the middle trap forces users to spend time in the trap before entering the data center, so only those who really need in will enter.
B) The man-in-the middle trap allows only one person to be between two doors, each with security measures, at a time.
C) The man-in-the middle trap will not allow a person to exit if they do not have the verbal passcode to enter the data center.
D) The man-in-the middle trap allows data center employees to trap intruders using trapdoors in the raised floor.

A) Eating and drinking is prohibited where IT equipment is stored.
B) Policies and procedures for maintaining physical equipment are documented.
C) Access to buildings is justified, authorized, logged, and monitored.
D) Inappropriate access to IT equipment is immediately revoked.

A) Eating and drinking is prohibited where IT equipment is stored.
B) Policies and procedures for maintaining physical equipment are documented.
C) Access to buildings is justified, authorized, logged, and monitored.
D) Inappropriate access to IT equipment is immediately revoked.

A) Crisis reaction plans indicating who leads the organization's response
B) Plans for essential equipment to be protected or to have alternative equipment
C) Return to normal procedures that prescribe how to return to normal operations
D) All answer choices are correct

A) Retail point of sale system
B) Employee benefits system
C) Customer service management system
D) Payroll system

A) Hot backup site
B) Warm backup site
C) Cold backup site
D) Frozen backup site

A) A data backup is the output of copying computer data to store.
B) Backup storage can be costly and time consuming.
C) Incremental backups are the cheapest backup strategy.
D) All answer choices are correct.

A) Hot backup
B) Full backup
C) Differential backup
D) Incremental backup

A) Alternative backup site plan
B) Backup team plan
C) Alternative operations site plan
D) Backup direction site plan

A) Hot backup site
B) Warm backup site
C) Cold backup site
D) Frozen backup site

A) Hot backup
B) Full backup
C) Differential backup
D) Incremental backup

A) Hot backup
B) Full backup
C) Differential backup
D) Incremental backup

A) Backup cycle
B) Backup time
C) Backup calendar
D) Backup event

A) BCP includes the procedures taken to protect employees, stakeholders, and assets in the event of a disruptive event.
B) BCP procedures focus on hot backup sites as all systems are critical and must be recovered quickly.
C) After the BCP manager develops the BCP, plans need to be memorized and not changed over time so that all employees know what to expect and do when a disruptive event occurs.
D) BCP plans could be triggered by a variety of disruptive events, such as natural disasters, cyberattacks, social unrest, or a global pandemic.

A) Data center
B) Backup site
C) Recovery center
D) Strategy site

A) A cold backup site may be an almost empty room.
B) A cold backup site is the least expensive type of backup site for a company to implement.
C) A cold backup site imports data at the end of each business day.
D) A cold backup site may take days or weeks to recover.

A) Warm and cold backup sites depend on which backup cycle is used.
B) A backup cycle determines the frequency in which data is backed up.
C) One of the most common backup cycle methods is know as the Grandfather-Father-Son backup scheme.
D) The Grandfather-Father-Son backup cycle removes the need to conduct quarterly, or annual backups.

A) Full backup once per month and week and a smaller backup each day
B) Full backup once per month, differential once per week, and incremental once per day
C) Full backup once per quarter and month and a smaller backup each week and day
D) Full backup once per year, differential once per month, and incremental each day

A) Recovery Technology Objective (RTO) and Recovery Process Objective (RPO)
B) Recovery Technology Objective (RTO) and Recovery Point Objective (RPO)
C) Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
D) Recovery Time Objective (RTO) and Recovery Process Objective (RPO)

A) The RTO is how much time a system can be down before it causes significant damage to the business.
B) The RTO may be as short as a few seconds.
C) The RTO considers how long the system restoration and data re-load process takes.
D) All of these statements are true.

A) Hot backup
B) Full backup
C) Differential backup
D) Incremental backup

A) By controlling the identification of changes to a system
B) By controlling the implementation of changes to a system
C) By ensuring that changes are reviewed appropriately before being finalized
D) All answer choices are correct.

A) Test
B) Model
C) Production
D) Live

A) Developer writes code.
B) Code implemented into production
C) User reviews and approves code.
D) User requests change.

A) Test
B) Sandbox
C) Model
D) Production

A) Incongruency with users
B) Incongruency of prioritization
C) Internal code irregularities
D) Internal fraud

A) Test
B) Model
C) Production
D) Alteration

A) User requests change.
B) Developer writes code.
C) Code implemented into production
D) User reviews and approves code.

A) Test environment
B) Model environment
C) Production environment
D) Development environment

A) User acceptance testing
B) User code review
C) User developer check
D) User production run