Interested to Buy Any Domain ? << Click Here >> for more details...
An IS auditor conducting a review of disaster recovery
planning at a financial processing organization has
discovered the following:
* The existing disaster recovery plan was compiled two years
ago by a systems analyst in the organization's IT department
using transaction flow projections from the operations
department.
* The plan was presented to the deputy CEO for approval and
formal issue, but it is still awaiting his attention.
* The plan has never been updated, tested or circulated to
key management and staff, though interviews show that each
would know what action to take for their area in the event
of a disruptive incident.
The basis of an organization's disaster recovery plan is to
reestablish live processing at an alternative site where a
similar, but not identical hardware configuration is already
established. The IS auditor should:
A. take no action as the lack of a current plan is the only
significant finding.
B. recommend that the hardware configuration at each site
should be identical.
C. perform a review to verify that the second configuration
can support live processing.
D. report that the financial expenditure on the alternative
site is wasted without an effective plan.
- 1 Answers
- 5136 Views
- I also Faced
- E-Mail Answers
Answer / guest
Answer: C
The IS auditor does not have a finding unless it can be
shown that the alternative hardware cannot support the live
processing system. Even though the primary finding is the
lack of a proven and communicated disaster recovery plan, it
is essential that this aspect of recovery is included in the
audit. Since, if it is found to be inadequate the finding
will materially support the overall audit opinion. It is
certainly not appropriate to take no action at all, leaving
this important factor untested, and unless it is shown that
the alternative site is inadequate, there can be no comment
on the expenditure (even if this is considered a proper
comment for the IS auditor to make). Similarly, there is no
need for the configurations to be identical. The alternative
site could actually exceed the recovery requirements if it
is also used for other work, such as other processing or
systems development and testing. The only proper course of
action at this point would be to find out if the recovery
site can actually cope with a recovery.
| Is This Answer Correct ? | 2 Yes | 0 No |
Which of the following procedures should be implemented to help ensure the completeness of inbound transactions via electronic data interchange (EDI)? A. Segment counts built into the transaction set trailer B. A log of the number of messages received, periodically verified with the transaction originator C. An electronic audit trail for accountability and tracking D. Matching acknowledgement transactions received to the log of EDI messages sent
Which of the following is a control to compensate for a programmer having access to accounts payable production data? A. Processing controls such as range checks and logic edits B. Reviewing accounts payable output reports by data entry C. Reviewing system-produced reports for checks (cheques) over a stated amount D. Having the accounts payable supervisor match all checks (cheques) to approved invoices
WHICH OF THE FOLLOWING IS OFTEN AN ADVANTAGE OF USING PROTOTYPING GOR DYDTEM DVELOPMENT
Separation of duties between computer opeartors and other data processing personnel is intended to: A. Prevent unauthorized modifications to program or data. B. Reduce overall cost of operations C. Allow operators to concentrate on their assigned duties D. Restrict operator access to data
Which of the following duties would be a concern if performed along with systems administration? A. Maintenance of access rules B. Review of system audit trail C. Data librarian D. Performance monitoring
Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure (PKI) with digital certificates for its business-to-consumer transactions via the Internet? A. Customers are widely dispersed geographically, but the certificate authorities (CAs) are not. B. Customers can make their transactions from any computer or mobile device. C. The CA has several data processing subcenters to administer certificates. D. The organization is the owner of the CA.
Which of the following has the LEAST effect on controlling physical access? A. Access to the work area is restricted through a swipe card. B. All physical assets have an identification tag and are properly recorded. C. Access to the premises is restricted and all visitors authorized for entry. D. Visitors are issued a pass and escorted in and out by a concerned employee.
Which of the following would be included in an IS strategic plan? A. Specifications for planned hardware purchases B. Analysis of future business objectives C. Target dates for development projects D. Annual budgetary targets for the IS department
Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy? A. Review the parameter settings B. Interview the firewall administrator C. Review the actual procedures D. Review the device's log file for recent attacks
Which of the following BEST determines that complete encryption and authentication protocols exist for protecting information while transmitted? A. A digital signature with RSA has been implemented. B. Work is being done in tunnel mode with the nested services of AH and ESP C. Digital certificates with RSA are being used. D. Work is being done in transport mode, with the nested services of AH and ESP
An IS auditor performing a review of an application's controls would evaluate the: A. efficiency of the application in meeting the business processes. B. impact of any exposures discovered. C. business processes served by the application. D. the application's optimization.
Which of the following is the MOST effective control over visitor access to a data center? A. Visitors are escorted. B. Visitor badges are required. C. Visitors sign in. D. Visitors are spot-checked by operators.
Cisco Certifications 
