Interested to Buy Any Domain ? << Click Here >> for more details...
During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern?
A. Maximum acceptable downtime metrics have not been defined in the contract.
B. The IT department does not manage the relationship with the cloud vendor.
C. The help desk call center is in a different country, with different privacy requirements.
D. Company-defined security policies are not applied to the cloud application.
- 1 Answers
- 7494 Views
- I also Faced
- E-Mail Answers
the answer is D.
A. Maximum acceptable downtime is a good metric to have in the contract to ensure application availability; however, human resources (HR) applications are usually not mission-critical, and therefore, maximum acceptable downtime is not the most significant concern in this scenario.
B. The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team; however, it is not essential that the individual or team belong to the IT department.
C. A company-defined security policy would ensure that help desk personnel would not have access to personnel data, and this would be covered under the security policy. The more critical issue would be that the application complied with the security policy.
D. Cloud applications should adhere to the company-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.
Question #: 935 CISA Job Practice Task Statement: 2.5
| Is This Answer Correct ? | 5 Yes | 2 No |
Which of the following should be in place to protect the purchaser of an application package in the event that the vendor ceases to trade? A. Source code held in escrow. B. Object code held by a trusted third party. C. Contractual obligation for software maintenance. D. Adequate training for internal programming staff.
Which of the following imaging technologies captures handwriting from a preprinted form and converts it into an electronic format? A. Magnetic ink character recognition (MICR) B. Intelligent voice recognition (IVR) C. Bar code recognition (BCR) D. Optical character recognition (OCR)
An IS auditor who has discovered unauthorized transactions during a review of EDI transactions is likely to recommend improving the: A. EDI trading partner agreements. B. physical controls for terminals. C. authentication techniques for sending and receiving messages. D. program change control procedures.
Which of the following provides the framework for designing and developing logical access controls? A. Information systems security policy B. Access control lists C. Password management D. System configuration files
A MAJOR risk of using single sign-on (SSO) is that it: A. has a single authentication point. B. represents a single point of failure. C. causes an administrative bottleneck. D. leads to a lockout of valid users.
When implementing continuous monitoring systems an IS auditor's first step is to identify: A. reasonable target thresholds. B. high-risk areas within the organization. C. the location and format of output files. D. applications that provide the highest potential payback.
LANs: A. protect against virus infection. B. protect against improper disclosure of data. C. provide program integrity from unauthorized changes. D. provide central storage for a group of users.
Which of the following would an IS auditor place LEAST reliance on when determining management's effectiveness in communicating information systems policies to appropriate personnel? A. Interviews with user and IS personnel B. Minutes of IS steering committee meetings C. User department systems and procedures manuals D.Information processing facilities operations and procedures manuals
To develop a successful business continuity plan, end user involvement is critical during which of the following phases? A. Business recovery strategy B. Detailed plan development C. Business impact analysis D. Testing and maintenance
Which of the following procedures can a biometric system perform? A. Measure airborne contamination. B. Provide security over physical access. C. Monitor temperature and humidity levels. D. Detect hazardous electromagnetic fields in an area.
Which of the following would an IS auditor consider to be the MOST helpful when evaluating the effectiveness and adequacy of a computer preventive maintenance program? A. A system downtime log B. Vendors' reliability figures C. Regularly scheduled maintenance log D. A written preventive maintenance schedule
A database administrator is responsible for: A. defining data ownership. B. establishing operational standards for the data dictionary. C. creating the logical and physical database. D. establishing ground rules for ensuring data integrity and security.
Cisco Certifications 
