Q 30

Uploaded by

Fares Salman
1. In a multinational organization, local security regulations should be implemented over global security policy because:
o global security policies include unnecessary controls for local businesses
o business objectives are defined by local business unit managers
o requirements of local regulations take precedence
o deploying awareness of local regulations is more practical than of global policy
2. Which of the following is a step in establishing a security policy?
o Developing platform-level security baselines.
o Developing configuration parameters for the network.
o Implementing a process for developing and maintaining the policy.
o Creating a RACI matrix.
3. A large number of exceptions to an organization's information security standards have been granted after senior management approved a bring your own device (BYOD) program. To address this situation, it is MOST important for the information security manager to:
o introduce strong authentication on devices
o reject new exception requests
o require authorization to wipe lost devices
o update the information security policy
4. Which of the following is MOST important for the IS auditor to verify when reviewing the development process of a security policy?
o Evidence of active involvement of key stakeholders
o Output from the enterprise's risk management system
o Identification of the control framework
o Evidence of management approval
5. Which of the following should be the PRIMARY reason to establish a social media policy for all employees?
o To publish acceptable messages to be used by employees when posting
o To raise awareness and provide guidance about social media risks
o To restrict access to social media during business hours to maintain productivity
o To prevent negative public social media postings and comments
6. An internal IS auditor discovers that a service organization did not notify its customers following a data breach. Which of the following should the auditor do FIRST?
o Notify audit management of the finding.
o Report the finding to regulatory authorities.
o Notify the service organization's customers.
o Require the service organization to notify its customers.
7. A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?
o Industry standards
o The business impact analysis (BIA)
o The business objectives
o Previous audit recommendations
8. A CEO requests access to corporate documents from a mobile device that does not comply with organizational policy. The information security manager should FIRST:
o evaluate the business risk
o evaluate a third-party solution
o initiate an exception approval process
o deploy additional security controls
9. Which of the following is MOST important to consider when developing a bring your own device (BYOD) policy?
o Supported operating systems
o Procedure for accessing the network
o Application download restrictions
o Remote wipe procedures
10. An IT steering committee assists the board of directors to fulfill IT governance duties by:
o developing IT policies and procedures for project tracking.
o focusing on the supply of IT services and products.
o overseeing major projects and IT resource allocation.
o implementing the IT strategy.
11. Which of the following can provide assurance that an IT project has delivered its planned benefits?
o User acceptance testing (UAT)
o Steering committee approval
o Post-implementation review
o Quality assurance evaluation
12. Which of the following is MOST important when evaluating the retention period for a cloud provider's client data backups?
o Cost of data storage
o Contractual commitments
o Previous audit recommendations
o Industry best practice
13. Which of the following is MOST important to include in a contract with a software development service provider?
o A list of key performance indicators (KPIs)
o Ownership of intellectual property
o Service level agreement (SLA)
o Explicit contract termination requirements
14. Which of the following is a distinguishing feature at the highest level of a maturity model?
o There are formal standards and procedures.
o Projects are controlled with management supervision.
o A continuous improvement process is applied.
o Processes are monitored continuously.
15. The PRIMARY purpose of a precedence diagramming method in managing IT projects is to:
o monitor project scope creep.
o identify the critical path.
o identify key milestones.
o minimize delays and overruns.
16. Reports to the executive level concerning IT performance should focus on:
o third-party compliance with organizational practices.
o IT performance in relation to operational improvements.
o IT deliverables against organizational strategies.
o capacity planning effectiveness within the organization.
17. To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?
o Include strategic objectives in IT staff performance objectives.
o Review IT staff job descriptions for alignment.
o Identify required IT skill sets that support key business processes.
o Develop quarterly training for each IT staff member.
18. Which of the following should be the PRIMARY basis for planning and prioritizing IT infrastructure security audits?
o Asset value to the organization
o Management requests
o The organization's risk appetite
o Security best practice
19. Which of the following is the MOST effective control to reduce the risk of information leakage through social media?
o Use of keystroke loggers
o Periodic review of the data classification policy
o Limited access to social media sites in the workplace
o Security awareness training
20. An operations manager has recently moved to internal audit. Which of the following would be of GREATEST concern when assigning audit projects to this individual?
o A control within the audit scope was implemented by the operations manager six months ago.
o A control within the audit scope was downgraded to low risk by the operations manager six months ago.
o The owner of a process within the audit scope worked for the operations manager six months ago.
o A system within the audit scope is supported by an emerging technology for which the operations manager lacks experience.