Auditing IT Infrastructures For Compliance 2nd Edition Martin Weiss, Michael G. Solomon - Solutions

Unlock the full potential of your studies with our comprehensive resources for "Auditing IT Infrastructures For Compliance 2nd Edition" by Martin Weiss and Michael G. Solomon. Access the online answers key and explore detailed solutions in our solution manual and solutions PDF, designed to provide step-by-step answers to all solved problems. Enhance your understanding with our test bank and chapter solutions, offering questions and answers that are meticulously crafted for your success. Our instructor manual and textbook resources are available for free download, ensuring you have everything you need to excel in your coursework.

What are the five phases of projects? List three operational audit steps for each of them.
Explain the triple constraints model and its implications for effective project management.
Describe three audit procedures related to each of the three triple constraints model elements.
What is the CPM and why should PMs use one during their projects?
List five reasons IT projects often fail. Describe two controls for each reason that could help to mitigate their occurrence and the audit procedures to test them.
Describe RAD and how it differs from traditional waterfall methods.
Describe three types of systems testing and their importance for project success.
List five key metrics that are useful to manage project progress.
List three features that the software used to manage large projects should contain.
Explain how an organization can demonstrate its adherence with the principle that management decisions are based on a long-term philosophy (principle 1).
Provide three examples of how organizations can create continuous process flows to bring problems to the surface (principle 2).
Explain the difference between a pull and a push system, and the pros and cons of each model (principle 3).
What evidence would you ask to examine to determine if an organization is leveling the workload (principle 4)?
Give three examples of how organizations can build a culture of stopping to fix problems so quality is right the first time (principle 5).
Use three tools to describe how a process can be improved to standardize its tasks and processes in pursuit of continuous improvement and employee empowerment (principle 6).
Provide three examples of effective visual controls that make sure that problems come to the surface (principle 7).
What specific recommendations would you make to an organization that wants to grow leaders who understand the work and live the philosophy (principle 9) and develops exceptional people and teams (principle 10)?
How do organizations show that they respect their extended network of partners and suppliers(principle 11) and what evidence would you evaluate?
Describe genba walks and explain how managers can use them to thoroughly understand situations (principle 12).
List and describe the three most common types of organizational structure.
Which organizational structure, while typically providing greater clarity about roles and responsibilities, often slows operational responsiveness?
Which structure is most often used when operations are relatively stable and there is a low rate of change?
Which two structures often provide the greatest opportunities for workers to learn from each other thus facilitating the transfer of knowledge laterally in the organization?
Why are org charts commonly reviewed by internal auditors?
Why is Variation in Approach important to the success of organizations and what are the implications for internal auditors?
Relate the three main forms of resistance to Situational Positioning and how awareness of this impacts risk assessments.
List five attributes that characterize exceptional organizations and explain their significance to operational auditors.
Explain why employee involvement is important for operational effectiveness.
Develop an operational audit program that includes procedures to determine if a unit is effectively balancing flexibility and stability.
A security assessment is a method for proving the strength of security systems.A. True B. False
Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a ________.
Whereas only qualified auditors perform security audits, anyone may do security assessments.A. True B. False
NIST 800-53A provides ________.
Which one of the following is not a method used for conducting an assessment of security controls?A. Examine B. Interview C. Test D. Remediate
Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker?A. Policy review B. Penetration test C. Standards review D. Controls audit E. Vulnerability scan
An IT security audit is an ________ assessment of an organization’s internal policies, controls, and activities.
Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations?A. IT audit B. Operational audit C. Compliance audit D. Financial audit E. Investigative audit
The internal audit function may be outsourced to an external consulting firm.A. True B. False
Compliance initiatives typically are efforts around all except which one of the following?A. To adhere to internal policies and standards B. To adhere to regulatory requirements C. To adhere to industry standards and best practices D. To adhere to an auditor’s recommendation
At all levels of an organization, compliance is closely related to which of the following?A. Governance B. Risk management C. Government D. Risk assessment E. Both A and B F. Both C and D
Which one of the following is true with regard to audits and assessments?A. Assessments typically result in a pass or fail grade, whereas audits result in a list of recommendations to improve controls.B. Assessments are attributive and audits are not.C. An audit is typically a precursor to an
Noncompliance with regulatory standards may result in which of the following?A. Brand damage B. Fines C. Imprisonment D. All of the above E. B and C only
Which of the following companies engaged in fraudulent activity and subsequently filed for bankruptcy?A. WorldCom B. Enron C. TJX D. All of the above E. A and B only
Some regulations are subject to ________, which means even if there wasn’t intent of noncompliance, an organization can still incur large fines.
Which of the following acknowledges the importance of sound information security practices and controls in the interest of national security?A. FISMA B. GLBA C. HIPAA D. FACTA E. FERPA
What organization was tasked to develop standards to apply to federal information systems using a risk-based approach?A. Public Entity Risk Institute B. International Organization for Standardization C. National Institute of Standards and Technology D. International Standards Organization E.
RMF provides for the authorization of the operation of an information system based on an acceptable level of ________.
Which of the following organizations was tasked to develop and prescribe standards and guidelines that apply to federal information systems?A. NIST B. FISMA C. Congress D. PCI SSC E. U.S. Department of the Navy
What section of Sarbanes-Oxley requires management and the external auditor to report on the accuracy of internal controls over financial reporting?A. Section 301 B. Section 404 C. Section 802 D. Section 1107
Sarbanes-Oxley explicitly addresses the IT security controls required to ensure accurate financial reporting.A. True B. False
Which of the following was established to have oversight of public accounting firms and is responsible for defining the process of SOX compliance audits?A. COSO B. Enron C. PCAOB D. Sarbanes-Oxley E. None of the above
Which of the following is not one of the titles within Sarbanes-Oxley?A. Corporate Responsibility B. Enhanced Financial Disclosures C. Analyst Conflicts of Interest D. Studies and Reports E. Auditor Conflicts of Interest
Which one of the following is not considered a principal part of the Gramm-Leach-Bliley Act?A. Financial Privacy Rule B. Pretexting provisions C. Safeguards Rule D. Information Security Rule
Which regulatory department is responsible for the enforcement of HIPAA laws?A. HHS B. FDA C. U.S Department of Agriculture D. U.S. EPA E. FTC
Which one of the following is not one of the safeguards provided within the HIPAA Security Rule?A. Administrative B. Operational C. Technical D. Physical
In accordance with the Children’s Internet Protection Act, who determines what is considered inappropriate material?A. FCC B. U.S. Department of Education C. The local communities D. U.S. Department of the Interior Library E. State governments
While the Family Educational Rights and Privacy Act prohibits the use of Social Security numbers as directory information, the act does permit the use of the last four digits of a SSN.A. True B. False
PCI DSS is a legislative act enacted by Congress to ensure that merchants meet baseline security requirements for how they store, process, and transmit payment card data.A. True B. False
To comply with the Red Flags Rule, financial institutions and creditors must do which of the following?A. Identify red flags for covered accounts.B. Detect red flags.C. Respond to detected red flags.D. Update the program periodically.E. All of the above F. Answers B and C only
After mapping existing controls to new regulations, an organization needs to conduct a ________ analysis.
Which of the following best describes the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information?A. Security management B. Compliance management C. Privacy management D. Personal management E. Collection
The process of selecting security controls is considered within the context of risk management.A. True B. False
If a baseline security control cannot be implemented, which of the following should be considered?A. Compensating control B. Baseline security standard revision C. Policy revision D. None of the above
Account management and separation of duties are examples of what type of controls?A. Audit and accountability B. Access control C. Security assessment and authorization D. Personal security
Which one of the following is not one of the seven domains of a typical IT infrastructure?A. User Domain B. Workstation Domain C. LAN-to-LAN Domain D. WAN Domain E. Remote Access Domain
Which of the following policies would apply to the User Domain concerning the seven domains of a typical IT infrastructure?A. Acceptable use policy B. Internet access policy C. Security incident policy D. Firewall policy E. Answers A and B F. Answers B and D
Mitigating a risk from an IT security perspective is about eliminating the risk to zero.A. True B. False
Which of the following is an example of why an ongoing IT compliance program is important?A. Organizations are dynamic, growing environments.B. Threats evolve.C. Laws and regulations evolve.D. All of the above
Policies, standards, and guidelines are part of the policy ________.
Which one of the following is not part of the change management process?A. Identify and request B. Evaluate change request C. Decision response D. Implement unapproved change E. Monitor change
Regarding the seven domains of IT infrastructure, the Workstation Domain includes which of the following? (Select three.)A. Desktop computers B. Laptop computers C. Remote access systems D. E-mail servers E. Handheld devices
Adequate controls over privacy data helps prevent ________ theft.
A _______ is a conceptual set of rules and ideas that provide structure to a complex and challenging situation.
Frameworks differ from each other in that they might offer varying levels of depth and breadth.A. True B. False
Avoiding the need for audits is one reason organizations develop clearly documented policies, standards, and procedures.A. True B. False
Which of the following should organizations do when selecting a standard? (Select three.)A. Select a standard that can be followed.B. Employ the selected standard.C. Select a flexible standard.D. Select a standard that other organizations in the same geographic location are using.
The COSO framework is targeted to which of the following groups within a company?A. Executive management B. First-line management C. Security analysts D. Application developers
COSO is the acronym for which of the following?A. Compliance Objectives Standards Organization B. Committee of Sponsoring Organizations C. Compliance Organization Standard Operation D. Committee on Standard Objectives
Responding to business requirements in alignment with the business strategy is an example of an IT ________.
Which one of the following is not true of COBIT?A. It is business-focused.B. It is security-centered.C. It is process-oriented.D. It is controls-based.E. It is measurement-driven.
Which one of the following is not one of the four domains of COBIT?A. Plan and Organize B. Implement and Support C. Acquire and Implement D. Deliver and Support E. Monitor and Evaluate
SSAE 16 Type 1 includes everything in a SSAE 16 Type 2 report, but it adds a detailed testing of the controls over a specific time frame.A. True B. False
Organizations may be audited for both ISO/IEC 27001 and ISO/IEC 27002 and receive a formal certification for each.A. True B. False
ISO/IEC 27002 is a code of ________ for information security management.
What PCAOB standard states that the auditor should assess the amount of IT involvement in the financial reporting process?A. Auditing Standard No. 1 B. Auditing Standard No. 11 C. Auditing Standard No. 55 D. Auditing Standard No. 5
Which of the following provides a framework for assessing the adequacy of implemented controls?A. NIST 800-53 B. NIST 800 C. NIST 800-53A D. NIST 800A
Which one of the following can an audit help identify?A. Fraud B. Ineffective IT practices C. Improper use of resources D. Inadequate security E. All of the above
Which of the following is the discipline of managing and understanding uncertainty?A. Audit management B. Metrology C. Risk management D. Cryptology
Threat is synonymous with risk and can be used interchangeably.A. True B. False
Identifying potential dangers to an organization is part of the process called ________ identification.
Which of the following is the best example of a potential vulnerability to an IT system?A. Hacker B. Terrorist C. Unpatched operating system D. None of the above
The results of a risk assessment help define the audit objectives.A. True B. False
When applying controls, which of the following is not an example of what needs to be considered when examining the tradeoffs?A. Feasibility B. Cost C. Operational impact D. Due diligence
The audit ________ includes the area or areas to be reviewed.
Which of the following defines the goals for an audit?A. Audit objective B. Audit scope C. Audit frequency D. Audit report
Which of the following is not a category of IT security controls defined by NIST?A. Physical controls B. Management controls C. Operational controls D. Technical controls
Which of the following documents should be included in the gathering process of an IT audit?A. Policies and procedures B. Previous audit reports C. Network diagrams D. Answers A and C only E. Answers A, B, and C
Only security operations personnel need to follow IT security policies.A. True B. False
Fraudulent activity uncovered during interviews would be a reason to expand the scope of an audit.A. True B. False
Which of the following describes all the auditable components within an organization?A. Cosmos domains of IT B. Domains of applications C. IT universe D. Universal audit

Showing 900 - 1000 of 1793

First
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Last

Auditing IT Infrastructures For Compliance 2nd Edition Martin Weiss, Michael G. Solomon - Solutions

Step by Step Answers