
1. The development of an IS security policy is ultimately the responsibility of the: A. IS department. B. security committee. C. security administrator. D. board of directors.

Answer: D
Normally the designing of an information systems security policy is the responsibility of top management or the board of directors. The IS department is responsible for the execution of the policy, having no authority in framing the policy. The security committee also functions within the broad security policy framed by the board of directors. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.

2. Which of the following is an IS control objective? A. Output reports are locked in a safe place. B. Duplicate transactions do not occur. C. System backup/recovery procedures are updated periodically. D. System design and development meet users' requirements.

Answer: B
Preventing duplicate transactions is a control objective. Having output reports locked in a safe place is an internal accounting control, backup/recovery procedures are an operational control, and system design and development meeting users' requirements is an administrative control.

3. A goal of processing controls is to ensure that: A. the data are delivered without compromised confidentiality. B. all transactions are authorized. C. accumulated data are accurate and complete through authorized routines. D. only authorized individuals perform sensitive functions.

Answer: C
Processing controls include reconciliation of file totals, reasonableness verification, programmed checks, etc. Data delivered without compromised confidentiality is an output control goal. Having all transactions authorized and having only authorized individuals perform sensitive functions are input control objectives.

4. Which of the following situations would increase the likelihood of fraud? A. Application programmers are implementing changes to production programs. B. Application programmers are implementing changes to test programs. C. Operations support staff are implementing changes to batch schedules. D. Database administrators are implementing changes to data structures.

Answer: A
"Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs be stringent. Lack of control in this area could result in application programs being modified to manipulate the data. Application programmers are required to implement changes to test programs. These are used only in development and do not directly impact the live processing of data. Operations support staff implementing changes to batch schedules will affect the scheduling of the batches only; this does not impact the live data. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database."

5. Which of the following would be considered a business risk? A. Former employees B. Part-time and temporary personnel C. Loss of competitive edge D. Hackers

Answer: C
Many organizations, especially service firms such as banks, savings and loans and investment firms, need credibility and public trust to maintain a competitive edge. A security violation can severely damage this credibility, resulting in the loss of business and prestige. Loss of credibility is a risk. The other choices are threats. Former employees who left on unfavorable terms are potential logical or physical access violators. Part-time and temporary personnel often have a great deal of physical access and may well be competent in computing. Hackers are typically attempting to test the limits of access restrictions to prove their ability to overcome the obstacles. Although they usually do not access a computer with the intent of destruction, this is quite often the result.


9. Which of the following is an objective of a control self-assessment (CSA) program? A. Concentration on areas of high risk B. Replacement of audit responsibilities C. Completion of control questionnaires D. Collaborative facilitative workshops

Answer: A
The objectives of CSA programs include education for line management in control responsibility and monitoring, and concentration by all on areas of high risk. The objectives of CSA programs include the enhancement of audit responsibilities, not the replacement of audit responsibilities. Choices C and D are tools of CSA, not objectives.

10. Which of the following should be included in an organization's IS security policy? A. A list of key IT resources to be secured B. The basis for access authorization C. Identity of sensitive security features D. Relevant software security features

The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. Choices A, B and C are more detailed than what should be included in a policy.

11. A key element in a risk analysis is/are: A. audit planning. B. controls. C. vulnerabilities. D. liabilities.

Answer: C
Vulnerabilities are a key element in the conduct of a risk analysis. Audit planning consists of short- and long-term processes that may detect threats to the information assets. Controls mitigate risks associated with specific threats. Liabilities are part of business and are not inherently a risk.
