24. 4.1.10 Quality Assurance Verify that system changes are authorized, tested and implemented in a controlled manner prior to being introduced into the production environment. 4.1 Information Systems Operations

25. 4.1.11 Information Security Management • Performing risk assessments on information assets • Performing business impact analyses • Conducting security assessments on a regular basis • Implementing a formal vulnerability management process 4.1 Information Systems Operations

26. Chapter 4 Question 1 When reviewing a service level agreement for an outsourced computer center an IS auditor should FIRST determine that: A. the cost proposed for the services is reasonable. B. security mechanisms are specified in the agreement. C. the services in the agreement are based on an analysis of business needs. D. audit access to the computer center is allowed under the agreement.

27. Which of the following is the MOST effective method for an IS auditor to use in testing the program change management process? A. Trace from system generated information to the change management documentation. B. Examine change management documentation for evidence of accuracy. C. Trace from the change management documentation to a system generated audit trail. D. Examine change management documentation for evidence of completeness. Chapter 4 Question 2

28. A university’s IT department and financial services office (FSO) have an existing service level agreement that requires availability during each month to exceed 98 percent. FSO has analyzed availability and noted that it has exceeded 98 percent for each of the last 12 months, but has averaged only 93 percent during month-end closing. Which of the following options BEST reflects the course of action FSO should take? A. Renegotiate the agreement. B. Inform IT that it is not meeting the required availability standard. C. Acquire additional computing resources. D. Streamline the month-end closing process. Chapter 4 Question 3

40. Which one of the following provides the BEST method for determining the level of performance provided by similar information-processing-facility environments? A. User satisfaction B. Goal accomplishment C. Benchmarking D. Capacity and growth planning Chapter 4 Question 4

41. The key objective of capacity planning procedures is to ensure that: A. available resources are fully utilized. B. new resources will be added for new applications in a timely manner. C. available resources are used efficiently and effectively. D. utilization of resources does not drop below 85%. Chapter 4 Question 5

59. When conducting an audit of client-server database security, the IS auditor should be MOST concerned about the availability of: A. system utilities. B. application program generators. C. systems security documentation. D. access to stored procedures . Chapter 4 Question 6

60. The PRIMARY benefit of database normalization is the: A. minimization redundancy of information in tables required to satisfy users’ needs. B. ability to satisfy more queries. C. maximization of database integrity by providing information in more than one table. D. minimization of response time through faster processing of information. Chapter 4 Question 7

82. Chapter 4 Question 8 An IS auditor when reviewing a network used for Internet communications will FIRST examine the: A. validity of password change occurrences. B. architecture of the client-server application. C. network architecture and design. D. firewall protection and proxy servers .

83. Which of the following would allow a company to extend its enterprise’s intranet across the Internet to its business partners? A. Virtual private network B. Client-server C. Dial-up access D. Network service provider Chapter 4 Question 9

84. Which of the following statements relating to packet switching networks is correct? A. Packets for a given message travel the same route. B. Passwords cannot be embedded within the packet. C. Packet lengths are variable and each packet contains the same amount of information. D. The cost charged for transmission is based on the packet, not the distance or route traveled. Chapter 4 Question 10