Module 5 Q and A

ISA MOD 5 QA

Uploaded by anita.parihar
© All Rights Reserved

Introduction to Protection of Information Assets

1. Which of the following shall BEST help in deciding upon the protection
level for an information asset?
A. Location of asset.
B. Impact of risk.
C. Vulnerabilities in asset.
D. Inventory of threats
2. Which of the following is a risk response option?
A. Determine likelihood of threat
B. Determine probability of risk
C. Deciding amount of insurance cover
D. Prepare risk profile report
3. After a tsunami, a business decides to shift the location of its data centre
from a coastal area to inland. Which type of risk response option has it
exercised?
A. Accept
B. Avoid
C. Mitigate
D. Transfer

4. An organization's capacity to sustain loss due to uncertainty, expressed in
monetary terms, is best known as:
A. Risk appetite
B. Risk tolerance
C. Risk acceptance
D. Risk mitigation
5. The main use of maintaining and updating a risk register is to:
A. Define controls
B. Identify risk owner
C. Build risk profile
D. Maintain evidence
6. Of the following, who is accountable for deciding and implementing
controls based on risk mitigation plan?
A. Chief risk officer
B. Risk owner
C. IT operations manager
D. Board of directors
7. Which of the following is a risk factor that may have impact on organization?
A. Management decides to acquire new application software.
B. A new application required by organization is released.
C. Vendor decides to stop supporting existing application.
D. Organization retires old application that is not in use.
8. While auditing the risk monitoring process, which of the following should the
IS auditor review FIRST?
A. Risk assessment process
B. Risk management framework
C. Alignment with business risks
D. Annual review of risk register
Background Material on Information Systems Audit 3.0 Course (Module 5)

9. The quantum of risk after enterprise has implemented controls based on risk
mitigation plan is:
A. Accepted risk
B. Residual risk
C. Inherent risk
D. Current risk
10. Which of the following shall best help in aligning IT risk with
enterprise risk?
A. Presenting IT risk results in business terms.
B. Conducting business impact analysis.
C. Making Chief risk officer accountable.
D. Align IT strategy with business strategy.
2.1
1. The primary objective of implementing information security management is to:
A. Ensure reasonable security practices
B. Comply with internal audit requirements
C. Adopt globally recognized standards
D. Protect information assets
2. Which of the following is the primary function of information security policies?
A. Align information security practices with strategy
B. Communicate intent of management to stakeholders
C. Perform risk assessment of IT operations and assets
D. Ensure compliance with requirements of standards
3. Information security policies are a set of policies addressing different
information systems areas, based on the IT infrastructure of the
organization. Which of the following policies is most common in all
organizations?
A. Acceptable use policy
B. BYOD (Bring Your Own Device) policy
C. Data encryption policy
D. Biometric security policy
4. Protecting integrity of data primarily focuses on:
A. Intentional leakage of data
B. Accidental loss of data
C. Accuracy and completeness
D. Data backup procedures
5. Which of the following is the primary reason for periodic review of a security policy?
A. Compliance requirements
B. Changes in board of directors
C. Changes in environment
D. Joining of new employees
6. Which of the following is the best evidence indicating support and
commitment of senior management for information security initiatives?
A. Directive for adopting global security standard
B. Higher percentage of budget for security projects
C. Assigning responsibilities for security to IT head
D. Information security is on monthly meeting agenda
7. Which of the following is a concern for compliance with information
security policy?
A. Decrease in low risk findings in audit report
B. High number of approved and open policy exceptions
C. Security policy is reviewed once in two years
D. Security policy is signed by Chief Information Officer
8. Which of the following is the primary purpose of information classification?
A. Comply with regulatory requirement
B. Assign owner to information asset
C. Provide appropriate level of protection
D. Reduce costs of data protection
Physical and Environmental Controls

3.1
1. Which of the following is the first action when a fire detection system
raises the alarm?
A. Turn off the air conditioner
B. Determine type of fire
C. Evacuate the facility
D. Turn off power supply
2. Which of the following is the most important control for an unmanned data center?
A. Access control for entry and exit for all doors
B. The humidity levels need not be maintained
C. The temperature must be at sub-zero level
D. Halon gas-based fire suppression system
3. The primary purpose of an access-controlled dead man door, turnstile or mantrap is to:
A. Prevent unauthorized entry
B. Detect perpetrators
C. Meet compliance requirement
D. Reduce cost of guard
4. Which of the following is the main reason for appointing human guards at the
main entrance of facilities?
A. Address visitors' requirements to visit
B. Issue the access cards to visitors
C. Cost of automation exceeds security budget
D. Deter unauthorized persons
5. Which of the following is a major concern associated with biometric
physical access control?
A. High acceptability
B. High false positives
C. High false negatives
D. High cost
6. Which of the following evidence is best to provide assurance on
automated environmental controls?
A. Annual maintenance contract with vendor
B. Simulation testing of devices during audit
C. Device implementation report by vendor
D. Documented results of periodic testing
7. What are the problems that may be caused by humidity in an area with
electrical devices?
A. High humidity causes excess electricity, and low humidity causes corrosion
B. High humidity causes power fluctuations, and low humidity causes
static electricity
C. High humidity causes corrosion, and low humidity causes static electricity
D. High humidity causes corrosion, and low humidity causes power
fluctuations.
8. Automated access controls open doors based on access cards, PINs,
and/or biometric devices and are powered by electricity. Which of the
following is the best policy in case of power failure?
A. Keep the door in locked state
B. Open door and appoint guard
C. Find root cause of power failure
D. Arrange for battery backup
9. While selecting a site for a data center, which of the following sites is best?
A. On the topmost floor, to delay an unauthorized visitor reaching it
B. In the basement, not easily accessible to a perpetrator
C. On the ground floor, so that users can access it easily
D. On a middle floor, to strike a balance between the above concerns

10. Which of the following is main reason for not allowing mobile devices into data
center?
A. Unauthorized changes and access in configuration
B. Prevent photography of data center layout
C. User can provide information to attacker on phone
D. Mobile devices generate wireless communication

Logical Access Controls

1. Which of the following pairs of authentication methods can be considered two factors?
A. Password and passphrase
B. Passphrase and PIN
C. Token and access card
D. Access card and PIN
2. Which of the following is the primary requirement for granting user access
to an information asset?
A. Identification
B. Authorization
C. Authentication
D. Need to know
3. Mandatory access controls are those controls that are:
A. Based on global standards
B. Defined by security policy
C. Part of compliance requirements
D. Granted by asset owner
4. Which of the following is a major concern associated with Single Sign-On?
A. Multiple passwords are noted
B. User may select easy password
C. It is a single point of failure
D. High maintenance cost
5. Which of the following non-compliance with information security policy is
most difficult to detect or get evidence for?
A. Use of removable media
B. Password sharing by user
C. Access to banned web sites
D. Passing information over phone
6. Which of the following processes in user access management is most
essential to detect errors and omissions resulting in unauthorized or excess
access for users?
A. Identification
B. Authentication
C. Authorization
D. Review
7. While auditing compliance with the password policy, the IS auditor observed
that the configuration of password parameters in the system is as per the
information security policy. Which of the following should the auditor verify?
A. Review enforcement for sample users
B. Verify all assets have same configuration
C. Review log for password configuration
D. Interview users on policy enforcement
8. One-time passwords are considered strong because they are:
A. Active for short period
B. Communicated on mobile
C. Unique for each user
D. Unique for session

9. Which of the following attacks used to break user passwords is difficult to control?
A. Brute Force
B. Dictionary attack
C. Spoofing
D. Social engineering
10. Which of the following is a primary objective of implementing logical
access controls?
A. Identify users on the system
B. Fixing accountability of actions
C. Authorize users based on role
D. Compliance with policy
Network Security Controls

5.1
1. Which of the following is a method used to gather information
about the communication network?
A. Reconnaissance
B. Brute force
C. Eavesdropping
D. Wiretapping
2. A message digest helps an organization get assurance on:
A. Communication delivery
B. Data availability
C. Data integrity
D. Data confidentiality
3. While auditing an organization's network, which of the following controls
must the IS auditor verify first?
A. Encrypted communication
B. Network zoning
C. Firewall configuration
D. Penetration test report
4. A cryptographic checksum is a network control that:
A. Adds a parity bit after adding the data bits.
B. Translates data in a file into a hash value.
C. Transmits the data after encryption.
D. Translates the data into a parity checksum combination.
5. The primary function of a Security Operations Center (SOC) is to:
A. Define baseline
B. Configure firewall
C. Monitor logs
D. Implement Antivirus
6. Intrusion detection monitoring on a host for data integrity attacks by
malicious software is a:
A. Technical control
B. Corrective control
C. Detective Control
D. Preventive Control
7. Which of the following is most important while performing penetration
testing?
A. Maintain secrecy about testing
B. Get consent from affected stakeholders
C. Report to be provided to all users
D. Perform test after office hours
8. Most web-based application attacks can be prevented by:
A. Input validation
B. Encryption
C. Penetration test
D. Access controls
9. Social engineering attacks can best be prevented by:
A. Intrusion detection system
B. Strong access controls
C. Two factor authentication
D. Awareness training
10. Which of the following is a type of malware that does not use system resources for
execution of malicious code?
A. Virus
B. Logic bomb
C. Trojan
D. Worm
