Following a recent internal data breach, an IS auditor was asked to evaluate information security practices within the organization. Which of the following findings would be MOST important to report to senior management?

A. Employees are not required to sign a non-compete agreement.
B. Security education and awareness workshops have not been completed.
C. Users lack technical knowledge related to security and data protection.
D. Desktop passwords do not require special characters.

Which of the following would be of MOST concern during an audit of an end user computing system containing sensitive information?

A. Audit logging is not available.
B. System data is not protected.
C. Secure authorization is not available.
D. The system is not included in inventory.

An organization has software that is not compliant with data protection requirements. To help ensure that appropriate and relevant data protection controls are implemented in the future, the auditor’s BEST course of action would be to:

A. conduct a privacy impact assessment to identity gaps in the organization’s privacy.
B. recommend that privacy checks are included within the solution development life cycle.
C. recommend an executive be appointed to oversee privacy program improvements.
D. map the organization’s business processes to identify personally identifiable information (PII).

Which of the following is BEST addressed when using a timestamp within a digital signature to deliver sensitive financial information?

A. Replay protection
B. Authentication
C. Nonrepudiation
D. Data integrity

Which of the following IT governance best practices improves strategic alignment?

A. Supplier and partner risks are managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediate between the imperatives of business and technology.

As an outcome of information security governance, strategic alignment provides:

A. security requirements driven by enterprise requirements.
B. baseline security following best practices.
C. institutionalized and commoditized solutions.
D. an understanding of risk exposure.

IT governance is PRIMARILY the responsibility of the:

A. chief executive officer.
B. board of directors.
C. IT steering committee.
D. audit committee.

Establishing the level of acceptable risk is the responsibility of:

A. quality assurance management.
B. senior business management.
C. the chief information officer.
D. the chief security officer.

Effective IT governance will ensure that the IT plan is consistent with the organization's:

A. business plan.
B. audit plan.
C. security plan.
D. investment plan.

Involvement of senior management is MOST important in the development of:

A. strategic plans.
B. IS policies.
C. IS procedures.
D. standards and guidelines.