Information Systems And Controls Chapter 14 Test Bank - Digital Test Bank | Accounting Info Systems 1e by Arline A. Savage.

Accounting Information Systems, 1e (Savage)

Chapter 14 Information Systems and Controls

1) Which statement about Information Technology (IT) is FALSE?

A) IT includes the technology and processes involved with technology.

B) IT is concerned with both hardware and software.

C) IT includes controls for facility power and utilities.

D) IT includes systems for the processing and distribution of data.

Diff: 1

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Technology and Tools

2) Which statement describing COBIT 2019 is TRUE?

A) COBIT contributors do not have to pay the subscription fee.

B) COBIT has an organizational focus on HR governance.

C) COBIT is designed to assist in IT governance and implementing IT controls.

D) COBIT has a control scope that encompasses all internal controls.

Diff: 1

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Risk Assessment, Analysis, and Management

3) COBIT 2019 controls are organized into five domains that are divided into what two categories based on their objectives?

A) Internal and external

B) Organization and implementation

C) Governance and management

D) Management and assessment

Diff: 1

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Knowledge

AICPA: AC: Risk Assessment, Analysis, and Management

4) Which of the following statements about the COBIT 2019 IT governance domain, Evaluate, Direct and Monitor (EDM) is TRUE?

A) EDM relates to the operational side of IT projects and support.

B) EDM focuses on whether IT projects are meeting organizational objectives.

C) EDM assesses IT requirements for acquiring technology.

D) EDM states that the board of directors must assess needs and provide oversight.

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Risk Assessment, Analysis, and Management

5) Which of the following statements about COBIT 2019 is TRUE?

A) COBIT is an open-source model that has an online platform for feedback.

B) COBIT is a part of the COSO Internal Controls

C) COBIT focuses on addressing risk from a strategic perspective.

D) COBIT has a control scope that encompasses all internal controls.

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Risk Assessment, Analysis, and Management

6) Which of the following statements concerning IT governance are TRUE?

A) IT governance requires a dedicated department.

B) IT governance ensures effective and efficient use of IT.

C) IT governance should be scheduled to occur once per year.

D) IT governance standards framework, COSO, focuses on minimizing risk.

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Risk Assessment, Analysis, and Management

7) What is the most widely used international standard for IT governance?

A) COSO

B) COBIT

C) ISACA

D) ITGC

Diff: 1

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Knowledge

AICPA: AC: Risk Assessment, Analysis, and Management

8) ABC Technology Management, Inc. is seeking guidance on managing risk, security, budgets, and innovation. Which COBIT 2019 management IT objective should ABC consult?

A) Align, Plan and Organize (APO)

B) Build, Acquire and Implement (BAI)

C) Deliver, Service and Support (DSS)

D) Monitor, Evaluate and Assess (MEA)

Diff: 3

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Evaluation

AICPA: AC: Risk Assessment, Analysis, and Management

9) Which of the following COBIT 2019 management IT objectives includes topics that would help an organization define project requirements, change management guidelines, and project execution plans?

A) Align, Plan and Organize (APO)

B) Build, Acquire and Implement (BAI)

C) Deliver, Service and Support (DSS)

D) Monitor, Evaluate and Assess (MEA)

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Risk Assessment, Analysis, and Management

10) Which of the following COBIT 2019 management IT objectives includes topics that would help an organization manage operations, problems, continuity, and business process controls?

A) Align, Plan and Organize (APO)

B) Build, Acquire and Implement (BAI)

C) Deliver, Service and Support (DSS)

D) Monitor, Evaluate and Assess (MEA)

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Risk Assessment, Analysis, and Management

11) Which of the following COBIT 2019 management IT objectives includes topics that would help an organization define compliance with external requirements, performance monitoring, and a system of internal control?

A) Align, Plan and Organize (APO)

B) Build, Acquire and Implement (BAI)

C) Deliver, Service and Support (DSS)

D) Monitor, Evaluate and Assess (MEA)

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Risk Assessment, Analysis, and Management

12) What elements of IT are IT general controls (ITGCs) designed to protect? Select all that apply.

A) Structure

B) Components

C) Data

D) Risk

Diff: 1

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Risk Assessment, Analysis, and Management

13) IT governance frameworks define the criteria that a company uses for which aspects of IT governance? Select all that apply.

A) Management

B) Monitoring

C) Objections

D) Implementation

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Risk Assessment, Analysis, and Management

14) Accounting professionals utilize multiple frameworks. Which framework would a manager select to make sure that all internal controls are Sarbanes Oxley compliant?

A) ITGC

B) COSO

C) ISACA

D) COBIT

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Risk Assessment, Analysis, and Management

15) Which framework would an IT manager select to make sure that access to sensitive customer data is limited to only those who require access?

A) ITGC

B) COSO

C) ISACA

D) COBIT

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Risk Assessment, Analysis, and Management

16) The objectives of which COBIT domain include frameworks, resource optimization, and being transparent with stakeholders?

A) Align, Plan and Organize (APO)

B) Build, Acquire and Implement (BAI)

C) Deliver, Service and Support (DSS)

D) Evaluate, Direct, and Monitor (EDM)

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Risk Assessment, Analysis, and Management

17) Angela is tasked with reviewing the IT service request process for her accounting firm. Which COBIT domain should she reference?

A) Align, Plan and Organize (APO)

B) Build, Acquire and Implement (BAI)

C) Deliver, Service and Support (DSS)

D) Monitor, Evaluate, and Assess (MEA)

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Risk Assessment, Analysis, and Management

18) Wade is tasked with evaluating and recommending improvements to the project management framework for his accounting firm. Which COBIT domain should he reference?

A) Align, Plan and Organize (APO)

B) Build, Acquire and Implement (BAI)

C) Deliver, Service and Support (DSS)

D) Monitor, Evaluate, and Assess (MEA)

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Risk Assessment, Analysis, and Management

19) Select the appropriate role assigned to a leader in the IT team who needs unlimited access and is responsible for assigning roles to other users.

A) Creator

B) Read-only

C) User

D) Administrator

Diff: 3

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Evaluation

AICPA: AC: Systems and Process Management

20) New users to a system are granted access through what formal process?

A) User access provisioning

B) User authentication

C) User role assignment

D) User validation

Diff: 1

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Knowledge

AICPA: AC: Systems and Process Management

21) Which of the following is an example of a user authentication control?

A) Username and password

B) Login name

C) Electronic safe

D) Employee handbook

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Technology

Bloom's: Application

AICPA: AC: Systems and Process Management

22) Which of the following statements concerning user access reviews is TRUE?

A) User access reviews are periodic reviews of current power users and their system roles.

B) User access reviews move infrequently used accounts to a dormant status.

C) A user access review should be a simple, quick process that is completed frequently.

D) A user access review lowers inappropriate use risks associated with employee changes.

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Systems and Process Management

23) Which of these access roles would you assign a graphic designer working on updating the internal corporate data dashboard to include key financial data?

A) Administrator

B) Read-only

C) User

D) Creator

Diff: 3

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Evaluation

AICPA: AC: Systems and Process Management

24) What role should be assigned to a new team member who just needs access to review files and not make changes?

A) Creator

B) Read-only

C) User

D) Administrator

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Technology

Bloom's: Application

AICPA: AC: Systems and Process Management

25) Which type of authorization uses groups with pre-defined permissions to which users are assigned?

A) Permission roles

B) User access roles

C) Creator roles

D) Read-only roles

Diff: 1

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

26) Which of these access roles would you assign an internal auditor reviewing accounts payable and accounts receivable transactions?

A) Administrator

B) Read-only

C) User

D) Creator

Diff: 3

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Evaluation

AICPA: AC: Systems and Process Management

27) Sushma, the IT employee responsible for setting up user names and passwords, handles user access updates daily to prevent inappropriate access to the organization's system. After what event should Sushma complete user access de-provisioning for an organization employee?

A) Employee new hire

B) Employee reprimand

C) Employee transfer

D) Employee award

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

28) Which of the following are examples of a logical user access control? Choose all that apply.

A) Security badge

B) Multifactor authentication

C) Biometric authentication

D) Fingerprint scanner

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Technology

Bloom's: Application

AICPA: AC: Systems and Process Management

29) Adrian evaluated Branch Technologies' user access assignment procedures and found them to be inefficient. Rather than assign each user permissions individually, Adrian recommends that Branch Technologies define roles with pre-defined access criteria and assign users to roles. What type of authorization is Adrian recommending?

A) Role-based access controls

B) Individual permissions

C) Physical access controls

D) User access de-provisioning

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

30) User access de-provisioning should occur when which of the following user access status changes occur? Choose all that apply.

A) Termination

B) New hire

C) Transfer

D) Dormancy

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

31) A user access review is an important yet tedious and time-consuming process. What kind of newer technology can be implemented to automate or semi-automate the process?

A) Analytical automation

B) Machine learning algorithm

C) User access software

D) Dormancy software tools

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

32) Which of the following statements about user access de-provisioning is FALSE?

A) User access de-provisioning is the formal process of changing a user's access.

B) User access de-provisioning should occur after an employee's termination or transfer.

C) Removing someone's access does not create risk for the system.

D) Removing access to systems is not required for employee promotions.

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Systems and Process Management

33) Alejandro reviewed the user access protocols for Ponder Products. Alejandro is concerned that the accounting system could be subject to malicious attacks on user accounts that are currently protected with a user name and password. The system has the capability to send a message to a user's cell phone or email address. How could Alejandro use the messaging capabilities of the system to further protect it from attack?

A) Enable two-factor authentication

B) Enable fingerprint scanners

C) Enable read-only access for all users

D) Enable administrator access for all users

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

34) What role should be assigned to a new team member who needs access to make changes to the system, create files, download and upload files, and edit files?

A) Creator

B) Read-only

C) User

D) Administrator

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Technology

Bloom's: Application

AICPA: AC: Systems and Process Management

35) Which statement about user access provisioning request tickets is TRUE?

A) Request tickets require the employee to explain why they need access to the system.

B) Request tickets require the user's direct supervisor's information.

C) Managers and system owners must review the request tickets.

D) All of these statements are true.

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

36) What user access role includes permission to add, remove, and set access rights on all objects?

A) Administrator

B) Creator

C) User

D) Read-only

Diff: 1

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

37) An internal auditor inspecting a data center will look at all the following components.

A) Security system

B) Fire protection

C) Physical access

D) All answer choices are correct.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

38) Controlled access to data centers often includes multifactor authentication to mitigate the high risk to the equipment that is powering the business. An increased security measure used at very high security data centers is a man-in-the-middle trap. What kind of risk does the trap prevent?

A) Wind damage

B) Piggybacking

C) Provisioning

D) Flood damage

Diff: 3

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Evaluation

AICPA: AC: Systems and Process Management

39) Which of the following roles have control ownership related to protecting the physical computer systems?

A) Information Security Manager

B) Data Center Manager

C) Facilities Manager

D) All answer choices are correct.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

40) Which of the following statements represents a poor design element for a data center protected from the outside environment?

A) A data center with a two-phase fire suppression system and fire extinguishers

B) A data center with cables suspended from the ceiling or bundled up to racks

C) A data center located on the top floor of a building to prevent easy access

D) A data center located on a raised floor near the center of an offsite building

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Systems and Process Management

41) What kind of security method can help prevent piggybacking?

A) User name and password

B) Fingerprint scanner

C) Locked door

D) Man-in-the-middle trap

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

42) Which of the following are physical security measures used to prevent unauthorized access to a data center?

A) Single entrance

B) Security camera at entrance

C) Multifactor authentication

D) All answer choices are correct.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

43) Which of the following are risks to physical IT equipment and systems?

A) A natural disaster causing damage to systems and equipment may result in a disruption of business activities and financial losses.

B) An unauthorized user gaining access to physical equipment may result in theft, malicious attacks, fraud, or data breaches.

C) Failure to maintain facilities in accordance with laws and regulations may result in fines and reputational losses.

D) All answer choices are correct.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Systems and Process Management

44) What kind of facility is used to protect the physical components on which systems and data are stored?

A) System center

B) Network operations center

C) Access center

D) All of these answer choices are correct.

Diff: 1

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Technology

Bloom's: Knowledge

AICPA: AC: Systems and Process Management

45) Moore Software Development (MSD), Inc. began operations in Moore, Oklahoma, an area prone to tornadoes. Recent business growth necessitates the need for a larger data center. Select the most appropriate statement associated with MSD's new data center.

A) MSD should expand their current on-site data center so that all components will be secure in one location.

B) MSD should lease data center space nearby to allow current IT staff easy access to additional components.

C) MSD should locate a space for an off-site data center in an area away from the risk of bad weather to mitigate the risk of losing both centers at the same time.

D) All of these statements are correct.

Diff: 3

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Evaluation

AICPA: AC: Systems and Process Management

46) Data centers should be situated in a room with no windows to prevent

A) someone from breaking in through the window.

B) damage occurring to systems when a window breaks in a storm.

C) unauthorized access to the room.

D) All answer choices are correct.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

47) Caribbean Technologies is located on the island of Grand Cayman in the Caribbean Sea. The management team established a data center both onsite and offsite in Ohio. What onsite protection measures would you recommend be implemented?

A) Climate controls

B) Raised floors

C) Interior room with no windows

D) All answer choices are correct.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

48) In what ways do climate control systems protect computer system components in a network operations center (NOC)?

A) Climate control systems keep NOCs cool.

B) Climate control systems remove humidity in the NOC to prevent moisture damage.

C) Climate control systems prevent NOC components from overheating.

D) All answer choices are correct.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

49) Which of the following is a poor network operations center (NOC) power practice?

A) An uninterruptible power supply is used to protect systems from outage and surges.

B) An uninterruptible power supply is used to protect systems from varied power voltage.

C) Power and network cables are run along the back of machines along the floor to keep them out of the way.

D) Power and network cables are bundled up to racks suspended from the ceiling to keep them clean and visible.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

50) Which of the following is a poor policy for physical access control for a data center?

A) Only employees directly involved with operating the data center are authorized to enter.

B) Employees must scan their badge then enter a PIN on a keypad to gain access to the data center.

C) Security personnel regularly walk the building perimeter and look through the outside windows to check for unauthorized access to the data center.

D) Security cameras at the data center entrance door record all entrances and exits from the data center.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

51) How does a man-in-the-middle trap create another level of security?

A) The man-in-the-middle trap forces users to spend time in the trap before entering the data center, so only those who really need in will enter.

B) The man-in-the-middle trap allows only one person to be between two doors, each with security measures, at a time.

C) The man-in-the-middle trap will not allow a person to exit if they do not have the verbal passcode to enter the data center.

D) The man-in-the-middle trap allows data center employees to trap intruders using trapdoors in the raised floor.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

52) Which control activity related to physical security is managed by the data center manager?

A) Eating and drinking is prohibited where IT equipment is stored.

B) Policies and procedures for maintaining physical equipment are documented.

C) Access to buildings is justified, authorized, logged, and monitored.

D) Inappropriate access to IT equipment is immediately revoked.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

53) Which control activity related to physical security is managed by the facilities manager?

A) Eating and drinking is prohibited where IT equipment is stored.

B) Policies and procedures for maintaining physical equipment are documented.

C) Access to buildings is justified, authorized, logged, and monitored.

D) Inappropriate access to IT equipment is immediately revoked.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

54) Which of the following plans are included in business continuity planning?

A) Crisis reaction plans indicating who leads the organization's response

B) Plans for essential equipment to be protected or to have alternative equipment

C) Return to normal procedures that prescribe how to return to normal operations

D) All answer choices are correct

Diff: 2

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Systems and Process Management

55) Disaster recovery planning involves categorizing systems and data based on importance to the business. Which of the following types of systems going down could have a detrimental impact on a business and should have a restoration plan that minimizes downtime to a few hours or less?

A) Retail point of sale system

B) Employee benefits system

C) Customer service management system

D) Payroll system

Diff: 2

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

56) Which of the following backup sites is the most expensive but has the fastest recovery speed?

A) Hot backup site

B) Warm backup site

C) Cold backup site

D) Frozen backup site

Diff: 1

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

57) Which of the following statements concerning data backups are TRUE?

A) A data backup is the output of copying computer data to store.

B) Backup storage can be costly and time consuming.

C) Incremental backups are the cheapest backup strategy.

D) All answer choices are correct.

Diff: 2

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Systems and Process Management

58) The CEO of All-Farm Insurance asked you to verify that organization data is fully backed up each weekend and that all new data is backed up daily. On the daily backups, the CEO requests that all new data since the full backup is stored. What type of backup strategy should you choose?

A) Hot backup

B) Full backup

C) Differential backup

D) Incremental backup

Diff: 2

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

59) IT Solutions Express (ITSE) is a database service firm in an area prone to tornadoes. Because ITSE stores critical data, they have a hot backup site for systems and data. As part of ITSE's disaster recovery plan, they need a plan that allows key personnel to resume work offsite within 4 hours if a tornado happens to strike their main facility. What kind of disaster recovery plan is necessary to meet the business requirements of ITSE?

A) Alternative backup site plan

B) Backup team plan

C) Alternative operations site plan

D) Backup direction site plan

Diff: 2

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

60) Which of the following backup sites is the least expensive but has the slowest recovery speed?

A) Hot backup site

B) Warm backup site

C) Cold backup site

D) Frozen backup site

Diff: 1

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

61) Which type of backup copies all data during every backup?

A) Hot backup

B) Full backup

C) Differential backup

D) Incremental backup

Diff: 1

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Knowledge

AICPA: AC: Systems and Process Management

62) Which type of backup copies only new or updated data every time?

A) Hot backup

B) Full backup

C) Differential backup

D) Incremental backup

Diff: 1

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Knowledge

AICPA: AC: Systems and Process Management

63) What determines when data is being stored during data backup?

A) Backup cycle

B) Backup time

C) Backup calendar

D) Backup event

Diff: 1

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

64) Which statements concerning Business Continuity Planning (BCP) are TRUE? Select all statements that are TRUE.

A) BCP includes the procedures taken to protect employees, stakeholders, and assets in the event of a disruptive event.

B) BCP procedures focus on hot backup sites as all systems are critical and must be recovered quickly.

C) After the BCP manager develops the BCP, plans need to be memorized and not changed over time so that all employees know what to expect and do when a disruptive event occurs.

D) BCP plans could be triggered by a variety of disruptive events, such as natural disasters, cyberattacks, social unrest, or a global pandemic.

Diff: 2

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Systems and Process Management

65) What physical location is used to recover systems and data after a disaster?

A) Data center

B) Backup site

C) Recovery center

D) Strategy site

Diff: 1

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

66) What statement about the functionality of a cold backup site is FALSE?

A) A cold backup site may be an almost empty room.

B) A cold backup site is the least expensive type of backup site for a company to implement.

C) A cold backup site imports data at the end of each business day.

D) A cold backup site may take days or weeks to recover.

Diff: 2

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Systems and Process Management

67) What statement concerning backup cycles is FALSE?

A) Warm and cold backup sites depend on which backup cycle is used.

B) A backup cycle determines the frequency with which data is backed up.

C) One of the most common backup cycle methods is known as the Grandfather-Father-Son backup scheme.

D) The Grandfather-Father-Son backup cycle removes the need to conduct quarterly or annual backups.

Diff: 2

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Systems and Process Management

68) If a company were to utilize the Grandfather-Father-Son backup scheme, what backup cycles are implemented?

A) Full backup once per month and week and a smaller backup each day

B) Full backup once per month, differential once per week, and incremental once per day

C) Full backup once per quarter and month and a smaller backup each week and day

D) Full backup once per year, differential once per month, and incremental each day

Diff: 2

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

69) When disaster strikes, what two metrics concerning system and data restoration are important to consider?

A) Recovery Technology Objective (RTO) and Recovery Process Objective (RPO)

B) Recovery Technology Objective (RTO) and Recovery Point Objective (RPO)

C) Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

D) Recovery Time Objective (RTO) and Recovery Process Objective (RPO)

Diff: 1

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Knowledge

AICPA: AC: Systems and Process Management

70) Which statement concerning the disaster response Recovery Time Objective (RTO) is TRUE?

A) The RTO is how much time a system can be down before it causes significant damage to the business.

B) The RTO may be as short as a few seconds.

C) The RTO considers how long the system restoration and data re-load process takes.

D) All of these statements are true.

Diff: 2

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Systems and Process Management

71) Which type of backup strategy copies all data created since the most recent full backup in its entirety every time?

A) Hot backup

B) Full backup

C) Differential backup

D) Incremental backup

Diff: 1

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Knowledge

AICPA: AC: Systems and Process Management

72) How does a standardized change management process decrease risk?

A) By controlling the identification of changes to a system

B) By controlling the implementation of changes to a system

C) By ensuring that changes are reviewed appropriately before being finalized

D) All answer choices are correct.

Diff: 1

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

73) In which change management environment does a developer write code to make the change in the system?

A) Test

B) Model

C) Production

D) Live

Diff: 1

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

74) Which of the following change management steps occurs in the model environment?

A) Developer writes code.

B) Code implemented into production

C) User reviews and approves code.

D) User requests change.

Diff: 2

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

75) An emergency change request bypasses which stage of the change management process?

A) Test

B) Sandbox

C) Model

D) Production

Diff: 2

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

76) Unauthorized or incorrectly executed changes to a system may result in what kind of risk?

A) Incongruency with users

B) Incongruency of prioritization

C) Internal code irregularities

D) Internal fraud

Diff: 2

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Systems and Process Management

77) Which development environment is often referred to as the sandbox because developers can test without having impact on the live systems?

A) Test

B) Model

C) Production

D) Alteration

Diff: 1

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

78) Which of the following change management steps occurs in the model environment?

A) User requests change.

B) Developer writes code.

C) Code implemented into production

D) User reviews and approves code.

Diff: 2

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

79) Which of the stages of the formal change management process includes a recent copy of the production environment where tests are performed?

A) Test environment

B) Model environment

C) Production environment

D) Development environment

Diff: 2

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

80) Joel has developed new code and implemented it into the model environment so that the user can test it to see if it works as required. What stage in the change management process is Joel preparing for?

A) User acceptance testing

B) User code review

C) User developer check

D) User production run

Diff: 2

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

81) What role in an organization assumes responsibility for testing code before implementation in the production environment?

A) Developer

B) User

C) IT analyst

D) All of these are correct.

Diff: 1

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

82) A formal change management process includes multiple environments to reduce risk. A formal change must go through the environments in what order?

A) Test, Model, then Production

B) Model, Test, then Production

C) Production, Model, then Test

D) Production, Test, then Model

Diff: 1

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Technology

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

83) Which of the following change management steps occurs in the test environment?

A) Production control implements change.

B) Developer writes code.

C) IT Analyst documents testing.

D) User reviews and approves code.

Diff: 2

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

84) Which of the following change management steps occurs in the production environment?

A) User requests change.

B) Developer tests code.

C) Code is live in system.

D) User reviews and approves code.

Diff: 2

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

85) Which user has access to all three change management environments?

A) Developer

B) IT Analyst

C) Production control

D) No user has access to all environments.

Diff: 1

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

86) What kind of occurrence would constitute an emergency change to a system?

A) System outage

B) Compliance issue

C) Security risk

D) All of these answer choices are correct.

Diff: 1

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

87) Enoch developed code in response to a request ticket submitted by Cody. Enoch tested his code in the sandbox and is ready for Cody to test the code to see if it meets his requirements. In what environment will Cody test the new code?

A) Test environment

B) Model environment

C) Production environment

D) Live environment

Diff: 2

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

88) In what way do the three change management environment stages work together to prevent a change being accidentally implemented?

A) The three stages are isolated from one another.

B) The same IT staff member works with the issue in all three stages to ensure error free completion.

C) Code flows through each stage and then is tested by the developer to ensure that it meets the user's requirements.

D) The three stages are symbolic of the iterative process.

Diff: 3

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Synthesis

AICPA: AC: Systems and Process Management

89) The Griffin Academy board approved a major change to the method for tuition calculation that will require a system change. A board member calls Julia, a developer in the IT department at Griffin, and requests that she make the change and implement it immediately. If Julia does as she is told by the board member and does not put the change through the change management process, what kind of risk potential exists for Griffin?

A) The change could contain code that miscalculates tuition and costs the company money.

B) The change could contain code that opens Griffin up for the potential for fraud.

C) The change could contain code that opens student data for inappropriate access.

D) All of these risk statements are correct and avoidable using a change management process.

Diff: 2

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Analysis

AICPA: AC: Systems and Process Management

90) Which role in the change management process tests the functionality of the code submitted to the model environment and documents the results of the test?

A) Developer

B) User

C) IT Analyst

D) Production Control

Diff: 1

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Comprehension

AICPA: AC: Systems and Process Management

91) Explain the concept of IT governance.

Diff: 2

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

92) COBIT includes 5 domains, 40 control objectives, and over 300 generic IT controls. Explain how IT auditors use the COBIT framework to ensure that a company meets its control objectives.

Diff: 3

Learning Objective: 14.1 Describe the COBIT framework and its five domains.

Section Reference: What Framework Can We Use to Mitigate Risk Around Our Systems?

AACSB: Analytic

Bloom's: Synthesis

AICPA: AC: Systems and Process Management

93) What permissions are granted to a Creator role?

Diff: 2

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Technology

Bloom's: Application

AICPA: AC: Systems and Process Management

94) Explain how user access reviews protect the data and security of a system.

Diff: 3

Learning Objective: 14.2 Evaluate logical user access controls.

Section Reference: How Do We Decide Who Can Access Systems?

AACSB: Analytic

Bloom's: Synthesis

AICPA: AC: Systems and Process Management

95) Use what you have learned about how to protect the inside environment of a data center to describe how you would protect the center from fire damage.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

96) Describe a well-designed backup data center for a business with primary operations in an area subject to severe weather.

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

97) How does a test environment reduce risk by ensuring that a developer does not make rogue changes to the production system?

Diff: 2

Learning Objective: 14.5 Summarize the change management process.

Section Reference: How Do We Make Changes to Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

98) Google and Amazon have invested in off-site data centers, but other companies, like Apple and Netflix, have not. What is another way for these companies to reduce risk?

Diff: 2

Learning Objective: 14.3 Explain how physical access controls protect equipment and systems.

Section Reference: How Do We Physically Protect Our Systems?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

99) When a company creates a disaster recovery (DR) plan, systems and data are categorized based on importance. Explain how and why a clothing store that conducts business at a storefront and online would categorize its customer-facing website, retail point-of-sale system, employee database, and online accounting/payroll software system.

Diff: 2

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Application

AICPA: AC: Systems and Process Management

100) The Cardinal Company is considering a backup site for their organization. Explain to Cardinal management the major differences between a hot and warm backup site.

Diff: 3

Learning Objective: 14.4 Compare backup and recovery efforts.

Section Reference: How Do We Keep Our Systems Running?

AACSB: Analytic

Bloom's: Synthesis

AICPA: AC: Systems and Process Management

© 2022 John Wiley & Sons, Inc. All rights reserved. Instructors who are authorized users of this course are permitted to download these materials and use them in connection with the course. Except as permitted herein or by law, no part of these materials should be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise.

Document Information

Document Type: DOCX

Chapter Number: 14

Created Date: Aug 21, 2025

Chapter Name: Chapter 14 Information Systems And Controls

Author: Arline A. Savage
