ICAI ISA 3.0 Question Bank 2024: Comprehensive Guide to Success

Explanation:
(a) When designing an audit plan, it is important to identify the areas of highest risk to determine the areas to be audited.
(b) Skill sets of audit staff is an important consideration. However, unless risks are identified it will not be known how and where to utilize the skills.
(c) Compliance test and substantial test can be effectively carried out only once auditor is aware about areas of high risk.
(d) Allotment of time is important but not the first & primary step like identification of high-risk areas

Explanation: Primary Risk involved here is critical risks are not identified and may remain unnoticed. Other areas are not of that concern.

Question explanation: Strategic planning sets corporate or departmental objectives into motion. It is time and project-oriented, but must also address and help determine priorities to meet business needs. Reviewing long-term strategic plans will not achieve objectives by other
choice.

Question explanation: In developing a risk-based audit strategy, risks and vulnerabilities are to be understood. This determines areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. Gap analysis would normally be done to compare the actual state to an expected or desirable state.

Question explanation: To stop or prevent a wrong entry is a function of error prevention. All other options work after an error. Prevention works before occurrence of error.

Question explanation: Inherent risk means overall risk of management which is on account of entity’s business operations as a whole. Controllable risk is the risk present in the internal control system and the enterprise can control this risk completely and eliminate it from the system. Detection risk is the risk of the IS Auditor when he is not able to detect the inherent risk or the controllable risk.

Question explanation: Audit risk means the rate at which opinion of the IS Auditor would change if he selects a larger sample size. Audit risk can be high, moderate or low depending on the sample size selected by the IS Auditor. A risk-based audit approach is usually adapted to develop and improve the continuous audit process. Materiality means importance of information to the users. It is totally the matter of the professional judgment of the IS Auditor to decide whether the information is material or immaterial.

Question explanation ; Rate of change of technology increases the importance of implementing and enforcing good practices.

Question explanation: Controls are most commonly used to mitigate risks discovered by organizations. This is what organizations implement as a result of the risks an organization discovers. Resources and personnel are often expended to implement controls

Question explanation: To conduct IS Audit by the IS Auditor, the primary requirement is that he should be able to understand the system and technology being audited. He is not required to be the expert in all subjects. There is no comparison of his knowledge with that of auditee’s staff. He should have the knowledge of audit along with the technology in the related subject of audit.

Question explanation: Corrective Controls classification identify the cause of a problem and minimize the impact of threat. The goal of these controls is to identify the root cause of an issue whenever possible and eliminate the potential for that occurring again. The other controls are useful but perform other functions instead.

Explanation: An audit charter describes the authority, responsibility of the audit department. These are established by the senior management.

Explanation:
(a) Detection risks are directly affected by the auditor's selection of audit procedures and techniques.
(b) Inherent risks usually are not affected by the IS auditor.
(c) Control risks are controlled by the actions of the company's management.
(d) Business risks are not affected by the IS auditor.

Question explanation : IS Audit and Assurance Standards suggest that an IS Auditor should gather sufficient and appropriate audit evidence on which his opinion is based. Here the IS Auditor needs to determine whether this is an isolated incident or a systematic failure. It would be a good practice to make management informed about the incident.

Question explanation : As per the IS Audit and Assurance Standards, any finding, whether subsequently corrected or not should be included in the IS Audit Report if it is material.

Question explanation: Professional Independence carries the highest weight in Assurance Services field.  If due to any action of the IS Auditor, his capacity to carry out audit independently is hindered then the same amounts to failure to maintain Professional Independence.

Question explanation: The IS Auditor requires documented evidence to be submitted during audit procedures. Control self-assessment though is a good control but it cannot work as an evidence. Trend and ratio analysis can be used to justify some conclusion but cannot be considered as a conclusive evidence whereas a confirmation letter is.

Question explanation: Business unit manager is the owner of that business unit and he is the right authority to provide the required information in this context. First point of interview should be with the person related to business not the programmer or legal staff

Question explanation : During pre-audit planning there is no question of doing any compliance test. Compliance test starts during the process of audit. All other options are the process of collecting information during pre-audit process

Question explanation: The compliance tests determine whether prescribed controls are working as intended. Answer "B" is NOT the best choice. Current and accurate documentation may be a good procedure but it is only one type of control procedure, therefore, answer 'A' is a better choice as more control procedures are evaluated. Answer "C" is NOT the best choice because segregation of duties is only one type of control procedure; therefore, answer 'A' is a better choice as more control procedures are evaluated. Answer "D" is NOT the correct choice. Exposures are defined and quantified to determine audit scope. Compliance tests provide reasonable assurance that controls are working as prescribed.

Question explanation: IS auditor will most probably perform the test of internal control when control environment is poor. When inherent risks are low and control risks are within acceptable limit, likelihood of testing internal controls get reduced. Concluding the cost effectiveness of substantive approach is not the outcome of testing internal controls.

Question explanation: The size of the system is the least important of the factors listed. All other factors have specific financial implications and an IS Auditor can be used to help mitigate the risk to the corporation with the development of a new system.

Question explanation: Balancing of daily control totals relates to specific applications and is not considered an overall general control concern. Answer "B" is NOT the correct answer since documentation procedures within the IS Department are an important general control concern. Answer "A" is NOT the correct answer since organization of the IS Department is an important general control concern. Answer "D" is NOT the correct answer since physical access controls and security measures are important general control concerns.

Question explanation: The IS Auditor needs specialized type of education in hardware and operating system software. Options at B, C and D can be performed when an IS auditor has a basic level of data processing technical knowledge and usually requires no special
training.

Question explanation :  Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processing centrally. Production supervisory approval is a time-consuming manual process that does not guarantee proper control.

Question explanation: C. is the correct answer. Policy is not a static document. When an exception is a regular requirement, the best control is to modify the policy accordingly.

Question explanation: C. This ensures that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.

Question explanation: A. is the correct answer as the source data capture is not proper. Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Errors and omissions can be minimised through good input form design.

Question explanation: C. It represents what auditor verifies but not that what he/she implements. Rest is part of the definition and purpose of application controls.

Question explanation: When testing the security of the entire application system including operating system, database and application security, the auditor will most likely use a utility software that assists in reviewing the configuration settings. In contrast, the Auditor may use GAS to perform a substantive testing of data and configuration files of the application. Test
data are normally used to check the integrity of the data and expert systems are used to inquire on specific topics. Hence correct answer is C.

Question explanation: Statistical software packages use all data resources impacting the processing time and response time. Network traffic analyzers also use the system resources but not putting stress on production data. Test data generator is not resource intensive and test drivers are for specific use without impacting much resources. Correct answer is B.

Question explanation : Generalised Audit software is mainly used to find duplicate data. Options A and D are on line application audit tools and statistical sampling may not be able to find duplicates. Correct answer is C.

Question explanation: CAAT is one of the tools useful for carrying out the detection of suspicious transactions as a pre-emptive or post fraud activity. Hence, answer at Option A is correct.

Question explanation: One of the many key tests that can be carried out by CAATs is establishing relationship between two or more areas & identify duplicate transactions. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct.

Question explanation: One of the many key tests that can be carried out by CAATs is establishing whether the set controls are working as intended. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct.

Question explanation: One of the many key tests that can be carried out by CAATs is the carrying out of  various types of statistical analysis which could throw up areas of inconsistencies, defaults, etc. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct.

Question explanation: One of the many key tests that can be carried out by CAATs is identification of data which is inconsistent or erroneous. The IS auditor can set the criteria based upon the sort of data which are not expected to occur on the basis of the controls which presumably have been incorporated in the organization’s systems. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct.

Question explanation: One of the many key tests that can be carried out by CAATs is identification of potential areas of fraud. The IS auditor can set the criteria based upon the sort of transactions which are not expected to occur on the basis of presumably have been incorporated in the organization’s systems. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Correct answer is A.

Question explanation : One of the many key tests that can be carried out by CAATs is identification of  exceptional transactions based upon set criteria. The IS auditor can set the criteria based upon the sort of transactions which are not expected to occur on the basis of the controls which presumably have been incorporated in the organization’s systems. CAATs are more in the nature of audit tools & would not be ideal for the other purposes listed in Options B to D above. Hence, answer at Option A alone is correct.

Question explanation: A. An IS auditor’s responsibility for detecting fraud includes evaluating fraud indicators and deciding whether any additional action is necessary or whether an additional investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have authority to consult with external legal counsel.

Question explanation : A. A holistic approach to deterrence and prevention of fraud would require strengthening of governance and management framework. The answers in options B to D address the issue in bits and pieces and, hence, are not the right answers. Answer at Option A alone is correct.

Question explanation: A. Segregation of duties is an important control tool whereby, conflicting roles in particular, are segregated and handled by different individuals. It reduces the risk of fraud since one person cannot independently commit any fraud but would need to collude with the second. Also, since the output of one individual may become the input for another, an independent accuracy check of one person’s work by another person becomes a built-in reality. Hence, the answer in Option A is correct.

Question explanation: B. Preserve refers to practice of retrieving identified information and preserving it as evidence. This practice generally includes the imaging of original media in presence of an independent third party.

Question explanation: C. The first step in managing risk is the identification and classification of critical information resources (assets). Once the assets have been identified, the process moves onto the identification of threats, vulnerabilities and calculation of potential damages.

Question explanation: C. Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, and they will not discover new trends. Neural networks are inherently nonlinear and make no assumption about the shape of any curve relating variables to the output. Neural networks will not work well at solving problems for which sufficiently large and general sets of training data are not obtainable.

Question explanation: A. Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of controls in this area could result in application programs being modified to manipulate the data. Application programmers are required to implement changes to test programs. These are used only in development and do not directly impact the live processing of data. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data. Database administrators are required to implement changes to database structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database.

Question explanation: B. The password control weaknesses mean that any of the other three options could be true. Password security would normally identify the perpetrator. In this case, it does not establish guilt beyond doubt.

Question explanation: B. An error is the least likely element to contribute to the potential for fraud. Answer A and C are incorrect since volume and value of transactions give an indication of the maximum potential loss through fraud. Answer D is incorrect since gross risk less existing controls give net risk.

Question explanation: D. Use of audit software merely refers to a technique that can be used in performing an audit. It has no relevance to the development of the annual audit plan.

Question explanation: Correct answer is A. Maximum mileage can be gained from e-commerce by converting those business activities which are paper-based, time consuming & inconvenient for customers as indicated in Option A. This will help us reduce paperwork, accelerate delivery & make it convenient for customers to operate from the comfort of their homes as also at any other place of their convenience. Hence, the other options are wrong.

Question explanation: Correct answer is A. The word-processing software pops up suggested words based upon the first few words keyed in by the user. Also, when the user keys in a new word which is not available in its repertoire, it adds it to its collection & reflects it as an option the next time similar letters are initiated. In effect, the software is able to observe & record patterns and improves through ‘learning’. The other answers in
Options B to D involve the basic computing functions of a computer which are based on a ‘go / no-go’ logic which does not involve pattern recognition or further learning. Hence, the correct answer is only as in Option A which displays characteristics of artificial intelligence.

Question explanation: Correct answer is A. Cognitive Science. This is an area based on research in disciplines such as biology, neurology, psychology, mathematics and allied disciplines. It focuses on how human brain works and how humans think and learn. Applications of AI in the cognitive science are Expert Systems, Learning Systems, Neural Networks, Intelligent Agents and Fuzzy Logic. B, C and D are incorrect. B. Robotics: This technology produces robot machines with computer intelligence and human-like physical capabilities. This area includes applications that give robots visual perception, capabilities to feel by touch, dexterity and locomotion. C. Natural Languages: Being able to 'converse' with computers in human languages is the goal of research in this area. Interactive voice response and natural programming languages, closer to human conversation, are some of the applications. D. Virtual reality is another important application that can be classified under natural interfaces.

Question explanation: Correct answer is A. Physical security describes security measures that are designed to restrict unauthorized access to facilities, equipment and resources, and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physical security involves the use of multiple layers of interdependent systems which include CCTV surveillance, security guards, Biometric access, RFID cards, access cards protective barriers, locks, access control protocols, and many other techniques. B is incorrect - An acceptable use policy (AUP), also known as an Acceptable Usage policy or Fair Use policy, is a set of rules applied by the owner or manager of a network, website or large computer system that restrict the ways in which the network, website or system may be used. C is incorrect – This policy defines the requirements for Information Asset’s protection. It includes assets like servers, desktops, handhelds, software, network devices etc. Besides, it covers all assets used by an organization- owned or leased. D is incorrect – This policy defines the
requirements to ensure continuity of business-critical operations. It is designed to minimize the impact of an unforeseen event (or disaster) and to facilitate return of business to normal levels.

Question explanation: Correct answer is B. the first thing to do as soon as an employee leaves the company is to disable his/her access rights in system. This needs to be done to prevent frauds being committed. Other answers may be valid but are not the first thing to do.

Question explanation: Correct answer is A. User controls are not properly defined. User controls need to be defined based on NEED TO DO and NEED TO DO basis. The above is reflection of a greater problem of improper assessment of user profiles created in the system.

Question explanation: Correct answer is B. One of the major bottlenecks in data ware house is time synchronisation as the data of different time zones is merged in data ware house. It ultimately results in in-complete data for decision making purposes.

Question explanation: Correct answer is D. Snapshot is the right answer as in this technique, IS auditor can create evidence through IMAGE capturing. A snapshot tool is most useful when an audit trail is required. ITF can be used to incorporate test transactions into a normal production run of a system. CIS is useful when transactions meeting certain criteria need to be examined. Audit hooks are useful when only select transactions or processes need to be examined.

Question explanation: Correct answer is B. It goes with the purpose and definition of decision support system.

Question explanation : Correct answer is D. Purpose of Data warehouse is to take business decisions and frame future policies based on the analysis of transactional data. It cannot act as an alternative to backup. Purpose of the data ware house is not for business continuity nor is it for regulatory requirements.

Question explanation: D. is the answer as this is a duplicate check.

Question explanation : B. Dependency check is one where value of one field is related to that of another.

Question explanation: B. is the correct answer. After detecting the deficiency, it is correcting the situation hence it is a corrective control.

Question explanation: B. is the right answer. A, is not an answer as action by RBI is based on fraud detection. Repair is done to rectify an error which has occurred in a working system.

Question explanation: D is correct. For finding the anomaly between input and output, reconciliation is the
best option. Re-calculation and run-to-run total will provide the same result as earlier  and limit check is a data validation control.

Question explanation: D. is the correct answer. The IS Auditor may process test data on application controls to see how it responds.

Question explanation: A is the correct answer. Project Sponsor is a stake holder having maximum interest /
stake in the success of project and his primary responsibility is to coordinate with various stakeholders for success of project. Option B: Project Manager is responsible for executing the project activities. Option C: Steering Committee monitors project progress but is not ongoing activity. Option D: Board of Directors provides direction.

Question explanation: C is the correct answer. Integrated test facility compares processing output with independently calculated data. Explanation: An integrated test facility is considered a useful audit tool because it uses the same programs to compare processing using independently calculated data. This involves setting up dummy entities on an application system and processing test or production data against the entity as a means of verifying processing accuracy. Option A, B and D are not the dimensions of integrated test facility.

Question explanation: A is the correct answer. Processing controls ensure the completeness and accuracy of accumulated data, for example, editing and run-to-run totals. Option B data file control procedures ensure that only authorized processing occurs to stored data, for example, transaction logs. Option C output controls ensure that data delivered to users will be presented, formatted and delivered in a consistent and secure manner, for example, using report distribution. Option D "Application Controls" is a general term comprising all kinds of controls used in an application.

Question explanation: B is the correct answer. Access Security is not part of application domain. However options A, C and D are part of the Application Controls.

Question explanation: B is the correct answer. It checks the transposition of the digits. Option A is used for checking the integrity of the data. Option C is used for keeping input up to a certain limit and option D is used to check the integrity of all records.

Question explanation : B is the correct answer. It may check the validity and concurrency of the job code. Option A is used for checking the integrity of the data. Option C is used for keeping input up to a certain limit and option D is a figure calculated by the system, adding the values in one of the fields in a segment. This field is called the control totals key figure field.

Question explanation: B is the correct answer. Boundary Value Analysis is based on testing at the boundaries between partitions and checks the output with expected output. Option A White Box testing evaluates the code and the internal structure of a program. Option C also known as Grey Box testing is a process for debugging software applications by making an input through the front-end, and verifying the data on the back-end. Option D is not applicable.

Question explanation: B is the correct answer. Portability Testing shows the ease with which a computer software component or application can be moved from one environment to another, e.g. moving of any application from Windows XP to Windows 7. Option A Interoperability testing checks whether software can inter-operate with other software component, software or systems. Option C Usability Testing, is a non-functional testing technique that is a measure of how easily the system can be used by end users. Option D Performance Testing is the process of determining the speed, responsiveness and stability of a computer, network, software program or device under a workload.

Question explanation: B is the correct answer. Usability Testing is mostly done by users. They are not familiar with internal structure of the system and hence Black Box technique is correct answer. Option A White Box testing evaluates the code and the internal structure of a program. Option C Grey Box testing is a process for debugging software applications by making an input through the front-end, and verifying the data on the back-end. Option D does not exist.

Question explanation: C is the correct answer. Separately testable components are tested in Unit Testing or Component Testing. A Unit Testing tends to test a function, individual program or even a procedure. Option B Acceptance Testing (or User Acceptance Testing) determines whether the system is ready for release. Option A Integration Testing allows individuals to find interface defects between the modules/functions. Option D System Testing is the first level in which the complete application is tested as a whole.

Question explanation: C is the correct answer. System Testing is based on Functional Requirement Specification (FRS), which tells about general behavior of a system. Acceptance testing (or User Acceptance Testing) determines whether the system is ready for release. Component Testing, also known as Unit, Module or Program Testing, is defined as a software testing type, in which the testing is performed on each individual component separately without integrating with other components. Integration testing allows individuals to find interface defects between the modules/functions.

Question explanation: D is the correct answer. Test levels can be combined or reorganized depending upon
nature of a project or system architecture. Unit testing refers to test a function, individual program or even a procedure. Integration Testing allows individuals to find interface defects between the modules/functions. System Testing is the first level in which the complete application is tested as a whole. Acceptance Testing (or User Acceptance Testing) determines whether the system is ready for release.

Question explanation: B is the correct answer. Black Box testing focuses on the inputs and outputs without
knowing their internal code implementation. Option A White Box testing evaluates the
code and the internal structure of a program. Option C Load Testing is performed to determine a system's behavior under both normal and at peak conditions. Option D Regression Testing is defined as a type of software testing to confirm that a recent program or code change has not adversely affected existing features.

Question explanation: D is the correct answer. Sanitized data generally may not cover all paths the data can
take and hence system cannot be tested for all possible cases. Option B leakage of production data is not a major concern since data is sanitized. Options A and C are not concerns.

Question explanation: C is the correct answer. Beta testing is making product available to users for feedback before launching. Option A Internal Audits seek to identify any shortcomings in a company's internal controls. Option B Alpha Testing is performed by the developers to identify bugs before releasing the product to real or intended users. Option D User Training helps successful system implementation.

Question explanation : B is the correct answer. UAT is mainly conducted to confirm from the users and application owners that application meets their requirements. Option C is a formality to be completed only if requirements are met. Training and implementation planning are different activities which are not dependent on UAT.

Question explanation : C is the correct answer. Since the application is for internal use and developed in house it has nothing to do with reduction in virus attacks. This can be benefit realization for anti-virus solution.

Question explanation: B is the correct answer. In order to ensure the acceptability by users, beta version of solution is made available to users. Based on feedback changes are made so that the solution can be socialized. Option A addresses technical feasibility, Option C addresses economic feasibility. Option D addresses IT policy that has nothing to do with SDLC.

Question explanation: A is correct answer. Non availability of skilled resources required for application development is primary reason for outsourcing the SDLC project. Other reasons can be addressed. i.e. (B) budget can be made available; (C) security processes can be established. (D) Infrastructure can be acquired, depending upon design of new application and hence it is not a reason.

Question explanation: B is the correct answer. Business case is a document that narrates all aspect including benefit realization, cost and effort estimates, outcome of feasibility study, available budget. That helps management in decision on the need of the SDLC project. Rest are secondary aspects.

Question explanation: D is correct answer. When a competitor launches new IT based efficient service, it becomes necessary for management to consider the impact in market place and in order to remain in competition organization should provide similar or better services. Option A and C may not require SDLC since it can be adopted with change management process. B may help in deciding for D, but is not the reason for initiating SDLC project.

D is the correct answer. Active role of IS Auditor in design and development of controls affects the independence. Hence, IS Auditor cannot perform review or audit of the application system. However, developing integrated test facility within the application is not a control, but a facility to be used by auditors in future. Hence, this does not impact independence of IS auditor. Options A, B and C affect independence of an IS Auditor.

Question explanation: B is the correct answer. Make or buy decision is the outcome of feasibility study where technical, economical and social feasibilities are considered. Option A is a statement that indicates what a system needs to do in order to provide a capability. Options C and D are the phases of developing a software.

Question explanation: C is correct answer. Adopting coding standards helps organization in ensuring quality of coding and in minimizing the errors. It also helps in reducing obvious errors which may lead to vulnerabilities in application. A is not true since it is required for all languages; B is partially true but is not main reason. D is not main reason.

Question explanation: A is correct answer. SDLC primarily focuses on identifying IT based solution to improve business processes delivering services to customers. Other activities may be part of SDLC however, these are IT projects not SDLC projects.

Question explanation : A is the correct answer. A Project Manager must have experience in working on projects in various roles including the role of a Project Manager. Options B, C and D are secondary aspect.

Question explanation: A is the correct answer. The Project Manager is responsible for collective project success. The Project Manager integrates a project as a whole. He/she unifies various aspects and processes of initiating, planning, executing, monitoring, control and closure. Options B, C and D is not the role of the Project Manager.

Question explanation: C is the correct answer. A Project Manager is responsible to ensure high quality in a way that the final product meets the specifications and quality benchmarks. Options A, B and C are not the main responsibility of a Project Manager.

Question explanation : A is the correct answer. Auditor should primarily focus on risk management that will provide inputs on events that has impact on all aspects of project. Options B, C and D help in confirming the findings from review of Risk Management process.

Question explanation: C is the correct answer. Automated tools help team in improving productivity as these tools help in managing mundane and structure activities and developers can focus on core activities. Developers’ workbench provides various functions that help in improving productivity. Option A: Use of standards help in following uniform methods and reducing rework. Option B: Software Sizing is the main input parameter to cost estimation models. Option D: HR policies may help in motivating team but it is secondary.

Question explanation: A is the correct answer. Quality is most important aspect for SDLC project, since it minimizes errors that can impact operations. Options B, C and D are of prior to monitoring phase.

Question explanation : D is the correct answer. Scope Creep of continued changes in requirements during SDLC project is most common risk. If not properly handled the project may be delayed and benefit realization from the project shall be affected. The Project Manager therefore, must freeze the scope by base-lining requirements. Any change after baselining shall follow. Option A: Change Management process without base-lining may not help. Project Manager may or may not. Option B: is used for freezing the requirements. Option D: revised effort estimate is applicable after change is approved.

Question explanation: B is the correct answer. A program is concerned with the benefits received, from implementing it, whereas project deals with specific deliverables. The scope of the program is wider in comparison to the project. The project works on a single functional unit, while the program works on various functional units. A portfolio contains both projects and programs and is managed by a portfolio manager. Option D: Feasibility study either has been completed or shall be initiated as part of program.

Question explanation: C is the correct answer. Integrated test facility compares processing output with independently calculated data. Explanation: An integrated test facility is considered a useful audit tool because it uses the same programs to compare processing using independently calculated data. This involves setting up dummy entities on an application system and processing test or production data against the entity as a means
of verifying processing accuracy. Option A, B and D are not the dimensions of integrated test facility.

Question explanation: A is the correct answer. Processing controls ensure the completeness and accuracy of accumulated data, for example, editing and run-to-run totals. Option B data file control procedures ensure that only authorized processing occurs to stored data, for example, transaction logs. Option C output controls ensure that data delivered to users will be presented, formatted and delivered in a consistent and secure manner, for example, using report distribution. Option D "Application Controls" is a general term comprising all kinds of controls used in an application.

Question explanation: B is the correct answer. Access Security is not part of application domain. However options A, C and D are part of the Application Controls.

Question explanation: B is the correct answer. It checks the transposition of the digits. Option A is used for checking the integrity of the data. Option C is used for keeping input up to a certain limit and option D is used to check the integrity of all records.

Question explanation: B is the correct answer. It may check the validity and concurrency of the job code. Option A is used for checking the integrity of the data. Option C is used for keeping input up to a certain limit and option D is a figure calculated by the system, adding the values in one of the fields in a segment. This field is called the control totals key figure field.

Question explanation: B is the correct answer. Boundary Value Analysis is based on testing at the boundaries between partitions and checks the output with expected output. Option A White Box testing evaluates the code and the internal structure of a program. Option C also known as Grey Box testing is a process for debugging software applications by making an input through the front-end, and verifying the data on the back-end. Option D is not applicable.

Question explanation: B is the correct answer. Portability Testing shows the ease with which a computer software component or application can be moved from one environment to another, e.g. moving of any application from Windows XP to Windows 7. Option A Interoperability testing checks whether software can inter-operate with other software component, software or systems. Option C Usability Testing, is a non-functional testing technique that is a measure of how easily the system can be used by end users. Option D Performance Testing is the process of determining the speed, responsiveness and stability of a computer, network, software program or device under a workload.

Question explanation: B is the correct answer. Usability Testing is mostly done by users. They are not familiar with internal structure of the system and hence Black Box technique is correct answer. Option A White Box testing evaluates the code and the internal structure of a program. Option C Grey Box testing is a process for debugging software applications by making an input through the front-end, and verifying the data on the back-end. Option D does not exist.

Question explanation: C is the correct answer. Separately testable components are tested in Unit Testing or Component Testing. A Unit Testing tends to test a function, individual program or even a procedure. Option B Acceptance Testing (or User Acceptance Testing) determines whether the system is ready for release. Option A Integration Testing allows individuals to find interface defects between the modules/functions. Option D System Testing is the first level in which the complete application is tested as a whole.

Question explanation: C is the correct answer. System Testing is based on Functional Requirement Specification (FRS), which tells about general behavior of a system. Acceptance testing (or User Acceptance Testing) determines whether the system is ready for release. Component Testing, also known as Unit, Module or Program Testing, is defined as a software testing type, in which the testing is performed on each individual component
separately without integrating with other components. Integration testing allows individuals to find interface defects between the modules/functions.

Question explanation: D is the correct answer. Test levels can be combined or reorganized depending upon nature of a project or system architecture. Unit testing refers to test a function, individual program or even a procedure. Integration Testing allows individuals to find interface defects between the modules/functions. System Testing is the first level in which the complete application is tested as a whole. Acceptance Testing (or User Acceptance Testing) determines whether the system is ready for release.

Question explanation: B is the correct answer. Black Box testing focuses on the inputs and outputs without
knowing their internal code implementation. Option A White Box testing evaluates the code and the internal structure of a program. Option C Load Testing is performed to determine a system's behaviour under both normal and at peak conditions. Option D Regression Testing is defined as a type of software testing to confirm that a recent program or code change has not adversely affected existing features.

Question explanation: D is the correct answer. Sanitized data generally may not cover all paths the data can take and hence system cannot be tested for all possible cases. Option B leakage of production data is not a major concern since data is sanitized. Options A and C are not concerns.

Question explanation: C is the correct answer. Beta testing is making product available to users for feedback before launching. Option A Internal Audits seek to identify any shortcomings in a company's internal controls. Option B Alpha Testing is performed by the developers to identify bugs before releasing the product to real or intended users. Option D User Training helps successful system implementation.

Question explanation: B is the correct answer. UAT is mainly conducted to confirm from the users and application owners that application meets their requirements. Option C is a formality to be completed only if requirements are met. Training and implementation planning are different activities which are not dependent on UAT.

Question explanation: C is the correct answer. Since the application is for internal use and developed in house it has nothing to do with reduction in virus attacks. This can be benefit realization for anti-virus solution.

Question explanation: B is the correct answer. In order to ensure the acceptability by users, beta version of solution is made available to users. Based on feedback changes are made so that the solution can be socialized. Option A addresses technical feasibility, Option C addresses economic feasibility. Option D addresses IT policy that has nothing to do with SDLC.

Question explanation: A is correct answer. Non availability of skilled resources required for application development is primary reason for outsourcing the SDLC project. Other reasons can be addressed. i.e. (B) budget can be made available; (C) security processes can be established. (D) Infrastructure can be acquired, depending upon design of new application and hence it is not a reason.

Question explanation: B is the correct answer. Business case is a document that narrates all aspect including benefit realization, cost and effort estimates, outcome of feasibility study, available budget. That helps management in decision on the need of the SDLC project. Rest are secondary aspects.

Question explanation: D is correct answer. When a competitor launches new IT based efficient service, it becomes necessary for management to consider the impact in market place and in order to remain in competition organization should provide similar or better services. Option A and C may not require SDLC since it can be adopted with change management process. B may help in deciding for D, but is not the reason for initiating SDLC project.

Question explanation: D is the correct answer. Active role of IS Auditor in design and development of controls affects the independence. Hence, IS Auditor cannot perform review or audit of the application system. However, developing integrated test facility within the application is not a control, but a facility to be used by auditors in future. Hence, this does not impact independence of IS auditor. Options A, B and C affect independence of an IS Auditor.

Question explanation: A is the correct answer. Security requirements must be considered during requirement definition. Option B is a phase in which technical, economical and social feasibilities are considered. Option C is the phase during which, the nature of controls to be implemented for security must be considered first. This will ensure that necessary security controls are built while developing application.

Question explanation: B is the correct answer. Make or buy decision is the outcome of feasibility study where technical, economical and social feasibilities are considered. Option A is a statement that indicates what a system needs to do in order to provide a capability. Options C and D are the phases of developing a software.

Question explanation: C is correct answer. Adopting coding standards helps organization in ensuring quality of coding and in minimizing the errors. It also helps in reducing obvious errors which may lead to vulnerabilities in application. A is not true since it is required for all languages; B is partially true but is not main reason. D is not main reason.

Question explanation: A is correct answer. SDLC primarily focuses on identifying IT based solution to improve business processes delivering services to customers. Other activities may be part of SDLC however, these are IT projects not SDLC projects.

Question explanation: A is the correct answer. A Project Manager must have experience in working on projects in various roles including the role of a Project Manager. Options B, C and D are secondary aspect.

Question explanation: A is the correct answer. The Project Manager is responsible for collective project success. The Project Manager integrates a project as a whole. He/she unifies various aspects and processes of initiating, planning, executing, monitoring, control and closure. Options B, C and D is not the role of the Project Manager.

Question explanation: C is the correct answer. A Project Manager is responsible to ensure high quality in a way that the final product meets the specifications and quality benchmarks. Options A, B and C are not the main responsibility of a Project Manager.

Question explanation: A is the correct answer. Auditor should primarily focus on risk management that will provide inputs on events that has impact on all aspects of project. Options B, C and D help in confirming the findings from review of Risk Management process.

Question explanation: C is the correct answer. Automated tools help team in improving productivity as these tools help in managing mundane and structure activities and developers can focus on core activities. Developers’ workbench provides various functions that help in improving productivity. Option A: Use of standards help in following uniform methods and reducing rework. Option B: Software Sizing is the main input parameter to cost estimation models. Option D: HR policies may help in motivating team but it is secondary.

Question explanation: A is the correct answer. Quality is most important aspect for SDLC project, since it minimizes errors that can impact operations. Options B, C and D are of prior to monitoring phase.

Question explanation: B is the correct answer. A program is concerned with the benefits received, from implementing it, whereas project deals with specific deliverables. The scope of the program is wider in comparison to the project. The project works on a single functional unit, while the program works on various functional units. A portfolio contains both projects and programs and is managed by a portfolio manager. Option D: Feasibility study either has been completed or shall be initiated as part of program.

Question explanation: D is the correct answer. Scope Creep of continued changes in requirements during SDLC project is most common risk. If not properly handled the project may be delayed and benefit realization from the project shall be affected. The Project Manager therefore, must freeze the scope by base-lining requirements. Any change after baselining shall follow. Option A: Change Management process without base-lining may not
help. Project Manager may or may not. Option B: is used for freezing the requirements. Option D: revised effort estimate is applicable after change is approved.

Question explanation: A is the correct answer. Project Sponsor is a stake holder having maximum interest / stake in the success of project and his primary responsibility is to coordinate with various stakeholders for success of project. Option B: Project Manager is responsible for executing the project activities. Option C: Steering Committee monitors project progress but is not ongoing activity. Option D: Board of Directors provides direction.

Question explanation : The correct answer is B
When a breach is first discovered, in the containment phase, the Incident Response team after having gathered the information and gained an understanding of the incident, will begin to combat the threat by taking actions to prevent further damage, such as closing ports or blocking IPs. Hence Option B is the correct answer.

Question explanation: The correct answer is A
Incident response program can be broken down into four broad phases: (1) Preparation; (2) Detection and Analysis; (3) Containment, Eradication, and Recovery; and (4) Post- Event Activity. Hence Option A Prepare, Respond, and follow up, are in correct order. Options B, C and D are incomplete.

Question explanation : The correct answer is C
Without clear executive support, a SOC may be ineffective, and its value will not be realized. Creating an effective SOC requires support to establish a clear mandate for the SOC and a long-term strategy, and also a strong SOC leader to drive organizational change and develop a culture of security. The SOC leader shall take care of Risks and Quality.

Question explanation : The correct answer is A
Incident Response Management Program aims to manage the lifecycle of all Incidents (unplanned interruptions or reductions in quality of IT services). The primary objective of this program is to identify, assess, analyze, and correct the incidents to prevent a future re-occurrence and to make available the IT service to users as quickly as possible.

Question explanation : The correct answer is B
A Security Operation Centre (SOC) is a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to security incidents. Reporting is not the part of SOC.

Question explanation : The correct answer is A
An organization's computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or
indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risk arising from security failures and to prevent additional security incidents resulting from the same threat. Option B Forwarding the security alert is not harmful to the organization. Option C Implementing individual solutions is unlikely and inefficient, but not a serious risk. Option D Users failing to understand the threat would not be a serious concern.

Question explanation : The correct answer is B
A privileged user with some knowledge on the internal structure of the SIEM data can easily delete logs, backdate logs, or modify existing logs. Hashing log files or log entries and storing the hash on disk for future verification ensuring integrity and completeness of the logs. For encryption, signing and time stamping you need a well-managed public key infrastructure (PKI) with secure hardware storage for keys.

Question explanation: The correct answer is D
Normalization is a database design technique that organizes tables in a manner that reduces redundancy and dependency of data. Normalization divides larger tables into smaller tables and links them using relationships. Option D is not part of SIEM applications.

Question explanation: The correct answer is C
SIEM is defined as a complex set of technologies to provide real-time event collection, monitoring, correlating, and analyzing events across disparate sources, making it easier to monitor and troubleshoot IT infrastructure in real time. An Agent is third party tool for supporting devices. Options A, B and D are part of SIEM tools.

Question explanation: The correct answer is D
Log correlation is about constructing rules that look for sequences and patterns in log events that are not visible in the individual log sources. The basic function of an SIEM is to correlate logs online and perform analysis that would otherwise be done by repetitive human analysis.

Question explanation: The correct answer is B.
An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good change management process but are not an IS auditor's responsibility.

Question explanation: The correct answer is D
Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. System testing will test all the functionality and interfaces between modules. Option A Stress testing relates to capacity and availability and does not apply in these circumstances. Option B Black box testing would be performed on the individual modules, but the entire system should be tested because more than one module was changed. Option C Interface testing would test the interaction with external systems, but would not validate the performance of the changed system.

Question explanation : The correct answer is C
It is isolation not insulation. A transaction in a database should be designed in such a way that, it satisfies ACID property. A is Atomicity, C is Consistency, I is Isolation and D is Durability. This means that, when a programmer or DA defines a transaction (such as Insert or Update), it should be defined in such a way that it will satisfy the ACID test i.e. the transaction will be atomic (not divisible further), when completed it will keep the database in consistent state, it will be isolated while it is executing and it will be written on a persistent (permanent) storage such as secondary storage.

Question explanation: The correct answer is A
Normalization is a database design technique that organizes tables in a manner that reduces redundancy and dependency of data. Normalization divides larger tables into smaller tables and links them using relationships. The purpose of Normalization is to eliminate redundant (useless) data and ensure data is stored logically. The main idea with this is that a table should be about a specific topic and only supporting topics included. By limiting a table to one purpose you reduce the number of duplicate data contained within your database. This eliminates some issues stemming from database modifications.

Question explanation: The correct answer is D
Foreign key. Primary key does not represent relation, it is the same key in another table and represents relation with table where it is the primary key.

Question explanation: The correct answer is A
Tuple. Record is called tuple. Choice B, C and D does not represent a record. Choice B is many rows and not a single row.

Question explanation: The correct answer is A
A system downtime log provides information regarding the effectiveness and adequacy of computer preventive maintenance programs. The log is a detective control, but because it is validating the effectiveness of the maintenance program, it is validating a preventive control. Option B Vendor’s reliability figures are not an effective measure of a preventive maintenance program. Option C Reviewing the log is a good detective
control to ensure that maintenance is being done; however, only the system downtime will indicate whether the preventive maintenance is actually working well. Option D A schedule is a good control to ensure that maintenance is scheduled and that no items are missed in the maintenance schedule; however, it is not a guarantee that the work is actually being done.

Question explanation: The correct answer is D
Referential integrity in a relational database refers to consistency between linked tables. Referential integrity is usually enforced by the combination of a primary key and a foreign key. For referential integrity to hold, any field in a table that is declared a foreign key should contain only values from a parent table’s primary key. Option A Field definitions describe the layout of the table, but are not directly related to referential integrity. Option B Master table definition describes the structure of the database, but is not directly related to referential integrity. Option C Composite keys describe how the keys are created, but are not directly related to referential integrity.

Question explanation: The correct answer is A
Integration testing is a level of software testing where individual units are combined and tested as a group. The purpose of this level of testing is to expose faults in the interaction between integrated units. Option B is module testing, while C is complete system testing and Option D is testing of internal logic as well.

Question explanation: The correct answer is C

Acceptance testing is a testing technique performed to determine whether or not the software system has met the requirement specifications. The main purpose of this test is to evaluate the system's compliance with the business requirements and verify if it is has met the required criteria for delivery to end users. Choices A, B and D are not the focus of acceptance testing.

Question explanation: The correct answer is B
Atomicity is either a complete transaction or a failed transaction. It does not permit transient stage or partially complete transactions. Choice A, C and D are not correct.

Question explanation: The correct answer is B
Projects receive multiple change requests and these must be evaluated by the change control board. A change control board is a group of individuals responsible for reviewing and analyzing change requests and recommending or making decisions on requested changes to the baselined work. Poor change control can significantly impact the project in terms of scope, cost, time, risk, and benefits. Choice A, C and D do not have
authority to approve or reject major changes.

Question explanation: The correct answer is B
Version Control. Choice A and cCare steps before version control

Question explanation: The correct answer is B
Level 0, because it is self-service. Choice A, C and D are those, where help desk operator would help the user.

Question explanation: The correct answer is C
Asset Management is a process used to keep track of the equipment and inventory vital to day-to-day operation of the business. Asset management requirements should be aligned with the business objectives. Choice A and B may assist in selection of an appropriate system based on the needs of the organization but are not top priority requirements.

Question explanation: The correct answer is D
Software Configuration Management is defined as a process to systematically manage, organize, and control the changes in the software programs, documents, codes, and other entities during the Software Development Life Cycle. Any change in the software configuration Items will affect the final product. Therefore, changes to configuration items need to be controlled and managed. Hence all the options are important.

Question explanation: The correct answer is C
Auditors certainly will question if they find that users have greater privileges than they need to perform their jobs, but the real risk is that a disgruntled user could abuse their elevated privileges, so C is the right answer and not A, B and D.

Question explanation: The correct answer is A
The principle of least privilege is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. The users are granted permission to read, write or execute only the files or resources they need to do their jobs, or restricting access rights for applications, systems, processes and devices to only those permissions required to perform authorized activities. Enforcing least privilege plays a key role in limiting (containing) the damage that malicious users may cause. Choice B, C and D do not indicate the principle of least privilege.

Question explanation: The correct answer is D
Without understanding what logging capabilities, the organization has (or doesn't have) and what information is needed from those logs, it's impossible to implement an effective log management program. Choice A, B and C may help in selection of the vendor but are not the starting points.

Question explanation: The correct answer is D
Log management systems provide insight into a variety of incidents / issues with systems and devices, as well as being a compliance requirement under many regulations. For all of the above reasons, log management is a necessity for enterprise security.

Question explanation: The correct answer is D.
Personally, identifiable information (PII) is any information about an individual that can be used to distinguish or trace an individual's identity, such as name, PAN, Aadhaar Number, date and place of birth, mother's maiden name, or biometric records. The HRM System stores PII of all employee data. Choices A, B, C do not store or process employee personal information, they have operations or transaction data.

Question explanation : The correct answer is A.
Operational level manager is the lowest level of manager and engaged in day-to-day activities, which require detailed information. Hence the decision-making environment is required to be structured. For administrative and top management, the decision-making environment is semi structured and unstructured respectively.

Question explanation: The correct answer is C
Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery / operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.

Question explanation: The correct answer is B
When individuals serve multiple roles, this represents a separation of duties problem and is associated with risk. Security administrators should not be system programmers, due to the associated rights of both functions. A person with both security and programming rights could do almost anything on a system. The other combinations of roles are valid from a separation of duties perspective. Ideally, network administrators should not be responsible for quality assurance because they could approve their own work. However, that is not as serious as the combination of security and programming, which would allow nearly unlimited abuse of privilege. In some distributed environments, especially with small staffing levels, users may also manage security. While a database administrator is a very privileged position and it would not be in conflict with the role of a systems analyst.

Question explanation : The correct answer is A
The main challenge while choosing outsourcing data processing is data confidentiality. Companies feel comfortable in sharing data, only with employees whom they trust or who are bounded by the contractual commitments to keep the data undisclosed. Majority of the outsourcing firms sign a strict non disclosure agreement with the companies which assures that the data would be kept confidential and any breach on
the agreement would be punishable under the law. Choices B and D are advantages of outsourcing. Data integrity is the overall completeness, accuracy and consistency of data. Data integrity although very important but does not pose a greater challenge than data confidentiality.

Question explanation: The correct answer is D.

The data owner has the ability to create, edit, modify, share and restrict access to the data. Data ownership also defines the data owner’s ability to assign, share or surrender all of these privileges to a third party. The IT Department acts as the Data Custodian, responsible for the safe custody, transport, storage of the data and implementation of business rules. System Owner is a person or department having responsibility for the
development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system. Process Owner is a person, who is accountable for the performance of the process and manages the process on a daily basis.

Question explanation: The correct answer is B.
Agility is the organization's ability to quickly or proactively react to technological changes. Choices A, C, and D are based on the need of the organization and not necessarily due to change in technology or the environment in which the organization operates.

Question explanation: The correct answer is A.
E-learning is a learning environment which uses information and communication technologies (ICT's) as a platform for teaching and learning activities. Rest of the trainings require in person attendance and cannot be done from the office desk.

Question explanation: The correct answer is C
Approval of the Policy is responsibility of the Governing Board of the organization. All other options are the functions of the HRM.

Question explanation: The correct answer is C
An Acceptable use policy is a set of rules applied by the owner, creator or administrator of a network, website, or service, that restrict the ways in which the network, website or system may be used and sets guidelines as to how it should be used. It must be abided by all employees of the organization. Choices A, B, and D are not common to all policies.

Question explanation : D is correct answer. Worms are self-executable. Rest of the options use system resources for execution of malicious codes.

Question explanation : D is correct answer. Social engineering attack is attack on human and hence no technology can prevent it. Awareness training best prevents it.

Question explanation : A is correct answer. Most web application attacks like SQL injection can be prevented by validating input, which can reject the attackers input that can exploit vulnerability. Encryption may or may not prevent an attack. Penetration test shall provide input on vulnerability that must be closed. Access controls may prevent some attacks.

Question explanation : B is correct answer. It is most essential to get consent from affected asset owners before performing test, so that they can ensure that operations are not affected. Maintaining secrecy shall depend upon type of test. Report must be kept confidential and accessed only by select few. Test generally is performed when it will have least impact, but is not most important.

Question explanation : C is correct answer. Intrusion detection detects the possible intrusion attempt. It does not prevent or corrects it. It is a control implemented using technology.

Question explanation : C is correct answer. Primary function of SOC is to collect and monitor logs based on identified rules. It also defines correlation between various logs and identifies possible incidents, which are communicated to respective asset owners. A is role of security manager; B and D are roles of network team.

Question explanation : B is correct answer. Checksum is a type of hash that is used to check integrity of data after communication. It is different that parity bit that adds an extra bit for each byte and word.

Question explanation : B is correct answer. Network segmentation or zoning is first control to implement network security. Other controls depend upon segmentation.

Question explanation : C is correct answer. Message digest is a hash function that helps in confirming integrity
of data communicated over network.

Question explanation : A is correct answer. Other methods are active attacks on network after getting information about networks.

Question explanation : C is correct answer. Primary objective of implementing access controls is to restrict access to authorized people. Fixing accountability of actions is the primary objective of audit trail. Others are means to implement access controls not objectives.

Question explanation : D is correct answer. In Social engineering attacks, the weakest link is unsuspecting human user. Attacker uses techniques to compel users to reveal passwords and other confidential information. For example, in Phishing. Other options are technology-based attacks and can be detected or controlled.

Question explanation : A is correct answer. Strength of one-time password is that it is active for short time, if user does not login during that time the one-time password expires. One-time password is unique for each session and user; however, it is not a strength. It can be communicated by suitable means.

Question explanation : C is correct answer. Review of log for password configuration may disclose the compliance of policy because policy is configured in the system through password configuration. This may also detect unwarranted changes made by a malicious user (who obtains administrative access) in the password configuration. However, option A and D may provide assurance for compliance of password policy configurations in the system, not the policy itself. Option D is not relevant.

Question explanation : D is correct answer. Periodic user access review helps in ensuring that all users have appropriate level of accesses. This happens due to changes in internal environment like role, emergency, resignation and retiring of employees. In such situations sometimes revocation of accesses is missed out, which can be corrected during review.

Question explanation : B is correct answer. Password sharing by user is most difficult to get evidence for or detect. Others can be monitored or enforced using technology.

Question explanation : C is correct answer. Single point of failure is a major concern. One password if compromised, all accesses for that user are available to perpetrator.

Question explanation : B is correct answer. Mandatory accesses are those controls that are to be applied uniformly across organization and are defined by information security policy. D is discretionary access controls. B and C generally do not specify such requirements.

Question explanation : A is correct answer. Identification of user is first and primary requirement of granting access. Next will be authentication method to be established and finally finding authorization levels based on role that also addresses need to know.

Question explanation : D is correct answer. The three factors are what a user knows (PIN, Password, and Passphrase), what user possesses (Access card, Token) and what unique characteristics of user (Biometric). Use of any two factors for authentication is called two factors. Option A, B and C use only one factor.

Question explanation : A is the correct answer. Mobile devices can be connected to servers, resulting in unauthorized changes. Other concerns are secondary.

Question explanation: D is the correct answer. Top floor and basement have risk of seepage and flooding. Ground floor has risk of easy attack.

Question explanation: B is the correct answer. Best policy is to keep door open and appoint guard temporarily for monitoring accesses. Keeping doors locked shall be a problem in evacuation in case of emergency. Finding root cause can be done independently. Arranging Battery backup after power failure is not right policy.

Question explanation: C is the correct answer. High humidity can cause corrosion, and low humidity can cause excessive static electricity. Static electricity can short out devices or cause loss of information.

Question explanation: D is the correct answer. Automated environmental controls must be tested periodically by expert and provide report on effective performance of equipment. Simulated tests may not be possible for all controls. AMC is a contract; periodic testing is performance of contract.

Question explanation: B is the correct answer. False positive is a concern in biometric access security as it results in unauthorized access. Other option does not result in unauthorized access.

Question explanation: A is the correct answer. Human guard makes decisions and can address visitor’s requirement and direct them appropriately. Others are supplementary functions.

Question explanation: A is the correct answer. Primary purpose of all types of physical access control is to prevent unauthorized entry. Other objectives are secondary.

Question explanation: A is the correct answer. Unmanned data center requires strong physical access controls and environmental access controls too. However most essential are strong access controls. B, C and D are inappropriate controls. Halon is environmentally hazardous gas.

Question explanation: C is the correct answer. Life safety takes precedence. Although other answers are important steps human life always is a priority.

Question explanation: B is the correct answer. Training users on how to classify information as per definition provided in classification schema shall best help users in classifying the information. A. Number of classes shall depend upon organization’s objectives. C and D are performed after classification of information.