# Certified Information Systems Auditor Exam Prep: Understanding the Role of IT Governance

You have seen in this chapter the importance of risk assessment. Inventorying assets, determining the risk to those assets, and evaluating countermeasure options are all part of good IT governance.

### Exercises

#### 2.1 Determining the steps for quantitative risk assessment

In this exercise, you examine the proper order for quantitative risk assessment.

Estimated Time: 5 minutes

1. Place the following quantitative risk analysis steps and calculations in the proper sequential order (first step = 1, last step = 6):

_____ Determine the annual rate of occurrence (likelihood of occurrence).

_____ Identify threats to the asset.

_____ Determine the asset value (AV).

_____ Calculate the annualized loss expectancy for each asset.

_____ Calculate the single loss expectancy.

_____ Identify the exposure factor for each asset in relation to the threat.

1. Determine the asset value (AV).
2. Identify threats to the asset.
3. Identify the exposure factor for each asset in relation to the threat.
4. Calculate the single loss expectancy.
5. Determine the annual rate of occurrence.
6. Calculate the annualized loss expectancy for each asset.

#### 2.2 Calculate single loss expectancy

In this exercise, you calculate single loss expectancy.

Estimated Time: 10 minutes

1. Examine Table 2.7 and fill in the ALE for each item shown.

#### Table 2.7. Annualized Loss Expectancy

| IT Asset Name | SLE Value | Threat | ARO Value | ALE Value |
|---|---|---|---|---|
| Cisco PIX firewall | \$4,795 | DoS attack | .05 | |
| WAN circuits (2 remote data centers) | \$3,250 | Power failure | .15 | |
| Cisco 6500 switch/router | \$5,400 | Power failure | .15 | |
| LAN connectivity | \$18,500 | Hardware failure | .12 | |
| Gateway servers—Pentium 4s | \$4,950 | Power failure | .20 | |
| Microsoft SQL Server | \$6,000 | Software vulnerability | .60 | |
| Oracle SQL data (customer data) | \$120,000 | Hacker attack | .30 | |

2. Now compare your results to the values shown in Table 2.8:

#### Table 2.8. Annualized Loss Expectancy Values

| IT Asset Name | SLE Value | Threat | ARO Value | ALE Value |
|---|---|---|---|---|
| Cisco PIX firewall | \$4,795 | DoS attack | .05 | \$239 |
| WAN circuits (2 remote data centers) | \$3,250 | Power failure | .15 | \$487 |
| Cisco 6500 switch/router | \$5,400 | Power failure | .15 | \$810 |
| LAN connectivity | \$18,500 | Hardware failure | .12 | \$2,220 |
| Gateway servers—Pentium 4s | \$4,950 | Power failure | .20 | \$990 |
| Microsoft SQL Server | \$6,000 | Software vulnerability | .60 | \$3,600 |
| Oracle SQL data (customer data) | \$120,000 | Hacker attack | .30 | \$36,000 |

3. Which item in Table 2.8 represents the greatest dollar risk when ranked per ALE?
4. What three methods can be used to deal with risk?
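The six-step procedure from Exercise 2.1 and the ALE table of Exercise 2.2, carried through in code as an added example (this is not code from the book). It goes slightly beyond the table by also implementing the SLE = AV × EF step, since Table 2.7 supplies SLE directly; the `RiskItem` class, function names and the whole-dollar truncation used to match Table 2.8 are this example's own choices, and the table rows are constructed from the page's values.

```python
"""Quantitative risk assessment: AV x EF = SLE, SLE x ARO = ALE,
applied to the rows of Table 2.7 (constructed here from the page's values)."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_DOWN


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    sle: Decimal  # single loss expectancy in dollars (step 4)
    aro: Decimal  # annualized rate of occurrence, expected events per year (step 5)


def single_loss_expectancy(asset_value: Decimal, exposure_factor: Decimal) -> Decimal:
    """Steps 1, 3 and 4: SLE = AV x EF. EF is the fraction of the asset's
    value lost in one occurrence of the threat, so it must lie in [0, 1]."""
    if not Decimal(0) <= exposure_factor <= Decimal(1):
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: Decimal, aro: Decimal) -> Decimal:
    """Steps 5 and 6: ALE = SLE x ARO. An ARO below 1 means the event is
    expected less than once a year (0.05 = about once every 20 years)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def whole_dollars(amount: Decimal) -> Decimal:
    """Truncate to whole dollars, which is how Table 2.8 presents its ALE column
    (4795 x 0.05 = 239.75 is shown as $239)."""
    return amount.quantize(Decimal("1"), rounding=ROUND_DOWN)


# Table 2.7 as printed on the page: SLE and ARO are given, ALE is to be computed.
TABLE_2_7 = [
    RiskItem("Cisco PIX firewall", "DoS attack", Decimal("4795"), Decimal("0.05")),
    RiskItem("WAN circuits (2 remote data centers)", "Power failure", Decimal("3250"), Decimal("0.15")),
    RiskItem("Cisco 6500 switch/router", "Power failure", Decimal("5400"), Decimal("0.15")),
    RiskItem("LAN connectivity", "Hardware failure", Decimal("18500"), Decimal("0.12")),
    RiskItem("Gateway servers—Pentium 4s", "Power failure", Decimal("4950"), Decimal("0.20")),
    RiskItem("Microsoft SQL Server", "Software vulnerability", Decimal("6000"), Decimal("0.60")),
    RiskItem("Oracle SQL data (customer data)", "Hacker attack", Decimal("120000"), Decimal("0.30")),
]


def ale_table(items):
    """Map each asset name to its ALE (step 6 applied to every row)."""
    return {item.asset: annualized_loss_expectancy(item.sle, item.aro) for item in items}


def rank_by_ale(items):
    """Rows ordered from greatest to least annual dollar risk."""
    return sorted(items, key=lambda item: annualized_loss_expectancy(item.sle, item.aro), reverse=True)


def greatest_dollar_risk(items) -> str:
    """Exercise 2.2, question 3: the asset with the highest ALE."""
    return rank_by_ale(items)[0].asset


if __name__ == "__main__":
    print(f"{'IT Asset Name':40} {'SLE':>10} {'ARO':>5} {'ALE':>10}")
    for item in rank_by_ale(TABLE_2_7):
        ale = annualized_loss_expectancy(item.sle, item.aro)
        print(f"{item.asset:40} {item.sle:>10,} {item.aro:>5} {whole_dollars(ale):>10,}")
    print("Greatest dollar risk:", greatest_dollar_risk(TABLE_2_7))
```

Ranking by ALE rather than by SLE is the point of step 6: the LAN connectivity row has the second-largest single loss, but once the low ARO is applied it drops to third, while the customer data row dominates because a high SLE and a high ARO compound.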

### Exam Questions

1. Which of the following control documents describes a software-improvement process that is characterized by five levels, where each level describes a higher level of maturity?

    1. ISO 17799
    2. CMM
    3. COSO
    4. CobiT

2. A network administrator should not share the duties of which of the following roles?

    1. Quality assurance
    3. Application programmer
    4. Systems analyst

3. You are auditing a credit card payment system. Which of the following methods provides the best assurance that information is entered correctly?

    1. Audit trails
    2. Separation of data entry and computer operator duties
    3. Key verification
    4. Supervisory review

4. Which level of the CMM is characterized by its capability to measure results by qualitative measures?

    1. Level 1
    2. Level 2
    3. Level 3
    4. Level 4

5. Which of the following is most closely associated with bottom-up policy development?

    1. Aligns policy with strategy
    2. Is a very slow process
    3. Does not address concerns of employees
    4. Involves risk assessment

6. Which of the following offers the best explanation of a balanced scorecard?

    1. Used for benchmarking a preferred level of service
    2. Used to measure the effectiveness of IT services by customers and clients
    3. Verifies that the organization's strategy and IT services match
    4. Measures the evaluation of help-desk employees

7. Your organization is considering using a new ISP now that the current contract is complete. From an audit perspective, which of the following would be the most important item to review?

    1. The service level agreement
    2. The physical security of the ISP site
    3. References from other clients of the ISP
    4. Background checks of the ISP's employees

8. Separation of duties is one way to limit fraud and misuse. Of the four separation-of-duties controls, which most closely matches this explanation: "This control allows employees access to cash or valuables"?

    1. Authorization
    2. Custody
    3. Recordkeeping
    4. Reconciliation

9. Which of the following job roles can be combined to create the least amount of risk or opportunity for malicious acts?

    1. Systems analyst and quality assurance
    2. Computer operator and systems programmer
    3. Security administrator and application programmer
    4. Database administrator and systems analyst

10. You have been asked to perform a new audit assignment. Your first task is to review the organization's strategic plan. Which of the following should be the first item reviewed?

    1. Documentation that details the existing infrastructure
    2. Previous and planned budgets
    3. Organizational charts