B 、 accept the project manager's position as the project manager is accountable for the outcome of the project.
C 、 offer to work with the risk manager when one is appointed.
D 、 inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project.
ANSWER: A
NOTE: The majority of project risks can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with these risks. A project should have a clear link back to corporate strategy and the tactical plans that support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risks. Appointing a risk manager is a good practice, but waiting until the project has been impacted by risks is misguided. Risk management needs to be forward looking; allowing risks to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risks have emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.

5 、 In a public key infrastructure, a registration authority:
A 、 verifies information supplied by the subject requesting a certificate.
B 、 issues the certificate after the required attributes are verified and the keys are generated.
C 、 digitally signs a message to achieve nonrepudiation of the signed message.
D 、 registers signed messages to protect them from future repudiation.
ANSWER: A
NOTE: A registration authority is responsible for verifying information supplied by the subject requesting a certificate; it verifies the requestor's right to request the certificate attributes and that the requestor actually possesses the private key corresponding to the public key being submitted. Certification authorities, not registration authorities, actually issue certificates once verification of the information has been completed; because of this, choice B is incorrect. The sender, who controls the private key, signs the message, not the registration authority. Registering signed messages is not a task performed by registration authorities.

6 、 Which of the following should be of MOST concern to an IS auditor reviewing the BCP?
A 、 The disaster levels are based on scopes of damaged functions, but not on duration.