During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate
risk management function, and the organization’s operational risk documentation only contains a few broadly
described IT risks. What is the MOST appropriate recommendation in this situation?
An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on
an employee’s desk was removed and put in the garbage by the outsourced cleaning staff. Which of the
following should the IS auditor recommend to management?
The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
Which of the following should be the MOST important consideration when deciding areas of priority for IT
governance implementation?
As a driver of IT governance, transparency of IT’s cost, value and risks is primarily achieved through:
Which of the following should be considered FIRST when implementing a risk management program?
An IS auditor is reviewing an IT security risk management program. Measures of security risk should:
An IS auditor reviewing the risk assessment process of an organization should FIRST:
A poor choice of passwords and transmission over unprotected communications lines are examples of:
To address the risk of operations staff’s failure to perform the daily backup, management requires that the
systems administrator sign off on the daily backup. This is an example of risk: