Wednesday, October 30, 2019

School Improvement Plan Essay Example | Topics and Well Written Essays - 750 words - 2

In order to achieve the two, managers must always manage their resources effectively. Key among the resources is human resource. The motivation of teachers in a school is fundamental in creating a competitive workforce, one that will steer the school’s improvement plan. As such, the management must always credit others while taking the blame. This way, the teaching and support staff feel appreciated, thus increasing the efficiency of operations at the school. Developing and managing teamwork is the most appropriate way of ensuring effective utilization of the resources, thereby ensuring that the school maintains optimal operations despite the variations that may exist. The development of effective teams in such organizations as schools requires the management to develop effective relationships that will enhance the efficient management of the school.

A school consists of various stakeholders whose input influences the performance of the students. The stakeholders include parents, teachers, students and the government, among many others. The formulation and implementation of the No Child Left Behind Act by the Bush administration, for example, is a portrayal of the government’s influence in the education system in the country (Gray & Streshly, 2008). As such, the management of the school must strive to develop effective teams that will incorporate the existing laws besides improving the performance of both the teachers and the students, thus improving the performance of the school.

In building effective relationships among the stakeholders who influence the success of a school, the management must uphold professionalism. Professionalism in this context will influence the relationship between teachers and their students and parents, among many others, as all the parties work in tandem and in compliance with the existing state laws. Effective and functional

Monday, October 28, 2019

Banana Cake Essay Example for Free

Greetings, my fellow visitors. Today, I would like to recommend a few local dishes which you might want to indulge yourself in while you are here. Firstly, I would like to recommend to you an intercontinental dish known as…

Chilli Crab

Chilli Crab, also known as Singapore’s unofficial “national dish”, is cooked in various ways. The most common style is done with chilli and sweet-sour sauce ribboned with beaten egg. My favourite way, and probably the most common, is to eat it with French bread or Chinese buns called Mantou to help you soak up every last drop of delicious sauce. I strongly recommend all of you to try this dish as it is by far the best seafood dish in Singapore. Secondly, I would like to recommend to you the famous Chinese dish…

Fried Hokkien Mee

You can easily imagine, from this description, how good this dish tastes! Egg noodles and rice vermicelli, otherwise known locally as bee hoon, stir-fried with pork, prawn, squid, bean sprouts and loads of garlic, and then braised in a rich pork and prawn stock. The dish is served steaming hot and garnished with fresh lime and a dollop of spicy chilli sambal. Alive with the pungencies of both China and Southeast Asia, Fried Hokkien Mee is one of the favourite Singapore dishes. Now, I would like to recommend a unique dish eaten by all races. This dish is none other than…

Mee Rebus

Translated into English, this dish means simply ‘boiled noodles’ — but the dish is anything but simple. It is yellow egg noodles in thick, spicy, slightly sweet gravy, garnished with boiled eggs, sliced green chilies, fried cubes of beancurd, and fresh lime. Some people add a dash of dark soy sauce as a finishing touch… Just like our multiracial society, Mee Rebus is a fine example of a fusion cuisine. The egg noodles, beancurd and dark soy sauce are Chinese touches, while the gravy speaks of combined influences from Indian and Malay cuisine, with its curry-like flavour and use of dried shrimp and tamarind. Last but not least, I would like to recommend the traditional Indian dish…

Roti Prata

A dough-based flat pancake that is cooked by heating over a flat grill plate. Roti prata is commonly served with either vegetable or fish curries, but it is not unusual to see it being eaten plain with white large-grain sugar. Prata-making has been refined to such an art that if you're lucky, you'll sometimes see cooks get theatrical with the flipping and turning of the prata as it's being cooked over the plate.

Saturday, October 26, 2019

Macbeths Atmosphere :: Macbeth essays

Macbeth's Atmosphere

There are many questions concerning the atmosphere in William Shakespeare's Macbeth that this essay will answer: Is it realistic or unrealistic? Are there two atmospheres - one of purity and one of black magic? And many other questions.

Roger Warren comments in Shakespeare Survey 30, regarding Trevor Nunn's direction of Macbeth at Stratford-upon-Avon in 1974-75, on opposing imagery used to support the opposing atmospheres of purity and black magic:

Much of the approach and detail was carried over, particularly the clash between religious purity and black magic. Purity was embodied by Duncan, very infirm (in 1974 he was blind), dressed in white and accompanied by church organ music, set against the black magic of the witches, who even chanted 'Double, double' to the Dies Irae. (283)

L.C. Knights in the essay "Macbeth" mentions equivocation, unreality and unnaturalness in the play - contributors to an atmosphere that may not be very realistic:

The equivocal nature of temptation, the commerce with phantoms consequent upon false choice, the resulting sense of unreality ("nothing is, but what is not"), which has yet such power to "smother" vital function, the unnaturalness of evil ("against the use of nature"), and the relation between disintegration in the individual ("my single state of man") and disorder in the larger social organism - all these are major themes of the play which are mirrored in the speech under consideration. (94)

Charles Lamb in On the Tragedies of Shakespeare comments on the atmosphere surrounding the play:

The state of sublime emotion into which we are elevated by those images of night and horror which Macbeth is made to utter, that solemn prelude with which he entertains the time till the bell shall strike which is to call him to murder Duncan, - when we no longer read it in a book, when we have given up that vantage-ground of abstraction which reading possesses over seeing, and come to see a man in his bodily shape before our eyes actually preparing to commit a murder, if the acting be true and impressive as I have witnessed it in Mr. K's performance of that part, the painful anxiety about the act, the natural longing to prevent it while it yet seems unperpetrated, the too close pressing semblance of reality, give a pain and an uneasiness [. . .]. (134)

Thursday, October 24, 2019

Supply and Demand :: essays research papers

The rubber supply in Japan is at an all-time low. The article chosen discusses how the low supplies of rubber are not typical for the time of year. Tokyo rubber, or TOCOM, is the Tokyo Commodity Exchange, which regulates the rubber market in Japan. A rally was held recently which was the largest in years because of the concerns about low supplies and historically low rubber stocks.

The benchmark December rubber contract on the Tokyo Commodity Exchange rose as high as 169.2 yen per kg, the priciest for TOCOM's key contract since March 11, 1996, when prices hit 174.6. At the close it was up 3.4 yen at 168.7 (TOCOM). The contracts that are already signed between different companies for delivery from August to November of 2005 are not looking too good. The price for rubber is expected to rise five yen on the stock exchange. July’s contracts, which have no price limit, finished up seven at 189.8 yen per kg of rubber. This meant that the rubber contracts hit their life-time high. The expectations of investors in Tokyo are that the price of rubber will peak in August and begin to decrease when rubber supplies increase.

The price gap of rubber between the December and July contracts widened to 21.1 yen. Rubber supplies have been low due to a delay in shipments from Thailand. Thailand is the world's largest manufacturer and exporter of natural rubber. The shipments of rubber have fallen due to bad weather conditions. Rubber supplies normally drop from the beginning of February, which is winter and the dry season in southern Thailand. During this season, latex output declines because the rubber trees shed their leaves. Production, in general, returns to normal by the beginning of May, but the buyers are still not getting enough shipments.

Japan purchases over 60 percent of its rubber imports from Thailand. Because of the signs of short production, rubber stocks in Japan have decreased to the lowest level in forty years. According to the Rubber Trade Association of Japan, prior to June of 2005, the lowest the stock had been was back in 1962. Because of the high costs of rubber and the decrease in supply, manufacturers are considering shifting to natural rubber from expensive synthetic rubber. High oil costs have also driven up rubber costs.

Because of the low supplies of rubber, companies are forced to increase the price.

Wednesday, October 23, 2019

Pygmalion. Diary entries for Higgins and Eliza

Stage 1: Eliza's diary

Today it was raining and we all had to take shelter in Covent Garden. I met a young and sweet man named Freddy and he was sweet and kind. I met a military gentleman named Colonel Pickering and he was a real gentleman. I tried to sell him some flowers but he did not want them and told me in a polite and gentlemanly way, but he did give me three hapence. Anyway, that's better than nothing. Suddenly a young man, a stranger, said to me, “there's a bloke over there taking down every blessed word you're saying.” I turned round and looked at him and said, “I'm a good girl I am”. I thought he was a Police informer until a man shouted out, “He's a busybody, that's what he is, look at his boots.” Then the note-taker told him he was from Selsey and everyone was amazed, and he knew where everyone was from. It was as if he was trying to impress everybody, and he knew what road they lived on. I later found out that this note-taker's name was Higgins and I realised he was a snob. He was very cheeky and did not have very good manners. He insulted me by calling me a “creature” and he called me a “gutter-snipe” and “a squashed cabbage leaf”, and I don't even like cabbage. He was very rude towards me and did not show respect. He said that I couldn't speak English, and he had a very posh accent and spoke perfect English. I overheard him talking to Pickering, saying how he could pass me off as a duchess. I was quite shocked: me a duchess (never in a million years). I tried to sell him some flowers and he threw me a handful of money. I had ridden in a taxi for the first time when I returned home.

Stage 1: Higgins' diary

Today I was in Covent Garden listening to the different accents and making notes. They all thought I was a Police informer and it was quite difficult to explain to them because most of them could not understand proper English. I met a true cockney creature today and she was a flower girl. She spoke so much rubbish it was very difficult to understand her and she always made these horrible noises. I called her a “gutter snipe” and a “squashed cabbage leaf”. I was referring to her brain but of course she did not understand. I began talking to Colonel Pickering and I said to him that I could pass this creature off as a duchess. Colonel Pickering was quite an interesting man. I told him that he was from Cambridge, Harrow and had traveled to India. I was going to go to India to meet him but I was quite lucky to meet him here. I took Pickering to dinner and we had an interesting conversation.

Stage 2: Eliza's diary

Today I went to see that heartless stubborn snob Higgins. I dressed up well and asked him if he could teach me some English. I had overheard him talking to Pickering about how you can become everything with your pronunciation. When I asked him he made fun of me and treated me like an object or as dirt on his shoe, whereas Pickering treated me as a lady and I meant something to him. I offered to pay 2/5 of my wages towards lessons. Higgins offered me a room in his house and I agreed to live in his bungalow. The housekeeper Mrs. Pearce reluctantly agreed to me staying. She made me do a dreadful thing: she made me have a bath in warm water. Also they made me wear a nightdress when I went to sleep. I normally slept in my underclothes, and I slept in a luxurious room. It made me quite angry and I started to cry.

Stage 2: Higgins' diary

Today that “bilious pigeon” Eliza came to see me. I joked around with her at first and I asked for sixty pounds (what a joke from a creature in the gutter). She offered to pay me 2/5 of her wages but I knew this was too much. I betted with Colonel Pickering that I could experiment with the girl and pass her off as a duchess. Mrs. Pearce asked me to be nice to the creature but it is hard to be nice to an object. Also today came another common-breed (guttersnipe): it was Eliza's father. He had come for money, I could see it, but reluctantly I gave him five pounds. He had referred to himself as the “undeserving poor” and I show great respect to people who admit they are poor. I was quite impressed with Mr. Alfred Dolittle (dustbin man). He was quite happy with his money and I sent him on his way.

Stage 3: Eliza's diary

I went to see Higgins's mum today (sorry, mother). There were guests at her house; there was sweet Freddy, Clara and her mother Mrs. Eynsford Hill. I was quite beautifully dressed; no one hardly recognised me. According to Higgins I was talking the new “small talk” or new slang. That sweet Freddy seemed quite attracted to me and I was quite flattered by this. I did make a slip of the tongue because I said “bloody hell”. Higgins seemed slightly disappointed with me but I thought I did quite well for my first test.

Stage 3: Higgins' diary

Today I took Eliza to my mother's house. This was to try her out in society. I knew that the guests that were there Eliza had met before and I wanted to see if they recognised the transformation of Eliza, and it seemed they were impressed. One thing that I realised today was that Eliza now knows how to speak but not what to say. Her grammar is incorrect and she uses her vocabulary as the subject matter of the street, not as if she was talking in a high society. She uses an awful lot of slang words like “bloody” and “devil”. Also I am quite concerned about that witty creature Freddy; he seemed to never stop looking at Eliza.

Stage 4: Eliza's diary

After the ambassador's reception Higgins, Pickering and me were all very tired. I overheard Pickering and Higgins talking. Higgins referred to me as a “creature” and then said, “I made this thing”. It was as if I was an object and an experiment or a bet. He said he was glad the whole scenario was over. Higgins was very rude and I lost my temper and he called me a “presumptuous insect”. I had had enough and I called him a “selfish brute”. He does not care about me at all and my feelings. I am unfit for employment because I am too educated. He does not care about me and sees me as an experiment that has worked. I left the house and was planning to throw myself in the river because I was very depressed. I met lovesick Freddy and we went off in a taxi.

Stage 4: Higgins' diary

Today I took Eliza to the Ambassador's reception to see if I could pass her off as a duchess. I had won the bet with Colonel Pickering and I was very happy. When we returned home that “squashed cabbage leaf” Eliza was very moody and stroppy. I was tired and was about to go to bed. I said, “Put out the lights Eliza and tell Mrs. Pearce not to make coffee. I'll take tea.” I was looking for my slippers and suddenly she threw them at me. I thought, what was up with that “presumptuous insect”. I was tired and was not in the mood for an argument. I tried to explain to her that I had given her everything. She thinks that I am using her as an experiment, which of course I am not (“It was only a joke”). She thought I was going to hit the “infamous creature”. I would not even hurt a fly. She has “wounded my heart”. She made me leave a note because she wasn't going to tell Mrs. Pearce. In a rage she stormed up the stairs and I decided to go to sleep.

Stage 5: Retrospect

Eliza's diary

I think that if I had the chance to do it all again I probably would. I think that learning to speak proper English has improved my lifestyle. I have learnt how to speak proper English and I could get a good job and maybe be someone of High-class society, which obviously I am not. On the other hand maybe I was meant to be an “undeserving poor” and maybe I had too big ambitions. I should mix with people of my society and who understand me more. I should remember my roots. I was quite happy where I was and nobody laughed at me or made fun of me and treated me as equal as them. I think that I could have led a happy life even if I was poor. Also I think that Higgins should have made it clear that I was just an “experiment.” I think the biggest blow was Higgins being nasty and did not respect me and I was an “object”. What annoyed me the most was that at parties and receptions he could be a true gentleman, so if he can do that at parties then I should try to make him respect me. Higgins does not see me as the “new” Eliza but as a “dirty flower girl” who has transformed due to his experiment. He thinks, “I am mutton dressed as lamb”. The adult Higgins' actions are the same as a child's. Looking back I think I would have done it all again but with a few minor adjustments. I would have seen what sort of person Higgins really is and seen if I would like to be part of his experiment. All in all it did not cost me anything and I have learnt to speak proper English and Higgins only gained money. (He won his bet with Colonel Pickering.)

Higgins' diary

I think that if I had the chance to do it all again I probably would not. Eliza is too moody and cannot fit into high-class society. England is full of people who can't speak proper English. I would have picked someone quieter and someone who does not complain as much. Eliza must like me for who I am and if she does not like it then tough. I find it very hard to talk to people from the gutter because they don't understand them and I try explaining to them to learn proper English. This experiment has helped me gain confidence that I could pass anyone off as a duchess. All in all I would not do it all again with Eliza; I would pick someone more suitable. There is plenty of the “gutter snipe breed”.

Tuesday, October 22, 2019

Cisa Essays

Cisa Essays Cisa Essay Cisa Essay 1. A benefit of open system architecture is that it: A. facilitates interoperability. B. facilitates the integration of proprietary components. C. will be a basis for volume discounts from equipment vendors. D. allows for the achievement of more economies of scale for equipment. ANSWER: A NOTE: Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers systems cannot or will not interface with existing systems. . An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment? A. Commands typed on the command line are logged B. Hash keys are calculated periodical ly for programs and matched against hash keys calculated for the most recent authorized versions of the programs C. Access to the operating system command line is granted through an access restriction tool with preapproved rights D. Software development tools and compilers have been removed from the production environment ANSWER: B NOTE: The matching of hash keys over time would allow detection of changes to files. Choice A is incorrect because having a log is not a control, reviewing the log is a control. Choice C is incorrect because the access was already granted- it does not matter how. Choice D is wrong because files can be copied to and from the production environment. 3. In the context of effective information security governance, the primary objective of value delivery is to: A. optimize security investments in support of business objectives. B. implement a standard set of security practices. C. institute a standards-based solution. D. 
implement a continuous improvement culture. ANSWER: A NOTE: In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization of standards-based solutions, and implementation of a continuous improvement culture considering security as a process, not an event. 4. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that: A. assessment of the situation may be delayed. B. execution of the disaster recovery plan could be impacted. C. notification of the teams might not occur. D. potential crisis recognition might be ineffective. ANSWER: B NOTE: Execution of the business continuity plan would be impacted if the organization does not know when to declare a crisis. Choices A, C and D are steps that must be performed to know whether to declare a crisis. Problem and severity assessment would provide information necessary in declaring a disaster. Once a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying this step until a disaster has been declared would negate the effect of having response teams. Potential crisis recognition is the first step in responding to a disaster. 5. When implementing an IT governance framework in an organization the MOST important objective is: A. IT alignment with the business. B. accountability. C. value realization with IT. D. enhancing the return on IT investments. ANSWER: A NOTE: The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. 
The key practice in support of these goals is the strategic alignment of IT with the business (choice A). To achieve alignment, all other choices need to be tied to business practices and strategies. 6. When reviewing an implementation of a VoIP system over a corporate WAN, an IS auditor should expect to find: A. an integrated services digital network (ISDN) data link. B. traffic engineering. C. wired equivalent privacy (WEP) encryption of data. D. analog phone terminals. ANSWER: B NOTE: To ensure that quality of service requirements are achieved, the Voice-over IP (VoIP) service over the wide area network (WAN) should be protected from packet losses, latency or jitter. To reach this objective, the network performance can be managed using statistical techniques such as traffic engineering. The standard bandwidth of an integrated services digital network (ISDN) data link would not provide the quality of services required for corporate VoIP services. WEP is an encryption scheme related to wireless networking. The VoIP phones are usually connected to a corporate local area network (LAN) and are not analog. 7. An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important? A. The tools used to conduct the test B. Certifications held by the IS auditor C. Permission from the data owner of the server D. An intrusion detection system (IDS) is enabled ANSWER: C NOTE: The data owner should be informed of the risks associated with a penetration test, what types of tests are to be conducted and other relevant details. All other choices are not as important as the data owners responsibility for the security of the data assets. 8. Which of the following is a risk of cross-training? A. Increases the dependence on one employee B. Does not assist in succession planning C. One employee may know all parts of a system D. 
Does not help in achieving a continuity of operations ANSWER: C NOTE: When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations. 9. The use of digital signatures: A. requires the use of a one-time password generator. B. provides encryption to a message. C. validates the source of a message. D. ensures message confidentiality. ANSWER: C NOTE: The use of a digital signature verifies the identity of the sender, but does not encrypt the whole message, and hence is not enough to ensure confidentiality. A one-time password generator is an option, but is not a requirement for using digital signatures. 0. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative? A. Issues of privacy B. Wavelength can be absorbed by the human body C. RFID tags may not be removable D. RFID eliminates line-of-sight reading ANSWER: A NOTE: The purchaser of an item wil l not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID can carry unique identifier numbers. If desired it would be possible for a firm to track individuals who purchase an item containing an RFID. Choices B and C are concerns of less importance. Choice D is not a concern. 11. A lower recovery time objective (RTO) results in: A. higher disaster tolerance. B. higher cost. C. wider interruption windows. D. more permissive data loss. 
ANSWER: B NOTE: A recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies. The lower the disaster tolerance, the narrower the interruption windows, and the lesser the permissive data loss. 12. During the requirements definition phase of a software development project, the aspects of software testing that should be addressed are developing: A. test data covering critical applications. B. detailed test plans. C. quality assurance test specifications. D. user acceptance testing specifications. ANSWER: D NOTE: A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project and user acceptance test specification should be developed during this phase. The other choices are generally performed during the system testing phase. 13. The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all: A. outgoing traffic with IP source addresses external to the network. B. incoming traffic with discernible spoofed IP source addresses. C. incoming traffic with IP options set. D. incoming traffic to critical hosts. ANSWER: A NOTE: Outgoing traffic with an IP source address different than the IP range in the network is invalid. In most of the cases, it signals a DoS attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the attack. 14. What is the BEST backup strategy for a large database with data supporting online sales? A. Weekly full backup with daily incremental backup B. Daily full backup C. Clustered servers D. 
Mirrored hard disks ANSWER: A NOTE: Weekly full backup and daily incremental backup is the best backup strategy; it ensures the ability to recover the database and yet reduces the daily backup time requirements. A full backup normally requires a couple of hours, and therefore it can be impractical to conduct a full backup every day. Clustered servers provide a redundant processing capability, but are not a backup. Mirrored hard disks will not help in case of disaster. 15. Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks? A. Session keys are dynamic B. Private symmetric keys are used C. Keys are static and shared D. Source addresses are not encrypted or authenticated ANSWER: A NOTE: WPA uses dynamic session keys, achieving stronger encryption than wireless encryption privacy (WEP), which operates with static keys (same key is used for everyone in the wireless network). All other choices are weaknesses of WEP. 16. The ultimate purpose of IT governance is to: A. encourage optimal use of IT. B. reduce IT costs. C. decentralize IT resources across the organization. D. centralize control of IT. ANSWER: A NOTE: IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. Centralizing control of IT is not always desired. An example of where it might be desired is an enterprise desiring a single point of customer contact. 17. The MAIN purpose of a transaction audit trail is to: A. reduce the use of storage media. B. determine accountability and responsibility for processed transactions. C. help an IS auditor trace transactions. D. provide useful information for capacity planning. 
ANSWER: B NOTE: Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. Enabling audit trails increases the use of disk space. A transaction log file would be used to trace transactions, but would not aid in determining accountability and responsibility. The objective of capacity planning is the efficient and effective use of IT resources and requires information such as CPU utilization, bandwidth, number of users, etc. 18. An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to: A. tress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans. B. accept the project managers position as the project manager is accountable for the outcome of the project. C. offer to work with the risk manager when one is appointed. D. inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project. ANSWER: A NO TE: The majority of project risks can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with these risks. A project should have a clear link back to corporate strategy and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risks. Appointing a risk manager is a good practice but waiting until the project has been impacted by risks is misguided. 
Risk management needs to be forward looking; allowing risks to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risks have emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.

19. A data center has a badge-entry system. Which of the following is MOST important to protect the computing assets in the center?
A. Badge readers are installed in locations where tampering would be noticed
B. The computer that controls the badge system is backed up frequently
C. A process for promptly deactivating lost or stolen badges exists
D. All badge entry attempts are logged
ANSWER: C
NOTE: Tampering with a badge reader cannot open the door, so this is irrelevant. Logging the entry attempts may be of limited value. The biggest risk is from unauthorized individuals who can enter the data center, whether they are employees or not. Thus, a process of deactivating lost or stolen badges is important. The configuration of the system does not change frequently, therefore frequent backup is not necessary.

20. Which of the following would impair the independence of a quality assurance team?
A. Ensuring compliance with development methods
B. Checking the testing assumptions
C. Correcting coding errors during the testing process
D. Checking the code to ensure proper documentation
ANSWER: C
NOTE: Correction of code should not be a responsibility of the quality assurance team as it would not ensure segregation of duties and would impair the team's independence. The other choices are valid quality assurance functions.

21.
Which of the following is the BEST type of program for an organization to implement to aggregate, correlate and store different log and event files, and then produce weekly and monthly reports for IS auditors?
A. A security information event management (SIEM) product
B. An open-source correlation engine
C. A log management tool
D. An extract, transform, load (ETL) system
ANSWER: C
NOTE: A log management tool is a product designed to aggregate events from many log files (with distinct formats and from different sources), store them and typically correlate them offline to produce many reports (e.g., exception reports showing different statistics including anomalies and suspicious activities), and to answer time-based queries (e.g., how many users have entered the system between 2 a.m. and 4 a.m. over the past three weeks?). A SIEM product has some similar features. It correlates events from log files, but does it online and normally is not oriented to storing many weeks of historical information and producing audit reports. A correlation engine is part of a SIEM product. It is oriented to making an online correlation of events. An extract, transform, load (ETL) is part of a business intelligence system, dedicated to extracting operational or production data, transforming that data and loading them to a central repository (data warehouse or data mart); an ETL does not correlate data or produce reports, and normally it does not have extractors to read log file formats.

22. To ensure authentication, confidentiality and integrity of a message, the sender should encrypt the hash of the message with the sender's:
A. public key and then encrypt the message with the receiver's private key.
B. private key and then encrypt the message with the receiver's public key.
C. public key and then encrypt the message with the receiver's public key.
D. private key and then encrypt the message with the receiver's private key.
ANSWER: B
NOTE: Obtaining the hash of the message ensures integrity; signing the hash of the message with the sender's private key ensures the authenticity of the origin, and encrypting the resulting message with the receiver's public key ensures confidentiality. The other choices are incorrect.

23. An IS auditor observes a weakness in the tape management system at a data center in that some parameters are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness?
A. Staging and job set up
B. Supervisory review of logs
C. Regular back-up of tapes
D. Offsite storage of tapes
ANSWER: A
NOTE: If the IS auditor finds that there are effective staging and job set up processes, this can be accepted as a compensating control. Choice B is a detective control while choices C and D are corrective controls, none of which would serve as good compensating controls.

24. What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?
A. Malicious code could be spread across the network
B. VPN logon could be spoofed
C. Traffic could be sniffed and decrypted
D. VPN gateway could be compromised
ANSWER: A
NOTE: VPN is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization's network. Though choices B, C and D are security risks, VPN technology largely mitigates these risks.

25. The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the:
A. duration of the outage.
B. type of outage.
C. probability of the outage.
D. cause of the outage.
ANSWER: A
NOTE: The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives.

26.
After observing suspicious activities in a server, a manager requests a forensic analysis. Which of the following findings should be of MOST concern to the investigator?
A. Server is a member of a workgroup and not part of the server domain
B. Guest account is enabled on the server
C. Recently, 100 users were created in the server
D. Audit logs are not enabled for the server
ANSWER: D
NOTE: Audit logs can provide evidence which is required to proceed with an investigation and should not be disabled. For business needs, a server can be a member of a workgroup and, therefore, not a concern. Having a guest account enabled on a system is a poor security practice but not a forensic investigation concern. Recently creating 100 users in the server may have been required to meet business needs and should not be a concern.

27. Minimum password length and password complexity verification are examples of:
A. detection controls.
B. control objectives.
C. audit objectives.
D. control procedures.
ANSWER: D
NOTE: Control procedures are practices established by management to achieve specific control objectives. Password controls are preventive controls, not detective controls. Control objectives are declarations of expected results from implementing controls and audit objectives are the specific goals of an audit.

28. Which of the following is an advantage of the top-down approach to software testing?
A. Interface errors are identified early
B. Testing can be started before all programs are complete
C. It is more effective than other testing approaches
D. Errors in critical modules are detected sooner
ANSWER: A
NOTE: The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the environment being tested. Choices B and D are advantages of the bottom-up approach to system testing.

29.
After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:
A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.
C. report the possibility of fraud to top management and ask how they would like to proceed.
D. consult with external legal counsel to determine the course of action to be taken.
ANSWER: A
NOTE: An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have authority to consult with external legal counsel.

30. As a driver of IT governance, transparency of IT's cost, value and risks is primarily achieved through:
A. performance measurement.
B. strategic alignment.
C. value delivery.
D. resource management.
ANSWER: A
NOTE: Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement as it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.

31. A technical lead who was working on a major project has left the organization. The project manager reports suspicious system activities on one of the servers that is accessible to the whole team.
What would be of GREATEST concern if discovered during a forensic investigation?
A. Audit logs are not enabled for the system
B. A logon ID for the technical lead still exists
C. Spyware is installed on the system
D. A Trojan is installed on the system
ANSWER: A
NOTE: Audit logs are critical to the investigation of the event; however, if not enabled, misuse of the logon ID of the technical lead and the guest account could not be established. The logon ID of the technical lead should have been deleted as soon as the employee left the organization but, without audit logs, misuse of the ID is difficult to prove. Spyware installed on the system is a concern but could have been installed by any user and, again, without the presence of logs, discovering who installed the spyware is difficult. A Trojan installed on the system is a concern, but it can be done by any user as it is accessible to the whole group and, without the presence of logs, investigation would be difficult.

32. When using a universal storage bus (USB) flash drive to transport confidential corporate data to an offsite location, an effective control would be to:
A. carry the flash drive in a portable safe.
B. assure management that you will not lose the flash drive.
C. request that management deliver the flash drive by courier.
D. encrypt the folder containing the data with a strong key.
ANSWER: D
NOTE: Encryption, with a strong key, is the most secure method for protecting the information on the flash drive. Carrying the flash drive in a portable safe does not guarantee the safety of the information in the event that the safe is stolen or lost. No matter what measures you take, the chance of losing the flash drive still exists. It is possible that a courier might lose the flash drive or that it might be stolen.

33. The FIRST step in a successful attack to a system would be:
A. gathering information.
B. gaining access.
C. denying services.
D. evading detection.
ANSWER: A
NOTE: Successful attacks start by gathering information about the target system. This is done in advance so that the attacker gets to know the target systems and their vulnerabilities. All of the other choices are based on the information gathered.

34. An IS auditor finds that conference rooms have active network ports. Which of the following is MOST important to ensure?
A. The corporate network is using an intrusion prevention system (IPS)
B. This part of the network is isolated from the corporate network
C. A single sign-on has been implemented in the corporate network
D. Antivirus software is in place to protect the corporate network
ANSWER: B
NOTE: If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or being physically separated. An IPS would detect possible attacks, but only after they have occurred. A single sign-on would ease authentication management. Antivirus software would reduce the impact of possible viruses; however, unauthorized users would still be able to access the corporate network, which is the biggest risk.

35. While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructural damage. The BEST recommendation the IS auditor can provide to the organization is to ensure:
A. the salvage team is trained to use the notification system.
B. the notification system provides for the recovery of the backup.
C. redundancies are built into the notification system.
D. the notification systems are stored in a vault.
ANSWER: C
NOTE: If the notification system has been severely impacted by the damage, redundancy would be the best control. The salvage team would not be able to use a severely damaged notification system, even if they are trained to use it.
The recovery of the backups has no bearing on the notification system and storing the notification system in a vault would be of little value if the building is damaged.

36. The human resources (HR) department has developed a system to allow employees to enroll in benefits via a web site on the corporate Intranet. Which of the following would protect the confidentiality of the data?
A. SSL encryption
B. Two-factor authentication
C. Encrypted session cookies
D. IP address verification
ANSWER: A
NOTE: The main risk in this scenario is confidentiality, therefore the only option which would provide confidentiality is Secure Socket Layer (SSL) encryption. The remaining options deal with authentication issues.

37. Regarding a disaster recovery plan, the role of an IS auditor should include:
A. identifying critical applications.
B. determining the external service providers involved in a recovery test.
C. observing the tests of the disaster recovery plan.
D. determining the criteria for establishing a recovery time objective (RTO).
ANSWER: C
NOTE: The IS auditor should be present when disaster recovery plans are tested, to ensure that the test meets the targets for restoration, and the recovery procedures are effective and efficient. As appropriate, the auditor should provide a report of the test results. All other choices are a responsibility of management.

38. Which of the following is the BEST practice to ensure that access authorizations are still valid?
A. Information owner provides authorization for users to gain access
B. Identity management is integrated with human resource processes
C. Information owners periodically review the access controls
D. An authorization matrix is used to establish validity of access
ANSWER: B
NOTE: Personnel and departmental changes can result in authorization creep and can impact the effectiveness of access controls.
Many times when personnel leave an organization, or employees are promoted, transferred or demoted, their system access is not fully removed, which increases the risk of unauthorized access. The best practice for ensuring access authorization is still valid is to integrate identity management with human resources processes. When an employee transfers to a different function, access rights are adjusted at the same time.

39. The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open-source software?
A. Rewrite the patches and apply them
B. Code review and application of available patches
C. Develop in-house patches
D. Identify and test suitable patches before applying them
ANSWER: D
NOTE: Suitable patches from the existing developers should be selected and tested before applying them. Rewriting the patches and applying them is not a correct answer because it would require skilled resources and time to rewrite the patches. Code review could be possible but tests need to be performed before applying the patches. Since the system was developed outside the organization, the IT department may not have the necessary skills and resources to develop patches.

40. Which of the following is a prevalent risk in the development of end-user computing (EUC) applications?
A. Applications may not be subject to testing and IT general controls
B. Increased development and maintenance costs
C. Increased application development time
D. Decision-making may be impaired due to diminished responsiveness to requests for information
ANSWER: A
NOTE: End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation.
A risk of end-user applications is that management may rely on them as much as traditional applications. End-user computing (EUC) systems typically result in reduced application development and maintenance costs, and a reduced development cycle time. EUC systems normally increase flexibility and responsiveness to management's information requests.

41. The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the:
A. IT budget.
B. existing IT environment.
C. business plan.
D. investment plan.
ANSWER: C
NOTE: One of the most important reasons for which projects get funded is how well a project meets an organization's strategic objectives. Portfolio management takes a holistic view of a company's overall IT strategy. IT strategy should be aligned with the business strategy and, hence, reviewing the business plan should be the major consideration. Choices A, B and D are important but secondary to the importance of reviewing the business plan.

42. Which of the following is an attribute of the control self-assessment (CSA) approach?
A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven
ANSWER: A
NOTE: The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training, all of which are representations of broad stakeholder involvement. Choices B, C and D are attributes of a traditional audit approach.

43. The BEST method for assessing the effectiveness of a business continuity plan is to review the:
A. plans and compare them to appropriate standards.
B. results from previous tests.
C. emergency procedures and employee training.
D. offsite storage and environmental controls.
ANSWER: B
NOTE: Previous test results will provide evidence of the effectiveness of the business continuity plan. Comparisons to standards will give some assurance that the plan addresses the critical aspects of a business continuity plan but will not reveal anything about its effectiveness. Reviewing emergency procedures, offsite storage and environmental controls would provide insight into some aspects of the plan but would fall short of providing assurance of the plan's overall effectiveness.

44. An organization has just completed their annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization?
A. Review and evaluate the business continuity plan for adequacy
B. Perform a full simulation of the business continuity plan
C. Train and educate employees regarding the business continuity plan
D. Notify critical contacts in the business continuity plan
ANSWER: A
NOTE: The business continuity plan should be reviewed every time a risk assessment is completed for the organization. Training of the employees and a simulation should be performed after the business continuity plan has been deemed adequate for the organization. There is no reason to notify the business continuity plan contacts at this time.

45. Which of the following insurance types provide for a loss arising from fraudulent acts by employees?
A. Business interruption
B. Fidelity coverage
C. Errors and omissions
D. Extra expense
ANSWER: B
NOTE: Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees. Business interruption insurance covers the loss of profit due to the disruption in the operations of an organization. Errors and omissions insurance provides legal liability protection in the event that the professional practitioner commits an act that results in financial loss to a client.
Extra expense insurance is designed to cover the extra costs of continuing operations following a disaster/disruption within an organization.

46. An IS auditor reviewing the risk assessment process of an organization should FIRST:
A. identify the reasonable threats to the information assets.
B. analyze the technical and organizational vulnerabilities.
C. identify and rank the information assets.
D. evaluate the effect of a potential security breach.
ANSWER: C
NOTE: Identification and ranking of information assets - e.g., data criticality, locations of assets - will set the tone or scope of how to assess risk in relation to the organizational value of the asset. Second, the threats facing each of the organization's assets should be analyzed according to their value to the organization. Third, weaknesses should be identified so that controls can be evaluated to determine if they mitigate the weaknesses. Fourth, analyze how these weaknesses, in absence of given controls, would impact the organization's information assets.

47. An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control?
A. User-level permissions
B. Role-based
C. Fine-grained
D. Discretionary
ANSWER: B
NOTE: Role-based access controls the system access by defining roles for a group of users. Users are assigned to the various roles and the access is granted based on the user's role. User-level permissions for an ERP system would create a larger administrative overhead. Fine-grained access control is very difficult to implement and maintain in the context of a large enterprise. Discretionary access control may be configured or modified by the users or data owners, and therefore may create inconsistencies in the access control management.

48. The sender of a public key would be authenticated by a:
A. certificate authority.
B. digital signature.
C. digital certificate.
D. registration authority.
ANSWER: C
NOTE: A digital certificate is an electronic document that declares a public key holder is who the holder claims to be. The certificates do handle data authentication as they are used to determine who sent a particular message. A certificate authority issues the digital certificates, and distributes, generates and manages public keys. A digital signature is used to ensure integrity of the message being sent and solve the nonrepudiation issue of message origination. The registration authority would perform most of the administrative tasks of a certificate authority, i.e., registration of the users of a digital signature plus authenticating the information that is put in the digital certificate.

49. Which of the following is the MOST reliable form of single factor personal identification?
A. Smart card
B. Password
C. Photo identification
D. Iris scan
ANSWER: D
NOTE: Since no two irises are alike, identification and verification can be done with confidence. There is no guarantee that a smart card is being used by the correct person since it can be shared, stolen or lost and found. Passwords can be shared and, if written down, carry the risk of discovery. Photo IDs can be forged or falsified.

50. A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization's data?
A. Introduce a secondary authentication method such as card swipe
B. Apply role-based permissions within the application system
C. Have users input the ID and password for each database transaction
D. Set an expiration period for the database password embedded in the program
ANSWER: B
NOTE: When a single ID and password are embedded in a program, the best compensating control would be a sound access control over the application layer and procedures to ensure access to data is granted based on a user's role.
The issue is user permissions, not authentication, therefore adding a stronger authentication does not improve the situation. Having a user input the ID and password for access would provide a better control because a database log would identify the initiator of the activity. However, this may not be efficient because each transaction would require a separate authentication process. It is a good practice to set an expiration date for a password. However, this might not be practical for an ID automatically logged in from the program. Often, this type of password is set not to expire.

51. Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation?
A. Process maturity
B. Performance indicators
C. Business risk
D. Assurance reports
ANSWER: C
NOTE: Priority should be given to those areas which represent a known risk to the enterprise's operations. The level of process maturity, process performance and audit reports will feed into the decision making process. Those areas that represent real risk to the business should be given priority.

52. An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor's MAIN concern should be that the:
A. complexity and risks associated with the project have been analyzed.
B. resources needed throughout the project have been determined.
C. project deliverables have been identified.
D. a contract for external parties involved in the project has been completed.
ANSWER: A
NOTE: Understanding complexity and risk, and actively managing these throughout a project are critical to a successful outcome. The other choices, while important during the course of the project, cannot be fully determined at the time the project is initiated, and are often contingent upon the risk and complexity of the project.

53. Which of the following would MOST effectively control the usage of universal storage bus (USB) storage devices?
A.
Policies that require instant dismissal if such devices are found
B. Software for tracking and managing USB storage devices
C. Administratively disabling the USB port
D. Searching personnel for USB storage devices at the facility's entrance
ANSWER: B
NOTE: Software for centralized tracking and monitoring would allow a USB usage policy to be applied to each user based on changing business requirements, and would provide for monitoring and reporting exceptions to management. A policy requiring dismissal may result in increased employee attrition and business requirements would not be properly addressed. Disabling ports would be complex to manage and might not allow for new business needs. Searching of personnel for USB storage devices at the entrance to a facility is not a practical solution since these devices are small and could be easily hidden.

54. When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next:
A. recommend that the database be normalized.
B. review the conceptual data model.
C. review the stored procedures.
D. review the justification.
ANSWER: D
NOTE: If the database is not normalized, the IS auditor should review the justification since, in some situations, denormalization is recommended for performance reasons. The IS auditor should not recommend normalizing the database until further investigation takes place. Reviewing the conceptual data model or the stored procedures will not provide information about normalization.

55. Which of the following would be the GREATEST cause for concern when data are sent over the Internet using HTTPS protocol?
A. Presence of spyware in one of the ends
B. The use of a traffic sniffing tool
C. The implementation of an RSA-compliant solution
D.
A symmetric cryptography is used for transmitting data
ANSWER: A
NOTE: Encryption using secure sockets layer/transport layer security (SSL/TLS) tunnels makes it difficult to intercept data in transit, but when spyware is running on an end user's computer, data are collected before encryption takes place. The other choices are related to encrypting the traffic, but the presence of spyware in one of the ends captures the data before encryption takes place.

56. At the completion of a system development project, a postproject review should include which of the following?
A. Assessing risks that may lead to downtime after the production release
B. Identifying lessons learned that may be applicable to future projects
C. Verifying the controls in the delivered system are working
D. Ensuring that test data are deleted
ANSWER: B
NOTE: A project team has something to learn from each and every project. As risk assessment is a key issue for project management, it is important for the organization to accumulate lessons learned and integrate them into future projects. An assessment of potential downtime should be made with the operations group and other specialists before implementing a system. Verifying that controls are working should be covered during the acceptance test phase and possibly, again, in the postimplementation review. Test data should be retained for future regression testing.

57. While reviewing the IT infrastructure, an IS auditor notices that storage resources are continuously being added. The IS auditor should:
A. recommend the use of disk mirroring.
B. review the adequacy of offsite storage.
C. review the capacity management process.
D. recommend the use of a compression algorithm.
ANSWER: C
NOTE: Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively.
Business criticality must be considered before recommending a disk mirroring solution and offsite storage is unrelated to the problem. Though data compression may save disk space, it could affect system performance.

58. Which of the following would be MOST important for an IS auditor to verify when conducting a business continuity audit?
A. Data backups are performed on a timely basis
B. A recovery site is contracted for and available as needed
C. Human safety procedures are in place
D. Insurance coverage is adequate and premiums are current
ANSWER: C
NOTE: The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.

59. While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
A. audit trail of the versioning of the work papers.
B. approval of the audit phases.
C. access rights to the work papers.
D. confidentiality of the work papers.
ANSWER: D
NOTE: Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for requiring encryption.

60. An IS auditor reviewing an accounts payable system discovers that audit logs are not being reviewed. When this issue is raised with management the response is that additional controls are not necessary because effective system access controls are in place. The BEST response the auditor can make is to:
A. review the integrity of system access controls.
B. accept management's statement that effective access controls are in place.
C. stress the importance of having a system control framework in place.
D. review the background checks of the accounts payable staff.
ANSWER: C
NOTE: Experience has demonstrated that reliance purely on preventative controls is dangerous.
Preventative controls may not prove to be as strong as anticipated or their effectiveness can deteriorate over time. Evaluating the cost of controls versus the quantum of risk is a valid management concern. However, in a high-risk system a comprehensive control framework is needed. Intelligent design should permit additional detective and corrective controls to be established that don't have high ongoing costs, e.g., automated interrogation of logs to highlight suspicious individual transactions or data patterns. Effective access controls are, in themselves, a positive but, for reasons outlined above, may not sufficiently compensate for other control weaknesses. In this situation the IS auditor needs to be proactive. The IS auditor has a fundamental obligation to point out control weaknesses that give rise to unacceptable risks to the organization and work with management to have these corrected. Reviewing background checks on accounts payable staff does not provide evidence that fraud will not occur.

61. A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment? A. Reviewing logs frequently B. Testing and validating the rules C. Training a local administrator at the new location D. Sharing firewall administrative duties ANSWER: B NOTE: A mistake in the rule set can render a firewall insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment. A regular review of log files would not start until the deployment has been completed. Training a local administrator may not be necessary if the firewalls are managed from a central location. Having multiple administrators is a good idea, but not the most important.

62. When evaluating the controls of an EDI application, an IS auditor should PRIMARILY be concerned with the risk of: A. excessive transaction turnaround time. B. application interface failure. C.
improper transaction authorization. D. nonvalidated batch totals. ANSWER: C NOTE: Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Since the interaction with the parties is electronic, there is no inherent authentication. The other choices, although risks, are not as significant.

63. The PRIMARY objective of implementing corporate governance by an organization's management is to: A. provide strategic direction. B. control business operations. C. align IT with business. D. implement best practices. ANSWER: A NOTE: Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business operations are directed and controlled.

64. To determine if unauthorized changes have been made to production code the BEST audit procedure is to: A. examine the change control system records and trace them forward to object code files. B. review access control permissions operating within the production program libraries. C. examine object code to find instances of changes and trace them back to change control records. D. review change approved designations established within the change control system. ANSWER: C NOTE: The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes. The other choices are valid procedures to apply in a change control audit but they do not directly address the risk of unauthorized code changes.

65. When reviewing an active project, an IS auditor observed that, because of a reduction in anticipated benefits and increased costs, the business case was no longer valid.
The IS auditor should recommend that the: A. project be discontinued. B. business case be updated and possible corrective actions be identified. C. project be returned to the project sponsor for reapproval. D. project be completed and the business case be updated later. ANSWER: B NOTE: An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case. The IS auditor should recommend that the business case be kept current throughout the project since it is a key input to decisions made throughout the life of any project.

66. Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update? A. Test data run B. Code review C. Automated code comparison D. Review of code migration procedures ANSWER: C NOTE: An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure. Test data runs permit the auditor to verify the processing of preselected transactions, but provide no evidence about unexercised portions of a program. Code review is the process of reading program source code listings to determine whether the code contains potential errors or inefficient statements. A code review can be used as a means of code comparison but it is inefficient. The review of code migration procedures would not detect program changes.

67. Doing which of the following during peak production hours could result in unexpected downtime? A. Performing data migration or tape backup B. Performing preventive maintenance on electrical systems C. Promoting applications from development to the staging environment D. Replacing a failed power supply in the core router of the data center ANSWER: B NOTE: Choices A and C are processing events which may impact performance, but would not cause downtime.
Enterprise-class routers have redundant hot-swappable power supplies, so replacing a failed power supply should not be an issue. Preventive maintenance activities should be scheduled for non-peak times of the day, and preferably during a maintenance window time period. A mishap or incident caused by a maintenance worker could result in unplanned downtime.

68. Which of the following is the MOST robust method for disposing of magnetic media that contains confidential information? A. Degaussing B. Defragmenting C. Erasing D. Destroying ANSWER: D NOTE: Destroying magnetic media is the only way to assure that confidential information cannot be recovered. Degaussing or demagnetizing is not sufficient to fully erase information from magnetic media. The purpose of defragmentation is to eliminate fragmentation in file systems and does not remove information. Erasing or deleting magnetic media does not remove the information; this method simply changes a file's indexing information.

69. The MAIN criterion for determining the severity level of a service disruption incident is: A. cost of recovery. B. negative public opinion. C. geographic location. D. downtime. ANSWER: D NOTE: The longer the period of time a client cannot be serviced, the greater the severity of the incident. The cost of recovery could be minimal yet the service downtime could have a major impact. Negative public opinion is a symptom of an incident. Geographic location does not determine the severity of the incident.

70. During the design of a business continuity plan, the business impact analysis (BIA) identifies critical processes and supporting applications. This will PRIMARILY influence the: A. responsibility for maintaining the business continuity plan. B. criteria for selecting a recovery site provider. C. recovery strategy. D. responsibilities of key personnel.
ANSWER: C NOTE: The most appropriate strategy is selected based on the relative risk level and criticality identified in the business impact analysis (BIA). The other choices are made after the selection or design of the appropriate recovery strategy.

71. What is the lowest level of the IT governance maturity model where an IT balanced scorecard exists? A. Repeatable but Intuitive B. Defined C. Managed and Measurable D. Optimized ANSWER: B NOTE: Defined (level 3) is the lowest level at which an IT balanced scorecard is defined.

72. During the system testing phase of an application development project the IS auditor should review the: A. conceptual design specifications. B. vendor contract. C. error reports. D. program change requests. ANSWER: C NOTE: Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors. A conceptual design specification is a document prepared during the requirements definition phase. A vendor contract is prepared during a software acquisition process. Program change requests would normally be reviewed as a part of the postimplementation phase.

73. When reviewing procedures for emergency changes to programs, the IS auditor should verify that the procedures: A. allow changes, which will be completed using after-the-fact follow-up. B. allow undocumented changes directly to the production library. C. do not allow any emergency changes. D. allow programmers permanent access to production programs. ANSWER: A NOTE: There may be situations where emergency fixes are required to resolve system problems. This involves the use of special logon IDs that grant programmers temporary access to production programs during emergency situations.
Emergency changes should be completed using after-the-fact follow-up procedures, which ensure that normal procedures are retroactively applied; otherwise, production may be impacted. Changes made in this fashion should be held in an emergency library from where they can be moved to the production library, following the normal change management process. Programmers should not directly alter the production library nor should they be allowed permanent access to production programs.

74. Though management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should: A. include the statement of management in the audit report. B. identify whether such software is, indeed, being used by the organization. C. reconfirm with management the usage of the software. D. discuss the issue with senior management since reporting this could have a negative impact on the organization. ANSWER: B NOTE: When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With respect to this matter, representations obtained from management cannot be independently verified. If the organization is using software that is not licensed, the auditor, to maintain objectivity and independence, must include this in the report.

75. Which of the following would be BEST prevented by a raised floor in the computer machine room? A. Damage of wires around computers and servers B. A power failure from static electricity C. Shocks from earthquakes D. Water flood damage ANSWER: A NOTE: The primary reason for having a raised floor is to enable power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risks posed when cables are placed in a spaghetti-like fashion on an open floor.
Static electricity should be avoided in the machine room; therefore, measures such as specially manufactured carpet or shoes would be more appropriate for static prevention than a raised floor. Raised floors do not address shocks from earthquakes. To address earthquakes, anti-seismic architecture would be required to establish a quake-resistant structural framework. Computer equipment needs to be protected against water. However, a raised floor would not prevent damage to the machines in the event of overhead water pipe leakage.

76. The network of an organization has been the victim of several intruders' attacks. Which of the following measures would allow for the early detection of such incidents? A. Antivirus software B. Hardening the servers C. Screening routers D. Honeypots ANSWER: D NOTE: Honeypots can collect data on precursors of attacks. Since they serve no business function, honeypots are hosts that have no authorized users other than the honeypot administrators. All activity directed at them is considered suspicious. Attackers will scan and attack honeypots, giving administrators data on new trends and attack tools, particularly malicious code. However, honeypots are a supplement to, not a replacement for, properly securing networks, systems and applications. If honeypots are to be used by an organization, qualified incident handlers and intrusion detection analysts should manage them. The other choices do not provide indications of potential attacks.

77. The purpose of a deadman door controlling access to a computer facility is primarily to: A. prevent piggybacking. B. prevent toxic gases from entering the data center. C. starve a fire of oxygen. D. prevent an excessively rapid entry to, or exit from, the facility. ANSWER: A NOTE: The purpose of a deadman door controlling access to a computer facility is primarily intended to prevent piggybacking. Choices B and C could be accomplished with a single self-closing door.
Choice D is invalid, as a rapid exit may be necessary in some circumstances, e.g., a fire.

78. The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to: A. comply with regulatory requirements. B. provide a basis for drawing reasonable conclusions. C. ensure complete audit coverage. D. perform the audit according to the defined scope. ANSWER: B NOTE: The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only identifying control weaknesses but also documenting and validating them. Complying with regulatory requirements, ensuring coverage and the execution of audit are all relevant to an audit but are not the reason why sufficient and relevant evidence is required.

79. During the audit of a database server, which of the following would be considered the GREATEST exposure? A. The password does not expire on the administrator account B. Default global security settings for the database remain unchanged C. Old data have not been purged D. Database activity is not fully logged ANSWER: B NOTE: Default security settings for the database could allow issues like blank user passwords or passwords that were the same as the username. Logging all database activity is not practical. Failure to purge old data may present a performance issue but is not an immediate security concern. Choice A is an exposure but not as serious as B.

80. An IS auditor finds that a DBA has read and write access to production data. The IS auditor should: A. accept the DBA access as a common practice. B. assess the controls relevant to the DBA function. C. recommend the immediate revocation of the DBA access to production data. D. review user access authorizations approved by the DBA. ANSWER: B NOTE: It is good practice when finding a potential exposure to look for the best controls.
Though granting the database administrator (DBA) access to production data might be a common practice, the IS auditor should evaluate the relevant controls. The DBA should have access based on a need-to-know and need-to-do basis; therefore, revocation may remove the access required. The DBA, typically, may need to have access to some production data. Granting user authorizations is the responsibility of the data owner and not the DBA.

81. What should be the GREATEST concern to an IS auditor when employees use portable media (MP3 players, flash drives)? A. The copying of sensitive data on them B. The copying of songs and videos on them C. The cost of these devices multipl

Monday, October 21, 2019

Anglo-Saxon Characteristics in society today essays

What characteristics are necessary in our society today? Does society think that valor, selflessness, or loyalty is important? In Anglo-Saxon times those characteristics were what held their people together and without them their society would perish. Some people overlook the benefits of having those characteristics and they are not always important to everyone, but for the most part, they are very necessary in our society. Selflessness means that instead of worrying or caring about oneself all the time a person does things for others. If a person is selfless they are willing to put their own needs aside and even may jeopardize their own safety for another. There are too many people in this world thinking about only their own well-being. It is necessary to have people who devote their lives to helping others; otherwise we as a society would never survive. There is always a need for nurses, health care professionals and specialized doctors who like to help others in need. The next characteristic necessary to society is loyalty. Loyalty is when a person is totally devoted to a place, person, thing, or religion and even when everything is against him for being devoted that person does not stray. There are some exceptions but for the most part many people in society today would not be willing to give up their life for our country. Back in the Anglo-Saxon days loyalty is what held a clan together. All the people would fight and defend until the death. Like the Anglo-Saxons many individuals in the Army, Navy, and Air Force are fighting for the United States every day. They are willing to give up everything they have to keep this country safe. That is being loyal. It's necessary for our society today to have the military and other people devoted to the United States because otherwise our country would fall apart. Lastly, valor means being brave and having courage. If our society didn't have valor we would...

Sunday, October 20, 2019

Reaction Paper Essay Example

Reaction Paper Essay Example The speech of the Commander of the Naval Education and Training Command (CENT) discusses the seriousness of the conduct of Naval Command and Staff Course Class (NCSC) due to his active involvement in the class activities. He also underscores Mind Power Precedes Sea Power. Our Navy is lagging behind but with our strategy, tactics and utilizing what we have we can win battles wherein, he looks at the Vietnamese as the model of true fighting force. That is what he wants to develop to the officers, to carry on the mission of the Philippine Navy. He also emphasizes on the modernization of our navy which is very important and with that, we have a lot of work to do. Taking NCSC is not just for promotion but to be able to handle what is demanded from us, the students of NCSC. He wants us to have a positive outlook on the challenges that we face, to develop a system and a good scheduling of our activities. He also stresses that we have a lot of resources and sometimes we do not need to go far to look for what we need. Also, he wants us to generate new ideas, new ideas from old ones and fresh view of things, views that can move us, the Navy, forward very fast. If the countries that cause threat to us are moving by leaps and bounds we cannot afford to merely crawl or walk; we have to be running very fast. He also said that we will be future staff officers and commanders and a lot is expected from us in a way. We are the hope of our navy we have to stand up on your own. Moreover, he said what we need are people like you who will be able help us be a navy that will be able to defend our country without aid hopefully. It is for us a matter of pride that we can defend what we have. He also underscores that dying is not good if you have not done your mission. Mission accomplishment precedes dying a heroic death.
And lastly, he bid good luck, challenge us to find the value in the challenge and hope that we will be more useful in our respective units after the course. Body: As I understand from the opening statement of the Commander of Naval Education and Training Command (CENT) the conduct of Naval Command and Staff Course (NCSC) will be taken seriously since it was made serious by the commander himself. He underscores Mind Power Precedes Sea Power. He is correct in saying that We must be first of all sharp of mind so that we must be able to predict or even prevent superior opponents. Since with the present force capability of our Navy we are inferior compared to the overpowers and the only thing we can do is utilize effectively and efficiently what we have with Our God given talent and skills and our unmatched strategy and tactics, we can win battles. I agree with CENT that it is no secret that the Philippine Navy is lagging behind in force capabilities compared to our neighboring countries more particularly those executing or posting threat to our sovereignty and our interest, it is in this light that we should take extra effort in building ourselves up. First of all thru personal positive building, our strength will depend on the viability of our men, women particularly Officers, to develop strategy and tactics. To win battles you will need use what you have. Yes, with what we have in our Navy force capability it is true that we are lagging behind the navy of countries that are executing or posting threat to our sovereignty and our interest but what can we do it is utilize all what we have, we should just make the most out of it. Truly, what we can do is to educate and train our officers, men and women to develop strategy and tactics with the resources that we have. He looks at the Vietnamese as the model of a true fighting force, because the Vietnamese can easily overcome and determinable overcome every obstacle.
They have beaten the superpowers, they have done their history, beaten the Chinese, Japanese, and the French then before they beat the United States of America. It is no secret that they were on their pajamas, slippers and straw hats when they were battling the bombers, fighter jets, aircraft carriers, tanks, helicopters and other weapons of the superpowers and in the end they prevail. Not so much with their material resources but more with their spirit and ingenuity of their people. And that is what he wants for the Naval Command and Staff Course. He wants to develop staff officers that can carry the load the navy requires. Yes the Vietnamese triumph in their battles against the superpowers during that time and they are so proud of that. They have successfully utilized all their resources and they successfully taken all advantage on their side that's why they succeeded. Live that the superpowers during that time have all the resources, that is why they are called superpowers, however they lacked the strategy and tactics that they need to win their battles. And this is also what I expect to attain or enhanced during the course. But it does not stop there, we should also continue our modernization program since Rear Admiral Shares said The Navy now is in the verge of modernizing or actually modernizing and a lot is a matter. We cannot go on thinking that we have no work to do, we have to do a lot of work. While we are modernizing our equipment or upgrading our force capability, building up our personnel capability should also go hand and hand. This is to make sure that we have the right person for the right job and also to utilize our modern equipment properly, effectively and efficiently. Moreover, it is true that taking NCSC is not just for promotion but to be equipped to handle what is demanded from us by the Navy with our modernization programs at hand.
Further, modernizing our navy will give a strong posture of our military might to uphold our sovereignty and national interest. Rear Admiral Square wants us to have positive outlook on the challenges that we will be facing. We have to develop a system and a good scheduling of your activities. We have a lot of resources, sometimes we do not need to go far. In life challenges are everywhere, challenges are difficult if it is not it is not a challenge anymore. They are difficult but there is always a way to solve it. It is only up to us to figure out. For me, taking up NCSC is a challenge since some officers do prefer to take their advance courses outside the Navy, for them NCSC is difficult while for those who already finished, it is worth the effort. I believe that I will just do what is required and make extra effort to learn and manage my time so I can cope up with the standards of .NET as what we can see printed on the buildings, Raise the Standards. Also, he wants us to generate new ideas, new ideas from old ones and fresh view of things, views that can move us forward very fast. If the countries that cause threat to us are moving by leaps and bounds we cannot afford to merely crawl or walk; we have to be running very fast. For me this means that we should be creative, we should not keep on using those obsolete ideas by our forebears. Their time is already expired and it is already our time now. Remember the saying nothing is constant except change; we change for the betterment of our Navy, but then again, we should not forget their ideas, thinking and knowledge. We can still improve those ideas to create suitable ones during our present time. According to the Rear Admiral, we will be the future staff officers and commanders, and a lot is expected from us in a way. We are the hope of our navy we have to stand up on your own. What we need are people like you who will be able help us be a navy that will be able to defend our country without aid hopefully.
It is for us a matter of pride that we can defend what we have. Hopefully when our time comes to be the staff officers and commanders that he is talking about, we were able to fulfill what are the expectations from us. Truly it is a pride and honor to be able to defend our country and people without the aid of other countries. With this I can say that our Navy is Strong and Credible. He also underscores that dying is not good if you have not done your mission. Mission accomplishment precedes dying a heroic death. It is so easy to die heroically but if you have not done your mission that is useless death. So I want you to look at this mind set because it is so easy for us to abandon things telling that we are brave, we can just face the bullets coming at us but We still have people to protect, We have territories to defend and We have sovereignty to uphold and that requires us to triumph to win. For the Rear Admiral, what I understand is that, if you die and failed to accomplish the mission it is failure, if you die but accomplished your mission it is good while if you survive and accomplish the mission it's better. Same is true with my beliefs, except that it is right to recognize in natty even if you die but failed to accomplish your mission specifically when I knew that at least you die trying. Lastly, Rear Admiral Square bid us the students good luck, challenge us to find the value in the challenge and hope that we will be more useful in our respective units after the course. For me, it will be a rewarding opportunity to be included in this NCSC Class 78 after my almost 3 years stint as a brigade staff in the area Central Mindanao, expecting that I will learn a lot from this schooling and plus the eligibility of being promoted as a bonus. Conclusion: In conclusion, truly there are lots of things to be done taking into account our Navy Vision by Year 2020. I will always remember Rear Admiral Square when he said Mind Power Precedes Sea Power.
Our Navy is lagging behind our neighboring countries in terms of force capability but with our strategy and tactics we will win battles against the superpowers. So much for the inferiority of the Philippine Navy in terms of force capability we have our Modernization Program for that, for now my task is to be educated and trained in this prestigious institution. With this schooling I'm taking, I'm looking forward to Raising My Standards for the Philippine Navy. I do believe that everyone can have their fair share in contributing to the Philippine Navy to move forward and I do believe I will be exerting a lot of effort to learn much in this Naval Command and Staff Course to help the Philippine Navy attain its mission By 2020: We shall be Strong and Credible Navy that our Maritime Nation can be Proud of. And I hope that our Navy Organization and the Marine Corps will be proud of me in the near future.

Saturday, October 19, 2019

God's Existence and Essence Philosophical Theory Essay

God's Existence and Essence Philosophical Theory - Essay Example It was during this time that Aristotle’s teachings were common. He used these teachings in his own theological work although Aristotle’s teachings were really at the neck of the Christians during his reign. The intent of this paper is to discuss issues that reveal through Thomas Aquinas’ way of thinking on the existence of God. Ideas According to Thomas Aquinas came up with five ways that prove the existence of God. Then, in his first way he observed that some of the things found on earth are in constant motion. It is from his point of view that anything that is moving is likely to get started by another item, which was also in motion (Aquinas, 2006). The other item in motion was also exposed to motion by another moving item then the process continues in the same manner. The series of moving objects cannot go back to infinity to identifying the first mover. It is true that there was a first mover of the objects that are in motion though the mover is unknown. This gives an impression that there is a mover who does not move. In this context, the unmoved mover is God. In the second way, he states that everything has a cause and nothing can be a cause of itself. In this context, the causes go back to infinity since all causes depend on the past cause and the eventual cause depended on the previous cause leading to an infinitive cause. This means that the first cause is unidentified (Aquinas, 2006). The absentee of the first cause cannot end with our scrutiny. Therefore, there must be a first cause of all these events, in which all people refer to as God. The third way to identify that there are things in nature that we observe to be possible and others are impossible as they come to exist and pass away from existence. In this context, nothing that could not exist at one point can exist. It requires that, first something exists before it can find itself existing at another moment (Aquinas, 2006).
From this statement, if there was nothing that existed in the first place, then there could be nothing existing at this time in the world. Since an effect has its cause and the subsequent cause goes to infinitive without identifying the cause it is possible that something existed first to cause the other to exist. The unidentified cause of events in this context is the Almighty God. It is true that God existed first then caused other things on earth to exist. The fourth states that the world has characteristics that vary in degree. Some of the characteristics are more or less true, good, noble and many more examples. The grading of these characteristics is done in relation to maximum. This indicates that there should be something truest, noblest and best. According to Aristotle, there are some things, which are supreme in truth. In his view, something causes supreme truth in these characteristics and any perfection that we get in every beings of the world. He refers to this supreme cause as God. Aquinas observes nonintelligent and inanimate objects in nature that act in the direction of achieving the best probable purpose although the objects themselves would lack awareness of doing so (Aquinas, 2006). It is possible that the objects achieve their purpose through an organized plan. The objects that are nonintelligent

Friday, October 18, 2019

Equitable Discretion in Determining Relief Case Study - 1

Equitable Discretion in Determining Relief - Case Study Example According to Lord Upjohn in Redland Bricks v Morris4 the grant of a mandatory injunction will depend upon the individual circumstances of a particular case; unlike a negative injunction, it can never be “as of course”. In the case of Charrington v Simons and Co5, Buckley J granted an injunction but suspended it for three years and, in stating his reasons, he highlighted the issue of fairness and justice to both parties in granting the remedy that was sought: The underlying issue of fairness and justice as the basis for determining the grant of a mandatory injunction was similarly elucidated in the case of Shepherd Homes v Sandham7 where Megarry J stated that relevant grounds would also include “the triviality of damage to the Plaintiff”, and a “disproportion between the detriment that the injunction would inflict on the defendant and the benefit that it would confer on the plaintiff.” The stated goal, according to Megarry J, was a “fair result” and this involved the “exercise of judicial discretion.” In the matter of an interlocutory injunction, the purpose behind the issue of such an injunction is to protect the rights of the parties until the time of final disposition of the case. The guiding principles of fairness and justice to both parties were laid out in the case of American Cyanamid Co v Ethicon9, which is one of the most significant cases, since it overturned earlier criteria for assessing the merit of an interlocutory injunction, i.e., to examine the probabilities that a prima facie case had been established for the grant of a permanent injunction.

Mothers abusing prescription drugs Research Paper

Mothers abusing prescription drugs - Research Paper Example sociological perspective of drug reality is directly inverse in definition and explanation to what the majority call the “chemicalistic fallacy”, which explains that a certain drug causes a certain given behavior and that what we view as behavioral effects are linked with the drug mainly as a function of the drug’s biochemical functions reacting with the organism’s certain structure of its character (Barber 27). The effects of drugs and related behavior are highly contingent, variable, and complicated, based more importantly on the social and contextual nature that a person is in, as it is easier to tell the effects of a drug on a person compared to experimenting with the drug on a rat, which will give very little information on human behavior; hence the importance of a social context comes out clearly. In defining drugs, the sociological aspect focuses on both the meaning of the drug and the meaning of the drug experience, although the definitions differ among societies, subgroups and subcultures existing within the same society. The society views a drug differently according to its current use, in that a substance can be a drug in a specific social context and something different in another. According to Barber (39), the sociological aspect on drugs believes that anything can be termed a drug notwithstanding its biological or physical component. The society draws a clear line between drug addiction and dependence; it states that the addiction-dependence equation has two separable components: the drug’s direct physical action and the behavioral response of the people to the physical action of the drug. There is no automatic translation from one component into the other. Prescription drugs are mostly currently abused by women with a purpose of getting high as a means of relieving stress. 
The three classifications of commonly abused prescribed drugs include: the opioids, including morphine, prescribed mostly as pain relievers or painkillers, depressants of the central