CISA Exam-Test 12 /30 248 CISA EXAM-TEST 12 1 / 30 1. Which of the following is the PRIMARY objective of an IT performance measurement process? Optimize performance. Minimize errors. Gather performance data. Establish performance baselines. An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions. 2 / 30 2. An IS auditor performing an audit of the risk assessment process should FIRST confirm that: the effects of potential security breaches have been evaluated. technical and organizational vulnerabilities have been analyzed. assets have been identified and ranked. reasonable threats to the information assets are identified. Identification and ranking of information assets (e.g., data criticality, sensitivity, locations of assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset. 3 / 30 3. Which of the following should be of MOST concern lo an IS auditor reviewing the public key infrastructure (PKI) for enterprise email? The certificate revocation list has not been updated. The private key certificate has not been updated The PKI policy has not been updated within the last year The certificate practice statement has not been published 4 / 30 4. Which of the following is the key benefit of a control self-assessment (CSA)? Internal auditors can shift to a consultative approach by using the results of the assessment. Fraud detection will be improved because internal business staff are engaged in testing controls. Audit expenses are reduced when the assessment results are an input to external audit work. Management ownership of the internal controls supporting business objectives is reinforced. The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance. 5 / 30 5. he PRIMARY benefit of implementing a security program as part of a security governance framework is the: reduction of the cost for IT security. implementation of the chief information security officer's (CISO's) recommendations. alignment of the IT activities with IS audit recommendations. enforcement of the management of security risk. The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level, and monitoring of the residual risk. 6 / 30 6. When developing a business continuity plan (BCP), which of the following tools should be used to gain an understanding of the organization's business processes? Resource recovery analysis Risk assessment Business continuity self-audit Gap analysis Risk assessment and business impact assessment are tools for understanding the business as a part of BCP. 7 / 30 7. After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways, and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented? A comparison of the cost of the IPS and firewall and the cost of the business systems An annual loss expectancy (ALE) calculation A cost-benefit analysis A business impact analysis (BIA) In a cost-benefit analysis, the total expected purchase and operational/support costs and a qualitative value for all actions are weighted against the total expected benefits to choose the best technical, most profitable, least expensive or acceptable risk option. 8 / 30 8. Assess the skill set within the security function Detective Corrective Compensating Directive 9 / 30 9. Which of the following statement INCORRECTLY describes the traditional audit approach in comparison to the Control self-assessment approach? Traditional approach assigns duties/supervises staff Traditional approach is a policy driven approach Traditional approach requires limited employee participations In traditional approach, Staffs at all level, in all functions, are the primary control analyst 10 / 30 10. While reviewing the IT governance processes of an organization, an IS auditor discovers that the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation? Key performance indicators (KPIs) are not reported to management and management cannot determine the effectiveness of the BSC. IT service level agreements (SLAs) may not be accurate. Misleading indications of IT performance may be presented to management. IT projects could suffer from cost overruns. The IT balanced scorecard (BSC) is designed to measure IT performance. To measure performance, a sufficient number of "performance drivers" or key performance indicators (KPIs) must be defined and measured over time. Failure to have objective KPIs may result in arbitrary, subjective measures that may be misleading. 11 / 30 11. Reconciliations have identified data discrepancies between an enterprise data warehouse and a revenue system for key financial reports. What is the GREATEST risk to the organization in this situation? Undetected fraud may occur. Decisions may be made based on incorrect information Financial reports may be delayed. The key financial reports may no longer be produced. 12 / 30 12. Which of the following is an attribute of the control self-assessment (CSA) approach? Auditors are the primary control analysts Broad stakeholder involvement Policy driven Limited employee participation The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training—all of which are representations of broad stakeholder involvement. 13 / 30 13. Before implementing an IT balanced scorecard (BSC), an organization must: control IT expenses. deliver effective and efficient services. provide business value to IT projects. define key performance indicators. Because a BSC is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC. 14 / 30 14. An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk? Risk mitigation Risk transfer Risk avoidance Risk reduction Risk transfer typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist. 15 / 30 15. Which of the following must exist to ensure the viability of a duplicate information processing facility? The site is near the primary site to ensure quick and efficient recovery. The site contains the most advanced hardware available. The hardware is tested when it is installed to ensure it is working properly. The workload of the primary site is monitored to ensure adequate backup is available. Resource availability must be assured. The workload of the primary site must be monitored to ensure that availability at the alternate site for emergency backup use is sufficient. 16 / 30 16. When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied? Avoidance Transfer Mitigation Acceptance Risk assessment and business impact assessment are tools for understanding the business as a part of BCP. 17 / 30 17. During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation? No recommendation is necessary because the current approach is appropriate for a medium-sized organization. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization's risk management. Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk register and mitigation plans up to date. 18 / 30 18. What is the most effective means of determining that controls are functioning properly within an operating system? Review of software control features and/or parameters Interview with product vendor Review of operating system manual Interview with computer operator 19 / 30 19. An organization is deciding whether to outsource its customer relationship management systems to a provider located in another country. Which of the following should be the PRIMARY influence in the outsourcing decision? Time zone differences Cross-border privacy laws Current geopolitical conditions The service provider's disaster recovery plan 20 / 30 20. As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through: performance measurement. value delivery. strategic alignment. resource management. Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives. 21 / 30 21. An IS auditor is reviewing an IT security risk management program. Measures of security risk should: result in the identification of vulnerability tolerances. address all of the network risk. take into account the entire IT environment. be tracked over time against the IT strategic plan. When assessing IT security risk, it is important to take into account the entire IT environment. 22 / 30 22. which of the following type of testing uses a set of test cases that focus on the control structure of the procedural design? Interface testing Final acceptance testing Unit Testing System Testing 23 / 30 23. Which of the following should be considered FIRST when implementing a risk management program? An understanding of the risk exposures and the potential consequences of compromise A determination of risk management priorities based on potential consequences An understanding of the organization's threat, vulnerability and risk profile A risk mitigation strategy sufficient to keep risk consequences at an acceptable level Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization's threat, vulnerability and risk profile as a first step. 24 / 30 24. Who is responsible for reviewing the result and deliverables within and at the end of each phase, as well as confirming compliance with requirements? Project Sponso Senior Management Quality Assurance User Management 25 / 30 25. Which of the following insurance types provide for a loss arising from fraudulent acts by employees? Errors and omissions Business interruption Fidelity coverage Extra expense Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees. 26 / 30 26. To address the risk of operations staff's failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk: transfer. acceptance. avoidance. mitigation. Risk mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. By requiring the system's administrator to sign off on the completion of the backups, this is an administrative control that can be validated for compliance. 27 / 30 27. Which of the following type of testing has two major categories: QAT and UAT? System Testing Unit Testing Interface testing Final acceptance testing 28 / 30 28. Which of the following is the MOST reliable network connection medium in an environment where there is strong electromagnetic interface? Coaxial cable Shielded twisted-pair cable Wireless link Fiber optic cable 29 / 30 29. A poor choice of passwords and unencrypted data transmissions over unprotected communications lines are examples of: probabilities. threats. vulnerabilities. impacts. Vulnerabilities represent weaknesses of information resources that may be exploited by a threat. Because these are weaknesses that could be addressed by the security specialist, they are examples of vulnerabilities. 30 / 30 30. An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review? The approval process for risk response is in place. The risk management framework is based on global standards. Controls are implemented based on cost-benefit analysis. IT risk is presented in business terms. In order for risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms. Your score is LinkedIn Facebook Twitter Exit Jute Bags in Sharjah | Cotton Bags in Sharjah | Canvas Bags in Sharjah
