CISA Exam-Test 24

1. The PRIMARY objective of service-level management (SLM) is to:
- monitor and report any legal noncompliance to business management.
- define, agree on, record and manage the required levels of service.
- ensure that services are managed to deliver the highest achievable level of availability.
- keep the costs associated with any service at a minimum.

The objective of service-level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services.

2. Which of the following assures an enterprise of the existence and effectiveness of internal controls relative to the service provided by a third party?
- A recent disaster recovery plan (DRP) test report
- The current service level agreement (SLA)
- A recent external audit report
- The current business continuity plan (BCP) procedures

An independent third-party audit report such as Statements on Standards for Attestation Engagements (SSAE) 16 would provide assurance of the existence and effectiveness of internal controls at the third party.

3. An organization is planning to deploy an outsourced cloud-based application that is used to track job applicant data for the human resources (HR) department. Which of the following should be the GREATEST concern to an IS auditor?
- The cloud provider's data centers are in multiple cities and countries.
- The SLA is not explicit regarding the disaster recovery plan (DRP) capabilities of the cloud provider.
- The cloud provider will not agree to an unlimited right-to-audit as part of the SLA.
- The service level agreement (SLA) ensures strict limits for uptime and performance.

Having data in multiple countries is the greatest concern because human resources (HR) applicant data could contain personally identifiable information (PII). There may be legal compliance issues if these data are stored in a country with different laws regarding data privacy. While the organization would be bound by the privacy laws where it is based, it may not have legal recourse if a data breach happens in a jurisdiction where the same laws do not apply.

4. When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software:
- is not listed in the approved software standards document.
- license will expire in the next 15 days.
- was installed, but not documented in the IT department records.
- was being used by users not properly trained in its use.

The installation of software that is not allowed by policy is a serious violation and could put the organization at security, legal and financial risk. Any software that is allowed should be part of a standard software list. This is the first thing to review because this would also indicate compliance with policies.

5. An IS auditor is assessing services provided by an Internet service provider (ISP) during an IS compliance audit of a nationwide corporation that operates a governmental program. Which of the following is MOST important?
- Review the request for proposal (RFP).
- Review the service level agreement (SLA).
- Research other clients of the ISP.
- Review monthly performance reports generated by the ISP.

A service level agreement (SLA) provides the basis for an adequate assessment of the degree to which the provider is meeting the level of agreed-on service.

6. An organization has implemented an online customer help desk application using a software as a service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide?
- Contract an independent third party to provide weekly reports on application uptime.
- Implement an online polling tool to monitor the application and record outages.
- Log all application outages reported by users and aggregate the outage time weekly.
- Ask the SaaS vendor to provide a weekly report on application uptime.

Implementing an online polling tool to monitor and record application outages is the best option for an organization to monitor application availability. Comparing internal reports with the vendor's service level agreement (SLA) reports would ensure that the vendor's monitoring of the SLA is accurate and that all conflicts are appropriately resolved.

7. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
- Developments may result in hardware and software incompatibility.
- The recovery plan cannot be tested.
- The security infrastructures in each company may be different.
- Resources may not be available when needed.

8. Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?
- A commercial cold site
- A hot site maintained by the business
- A reciprocal arrangement between its offices
- A third-party hot site

For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate. Each office could be designated as a recovery site for some other office. This would be the least expensive approach and would provide an acceptable level of confidence.

9. Establishing data ownership is an important first step for which of the following processes?
- Assigning user access privileges
- Creating roles and responsibilities
- Classifying data
- Developing organizational security policies

10. In a contract with a hot, warm or cold site, contractual provisions should PRIMARILY cover which of the following considerations?
- Total number of subscribers
- Number of subscribers permitted to use a site at one time
- References by other users
- Physical security measures

The contract should specify the number of subscribers permitted to use the site at any one time. The contract can be written to give preference to certain subscribers.

11. What is an effective countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off?
- Close supervision
- Employee security awareness training
- Screensaver passwords
- Administrator alerts

12. Which of the following provides the strongest authentication for physical access control?
- Sign-in logs
- Key verification
- Biometrics
- Dynamic passwords

13. Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement (SLA) for the availability of outsourced telecommunication services?
- A utilization report of automatic failover services generated by the enterprise
- Downtime reports on the telecommunication services generated by the enterprise
- Downtime reports on the telecommunication services generated by the ISP
- A bandwidth utilization report provided by the ISP

The enterprise should use internally generated downtime reports to monitor the service provided by the ISP and, as available, to compare with the reports provided by the ISP.

14. The MAIN reason for requiring that all computer clocks across an organization be synchronized is to:
- ensure that email messages have accurate time stamps.
- ensure smooth data transition from client machines to servers.
- support the incident investigation process.
- prevent omission or duplication of transactions.

During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them is useful. If the clocks are not synchronized, investigations will be more difficult because a time line of events occurring on different systems might not be easily established.

15. The PRIMARY benefit of an IT manager monitoring technical capacity is to:
- ensure that the service level agreement (SLA) requirements are met.
- determine the future capacity need based on usage.
- identify the need for new hardware and storage procurement.
- ensure that systems operate at optimal capacity.

Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal service level agreement (SLA) between the business and IT.

16. To verify that the correct version of a data file was used for a production run, an IS auditor should review:
- operator work schedules.
- output distribution reports.
- operator problem reports.
- system logs.

System logs are automated reports which identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The IS auditor can then carry out tests to ensure that the correct file version was used for a production run.

17. When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (AI) system, the IS auditor should be MOST concerned with the impact AI will have on:
- task capacity output
- future task updates
- enterprise architecture (EA).
- employee retention

18. When reviewing backup policies, an IS auditor MUST verify that backup intervals of critical systems do not exceed which of the following?
- Recovery point objective (RPO)
- Recovery time objective (RTO)
- Maximum acceptable outage (MAO)
- Service level objective (SLO)

19. Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?
- Determining if the services were provided as contracted
- Evaluating the process for transferring knowledge to the IT department
- Prohibiting the provider from subcontracting services
- Minimizing costs for the services provided

From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements.

20. Which of the following is the GREATEST benefit of implementing an incident management process?
- Reduction in the business impact of incidents
- Reduction in security threats
- Opportunity for frequent reassessment of incidents
- Reduction of cost by the efficient use of resources

21. While performing a review of a critical third-party application, an IS auditor would be MOST concerned with discovering:
- an inadequate software escrow agreement.
- inadequate operational documentation for the system.
- an inadequate alternate service provider listing.
- inadequate procedures for ensuring adequate system portability.

The inclusion of a clause in the agreement that requires software code to be placed in escrow helps to ensure that the customer can continue to use the software and/or obtain technical support if a vendor were to go out of business.

22. Determining the service delivery objective (SDO) should be based PRIMARILY on:
- meeting the recovery time objectives (RTOs).
- the cost-effectiveness of the restoration process.
- the allowable interruption window (AIW).
- the minimum acceptable operational capability.

The service delivery objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.

23. An IS auditor reviewing a cloud computing environment managed by a third party should be MOST concerned when:
- the organization is using an older version of a browser and is vulnerable to certain types of security risk.
- the service level agreement (SLA) does not address the responsibility of the vendor in the case of a security breach.
- the organization is not permitted to assess the controls in the participating vendor's site.
- laws and regulations are different in the countries of the organization and the vendor.

Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach.

24. Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)?
- The complexity of application logs used for service monitoring made the review difficult.
- Performance measures were not included in the SLA.
- The document is updated on an annual basis.
- A service adjustment resulting from an exception report took a day to implement.

Lack of performance measures will make it difficult to gauge the efficiency and effectiveness of the IT services being provided.

25. Which of the following is BEST characterized by unauthorized modification of data before or during systems data entry?
- Data corruption
- Skimming
- Data diddling
- Salami attack

26. During a data center audit, an IS auditor observes that some parameters in the tape management system are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness?
- Staging and job setup
- Offsite storage of tapes
- Supervisory review of logs
- Regular backup of tapes

If the IS auditor finds that there are effective staging and job setup processes, this can be accepted as a compensating control. Not reading header records may otherwise result in loading the wrong tape and deleting or accessing data on the loaded tape.

27. Which of the following is used to evaluate biometric access controls?
- EER
- FRR
- FAR
- EAR

28. The information security function in a large organization is MOST effective when:
- the function reports directly to the IS operations manager.
- partnered with the IS development team to determine access rights.
- decentralized as close to the user as possible.
- established at a corporate-wide level.

29. During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
- Draft a service level agreement (SLA) for the two departments.
- Confirm the content of the agreement with both departments.
- Report the existence of the undocumented agreement to senior management.
- Postpone the audit until the agreement is documented.

An IS auditor should first confirm and understand the current practice before making any recommendations. Part of this will be to ensure that both parties are in agreement with the terms of the agreement.

30. Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?
- The encryption mechanism selected by the organization for protecting personal data
- Whether there is explicit permission from regulators to collect personal data
- The organization's legitimate purpose for collecting personal data
- Whether sharing of personal information with third-party service providers is prohibited