CISA Exam-Test 8 /30 330 Sorry, Your time is over. CISA EXAM-TEST 8 1 / 30 1. An IS audit reveals an organization's IT department reports any deviations from its security standards to an internal IT risk committee involving IT senior management. Which of the following should be the IS auditor's GREATEST concern? The IT risk committee has no reporting line to any governance committee outside IT. The list of IT risk committee members does not include the board member responsible for IT. The IT risk committee meeting minutes are not signed off by all participants. The chief information officer (CIO) did not attend a number of IT risk committee meetings during the past year. 2 / 30 2. Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IT department? Evaluating hardware needs Conducting control self-assessment Allocating resources Keeping current with technology advances The IT department should specifically consider the manner in which resources are allocated in the short term. The IS auditor will ensure that the resources are being managed adequately. 3 / 30 3. Which of the following would an IS auditor consider to be the MOST important when evaluating an organization's IT strategy? That it: has been approved by line management. supports the business objectives of the organization. complies with procurement procedures. does not vary from the IT department's preliminary budget. Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals. 4 / 30 4. Which of the following goals would you expect to find in an organization's strategic plan? Implement a new project planning system within the next 12 months. Test a new accounting package. Become the supplier of choice for the product offered. Perform an evaluation of information technology needs. Becoming the supplier of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and would, thus, be a part of the organization's strategic plan. 5 / 30 5. When reviewing an organization's strategic IT plan, an IS auditor should expect to find: actions to reduce hardware procurement cost. a description of the technical architecture for the organization's network perimeter security. a listing of approved suppliers of IT contract resources. an assessment of the fit of the organization's application portfolio with business objectives. An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process. This drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc., can support the business objectives. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization's business objectives. 6 / 30 6. To help ensure the accuracy and completeness of end-user computing output, it is MOST important to include strong: change management controls access management controls reconciliation controls documentation controls 7 / 30 7. Which of the following is the BEST approach to identify whether a vulnerability is actively being exploited? Conduct a penetration test Review service desk reports Implement key performance indicators (KPIs) Perform log analysis 8 / 30 8. An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to: review the metrics for quality evaluation. verify how the organization follows the standards. request all standards that have been adopted by the organization. identify and report the controls currently in place. Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist. 9 / 30 9. Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? Unauthorized users may have access to originate, modify or delete data. Audit recommendations may not be implemented. User management coordination does not exist. Specific user accountability cannot be established. Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that individuals could gain (be given) system access when they should not have authorization. The ability of unauthorized users being able to modify data is greater than the risk of authorized user accounts not being controlled properly. 10 / 30 10. The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it: does not exceed the existing IT budget. is aligned with the business plan. is aligned with the investment strategy. has been approved by the IT steering committee. Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor. 11 / 30 11. When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate? Review the strategic alignment of IT with the business. Implement accountability rules within the organization. Create a chief risk officer (CRO) role in the organization. Ensure that independent IT audits are conducted periodically. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself. 12 / 30 12. What is the MOST effective way to ensure security policies and procedures are up-to-date? Align the organization’s security practices with industry standards and best practice Prevent security documentation audit issues from being raised Verify security requirements are being identified and consistently applied Define and document senior management’s vision for the direction of the security 13 / 30 13. Which of the following is the MOST effective means of helping management and the IT strategy committee to monitor IT performance? End-user satisfaction surveys Gap analysis Measurement of service levels against metrics Infrastructure monitoring reports 14 / 30 14. The PRIMARY focus of audit follow-up reports should be to: verify the completion date of the implementation. determine if past findings are still relevant. assess if new risks have developed. determine if audit recommendations have been implemented. 15 / 30 15. The rate of change in technology increases the importance of: hiring qualified personnel. implementing and enforcing sound processes. meeting user requirements. outsourcing the IT function. Change control requires that good change management processes be implemented and enforced. 16 / 30 16. Which of the following is the BEST enabler for strategic alignment between business and IT? A maturity model Goals and metrics Control objectives A responsible, accountable, consulted and informed (RACI) chart Goals and metrics ensure that IT goals are set based on business goals, and they are the best enablers of strategic alignment. 17 / 30 17. Which of the following is the BEST reason to implement a policy which places conditions on secondary employment for IT employees? To prevent conflicts of interest To prevent theft of IT assets To prevent the misuse of corporate resources To prevent employee performance issues The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Policies should be in place to control IT employees seeking secondary employment from releasing sensitive information or working for a competing company. Conflicts of interest could result in serious risk such as fraud, theft of intellectual property or other improprieties. 18 / 30 18. When reviewing the IT strategic planning process, an IS auditor should ensure that the plan: specifies project management practices. articulates the IT mission and vision. incorporates state of the art technology. addresses the required operational controls. The IT strategic plan must include a clear articulation of the IT mission and vision. 19 / 30 19. An IS auditor reviewing an organization's IT strategic plan should FIRST review: the business plan. the existing IT environment. current technology trends. the present IT budget. The IT strategic plan exists to support the organization's business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize himself/herself with the business plan. 20 / 30 20. An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: this lack of knowledge may lead to unintentional disclosure of sensitive information. IS audit should provide security training to the employees. information security is not critical to all functions. the audit finding will cause management to provide continuous training to staff. All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders. 21 / 30 21. A security company and service provider have merged and the CEO has requested one comprehensive set of security policies be developed for the newly formed company. The IS auditor s BEST recommendation would be to: implement the service provider's policies adopt an industry standard security policy implement the security company s policies, conduct a policy gap assessment 22 / 30 22. An IS auditor is verifying IT policies and found that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST? Report the absence of documented approval. Recommend immediate management approval of the policies. Ignore the absence of management approval because employees follow the policies. Emphasize the importance of approval to management. The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee were terminated as a result of violating a company policy and it was discovered that the policies had not been approved, the company could be faced with an expensive lawsuit. 23 / 30 23. Which of the following controls should be implemented to BEST minimize system downtime for maintenance? Nightly full backups Clustering Warm site Virtualization 24 / 30 24. When reviewing the IT strategy, an IS auditor can BEST assess whether the strategy supports the organizations' business objectives by determining whether IT: uses its equipment and personnel efficiently and effectively. has all the personnel and equipment it needs. plans are consistent with management strategy. has sufficient excess capacity to respond to changing directions. The only way to know if IT strategy will meet business objectives is to determine if the IT plan is consistent with management strategy and that it relates IT planning to business plans. 25 / 30 25. Effective IT governance will ensure that the IT plan is consistent with the organization's: security plan. business plan. investment plan. audit plan. To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization's business plans. 26 / 30 26. When auditing the archiving of the company's email communications, the IS auditor should pay the MOST attention to: the support and stability of the archiving solution manufacturer. the level of user awareness concerning email use. the existence of a data retention policy. the storage capacity of the archiving solution. Without a data retention policy that is aligned to the company's business and compliance requirements, the email archive may not preserve and reproduce the correct information when required. 27 / 30 27. An e-commerce enterprise's disaster recovery (DR) site has 30% less processing capability than the primary site. Based on this information, which of the following presents the GREATEST risk? The DR site has not undergone testing to confirm its effectiveness. Network firewalls and database firewalls at the DR site do not provide high availability. No disaster recovery plan (DRP) testing has been performed during the last six months. The DR site is in a shared location that hosts multiple other enterprises. 28 / 30 28. An organization's senior management is encouraging employees to use social media for promotional purposes. Which of the following should be the information security manager's FIRST step to support this strategy Develop a business case for a data loss prevention solution Incorporate social media into the security awareness program Employ the use of a web content filtering solution - Develop a guideline on the acceptable use of social media 29 / 30 29. To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: a business impact analysis (BIA). control self-assessments. business process reengineering (BPR). an IT balanced scorecard (BSC). An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. 30 / 30 30. An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk? The policy has not been updated in more than one year. The policy is approved by the security administrator. The company does not have an information security policy committee. The policy includes no revision history. The information security policy should have an owner who has management responsibility for the development, review, approval and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore would not have the authority to approve the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues. Your score is LinkedIn Facebook Twitter Exit
