CISA Exam-Test 10

1. The PRIMARY control purpose of required vacations or job rotations is to:
A. allow cross-training for development.
B. provide a competitive employee benefit.
C. help preserve employee morale.
D. detect improper or illegal employee acts.
Explanation: The practice of having another individual perform a job function is a control used to detect possible irregularities or fraud.

2. Which of the following should be the MOST important consideration when deciding on areas of priority for IT governance implementations?
A. Assurance reports
B. Process maturity
C. Business risk
D. Performance indicators
Explanation: Priority should be given to those areas which represent a known risk to the enterprise's operations.

3. An organization's disaster recovery plan (DRP) should address early recovery of:
A. all financial processing applications.
B. only those applications designated by the IS manager.
C. all information systems processes.
D. processing in priority order, as defined by business management.
Explanation: Business management should know which systems are critical and what they need to process well in advance of a disaster. It is management's responsibility to develop and maintain the plan; adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service organizations that exist for the purpose of assisting general user management in successfully performing their jobs.

4. An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business value. Which of the following would be MOST relevant?
A. Portfolio management
B. A capability maturity model (CMM)
C. Configuration management
D. Project management body of knowledge (PMBOK)
Explanation: Portfolio management is designed to assist in the definition, prioritization, approval and running of a set of projects within a given organization. Portfolio management tools offer data capture, workflow and scenario planning functionality, which can help identify the optimum set of projects (from the full set of ideas) to take forward within a given budget.

5. The risk associated with electronic evidence gathering would MOST likely be reduced by an email:
A. audit policy.
B. security policy.
C. archive policy.
D. destruction policy.
Explanation: With a policy of well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible.

6. An IT steering committee assists the board of directors to fulfill IT governance duties by:
A. implementing the IT strategy.
B. focusing on the supply of IT services and products.
C. overseeing major projects and IT resource allocation.
D. developing IT policies and procedures for project tracking.

7. Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?
A. Define a balanced scorecard (BSC) for measuring performance.
B. Select projects according to business benefits and risk.
C. Consider user satisfaction in the key performance indicators (KPIs).
D. Modify the yearly process of defining the project portfolio.
Explanation: Prioritization of projects on the basis of their expected benefit(s) to the business, and the related risk, is the BEST measure for achieving alignment of the project portfolio with an organization's strategic priorities.

8. The PRIMARY objective of implementing corporate governance is to:
A. control business operations.
B. implement good practices.
C. align IT with business.
D. provide strategic direction.
Explanation: Corporate governance is a set of management practices that provide strategic direction to the organization as a whole, thereby ensuring that goals are achievable, risk is properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction.

9. Which of the following is MOST indicative of the effectiveness of an information security awareness program?
A. Most employees have attended an awareness session.
B. Employees report more information regarding security incidents.
C. All employees have signed the information security policy.
D. Information security responsibilities have been included in job descriptions.
Explanation: Although the promotion of security awareness is a preventive control, it can also be a detective measure because it encourages people to identify and report possible security violations. The reporting of incidents implies that employees are taking action as a consequence of the awareness program.

10. When reviewing a contract for a disaster recovery hot site, which of the following would be the MOST significant omission?
A. Equipment provided
B. Audit rights
C. Testing procedures
D. Exposure coverage

11. Post-implementation testing is an example of which of the following control types?
A. Preventive
B. Directive
C. Detective
D. Deterrent

12. The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a disaster recovery plan, will MOST likely:
A. be unpredictable.
B. increase.
C. remain the same.
D. decrease.
Explanation: Due to the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation (i.e., the cost of operations during a nondisaster period will be higher than the cost of operations during a nondisaster period when no DRP was in place).

13. Which of the following situations is addressed by a software escrow agreement?
A. An IT auditor requires access to software code written by the organization.
B. The vendor of custom-written software goes out of business.
C. The system administrator requires access to software to recover from a disaster.
D. A user requests to have software reloaded onto a replacement hard drive.
Explanation: A software escrow is a legal agreement between a software vendor and a customer to guarantee access to source code. The application source code is held by a trusted third party according to the contract. This agreement is necessary in the event that the software vendor goes out of business, there is a contractual dispute with the customer, or the software vendor fails to maintain or update the software as promised in the software license agreement.

14. Which of the following is MOST important for the IS auditor to verify when reviewing the development process of a security policy?
A. Evidence of management approval
B. Output from the enterprise's risk management system
C. Evidence of active involvement of key stakeholders
D. Identification of the control framework

15. Which of the following is the MOST important function to be performed by IT management when a service has been outsourced?
A. Monitoring the outsourcing provider's performance
B. Renegotiating the provider's fees
C. Participating in systems design with the provider
D. Ensuring that invoices are paid to the provider
Explanation: In an outsourcing environment, the company is dependent on the performance of the service provider. Therefore, it is critical that the outsourcing provider's performance be monitored to ensure that services are delivered to the company as required.

16. Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?
A. Security architecture review
B. Regular clean desk reviews
C. Comprehensive end-user training
D. Regular policy updates by management

17. A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?
A. The business impact analysis
B. Industry standards
C. The business objectives
D. Previous audit recommendations

18. Which of the following BEST supports the prioritization of new IT projects?
A. Information systems audit
B. Internal control self-assessment (CSA)
C. Investment portfolio analysis
D. Business risk assessment
Explanation: It is most desirable to conduct an investment portfolio analysis, which will not only present a clear focus on investment strategy, but will also provide the rationale for terminating nonperforming IT projects.

19. A large number of exceptions to an organization's information security standards have been granted after senior management approved a bring your own device (BYOD) program. To address this situation, it is MOST important for the information security manager to:
A. reject new exception requests.
B. require authorization to wipe lost devices.
C. update the information security policy.
D. introduce strong authentication on devices.

20. During a feasibility study regarding outsourcing IT processing, the relevance for the IS auditor of reviewing the vendor's business continuity plan (BCP) is to:
A. review the experience of the vendor's staff.
B. test the BCP.
C. evaluate the adequacy of the service levels that the vendor can provide in a contingency.
D. evaluate the financial stability of the service bureau and its ability to fulfill the contract.
Explanation: A key factor in a successful outsourcing environment is the capability of the vendor to face a contingency and continue to support the organization's processing requirements.

21. In the context of effective information security governance, the primary objective of value delivery is to:
A. implement a continuous improvement culture.
B. implement a standard set of security practices.
C. optimize security investments in support of business objectives.
D. institute a standards-based solution.
Explanation: In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives.

22. The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the:
A. existing IT environment.
B. IT budget.
C. business plan.
D. investment plan.
Explanation: One of the most important reasons for which projects get funded is how well a project meets an organization's strategic objectives. Portfolio management takes a holistic view of a company's overall IT strategy. IT strategy should be aligned with the business strategy and, hence, reviewing the business plan should be the major consideration.

23. Which of the following can provide assurance that an IT project has delivered its planned benefits?
A. Steering committee approval
B. Quality assurance evaluation
C. User acceptance testing (UAT)
D. Post-implementation review

24. After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following would be the GREATEST risk?
A. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems.
B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
C. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.
D. Project management and progress reporting is combined in a project management office which is driven by external consultants.
Explanation: The efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications.

25. Which of the following is the BEST way to minimize the impact of a ransomware attack?
A. Perform more frequent system backups.
B. Maintain a regular schedule for patch updates.
C. Provide user awareness training on ransomware attacks.
D. Grant system access based on least privilege.

26. A 5-year audit plan provides for general audits every year and application audits in alternating years. To achieve higher efficiency, the IS audit manager would MOST likely:
A. Have control self-assessments (CSAs) and formal audits of applications in alternating years.
B. Alternate between control self-assessment (CSA) and general audits every year.
C. Implement risk assessment criteria to determine audit priorities.
D. Proceed with the plan and integrate all new applications.

27. A benefit of open system architecture is that it:
A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. allows for the achievement of more economies of scale for equipment.
D. will be a basis for volume discounts from equipment vendors.
Explanation: Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors.

28. The initial step in establishing an information security program is the:
A. performance of a comprehensive security control review by the IS auditor.
B. purchase of security access control software.
C. development and implementation of an information security standards manual.
D. adoption of a corporate information security policy statement.
Explanation: A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.

29. An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:
A. access control software.
B. hardware configuration.
C. application development methodology.
D. ownership of intellectual property.
Explanation: The contract must specify who owns the intellectual property (i.e., the information being processed and the application programs). Ownership of intellectual property has a significant cost and is a key aspect to be defined in an outsourcing contract.

30. IS control objectives are useful to IS auditors because they provide the basis for understanding the:
A. best IS security control practices relevant to a specific entity.
B. security policy.
C. desired result or purpose of implementing specific control procedures.
D. techniques for securing information.
Explanation: An IS control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IS activity.