CISA Exam-Test 11 /30 278 Sorry, Your time is over. CISA EXAM-TEST 11 1 / 30 1. Assessing IT risk is BEST achieved by: evaluating threats and vulnerabilities associated with existing IT assets and IT projects. reviewing published loss statistics from comparable organizations. reviewing IT control weaknesses identified in audit reports. using the firm's past actual loss experience to determine current exposure. To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. 2 / 30 2. Which of the following is a corrective control that reduces the impact of a threat event? Segregation of duties (SoD) Business process analysis Security policy Business continuity plan (BCP) 3 / 30 3. With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor? Periodic renegotiation is not specified in the outsourcing contract. The outsourcing contract fails to cover every action required by the business. Core activities that provide a differentiated advantage to the organization have been outsourced. Similar activities are outsourced to more than one vendor. An organization's core activities generally should not be outsourced because they are what the organization does best; an IS auditor observing that should be concerned. 4 / 30 4. The MOST important function of a business continuity plan is to:ensure that all business functions are restored - provide procedures for evaluating tests of the business continuity plan provide a schedule of events that has to occur if there is a disaster ensure that the critical business functions can be recovered ensure that all business functions are restored 5 / 30 5. When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and business unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain successful results and avoid future conflicts? Require the IT security officer to approve each risk rating during the workshop. Ensure that the IT security risk assessment has a clearly defined scope. Suggest that the IT security officer accept the business unit risk and rating. Select only commonly accepted risk with the highest submitted rating The IT risk assessment should have a clearly defined scope to be efficient and meet the objectives of risk identification. The IT risk assessment should include relationships with risk assessments in other areas, if appropriate. 6 / 30 6. While conducting an IS audit of a service provider for a government program involving confidential information, an IS auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met? Periodic independent audit of the work delegated to the subcontractor Monthly committee meetings include the subcontractor's IS manager Permission is obtained from the government agent regarding the contract Monthly committee meetings include the subcontractor's IS manager Periodic independent audits provide reasonable assurance that the requirements for protecting confidentiality of information are not compromised. 7 / 30 7. Overall quantitative business risk for a particular threat can be expressed as: the magnitude of the impact should a threat source successfully exploit the vulnerability. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability. the collective judgment of the risk assessment team. the likelihood of a given threat source exploiting a given vulnerability. Overall business risk takes into consideration the likelihood and magnitude of the impact when a threat exploits a vulnerability and provides the best measure of the risk to an asset. 8 / 30 8. Which of the following Is the MOST effective way for an IS auditor to evaluate whether an organization is well positioned to defend against an advanced persistent threat (APT)? Assess the skill set within the security function Verify that the organization is using correlated data for security monitoring Review the validity of external Internet Protocol (IP) addresses accessing the network Verify that the organization has adequate levels of cyber insurance 9 / 30 9. A financial institution suspects that a manager has been crediting customer accounts without authorization. Which of the following is the MOST effective method to validate this concern? Variable sampling Discovery sampling Stop or go sampling Attribute sampling 10 / 30 10. Which device acting as a translator is used to connect two networks or applications from layer 4 up to layer 7 of the ISO/OSI Model? Bridge Repeater Gateway Router 11 / 30 11. Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: agrees to be subject to external security reviews. claims to meet or exceed industry security standards. has a good market reputation for service and experience. complies with security policies of the organization. It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. 12 / 30 12. A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should: apply a qualitative approach. calculate a return on investment (ROI). compute the amortization of the related assets. apply a qualitative approach. The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). 13 / 30 13. An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered: can support the organization in the long term. is of similar financial standing as the organization. can deliver on the immediate contract. has significant financial obligations that can impose liability to the organization. The long-term financial viability of a vendor is essential for deriving maximum value for the organization—it is more likely that a financially sound vendor would be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product. 14 / 30 14. An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task? Check the budget available for risk management. Immediately report the risk to the chief information officer (CIO) and chief executive officer (CEO). Identify threats and the likelihood of occurrence. Examine the e-business application in development. To determine the risk associated with e-business, an IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. 15 / 30 15. Establishing the level of acceptable risk is the responsibility of: senior business management. the chief security officer (CSO). the chief information officer (CIO). quality assurance (QA) management. Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization. 16 / 30 16. An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise's investment in software is protected, which of the following should be recommended by the IS auditor? A high penalty clause should be included in the contract. Due diligence should be performed on the software vendor. A quarterly audit of the vendor facilities should be performed. There should be a source code escrow agreement in place. A source code escrow agreement is primarily recommended to help protect the enterprise's investment in software because the source code will be available through a trusted third party and can be retrieved if the start-up vendor goes out of business. 17 / 30 17. While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Because the work involves confidential information, the IS auditor's PRIMARY concern should be that the: outsourcer will approach the other service provider directly for further work. contract may be terminated because prior permission from the outsourcer was not obtained. requirement for protecting confidentiality of information could be compromised. other service provider to whom work has been outsourced is not subject to audit. Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. When a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised. 18 / 30 18. Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement (SLA) with an external IT service provider? Default resolution Indemnification clause Uptime guarantee Payment terms The most important element of an SLA is the measurable terms of performance, such as uptime agreements. 19 / 30 19. What information within change records would provide an IS auditor with the MOST assurance that configuration management is operating effectively? Implementation checklist for release management Post-implementation review documentation Affected configuration items and associated impacts Configuration management plan and operating procedures 20 / 30 20. Which of the following does a lack of adequate security controls represent? Asset Threat Vulnerability Impact The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information and lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the "potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets." The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability. 21 / 30 21. An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? At contract termination, support is guaranteed by each outsourcer for new outsourcers. The service level agreement (SLA) of each contract is substantiated by appropriate key performance indicators (KPIs). An audit clause is present in all contracts. The contractual warranties of the providers support the business needs of the organization. The primary requirement is for the services provided by the outsource supplier to meet the needs of the business. 22 / 30 22. A start-up company acquiring servers for its order-taking system is unable to predict the volume of transactions. Which of the following is MOST important for the company to consider? Compatibility Scalability Optimization Configuration 23 / 30 23. When developing a risk management program, what is the FIRST activity to be performed? Criticality analysis Inventory of assets Classification of data Threat assessment Identification of the assets to be protected is the first step in the development of a risk management program. 24 / 30 24. An external audit team is deciding whether to rely on internal audit’s work for an annual compliance audit. Which of the following is the GREATEST consideration when making this decision? Independence of the internal audit department from management’s influence Years of experience each of the internal auditors have in performing compliance audits The level of documentation maintained by internal audit and the methods used to collect evidence Professional certifications held by the internal audit team members 25 / 30 25. The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor? The right to audit clause was not included in the contract. The business case was not established. The contract does not cover change management procedures. There was no source code escrow agreement. Because the business case was not established, it is likely that the business rationale, risk and risk mitigation strategies for outsourcing the application development were not fully evaluated and the appropriate information was not provided to senior management for formal approval. This situation presents the biggest risk to the organization. 26 / 30 26. An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place? The service port used by the database server has been changed. The default configurations have been changed All tables in the database are normalized. The default administration account is used after changing the account password. 27 / 30 27. An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for: documentation of staff background checks. reporting staff turnover, development or training. independent audit reports or full audit access. reporting the year-to-year incremental cost reductions. When the functions of an IT department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. 28 / 30 28. An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider's employees adhere to the security policies? Security policies should be modified to address compliance by third-party users. Mandatory security awareness training is implemented for all users. Sign-off is required on the enterprise's security policies for all users. An indemnity clause is included in the contract with the service provider. Having the service provider sign an indemnity clause will ensure compliance to the enterprise's security policies because any violations discovered would lead to a financial liability for the service provider. This will also prompt the enterprise to monitor security violations closely. 29 / 30 29. In a cloud technology environment, which of the following would pose the GREATEST challenge to the investigation of security incidents? Data encryption Non-standard event logs Compressed customer data Access to the hardware 30 / 30 30. The output of the risk management process is an input for making: security policy decisions. software design decisions. business plans. audit charters. The risk management process is about making specific, security-related decisions such as the level of acceptable risk. Your score is LinkedIn Facebook Twitter VKontakte Exit Jute Bags in Dubai | Cotton Bags in Dubai | Canvas Bags in Dubai
