CISA Exam-Test 12

1. An IS auditor is reviewing an IT security risk management program. Measures of security risk should:
   a) address all of the network risk.
   b) take into account the entire IT environment.
   c) be tracked over time against the IT strategic plan.
   d) result in the identification of vulnerability tolerances.

When assessing IT security risk, it is important to take into account the entire IT environment.

2. What is the most effective means of determining that controls are functioning properly within an operating system?
   a) Interview with computer operator
   b) Review of software control features and/or parameters
   c) Review of operating system manual
   d) Interview with product vendor

3. When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied?
   a) Acceptance
   b) Mitigation
   c) Transfer
   d) Avoidance

Risk assessment and business impact assessment are tools for understanding the business as a part of BCP.

4. While reviewing the IT governance processes of an organization, an IS auditor discovers that the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation?
   a) IT service level agreements (SLAs) may not be accurate.
   b) Key performance indicators (KPIs) are not reported to management and management cannot determine the effectiveness of the BSC.
   c) IT projects could suffer from cost overruns.
   d) Misleading indications of IT performance may be presented to management.

The IT balanced scorecard (BSC) is designed to measure IT performance. To measure performance, a sufficient number of "performance drivers" or key performance indicators (KPIs) must be defined and measured over time. Failure to have objective KPIs may result in arbitrary, subjective measures that may be misleading.

5. Who is responsible for reviewing the results and deliverables within and at the end of each phase, as well as confirming compliance with requirements?
   a) User Management
   b) Project Sponsor
   c) Senior Management
   d) Quality Assurance

6. Which of the following should be considered FIRST when implementing a risk management program?
   a) An understanding of the risk exposures and the potential consequences of compromise
   b) An understanding of the organization's threat, vulnerability and risk profile
   c) A risk mitigation strategy sufficient to keep risk consequences at an acceptable level
   d) A determination of risk management priorities based on potential consequences

Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization's threat, vulnerability and risk profile as a first step.

7. Which of the following is the key benefit of a control self-assessment (CSA)?
   a) Fraud detection will be improved because internal business staff are engaged in testing controls.
   b) Management ownership of the internal controls supporting business objectives is reinforced.
   c) Internal auditors can shift to a consultative approach by using the results of the assessment.
   d) Audit expenses are reduced when the assessment results are an input to external audit work.

The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance.

8. An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?
   a) Risk reduction
   b) Risk avoidance
   c) Risk transfer
   d) Risk mitigation

Risk transfer typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist.

9. A poor choice of passwords and unencrypted data transmissions over unprotected communications lines are examples of:
   a) vulnerabilities.
   b) threats.
   c) probabilities.
   d) impacts.

Vulnerabilities represent weaknesses of information resources that may be exploited by a threat. Because these are weaknesses that could be addressed by the security specialist, they are examples of vulnerabilities.

10. After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways, and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented?
   a) A business impact analysis (BIA)
   b) A comparison of the cost of the IPS and firewall and the cost of the business systems
   c) A cost-benefit analysis
   d) An annual loss expectancy (ALE) calculation

In a cost-benefit analysis, the total expected purchase and operational/support costs and a qualitative value for all actions are weighed against the total expected benefits to choose the best technical, most profitable, least expensive or acceptable risk option.

11. An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review?
   a) IT risk is presented in business terms.
   b) The approval process for risk response is in place.
   c) The risk management framework is based on global standards.
   d) Controls are implemented based on cost-benefit analysis.

In order for risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms.

12. Before implementing an IT balanced scorecard (BSC), an organization must:
   a) provide business value to IT projects.
   b) define key performance indicators.
   c) control IT expenses.
   d) deliver effective and efficient services.

Because a BSC is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC.

13. To address the risk of operations staff's failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk:
   a) transfer.
   b) mitigation.
   c) acceptance.
   d) avoidance.

Risk mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. Requiring the systems administrator to sign off on the completion of the backups is an administrative control that can be validated for compliance.

14. Which of the following is the MOST reliable network connection medium in an environment where there is strong electromagnetic interference?
   a) Fiber optic cable
   b) Wireless link
   c) Shielded twisted-pair cable
   d) Coaxial cable

15. Which of the following insurance types provides for a loss arising from fraudulent acts by employees?
   a) Extra expense
   b) Errors and omissions
   c) Business interruption
   d) Fidelity coverage

Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees.

16. Which of the following statements INCORRECTLY describes the traditional audit approach in comparison to the control self-assessment approach?
   a) The traditional approach requires limited employee participation.
   b) In the traditional approach, staff at all levels, in all functions, are the primary control analysts.
   c) The traditional approach is a policy-driven approach.
   d) The traditional approach assigns duties/supervises staff.

17. Which of the following types of testing uses a set of test cases that focus on the control structure of the procedural design?
   a) Interface testing
   b) Final acceptance testing
   c) Unit testing
   d) System testing

18. Which of the following is the PRIMARY objective of an IT performance measurement process?
   a) Gather performance data.
   b) Establish performance baselines.
   c) Minimize errors.
   d) Optimize performance.

An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions.

19. Which of the following is an attribute of the control self-assessment (CSA) approach?
   a) Broad stakeholder involvement
   b) Auditors are the primary control analysts
   c) Policy driven
   d) Limited employee participation

The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training, all of which are representations of broad stakeholder involvement.

20. As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through:
   a) value delivery.
   b) resource management.
   c) strategic alignment.
   d) performance measurement.

Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.

21. The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
   a) reduction of the cost for IT security.
   b) alignment of the IT activities with IS audit recommendations.
   c) implementation of the chief information security officer's (CISO's) recommendations.
   d) enforcement of the management of security risk.

The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level, and monitoring of the residual risk.

22. Reconciliations have identified data discrepancies between an enterprise data warehouse and a revenue system for key financial reports. What is the GREATEST risk to the organization in this situation?
   a) The key financial reports may no longer be produced.
   b) Undetected fraud may occur.
   c) Financial reports may be delayed.
   d) Decisions may be made based on incorrect information.

23. When developing a business continuity plan (BCP), which of the following tools should be used to gain an understanding of the organization's business processes?
   a) Resource recovery analysis
   b) Business continuity self-audit
   c) Gap analysis
   d) Risk assessment

Risk assessment and business impact assessment are tools for understanding the business as a part of BCP.

24. Which of the following types of testing has two major categories: QAT and UAT?
   a) Unit testing
   b) System testing
   c) Interface testing
   d) Final acceptance testing

25. During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?
   a) No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
   b) Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization's risk management.
   c) Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
   d) Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle.

Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk register and mitigation plans up to date.

26. An organization is deciding whether to outsource its customer relationship management systems to a provider located in another country. Which of the following should be the PRIMARY influence in the outsourcing decision?
   a) The service provider's disaster recovery plan
   b) Current geopolitical conditions
   c) Cross-border privacy laws
   d) Time zone differences

27. An IS auditor performing an audit of the risk assessment process should FIRST confirm that:
   a) technical and organizational vulnerabilities have been analyzed.
   b) assets have been identified and ranked.
   c) the effects of potential security breaches have been evaluated.
   d) reasonable threats to the information assets are identified.

Identification and ranking of information assets (e.g., data criticality, sensitivity, locations of assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset.

28. Assess the skill set within the security function
   a) Compensating
   b) Directive
   c) Detective
   d) Corrective

29. Which of the following must exist to ensure the viability of a duplicate information processing facility?
   a) The site is near the primary site to ensure quick and efficient recovery.
   b) The hardware is tested when it is installed to ensure it is working properly.
   c) The site contains the most advanced hardware available.
   d) The workload of the primary site is monitored to ensure adequate backup is available.

Resource availability must be assured. The workload of the primary site must be monitored to ensure that availability at the alternate site for emergency backup use is sufficient.

30. Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?
   a) The certificate practice statement has not been published.
   b) The certificate revocation list has not been updated.
   c) The PKI policy has not been updated within the last year.
   d) The private key certificate has not been updated.