CISA Exam-Test 22

1. Which of the following BEST ensures the integrity of a server's operating system (OS)?
- Hardening the server configuration
- Setting a boot password
- Implementing activity logging
- Protecting the server in a secure location

Hardening a system means configuring it in the most secure manner (install the latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, taking control of the entire machine and jeopardizing the integrity of the OS.

2. Which of the following attacks would MOST likely result in the interception and modification of traffic for mobile phones connecting to potentially insecure public Wi-Fi networks?
- Man-in-the-middle
- Vishing
- Phishing
- Brute force

3. Two months after a major application implementation, management, who assume that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to:
- assess whether the planned cost benefits are being measured, analyzed and reported.
- review subsequent program change requests.
- review controls built into the system to assure that they are operating as designed.
- determine whether user feedback on the system has been documented.

Because management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed.

4. An IS audit group has been involved in the integration of an automated audit tool kit with an existing enterprise resource planning (ERP) system. Due to performance issues, the audit tool kit is not permitted to go live. What should the IS auditor's BEST recommendation be?
- Request vendor technical support to resolve performance issues.
- Review the implementation of selected integrated controls.
- Request additional IS audit resources.
- Review the results of stress tests during user acceptance testing (UAT).

The appropriate recommendation is to review the results of the stress tests during user acceptance testing (UAT) that demonstrated the performance issues.

5. An IS auditor usually places more reliance on evidence directly collected. What is an example of such evidence?
- Evidence collected through transaction reports provided by the organization's IT administration
- Evidence collected through system logs provided by the organization's security administration
- Evidence collected through personal observation
- Evidence collected through surveys collected from internal staff

6. Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing?
- The number of required test runs should be reduced by retesting only defect fixes.
- Test coverage should be restricted to functional requirements.
- Requirements should be tested in terms of importance and frequency of use.
- Automated tests should be performed through the use of scripting.

The idea is to maximize the usefulness of testing by concentrating on the most important aspects of the system and on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements, because complexity tends to increase the likelihood of defects.

7. During a postimplementation review, which of the following activities should be performed?
- Updates of the state of enterprise architecture (EA) diagrams
- User acceptance testing (UAT)
- Return on investment (ROI) analysis
- Activation of audit trails

Following implementation, a cost-benefit analysis or return on investment (ROI) analysis should be re-performed to verify that the original business case benefits are delivered.

8. Which of the following line media would provide the BEST security for a telecommunication network?
- Dedicated lines
- Baseband network
- Broadband network digital transmission
- Dial-up

Dedicated lines are set apart for a particular user or organization. Because there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower.

9. Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a postimplementation focus should be to:
- review control balances and verify that the system is processing data accurately.
- determine whether the system's objectives were achieved.
- review the impact of program changes made during the first phase on the remainder of the project.
- assess whether the planned cost benefits are being measured, analyzed and reported.

Because management is aware that the project had problems, reviewing the subsequent impact will provide insight into the types and potential causes of the project issues. This will help to identify whether IT has adequately planned for those issues in subsequent projects.

10. During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful:
- distributed denial-of-service (DDoS) attack.
- war dialing attack.
- brute force attack.
- buffer overflow.

Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques.

11. Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another?
- Verify that the number of records is the same for both databases.
- Compare the control totals of all of the transactions.
- Compare the hash total before and after the migration.
- Perform sample testing of the migrated account balances.

Performing sample testing of the migrated account balances involves comparing a selection of individual transactions from the database before and after the migration.

12. An e-commerce enterprise's disaster recovery (DR) site has 30% less processing capability than the primary site. Based on this information, which of the following presents the GREATEST risk?
- Network firewalls and database firewalls at the DR site do not provide high availability.
- The DR site is in a shared location that hosts multiple other enterprises.
- No disaster recovery plan (DRP) testing has been performed during the last six months.
- The DR site has not undergone testing to confirm its effectiveness.

13. When reviewing the implementation of a local area network (LAN), an IS auditor should FIRST review the:
- users list.
- network diagram.
- acceptance test report.
- node list.

To properly review a local area network (LAN) implementation, an IS auditor should first verify the network diagram to identify risk or single points of failure.

14. Due to a reorganization, a business application system will be extended to other departments. Which of the following should be of the GREATEST concern for an IS auditor?
- The billing cost allocation method has not been determined.
- A training program does not exist.
- Multiple application owners exist.
- Process owners have not been identified.

When one application is expanded to multiple departments, it is important to ensure the mapping between the process owner and system functions. In the absence of a defined process owner, there may be issues with respect to monitoring or authorization controls.

15. Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented?
- The overall response time to correct failures
- The reporting of the mean time between failures over time
- The first report of the mean time between failures
- The overall mean time to repair failures

The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented.

16. In assessing the priority given to systems covered in an organization's business continuity plan (BCP), an IS auditor should FIRST:
- Validate the recovery time objectives and recovery point objectives
- Review the backup and restore process
- Verify the criteria for disaster recovery site selection
- Review results of previous business continuity plan (BCP) tests

17. A company is implementing a Dynamic Host Configuration Protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern?
- A packet filtering firewall is used.
- Access to a network port is not restricted.
- The IP address space is smaller than the number of PCs.
- Most employees use laptops.

Given physical access to a port, anyone can connect to the internal network. This would allow individuals who are not authorized to be on the corporate network to connect.

18. What topology provides the greatest redundancy of routes and the greatest network fault tolerance?
- A mesh network topology with packet forwarding enabled at each host
- A bus network topology
- A ring network topology
- A star network topology

19. An IS auditor is conducting a postimplementation review of an enterprise's network. Which of the following findings would be of MOST concern?
- Wireless mobile devices are not password-protected.
- An outbound web proxy does not exist.
- Default passwords are not changed when installing network devices.
- All communication links do not utilize encryption.

The most significant risk in this case would be if the factory default passwords are not changed on critical network equipment. This could allow anyone to change the configurations of network equipment.

20. An organization is replacing a payroll program that it developed in-house with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk?
- Undocumented approval of some project changes
- Incomplete testing of the standard functionality of the ERP subsystem
- Faulty migration of historical data from the old system to the new system
- Duplication of existing payroll permissions on the new ERP subsystem

The most significant risk after a payroll system conversion is loss of data integrity and not being able to pay employees in a timely and accurate manner or to have records of past payments. As a result, maintaining data integrity and accuracy during migration is paramount.

21. A financial institution has a system interface that is used by its branches to obtain applicable currency exchange rates when processing transactions. Which of the following should be the PRIMARY control objective for maintaining the security of the system interface?
- Ensuring the availability of the data being transferred
- Preventing unauthorized access to the data via malicious activity
- Preventing unauthorized access to the data via interception
- Ensuring the integrity of the data being transferred

22. During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely:
- evaluate system testing.
- evaluate interface testing.
- review detailed design documentation.
- review access control configuration.

Reviewing the access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system.

23. An IS auditor is reviewing a new web-based order entry system the week before it goes live. The IS auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card information. The IS auditor should FIRST:
- verify that security requirements have been properly specified in the project plan.
- validate whether security controls are based on requirements which are no longer valid.
- determine whether system administrators have disabled security controls for any reason.
- determine whether system developers have proper training on adequate security measures.

If significant security issues are identified by an IS auditor, the first question is whether the security requirements were correct in the project plan. Whether the requirements were included in the plan would affect the recommendations the auditor makes.

24. Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?
- Virtual local area networks (VLANs)
- Firewalls
- Routers
- Layer 2 switches

Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls.

25. An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make?
- Consider the feasibility of a separate user acceptance environment.
- Schedule user testing to occur at a given time each day.
- Implement a source code version control tool.
- Only retest high-priority defects.

One or more separate environments are normally necessary for testing to be efficient and effective and to ensure the integrity of production code. It is important that the development and test code bases be separate. When defects are identified, they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production. This enforces a separation between development and production code. The logistics of setting up and refreshing customized test data are easier if a separate environment is maintained.

26. Which of the following carries the LOWEST risk when managing failures while transitioning from legacy applications to new applications?
- Phased changeover
- Parallel changeover
- Abrupt changeover
- Rollback procedure

Parallel changeover involves first running the old system, then running both the old and new systems in parallel, and finally fully changing to the new system after gaining confidence in the functionality of the new system.

27. An IT service desk has recorded several incidents related to server downtime following the failure of a network time protocol (NTP) server. Which of the following is the BEST methodology to help identify the root cause?
- Cause-and-effect diagram
- Cross-functional diagram
- Data flow diagram
- Server architecture diagram

28. Which of the following should occur EARLIEST in a business continuity management lifecycle?
- Carrying out a threat and risk assessment
- Identifying critical business processes
- Developing a training and awareness program
- Defining business continuity procedures

29. An organization's IT security policy states that user IDs must uniquely identify individuals and that users should not disclose their passwords. An IS auditor discovers that several generic user IDs are being used.
- Recommend a change in security policy.
- Investigate the noncompliance.
- Include the finding in the final audit report.
- Recommend disciplinary action.

30. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?
- Wavelength can be absorbed by the human body
- RFID eliminates line-of-sight reading
- Issues of privacy
- RFID tags may not be removable

The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID tags can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID tag. Choices B and C are concerns of less importance. Choice D is not a concern.