CISA EXAM-TEST 24

1. Determining the service delivery objective (SDO) should be based PRIMARILY on:
   - the cost-effectiveness of the restoration process.
   - the allowable interruption window (AIW).
   - the minimum acceptable operational capability.
   - meeting the recovery time objectives (RTOs).
   Explanation: The service delivery objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.

2. Which of the following assures an enterprise of the existence and effectiveness of internal controls relative to the service provided by a third party?
   - The current business continuity plan (BCP) procedures
   - A recent disaster recovery plan (DRP) test report
   - A recent external audit report
   - The current service level agreement (SLA)
   Explanation: An independent third-party audit report such as Statements on Standards for Attestation Engagements (SSAE) 16 would provide assurance of the existence and effectiveness of internal controls at the third party.

3. Which of the following is the GREATEST benefit of implementing an incident management process?
   - Opportunity for frequent reassessment of incidents
   - Reduction in security threats
   - Reduction of cost by the efficient use of resources
   - Reduction in the business impact of incidents

4. The PRIMARY objective of service-level management (SLM) is to:
   - ensure that services are managed to deliver the highest achievable level of availability.
   - monitor and report any legal noncompliance to business management.
   - define, agree on, record and manage the required levels of service.
   - keep the costs associated with any service at a minimum.
   Explanation: The objective of service-level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services.

5.
An organization has implemented an online customer help desk application using a software as a service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide?
   - Contract an independent third party to provide weekly reports on application uptime.
   - Implement an online polling tool to monitor the application and record outages.
   - Log all application outages reported by users and aggregate the outage time weekly.
   - Ask the SaaS vendor to provide a weekly report on application uptime.
   Explanation: Implementing an online polling tool to monitor and record application outages is the best option for an organization to monitor application availability. Comparing internal reports with the vendor's service level agreement (SLA) reports would ensure that the vendor's monitoring of the SLA is accurate and that all conflicts are appropriately resolved.

6. The PRIMARY benefit of an IT manager monitoring technical capacity is to:
   - identify the need for new hardware and storage procurement.
   - determine the future capacity need based on usage.
   - ensure that the service level agreement (SLA) requirements are met.
   - ensure that systems operate at optimal capacity.
   Explanation: Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal service level agreement (SLA) between the business and IT.

7. In a contract with a hot, warm or cold site, contractual provisions should PRIMARILY cover which of the following considerations?
   - Number of subscribers permitted to use a site at one time
   - Physical security measures
   - References by other users
   - Total number of subscribers
   Explanation: The contract should specify the number of subscribers permitted to use the site at any one time. The contract can be written to give preference to certain subscribers.

8.
The MAIN reason for requiring that all computer clocks across an organization be synchronized is to:
   - support the incident investigation process.
   - ensure smooth data transition from client machines to servers.
   - prevent omission or duplication of transactions.
   - ensure that email messages have accurate time stamps.
   Explanation: During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them is useful. If the clocks are not synchronized, investigations will be more difficult because a time line of events occurring on different systems might not be easily established.

9. An IS auditor reviewing a cloud computing environment managed by a third party should be MOST concerned when:
   - the organization is not permitted to assess the controls in the participating vendor's site.
   - laws and regulations are different in the countries of the organization and the vendor.
   - the organization is using an older version of a browser and is vulnerable to certain types of security risk.
   - the service level agreement (SLA) does not address the responsibility of the vendor in the case of a security breach.
   Explanation: Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach.

10. When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software:
   - is not listed in the approved software standards document.
   - was being used by users not properly trained in its use.
   - was installed, but not documented in the IT department records.
   - license will expire in the next 15 days.
   Explanation: The installation of software that is not allowed by policy is a serious violation and could put the organization at security, legal and financial risk. Any software that is allowed should be part of a standard software list. This is the first thing to review because this would also indicate compliance with policies.

11. Establishing data ownership is an important first step for which of the following processes?
   - Developing organizational security policies
   - Creating roles and responsibilities
   - Classifying data
   - Assigning user access privileges

12. Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)?
   - The complexity of application logs used for service monitoring made the review difficult.
   - The document is updated on an annual basis.
   - A service adjustment resulting from an exception report took a day to implement.
   - Performance measures were not included in the SLA.
   Explanation: Lack of performance measures will make it difficult to gauge the efficiency and effectiveness of the IT services being provided.

13. Which of the following is BEST characterized by unauthorized modification of data before or during systems data entry?
   - Salami attack
   - Data corruption
   - Skimming
   - Data diddling

14. Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?
   - Prohibiting the provider from subcontracting services
   - Minimizing costs for the services provided
   - Determining if the services were provided as contracted
   - Evaluating the process for transferring knowledge to the IT department
   Explanation: From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements.

15.
To verify that the correct version of a data file was used for a production run, an IS auditor should review:
   - system logs.
   - output distribution reports.
   - operator problem reports.
   - operator work schedules.
   Explanation: System logs are automated reports which identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The IS auditor can then carry out tests to ensure that the correct file version was used for a production run.

16. While performing a review of a critical third-party application, an IS auditor would be MOST concerned with discovering:
   - an inadequate software escrow agreement.
   - inadequate procedures for ensuring adequate system portability.
   - inadequate operational documentation for the system.
   - an inadequate alternate service provider listing.
   Explanation: The inclusion of a clause in the agreement that requires software code to be placed in escrow helps to ensure that the customer can continue to use the software and/or obtain technical support if a vendor were to go out of business.

17. Which of the following is used to evaluate biometric access controls?
   - EAR
   - FRR
   - FAR
   - EER

18. Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement (SLA) for the availability of outsourced telecommunication services?
   - A utilization report of automatic failover services generated by the enterprise
   - Downtime reports on the telecommunication services generated by the enterprise
   - A bandwidth utilization report provided by the ISP
   - Downtime reports on the telecommunication services generated by the ISP
   Explanation: The enterprise should use internally generated downtime reports to monitor the service provided by the ISP and, as available, to compare with the reports provided by the ISP.

19.
An organization is planning to deploy an outsourced cloud-based application that is used to track job applicant data for the human resources (HR) department. Which of the following should be the GREATEST concern to an IS auditor?
   - The service level agreement (SLA) ensures strict limits for uptime and performance.
   - The cloud provider will not agree to an unlimited right-to-audit as part of the SLA.
   - The SLA is not explicit regarding the disaster recovery plan (DRP) capabilities of the cloud provider.
   - The cloud provider's data centers are in multiple cities and countries.
   Explanation: Having data in multiple countries is the greatest concern because human resources (HR) applicant data could contain personally identifiable information (PII). There may be legal compliance issues if these data are stored in a country with different laws regarding data privacy. While the organization would be bound by the privacy laws where it is based, it may not have legal recourse if a data breach happens in a jurisdiction where the same laws do not apply.

20. During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
   - Confirm the content of the agreement with both departments.
   - Postpone the audit until the agreement is documented.
   - Draft a service level agreement (SLA) for the two departments.
   - Report the existence of the undocumented agreement to senior management.
   Explanation: An IS auditor should first confirm and understand the current practice before making any recommendations. Part of this will be to ensure that both parties are in agreement with the terms of the agreement.

21. Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?
   - A hot site maintained by the business
   - A commercial cold site
   - A third-party hot site
   - A reciprocal arrangement between its offices
   Explanation: For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate. Each office could be designated as a recovery site for some other office. This would be the least expensive approach and would provide an acceptable level of confidence.

22. The information security function in a large organization is MOST effective when:
   - decentralized as close to the user as possible.
   - established at a corporate-wide level.
   - partnered with the IS development team to determine access rig
   - the function reports directly to the IS operations manager.

23. When reviewing backup policies, an IS auditor MUST verify that backup intervals of critical systems do not exceed which of the following?
   - Recovery time objective (RTO)
   - Service level objective (SLO)
   - Recovery point objective (RPO)
   - Maximum acceptable outage (MAO)

24. What is an effective countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off?
   - Close supervision
   - Administrator alerts
   - Employee security awareness training
   - Screensaver passwords

25. During a data center audit, an IS auditor observes that some parameters in the tape management system are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness?
   - Regular backup of tapes
   - Supervisory review of logs
   - Offsite storage of tapes
   - Staging and job setup
   Explanation: If the IS auditor finds that there are effective staging and job setup processes, this can be accepted as a compensating control. Not reading header records may otherwise result in loading the wrong tape and deleting or accessing data on the loaded tape.

26. Which of the following provides the strongest authentication for physical access control?
   - Biometrics
   - Sign-in logs
   - Key verification
   - Dynamic passwords

27. An IS auditor is assessing services provided by an Internet service provider (ISP) during an IS compliance audit of a nationwide corporation that operates a governmental program. Which of the following is MOST important?
   - Review the service level agreement (SLA).
   - Review the request for proposal (RFP).
   - Research other clients of the ISP.
   - Review monthly performance reports generated by the ISP.
   Explanation: A service level agreement (SLA) provides the basis for an adequate assessment of the degree to which the provider is meeting the level of agreed-on service.

28. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
   - The security infrastructures in each company may be different.
   - Developments may result in hardware and software incompatibility.
   - The recovery plan cannot be tested.
   - Resources may not be available when needed.

29. When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (AI) system, the IS auditor should be MOST concerned with the impact AI will have on:
   - employee retention.
   - future task updates.
   - enterprise architecture (EA).
   - task capacity output.

30. Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?
   - Whether there is explicit permission from regulators to collect personal data
   - The encryption mechanism selected by the organization for protecting personal data
   - The organization's legitimate purpose for collecting personal data
   - Whether sharing of personal information with third-party service providers is prohibited