CISA Exam-Test 28

1. When reviewing a hardware maintenance program, an IS auditor should assess whether:
   a) the program is validated against vendor specifications.
   b) it has been approved by the IS steering committee.
   c) the schedule of all unplanned maintenance is maintained.
   d) it is in line with historical trends.
   Although maintenance requirements vary with equipment complexity and performance workload, a hardware maintenance schedule should be validated against the vendor-provided specifications.

2. An IS auditor is reviewing the change management process for an enterprise resource planning (ERP) application. Which of the following is the BEST method for testing program changes?
   a) Perform a walk-through by tracing a program change from start to finish.
   b) Use query software to analyze all change tickets for missing fields.
   c) Trace a sample of modified programs to supporting change tickets.
   d) Select a sample of change tickets and review them for authorization.
   Tracing a sample of modified programs to supporting change tickets is the best way to test change management controls, because it starts from what actually changed in production and is therefore most likely to identify a change made without supporting documentation. Starting from the tickets (option d) can only test changes that were documented in the first place.

3. Doing which of the following during peak production hours could result in unexpected downtime?
   a) Reconfiguring a standby router in the data center
   b) Performing preventive maintenance on electrical systems
   c) Promoting applications from development to the staging environment
   d) Performing data migration or tape backup
   Preventive maintenance should be scheduled for non-peak times, preferably within a defined maintenance window. A mishap during maintenance work on electrical systems could result in unplanned downtime.

4. Emergency changes that bypass the normal change control process are MOST acceptable if:
   a) management has preapproved all emergency changes.
   b) the changes are documented in the change control system by the operations department.
   c) management reviews and approves the changes after they have occurred.
   d) the changes are reviewed by a peer at the time of the change.
   Because management cannot always be available when a system failure occurs, it is acceptable for emergency changes to be reviewed and approved within a reasonable time after they occur.

5. Which of the following BEST limits the impact of server failures in a distributed environment?
   a) Dial backup lines
   b) Redundant pathways
   c) Clustering
   d) Standby power
   Clustering allows two or more servers to work as a unit, so that when one of them fails another takes over.

6. Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases?
   a) Incident management
   b) Change management
   c) Backup and recovery
   d) Configuration management
   The configuration management process may include automated tools that record software release baselines. Should the new release fail, the baseline provides a known point to return to.

7. An IS auditor should recommend the use of library control software to provide reasonable assurance that:
   a) source and executable code integrity is maintained.
   b) program changes have been authorized.
   c) modified programs are automatically moved to production.
   d) only thoroughly tested programs are released.
   Library control software should be used to separate test from production libraries in mainframe and/or client-server environments. Its main objective is to provide assurance that program changes have been authorized.

8. An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
   a) Commands typed on the command line are logged.
   b) Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.
   c) Software development tools and compilers have been removed from the production environment.
   d) Access to the operating system command line is granted through an access restriction tool with preapproved rights.
   Matching hashes of the production programs over time detects any modification of the files, including one made by a developer who already holds operator access; it addresses the "undetected" part of the risk directly.

9. During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
   a) patches are validated using parallel testing in production.
   b) only systems administrators perform the patch process.
   c) the client's change management process is adequate.
   d) an approval process for the patch, including a risk assessment, is developed.
   The change management process, which includes procedures for implementing changes during production hours and for patch management, helps to ensure that this type of event does not recur. An IS auditor should review the change management process, including patch management procedures, verify that it has adequate controls, and make suggestions accordingly.

10. Which of the following is the MOST important factor when an organization is developing information security policies and procedures?
   a) Alignment with an information security framework
   b) Inclusion of mission and objectives
   c) Compliance with relevant regulations
   d) Consultation with security staff

11. Which of the following is the MOST critical element of an effective disaster recovery plan (DRP)?
   a) Availability of a replacement data center
   b) Clearly defined recovery time objective (RTO)
   c) Up-to-date list of key disaster recovery contacts
   d) Offsite storage of backup data
   Remote (offsite) storage of backups is the most critical DRP element of those listed, because access to backup data is required to restore systems.
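Questions 2 and 8 describe the same detective control from two sides: hash the programs that are actually in production, compare them with the hashes of the last authorized versions, and trace every difference back to a change ticket. The following Go program is an added worked example of that check; it is not part of the quiz or of any vendor tool, and the program names, file contents and ticket numbers in SampleRun are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Status is the outcome of the periodic hash check for one production program.
type Status string

const (
	Unchanged    Status = "UNCHANGED"    // hash equals the last authorized version
	Authorized   Status = "AUTHORIZED"   // hash changed and a change ticket supports it
	Unauthorized Status = "UNAUTHORIZED" // hash changed and no ticket supports it
	Missing      Status = "MISSING"      // in the authorized baseline, absent from production
)

// Finding is one line of the reconciliation report.
type Finding struct {
	Program string
	Status  Status
	Ticket  string // supporting change ticket, empty if none
}

// hashOf returns the hex SHA-256 of a program's current contents.
func hashOf(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Reconcile works from what is actually in production: every program whose hash
// differs from the authorized baseline is traced to a change ticket, and a changed
// program with no ticket is reported as unauthorized. A program that is in
// production but not in the baseline is treated as a change from nothing.
func Reconcile(baseline map[string]string, current map[string][]byte, tickets map[string]string) []Finding {
	var findings []Finding
	for name, content := range current {
		authorized, known := baseline[name]
		if known && hashOf(content) == authorized {
			findings = append(findings, Finding{Program: name, Status: Unchanged})
			continue
		}
		if ticket, ok := tickets[name]; ok {
			findings = append(findings, Finding{Program: name, Status: Authorized, Ticket: ticket})
		} else {
			findings = append(findings, Finding{Program: name, Status: Unauthorized})
		}
	}
	for name := range baseline {
		if _, present := current[name]; !present {
			findings = append(findings, Finding{Program: name, Status: Missing})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Program < findings[j].Program })
	return findings
}

// SampleRun drives Reconcile with constructed data (hypothetical program names,
// contents and ticket numbers; not taken from any real system).
func SampleRun() []Finding {
	authorizedContents := map[string][]byte{
		"PAYROLL": []byte("payroll v12 authorized build"),
		"INVOICE": []byte("invoice v7 authorized build"),
		"GLPOST":  []byte("glpost v3 authorized build"),
		"ARCALC":  []byte("arcalc v5 authorized build"),
	}
	// Baseline: hashes recorded when the last authorized versions were released.
	baseline := make(map[string]string, len(authorizedContents))
	for name, content := range authorizedContents {
		baseline[name] = hashOf(content)
	}
	// What the periodic hash run finds in production today.
	current := map[string][]byte{
		"PAYROLL": []byte("payroll v12 authorized build"),                        // untouched
		"INVOICE": []byte("invoice v8 build from CHG-1042"),                      // changed, ticketed
		"GLPOST":  []byte("glpost v3 authorized build; hotfix typed at console"), // changed, no ticket
		"NEWRPT":  []byte("new report program"),                                  // never in the baseline, no ticket
		// ARCALC is absent from production
	}
	// Change tickets closed since the baseline was taken, keyed by program.
	tickets := map[string]string{"INVOICE": "CHG-1042"}
	return Reconcile(baseline, current, tickets)
}

func main() {
	for _, f := range SampleRun() {
		fmt.Printf("%-8s %-13s %s\n", f.Program, f.Status, f.Ticket)
	}
}
```

The two UNAUTHORIZED lines (GLPOST and NEWRPT) are exactly the cases a ticket-first review would never see, which is why question 2 prefers tracing from modified programs to tickets rather than the reverse. In practice the baseline hashes must be stored where the developers with operator access cannot rewrite them, otherwise the check can be defeated by updating the baseline along with the program.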
12. The BEST way to prevent fraudulent payments is to implement segregation of duties between payment processing and:
   a) vendor setup.
   b) check creation.
   c) requisition creation.
   d) payment approval.

13. An IS auditor reviewing the use of encryption finds that the symmetric key is sent by an email message between the parties. Which of the following audit responses is correct in this situation?
   a) No audit finding is recorded, as it is normal to distribute a key of this nature in this manner.
   b) No audit finding is recorded, as the key can only be used once.
   c) An audit finding is recorded, as the key should be asymmetric and therefore changed.
   d) An audit finding is recorded, as the key should be distributed in a secure manner.

14. Which of the following is the MOST efficient way to test the design effectiveness of a change control process?
   a) Test a sample population of change requests
   b) Test a sample of authorized changes
   c) Perform an end-to-end walk-through of the process
   d) Interview personnel in charge of the change control process
   Observing the process in an end-to-end walk-through is the most efficient way to confirm that it is designed effectively. Testing samples of requests or changes (options a and b) tests operating effectiveness, not design.

15. To ensure an organization is complying with privacy requirements, an IS auditor should FIRST review:
   a) legal and regulatory requirements.
   b) the IT infrastructure.
   c) adherence to organizational policies, standards, and procedures.
   d) organizational policies, standards, and procedures.

16. The purpose of code signing is to provide assurance that:
   a) the application can safely interface with another signed application.
   b) the private key of the signer has not been compromised.
   c) the software has not been subsequently modified.
   d) the signer of the application is trusted.
   Code signing ensures that the executable code came from the named signer and has not been modified after being signed. Whether that signer is trusted is a separate decision made by the party verifying the signature, and the signature says nothing about whether the signer's private key has been compromised.

17. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
   a) Utilization of an intrusion detection system to report incidents
   b) Training provided on a regular basis to all current and new employees
   c) Mandating the use of passwords to access all software
   d) Installing an efficient user log system to track the actions of each user

18. When reviewing system parameters, an IS auditor's PRIMARY concern should be that:
   a) they are set to meet security and performance requirements.
   b) changes are authorized and supported by appropriate documents.
   c) access to parameters in the system is restricted.
   d) changes are recorded in an audit trail and periodically reviewed.
   The primary concern is the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; if the parameters are not set according to business rules in the first place, monitoring changes to them is not an effective control.

19. A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in:
   a) with the shared DBA account to make the changes.
   b) to the server administrative account to make the changes.
   c) to the user's account to make the changes.
   d) with their named account to make the changes.
   Logging in with a named user account (before switching to the DBA account, if that is required) provides accountability by identifying the person making the changes.

20. The BEST audit procedure to determine if unauthorized changes have been made to production code is to:
   a) examine the change control system records and trace them forward to object code files.
   b) review change approval designations established within the change control system.
   c) examine object code to find instances of changes and trace them back to change control records.
   d) review access control permissions operating within the production program libraries.
   Examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes.

21. ... control prevent the display of fares if they are not within the defined threshold?
   a) Detective control
   b) Preventive control
   c) Corrective control
   d) Compensating control
   The control prevents fares outside the defined range from being displayed at all, so it is a preventive control.

22. Which of the following implementation strategies for new applications presents the GREATEST risk during data conversion and migration from an old system to a new system?
   a) Phased implementation
   b) Pilot implementation
   c) Direct cutover
   d) Parallel simulation
   Direct cutover means switching to the new system immediately, with no parallel run to fall back on; a conversion or migration error therefore has an immediate and potentially significant impact on the organization.

23. Which of the following is the initial step in creating a firewall policy?
   a) Creation of an applications traffic matrix showing protection methods
   b) A cost-benefit analysis of methods for securing the applications
   c) Identification of network applications to be externally accessed

24. Applying a retention date on a file will ensure that:
   a) backup copies are not retained after that date.
   b) data cannot be read until the date is set.
   c) data will not be deleted before that date.
   d) datasets having the same name are differentiated.
   A retention date ensures that a file cannot be overwritten or deleted before that date has passed.

25. In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?
   a) Obtain secondary approval before releasing to production.
   b) Limit developer access to production to a specific time frame.
   c) Approve and document the change the next business day.
   d) Disable the compiler option in the production machine.
   It may be appropriate to allow programmers to make emergency changes as long as the changes are documented and approved after the fact.

26. Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?
   a) Telecommunications cost could be much higher in the first year.
   b) Privacy laws could prevent cross-border flow of information.
   c) Time zone differences could impede communications between IT teams.
   d) Software development may require more detailed specifications.

27. During the review of an in-house developed application, the GREATEST concern to an IS auditor is if a:
   a) manager initiates a change request and subsequently approves it.
   b) manager approves a change request and then reviews it in production.
   c) programmer codes a change in the development environment and tests it in the test environment.
   d) user raises a change request and tests it in the test environment.
   Initiating and subsequently approving a change request violates the principle of segregation of duties: a person should not be able to approve their own requests.

28. An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
   a) ensure that a good change management process is in place.
   b) approve the patch after doing a risk assessment.
   c) thoroughly test the patch before sending it to production.
   d) apply the patch according to the patch's release notes.
   An IS auditor should review the change management process, including patch management procedures, verify that the process has adequate controls, and make suggestions accordingly.

29. In the event of a data center disaster, which of the following would be the MOST appropriate strategy to enable a complete recovery of a critical database?
   a) Hard disk mirroring to a local server
   b) Real-time replication to a remote site
   c) Daily data backup to tape and storage at a remote site
   d) Real-time data backup to the local storage area network (SAN)
   With real-time replication to a remote site, data are updated simultaneously in two separate locations, so a disaster at one site does not damage the copy held at the remote site. This assumes that both sites are not affected by the same disaster.

30. When developing a security architecture, which of the following steps should be executed FIRST?
   a) Defining a security policy
   b) Developing security procedures
   c) Specifying an access control methodology
   d) Defining roles and responsibilities
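Question 16 turns on what a code signature does and does not prove. The following Go program is an added example, not part of the quiz or of any signing product: it signs a constructed release artifact with a publisher key, then shows that verification succeeds for the genuine artifact, fails for a one-token modification, and fails for a valid signature made with a key the consumer has not chosen to trust. The keys are derived from fixed, made-up seeds so the example is reproducible offline; the artifact contents are invented.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignArtifact returns the publisher's Ed25519 signature over the SHA-256
// digest of the artifact. Signing the digest keeps the signed message small
// while the signature still covers every byte of the file.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// VerifyArtifact recomputes the digest of what was actually received and checks
// the signature under one public key. Any change to the artifact after signing,
// or a signature produced with a different private key, fails here.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// TrustedVerify is the consumer's side: the signature must verify under one of
// the publisher keys the organization has decided to trust. "Signed" and
// "signed by someone we trust" are different questions.
func TrustedVerify(trusted []ed25519.PublicKey, artifact, sig []byte) bool {
	for _, pub := range trusted {
		if VerifyArtifact(pub, artifact, sig) {
			return true
		}
	}
	return false
}

// DemoResult records the three outcomes the example demonstrates.
type DemoResult struct {
	Genuine         bool // unmodified artifact, trusted publisher
	Tampered        bool // artifact edited after signing
	UntrustedSigner bool // valid signature from a key not in the trust list
}

// Demo builds constructed keys and an invented artifact and runs the three checks.
func Demo() DemoResult {
	// Constructed seeds (hypothetical; never reuse fixed seeds for real keys).
	publisher := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	attacker := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	trusted := []ed25519.PublicKey{publisher.Public().(ed25519.PublicKey)}

	artifact := []byte("#!/bin/sh\necho deploy v1.4.2\n") // constructed release artifact
	sig := SignArtifact(publisher, artifact)

	// Modify the artifact after signing, keeping the original signature.
	tampered := bytes.Replace(artifact, []byte("v1.4.2"), []byte("v1.4.3"), 1)
	// A correctly formed signature, but from a key the consumer does not trust.
	forged := SignArtifact(attacker, artifact)

	return DemoResult{
		Genuine:         TrustedVerify(trusted, artifact, sig),
		Tampered:        TrustedVerify(trusted, tampered, sig),
		UntrustedSigner: TrustedVerify(trusted, artifact, forged),
	}
}

func main() {
	r := Demo()
	fmt.Printf("genuine artifact verifies:        %v\n", r.Genuine)
	fmt.Printf("tampered artifact verifies:       %v\n", r.Tampered)
	fmt.Printf("untrusted signer verifies:        %v\n", r.UntrustedSigner)
}
```

Only the first check passes. The second failure is option c of question 16 in action: the signature is bound to the exact bytes that were signed. The third shows why option d is a property of the verifier's trust list rather than of the signature itself, and nothing in the exchange can tell the consumer whether the publisher's private key has leaked (option b), which is why key compromise has to be handled by revocation outside the signing mechanism.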