CISA Exam-Test 6

1. Responsibility for the governance of IT should rest with the:
   A. audit committee.
   B. chief information officer (CIO).
   C. board of directors.
   D. IT strategy committee.

   Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly.

2. An enterprise's risk appetite is BEST established by:
   A. the chief legal officer.
   B. security management.
   C. the steering committee.
   D. the audit committee.

   The steering committee is best suited to determine the enterprise's risk appetite because the committee draws its representation from senior management.

3. Which of the following is the PRIMARY benefit of including IT management and staff when conducting control self-assessments (CSAs) within an organization?
   A. It reduces the workload of external and internal auditors.
   B. It improves the efficiency of business and IT operational processes.
   C. It increases buy-in for more stringent controls.
   D. It helps to identify risks to the business.

4. What is the BEST justification for allocating more funds to implement a control for an IT asset than the actual cost of the IT asset?
   A. To comply with information security best practices
   B. To avoid future audit findings
   C. To protect the associated intangible business value
   D. To maintain the residual value of the asset

5. Which of the following is the MOST important step in the development of an effective IT governance action plan?
   A. Setting up an IT governance framework for the process
   B. Conducting a business impact analysis (BIA)
   C. Measuring IT governance key performance indicators (KPIs)
   D. Preparing a statement of sensitivity

6. An IS auditor is evaluating the IT governance framework of an organization. Which of the following would be the GREATEST concern?
   A. Chargeback of IT cost is not consistent.
   B. Senior management has limited involvement.
   C. Risk appetite is not quantified.
   D. Return on investment (ROI) is not measured.

   To ensure that the IT governance framework is effectively in place, senior management must be involved and aware of roles and responsibilities. Therefore, it is most essential to ensure the role of senior management when evaluating the soundness of IT governance.

7. Which of the following is the MOST important element for the successful implementation of IT governance?
   A. Performing a risk assessment
   B. Identifying organizational strategies
   C. Implementing an IT scorecard
   D. Creating a formal security policy

   The key objective of an IT governance program is to support the business; thus the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices, even if implemented, would be ineffective.

8. A core business unit relies on an effective legacy system that does not meet the current security standards and threatens the enterprise network. Which of the following is the BEST course of action to address the situation?
   A. Require that new systems that can meet the standards be implemented.
   B. Develop processes to compensate for the deficiencies.
   C. Disconnect the legacy system from the rest of the network.
   D. Document the deficiencies in the risk register.

9. IT governance is PRIMARILY the responsibility of the:
   A. IT steering committee.
   B. audit committee.
   C. chief executive officer (CEO).
   D. board of directors.

   IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors).

10. Which of the following is a function of an IT steering committee?
   A. Ensuring a separation of duties within the information processing environment
   B. Liaising between the IT department and end users
   C. Monitoring vendor-controlled change control and testing
   D. Approving and monitoring major projects, such as the status of IT plans and budgets

   The IT steering committee typically serves as a general review board for major IT projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, such as the status of IT plans and budgets.

11. The ultimate purpose of IT governance is to:
   A. encourage optimal use of IT.
   B. reduce IT costs.
   C. decentralize IT resources across the organization.
   D. centralize control of IT.

   IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.

12. An IT steering committee should:
   A. be briefed about new trends and products at each meeting by a vendor.
   B. maintain minutes of its meetings and keep the board of directors informed.
   C. include a mix of members from different departments and staff levels.
   D. ensure that IS security policies and procedures have been executed properly.

   It is important to keep detailed IT steering committee minutes to document the decisions and activities of the IT steering committee, and the board of directors should be informed about those decisions on a timely basis.

13. Which of the following is the MOST important consideration when incorporating data analytics into an audit?
   A. Ability of the auditor to perform complex analysis
   B. Complexity of the data and related audit process
   C. Availability and cost of the tools
   D. Availability and quality of data

14. A critical server for a hospital has been encrypted by ransomware. The hospital is unable to function effectively without this server. Which of the following would MOST effectively allow the hospital to avoid paying the ransom?
   A. A continual server replication process
   B. A properly tested offline backup system
   C. A properly configured firewall
   D. Employee training on ransomware

15. The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
   A. technology not aligning with organization objectives.
   B. an absence of control over technology contracts.
   C. a lack of investment in technology.
   D. a lack of a methodology for systems development.

   A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee, or a committee not composed of senior managers, would be an indication of a lack of top-level management commitment. This condition would increase the risk that IT would not be aligned with organization strategy.

16. Which of the following IT governance good practices improves strategic alignment?
   A. Supplier and partner risk is managed.
   B. A structure is provided that facilitates the creation and sharing of business information.
   C. Top management mediates between the imperatives of business and technology.
   D. A knowledge base on customers, products, markets and processes is in place.

   Top management mediating between the imperatives of business and technology is an IT strategic alignment good practice.

17. Which of the following MOST effectively mitigates the risk of disclosure of sensitive data stored on company-owned smartphones?
   A. Data leakage prevention (DLP) tools
   B. Secure containers
   C. Physical device tagging
   D. Mobile device management (MDM)

18. An IS auditor is performing a review of an organization's governance model. Which of the following should be of MOST concern to the auditor?
   A. A policy to ensure that systems are patched in a timely manner does not exist.
   B. The audit committee did not review the global mission statement.
   C. An organizational policy related to malware protection does not exist.
   D. The organization's information security policy is not periodically reviewed by senior management.

   Data security policies should be reviewed and refreshed once every year to reflect changes in the organization's environment. Policies are fundamental to the organization's governance structure and, therefore, this is the greatest concern.

19. Many organizations require employees to take a mandatory vacation each year PRIMARILY because the organization wants to ensure that:
   A. employee satisfaction is maintained to reduce the risk of processing errors.
   B. potential irregularities in processing are identified by temporarily replacing an employee in the job function.
   C. rotation of employees reduces the risk of processing errors.
   D. adequate cross-training exists between all functions of the organization.

   Employees who perform critical and sensitive functions within an organization should be required to take some time off to help ensure that irregularities and fraud are detected.

20. Effective IT governance requires organizational structures and processes to ensure that:
   A. the business strategy is derived from an IT strategy.
   B. IT governance is separate and distinct from the overall governance.
   C. the IT strategy extends the organization's strategies and objectives.
   D. risk is maintained at a level acceptable for IT management.

   Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives, and that the IT strategy is aligned with business strategy.

21. Sharing risk is a key factor in which of the following methods of managing risk?
   A. Tolerating risk
   B. Treating risk
   C. Terminating risk
   D. Transferring risk

   Transferring risk (e.g., by taking out an insurance policy) is a way to share risk.

22. When auditing a role-based access control (RBAC) system, the IS auditor noticed that some IT security employees have system administrator privileges on some servers, which allows them to modify or delete transaction logs. Which would be the BEST recommendation that the IS auditor should make?
   A. Implement controls to detect the changes.
   B. Ensure that backups of the transaction logs are retained.
   C. Ensure that these employees are adequately supervised.
   D. Ensure that transaction logs are written in real time to Write Once and Read Many (WORM) drives.

   Allowing IT security employees access to transaction logs is often unavoidable because having system administrator privileges is required for them to do their job. The best control in this case, to avoid unauthorized modifications of transaction logs, is to write the transaction logs to WORM drive media in real time. It is important to note that simply backing up the transaction logs to tape is not adequate, because data could be modified before the daily backup job executes (typically at night).

23. In an IT department where segregation of duties is not feasible due to a limited number of resources, a team member is performing the functions of computer operator and reviewer of application logs. Which one of the following is the BEST recommendation?
   A. Restrict the computer operator's access to the production environment.
   B. Assign an independent second reviewer to verify the application logs.
   C. Develop procedures to verify that the application logs are not modified.
   D. Prevent the operator from performing application development activities.

24. Which of the following represents an example of a preventive control with respect to IT personnel?
   A. An accounting system that tracks employee telephone calls
   B. A log server that tracks logon IP addresses of users
   C. Review of visitor logs for the data center
   D. Implementation of a badge entry system for the IT facility

   Preventive controls are used to reduce the probability of an adverse event occurring. A badge entry system would prevent unauthorized entry to the facility.

25. When implementing an IT governance framework in an organization, the MOST important objective is:
   A. IT alignment with the business.
   B. value realization with IT.
   C. enhancing the return on IT investments.
   D. accountability.

   The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business. To achieve alignment, all other choices need to be tied to business practices and strategies.

26. An IS auditor reviewing the IT organization would be MOST concerned if the IT steering committee:
   A. is responsible for project approval and prioritization.
   B. is responsible for determining business goals.
   C. reports the status of IT projects to the board of directors.
   D. is responsible for developing the long-term IT plan.

   Determining the business goals is the responsibility of senior management and not of the IT steering committee. IT should support business goals and be driven by the business, not the other way around.

27. As an outcome of information security governance, strategic alignment provides:
   A. an understanding of risk exposure.
   B. security requirements driven by enterprise requirements.
   C. baseline security following good practices.
   D. institutionalized and commoditized solutions.

   Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements.

28. An IT governance framework provides an organization with:
   A. a basis for directing and controlling IT.
   B. assurance that there will be IT cost reductions.
   C. assurance that there are surplus IT investments.
   D. organizational structures to enlarge the market share through IT.

29. An employee has accidentally posted confidential data to the company's social media page. Which of the following is the BEST control to prevent this from recurring?
   A. Perform periodic audits of social media updates.
   B. Require all updates to be made by the marketing director.
   C. Implement a moderator approval process.
   D. Establish two-factor access control for social media accounts.

30. A financial enterprise has had difficulties establishing clear responsibilities between its IT strategy committee and its IT steering committee. Which of the following responsibilities would MOST likely be assigned to its IT steering committee?
   A. Aligning IT to business objectives
   B. Advising on IT compliance risk
   C. Approving IT project plans and budgets
   D. Promoting IT governance practices

   An IT steering committee typically has a variety of responsibilities, including approving IT project plans and budgets. Issues related to business objectives, risk and governance are responsibilities that are generally assigned to an IT strategy committee because it provides insight and advice to the board.