CISA Exam-Test 7

1. A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action?
- Terminate the developer's logical access to IT resources.
- Initiate the handover process to ensure continuity of the project.
- Set up an exit interview with human resources (HR).
- Ensure that management signs off on the termination paperwork.
Explanation: To protect IT assets, terminating logical access to IT resources is the first and most important action to take once management has confirmed the employee's clear intention to leave the enterprise.

2. In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether:
- there is an integration of IT and business personnel within projects.
- there is a clear definition of the IT mission and vision.
- the plan correlates business objectives to IT goals and objectives.
- a strategic information technology planning scorecard is in place.
Explanation: The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. The other options are matters for the strategic plan, which provides the framework within which the IT short-range plan is written.

3. When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?
- Reviewing transaction and application logs
- Restricting physical access to computing equipment
- Locking user sessions after a specified period of inactivity
- Performing background checks prior to hiring IT staff
Explanation: Reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior, and it also discourages abuse, because people who might otherwise be tempted to exploit the situation are aware of the likelihood of being caught.

4. Involvement of senior management is MOST important in the development of:
- IT procedures.
- strategic plans.
- IT policies.
- standards and guidelines.
Explanation: Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives.

5. In a review of the human resources policies and procedures within an organization, an IS auditor would be MOST concerned with the absence of a:
- process for formalized exit interviews.
- requirement for new employees to sign a nondisclosure agreement (NDA).
- termination checklist requiring that keys and company property be returned and all access permissions revoked upon termination.
- requirement for job rotation on a periodic basis.
Explanation: A termination checklist is critical to ensure the logical and physical security of an enterprise. In addition to preventing the loss of company property issued to the employee, it addresses the risk of unauthorized access, intellectual property theft and even sabotage by a disgruntled former employee.

6. An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
- a disruption of operations.
- dependency on a single person.
- one person knowing all parts of a system.
- inadequate succession planning.
Explanation: Cross-training is a process of training more than one individual to perform a specific job or procedure. Before adopting this approach, it is prudent to have assessed the risk of any one person knowing all parts of a system, and the potential exposures that arise from abuse of privilege.

7. Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?
- Logs are being collected in a separate protected host.
- Insider attacks are being controlled.
- Access to configuration files is restricted.
- Automated alerts are being sent when a risk is detected.

8. Which of the following would BEST provide assurance of the integrity of new staff?
- References
- Bonding
- Background screening
- Qualifications listed on a resume
Explanation: A background screening is the primary method for assuring the integrity of a prospective staff member. This may include criminal history checks, driver's license abstracts, financial status checks, verification of education, etc.

9. In a database management system (DBMS), normalization is used to:
- reduce access time.
- reduce data redundancy.
- standardize data names.
- eliminate processing deadlocks.

10. Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?
- Use of test transactions
- Interviews with knowledgeable users
- Review of program documentation
- Review of source code

11. From a control perspective, the key element in job descriptions is that they:
- communicate management's specific job performance expectations.
- are current, documented and readily available to the employee.
- provide instructions on how to do the job and define authority.
- establish responsibility and accountability for the employee's actions.
Explanation: From a control perspective, a job description should establish responsibility and accountability. This helps ensure that users are given system access in accordance with their defined job responsibilities and are held accountable for how they use that access.

12. What is the FIRST line of defense against criminal insider activities?
- Signing security agreements by critical personnel
- Stringent and enforced access controls
- Validating the integrity of personnel
- Monitoring employee activities

13. Which of the following is the BEST criterion for evaluating the adequacy of an organization's security awareness program?
- Job descriptions contain clear statements of accountability for information security.
- No actual incidents have occurred that have caused a loss or a public embarrassment.
- In accordance with the degree of risk and business impact, there is adequate funding for security efforts.
- Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.
Explanation: The inclusion of security responsibilities in job descriptions is a key factor in demonstrating the maturity of the security program and helps ensure that staff and management are aware of their roles with respect to information security.

14. An IS auditor of a large organization is reviewing the roles and responsibilities for the IT function and has found some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor?
- System administrators are application programmers.
- End users are security administrators for critical applications.
- Network administrators are responsible for quality assurance.
- Systems analysts are database administrators.
Explanation: When individuals serve multiple roles, this represents a separation of duties problem with associated risk. System administrators should not be application programmers, because of the combined rights of the two functions: a person with both administrative and programming rights could do almost anything on a system, including creating a back door. The other combinations of roles are acceptable from a separation of duties perspective.

15. An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:
- ensure that IT staff meet performance requirements.
- train and educate IT staff.
- indicate whether the organization meets quality standards.
- assess IT functions and processes.

16. Which of the following is MOST likely to be included in computer operating procedures in a large data center?
- Procedures for resequencing source code
- Procedures for utility configuration
- Guidance on setting security parameters
- Instructions for job scheduling

17.
Which of the following is the GREATEST concern associated with migrating computing resources to a cloud virtualized environment?
- An increase in residual risk
- An increase in the number of e-discovery requests
- An increase in inherent vulnerability
- An increase in the potential for data leakage

18. An organization has outsourced many application development activities to a third party that uses contract programmers extensively. Which of the following would provide the BEST assurance that the third party's contract programmers comply with
- Include penalties for noncompliance in the contracting agreement
- Require annual signed agreements of adherence to security policies
- Conduct periodic vulnerability scans of the application
- Perform periodic security assessments of the contractors' activities

19. Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
- provide proper cross-training for another employee.
- reduce the opportunity for an employee to commit an improper or illegal act.
- eliminate the potential disruption caused when an employee takes vacation one day at a time.
- ensure the employee maintains a good quality of life, which will lead to greater productivity.
Explanation: Required vacations/holidays of a week or more, during which someone other than the regular employee performs that employee's job function, are often mandatory for sensitive positions because they reduce the opportunity to commit improper or illegal acts. During this time it may be possible to discover any fraudulent activity that was taking place.

20. An IS audit department is planning to minimize its dependency on key individuals. Activities that contribute to this objective are documented procedures, knowledge sharing, cross-training and:
- staff job evaluation.
- responsibilities definitions.
- succession planning.
- employee award programs.
Explanation: Succession planning ensures that internal personnel with the potential to fill key positions in the company are identified and developed.

21. When an employee is terminated from service, the MOST important action is to:
- disable the employee's logical access.
- hand over all of the employee's files to another designated employee.
- notify other employees of the termination.
- complete a backup of the employee's work.
Explanation: There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important and immediate action to take.

22. Which of the following is normally a responsibility of the chief information security officer (CISO)?
- Executing user application and software testing and evaluation
- Periodically reviewing and evaluating the security policy
- Granting and revoking user access to IT resources
- Approving access to data and applications
Explanation: The role of the chief information security officer (CISO) is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the company's assets, including data, programs and equipment. Granting access and approving access are operational and data-owner responsibilities rather than CISO responsibilities.

23. Which of the following activities performed by a database administrator (DBA) should be performed by a different person?
- Implementing database optimization tools
- Defining backup and recovery procedures
- Monitoring database usage
- Deleting database activity logs
Explanation: Because database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than the DBA. This is a compensating control that helps ensure an appropriate segregation of duties around the DBA's role.

24. A local area network (LAN) administrator normally would be restricted from:
- being responsible for LAN security administration.
- having programming responsibilities.
- having end-user responsibilities.
Explanation: A LAN administrator should not have programming responsibilities, because that could allow modification of production programs without proper separation of duties; the LAN administrator may, however, have end-user responsibilities.

25. To support an organization's goals, an IT department should have:
- plans to acquire new hardware and software.
- long- and short-range plans.
- a low-cost philosophy.
- leading-edge technology.
Explanation: To ensure its contribution to the realization of an organization's overall goals, the IT department should have long- and short-range plans that are consistent with the organization's broader and strategic plans for attaining its goals.

26. A financial services enterprise has a small IT department, and individuals perform more than one role. Which of the following practices represents the GREATEST risk?
- The business analyst writes the requirements and performs functional testing.
- The developers promote code into the production environment.
- The IT manager also performs systems administration.
- The database administrator (DBA) also performs data backups.
Explanation: If developers have access to the production environment, there is a risk that untested code can be migrated into the production environment.

27. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
- Overlapping controls
- Compensating controls
- Boundary controls
- Access controls
Explanation: Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.

28. An IT governance framework provides an organization with:
- a basis for directing and controlling IT.
- assurance that there are surplus IT investments.
- assurance that there will be IT cost reductions.
- organizational structures to enlarge the market share through IT.

29.
Which of the following is the MOST important factor when an organization is developing information security policies and procedures?
- Consultation with management
- Cross-references between policies and procedures
- Inclusion of mission and objectives
- Compliance with relevant regulations

30. A long-term IT employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be PRIMARILY based on the individual's experience and:
- IT knowledge, because this will bring enhanced credibility to the audit function.
- age, because training in audit techniques may be impractical.
- length of service, because this will help ensure technical competence.
- ability, as an IS auditor, to be independent of existing IT relationships.
Explanation: Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities.
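Questions 3 and 23 above both rely on log review as the compensating control when duties cannot be fully segregated. The following is an added example, not part of the original exam page, of what such a review looks like in practice: a script that reads a transaction/application log and flags IT support accounts performing end-user business transactions (question 3) and a DBA account deleting its own activity log (question 23), and generalises the same idea to a maker/checker check (the same account creating and approving one payment). The pipe-delimited log format, the account roster, the action names and the sample log lines are all constructed for illustration and are not taken from any real system.

```python
"""Log review as a compensating control for weak segregation of duties.

Added example, not part of the original exam page. The log format
(pipe-delimited: timestamp|user|action|target), the account roster and
the action names are all constructed here for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

# Constructed roster of privileged accounts (assumption: maintained by HR/IAM).
IT_SUPPORT_ACCOUNTS = {"jdoe.support", "rlee.support"}
DBA_ACCOUNTS = {"dba01"}

# End-user business transactions. IT support staff have no business reason
# to perform these, so a support account doing so is the abuse the review
# (question 3) is meant to detect.
BUSINESS_ACTIONS = {"CREATE_PAYMENT", "APPROVE_PAYMENT", "CHANGE_VENDOR_BANK"}

# Actions a DBA should not perform on the records of their own activity
# (question 23).
LOG_TAMPERING_ACTIONS = {"DELETE_AUDIT_LOG", "TRUNCATE_AUDIT_LOG"}

# Constructed sample log, in chronological order; the last line is malformed
# on purpose to show that unparseable lines are skipped, not fatal.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z|alice|CREATE_PAYMENT|inv-1001
2024-03-04T09:15:33Z|jdoe.support|RESET_PASSWORD|alice
2024-03-04T09:16:10Z|jdoe.support|APPROVE_PAYMENT|inv-1001
2024-03-04T10:02:45Z|bob|CREATE_PAYMENT|inv-1002
2024-03-04T10:03:01Z|bob|APPROVE_PAYMENT|inv-1002
2024-03-04T11:40:12Z|carol|APPROVE_PAYMENT|inv-1003
2024-03-04T23:58:09Z|dba01|DELETE_AUDIT_LOG|db_activity_2024-03
2024-03-05T08:00:00Z|rlee.support|CHANGE_VENDOR_BANK|vendor-77
this line is deliberately malformed and must be skipped
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    action: str
    target: str
    reason: str


def parse_log(text: str) -> Iterator[tuple[str, str, str, str]]:
    """Yield (timestamp, user, action, target); skip lines that do not parse."""
    for raw in text.splitlines():
        parts = raw.strip().split("|")
        if len(parts) != 4 or not all(parts):
            continue
        yield parts[0], parts[1], parts[2], parts[3]


def review_log(text: str) -> list[Finding]:
    """Apply three segregation-of-duties checks to a transaction/application log."""
    findings: list[Finding] = []
    creators: dict[str, str] = {}  # payment target -> account that created it

    for ts, user, action, target in parse_log(text):
        # Check 1 (question 3): IT support account performing an end-user transaction.
        if user in IT_SUPPORT_ACCOUNTS and action in BUSINESS_ACTIONS:
            findings.append(Finding(ts, user, action, target,
                                    "IT support account performed an end-user business transaction"))

        # Check 2 (question 23): DBA removing the record of DBA activity.
        if user in DBA_ACCOUNTS and action in LOG_TAMPERING_ACTIONS:
            findings.append(Finding(ts, user, action, target,
                                    "DBA account deleted or truncated a database activity log"))

        # Check 3 (generalisation): maker/checker violation, the same account
        # both created and approved one payment.
        if action == "CREATE_PAYMENT":
            creators[target] = user
        elif action == "APPROVE_PAYMENT" and creators.get(target) == user:
            findings.append(Finding(ts, user, action, target,
                                    "same account created and approved the payment"))

    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user:<14} {f.action:<18} {f.target:<22} {f.reason}")
```

Run against the constructed log, the review produces four findings: the support account approving a payment, the DBA deleting the activity log, the second support account changing vendor bank details, and one maker/checker violation. The password reset by the support account is not flagged, because it is a legitimate support action; the point of the control is to separate what the privileged role is expected to do from what only an end user should be doing. In a real review the roster would come from the identity system rather than a hard-coded set, and the findings would be signed off by someone outside the teams being reviewed, in line with the principle in question 23.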