CISA Exam-Test 8

1. The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it:
- does not exceed the existing IT budget.
- is aligned with the investment strategy.
- has been approved by the IT steering committee.
- is aligned with the business plan.

Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.

2. Effective IT governance will ensure that the IT plan is consistent with the organization's:
- investment plan.
- business plan.
- security plan.
- audit plan.

To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization's business plans.

3. When reviewing the IT strategy, an IS auditor can BEST assess whether the strategy supports the organization's business objectives by determining whether IT:
- has all the personnel and equipment it needs.
- plans are consistent with management strategy.
- has sufficient excess capacity to respond to changing directions.
- uses its equipment and personnel efficiently and effectively.

The only way to know if IT strategy will meet business objectives is to determine if the IT plan is consistent with management strategy and that it relates IT planning to business plans.

4. What is the MOST effective way to ensure security policies and procedures are up-to-date?
- Prevent security documentation audit issues from being raised
- Verify security requirements are being identified and consistently applied
- Define and document senior management's vision for the direction of the security
- Align the organization's security practices with industry standards and best practice

5. An IS auditor is verifying IT policies and found that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST?
- Report the absence of documented approval.
- Recommend immediate management approval of the policies.
- Ignore the absence of management approval because employees follow the policies.
- Emphasize the importance of approval to management.

The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee were terminated as a result of violating a company policy and it was discovered that the policies had not been approved, the company could be faced with an expensive lawsuit.

6. When reviewing an organization's strategic IT plan, an IS auditor should expect to find:
- actions to reduce hardware procurement cost.
- an assessment of the fit of the organization's application portfolio with business objectives.
- a description of the technical architecture for the organization's network perimeter security.
- a listing of approved suppliers of IT contract resources.

An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process. This drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc., can support the business objectives. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization's business objectives.

7. Which of the following would an IS auditor consider to be the MOST important when evaluating an organization's IT strategy? That it:
- complies with procurement procedures.
- supports the business objectives of the organization.
- has been approved by line management.
- does not vary from the IT department's preliminary budget.

Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals.

8. Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
- Unauthorized users may have access to originate, modify or delete data.
- User management coordination does not exist.
- Specific user accountability cannot be established.
- Audit recommendations may not be implemented.

Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that individuals could gain (be given) system access when they should not have authorization. The risk of unauthorized users being able to modify data is greater than the risk of authorized user accounts not being controlled properly.

9. An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that:
- this lack of knowledge may lead to unintentional disclosure of sensitive information.
- the audit finding will cause management to provide continuous training to staff.
- information security is not critical to all functions.
- IS audit should provide security training to the employees.

All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.

10. Which of the following is the BEST enabler for strategic alignment between business and IT?
- Goals and metrics
- A maturity model
- A responsible, accountable, consulted and informed (RACI) chart
- Control objectives

Goals and metrics ensure that IT goals are set based on business goals, and they are the best enablers of strategic alignment.

11. An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
- review the metrics for quality evaluation.
- identify and report the controls currently in place.
- request all standards that have been adopted by the organization.
- verify how the organization follows the standards.

Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows its own standards cannot be performed until the IS auditor has determined what standards exist.

12. Which of the following is the BEST approach to identify whether a vulnerability is actively being exploited?
- Perform log analysis
- Conduct a penetration test
- Review service desk reports
- Implement key performance indicators (KPIs)

13. Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IT department?
- Evaluating hardware needs
- Conducting control self-assessment
- Keeping current with technology advances
- Allocating resources

The IT department should specifically consider the manner in which resources are allocated in the short term. The IS auditor will ensure that the resources are being managed adequately.

14. Which of the following controls should be implemented to BEST minimize system downtime for maintenance?
- Virtualization
- Nightly full backups
- Warm site
- Clustering

15. The PRIMARY focus of audit follow-up reports should be to:
- verify the completion date of the implementation.
- determine if audit recommendations have been implemented.
- assess if new risks have developed.
- determine if past findings are still relevant.

16. Which of the following goals would you expect to find in an organization's strategic plan?
- Become the supplier of choice for the product offered.
- Implement a new project planning system within the next 12 months.
- Test a new accounting package.
- Perform an evaluation of information technology needs.

Becoming the supplier of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and would, thus, be a part of the organization's strategic plan.

17. An IS auditor reviewing an organization's IT strategic plan should FIRST review:
- the business plan.
- the present IT budget.
- current technology trends.
- the existing IT environment.

The IT strategic plan exists to support the organization's business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize himself/herself with the business plan.

18. An organization's senior management is encouraging employees to use social media for promotional purposes. Which of the following should be the information security manager's FIRST step to support this strategy?
- Incorporate social media into the security awareness program
- Employ the use of a web content filtering solution
- Develop a business case for a data loss prevention solution
- Develop a guideline on the acceptable use of social media

19. Which of the following is the BEST reason to implement a policy which places conditions on secondary employment for IT employees?
- To prevent theft of IT assets
- To prevent employee performance issues
- To prevent the misuse of corporate resources
- To prevent conflicts of interest

The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Policies should be in place to control IT employees seeking secondary employment from releasing sensitive information or working for a competing company. Conflicts of interest could result in serious risk such as fraud, theft of intellectual property or other improprieties.

20. An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk?
- The policy has not been updated in more than one year.
- The company does not have an information security policy committee.
- The policy includes no revision history.
- The policy is approved by the security administrator.

The information security policy should have an owner who has management responsibility for the development, review, approval and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore would not have the authority to approve the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues.

21. To help ensure the accuracy and completeness of end-user computing output, it is MOST important to include strong:
- change management controls
- documentation controls
- access management controls
- reconciliation controls

22. To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:
- a business impact analysis (BIA).
- control self-assessments.
- an IT balanced scorecard (BSC).
- business process reengineering (BPR).

An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate.

23. A security company and service provider have merged and the CEO has requested one comprehensive set of security policies be developed for the newly formed company. The IS auditor's BEST recommendation would be to:
- adopt an industry standard security policy
- implement the service provider's policies
- conduct a policy gap assessment
- implement the security company's policies

24. When auditing the archiving of the company's email communications, the IS auditor should pay the MOST attention to:
- the existence of a data retention policy.
- the level of user awareness concerning email use.
- the support and stability of the archiving solution manufacturer.
- the storage capacity of the archiving solution.

Without a data retention policy that is aligned to the company's business and compliance requirements, the email archive may not preserve and reproduce the correct information when required.

25. The rate of change in technology increases the importance of:
- hiring qualified personnel.
- implementing and enforcing sound processes.
- meeting user requirements.
- outsourcing the IT function.

Change control requires that good change management processes be implemented and enforced.

26. When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
- Implement accountability rules within the organization.
- Create a chief risk officer (CRO) role in the organization.
- Review the strategic alignment of IT with the business.
- Ensure that independent IT audits are conducted periodically.

IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself.

27. An e-commerce enterprise's disaster recovery (DR) site has 30% less processing capability than the primary site. Based on this information, which of the following presents the GREATEST risk?
- Network firewalls and database firewalls at the DR site do not provide high availability.
- No disaster recovery plan (DRP) testing has been performed during the last six months.
- The DR site is in a shared location that hosts multiple other enterprises.
- The DR site has not undergone testing to confirm its effectiveness.

28. An IS audit reveals an organization's IT department reports any deviations from its security standards to an internal IT risk committee involving IT senior management. Which of the following should be the IS auditor's GREATEST concern?
- The IT risk committee meeting minutes are not signed off by all participants.
- The list of IT risk committee members does not include the board member responsible for IT.
- The IT risk committee has no reporting line to any governance committee outside IT.
- The chief information officer (CIO) did not attend a number of IT risk committee meetings during the past year.

29. Which of the following is the MOST effective means of helping management and the IT strategy committee to monitor IT performance?
- Infrastructure monitoring reports
- End-user satisfaction surveys
- Measurement of service levels against metrics
- Gap analysis

30. When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:
- specifies project management practices.
- addresses the required operational controls.
- articulates the IT mission and vision.
- incorporates state of the art technology.

The IT strategic plan must include a clear articulation of the IT mission and vision.