CISA Exam-Test 9

1. Data analytics tools are BEST suited for which of the following purposes?
- Examining low-frequency business transactions
- Quantifying business impact analysis (BIA) results
- Analyzing the effectiveness of risk assessment processes
- Identifying business process errors

2. Which of the following is MOST influential when defining disaster recovery strategies?
- Maximum tolerable downtime
- Existing server redundancies
- Data classification scheme
- Annual loss expectancy

3. Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy:
- is driven by an IT department's objectives.
- is published, but users are not required to read the policy.
- does not include information security procedures.
- has not been updated in over a year.

Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals.

4. A project team evaluated vendor responses to a request for proposal (RFP). An IS auditor reviewing the evaluation process would expect the team to have considered each vendor's:
- security policy.
- development methodology.
- financial stability.
- acceptance test plan.

5. Which of the following would impair the independence of a quality assurance team?
- Checking the test assumptions
- Checking the code to ensure proper documentation
- Ensuring compliance with development methods
- Correcting coding errors during the testing process

Correction of code should not be a responsibility of the quality assurance team, because it would not ensure segregation of duties and would impair the team's independence.

6. Which of the following findings would be of GREATEST concern to an IS auditor performing an information security audit of critical server log management activities?
- Logging procedures are insufficiently documented
- Logs are monitored using manual processes
- Log records are dynamically written to different servers
- Log records can be overwritten before being reviewed

7. A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and:
- retention.
- rebuilding.
- reuse.
- recovery.

Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which email communication is held in the same regard as the official form of classic "paper" makes a retention policy for corporate email a necessity. All email generated on an organization's hardware is the property of the organization, and an email policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of emails after a specified time to protect the nature and confidentiality of the messages themselves.

8. A vulnerability in which of the following virtual systems would be of GREATEST concern to the IS auditor?
- The virtual machine management server
- The virtual antivirus server
- The virtual file server
- The virtual application server

9. When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the:
- establishment of a review board.
- effective support of an executive sponsor.
- selection of a security process owner.
- creation of a security unit.

The executive sponsor would be in charge of supporting the organization's strategic security program and would aid in directing the organization's overall security management activities. Therefore, support by the executive level of management is the most critical success factor (CSF).

10. When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies:
- provide direction for implementing security procedures.
- are aligned with globally accepted industry good practices.
- strike a balance between business and security requirements.
- are approved by the board of directors and senior management.

Information security policies must, first of all, be aligned with an organization's business and security objectives.

11. An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should:
- report this issue as a finding in the audit report.
- re-scope the audit to include the separate project as part of the current audit.
- recommend that this separate project be completed as soon as possible.
- recommend the adoption of the Zachman framework.

It is critical for the EA to include the future state, because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding.

12. When developing a security architecture, which of the following steps should be executed FIRST?
- Specifying an access control methodology
- Developing security procedures
- Defining roles and responsibilities
- Defining a security policy

Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization.

13. Corporate IT policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation?
- Implement individual user accounts for all staff.
- Amend the IT policy to allow shared accounts.
- Have the current configuration approved by operations management.
- Ensure that there is an audit trail for all existing accounts.

Individual user accounts allow for accountability of transactions and should be the most important recommendation, given the current scenario.

14. Which of the following is the initial step in creating a firewall policy?
- Identification of network applications to be externally accessed
- Creation of an application traffic matrix showing protection methods
- A cost-benefit analysis of methods for securing the applications
- Identification of vulnerabilities associated with network applications to be externally accessed

The applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications.

15. To ensure that an organization is complying with privacy requirements, an IS auditor should FIRST review:
- adherence to organizational policies, standards and procedures.
- legal and regulatory requirements.
- the IT infrastructure.
- organizational policies, standards and procedures.

To ensure that the organization is complying with privacy requirements, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.

16. For a health care organization, which one of the following reasons would MOST likely indicate that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation?
- Member service representative training cost will be much higher.
- There are regulations regarding data privacy.
- It is harder to monitor remote databases.
- Time zone differences could impede customer service.

Regulations prohibiting the cross-border flow of personally identifiable information (PII) may make it impossible to locate a data warehouse containing customer/member information in another country.

17. An IS auditor finds that application servers had inconsistent configurations leading to potential security vulnerabilities. Which of the following should the auditor recommend FIRST?
- Enforce server baseline standards.
- Hold the application owner accountable for monitoring metrics.
- Use a single vendor for the application servers.
- Improve change management processes using a workflow tool.

18. An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?
- User acceptance testing (UAT) occur for all reports before release into production
- Management sign-off on requirements for new reports
- Standard software tools be used for report development
- Organizational data governance practices be put in place

Data governance directly addresses the problem. An organization-wide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative.

19. An organization issues digital certificates to employees to enable connectivity to a web-based application. Which of the following public key infrastructure (PKI) components MUST be included in the application architecture for determining the on-going validity of connections?
- Secure hash algorithm (SHA)
- Certificate authority (CA)
- Registration authority (RA)
- Certificate revocation list (CRL)

20. Which of the following should be included in an organization's information security policy?
- The basis for access control authorization
- Identity of sensitive security assets
- Relevant software security features
- A list of key IT resources to be secured

The security policy provides the broad framework of security as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access.

21. The BEST way to validate whether a malicious act has actually occurred in an application is to review:
- segregation of duties.
- access controls.
- activity logs.
- change management logs.

22. Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?
- Time zone differences could impede communications between IT teams.
- Software development may require more detailed specifications.
- Telecommunications cost could be much higher in the first year.
- Privacy laws could prevent cross-border flow of information.

Privacy laws prohibiting the cross-border flow of personally identifiable information would make it impossible to locate a data warehouse containing customer information in another country.

23. In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:
- implementation.
- compliance.
- sufficiency.
- documentation.

An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of the control baseline to meet security requirements.

24. A top-down approach to the development of operational policies helps ensure:
- that they are reviewed periodically.
- that they are implemented as a part of risk assessment.
- compliance with all policies.
- that they are consistent across the organization.

Deriving lower-level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies.

25. Which of the following is responsible for the approval of an information security policy?
- The board of directors
- The security committee
- The security administrator
- The IT department

Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors.

26. Which of the following is the GREATEST concern with conducting penetration testing on an internally developed application in the production environment?
- The issues identified during the testing may require significant remediation efforts.
- The testing may identify only known operating system vulnerabilities.
- Internal security staff may not be qualified to conduct application penetration testing.
- The testing could create application availability issues.

27. Which of the following is the BEST way to ensure that organizational policies comply with legal requirements?
- Policy alignment to the most restrictive regulations
- Inclusion of a blanket legal statement in each policy
- Periodic review by subject matter experts
- Annual sign-off by senior management on organizational policies

Periodic review of policies by personnel with specific knowledge of regulatory and legal requirements best ensures that organizational policies are aligned with legal requirements.

28. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
- Utilizing an intrusion detection system to report incidents
- Training provided on a regular basis to all current and new employees
- Installing an efficient user log system to track the actions of each user
- Mandating the use of passwords to access all software

Regular training is an important part of a security awareness program.

29. From a risk management perspective, which of the following is MOST important to be tracked in continuous monitoring?
- Changes in the threat environment
- Changes in user privileges
- Number of prevented attacks
- Number of failed logins

30. Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
- Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
- Management support and approval for the implementation and maintenance of a security policy
- Assimilation of the framework and intent of a written security policy by all appropriate parties
- Enforcement of security rules by providing punitive actions for any violation of security rules

Assimilation of the framework and intent of a written security policy by all levels of management and users of the system is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective.
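Worked example for question 19 (added here; it is not part of the exam material). The CA and RA are needed to issue an employee certificate in the first place, but once a certificate is in an employee's hands the application only learns that it has since been withdrawn (the employee left, the key was stolen) by consulting the CA's certificate revocation list. The Python below, which depends on the third-party `cryptography` package, constructs an in-memory CA, issues two employee certificates, publishes a CRL revoking one of them, and then runs the check a relying application should perform before accepting a connection. Every name in it (the CA, the employees, the `check_revocation` helper and its status strings) is invented for the example; the ordering of the checks (trust the CRL's signer, refuse a stale CRL, then look up the serial) is the point.

```python
"""Q19 illustration: ongoing validity of employee certificates via a CRL.
Constructed example; requires the third-party 'cryptography' package."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _now():
    return datetime.now(timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(common_name="Example Corp Employee CA"):
    """Self-signed CA for the example (hypothetical organization)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(_name(common_name))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(minutes=5))
        .not_valid_after(_now() + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_employee_cert(ca_key, ca_cert, employee_cn):
    """One-year end-entity certificate for an employee, signed by the CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(employee_cn))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(minutes=5))
        .not_valid_after(_now() + timedelta(days=365))
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def build_crl(ca_key, ca_cert, revoked_serials, valid_for=timedelta(days=1)):
    """CRL listing revoked serials; a negative valid_for yields an already-expired CRL."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(_now() - timedelta(days=2))
        .next_update(_now() + valid_for)
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(_now() - timedelta(minutes=1))
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def _next_update(crl):
    # cryptography >= 42 exposes aware datetimes; older releases return naive UTC.
    nu = getattr(crl, "next_update_utc", None)
    return nu if nu is not None else crl.next_update.replace(tzinfo=timezone.utc)


def check_revocation(cert, crl, ca_cert):
    """Relying-application check; returns 'untrusted_cert', 'crl_untrusted',
    'crl_stale', 'revoked' or 'good'. Fails closed on every doubt."""
    try:  # 1. the presented certificate must actually be one of ours
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "untrusted_cert"
    if not crl.is_signature_valid(ca_cert.public_key()):  # 2. an unsigned/forged CRL could hide revocations
        return "crl_untrusted"
    if _now() > _next_update(crl):  # 3. a CRL past nextUpdate may be missing recent revocations
        return "crl_stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:  # 4. lookup
        return "revoked"
    return "good"


def demo():
    """Builds the scenario and returns the decision for each connection attempt."""
    ca_key, ca_cert = make_ca()
    _, alice = issue_employee_cert(ca_key, ca_cert, "alice@example.test")
    _, bob = issue_employee_cert(ca_key, ca_cert, "bob@example.test")
    crl = build_crl(ca_key, ca_cert, [bob.serial_number])  # Bob has left the company
    stale_crl = build_crl(ca_key, ca_cert, [], valid_for=timedelta(days=-1))
    rogue_key, rogue_ca = make_ca("Rogue CA")
    forged_crl = build_crl(rogue_key, rogue_ca, [])  # empty CRL from the wrong signer
    _, outsider = issue_employee_cert(rogue_key, rogue_ca, "mallory@example.test")
    return {
        "alice": check_revocation(alice, crl, ca_cert),
        "bob": check_revocation(bob, crl, ca_cert),
        "alice_stale_crl": check_revocation(alice, stale_crl, ca_cert),
        "alice_forged_crl": check_revocation(alice, forged_crl, ca_cert),
        "outsider": check_revocation(outsider, crl, ca_cert),
    }


if __name__ == "__main__":
    for who, status in demo().items():
        print(f"{who}: {status}")
```

Note that a CRL is only as current as its last download: the `crl_stale` branch is what forces the application to fetch a fresh list rather than keep honoring a year-old one, which is the "on-going" part of the question.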