Independence Day Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: netdisc

Isaca CISA Certified Information Systems Auditor Exam Practice Test

Demo: 34 questions
Total 231 questions

Certified Information Systems Auditor Questions and Answers

Question 1

Which of the following data would be used when performing a business impact analysis (BIA)?

Options:

A.

Projected impact of current business on future business

B.

Cost-benefit analysis of running the current business

C.

Cost of regulatory compliance

D.

Expected costs for recovering the business

Question 2

When an intrusion into an organization network is deleted, which of the following should be done FIRST?

Options:

A.

Block all compromised network nodes.

B.

Contact law enforcement.

C.

Notify senior management.

D.

Identity nodes that have been compromised.

Question 3

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

Options:

A.

Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees

B.

Establishing strong access controls on confidential data

C.

Providing education and guidelines to employees on use of social networking sites

D.

Monitoring employees' social networking usage

Question 4

IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance. Which of the following controls will MOST effectively compensate for the lack of referential integrity?

Options:

A.

More frequent data backups

B.

Periodic table link checks

C.

Concurrent access controls

D.

Performance monitoring tools

Question 5

Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

Options:

A.

Balanced scorecard

B.

Enterprise dashboard

C.

Enterprise architecture (EA)

D.

Key performance indicators (KPIs)

Question 6

Which of the following would be to MOST concern when determine if information assets are adequately safequately safeguarded during transport and disposal?

Options:

A.

Lack of appropriate labelling

B.

Lack of recent awareness training.

C.

Lack of password protection

D.

Lack of appropriate data classification

Question 7

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?

Options:

A.

Report the mitigating controls.

B.

Report the security posture of the organization.

C.

Determine the value of the firewall.

D.

Determine the risk of not replacing the firewall.

Question 8

During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

Options:

A.

Revise the assessment based on senior management's objections.

B.

Escalate the issue to audit management.

C.

Finalize the draft audit report without changes.

D.

Gather evidence to analyze senior management's objections

Question 9

An information systems security officer's PRIMARY responsibility for business process applications is to:

Options:

A.

authorize secured emergency access

B.

approve the organization's security policy

C.

ensure access rules agree with policies

D.

create role-based rules for each business process

Question 10

An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward 10 those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?

Options:

A.

The number of users deleting the email without reporting because it is a phishing email

B.

The number of users clicking on the link to learn more about the sender of the email

C.

The number of users forwarding the email to their business unit managers

D.

The number of users reporting receipt of the email to the information security team

Question 11

An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?

Options:

A.

Review system and error logs to verify transaction accuracy.

B.

Review input and output control reports to verify the accuracy of the system decisions.

C.

Review signed approvals to ensure responsibilities for decisions of the system are well defined.

D.

Review system documentation to ensure completeness.

Question 12

An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?

Options:

A.

Implement a new system that can be patched.

B.

Implement additional firewalls to protect the system.

C.

Decommission the server.

D.

Evaluate the associated risk.

Question 13

Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

Options:

A.

Rotate job duties periodically.

B.

Perform an independent audit.

C.

Hire temporary staff.

D.

Implement compensating controls.

Question 14

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

Options:

A.

Compliance with action plans resulting from recent audits

B.

Compliance with local laws and regulations

C.

Compliance with industry standards and best practice

D.

Compliance with the organization's policies and procedures

Question 15

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

Options:

A.

Phishing

B.

Using a dictionary attack of encrypted passwords

C.

Intercepting packets and viewing passwords

D.

Flooding the site with an excessive number of packets

Question 16

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.

the Internet.

B.

the demilitarized zone (DMZ).

C.

the organization's web server.

D.

the organization's network.

Question 17

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

Options:

A.

communicate via Transport Layer Security (TLS),

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Question 18

The waterfall life cycle model of software development is BEST suited for which of the following situations?

Options:

A.

The protect requirements are wall understood.

B.

The project is subject to time pressures.

C.

The project intends to apply an object-oriented design approach.

D.

The project will involve the use of new technology.

Question 19

An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?

Options:

A.

The default configurations have been changed.

B.

All tables in the database are normalized.

C.

The service port used by the database server has been changed.

D.

The default administration account is used after changing the account password.

Question 20

In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?

Options:

A.

Modify applications to no longer require direct access to the database.

B.

Introduce database access monitoring into the environment

C.

Modify the access management policy to make allowances for application accounts.

D.

Schedule downtime to implement password changes.

Question 21

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

Options:

A.

Incident monitoring togs

B.

The ISP service level agreement

C.

Reports of network traffic analysis

D.

Network topology diagrams

Question 22

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure In the affected country. Which of the following would be MOST helpful in making this assessment?

Options:

A.

Developing an inventory of all business entities that exchange personal data with the affected jurisdiction

B.

Identifying data security threats in the affected jurisdiction

C.

Reviewing data classification procedures associated with the affected jurisdiction

D.

Identifying business processes associated with personal data exchange with the affected jurisdiction

Question 23

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

Options:

A.

risk management review

B.

control self-assessment (CSA).

C.

service level agreement (SLA).

D.

balanced scorecard.

Question 24

Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?

Options:

A.

Align service level agreements (SLAs) with current needs.

B.

Monitor customer satisfaction with the change.

C.

Minimize costs related to the third-party agreement.

D.

Ensure right to audit is included within the contract.

Question 25

A manager Identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor In this scenario?

Options:

A.

Terminated staff

B.

Unauthorized access

C.

Deleted log data

D.

Hacktivists

Question 26

Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?

Options:

A.

Portfolio management

B.

Business plans

C.

Business processes

D.

IT strategic plans

Question 27

Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

Options:

A.

Annual sign-off of acceptable use policy

B.

Regular monitoring of user access logs

C.

Security awareness training

D.

Formalized disciplinary action

Question 28

Which of the following should be GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?

Options:

A.

Data conversion was performed using manual processes.

B.

Backups of the old system and data are not available online.

C.

Unauthorized data modifications occurred during conversion.

D.

The change management process was not formally documented

Question 29

Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?

Options:

A.

Write access to production program libraries

B.

Write access to development data libraries

C.

Execute access to production program libraries

D.

Execute access to development program libraries

Question 30

Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?

Options:

A.

File level encryption

B.

File Transfer Protocol (FTP)

C.

Instant messaging policy

D.

Application level firewalls

Question 31

An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found Which sampling method would be appropriate?

Options:

A.

Discovery sampling

B.

Judgmental sampling

C.

Variable sampling

D.

Stratified sampling

Question 32

Which of the following occurs during the issues management process for a system development project?

Options:

A.

Contingency planning

B.

Configuration management

C.

Help desk management

D.

Impact assessment

Question 33

An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization s objectives?

Options:

A.

Assessment of the personnel training processes of the provider

B.

Adequacy of the service provider's insurance

C.

Review of performance against service level agreements (SLAs)

D.

Periodic audits of controls by an independent auditor

Question 34

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?

Options:

A.

Staging

B.

Testing

C.

Integration

D.

Development

Demo: 34 questions
Total 231 questions