Last Updated on December 13, 2021 by Admin 3
CISA : Certified Information Systems Auditor : Part 100
- CISA : Part 1 - 40
- CISA : Part 41 - 80
- CISA : Part 81 - 120
- CISA : Part 121 - 160
- CISA : Part 161 - 172
-
A small startup organization does not have the resources to implement segregation of duties. Which of the following is the MOST effective compensating control?
- Rotation of log monitoring and analysis responsibilities
- Additional management reviews and reconciliations
- Third-party assessments
- Mandatory vacations
Explanation:
Reference: https://www.computerweekly.com/tip/Segregation-of-duties-Small-business-best-practices
-
Which of the following BEST facilitates compliance with requirements mandating the security of confidential data?
- Classification of data
- Security awareness training
- Encryption of external data transmissions
- Standardized escalation protocols for breaches
-
An IS auditor is performing an audit of a large organization’s operating system maintenance procedures. Which of the following findings presents the GREATEST risk?
- Some internal servers cannot be patched due to software incompatibility.
- The configuration management database is not up-to-date.
- Vulnerability testing is not performed on the development servers.
- Critical patches are applied immediately while others follow quarterly release cycles.
-
Which of the following should occur EARLIEST in a business continuity management lifecycle?
- Defining business continuity procedures
- Identifying critical business processes
- Developing a training and awareness program
- Carrying out a threat and risk assessment
-
While performing a risk-based audit, which of the following would BEST enable an IS auditor to identify and categorize risk?
- Understanding the control framework
- Developing a comprehensive risk model
- Understanding the business environment
- Adopting qualitative risk analysis
-
Which of the following is a MAJOR benefit of using a wireless network?
- Faster network speed
- Stronger authentication
- Protection against eavesdropping
- Lower installation cost
-
Which of the following is appropriate when an IS auditor is conducting an exit meeting with senior management?
- Eliminate significant findings where audit and management agree on risk acceptance.
- Agree with senior management on the risk grading of the audit report.
- Document written responses from management along with an implementation plan.
- Escalate disputed recommendations to the audit committee.
-
When conducting a follow-up of previous audit findings, an IS auditor is told by management that a recommendation to make security changes to an application has not been implemented. The IS auditor should FIRST determine whether:
- additional time to implement changes is needed.
- the associated risk is still relevant.
- the recommendation should be re-issued.
- the issue should be escalated.
-
A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?
- Document last-minute enhancements.
- Perform user acceptance testing.
- Perform a pre-implementation audit.
- Ensure that code has been reviewed.
-
Which of the following actions should an organization’s security policy require an employee to take upon finding a security breach?
- Report the incident to the manager immediately.
- Inform IS audit management immediately.
- Confirm the breach can be exploited.
- Devise appropriate countermeasures.
-
The performance of an order-processing system can be measured MOST reliably by monitoring:
- input/request queue length.
- turnaround time of completed transactions.
- application and database servers’ CPU load.
- heartbeats between server systems.
-
In planning a major system development project, function point analysis would assist in:
- estimating the elapsed time of the project.
- estimating the size of a system development task.
- analyzing the functions undertaken by system users as an aid to job redesign.
- determining the business functions undertaken by a system or program.
-
During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following would be the auditor’s BEST recommendation?
- IT security should regularly revoke excessive system rights.
- System administrators should ensure consistency of assigned rights.
- Line management should regularly review and request modification of access rights.
- Human resources should delete access rights of terminated employees.
-
During an enterprise resource planning (ERP) post-implementation review, it was noted that operating costs have been significantly higher than anticipated. Which of the following should the organization have done to detect this issue?
- Updated the project charter as major changes occurred
- Conducted periodic user satisfaction surveys
- Performed an analysis of system usage
- Monitored financial key performance indicators (KPIs)
-
Which of the following access rights in the production environment should be granted to a developer to maintain segregation of duties?
- Database administration
- Emergency support
- IT operations
- System administration
-
An IS auditor considering use of another auditor’s workpapers should:
- rarely rely on the work of another auditor.
- determine that the workpapers were completed within the past month.
- determine that the auditee agrees with key issues in these workpapers.
- consider the appropriateness and sufficiency of the workpapers.
-
Which of the following is the MOST important issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?
- Continuity of service
- Homogeneity of the network
- Nonrepudiation
- Identity management
-
An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?
- Administrative security can be provided for the client.
- System administration can be better managed.
- The security of the desktop PC is enhanced.
- Desktop application software will never have to be upgraded.
-
Which of the following would BEST assist senior management in evaluating IT performance as well as the alignment between corporate and IT strategic objectives?
- Enterprise architecture (EA)
- IT project value analysis
- Balanced scorecard
- Control self-assessment (CSA)
-
Which of the following should be the GREATEST concern to an IS auditor reviewing the information security framework of an organization?
- The information security policy has not been updated in the last two years.
- A list of critical information assets was not included in the information security policy.
- Senior management was not involved in the development of the information security policy.
- The information security policy is not aligned with regulatory requirements.