Last Updated on December 23, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 107

  1. An organization is considering using production data for testing a new application’s functionality. Which of the following data protection techniques would BEST ensure that personal data cannot be inadvertently recovered in test environments while also reducing the need for strict confidentiality of the data?

    • Data anonymization
    • Data minimization
    • Data normalization
    • Data encryption
  2. Disaster recovery planning for network connectivity to a hot site over a public-switched network would be MOST likely to include:

    • minimizing the number of points of presence
    • contracts for acquiring new leased lines
    • reciprocal agreements with customers of that network
    • redirecting private virtual circuits
  3. Which of the following privacy principles ensures data controllers do not use personal data in unintended ways that breach protection of data subjects?

    • Data retention
    • Adequacy
    • Accuracy
    • Purpose limitation
  4. An organization’s software developers need access to personally identifiable information (PII) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

    • Data masking
    • Data encryption
    • Data tokenization
    • Data abstraction
  5. As part of business continuity planning, which of the following is MOST important to include in a business impact analysis (BIA)?

    • Define a risk appetite.
    • Assess risk of moving significant applications to the cloud.
    • Assess recovery scenarios.
    • Assess threats to the organization.
  6. Which of the following is the MOST important reason for updating and retesting a business continuity plan (BCP)?

    • Staff turnover
    • Emerging technology
    • Significant business change
    • Matching industry best practices
  7. When developing a business continuity plan (BCP), which of the following should be performed FIRST?

    • Develop business continuity training
    • Classify operations
    • Conduct a business impact analysis (BIA)
    • Establish a disaster recovery plan (DRP)
  8. An organization has outsourced its data leakage monitoring to an Internet service provider (ISP). Which of the following is the BEST way for an IS auditor to determine the effectiveness of this service?

    • Verify the ISP has staff to deal with data leakage
    • Review the ISP’s external audit report
    • Review the data leakage clause in the SLA
    • Simulate a data leakage incident
  9. Which of the following would be of GREATEST concern to an IS auditor reviewing a critical spreadsheet during a financial audit?

    • Periodic access reviews are manually performed.
    • Changes to the file are not always documented.
    • Access requests are manually processed.
    • A copy of the current validated file is not available.
  10. Which of the following activities is MOST important in determining whether a test of a disaster recovery plan (DRP) has been successful?

    • Evaluating participation by key personnel
    • Testing at the backup data center
    • Analyzing whether predetermined test objectives were met
    • Testing with offsite backup files
  11. Which of the following should be the FIRST step when conducting an IT risk assessment?

    • Assess vulnerabilities
    • Identify assets to be protected
    • Evaluate controls in place
    • Identify potential threats
  12. To develop a robust data security program, the FIRST course of action should be to:

    • implement monitoring controls
    • implement data loss prevention (DLP) controls
    • perform an inventory of assets
    • interview IT senior management
  13. An IS auditor has been asked to participate in the creation of an organization’s formal business continuity program. Which of the following would impair auditor independence?

    • Developing disaster recovery test scenarios
    • Determining system criticality
    • Facilitating the business impact analysis (BIA)
    • Participating on the business continuity committee
  14. When is the BEST time to commence continuity planning for a new application system?

    • Immediately after implementation
    • Just prior to the handover to the system maintenance group
    • During the design phase
    • Following successful user testing
  15. An IS auditor is performing a consulting engagement and needs to make a recommendation for securing all doors to a data center to prevent unauthorized access. Which of the following access control techniques would be MOST difficult for an intruder to compromise?

    • Dead-man door and swipe card
    • Smart card and numeric keypad
    • USB token and password
    • Biometrics and PIN
  16. Invoking a business continuity plan (BCP) is demonstrating which type of control?

    • Corrective
    • Preventive
    • Detective
    • Directive
  17. Which of the following is necessary to determine what would constitute a disaster for an organization?

    • Backup strategy analysis
    • Threat probability analysis
    • Risk analysis
    • Recovery strategy analysis
  18. Which of the following should be an information security manager’s PRIMARY role when an organization initiates a data classification process?

    • Assign the asset classification level.
    • Define the classification structure to be implemented.
    • Verify that assets have been appropriately classified.
    • Apply security in accordance with specific classification.
  19. Which of the following would BEST protect against web-based cross-domain attacks?

    • Network addressing scheme
    • Database hardening
    • Encryption controls
    • Application controls
  20. When using digital signatures, a sender transmits an encrypted message digest. This ensures that the:

    • message is not intercepted during transmission
    • message is not altered during transmission
    • message sender obtains acknowledgement of delivery
    • message remains confidential during transmission