Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 108

  1. An information security risk analysis BEST assists an organization in ensuring that:

    • cost-effective decisions are made with regard to which assets need protection
    • the organization implements appropriate security technologies
    • the infrastructure has the appropriate level of access control
    • an appropriate level of funding is applied to security processes
  2. Which of the following would be the BEST way for an information security manager to justify ongoing annual maintenance fees associated with an intrusion prevention system (IPS)?

    • Perform industry research annually and document the overall ranking of the IPS.
    • Perform a penetration test to demonstrate the ability to protect.
    • Establish and present appropriate metrics that track performance.
    • Provide yearly competitive pricing to illustrate the value of the IPS.
  3. Reviewing which of the following would provide the GREATEST input to the asset classification process?

    • Risk assessment
    • Sensitivity of the data
    • Replacement cost of the asset
    • Compliance requirements
  4. When building a corporate-wide business continuity plan, it is discovered there are two separate lines of business systems that could be impacted by the same threat. Which of the following is the BEST method to determine the priority of systems recovery in the event of a disaster?

    • Reviewing the business plans of each department
    • Evaluating the cost associated with each system’s outage
    • Reviewing each system’s key performance indicators (KPIs)
    • Comparing the recovery point objectives (RPOs)
  5. Business applications should be selected for disaster recovery testing on the basis of:

    • the results of contingency desktop checks
    • the number of failure points that are being tested
    • recovery time objectives (RTOs)
    • criticality to the enterprise
  6. When performing a data classification project, an information security manager should:

    • assign information criticality and sensitivity
    • identify information owners
    • identify information custodians
    • assign information access privileges
  7. A third-party service provider has proposed a data loss prevention (DLP) solution. Which of the following MUST be in place for this solution to be relevant to the organization?

    • An adequate data testing environment
    • Senior management support
    • A business case
    • A data classification
  8. Which of the following is the BEST way to identify the potential impact of a successful attack on an organization’s mission critical applications?

    • Execute regular vulnerability scans
    • Conduct penetration testing
    • Perform an application vulnerability review
    • Perform an independent code review
  9. Which of the following needs to be established FIRST in order to categorize data properly?

    • A data protection policy
    • A data classification framework
    • A data asset inventory
    • A data asset protection standard
  10. Which of the following would provide the BEST justification for a new information security investment?

    • Defined key performance indicators (KPIs)
    • Projected reduction in risk
    • Results of a comprehensive threat analysis
    • Senior management involvement in project prioritization
  11. Which of the following is MOST likely to prevent social engineering attacks?

    • Security awareness program
    • Employee background checks
    • Implementing positive identification policies
    • Enforcing stronger hiring policies
  12. The recovery point objective (RPO) is required in which of the following?

    • Information security plan
    • Incident response plan
    • Disaster recovery plan
    • Business continuity plan
  13. After assessing risk, the decision to treat the risk should be based PRIMARILY on:

    • whether the level of risk exceeds risk appetite
    • availability of financial resources
    • whether the level of risk exceeds inherent risk
    • the criticality of the risk
  14. When preventive controls to appropriately mitigate risk are not feasible, which of the following is the MOST important action for the information security manager to perform?

    • Identify unacceptable risk levels
    • Manage the impact
    • Evaluate potential threats
    • Assess vulnerabilities
  15. Which of the following is the PRIMARY purpose of data classification?

    • To determine access rights to data
    • To provide a basis for protecting data
    • To select encryption technologies
    • To ensure integrity of data
  16. Before a failover test of a critical business application is performed, it is MOST important for the information security manager to:

    • obtain a signed risk acceptance from the recovery team
    • obtain senior management’s approval
    • inform the users that the test is taking place
    • verify that the information assets have been classified properly
  17. While conducting a test of a business continuity plan, which of the following is the MOST important consideration?

    • The test simulates actual prime-time processing conditions.
    • The test is scheduled to reduce operational impact.
    • The test involves IT members in the test process.
    • The test addresses the critical components.
  18. Which of the following would BEST support a business case to implement a data leakage prevention (DLP) solution?

    • An unusual upward trend in outbound email volume
    • Lack of visibility into previous data leakage incidents
    • Industry benchmark of DLP investments
    • A risk assessment on the threat of data leakage
  19. Which of the following is the MOST important reason for performing vulnerability assessments periodically?

    • Technology risks must be mitigated.
    • Management requires regular reports.
    • The environment changes constantly.
    • The current threat levels are being assessed.
  20. A data leakage prevention (DLP) solution has identified that several employees are sending confidential company data to their personal email addresses in violation of company policy. The information security manager should FIRST:

    • initiate an investigation to determine the full extent of noncompliance
    • notify senior management that employees are breaching policy
    • limit access to the Internet for employees involved
    • contact the employees involved to retake security awareness training