Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 118

  1. Key verification is one of the best controls for ensuring that:

    • Data is entered correctly
    • Only authorized cryptographic keys are used
    • Input is authorized
    • Database indexing is performed properly

    Explanation: 
    Key verification is one of the best controls for ensuring that data is entered correctly.

  2. If senior management is not committed to strategic planning, how likely is it that a company’s implementation of IT will be successful?

    • IT cannot be implemented if senior management is not committed to strategic planning.
    • More likely.
    • Less likely.
    • Strategic planning does not affect the success of a company’s implementation of IT.

    Explanation:
    A company’s implementation of IT will be less likely to succeed if senior management is not committed to strategic planning.

  3. Which of the following could lead to an unintentional loss of confidentiality?

    • Lack of employee awareness of a company’s information security policy
    • Failure to comply with a company’s information security policy
    • A momentary lapse of reason
    • Lack of security policy enforcement procedures

    Explanation:
    Lack of employee awareness of a company’s information security policy could lead to an unintentional loss of confidentiality.

  4. What topology provides the greatest redundancy of routes and the greatest network fault tolerance?

    • A star network topology
    • A mesh network topology with packet forwarding enabled at each host
    • A bus network topology
    • A ring network topology

    Explanation:
    A mesh network topology provides a point-to-point link between every network host. If each host is configured to route and forward communication, this topology provides the greatest redundancy of routes and the greatest network fault tolerance.

  5. An IS auditor usually places more reliance on evidence directly collected. What is an example of such evidence?

    • Evidence collected through personal observation
    • Evidence collected through systems logs provided by the organization’s security administration
    • Evidence collected through surveys collected from internal staff
    • Evidence collected through transaction reports provided by the organization’s IT administration

    Explanation:
    An IS auditor usually places more reliance on evidence directly collected, such as through personal observation.

  6. What kind of protocols does the OSI Transport Layer of the TCP/IP protocol suite provide to ensure reliable communication?

    • Nonconnection-oriented protocols
    • Connection-oriented protocols
    • Session-oriented protocols
    • Nonsession-oriented protocols

    Explanation:
    The transport layer of the TCP/IP protocol suite provides for connection-oriented protocols to ensure reliable communication.

  7. How is the time required for transaction processing review usually affected by properly implemented Electronic Data Interface (EDI)?

    • EDI usually decreases the time necessary for review.
    • EDI usually increases the time necessary for review.
    • Cannot be determined.
    • EDI does not affect the time necessary for review.

    Explanation:
    Electronic data interface (EDI) supports intervendor communication while decreasing the time necessary for review because it is usually configured to readily identify errors requiring follow-up.

  8. What would an IS auditor expect to find in the console log?

    • Evidence of password spoofing
    • System errors
    • Evidence of data copy activities
    • Evidence of password sharing

    Explanation:
    An IS auditor can expect to find system errors to be detailed in the console log.

  9. Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirety or not at all. Atomicity is part of the ACID test reference for transaction processing.

    True or false?

    • True
    • False

    Explanation:
    Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirety or not at all. Atomicity is part of the ACID test reference for transaction processing.

  10. Why does the IS auditor often review the system logs?

    • To get evidence of password spoofing
    • To get evidence of data copy activities
    • To determine the existence of unauthorized access to data by a user or program
    • To get evidence of password sharing

    Explanation:
    When trying to determine the existence of unauthorized access to data by a user or program, the IS auditor will often review the system logs.

  11. What is essential for the IS auditor to obtain a clear understanding of network management?

    • Security administrator access to systems
    • Systems logs of all hosts providing application services
    • A graphical map of the network topology
    • Administrator access to systems

    Explanation:
    A graphical map of the network topology is essential for the IS auditor to obtain a clear understanding of network management.

  12. How is risk affected if users have direct access to a database at the system level?

    • Risk of unauthorized access increases, but risk of untraceable changes to the database decreases.
    • Risk of unauthorized and untraceable changes to the database increases.
    • Risk of unauthorized access decreases, but risk of untraceable changes to the database increases.
    • Risk of unauthorized and untraceable changes to the database decreases.

    Explanation:
    If users have direct access to a database at the system level, risk of unauthorized and untraceable changes to the database increases.

  13. What is the most common purpose of a virtual private network implementation?

    • A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet.
    • A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over a dedicated T1 connection.
    • A virtual private network (VPN) helps to secure access within an enterprise when communicating over a dedicated T1 connection between network segments within the same facility.
    • A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over a wireless connection.

    Explanation:
    A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet.

  14. What benefit does using capacity-monitoring software to monitor usage patterns and trends provide to management?

    • The software can dynamically readjust network traffic capabilities based upon current usage.
    • The software produces nice reports that really impress management.
    • It allows users to properly allocate resources and ensure continuous efficiency of operations.
    • It allows management to properly allocate resources and ensure continuous efficiency of operations.

    Explanation:
    Using capacity-monitoring software to monitor usage patterns and trends enables management to properly allocate resources and ensure continuous efficiency of operations.

  15. What can be very helpful to an IS auditor when determining the efficacy of a systems maintenance program?

    • Network-monitoring software
    • A system downtime log
    • Administration activity reports
    • Help-desk utilization trend reports

    Explanation:
    A system downtime log can be very helpful to an IS auditor when determining the efficacy of a systems maintenance program.

  16. What are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information?

    • Referential integrity controls
    • Normalization controls
    • Concurrency controls
    • Run-to-run totals

    Explanation:
    Concurrency controls are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information.

  17. What increases encryption overhead and cost the most?

    • A long symmetric encryption key
    • A long asymmetric encryption key
    • A long Advanced Encryption Standard (AES) key
    • A long Data Encryption Standard (DES) key

    Explanation:
    A long asymmetric encryption key (public key encryption) increases encryption overhead and cost. All other answers are single shared symmetric keys.

  18. Which of the following best characterizes “worms”?

    • Malicious programs that can run independently and can propagate without the aid of a carrier program such as email.
    • Programming code errors that cause a program to repeatedly dump data
    • Malicious programs that require the aid of a carrier program such as email
    • Malicious programs that masquerade as common applications such as screensavers or macro-enabled Word documents

    Explanation:
    Worms are malicious programs that can run independently and can propagate without the aid of a carrier program such as email.

  19. What is an initial step in creating a proper firewall policy?

    • Assigning access to users according to the principle of least privilege
    • Determining appropriate firewall hardware and software
    • Identifying network applications such as mail, web, or FTP servers
    • Configuring firewall access rules

    Explanation:
    Identifying network applications such as mail, web, or FTP servers to be externally accessed is an initial step in creating a proper firewall policy.

  20. What type of cryptosystem is characterized by data being encrypted by the sender using the recipient’s public key, and the data then being decrypted using the recipient’s private key?

    • With public-key encryption, or symmetric encryption
    • With public-key encryption, or asymmetric encryption
    • With shared-key encryption, or symmetric encryption
    • With shared-key encryption, or asymmetric encryption

    Explanation:
    With public key encryption or asymmetric encryption, data is encrypted by the sender using the recipient’s public key; the data is then decrypted using the recipient’s private key.