Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 120

  1. Establishing data ownership is an important first step for which of the following processes?

    • Assigning user access privileges
    • Developing organizational security policies
    • Creating roles and responsibilities
    • Classifying data

    Explanation: 
    To properly implement data classification, establishing data ownership is an important first step.

  2. Which of the following is MOST critical during the business impact assessment phase of business continuity planning?

    • End-user involvement
    • Senior management involvement
    • Security administration involvement
    • IS auditing involvement

    Explanation:
    End-user involvement is critical during the business impact assessment phase of business continuity planning.

  3. What type of BCP test uses actual resources to simulate a system crash and validate the plan’s effectiveness?

    • Paper
    • Preparedness
    • Walk-through
    • Parallel

    Explanation:
    Of the three major types of BCP tests (paper, walk-through, and preparedness), only the preparedness test uses actual resources to simulate a system crash and validate the plan’s effectiveness.

  4. Which of the following typically focuses on making alternative processes and resources available for transaction processing?

    • Cold-site facilities
    • Disaster recovery for networks
    • Diverse processing
    • Disaster recovery for systems

    Explanation:
    Disaster recovery for systems typically focuses on making alternative processes and resources available for transaction processing.

  5. Which type of major BCP test only requires representatives from each operational area to meet to review the plan?

    • Parallel
    • Preparedness
    • Walk-through
    • Paper

    Explanation:
    Of the three major types of BCP tests (paper, walk-through, and preparedness), a walk-through test requires only that representatives from each operational area meet to review the plan.

  6. What influences decisions regarding criticality of assets?

    • The business criticality of the data to be protected
    • Internal corporate politics
    • The business criticality of the data to be protected, and the scope of the impact upon the organization as a whole
    • The business impact analysis

    Explanation:
    Criticality of assets is often influenced by the business criticality of the data to be protected and by the scope of the impact upon the organization as a whole. For example, the loss of a network backbone creates a much greater impact on the organization as a whole than the loss of data on a typical user’s workstation.

  7. Of the three major types of off-site processing facilities, what type is characterized by at least providing for electricity and HVAC?

    • Cold site
    • Alternate site
    • Hot site
    • Warm site

    Explanation:
    Of the three major types of off-site processing facilities (hot, warm, and cold), a cold site is characterized by at least providing for electricity and HVAC. A warm site improves upon this by providing for redundant equipment and software that can be made operational within a short time.

  8. With the objective of mitigating the risk and impact of a major business interruption, a disaster recovery plan should endeavor to reduce the length of recovery time necessary, as well as costs associated with recovery. Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs. True or false?

    • True
    • False

    Explanation:
    With the objective of mitigating the risk and impact of a major business interruption, a disaster recovery plan should endeavor to reduce the length of recovery time necessary and the costs associated with recovery. Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs.

  9. Of the three major types of off-site processing facilities, what type is often an acceptable solution for preparing for recovery of noncritical systems and data?

    • Cold site
    • Hot site
    • Alternate site
    • Warm site

    Explanation:
    A cold site is often an acceptable solution for preparing for recovery of noncritical systems and data.

  10. Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of which of the following?

    • IT strategic plan
    • Business continuity plan
    • Business impact analysis
    • Incident response plan

    Explanation:
    Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of a business continuity plan.

  11. Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain with executive management, such as the _______________________. (fill-in-the-blank)

    • Security administrator
    • Systems auditor
    • Board of directors
    • Financial auditor

    Explanation:
    Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain with executive management, such as the board of directors.

  12. Obtaining user approval of program changes is very effective for controlling application changes and maintenance. True or false?

    • True
    • False

    Explanation:
    Obtaining user approval of program changes is very effective for controlling application changes and maintenance.

  13. Library control software restricts source code to:

    • Read-only access
    • Write-only access
    • Full access
    • Read-write access

    Explanation:
    Library control software restricts source code to read-only access.

  14. When is regression testing used to determine whether new application changes have introduced any errors in the remaining unchanged code?

    • In program development and change management
    • In program feasibility studies
    • In program development
    • In change management

    Explanation:
    Regression testing is used in program development and change management to determine whether new changes have introduced any errors in the remaining unchanged code.

  15. What is often the most difficult part of initial efforts in application development?

    • Configuring software
    • Planning security
    • Determining time and resource requirements
    • Configuring hardware

    Explanation:
    Determining time and resource requirements for an application-development project is often the most difficult part of initial efforts in application development.

  16. What is a primary high-level goal for an auditor who is reviewing a system development project?

    • To ensure that programming and processing environments are segregated
    • To ensure that proper approval for the project has been obtained
    • To ensure that business objectives are achieved
    • To ensure that projects are monitored and administered effectively

    Explanation:
    A primary high-level goal for an auditor who is reviewing a systems-development project is to ensure that business objectives are achieved. This objective guides all other systems development objectives.

  17. Whenever an application is modified, what should be tested to determine the full impact of the change?

    • Interface systems with other applications or systems
    • The entire program, including any interface systems with other applications or systems
    • All programs, including interface systems with other applications or systems
    • Mission-critical functions and any interface systems with other applications or systems

    Explanation:
    Whenever an application is modified, the entire program, including any interface systems with other applications or systems, should be tested to determine the full impact of the change.

  18. The quality of the metadata produced from a data warehouse is ________________ in the warehouse’s design.

    • Often hard to determine because the data is derived from a heterogeneous data environment
    • The most important consideration
    • Independent of the quality of the warehoused databases
    • Of secondary importance to data warehouse content

    Explanation:
    The quality of the metadata produced from a data warehouse is the most important consideration in the warehouse’s design.

  19. Function Point Analysis (FPA) provides an estimate of the size of an information system based only on the number and complexity of a system’s inputs and outputs. True or false?

    • True
    • False

    Explanation:
    Function point analysis (FPA) provides an estimate of the size of an information system based on the number and complexity of a system’s inputs, outputs, and files.

  20. Who assumes ownership of a systems-development project and the resulting system?

    • User management
    • Project steering committee
    • IT management
    • Systems developers

    Explanation:
    User management assumes ownership of a systems-development project and the resulting system.