Last Updated on December 13, 2021 by Admin 3

CISA: Certified Information Systems Auditor: Part 121

  1. If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further:

    • Documentation development
    • Comprehensive integration testing
    • Full unit testing
    • Full regression testing

    Explanation: 
    If an IS auditor observes individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further comprehensive integration testing.

  2. When participating in a systems-development project, an IS auditor should focus on system controls rather than ensuring that adequate and complete documentation exists for all projects. True or false?

    • True
    • False

    Explanation:
    When participating in a systems-development project, an IS auditor should also strive to ensure that adequate and complete documentation exists for all projects.

  3. What is a reliable technique for estimating the scope and cost of a software-development project?

    • Function point analysis (FPA)
    • Feature point analysis (FPA)
    • GANTT
    • PERT

    Explanation:
    A function point analysis (FPA) is a reliable technique for estimating the scope and cost of a software-development project.

  4. Which of the following is a program evaluation review technique that considers different scenarios for planning and controlling projects?

    • Function Point Analysis (FPA)
    • GANTT
    • Rapid Application Development (RAD)
    • PERT

    Explanation:
    PERT is a program evaluation review technique that considers different scenarios for planning and controlling projects.

  5. Which of the following is the PRIMARY concern if a business continuity plan (BCP) is not based on a business impact analysis (BIA)?

    • The critical systems were not identified, but all systems are covered in the BCP.
    • The knowledge of key people within the organization was not considered in the BCP.
    • The strategy of the BCP does not reflect estimated potential losses.
    • Management was not involved in the early stages of the BCP.

  6. An e-commerce enterprise’s disaster recovery (DR) site has 30% less processing capability than the primary site. Based on this information, which of the following presents the GREATEST risk?

    • Network firewalls and database firewalls at the DR site do not provide high availability.
    • No disaster recovery plan (DRP) testing has been performed during the last six months.
    • The DR site is in a shared location that hosts multiple other enterprises.
    • The DR site has not undergone testing to confirm its effectiveness.

  7. Which of the following BEST supports the risk assessment process to determine criticality of an asset?

    • Threat assessment
    • Residual risk analysis
    • Vulnerability assessment
    • Business impact analysis (BIA)

  8. Which of the following is the MOST important prerequisite to performing an information security assessment?

    • Reviewing the business impact analysis (BIA)
    • Assessing threats and vulnerabilities
    • Determining risk tolerance
    • Classifying assets

  9. To ensure appropriate control of information processed in IT systems, security safeguards should be based PRIMARILY on:

    • established guidelines.
    • overall IT capacity and operational constraints.
    • efficient technical processing considerations.
    • criteria consistent with classification levels.

  10. Which of the following is the MOST important factor when determining the frequency of information security risk reassessment?

    • Audit findings
    • Risk priority
    • Mitigating controls
    • Risk metrics

  11. Which of the following is the MOST important consideration when designing information security architecture?

    • Risk management parameters for the organization are defined.
    • The existing threat landscape is monitored.
    • The information security architecture is aligned with industry standards.
    • The level of security supported is based on business decisions.

  12. Which of the following is a PRIMARY security responsibility of an information owner?

    • Determining the controls associated with information classification
    • Testing information classification controls
    • Maintaining the integrity of data in the information systems
    • Deciding what level of classification the information requires

  13. Utilizing external resources for highly technical information security tasks allows an information security manager to:

    • transfer business risk.
    • distribute technology risk.
    • outsource responsibility.
    • leverage limited resources.

  14. The GREATEST benefit of choosing a private cloud over a public cloud would be:

    • server protection.
    • online service availability.
    • containment of customer data.
    • collection of data forensics.

  15. An organization is considering moving one of its critical business applications to a cloud hosting service. The cloud provider may not provide the same level of security for this application as the organization. Which of the following will provide the BEST information to help maintain the security posture?

    • Risk assessment
    • Cloud security strategy
    • Vulnerability assessment
    • Risk governance framework

  16. Which is MOST important when contracting an external party to perform a penetration test?

    • Obtain approval from IT management.
    • Define the project scope.
    • Increase the frequency of log reviews.
    • Provide network documentation.

  17. A company has purchased a rival organization and is looking to integrate security strategies. Which of the following is the GREATEST issue to consider?

    • The organizations have different risk appetites
    • Differing security technologies
    • Differing security skills within the organizations
    • Confidential information could be leaked

  18. An information security manager reads a media report of a new type of malware attack. Who should be notified FIRST?

    • Security operations team
    • Data owners
    • Communications department
    • Application owners

  19. Which of the following is the MOST beneficial outcome of testing an incident response plan?

    • The plan is enhanced to reflect the findings of the test.
    • Test plan results are documented.
    • Incident response time is improved.
    • The response includes escalation to senior management.

  20. The selection of security controls is PRIMARILY linked to:

    • risk appetite of the organization.
    • regulatory requirements.
    • business impact assessment.
    • best practices of similar organizations.