Last Updated on December 13, 2021 by Admin 3

CISA: Certified Information Systems Auditor: Part 135

  1. Both statistical and nonstatistical sampling techniques:

    • permit the auditor to quantify the probability of error.
    • permit the auditor to quantify and fix the level of risk.
    • require judgment when defining population characteristics.
    • provide each item an equal opportunity of being selected.
  2. Cross-site scripting (XSS) attacks are BEST prevented through:

    • use of common industry frameworks.
    • secure coding practices.
    • application firewall policy settings.
    • a three-tier web architecture.
  3. The PRIMARY advantage of object-oriented technology is enhanced:

    • efficiency due to the re-use of elements of logic.
    • management of sequential program execution for data access.
    • management of a restricted variety of data types for a data object.
    • grouping of objects into methods for data access.
  4. Which of the following would BEST facilitate the detection of internal fraud perpetrated by an individual?

    • Corporate fraud hotline
    • Segregation of duties
    • Mandatory leave
    • Flexible time
  5. Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?

    • Better utilization of resources
    • Stronger data security
    • Increased application performance
    • Improved disaster recovery
  6. Which of the following is the MOST effective control for a utility program?

    • Renaming the versions in the programmers’ libraries
    • Installing the program on a separate server
    • Storing the program in a production library
    • Allowing only authorized personnel to use the program
  7. The control that MOST effectively addresses the risk of piggybacking/tailgating into a restricted area without a dead man door is:

    • using biometric door locks.
    • security awareness training.
    • requiring employees to wear ID badges.
    • using two-factor authentication.
  8. Which of the following provides the MOST assurance that a newly developed web application does not have IT security issues?

    • Server hardening
    • Business impact analysis (BIA)
    • Application whitelisting
    • Penetration testing
  9. An airline’s online booking system uses an automated script that checks whether fares are within the defined threshold of what is reasonable before the fares are displayed on the website. Which type of control is in place?

    • Compensating control
    • Preventive control
    • Detective control
    • Corrective control
  10. Which of the following features can be provided only by asymmetric encryption?

    • 128-bit key length
    • Information privacy
    • Data confidentiality
    • Nonrepudiation
  11. Which of the following is the MOST effective way to assess whether an outsourcer’s controls are following the service level agreement (SLA)?

    • Perform an onsite review of the outsourcer.
    • Review the outsourcer’s monthly service reports.
    • Perform a review of penalty clauses for non-performance.
    • Review an internal audit report from the outsourcer’s auditor.
  12. Which of the following BEST indicates the effectiveness of an organization’s risk management program?

    • Control risk is minimized.
    • Inherent risk is eliminated.
    • Residual risk is minimized.
    • Overall risk is quantified.
  13. A retirement system verifies that the field for employee status has either a value of A (for active) or R (for retired). This is an example of which type of check?

    • Validity
    • Existence
    • Limit
    • Completeness
  14. Which of the following controls would BEST decrease the exposure if a password is compromised?

    • Passwords are masked.
    • Passwords are encrypted.
    • Passwords have format restrictions.
    • Password changes are forced periodically.
  15. The BEST data backup strategy for mobile users is to:

    • synchronize data directories automatically over the network.
    • have them regularly back up data directories onto CD and courier the backups to the head office.
    • mirror all data to a portable storage device.
    • have them regularly go to branch offices to perform backups.
  16. Which of the following would BEST enable effective IT resource management?

    • Assessing the risk associated with IT resources
    • Outsourcing IT processes and activities
    • Establishing business priorities
    • Automating business processes
  17. Digital signatures are an effective control method for information exchange over an insecure network because they:

    • enable nonrepudiation.
    • are under the sole custody of the receiver.
    • are constant over time.
    • authenticate the user biometrically.
  18. Which of the following BEST determines if a batch update job was completed?

    • Reviewing a copy of the script for the job
    • Verifying the timestamp from the job log
    • Testing a sample of transactions to confirm updates were applied
    • Obtaining process owner confirmation that the job was completed
  19. Which of the following would be MOST important to include in a data security policy to adequately manage the privacy of customer information?

    • Information classification criteria
    • Encryption technology
    • Backup strategy
    • Data ownership
  20. Which of the following is the MOST important reason to periodically review data that has already been classified?

    • The associated risk may change over time.
    • Additional data may have been added to the inventory.
    • Older data may need to be archived on removable media.
    • The classification nomenclature has changed.