Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 137

  1. Which of the following is the BEST reason to perform root cause analysis after a critical server failure?

    • To enable appropriate corrective measures
    • To enable the gathering of system availability data
    • To enable timely follow-up audits
    • To enable the optimization of IT investments
  2. Which of the following would help determine the maturity of an information security awareness program?

    • A review of the annual penetration test results
    • A network vulnerability assessment
    • A simulated social engineering test
    • A gap assessment against an established model
  3. A user of a telephone banking system has forgotten his personal identification number (PIN). After the user has been authenticated, the BEST method of issuing a new PIN is to have:

    • the user enter a new PIN twice.
    • banking personnel verbally assign a new PIN.
    • a randomly generated PIN communicated by banking personnel.
    • banking personnel assign the user a new PIN via email.
  4. Privileged account access is required to start an ad hoc batch job. Which of the following would MOST effectively detect unauthorized job execution?

    • Requiring manual approval by an authorized user
    • Executing the job through two-factor authentication
    • Introducing job execution request procedures
    • Reconciling user activity logs against authorizations
  5. Due to the small size of the payroll department, an organization is unable to segregate the employee setup and payroll processing functions. Which of the following would be the BEST compensating control for the lack of segregation of duties?

    • An independent payroll disbursement review is conducted.
    • The system is configured to require secondary approval for changes to the employee master file.
    • A review is conducted to verify that terminated employees are removed from the employee master file.
    • A payroll variance report is reviewed for anomalies every pay period.
  6. Which of the following is the MOST critical step prior to performing a network penetration test?

    • Informing management of the potential risk involved with penetration testing
    • Identifying a scanning tool for use in identifying vulnerabilities
    • Communicating the location of the penetration test targets to management
    • Reviewing the results of previous penetration tests
  7. Which of the following is the MOST significant concern when backup tapes are encrypted?

    • Loss of the encryption key
    • Lack of physical security over the tapes
    • Incompatibility with future software versions
    • Inaccurate data due to encryption processing
  8. Based on the guidance of internal audit, an IT steering committee is considering the use of a balanced scorecard to evaluate its project management process. Which of the following is the GREATEST advantage to using this approach?

    • Project schedule and budget management will improve.
    • Performance is measured from different perspectives.
    • Information is provided in a consistent and timely manner.
    • Projects will be prioritized based on value.
  9. The quality assurance (QA) function should be prevented from:

    • developing naming conventions.
    • establishing analysis techniques.
    • amending review procedures.
    • changing programs for business functions.
  10. Which of the following provides the GREATEST assurance that any confidential information on a disk is no longer accessible but the device is still usable by other internal users?

    • Reformatting the disk
    • Erasing the disk
    • Degaussing the disk
    • Password-protecting the disk
  11. The demilitarized zone (DMZ) is the part of a network where the servers placed there are:

    • running internal department applications.
    • running mission-critical, non-web applications.
    • interacting with the public Internet.
    • external to the organization.
  12. An IS auditor is unable to directly test privacy controls for a client’s cloud-based application. The MOST effective alternative to direct testing is to review:

    • the provider’s internal audit reports.
    • the provider’s statement of assurance.
    • formal privacy certification.
    • independent audit reports.
  13. An organization has installed blade server technology in its data center. To determine whether the higher cooling demands are being met, which of the following should the IS auditor review?

    • Ventilation systems
    • Uninterruptible power supply (UPS) systems
    • Air conditioning capacity
    • Duct maintenance
  14. An employee loses a mobile device resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?

    • Awareness training for mobile device users
    • Data encryption on the mobile device
    • The triggering of remote data wipe capabilities
    • Complex password policy for mobile devices
  15. When physical destruction is not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?

    • Recycling the disk
    • Reformatting
    • Deleting files sequentially
    • Overwriting multiple times
  16. Which of the following components of a scheduling tool BEST prevents job failures due to insufficient system resources?

    • Job dependencies
    • Delayed job starts
    • Exception handling
    • Error alerts
  17. Which of the following is the MOST effective control for emergency changes to application programs?

    • Processing the change through change control with review of the change the following day
    • Keeping a sealed envelope containing a password that operators can use to make emergency changes
    • Periodically checking the application program libraries to detect whether unauthorized changes have been made
    • Preparing and approving program change forms before the changes are made
  18. Which of the following controls would BEST ensure that payroll system rate changes are valid?

    • Only a payroll department manager can input the new rate.
    • Rate changes require visual verification before acceptance.
    • Rate changes must be entered twice to ensure that they are entered correctly.
    • Rate changes are reported to and independently verified by a manager.
  19. Which of the following BEST enables timely detection of changes in the IT environment to support informed decision making by management?

    • Continuous monitoring
    • Sampling checks on high-risk areas
    • Change management reports
    • Established key risk indicators (KRIs)
  20. Which of the following is BEST for providing uninterrupted services?

    • Snapshots
    • Differential backup
    • Televaulting
    • Mirroring