Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 140

  1. Which of the following would an IS auditor consider to be the MOST important when evaluating an organization’s IS strategy? That it:

    • has been approved by line management.
    • does not vary from the IS department’s preliminary budget.
    • complies with procurement procedures.
    • supports the business objectives of the organization.

    Explanation:
    Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization’s broader plans and business objectives for attaining these goals. Choice A is incorrect since line management prepared the plans.

  2. An IS auditor reviewing an organization’s IT strategic plan should FIRST review:

    • the existing IT environment.
    • the business plan.
    • the present IT budget.
    • current technology trends.

    Explanation:
    The IT strategic plan exists to support the organization’s business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize themselves with the business plan.

  3. When reviewing IS strategies, an IS auditor can BEST assess whether IS strategy supports the organization’s business objectives by determining if IS:

    • has all the personnel and equipment it needs.
    • plans are consistent with management strategy.
    • uses its equipment and personnel efficiently and effectively.
    • has sufficient excess capacity to respond to changing directions.

    Explanation:
    Determining if the IS plan is consistent with management strategy relates IS/IT planning to business plans. Choices A, C and D are effective methods for determining the alignment of IS plans with business objectives and the organization’s strategies.

  4. In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?

    • Optimized
    • Managed
    • Defined
    • Repeatable

    Explanation:
    Boards of directors and executive management can use the information security governance maturity model to establish rankings for security in their organizations. The ranks are nonexistent, initial, repeatable, defined, managed and optimized. When the responsibilities for IT security in an organization are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed, it is said to be ‘managed and measurable.’

  5. To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:

    • control self-assessments.
    • a business impact analysis.
    • an IT balanced scorecard.
    • business process reengineering.

    Explanation:
    An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. Control self-assessment (CSA), business impact analysis (BIA) and business process reengineering (BPR) are insufficient to align IT with organizational objectives.

  6. When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:

    • incorporates state of the art technology.
    • addresses the required operational controls.
    • articulates the IT mission and vision.
    • specifies project management practices.

    Explanation:
    The IT strategic plan must include a clear articulation of the IT mission and vision. The plan need not address the technology, operational controls or project management practices.

  7. When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the:

    • establishment of a review board.
    • creation of a security unit.
    • effective support of an executive sponsor.
    • selection of a security process owner.

    Explanation:
    The executive sponsor would be in charge of supporting the organization’s strategic security program, and would aid in directing the organization’s overall security management activities. Therefore, support by the executive level of management is the most critical success factor (CSF). None of the other choices are effective without visible sponsorship of top management.

  8. When reviewing an organization’s strategic IT plan an IS auditor should expect to find:

    • an assessment of the fit of the organization’s application portfolio with business objectives.
    • actions to reduce hardware procurement cost.
    • a listing of approved suppliers of IT contract resources.
    • a description of the technical architecture for the organization’s network perimeter security.

    Explanation:
    An assessment of how well an organization’s application portfolio supports the organization’s business objectives is a key component of the overall IT strategic planning process. This drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc., can support the business objectives. Operational efficiency initiatives belong to tactical planning, not strategic planning. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization’s business objectives. A listing of approved suppliers of IT contract resources is a tactical rather than a strategic concern. An IT strategic plan would not normally include detail of a specific technical architecture.

  9. The advantage of a bottom-up approach to the development of organizational policies is that the policies:

    • are developed for the organization as a whole.
    • are more likely to be derived as a result of a risk assessment.
    • will not conflict with overall corporate policy.
    • ensure consistency across the organization.

    Explanation:
    A bottom-up approach begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments. Enterprise-level policies are subsequently developed based on a synthesis of existing operational policies. Choices A, C and D are advantages of a top-down approach for developing organizational policies. This approach ensures that the policies will not be in conflict with overall corporate policy and ensure consistency across the organization.

  10. Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?

    • User management coordination does not exist.
    • Specific user accountability cannot be established.
    • Unauthorized users may have access to originate, modify or delete data.
    • Audit recommendations may not be implemented.

    Explanation:
    Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that one could gain (be given) system access when they should not have authorization. By assigning authority to grant access to specific users, there is a better chance that business objectives will be properly supported.

  11. The PRIMARY objective of an audit of IT security policies is to ensure that:

    • they are distributed and available to all staff.
    • security and control policies support business and IT objectives.
    • there is a published organizational chart with functional descriptions.
    • duties are appropriately segregated.

    Explanation:
    Business orientation should be the main theme in implementing security. Hence, an IS audit of IT security policies should primarily focus on whether the IT and related security and control policies support business and IT objectives. Reviewing whether policies are available to all is an objective, but distribution does not ensure compliance. Availability of organizational charts with functional descriptions and segregation of duties might be included in the review, but are not the primary objective of an audit of security policies.

  12. The rate of change in technology increases the importance of:

    • outsourcing the IS function.
    • implementing and enforcing good processes.
    • hiring personnel willing to make a career within the organization.
    • meeting user requirements.

    Explanation:
    Change requires that good change management processes be implemented and enforced. Outsourcing the IS function is not directly related to the rate of technological change. Personnel in a typical IS department are highly qualified and educated; usually they do not feel their jobs are at risk and are prepared to switch jobs frequently. Although meeting user requirements is important, it is not directly related to the rate of technological change in the IS environment.

  13. An IS auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that:

    • this lack of knowledge may lead to unintentional disclosure of sensitive information.
    • information security is not critical to all functions.
    • IS audit should provide security training to the employees.
    • the audit finding will cause management to provide continuous training to staff.

    Explanation:
    All employees should be aware of the enterprise’s information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.

  14. The development of an IS security policy is ultimately the responsibility of the:

    • IS department.
    • security committee.
    • security administrator.
    • board of directors.

    Explanation:
    Normally, the designing of an information systems security policy is the responsibility of top management or the board of directors. The IS department is responsible for the execution of the policy, having no authority in framing the policy. The security committee also functions within the broad security policy framed by the board of directors. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.

  15. Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?

    • Response
    • Correction
    • Detection
    • Monitoring

    Explanation:
    A sound IS security policy will most likely outline a response program to handle suspected intrusions. Correction, detection and monitoring programs are all aspects of information security, but will not likely be included in an IS security policy statement.

  16. Which of the following should be included in an organization’s IS security policy?

    • A list of key IT resources to be secured
    • The basis for access authorization
    • Identity of sensitive security features
    • Relevant software security features

    Explanation:
    The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. Choices A, B and C are more detailed than that which should be included in a policy.

  17. Which of the following is the initial step in creating a firewall policy?

    • A cost-benefit analysis of methods for securing the applications
    • Identification of network applications to be externally accessed
    • Identification of vulnerabilities associated with network applications to be externally accessed
    • Creation of an applications traffic matrix showing protection methods

    Explanation:
    The applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. Having identified the applications, the next step is to identify vulnerabilities (weaknesses) associated with the network applications. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step. The final step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

  18. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?

    • Utilization of an intrusion detection system to report incidents
    • Mandating the use of passwords to access all software
    • Installing an efficient user log system to track the actions of each user
    • Training provided on a regular basis to all current and new employees

    Explanation:
    Utilizing an intrusion detection system to report on incidents that occur is an implementation of a security program and is not effective in establishing a security awareness program. Choices B and C do not address awareness. Training is the only choice that is directed at security awareness.

  19. Which of the following is MOST critical for the successful implementation and maintenance of a security policy?

    • Assimilation of the framework and intent of a written security policy by all appropriate parties
    • Management support and approval for the implementation and maintenance of a security policy
    • Enforcement of security rules by providing punitive actions for any violation of security rules
    • Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

    Explanation:
    Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the password is of little value. Management support and commitment is no doubt important, but for successful implementation and maintenance of security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, is also required, along with the user’s education on the importance of security.

  20. A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:

    • recovery.
    • retention.
    • rebuilding.
    • reuse.

    Explanation:
    Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which e-mail communication is held in the same regard as the official form of classic ‘paper’ makes the retention of corporate e-mail a necessity. All e-mail generated on an organization’s hardware is the property of the organization, and an e-mail policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of e-mails after a specified time to protect the nature and confidentiality of the messages themselves. Addressing the retention issue in the e-mail policy would facilitate recovery, rebuilding and reuse.