Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 141

  1. In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:

    • implementation.
    • compliance.
    • documentation.
    • sufficiency.

    An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of controls. Documentation, implementation and compliance are further steps.

  2. To ensure an organization is complying with privacy requirements, an IS auditor should FIRST review:

    • the IT infrastructure.
    • organizational policies, standards and procedures.
    • legal and regulatory requirements.
    • the adherence to organizational policies, standards and procedures.

    To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.
  3. A top-down approach to the development of operational policies will help ensure:

    • that they are consistent across the organization.
    • that they are implemented as a part of risk assessment.
    • compliance with all policies.
    • that they are reviewed periodically.

    Deriving lower-level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. The bottom-up approach to the development of operational policies is derived as a result of risk assessment. A top-down approach of itself does not ensure compliance, and development does not ensure that policies are reviewed.
  4. Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?

    • Time zone differences could impede communications between IT teams.
    • Telecommunications cost could be much higher in the first year.
    • Privacy laws could prevent cross-border flow of information.
    • Software development may require more detailed specifications.

    Privacy laws prohibiting the cross-border flow of personally identifiable information would make it impossible to locate a data warehouse containing customer information in another country. Time zone differences and higher telecommunications costs are more manageable. Software development typically requires more detailed specifications when dealing with offshore operations.
  5. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?

    • Issues of privacy
    • Wavelength can be absorbed by the human body
    • RFID tags may not be removable
    • RFID eliminates line-of-sight reading

    The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID tag. Choices B and C are concerns of less importance. Choice D is not a concern.
  6. When developing a security architecture, which of the following steps should be executed FIRST?

    • Developing security procedures
    • Defining a security policy
    • Specifying an access control methodology
    • Defining roles and responsibilities

    Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. The other choices should be executed only after defining a security policy.
  7. An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of termination. The IS auditor should:

    • report that the control is operating effectively since deactivation happens within the time frame stated in the IS policy.
    • verify that user access rights have been granted on a need-to-have basis.
    • recommend changes to the IS policy to ensure deactivation of user IDs upon termination.
    • recommend that activity logs of terminated users be reviewed on a regular basis.

    Although a policy provides a reference for performing IS audit assignments, an IS auditor needs to review the adequacy and the appropriateness of the policy. If, in the opinion of the auditor, the time frame defined for deactivation is inappropriate, the auditor needs to communicate this to management and recommend changes to the policy. Though the deactivation happens as stated in the policy, it cannot be concluded that the control is effective. Best practice would require that the ID of a terminated user be deactivated immediately. Verifying that user access rights have been granted on a need-to-have basis is necessary when permissions are granted. Recommending that activity logs of terminated users be reviewed on a regular basis is a good practice, but not as effective as deactivation upon termination.
  8. An IS auditor is reviewing a project to implement a payment system between a parent bank and a subsidiary. The IS auditor should FIRST verify that the:

    • technical platforms between the two companies are interoperable.
    • parent bank is authorized to serve as a service provider.
    • security features are in place to segregate subsidiary trades.
    • subsidiary can join as a co-owner of this payment system.

    Even between parent and subsidiary companies, contractual agreement(s) should be in place to conduct shared services. This is particularly important in highly regulated organizations such as banking. Unless granted to serve as a service provider, it may not be legal for the bank to extend business to the subsidiary companies. Technical aspects should always be considered; however, this can be initiated after confirming that the parent bank can serve as a service provider. Security aspects are another important factor; however, this should be considered after confirming that the parent bank can serve as a service provider. The ownership of the payment system is not as important as the legal authorization to operate the system.
  9. IT control objectives are useful to IS auditors, as they provide the basis for understanding the:

    • desired result or purpose of implementing specific control procedures.
    • best IT security control practices relevant to a specific entity.
    • techniques for securing information.
    • security policy.

    An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. They provide the actual objectives for implementing controls and may or may not be the best practices. Techniques are the means of achieving an objective, and a security policy is a subset of IT control objectives.
  10. Which of the following provides the best evidence of the adequacy of a security awareness program?

    • The number of stakeholders including employees trained at various levels
    • Coverage of training at all locations across the enterprise
    • The implementation of security devices from different vendors
    • Periodic reviews and comparison with best practices

    The adequacy of security awareness content can best be assessed by determining whether it is periodically reviewed and compared to industry best practices. Choices A, B and C provide metrics for measuring various aspects of a security awareness program, but do not help assess the content.
  11. The PRIMARY objective of implementing corporate governance by an organization’s management is to:

    • provide strategic direction.
    • control business operations.
    • align IT with business.
    • implement best practices.

    Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business operations are directed and controlled.
  12. Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?

    • Define a balanced scorecard (BSC) for measuring performance
    • Consider user satisfaction in the key performance indicators (KPIs)
    • Select projects according to business benefits and risks
    • Modify the yearly process of defining the project portfolio

    Prioritization of projects on the basis of their expected benefit(s) to business, and the related risks, is the best measure for achieving alignment of the project portfolio to an organization’s strategic priorities. Modifying the yearly process of the project portfolio definition might improve the situation, but only if the portfolio definition process is currently not tied to the definition of corporate strategies; however, this is unlikely since the difficulties are in maintaining the alignment, and not in setting it up initially. Measures such as a balanced scorecard (BSC) and key performance indicators (KPIs) are helpful, but they do not guarantee that the projects are aligned with business strategy.
  13. An example of a direct benefit to be derived from a proposed IT-related business investment is:

    • enhanced reputation.
    • enhanced staff morale.
    • the use of new technology.
    • increased market penetration.

    A comprehensive business case for any proposed IT-related business investment should have clearly defined business benefits to enable the expected return to be calculated. These benefits usually fall into two categories: direct and indirect, or soft. Direct benefits usually comprise the quantifiable financial benefits that the new system is expected to generate. The potential benefits of enhanced reputation and enhanced staff morale are difficult to quantify, but should be quantified to the extent possible. IT investments should not be made just for the sake of new technology but should be based on a quantifiable business need.
  14. To assist an organization in planning for IT investments, an IS auditor should recommend the use of:

    • project management tools.
    • an object-oriented architecture.
    • tactical planning.
    • enterprise architecture (EA).

    Enterprise architecture (EA) involves documenting the organization’s IT assets and processes in a structured manner to facilitate understanding, management and planning for IT investments. It involves both a current state and a representation of an optimized future state. In attempting to complete an EA, organizations can address the problem either from a technology perspective or a business process perspective. Project management does not consider IT investment aspects; it is a tool to aid in delivering projects. Object-oriented architecture is a software development methodology and does not assist in planning for IT investment, while tactical planning is relevant only after high-level IT investment decisions have been made.
  15. A benefit of open system architecture is that it:

    • facilitates interoperability.
    • facilitates the integration of proprietary components.
    • will be a basis for volume discounts from equipment vendors.
    • allows for the achievement of more economies of scale for equipment.

    Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers’ systems cannot or will not interface with existing systems.
  16. In the context of effective information security governance, the primary objective of value delivery is to:

    • optimize security investments in support of business objectives.
    • implement a standard set of security practices.
    • institute a standards-based solution.
    • implement a continuous improvement culture.

    In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing value delivery include implementation of a standard set of security practices, institutionalization and commoditization of standards-based solutions, and implementation of a continuous improvement culture considering security as a process, not an event.
  17. Which of the following BEST supports the prioritization of new IT projects?

    • Internal control self-assessment (CSA)
    • Information systems audit
    • Investment portfolio analysis
    • Business risk assessment

    It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy, but will provide the rationale for terminating nonperforming IT projects. Internal control self-assessment (CSA) may highlight noncompliance to the current policy, but may not necessarily be the best source for driving the prioritization of IT projects. Like internal CSA, IS audits may provide only part of the picture for the prioritization of IT projects. Business risk analysis is part of the investment portfolio analysis but, by itself, is not the best method for prioritizing new IT projects.
  18. After the merger of two organizations, multiple self-developed legacy applications from both companies are to be replaced by a new common platform. Which of the following would be the GREATEST risk?

    • Project management and progress reporting is combined in a project management office which is driven by external consultants.
    • The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
    • The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company’s legacy systems.
    • The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

    The efforts should be consolidated to ensure alignment with the overall strategy of the post-merger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications. In post-merger integration programs, it is common to form project management offices to ensure standardized and comparable information levels in the planning and reporting structures, and to centralize dependencies of project deliverables or resources. The experience of external consultants can be valuable since project management practices do not require in-depth knowledge of the legacy systems. This can free up resources for functional tasks. It is a good idea to first get familiar with the old systems, to understand what needs to be done in a migration and to evaluate the implications of technical decisions. In most cases, mergers result in application changes and thus in training needs as organizations and processes change to leverage the intended synergy effects of the merger.
  19. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?

    • Ensuring that invoices are paid to the provider
    • Participating in systems design with the provider
    • Renegotiating the provider’s fees
    • Monitoring the outsourcing provider’s performance

    In an outsourcing environment, the company is dependent on the performance of the service provider. Therefore, it is critical that the outsourcing provider’s performance be monitored to ensure that services are delivered to the company as required. Payment of invoices is a finance function, which would be completed per contractual requirements. Participating in systems design is a byproduct of monitoring the outsourcing provider’s performance, while renegotiating fees is usually a one-time activity.
  20. Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor’s business continuity plan?

    • Yes, because an IS auditor will evaluate the adequacy of the service bureau’s plan and assist their company in implementing a complementary plan.
    • Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
    • No, because the backup to be provided should be specified adequately in the contract.
    • No, because the service bureau’s business continuity plan is proprietary information.

    The primary responsibility of an IS auditor is to assure that the company assets are being safeguarded. This is true even if the assets do not reside on the immediate premises. Reputable service bureaus will have a well-designed and tested business continuity plan.