Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 156

  1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)?

    • A user from within could send a file to an unauthorized person.
    • FTP services could allow a user to download files from unauthorized sources.
    • A hacker may be able to use the FTP service to bypass the firewall.
    • FTP could significantly reduce the performance of a DMZ server.

    Explanation: 
    Since file transfer protocol (FTP) is an insecure protocol (credentials and data travel in cleartext, and the data connection is negotiated dynamically on a separate port), it should not be installed on a server in a demilitarized zone (DMZ). An attacker can use the FTP service to bypass the firewall and gain access to the network. Sending a file to an unauthorized person and downloading files from unauthorized sources are real risks, but they are not as significant as a firewall breach. Running the FTP service does not by itself reduce the performance of a DMZ server, so performance degradation is not the risk being tested here.
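    The explanation above states the risk in general terms. The following added example (not part of the exam material) makes it concrete by auditing a constructed FTP control-channel capture, assumed to have been taken from a tap in front of a DMZ server. It shows both the cleartext USER/PASS exchange and how the PORT command works: the client names the IP address and port to which the server should open the data connection, so a firewall rule that permits the DMZ server's outbound connections lets the client reach any host the server can. The session text, hosts and the log format are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of an FTP control channel (TCP/21) as seen by a passive tap
# in front of the DMZ server 203.0.113.5. Everything, including the password,
# is cleartext. The last PORT command points the data connection at an internal
# host on port 22 rather than back at the client.
SAMPLE_SESSION = """\
192.0.2.10 > 203.0.113.5:21 USER alice
192.0.2.10 > 203.0.113.5:21 PASS hunter2
192.0.2.10 > 203.0.113.5:21 PORT 192,0,2,10,4,1
192.0.2.10 > 203.0.113.5:21 RETR report.pdf
192.0.2.10 > 203.0.113.5:21 PORT 10,0,0,25,0,22
192.0.2.10 > 203.0.113.5:21 LIST
"""

# Assumed capture format: "<client ip> > <server ip>:<port> <COMMAND> [argument]"
LINE_RE = re.compile(
    r"^(?P<client>\d+\.\d+\.\d+\.\d+) > (?P<server>[\d.]+):\d+ (?P<cmd>\S+)(?: (?P<arg>.*))?$"
)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def parse_port_arg(arg):
    """Decode the argument of an FTP PORT command (RFC 959).

    The argument is six comma-separated decimal octets: h1,h2,h3,h4,p1,p2.
    The first four form the IPv4 address, the last two the port (p1*256 + p2).
    """
    parts = arg.split(",")
    if len(parts) != 6 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    ip = ".".join(parts[:4])
    port = int(parts[4]) * 256 + int(parts[5])
    return ip, port


def audit_ftp_session(text):
    """Scan captured control-channel lines and report the security-relevant ones.

    - USER/PASS: credentials sent in cleartext.
    - PORT naming the client's own address: a dynamic data channel the
      firewall must allow, which is already undesirable in a DMZ.
    - PORT naming a different address: the server would open a connection to a
      third party on the client's behalf, the firewall-bypass case.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed capture format
        client, cmd, arg = m["client"], m["cmd"].upper(), m["arg"] or ""
        if cmd in ("USER", "PASS"):
            findings.append(Finding("cleartext-credential", f"{cmd} {arg}"))
        elif cmd == "PORT":
            ip, port = parse_port_arg(arg)
            if ip != client:
                findings.append(Finding("third-party-data-channel",
                                        f"{ip}:{port} (client is {client})"))
            else:
                findings.append(Finding("dynamic-data-channel", f"{ip}:{port}"))
    return findings


if __name__ == "__main__":
    for f in audit_ftp_session(SAMPLE_SESSION):
        print(f"{f.kind:28} {f.detail}")
```

Running it on the constructed session reports the two cleartext credential lines, one ordinary active-mode data channel back to the client, and one PORT command directing the DMZ server at 10.0.0.25:22, which is exactly the kind of connection a DMZ firewall policy is meant to prevent.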

  2. The MAIN reason for requiring that all computer clocks across an organization be synchronized is to:

    • prevent omission or duplication of transactions.
    • ensure smooth data transition from client machines to servers.
    • ensure that e-mail messages have accurate time stamps.
    • support the incident investigation process.
    Explanation: 
    During an incident investigation, audit logs are used as evidence, and their time stamps are what allow events on different systems to be placed in sequence. If the clocks are not synchronized, a reliable timeline cannot be established and the investigation becomes more difficult. A time stamp does not affect whether a transaction is processed, so clock skew does not cause transactions to be omitted or duplicated. Data transfer from client machines to servers does not depend on synchronized clocks. An inaccurate time stamp on an e-mail is a nuisance, not a significant issue.
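    To show why unsynchronized clocks damage an investigation, here is an added example (not from the exam material) that builds a cross-host timeline from constructed log lines. The hosts, the log format and the measured clock offsets are assumptions for the example: the web server's clock is assumed to run 90 seconds fast, the database host's clock is assumed to be correct. Sorting on raw time stamps places the SSH login after the database activity, which misreads the sequence; correcting each host's time stamp by its measured offset restores the real order of events.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    host: str
    ts: datetime   # UTC; either as recorded by the host or corrected to reference time
    msg: str


# Constructed logs in an assumed "<host> <ISO-8601 UTC> <message>" format.
SAMPLE_LOGS = [
    "web01 2021-12-13T10:00:30Z sshd: Accepted publickey for deploy from 198.51.100.7",
    "db01  2021-12-13T09:59:05Z postgres: connection authorized user=app database=orders",
    "db01  2021-12-13T09:59:20Z postgres: LOG: statement: COPY customers TO '/tmp/c.csv'",
    "web01 2021-12-13T10:01:10Z sudo: deploy : COMMAND=/usr/bin/scp /tmp/c.csv 198.51.100.7:",
]

# Assumed measured offsets (host clock minus reference time), e.g. from
# comparing each host against the NTP source during evidence collection.
CLOCK_OFFSETS = {
    "web01": timedelta(seconds=90),  # runs 90 s fast
    "db01": timedelta(0),            # synchronized
}


def parse_line(line):
    """Split one log line into an Event with a timezone-aware UTC timestamp."""
    host, ts, msg = line.split(maxsplit=2)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(host, when, msg)


def build_timeline(lines, offsets=None):
    """Return events in chronological order.

    Without offsets the raw host time stamps are trusted as-is. With offsets,
    each host's time stamp is shifted back to reference time before sorting,
    which is what an investigator must do when clocks were not synchronized.
    """
    offsets = offsets or {}
    events = [parse_line(line) for line in lines]
    corrected = [
        Event(e.host, e.ts - offsets.get(e.host, timedelta(0)), e.msg) for e in events
    ]
    return sorted(corrected, key=lambda e: e.ts)


if __name__ == "__main__":
    print("Raw host clocks:")
    for e in build_timeline(SAMPLE_LOGS):
        print(f"  {e.ts:%H:%M:%S} {e.host} {e.msg}")
    print("Corrected to reference time:")
    for e in build_timeline(SAMPLE_LOGS, CLOCK_OFFSETS):
        print(f"  {e.ts:%H:%M:%S} {e.host} {e.msg}")
```

With the raw time stamps the login on web01 appears a minute after the bulk export on db01, as if the two were unrelated. After correction the sequence reads login, database connection, export, copy-out, a coherent chain that the investigator can act on.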
  3. When reviewing the configuration of network devices, an IS auditor should FIRST identify:

    • the best practices for the type of network devices deployed.
    • whether components of the network are missing.
    • the importance of the network device in the topology.
    • whether subcomponents of the network are being used appropriately.
    Explanation: 
    The first step is to understand the importance and role of the network device within the organization’s network topology. Only after the devices and their roles are understood can best practices for that type of device be reviewed to confirm there are no anomalies in the configuration. Whether a component or subcomponent is missing or is being used inappropriately can only be determined once the topology and the best practices for deploying the device in the network are understood.
  4. Which of the following would be of MOST concern when determining if information assets are adequately safeguarded during transport and disposal?

    • Lack of password protection
    • Lack of recent awareness training
    • Lack of appropriate data classification
    • Lack of appropriate labeling
  5. Which of the following should an IS auditor expect to find when reviewing IT security policy?

    • Assigned responsibility for safeguarding company assets 
    • A risk-based classification of systems
    • An inventory of information assets
    • Virus protection implementation strategies
  6. Which of the following roles is BEST suited to assign classification to an information asset?

    • The data owner 
    • The information security manager
    • The data custodian
    • The senior manager
  7. Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

    • Reduce the risk of data leakage that could lead to an attack.
    • Comply with business continuity best practice.
    • Ensure compliance with the data classification policy.
    • Protect the plan from unauthorized alteration.
  8. Which of the following would protect the confidentiality of information sent in email messages?

    • Encryption 
    • Digital certificates
    • Digital signatures
    • Secure Hash Algorithm 1 (SHA-1)
  9. What is the PRIMARY objective of implementing data classification?

    • Employ data leakage prevention tools.
    • Establish appropriate data protection methods. 
    • Create awareness among users.
    • Establish appropriate encryption methods.
  10. Which of the following is a PRIMARY purpose of a privacy notice?

    • To obtain permission from users for the organization to use personal information as it sees fit
    • To indemnify the organization against litigation by users for the appropriation of personal information
    • To establish the organization’s accountability for the use and protection of personal information 
    • To ensure that the organization’s privacy controls comply with the privacy laws of the user’s region
  11. Which of the following features of a library control software package would protect against unauthorized updating of source code?

    • Access controls for source libraries 
    • Required approvals at each life cycle step
    • Date and time stamping of source and object code
    • Release-to-release comparison of source code
  12. Which of the following roles is ULTIMATELY accountable for the protection of an organization’s information?

    • The board of directors
    • The chief information security officer (CISO)
    • The data owner 
    • The chief information officer (CIO)
  13. A digital signature addresses which of the following concerns?

    • Message copying
    • Message theft
    • Unauthorized reading
    • Message alteration
  14. Which combination of access controls provides the BEST physical protection for a server room?

    • PIN and smart card 
    • User ID and PIN
    • Card with a magnetic stripe and a smart card
    • Card with a magnetic stripe and a shared PIN
  15. Which of the following would BEST deter the theft of corporate information from a laptop?

    • Install biometric access controls.
    • Encrypt all data on the hard drive.
    • Protect files with passwords.
    • Encrypt the file allocation table (FAT).
  16. Which of the following system deployments requires the cloud provider to assume the widest range of responsibilities for data protection?

    • Database as a Service (DBaaS)
    • Software as a Service (SaaS) 
    • Platform as a Service (PaaS)
    • Infrastructure as a Service (IaaS)
  17. Which of the following would MOST effectively minimize the risk of unauthorized online banking customer transactions due to phishing?

    • A strong authentication mechanism
    • Clear audit trails
    • An intrusion prevention system (IPS)
    • A customer awareness program
  18. Which of the following would have the GREATEST impact on defining the classification levels for electronic documents?

    • Value of information 
    • Volume of information
    • Document archival requirements
    • End user preferences
  19. An IS auditor is reviewing an organization’s implementation of a bring your own device (BYOD) program. Which of the following would be the BEST recommendation to help ensure sensitive data is protected if a device is in the possession of an unauthorized individual?

    • Enable the location service feature on devices.
    • Encrypt data on devices including storage media. 
    • Authenticate device users when accessing the corporate network.
    • Enable remote wiping of critical data.
  20. When reviewing an organization’s data protection practices, an IS auditor should be MOST concerned with a lack of:

    • a security team.
    • data classification. 
    • training manuals.
    • data encryption.