Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 26

  1. Which of the following is the MOST important driver when developing an effective information security strategy?

    • Security audit reports
    • Benchmarking reports
    • Information security standards
    • Compliance requirements
  2. The FIRST step in establishing an information security program is to:

    • secure organizational commitment and support
    • assess the organization’s compliance with regulatory requirements
    • determine the level of risk that is acceptable to senior management
    • define policies and standards that mitigate the organization’s risks
  3. Which of the following is the BEST reason to certify an organization to an international security standard?

    • The certification covers enterprise security end-to-end.
    • The certification reduces information security risk.
    • The certification ensures that optimal controls are in place.
    • The certification delivers value to stakeholders.
  4. An organization is considering whether to allow employees to use personal computing devices for business purposes. To BEST facilitate senior management’s decision, the information security manager should:

    • perform a cost-benefit analysis
    • map the strategy to business objectives
    • conduct a risk assessment
    • develop a business case
  5. A PRIMARY advantage of involving business management in evaluating and managing information security risks is that they:

    • better understand the security architecture
    • better understand organizational risks
    • can balance technical and business risks
    • are more objective than security management
  6. Which of the following is the MOST effective way for an organization to ensure its third-party service providers are aware of information security requirements and expectations?

    • Providing information security training to third-party personnel
    • Auditing the service delivery of third-party providers
    • Including information security clauses within contracts
    • Requiring third parties to sign confidentiality agreements
  7. Which of the following should be the MOST important consideration when implementing an information security framework?

    • Compliance requirements
    • Audit findings
    • Technical capabilities
    • Risk appetite
  8. An organization’s IT department is undertaking a large virtualization project to reduce its physical server footprint. Which of the following should be the HIGHEST priority of the information security manager?

    • Determining how incidents will be managed
    • Selecting the virtualization software
    • Being involved at the design stage of the project
    • Ensuring the project has appropriate security funding
  9. An information security manager is developing evidence preservation procedures for an incident response plan. Which of the following would be the BEST source of guidance for requirements associated with the procedures?

    • IT management
    • Executive management
    • Legal counsel
    • Data owners
  10. What is the MOST important role of an organization’s data custodian in support of the information security function?

    • Evaluating data security technology vendors
    • Applying approved security policies
    • Approving access rights to departmental data
    • Assessing data security risks to the organization
  11. An information security manager has identified and implemented mitigating controls according to industry best practices. Which of the following is the GREATEST risk associated with this approach?

    • Important security controls may be missed without senior management input.
    • The cost of control implementation may be too high.
    • The mitigation measures may not be updated in a timely manner.
    • The security program may not be aligned with organizational objectives.
  12. Following a risk assessment, new countermeasures have been approved by management. Which of the following should be performed NEXT?

    • Schedule the target end date for implementation activities.
    • Budget the total cost of implementation activities.
    • Develop an implementation strategy.
    • Calculate the residual risk for each countermeasure.
  13. Which of the following would be of GREATEST concern to an IS auditor evaluating governance over open source development components?

    • The development project has gone over budget and time
    • The open source development components do not meet industry best practices
    • The software is not analyzed for compliance with organizational requirements
    • Existing open source policies have not been approved in over a year
  14. The PRIMARY objective of value delivery in reference to IT governance is to:

    • increase efficiency
    • promote best practices
    • optimize investments
    • ensure compliance
  15. Which of the following is the PRIMARY objective of implementing IT governance?

    • Resource management
    • Performance measurement
    • Value delivery
    • Strategic planning
  16. Which of the following is necessary for effective risk management in IT governance?

    • Risk evaluation is embedded in management processes
    • Risk management strategy is approved by the audit committee
    • Local managers are solely responsible for risk evaluation
    • IT risk management is separate from corporate risk management
  17. Which of the following should be an IS auditor’s PRIMARY consideration when evaluating the development and design of a privacy program?

    • Data governance and data classification procedures
    • Policies and procedures consistent with privacy guidelines
    • Industry practice and regulatory compliance guidance
    • Information security and incident management practices
  18. Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?

    • To identify data at rest and data in transit for encryption
    • To prevent confidential data loss
    • To comply with legal and regulatory requirements
    • To provide options to individuals regarding use of their data
  19. An IS audit of an organization’s data classification policies finds some areas of the policies may not be up-to-date with new data privacy regulations. What should management do FIRST to address the risk of noncompliance?

    • Conduct a privacy impact assessment to identify gaps
    • Reclassify information based on revised information classification labels
    • Mandate training on the new privacy regulations
    • Perform a data discovery exercise to identify all personal data
  20. Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?

    • Applicable laws and regulations
    • End user access rights
    • Business requirements
    • Classification of data