Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 30

  1. In a multinational organization, local security regulations should be implemented over global security policy because:

    • global security policies include unnecessary controls for local businesses
    • business objectives are defined by local business unit managers
    • requirements of local regulations take precedence
    • deploying awareness of local regulations is more practical than of global policy
  2. Which of the following is a step in establishing a security policy?

    • Developing platform-level security baselines.
    • Developing configuration parameters for the network.
    • Implementing a process for developing and maintaining the policy.
    • Creating a RACI matrix.
  3. A large number of exceptions to an organization’s information security standards have been granted after senior management approved a bring your own device (BYOD) program. To address this situation, it is MOST important for the information security manager to:

    • introduce strong authentication on devices
    • reject new exception requests
    • require authorization to wipe lost devices
    • update the information security policy
  4. Which of the following is MOST important for the IS auditor to verify when reviewing the development process of a security policy?

    • Evidence of active involvement of key stakeholders
    • Output from the enterprise’s risk management system
    • Identification of the control framework
    • Evidence of management approval
  5. Which of the following should be the PRIMARY reason to establish a social media policy for all employees?

    • To publish acceptable messages to be used by employees when posting
    • To raise awareness and provide guidance about social media risks
    • To restrict access to social media during business hours to maintain productivity
    • To prevent negative public social media postings and comments
  6. An internal IS auditor discovers that a service organization did not notify its customers following a data breach. Which of the following should the auditor do FIRST?

    • Notify audit management of the finding.
    • Report the finding to regulatory authorities.
    • Notify the service organization’s customers.
    • Require the service organization to notify its customers.
  7. A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?

    • Industry standards
    • The business impact analysis (BIA)
    • The business objectives
    • Previous audit recommendations
  8. A CEO requests access to corporate documents from a mobile device that does not comply with organizational policy. The information security manager should FIRST:

    • evaluate the business risk
    • evaluate a third-party solution
    • initiate an exception approval process
    • deploy additional security controls
  9. Which of the following is MOST important to consider when developing a bring your own device (BYOD) policy?

    • Supported operating systems
    • Procedure for accessing the network
    • Application download restrictions
    • Remote wipe procedures
  10. An IT steering committee assists the board of directors to fulfill IT governance duties by:

    • developing IT policies and procedures for project tracking.
    • focusing on the supply of IT services and products.
    • overseeing major projects and IT resource allocation.
    • implementing the IT strategy.
  11. Which of the following can provide assurance that an IT project has delivered its planned benefits?

    • User acceptance testing (UAT)
    • Steering committee approval
    • Post-implementation review
    • Quality assurance evaluation
  12. Which of the following is MOST important when evaluating the retention period for a cloud provider’s client data backups?

    • Cost of data storage
    • Contractual commitments
    • Previous audit recommendations
    • Industry best practice
  13. Which of the following is MOST important to include in a contract with a software development service provider?

    • A list of key performance indicators (KPIs)
    • Ownership of intellectual property
    • Service level agreement (SLA)
    • Explicit contract termination requirements
  14. Which of the following is a distinguishing feature at the highest level of a maturity model?

    • There are formal standards and procedures.
    • Projects are controlled with management supervision.
    • A continuous improvement process is applied.
    • Processes are monitored continuously.
  15. The PRIMARY purpose of a precedence diagramming method in managing IT projects is to:

    • monitor project scope creep.
    • identify the critical path.
    • identify key milestones.
    • minimize delays and overruns.
  16. Reports to the executive level concerning IT performance should focus on:

    • third-party compliance with organizational practices.
    • IT performance in relation to operational improvements.
    • IT deliverables against organizational strategies.
    • capacity planning effectiveness within the organization.
  17. To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?

    • Include strategic objectives in IT staff performance objectives.
    • Review IT staff job descriptions for alignment.
    • Identify required IT skill sets that support key business processes.
    • Develop quarterly training for each IT staff member.
  18. Which of the following should be the PRIMARY basis for planning and prioritizing IT infrastructure security audits?

    • Asset value to the organization
    • Management requests
    • The organization’s risk appetite
    • Security best practice
  19. Which of the following is the MOST effective control to reduce the risk of information leakage through social media?

    • Use of keystroke loggers
    • Periodic review of the data classification policy
    • Limited access to social media sites in the workplace
    • Security awareness training
  20. An operations manager has recently moved to internal audit. Which of the following would be of GREATEST concern when assigning audit projects to this individual?

    • A control within the audit scope was implemented by the operations manager six months ago.
    • A control within the audit scope was downgraded to low risk by the operations manager six months ago.
    • The owner of a process within the audit scope worked for the operations manager six months ago.
    • A system within the audit scope is supported by an emerging technology for which the operations manager lacks experience.