Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 32

  1. An IS auditor determines that an online retailer processing credit card information does not have a data classification process. The auditor’s NEXT step should be to:

    • recommend encryption of all sensitive data at rest
    • determine existing controls around sensitive data
    • recommend the implementation of data loss prevention (DLP) tools
    • inquire if there have been any data loss incidents
  2. An IS auditor is reviewing an organization’s network vulnerability scan results. Which of the following processes would the scan results MOST likely feed into?

    • Firewall maintenance
    • Patch management
    • Incident response
    • Traffic management
  3. Which of the following is MOST critical for the effective implementation of IT governance?

    • Internal auditor commitment
    • Supportive corporate culture
    • Strong risk management practices
    • Documented policies
  4. When auditing the IT governance of an organization planning to outsource a critical financial application to a cloud vendor, the MOST important consideration for the auditor should be:

    • the cost of the outsourced system.
    • the inclusion of a service termination clause.
    • alignment with industry standards.
    • alignment with business requirements.
  5. An IS auditor has completed a review of an outsourcing agreement and has identified IT governance issues. Which of the following is the MOST effective and efficient way of communicating the issues at a meeting with senior management?

    • Present a completed report and discuss the details.
    • Provide a detailed report in advance and open the floor to questions.
    • Present an overview highlighting the key findings.
    • Provide a plan of action and milestones.
  6. An information security manager’s PRIMARY objective for presenting key risks to the board of directors is to:

    • re-evaluate the risk appetite.
    • quantify reputational risks.
    • meet information security compliance requirements.
    • ensure appropriate information security governance.
  7. Which of the following is the MOST effective way of ensuring that business units comply with an information security governance framework?

    • Conducting information security awareness training
    • Performing security assessments and gap analyses
    • Integrating security requirements with processes
    • Conducting a business impact analysis (BIA)
  8. Which of the following is MOST important to the successful implementation of an information security governance framework across the organization?

    • The existing organizational security culture
    • Security management processes aligned with security objectives
    • Organizational security controls deployed in line with regulations
    • Security policies that adhere to industry best practices
  9. After implementing an information security governance framework, which of the following would provide the BEST information to develop an information security project plan?

    • Balanced scorecard
    • Recent audit results
    • Risk heat map
    • Gap analysis
  10. Which of the following is the MOST effective way to achieve the integration of information security governance into corporate governance?

    • Ensure information security aligns with IT strategy.
    • Provide periodic IT balanced scorecards to senior management.
    • Align information security budget requests to organizational goals.
    • Ensure information security efforts support business goals.
  11. Within a security governance framework, which of the following is the MOST important characteristic of the information security committee? The committee:

    • conducts frequent reviews of the security policy.
    • includes a mix of members from all levels of management.
    • has a clearly defined charter and meeting protocols.
    • has established relationships with external professionals.
  12. The PRIMARY purpose of aligning information security with corporate governance objectives is to:

    • identify an organization’s tolerance for risk.
    • re-align roles and responsibilities.
    • build capabilities to improve security processes.
    • consistently manage significant areas of risk.
  13. In an organization where IT is critical to its business strategy and where there is a high level of operational dependence on IT, senior management commitment to security is BEST demonstrated by the:

    • reporting line of the chief information security officer (CISO).
    • segregation of duties policy.
    • existence of an IT steering committee.
    • size of the IT security function.
  14. Which of the following would be MOST effective when justifying the cost of adding security controls to an existing web application?

    • Vulnerability assessment results
    • Application security policy
    • A business case
    • Internal audit reports
  15. In the absence of technical controls, what would be the BEST way to reduce unauthorized text messaging on company-supplied mobile devices?

    • Update the corporate mobile usage policy to prohibit texting.
    • Conduct a business impact analysis (BIA) and provide the report to management.
    • Stop providing mobile devices until the organization is able to implement controls.
    • Include the topic of prohibited texting in security awareness training.
  16. A large organization is considering a policy that would allow employees to bring their own smartphones into the organizational environment. The MOST important concern to the information security manager should be the:

    • lack of a device management solution.
    • decrease in end user productivity.
    • impact on network capacity.
    • higher costs in supporting end users.
  17. Which of the following is the BEST way to demonstrate to senior management that organizational security practices comply with industry standards?

    • A report on the maturity of controls
    • Up-to-date policy and procedures documentation
    • Existence of an industry-accepted framework
    • Results of an independent assessment
  18. An information security manager learns that a departmental system is out of compliance with the information security policy’s authentication requirements. Which of the following should be the information security manager’s FIRST course of action?

    • Isolate the noncompliant system from the rest of the network.
    • Submit the issue to the steering committee for escalation.
    • Request risk acceptance from senior management.
    • Conduct an impact analysis to quantify the associated risk.
  19. Following significant organizational changes, which of the following is the MOST important consideration when updating the IT policy?

    • The policy is integrated into job descriptions.
    • The policy is endorsed by senior executives.
    • The policy is compliant with relevant laws and regulations.
    • The policy is aligned with industry standards and best practice.
  20. Which of the following is the FIRST consideration when developing a data retention policy?

    • Determining the backup cycle based on retention period
    • Designing an infrastructure storage strategy
    • Identifying the legal and contractual retention period for data
    • Determining the security access privileges to the data