Last Updated on December 13, 2021 by Admin 3
CISA : Certified Information Systems Auditor : Part 32

An IS auditor determines that an online retailer processing credit card information does not have a data classification process. The auditor’s NEXT step should be to:
- recommend encryption of all sensitive data at rest
- determine existing controls around sensitive data
- recommend the implementation of data loss prevention (DLP) tools
- inquire if there have been any data loss incidents

An IS auditor is reviewing an organization’s network vulnerability scan results. Which of the following processes would the scan results MOST likely feed into?
- Firewall maintenance
- Patch management
- Incident response
- Traffic management

Which of the following is MOST critical for the effective implementation of IT governance?
- Internal auditor commitment
- Supportive corporate culture
- Strong risk management practices
- Documented policies

When auditing the IT governance of an organization planning to outsource a critical financial application to a cloud vendor, the MOST important consideration for the auditor should be:
- the cost of the outsourced system.
- the inclusion of a service termination clause.
- alignment with industry standards.
- alignment with business requirements.

An IS auditor has completed a review of an outsourcing agreement and has identified IT governance issues. Which of the following is the MOST effective and efficient way of communicating the issues at a meeting with senior management?
- Present a completed report and discuss the details.
- Provide a detailed report in advance and open the floor to questions.
- Present an overview highlighting the key findings.
- Provide a plan of action and milestones.

An information security manager’s PRIMARY objective for presenting key risks to the board of directors is to:
- re-evaluate the risk appetite.
- quantify reputational risks.
- meet information security compliance requirements.
- ensure appropriate information security governance.

Which of the following is the MOST effective way of ensuring that business units comply with an information security governance framework?
- Conducting information security awareness training
- Performing security assessments and gap analyses
- Integrating security requirements with processes
- Conducting a business impact analysis (BIA)

Which of the following is MOST important to the successful implementation of an information security governance framework across the organization?
- The existing organizational security culture
- Security management processes aligned with security objectives
- Organizational security controls deployed in line with regulations
- Security policies that adhere to industry best practices

After implementing an information security governance framework, which of the following would provide the BEST information to develop an information security project plan?
- Balanced scorecard
- Recent audit results
- Risk heat map
- Gap analysis

Which of the following is the MOST effective way to achieve the integration of information security governance into corporate governance?
- Ensure information security aligns with IT strategy.
- Provide periodic IT balanced scorecards to senior management.
- Align information security budget requests to organizational goals.
- Ensure information security efforts support business goals.

Within a security governance framework, which of the following is the MOST important characteristic of the information security committee? The committee:
- conducts frequent reviews of the security policy.
- includes a mix of members from all levels of management.
- has a clearly defined charter and meeting protocols.
- has established relationships with external professionals.

The PRIMARY purpose of aligning information security with corporate governance objectives is to:
- identify an organization’s tolerance for risk.
- re-align roles and responsibilities.
- build capabilities to improve security processes.
- consistently manage significant areas of risk.

In an organization where IT is critical to its business strategy and where there is a high level of operational dependence on IT, senior management commitment to security is BEST demonstrated by the:
- reporting line of the chief information security officer (CISO).
- segregation of duties policy.
- existence of an IT steering committee.
- size of the IT security function.

Which of the following would be MOST effective when justifying the cost of adding security controls to an existing web application?
- Vulnerability assessment results
- Application security policy
- A business case
- Internal audit reports

In the absence of technical controls, what would be the BEST way to reduce unauthorized text messaging on company-supplied mobile devices?
- Update the corporate mobile usage policy to prohibit texting.
- Conduct a business impact analysis (BIA) and provide the report to management.
- Stop providing mobile devices until the organization is able to implement controls.
- Include the topic of prohibited texting in security awareness training.

A large organization is considering a policy that would allow employees to bring their own smartphones into the organizational environment. The MOST important concern to the information security manager should be the:
- lack of a device management solution.
- decrease in end user productivity.
- impact on network capacity.
- higher costs in supporting end users.

Which of the following is the BEST way to demonstrate to senior management that organizational security practices comply with industry standards?
- A report on the maturity of controls
- Up-to-date policy and procedures documentation
- Existence of an industry-accepted framework
- Results of an independent assessment

An information security manager learns that a departmental system is out of compliance with the information security policy’s authentication requirements. Which of the following should be the information security manager’s FIRST course of action?
- Isolate the noncompliant system from the rest of the network.
- Submit the issue to the steering committee for escalation.
- Request risk acceptance from senior management.
- Conduct an impact analysis to quantify the associated risk.

Following significant organizational changes, which of the following is the MOST important consideration when updating the IT policy?
- The policy is integrated into job descriptions.
- The policy is endorsed by senior executives.
- The policy is compliant with relevant laws and regulations.
- The policy is aligned with industry standards and best practice.

Which of the following is the FIRST consideration when developing a data retention policy?
- Determining the backup cycle based on retention period
- Designing an infrastructure storage strategy
- Identifying the legal and contractual retention period for data
- Determining the security access privileges to the data