Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 33

  1. Which of the following factors will BEST promote effective information security management?

    • Senior management commitment
    • Identification and risk assessment of sensitive resources
    • Security awareness training
    • Security policy framework
  2. A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

    • use a proxy server to filter out Internet sites that should not be accessed.
    • keep a manual log of Internet access.
    • monitor remote access activities.
    • include a statement in its security policy about Internet use.
  3. Which of the following BEST indicates a need to review an organization’s information security policy?

    • Completion of annual IT risk assessment
    • Increasing complexity of business transactions
    • Increasing exceptions approved by management
    • High number of low-risk findings in the audit report
  4. Which of the following is a directive control?

    • Establishing an information security operations team
    • Updating data loss prevention software
    • Implementing an information security policy
    • Configuring data encryption software
  5. An organization’s IT security policy requires annual security awareness training for all employees. Which of the following would provide the BEST evidence of the training’s effectiveness?

    • Results of a social engineering test
    • Interviews with employees
    • Decreased calls to the incident response team
    • Surveys completed by randomly selected employees
  6. Which type of risk would MOST influence the selection of a sampling methodology?

    • Control
    • Inherent
    • Residual
    • Detection
  7. Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

    • Regular monitoring of user access logs
    • Annual sign-off of acceptable use policy
    • Security awareness training
    • Formalized disciplinary action
  8. Which of the following will BEST protect an organization against spear phishing?

    • Email content filtering
    • Acceptable use policy
    • End-user training
    • Antivirus software
  9. Which of the following is MOST likely to be included in an enterprise information security policy?

    • Password composition requirements
    • Consequences of noncompliance
    • Audit trail review requirements
    • Security monitoring strategy
  10. Which of the following processes is the FIRST step in establishing an information security policy?

    • Security controls evaluation
    • Business risk assessment
    • Review of current global standards
    • Information security audit
  11. A business unit uses an e-commerce application with a strong password policy. Many customers complain that they cannot remember their passwords because they are too long and complex. The business unit states it is imperative to improve the customer experience. The information security manager should FIRST:

    • change the password policy to improve the customer experience.
    • recommend implementing two-factor authentication.
    • research alternative secure methods of identity verification.
    • evaluate the impact of the customer’s experience on business revenue.
  12. The GREATEST benefit of using a maturity model when providing security reports to management is that it presents the:

    • current and target security state for the business.
    • security program priorities to achieve an accepted risk level.
    • assessed level of security risk at a particular point in time.
    • level of compliance with internal policy.
  13. A cloud service provider is unable to provide an independent assessment of controls. Which of the following is the BEST way to obtain assurance that the provider can adequately protect the organization’s information?

    • Check references supplied by the provider’s other customers.
    • Invoke the right to audit per the contract.
    • Review the provider’s information security policy.
    • Review the provider’s self-assessment.
  14. Which of the following is MOST likely to result from compliance testing?

    • Comparison of data with physical counts
    • Confirmation of data with outside sources
    • Identification of errors due to processing mistakes
    • Discovery of controls that have not been applied
  15. When designing an incident response plan to be agreed upon with a cloud computing vendor, including which of the following will BEST help to ensure the effectiveness of the plan?

    • A training program for the vendor staff
    • An audit and compliance program
    • Responsibility and accountability assignments
    • Requirements for onsite recovery testing
  16. Which of the following would BEST help to ensure compliance with an organization’s information security requirements by an IT service provider?

    • Defining the business recovery plan with the IT service provider
    • Requiring external security audits of the IT service provider
    • Defining information security requirements with internal IT
    • Requiring regular reporting from the IT service provider
  17. Which of the following should MOST influence an information security manager when developing IT security policies?

    • Past and current threats
    • IT security framework
    • Compliance with regulations
    • Business strategy
  18. Which of the following is the BEST approach to identify noncompliance issues with legal, regulatory, and contractual requirements?

    • Vulnerability assessment
    • Risk assessment
    • Business impact analysis (BIA)
    • Gap analysis
  19. Which of the following provides the GREATEST assurance that an organization allocates appropriate resources to respond to information security events?

    • Incident classification procedures
    • Threat analysis and intelligence reports
    • An approved IT staffing plan
    • Information security policies and standards
  20. Which of the following is MOST useful to include in a report to senior management on a regular basis to demonstrate the effectiveness of the information security program?

    • Critical success factors (CSFs)
    • Key risk indicators (KRIs)
    • Capability maturity models
    • Key performance indicators (KPIs)