Last Updated on December 13, 2021 by Admin 3

CISA: Certified Information Systems Auditor: Part 34

  1. When the inherent risk of a business activity is lower than the acceptable risk level, the BEST course of action would be to:

    • implement controls to mitigate the risk.
    • report compliance to management.
    • review the residual risk level.
    • monitor for business changes.
  2. Over the last year, an information security manager has performed risk assessments on multiple third-party vendors. Which of the following criteria would be MOST helpful in determining the associated level of risk applied to each vendor?

    • Compensating controls in place to protect information security
    • Corresponding breaches associated with each vendor
    • Criticality of the service to the organization
    • Compliance requirements associated with the regulation
  3. An information security manager is concerned that executive management does not support information security initiatives. Which of the following is the BEST way to address this situation?

    • Demonstrate alignment of the information security function with business needs.
    • Escalate noncompliance concerns to the internal audit manager.
    • Report the risk and status of the information security program to the board.
    • Revise the information security strategy to meet executive management’s expectations.
  4. The MOST important reason that security risk assessment should be conducted frequently throughout an organization is because:

    • threats to the organization may change.
    • controls should be regularly tested.
    • compliance with legal and regulatory standards should be reassessed.
    • control effectiveness may weaken.
  5. Which of the following is the MOST important factor to consider when establishing a severity hierarchy for information security incidents?

    • Management support
    • Business impact
    • Regulatory compliance
    • Residual risk
  6. The PRIMARY reason an organization would require that users sign an acknowledgment of their system access responsibilities is to:

    • maintain compliance with industry best practices.
    • serve as evidence of security awareness training.
    • assign accountability for transactions made with the user’s ID.
    • maintain an accurate record of users’ access rights.
  7. Which of the following would provide the MOST reliable evidence to indicate whether employee access has been deactivated in a timely manner following termination?

    • Comparing termination forms with dates in the HR system
    • Reviewing hardware return-of-asset forms
    • Interviewing supervisors to verify employee data is being updated immediately
    • Comparing termination forms with system transaction log entries
  8. To effectively classify data, which of the following MUST be determined?

    • Data controls
    • Data ownership
    • Data users
    • Data volume
  9. Which of the following is the MOST effective way to ensure security policies are relevant to organizational business practices?

    • Leverage security steering committee contribution.
    • Obtain senior management sign-off.
    • Integrate industry best practices.
    • Conduct an organization-wide security audit.
  10. To integrate security into system development life cycle (SDLC) processes, an organization MUST ensure that security:

    • is a prerequisite for completion of major phases.
    • performance metrics have been met.
    • roles and responsibilities have been defined.
    • is represented on the configuration control board.
  11. Which of the following is the PRIMARY role of a data custodian?

    • Processing information
    • Securing information
    • Classifying information
    • Validating information
  12. The PRIMARY focus of a training curriculum for members of an incident response team should be:

    • technology training.
    • security awareness.
    • external corporate communication.
    • specific role training.
  13. Which of the following should be the PRIMARY objective of the information security incident response process?

    • Minimizing negative impact to critical operations
    • Communicating with internal and external parties
    • Classifying incidents
    • Conducting incident triage
  14. Which of the following is MOST important to include in a contract with a critical service provider to help ensure alignment with the organization’s information security program?

    • Escalation paths
    • Right-to-audit clause
    • Termination language
    • Key performance indicators (KPIs)
  15. Which of the following is MOST important when selecting an information security metric?

    • Defining the metric in quantitative terms
    • Aligning the metric to the IT strategy
    • Defining the metric in qualitative terms
    • Ensuring the metric is repeatable
  16. The PRIMARY purpose of asset valuation for the management of information security is to:

    • eliminate the least significant assets.
    • provide a basis for asset classification.
    • determine the value of each asset.
    • prioritize risk management activities.
  17. Which of the following is MOST effective in the strategic alignment of security initiatives?

    • A security steering committee is set up within the IT department.
    • Key information security policies are updated on a regular basis.
    • Business leaders participate in information security decision making.
    • Policies are created with input from business unit managers.
  18. Which of the following is the BEST approach for determining the maturity level of an information security program?

    • Review internal audit results.
    • Engage a third-party review.
    • Perform a self-assessment.
    • Evaluate key performance indicators (KPIs).
  19. An organization with a maturing incident response program conducts post-incident reviews for all major information security incidents. The PRIMARY goal of these reviews should be to:

    • identify security program gaps or systemic weaknesses that need correction.
    • prepare properly vetted notifications regarding the incidents to external parties.
    • identify who should be held accountable for the security incidents.
    • document and report the root cause of the incidents for senior management.
  20. To gain a clear understanding of the impact that a new regulatory requirement will have on an organization’s information security controls, an information security manager should FIRST:

    • conduct a risk assessment.
    • perform a gap analysis.
    • conduct a cost-benefit analysis.
    • interview senior management.