Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 35

  1. Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA)?

    • Identifying risk mitigation options
    • Identifying key business risks
    • Identifying critical business processes
    • Identifying the threat environment
  2. Which of the following would BEST assist an information security manager in gaining strategic support from executive management?

    • Research on trends in global information security breaches
    • Risk analysis specific to the organization
    • Annual report of security incidents within the organization
    • Rating of the organization’s security based on international standards
  3. An information security manager has developed a strategy to address new information security risks resulting from recent changes in the business. Which of the following would be MOST important to include when presenting the strategy to senior management?

    • The impact of organizational changes on the security risk profile
    • The costs associated with business process changes
    • Results of benchmarking against industry peers
    • Security controls needed for risk mitigation
  4. Which of the following is the BEST way for an information security manager to justify continued investment in the information security program when the organization is facing significant budget cuts?

    • Demonstrate an increase in ransomware attacks targeting peer organizations.
    • Demonstrate the readiness of business continuity plans.
    • Demonstrate that implemented program controls are effective.
    • Demonstrate that the program enables business activities.
  5. Which of the following is MOST important to ensure when planning a black box penetration test?

    • The test results will be documented and communicated to management.
    • Diagrams of the organization’s network architecture are available.
    • The environment and penetration test scope have been determined.
    • The management of the client organization is aware of the testing.
  6. Which of the following human resources management practices BEST leads to the detection of fraudulent activity?

    • Background checks
    • Time reporting
    • Employee code of ethics
    • Mandatory time off
  7. Which of the following would BEST enable alignment of IT with business objectives?

    • Leveraging an IT framework
    • Completing an IT risk assessment
    • Adopting industry best practices
    • Monitoring key performance indicators (KPIs)
  8. Which of the following is the FIRST step when conducting a business impact analysis (BIA)?

    • Identifying critical information resources
    • Identifying events impacting continuity of operations
    • Analyzing past transaction volumes
    • Creating a data classification scheme
  9. Which of the following findings would have the GREATEST impact on the objective of a business intelligence system?

    • Key controls have not been tested in a year.
    • Decision support queries use database functions proprietary to the vendor.
    • The hot site for disaster recovery does not include the decision support system.
    • Management reports have not been evaluated since implementation.
  10. When reviewing an organization’s IT governance processes, which of the following provides the BEST indication that information security expectations are being met at all levels?

    • Achievement of established security metrics
    • Approval of the security program by senior management
    • Utilization of an internationally recognized security standard
    • Implementation of a comprehensive security awareness program
  11. Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

    • Identifying relevant roles for an enterprise IT governance framework
    • Verifying that legal, regulatory and contractual requirements are being met
    • Making decisions regarding risk response and monitoring of residual risk
    • Providing independent and objective feedback to facilitate improvement of IT processes
  12. Which of the following is the MOST appropriate action to formalize IT governance in an organization?

    • Evaluating the IT strategy
    • Modifying IT goals and strategy
    • Establishing an IT steering committee
    • Establishing an IT steering committee
  13. Which of the following is MOST important for an IS auditor to consider during a review of the IT governance of an organization?

    • Funding allocations
    • Risk management methodology
    • Defined service levels
    • Decision making responsibilities
  14. Which of the following findings should be of MOST concern to an IS auditor when evaluating information security governance within an organization?

    • The data center manager has final sign-off on security projects.
    • The information security oversight committee meets quarterly.
    • The information security department has difficulty filling vacancies.
    • Information security policies were last updated two years ago.
  15. When reviewing business continuity plan (BCP) test results, it is MOST important for the IS auditor to determine whether the test:

    • verifies the ability to resume key business operations.
    • considers changes to the systems environment.
    • assesses the capability to retrieve vital records.
    • follows up on activities that occurred since the previous test.
  16. While reviewing an organization’s business continuity plan (BCP), an IS auditor observes that a recently developed application is not included. The IS auditor should:

    • ensure that the criticality of the application is determined.
    • ignore the observation as the application is not mission critical.
    • include in the audit findings that the BCP is incomplete.
    • recommend that the application be incorporated in the BCP.
  17. The BEST method an organization can employ to align its business continuity plan (BCP) and disaster recovery plan (DRP) with core business needs is to:

    • execute periodic walk-throughs of the plans.
    • update the business impact analysis (BIA) for significant business changes.
    • outsource the maintenance of the BCP and DRP to a third party.
    • include BCP and DRP responsibilities as a part of new employee training.
  18. When preparing to evaluate the effectiveness of an organization’s IT strategy, an IS auditor should FIRST review:

    • information security procedures.
    • the IT governance framework.
    • the most recent audit results.
    • IT processes and procedures.
  19. Which of the following is the GREATEST advantage of using a framework to guide an organization’s governance of IT?

    • It enables consistency when making strategic IT investments across the organization.
    • It enables better management of the annual IT budget provided by the board of directors.
    • It enables improvements to the security of high-risk systems in the organization.
    • It enables the achievement of service levels between IT and true business departments.
  20. Which of the following observations should be of GREATEST concern to an IS auditor performing a review of an organization’s IT governance structure?

    • The chief risk officer is also the chief information officer.
    • The chief information officer is prohibited from making capital decisions regarding IT.
    • The IT steering committee has oversight of the IT budget.
    • The IT steering committee has oversight of the IT budget.