Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 38

  1. In an environment where most IT services have been outsourced, continuity planning is BEST controlled by:

    • outsourced service provider management.
    • business management.
    • continuity planning specialists.
    • IT management.
  2. Which of the following is MOST important to include in a business continuity plan (BCP)?

    • Vendor contact information
    • Documentation of critical systems
    • Documentation of data center floor plans
    • Backup site location information
  3. An organization wants to test business continuity using a scenario in which there are many remote workers trying to access production data at the same time. Which of the following is the BEST testing method in this situation?

    • Application failover testing
    • Network stress testing
    • Alternate site testing
    • Network penetration testing
  4. An IS auditor is performing a business continuity plan (BCP) audit and identifies that the plan has not been tested for five years. However, the plan was successfully activated during a recent extended power outage. Which of the following is the IS auditor’s BEST course of action?

    • Determine if lessons learned from the activation were incorporated into the plan.
    • Determine if the business impact analysis (BIA) is still accurate.
    • Determine if a follow-up BCP audit is required to identify future gaps.
    • Determine if the annual BCP training program is in need of a review.
  5. In assessing the priority given to systems covered in an organization’s business continuity plan (BCP), an IS auditor should FIRST:

    • review results of previous business continuity plan (BCP) tests.
    • review the backup and restore processes.
    • verify the criteria for disaster recovery site selection.
    • validate the recovery time objectives and recovery point objectives.
  6. Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?

    • Identifying where existing data resides and establishing a data classification matrix
    • Requiring users to save files in secured folders instead of a company-wide shared drive
    • Reviewing data transfer logs to determine historical patterns of data flow
    • Developing a DLP policy and requiring signed acknowledgement by users
  7. An organization’s IT security policy states that user IDs must uniquely identify individuals and that users should not disclose their passwords. An IS auditor discovers that several generic user IDs are being used. Which of the following is the MOST appropriate course of action for the auditor?

    • Investigate the noncompliance.
    • Include the finding in the final audit report.
    • Recommend disciplinary action.
    • Recommend a change in security policy.
  8. An organization plans to launch a social media presence as part of a new customer service campaign. Which of the following is the MOST significant risk from the perspective of potential litigation?

    • The policy stating what employees can post on the organization’s behalf is unclear.
    • Access to corporate-sponsored social media accounts requires only single-factor authentication.
    • Approved employees can use personal devices to post on the company’s behalf.
    • There is a lack of clear procedures for responding to customers on social media outlets.
  9. Which of the following observations noted during a review of the organization’s social media practices should be of MOST concern to the IS auditor?

    • The organization does not require approval for social media posts.
    • More than one employee is authorized to publish on social media on behalf of the organization.
    • Not all employees using social media have attended the security awareness program.
    • The organization does not have a documented social media policy.
  10. An IS auditor is conducting a review of an organization’s information systems and discovers data that is no longer needed by business applications. Which of the following would be the IS auditor’s BEST recommendation?

    • Ask the data custodian to remove it after confirmation from the business user.
    • Assess the data according to the retention policy.
    • Back up the data to removable media and store it in a secure area.
    • Keep the data and protect it using a data classification policy.
  11. Which of the following provides an IS auditor the MOST assurance that an organization is compliant with legal and regulatory requirements?

    • The IT manager is responsible for the organization’s compliance with legal and regulatory requirements.
    • Controls associated with legal and regulatory requirements have been identified and tested.
    • Senior management has provided attestation of legal and regulatory compliance.
    • There is no history of complaints or fines from regulators regarding noncompliance.
  12. An IS auditor is reviewing IT policies and finds that most policies have not been reviewed in over 3 years. The MOST significant risk is that the policies do not reflect:

    • current legal requirements.
    • the vision of the CEO.
    • the mission of the organization.
    • current industry best practices.
  13. Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

    • Restricting evidence access to professionally certified forensic investigators
    • Engaging an independent third party to perform the forensic investigation
    • Performing investigative procedures on the original hard drives rather than images of the hard drives
    • Documenting evidence handling by personnel throughout the forensic investigation
  14. During the planning stage of a compliance audit, an IS auditor discovers that a bank’s inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

    • Discuss potential regulatory issues with the legal department.
    • Ask management why the regulatory changes have not been included.
    • Exclude recent regulatory changes from the audit scope.
    • Report the missing regulatory updates to the chief information officer (CIO).
  15. Which of the following data would be used when performing a business impact analysis (BIA)?

    • Projected impact of current business on future business
    • Cost of regulatory compliance
    • Cost benefit analysis of running the current business
    • Expected costs for recovering the business
  16. An organization has decided to migrate payroll processing to a new platform hosted by a third party in a different country. Which of the following is MOST important for the IS auditor to consider?

    • The service provider’s compliance with privacy regulations
    • Whether the contract contains a right-to-terminate clause
    • The service provider’s compliance with financial regulations
    • Storage costs charged by the service provider
  17. What is the BEST way for an IS auditor to address the risk associated with over-retention of personal data after identifying a large number of customer records retained beyond the retention period defined by law?

    • Recommend automating deletion of records beyond the retention period.
    • Schedule regular internal audits to identify records for deletion.
    • Report the retention period noncompliance to the regulatory authority.
    • Escalate the over-retention issue to the data privacy officer for follow-up.
  18. Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?

    • Industry standards
    • Information security policy
    • Incident response plan
    • Industry regulations
  19. An IS auditor identifies key controls that have been overridden by management. The NEXT step the IS auditor should take is to:

    • perform procedures to quantify the irregularities.
    • report the absence of key controls to regulators.
    • recommend compensating controls.
    • withdraw from the engagement.
  20. A security regulation requires the disabling of direct administrator access. Such access must occur through an intermediate server that holds administrator passwords for all systems and records all actions. An IS auditor’s PRIMARY concern with this solution would be that:

    • it is not feasible to implement.
    • it represents a single point of failure.
    • segregation of duties is not observed.
    • access logs may not be maintained.