Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 43

  1. An organization is choosing key performance indicators (KPIs) for its information security management. Which of the following KPIs would provide stakeholders with the MOST useful information about whether information security risk is being managed?

    • Time from initial reporting of an incident to appropriate escalation
    • Time from identifying a security threat to implementing a solution
    • The number of security controls implemented
    • The number of security incidents during the past quarter
  2. Which of the following is a detective control that can be used to uncover unauthorized access to information systems?

    • Requiring long and complex passwords for system access
    • Implementing a security information and event management (SIEM) system
    • Requiring internal audit to perform periodic reviews of system access logs
    • Protecting access to the data center with multifactor authentication
  3. Which of the following control checks would utilize data analytics?

    • Evaluating configuration settings for the credit card application system
    • Reviewing credit card applications submitted in the past month for blank data fields
    • Attempting to submit credit card applications with blank data fields
    • Reviewing the business requirements document for the credit card application system
  4. Which of the following is the BEST way to control scope creep during application system development?

    • Involve key stakeholders.
    • Implement project steering committee review.
    • Implement a quality management system.
    • Establish key performance indicators (KPIs).
  5. An organization is using a single account shared by personnel for its social networking marketing page. Which of the following is the BEST method to maintain accountability over the account?

    • Reviewing access rights on a periodic basis
    • Integrating the account with a single sign-on
    • Regular monitoring of proxy server logs
    • Implementing an account password check-out process
  6. An organization has implemented an enhanced password policy for business applications that requires significantly more business unit resources to support clients. The BEST approach to obtain the support of business unit management would be to:

    • elaborate on the positive impact to information security.
    • present industry benchmarking results to business units.
    • discuss the risk and impact of security incidents if not implemented.
    • present an analysis of the cost and benefit of the changes.
  7. When using a newly implemented security information and event management (SIEM) infrastructure, which of the following should be considered FIRST?

    • Report distribution
    • Encryption
    • Tuning
    • Retention
  8. An organization has an approved bring your own device (BYOD) program. Which of the following is the MOST effective method to enforce application control on personal devices?

    • Implement a mobile device management solution.
    • Establish a mobile device acceptable use policy.
    • Implement a web application firewall.
    • Educate users regarding the use of approved applications.
  9. An organization’s HR department would like to outsource its employee management system to a cloud-hosted solution due to features and cost savings offered. Management has identified this solution as a business need and wants to move forward. What should be the PRIMARY role of information security in this effort?

    • Ensure a security audit is performed of the service provider.
    • Ensure the service provider has the appropriate certifications.
    • Determine how to securely implement the solution.
    • Explain security issues associated with the solution to management.
  10. During which phase of an incident response process should corrective actions to the response procedure be considered and implemented?

    • Eradication
    • Identification
    • Review
    • Containment
  11. An emergency change was made to an IT system as a result of a failure. Which of the following should be of GREATEST concern to the organization’s information security manager?

    • The operations team implemented the change without regression testing.
    • The change did not include a proper assessment of risk.
    • Documentation of the change was made after implementation.
    • The information security manager did not review the change prior to implementation.
  12. Which of the following is MOST critical to the successful implementation of information security within an organization?

    • Strong risk management skills exist within the information security group.
    • Budget is allocated for information security tools.
    • The information security manager is responsible for setting information security policy.
    • Security is effectively marketed to all managers and employees.
  13. Which of the following would contribute MOST to employees’ understanding of data handling responsibilities?

    • Requiring staff acknowledgement of security policies
    • Labeling documents according to appropriate security classification
    • Implementing a tailored security awareness training program
    • Demonstrating support by senior management of the security program
  14. An organization implemented a mandatory information security awareness training program a year ago. What is the BEST way to determine its effectiveness?

    • Analyze responses from an employee survey on training satisfaction.
    • Analyze results from training completion reports.
    • Analyze results of a social engineering test.
    • Analyze findings from previous audit reports.
  15. Planning for the implementation of an information security program is MOST effective when it:

    • uses risk-based analysis for security projects.
    • applies technology-driven solutions to identified needs.
    • uses decision trees to prioritize security projects.
    • applies gap analysis to current and future business plans.
  16. The MOST important factors in determining the scope and timing for testing a business continuity plan are:

    • manual processing capabilities and the test location.
    • the importance of the function to be tested and the cost of testing.
    • the experience level of personnel and the function location.
    • prior testing results and the degree of detail of the business continuity plan.
  17. Which of the following will identify a deviation in the information security management process from generally accepted standards of good practices?

    • Gap analysis
    • Risk assessment
    • Business impact analysis (BIA)
    • Penetration testing
  18. Which of the following is MOST important for an organization to complete prior to developing its disaster recovery plan (DRP)?

    • Support staff skill gap analysis
    • Comprehensive IT inventory
    • Business impact analysis (BIA)
    • Risk assessment
  19. An application development team is also promoting changes to production for a critical financial application. Which of the following would be the BEST control to reduce the associated risk?

    • Implementing a change management code review
    • Implementing a peer review process
    • Performing periodic audits
    • Submitting change logs to the business manager for review
  20. A start-up organization wants to develop a data loss prevention (DLP) program. The FIRST step should be to implement:

    • data encryption.
    • access controls.
    • data classification.
    • security awareness training.