Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 45

  1. The BEST way to obtain funding from senior management for a security awareness program is to:

    • meet regulatory requirements
    • produce an impact analysis report of potential breaches
    • demonstrate that the program will adequately reduce risk
    • produce a report of organizational risks
  2. In a cloud technology environment, which of the following would pose the GREATEST challenge to the investigation of security incidents?

    • Data encryption
    • Access to the hardware
    • Compressed customer data
    • Non-standard event logs
  3. A finance department director has decided to outsource the organization’s budget application and has identified potential providers. Which of the following actions should be initiated FIRST by the information security manager?

    • Validate that connectivity to the service provider can be made securely.
    • Obtain audit reports on the service providers hosting environment.
    • Review the disaster recovery plans (DRP) of the providers.
    • Align the roles of the organization’s and the service providers’ staffs.
  4. When considering whether to adopt bring your own device (BYOD), it is MOST important for the information security manager to ensure that:

    • security controls are applied to each device when joining the network
    • business leaders have an understanding of security risks
    • users have read and signed acceptable use agreements
    • the applications are tested prior to implementation
  5. Hamid needs to shift users from using the application from the existing (Old) system to the replacing (new) system. His manager Lily has suggested he uses an approach in which the newer system is changed over from the older system on a cutoff date and time and the older system is discontinued once the changeover to the new system takes place. Which of the following changeover approach is suggested by Lily?

    • Parallel changeover
    • Phased changeover
    • Abrupt changeover
    • Pilot changeover


    In the abrupt changeover approach the newer system is changed over from the older system on a cutoff date and time, and the older system is discontinued once changeover to the new system takes place.
    Changeover refers to an approach to shift users from using the application from the existing (old) system to the replacing (new) system.

    Changeover to newer system involves four major steps or activities
    Conversion of files and programs; test running on test bed
    Installation of new hardware, operating system, application system and the migrated data.
    Training employees or user in groups
    Scheduling operations and test running for go-live or changeover

    Some of the risk areas related to changeover includes:

    Asset safeguarding
    Data integrity
    System effectiveness
    Change management challenges
    Duplicate or missing records

    The following were incorrect answers:

    Parallel changeover – This technique includes running the old system, then running both the old and new systems in parallel and finally full changing over to the new system after gaining confidence in the working of new system.

    Phased Changeover -In this approach the older system is broken into deliverables modules. Initially, the first module of older system is phased out using the first module of a new system. Then, the second module of the newer system is phased out, using the second module of the newer system and so forth until reaching the last module.

    Pilot changeover – Not a valid changeover type.


    CISA review manual 2014 Page number 172

  6. An IT management group has developed a standardized security control checklist and distributed it to the control self-assessors in each organizational unit. Which of the following is the GREATEST risk in this approach?

    • Delayed feedback may increase exposures
    • Over time the checklist may become outdated
    • Assessors may manipulate the results
    • Business-specific vulnerabilities may be overlooked
  7. Which of the following would create the GREATEST risk when migrating a critical legacy system to a new system?

    • Using agile development methodology
    • Following a phased approach
    • Following a direct cut-over approach
    • Maintaining parallel systems
  8. The GREATEST benefit of using a prototyping approach in software development is that it helps to:

    • decrease the time allocated for user testing and review
    • minimize scope changes to the system
    • conceptualize and clarify requirements
    • improve efficiency of quality assurance (QA) testing
  9. A company is using a software developer for a project. At which of the following points should the software quality assurance (QA) plan be developed?

    • As part of software definition
    • During the feasibility phase
    • Prior to acceptance testing
    • As part of the design phase
  10. During development of an information security policy, which of the following would BEST ensure alignment to business objectives?

    • Incorporation of industry best practices
    • Linkage between policy and procedures
    • Use of a balanced scorecard
    • Input from relevant stakeholders
  11. To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?

    • Criteria
    • Responsible party
    • Impact
    • Root cause
  12. Which of the following MUST be included in emergency change control procedures?

    • Obtaining user management approval before implementing the changes
    • Updating production source libraries to reflect the changes
    • Using an emergency ID to move production programs into development
    • Requesting that the help desk makes the changes
  13. Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

    • Periodic risk assessment
    • Full operational test
    • Frequent testing of backups
    • Annual walk-through testing
  14. The PRIMARY reason for allocating sufficient time between the “go-live” phase of a new system and conducting a post-implementation review is to:

    • update project requirements and design documentation
    • increase availability of system implementation team resources
    • allow the system to stabilize in production
    • obtain sign-off on the scope of post-implementation review
  15. A maturity model is useful in the assessment of IT service management because it:

    • provides a benchmark for process improvement
    • defines the level of control required to meet business needs
    • indicates the service levels required for the business area
    • specifies the mechanism needed to achieve defined service levels
  16. Which of the following should be the FIRST step when drafting an incident response plan for a new cyber-attack scenario?

    • Schedule response testing
    • Create a new incident response team
    • Create a reporting template
    • Identify relevant stakeholders
  17. Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to server performance will be prevented?

    • Anticipating current service level agreements (SLAs) will remain unchanged
    • Prorating the current processing workloads
    • Negotiating agreements to acquire required cloud services
    • Duplicating existing disk drive systems to improve redundancy and data storage
  18. In a typical (system development life cycle) SDLC, which group is PRIMARILY responsible for confirming compliance with requirements?

    • Steering committee
    • Risk management
    • Quality assurance (QA)
    • Internal audit
  19. A company is planning to implement a new administrative system at many sites. The new system contains four integrated modules. Which of the following implementation approaches would be MOST appropriate?

    • Parallel implementation module by module
    • Pilot run of the new system
    • Full implementation of the new system
    • Parallel run at all locations
  20. A change to the scope of an IT project has been formally submitted to the project manager. What should the project manager do NEXT?

    • Update the project plan to reflect the change in scope
    • Discuss the change with the project team and determine if it should be approved
    • Escalate the change to the change advisory board for approval
    • Determine how the change will affect the schedule and budget