Last Updated on December 13, 2021 by Admin 3
CISA : Certified Information Systems Auditor : Part 81
In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to “never expire”. Which of the following recommendations would BEST address the risk with minimal disruption to the business?
- Modify the access management policy to make allowances for application accounts
- Introduce database access monitoring into the environment
- Modify applications to no longer require direct access to the database
- Schedule downtime to implement password changes
-
Which of the following is MOST important when duties in a small organization cannot be appropriately segregated?
- Exception reporting
- Variance reporting
- Independent reviews
- Audit trail
-
An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor’s BEST recommendation?
- Upgrade hardware to newer technology
- Build a virtual environment
- Hire temporary contract workers for the IT function
- Increase the capacity of existing systems
-
Which of the following metrics would be MOST useful to an IS auditor when assessing the resilience of an application programming interface (API)?
- Number of developers adopting the API for their applications
- Number of patches released within a time interval for the API
- Number of API calls expected versus actually received within a time interval
- Number of defects logged during development compared to other APIs
-
Which of the following is the BEST use of a balanced scorecard when evaluating IT performance?
- Monitoring alignment of IT with the rest of the organization
- Determining compliance with relevant regulatory requirements
- Monitoring alignment of the IT project portfolio to budget
- Evaluating implementation of the business strategy
-
A checksum is classified as which type of control?
- Corrective control
- Detective control
- Preventive control
- Administrative control
-
Which of the following is the GREATEST risk associated with vulnerability scanning tools used to identify security weaknesses?
- False positives
- False negatives
- Use of open source tools
- Outdated signatures for detection
-
Which of the following controls is BEST implemented through system configuration?
- Network user accounts for temporary workers expire after 90 days
- Financial data in key reports is traced to source systems for completeness and accuracy
- Application user access is reviewed every 180 days for appropriateness
- Computer operations personnel initiate batch processing jobs daily
-
An audit has identified that business units have purchased cloud-based applications without IT’s support. What is the GREATEST risk associated with this situation?
- The application purchases did not follow procurement policy.
- The applications may not reasonably protect data.
- The applications could be modified without advance notice.
- The applications are not included in business continuity plans (BCPs).
-
Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?
- Formulas within macros
- Encryption of the spreadsheet
- Version history
- Reconciliation of key calculations
-
An algorithm in an email program analyzes traffic to quarantine emails identified as spam. The algorithm in the program is BEST characterized as which type of control?
- Corrective
- Detective
- Directive
- Preventive
-
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor’s BEST recommendation for a compensating control?
- Require written authorization for all payment transactions
- Reconcile payment transactions with invoices
- Restrict payment authorization to senior staff members
- Review payment transaction history
-
An organization is migrating its human resources (HR) application to an Infrastructure as a Service (IaaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application’s operating system?
- The organization
- The operating system vendor
- The cloud provider
- The cloud provider’s external auditor
-
Which of the following is MOST important for an IS auditor to verify during a disaster recovery audit?
- Roles and responsibilities are documented.
- Regular backups are made and stored offsite.
- The disaster recovery plan (DRP) is updated on a regular basis.
- Tabletop disaster recovery tests are conducted.
-
The use of control totals reduces the risk of:
- incomplete processing.
- improper backup.
- posting to the wrong record.
- improper authorization.
-
For an organization which uses a VoIP telephony system exclusively, the GREATEST concern associated with leaving a connected telephone in an unmonitored public area is the possibility of:
- connectivity issues when used with an analog local exchange carrier
- unauthorized use leading to theft of services and financial loss
- network compromise due to the introduction of malware
- theft or destruction of an expensive piece of electronic equipment
-
Which of the following provides nonrepudiation in an electronic communication session without confidentiality?
- Message encryption
- Log-on ID and password
- Certification authority
- Digital signature
-
Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?
- System performance may be impacted by the migration.
- Records past their retention period may not be migrated to the new system.
- Data from the source and target system may have different data formats.
- Data from the source and target system may be intercepted.
-
When responding to an ongoing denial of service (DoS) attack, an organization’s FIRST course of action should be to:
- restore service
- minimize impact
- analyze the attack path
- investigate damage
-
Which of the following is the GREATEST risk when relying on reports generated by end-user computing?
- Data may be inaccurate
- Reports may not work efficiently
- Reports may not be timely
- Historical data may not be available