Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 98

  1. The Federal Information Processing Standards (FIPS) are primarily for use by (Choose two.):

    • all non-military government agencies
    • US government contractors
    • all military government agencies
    • all private and public colleges in the US
    • None of the choices.

    Explanation: 
    Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States Federal government for use by all nonmilitary government agencies and by government contractors. Many FIPS standards are modified versions of standards used in the wider community.

  2. Sophisticated database systems provide many layers and types of security, including (Choose three.):

    • Access control
    • Auditing
    • Encryption
    • Integrity controls
    • Compression controls

    Explanation:
    Sophisticated database systems provide many layers and types of security, including Access control, Auditing, Authentication, Encryption and Integrity controls. An important procedure when evaluating database security is performing vulnerability assessments against the database. Database administrators or Information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above along with known vulnerabilities within the database software.

  3. Which of the following refers to an important procedure when evaluating database security?

    • performing vulnerability assessments against the database.
    • performing data check against the database.
    • performing dictionary check against the database.
    • performing capacity check against the database system.
    • None of the choices.

    Explanation:
    Databases provide many layers and types of security, including Access control, Auditing, Authentication, Encryption and Integrity controls. An important procedure when evaluating database security is performing vulnerability assessments against the database. Database administrators or Information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above along with known vulnerabilities within the database software.

  4. Which of the following refers to any authentication protocol that requires two independent ways to establish identity and privileges?

    • Strong-factor authentication
    • Two-factor authentication
    • Dual-password authentication
    • Two-passphrases authentication
    • Dual-keys authentication
    • Rich-factor authentication

    Explanation:
    Two-factor authentication (T-FA) refers to any authentication protocol that requires two independent ways to establish identity and privileges. Common implementations of two-factor authentication use ‘something you know’ as one of the two factors, and use either ‘something you have’ or ‘something you are’ as the other factor. In fact, using more than one factor is also called strong authentication. On the other hand, using just one factor is considered by some to be weak authentication.

  5. Common implementations of strong authentication may use which of the following factors in their authentication efforts (Choose three.):

    • ‘something you know’
    • ‘something you have’
    • ‘something you are’
    • ‘something you have done in the past on this same system’
    • ‘something you have installed on this same system’
    • None of the choices.

    Explanation:
    Two-factor authentication (T-FA) refers to any authentication protocol that requires two independent ways to establish identity and privileges. Common implementations of two-factor authentication use ‘something you know’ as one of the two factors, and use either ‘something you have’ or ‘something you are’ as the other factor. In fact, using more than one factor is also called strong authentication. On the other hand, using just one factor is considered by some to be weak authentication.

  6. Effective transactional controls are often capable of offering which of the following benefits (Choose four.):

    • reduced administrative and material costs
    • shortened contract cycle times
    • enhanced procurement decisions
    • diminished legal risk
    • None of the choices.

    Explanation:
    Transactional systems provide a baseline necessary to measure and monitor contract performance and provide a method for appraising efficiency against possible areas of exposure. Effective transactional controls reduce administrative and material costs, shorten contract cycle times, enhance procurement decisions, and diminish legal risk.

  7. In the context of physical access control, what is known as the process of verifying user identities?

    • Authentication
    • Authorization
    • Accounting
    • Encryption
    • Compression
    • None of the choices.

    Explanation:
    Authentication is the process of verifying a user’s claimed identity. It is based on at least one of these three factors: Something you know, Something you have, or Something you are.

  8. Physical access controls are usually implemented based on which of the following means (Choose two.):

    • mechanical locks
    • guards
    • operating systems
    • transaction applications
    • None of the choices.

    Explanation:
    In physical security, access control refers to the practice of restricting entrance to authorized persons. Human means of enforcement include guards, bouncers, receptionists, etc. Mechanical means may include locks and keys.

  9. Fault-tolerance is a feature particularly sought-after in which of the following kinds of computer systems:

    • desktop systems
    • laptop systems
    • handheld PDAs
    • business-critical systems
    • None of the choices.

    Explanation:
    Fault tolerance enables a system to continue operating properly in the event of the failure of some of its parts. It avoids total breakdown and is particularly sought after in high-availability environments full of business-critical systems.

  10. The technique of rummaging through commercial trash to collect useful business information is known as:

    • Information diving
    • Intelligence diving
    • Identity diving
    • System diving
    • Program diving
    • None of the choices.

    Explanation:
    Dumpster diving, in the form of information diving, describes the practice of rummaging through commercial trash to find useful information such as files, letters, memos, passwords, etc.

  11. Which of the following refers to a primary component of corporate risk management with the goal of minimizing the risk of prosecution for software piracy due to use of unlicensed software?

    • Software audit
    • System audit
    • Application System audit
    • Test audit
    • Mainframe audit
    • None of the choices.

    Explanation:
    Software audits are a component of corporate risk management, with the goal of minimizing the risk of prosecution for software piracy due to use of unlicensed software. From time to time internal or external audits may take a forensic approach to establish what is installed on the computers in an organization, with the purpose of ensuring that it is all legal and authorized and that its processing of transactions or events is correct.

  12. In a security server audit, focus should be placed on (Choose two.):

    • proper segregation of duties
    • adequate user training
    • continuous and accurate audit trail
    • proper application licensing
    • system stability
    • performance and controls of the system
    • None of the choices.

  13. The purpose of a mainframe audit is to provide assurance that processes are being implemented as required, the mainframe is operating as it should, security is strong, and that procedures in place are working and are updated as needed. The auditor may accordingly make recommendations for improvement. Which of the following types of audit always takes high priority over the others? (Choose five.)

    • System audit
    • Application audit
    • Software audit
    • License audit
    • Security server audit
    • None of the choices.

  14. Talking about application system audits, focus should always be placed on (Choose five.):

    • performance and controls of the system
    • the ability to limit unauthorized access and manipulation
    • input data are processed correctly
    • output data are processed correctly
    • changes to the system are properly authorized
    • None of the choices.

    Explanation:
    Talking about application system audits, focus should be placed on the performance and controls of the system, its ability to limit unauthorized access and manipulation, that input and output of data are processed correctly on the system, that any changes to the system are authorized, and that users have access to the system.

  15. A successful risk-based IT audit program should be based on:

    • an effective scoring system.
    • an effective PERT diagram.
    • an effective departmental brainstorm session.
    • an effective organization-wide brainstorm session.
    • an effective yearly budget.
    • None of the choices.

    Explanation:
    A successful risk-based IT audit program could be based on an effective scoring system. In establishing a scoring system, management should consider all relevant risk factors and avoid subjectivity. Auditors should develop written guidelines on the use of risk assessment tools and risk factors and review these guidelines with the audit committee.

  16. The use of risk assessment tools for classifying risk factors should be formalized in your IT audit effort through:

    • the use of risk controls.
    • the use of computer assisted functions.
    • using computer assisted audit technology tools.
    • the development of written guidelines.
    • None of the choices.

    Explanation:
    A successful risk-based IT audit program could be based on an effective scoring system. In establishing a scoring system, management should consider all relevant risk factors and avoid subjectivity. Auditors should develop written guidelines on the use of risk assessment tools and risk factors and review these guidelines with the audit committee.

  17. Which of the following correctly describes the purpose of an Electronic data processing audit?

    • to collect and evaluate evidence of an organization’s information systems, practices, and operations.
    • to ensure document validity.
    • to verify data accuracy.
    • to collect and evaluate benefits brought by an organization’s information systems to its bottom line.
    • None of the choices.

    Explanation:
    An Electronic data processing (EDP) audit is an IT audit. It is the process of collecting and evaluating evidence of an organization’s information systems, practices, and operations.

  18. What should be done to determine the appropriate level of audit coverage for an organization’s IT environment?

    • determine the company’s quarterly budget requirement.
    • define an effective assessment methodology.
    • calculate the company’s yearly budget requirement.
    • define an effective system upgrade methodology.
    • define an effective network implementation methodology.

    Explanation:
    To determine the appropriate level of audit coverage for the organization’s IT environment, you must define an effective assessment methodology and provide objective information to prioritize the allocation of audit resources properly.

  19. IS audits should be selected through a risk analysis process to concentrate on:

    • those areas of greatest risk and opportunity for improvements.
    • those areas of least risk and opportunity for improvements.
    • those areas of the greatest financial value.
    • areas led by the key people of the organization.
    • random events.
    • irregular events.

    Explanation:
    Audits are typically selected through a risk analysis process to concentrate on those areas of greatest risk and opportunity for improvements. Audit topics are supposed to be chosen based on potential for cost savings and service improvements.

  20. Your final audit report should be issued:

    • after an agreement on the observations is reached.
    • before an agreement on the observations is reached.
    • if an agreement on the observations cannot be reached.
    • without mentioning the observations.
    • None of the choices.

    Explanation:
    Reporting can take the form of a verbal presentation, an issue paper or a written audit report summarizing observations and management’s responses. After agreement is reached on the observations, a final report can be issued.