Black Friday Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sale65best

examstrack slider

Master the Isaca CISA Exam: Essential Study Tips and Strategies

Questions 251

An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

Options:

A.

structured query language (SQL) injection

B.

buffer overflow.

C.

denial of service (DoS).

D.

phishing.

Buy Now
Questions 252

Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?

Options:

A.

Detective control

B.

Preventive control

C.

Directive control

D.

Corrective control

Buy Now
Questions 253

An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's

GREATEST concern?

Options:

A.

User access rights have not been periodically reviewed by the client.

B.

Payroll processing costs have not been included in the IT budget.

C.

The third-party contract has not been reviewed by the legal department.

D.

The third-party contract does not comply with the vendor management policy.

Buy Now
Questions 254

An IS auditor learns that an organization's business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor's BEST course of action?

Options:

A.

Determine whether the business impact analysis (BIA) is current with the organization's structure and context.

B.

Determine the types of technologies used at the plant and how they may affect the BCP.

C.

Perform testing to determine the impact to the recovery time objective (R TO).

D.

Assess the risk to operations from the closing of the plant.

Buy Now
Questions 255

Which of the following should be identified FIRST during the risk assessment process?

Options:

A.

Vulnerability to threats

B.

Existing controls

C.

Information assets

D.

Legal requirements

Buy Now
Questions 256

Which of the following would be MOST effective in detecting the presence of an unauthorized wireless access point on an internal network?

Options:

A.

Continuous network monitoring

B.

Periodic network vulnerability assessments

C.

Review of electronic access logs

D.

Physical security reviews

Buy Now
Questions 257

Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?

Options:

A.

Performing a cyber resilience test

B.

Performing a full interruption test

C.

Performing a tabletop test

D.

Performing a parallel test

Buy Now
Questions 258

IT governance should be driven by:

Options:

A.

business unit initiatives.

B.

balanced scorecards.

C.

policies and standards.

D.

organizational strategies.

Buy Now
Questions 259

Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?

Options:

A.

Establish the timing of testing.

B.

Identify milestones.

C.

Determine the test reporting

D.

Establish the rules of engagement.

Buy Now
Questions 260

During a pre-deployment assessment, what is the BEST indication that a business case will lead to the achievement of business objectives?

Options:

A.

The business case reflects stakeholder requirements.

B.

The business case is based on a proven methodology.

C.

The business case passed a quality review by an independent party.

D.

The business case identifies specific plans for cost allocation.

Buy Now
Questions 261

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

Options:

A.

Target architecture is defined at a technical level.

B.

The previous year's IT strategic goals were not achieved.

C.

Strategic IT goals are derived solely from the latest market trends.

D.

Financial estimates of new initiatives are disclosed within the document.

Buy Now
Questions 262

Which of the following should be given GREATEST consideration when implementing the use of an open-source product?

Options:

A.

Support

B.

Performance

C.

Confidentiality

D.

Usability

Buy Now
Questions 263

A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?

Options:

A.

Installing security cameras at the doors

B.

Changing to a biometric access control system

C.

Implementing a monitored mantrap at entrance and exit points

D.

Requiring two-factor authentication at entrance and exit points

Buy Now
Questions 264

During the review of a system disruption incident, an IS auditor notes that IT support staff were put in a position to make decisions beyond their level of authority.

Which of the following is the BEST recommendation to help prevent this situation in the future?

Options:

A.

Introduce escalation protocols.

B.

Develop a competency matrix.

C.

Implement fallback options.

D.

Enable an emergency access ID.

Buy Now
Questions 265

Which of the following provides the BEST evidence of the validity and integrity of logs in an organization's security information and event management (SIEM) system?

Options:

A.

Compliance testing

B.

Stop-or-go sampling

C.

Substantive testing

D.

Variable sampling

Buy Now
Questions 266

During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. Which of the following is the BEST course of action in this situation?

Options:

A.

Outsource low-risk audits to external audit service providers.

B.

Conduct limited-scope audits of low-risk business entities.

C.

Validate the low-risk entity ratings and apply professional judgment.

D.

Challenge the risk rating and include the low-risk entities in the plan.

Buy Now
Questions 267

To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?

Options:

A.

Recipient's public key

B.

Sender's private key

C.

Sender's public key

D.

Recipient's private key

Buy Now
Questions 268

When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?

Options:

A.

Systems design and architecture

B.

Software selection and acquisition

C.

User acceptance testing (UAT)

D.

Requirements definition

Buy Now
Questions 269

An organization that operates an e-commerce website wants to provide continuous service to its customers and is planning to invest in a hot site due to service criticality. Which of the following is the MOST important consideration when making this decision?

Options:

A.

Maximum tolerable downtime (MTD)

B.

Recovery time objective (RTO)

C.

Recovery point objective (RPO)

D.

Mean time to repair (MTTR)

Buy Now
Questions 270

Which of the following metrics is the BEST indicator of the performance of a web application

Options:

A.

HTTP server error rate

B.

Server thread count

C.

Average response time

D.

Server uptime

Buy Now
Questions 271

Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:

Options:

A.

eliminated

B.

unchanged

C.

increased

D.

reduced

Buy Now
Questions 272

Which of the following physical controls provides the GREATEST assurance that only authorized individuals can access a data center?

Options:

A.

The data center is patrolled by a security guard.

B.

Access to the data center is monitored by video cameras.

C.

ID badges must be displayed before access is granted

D.

Access to the data center is controlled by a mantrap.

Buy Now
Questions 273

Which of the following BEST contributes to the quality of an audit of a business-critical application?

Options:

A.

Assigning the audit to independent external auditors

B.

Reviewing previous findings reported by the application owner

C.

Identifying common coding errors made by the development team

D.

Involving the application owner early in the audit planning process

Buy Now
Questions 274

Several unattended laptops containing sensitive customer data were stolen from personnel offices Which of the following would be an IS auditor's BEST recommendation to protect data in case of recurrence?

Options:

A.

Encrypt the disk drive.

B.

Require two-factor authentication

C.

Enhance physical security

D.

Require the use of cable locks

Buy Now
Questions 275

An IS auditor is verifying the adequacy of an organization's internal controls and is concerned about potential circumvention of regulations. Which of the following is the BEST sampling method to use?

Options:

A.

Variable sampling

B.

Random sampling

C.

Cluster sampling

D.

Attribute sampling

Buy Now
Questions 276

An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?

Options:

A.

Computer-assisted technique

B.

Stratified sampling

C.

Statistical sampling

D.

Process walk-through

Buy Now
Questions 277

An IS auditor is planning an audit of an organization's risk management practices. Which of the following would provide the MOST useful information about

risk appetite?

Options:

A.

Risk policies

B.

Risk assessments

C.

Prior audit reports

D.

Management assertion

Buy Now
Questions 278

Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?

Options:

A.

Hash totals

B.

Online review of description

C.

Comparison to historical order pattern

D.

Self-checking digit

Buy Now
Questions 279

An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Review the list of end users and evaluate for authorization.

B.

Report this control process weakness to senior management.

C.

Verify managements approval for this exemption

D.

Obtain a verbal confirmation from IT for this exemption.

Buy Now
Questions 280

An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?

Options:

A.

Document the findings in the audit report.

B.

Identify who approved the policies.

C.

Escalate the situation to the lead auditor.

D.

Communicate the observation to the auditee.

Buy Now
Questions 281

During planning for a cloud service audit, audit management becomes aware that the assigned IS auditor is unfamiliar with the technologies in use and their associated risks to the business. To ensure audit quality, which of the following actions should audit management consider FIRST?

Options:

A.

Conduct a follow-up audit after a suitable period has elapsed.

B.

Reschedule the audit assignment for the next financial year.

C.

Reassign the audit to an internal audit subject matter expert.

D.

Extend the duration of the audit to give the auditor more time.

Buy Now
Questions 282

Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?

Options:

A.

Any information assets transmitted over a public network must be approved by executive management.

B.

All information assets must be encrypted when stored on the organization's systems.

C.

Information assets should only be accessed by persons with a justified need.

D.

All information assets will be assigned a clearly defined level to facilitate proper employee handling.

Buy Now
Questions 283

Which of the following is the MAIN responsibility of the IT steering committee?

Options:

A.

Reviewing and assisting with IT strategy integration efforts

B.

Developing and assessing the IT security strategy

C.

Implementing processes to integrate security with business objectives

D.

Developing and implementing the secure system development framework

Buy Now
Questions 284

Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

Options:

A.

The method relies exclusively on the use of public key infrastructure (PKI).

B.

The method relies exclusively on the use of digital signatures.

C.

The method relies exclusively on the use of asymmetric encryption algorithms.

D.

The method relies exclusively on the use of 128-bit encryption.

Buy Now
Questions 285

Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?

Options:

A.

Conduct a data inventory and classification exercise.

B.

Identify approved data workflows across the enterprise_

C.

Conduct a threat analysis against sensitive data usage.

D.

Create the DLP policies and templates

Buy Now
Questions 286

Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?

Options:

A.

Periodic reporting of cybersecurity incidents to key stakeholders

B.

Periodic update of incident response process documentation

C.

Periodic cybersecurity training for staff involved in incident response

D.

Periodic tabletop exercises involving key stakeholders

Buy Now
Questions 287

The use of which of the following would BEST enhance a process improvement program?

Options:

A.

Model-based design notations

B.

Balanced scorecard

C.

Capability maturity models

D.

Project management methodologies

Buy Now
Questions 288

Retention periods and conditions for the destruction of personal data should be determined by the.

Options:

A.

risk manager.

B.

database administrator (DBA).

C.

privacy manager.

D.

business owner.

Buy Now
Questions 289

An IS auditor reviewing incident response management processes notices that resolution times for reoccurring incidents have not shown improvement. Which of the following is the auditor's BEST recommendation?

Options:

A.

Harden IT system and application components based on best practices.

B.

Incorporate a security information and event management (SIEM) system into incident response

C.

Implement a survey to determine future incident response training needs.

D.

Introduce problem management into incident response.

Buy Now
Questions 290

Which of the following BEST demonstrates to senior management and the board that an audit function is compliant with standards and the code of ethics?

Options:

A.

Audit staff interviews

B.

Quality control reviews

C.

Control self-assessments (CSAs)

D.

Corrective action plans

Buy Now
Questions 291

Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?

Options:

A.

Purchase requisitions and purchase orders

B.

Invoices and reconciliations

C.

Vendor selection and statements of work

D.

Good receipts and payments

Buy Now
Questions 292

Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?

Options:

A.

It demonstrates the maturity of the incident response program.

B.

It reduces the likelihood of an incident occurring.

C.

It identifies deficiencies in the operating environment.

D.

It increases confidence in the team's response readiness.

Buy Now
Questions 293

In a large organization, IT deadlines on important projects have been missed because IT resources are not prioritized properly. Which of the following is the BEST recommendation to address this problem?

Options:

A.

Revisit the IT strategic plan.

B.

Implement project portfolio management.

C.

Implement an integrated resource management system.

D.

Implement a comprehensive project scorecard.

Buy Now
Questions 294

Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster''

Options:

A.

Use an electronic vault for incremental backups

B.

Deploy a fully automated backup maintenance system.

C.

Periodically test backups stored in a remote location

D.

Use both tape and disk backup systems

Buy Now
Questions 295

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Options:

A.

Limiting access to the data files based on frequency of use

B.

Obtaining formal agreement by users to comply with the data classification policy

C.

Applying access controls determined by the data owner

D.

Using scripted access control lists to prevent unauthorized access to the server

Buy Now
Questions 296

Which of the following provides the BEST providence that outsourced provider services are being properly managed?

Options:

A.

The service level agreement (SLA) includes penalties for non-performance.

B.

Adequate action is taken for noncompliance with the service level agreement (SLA).

C.

The vendor provides historical data to demonstrate its performance.

D.

Internal performance standards align with corporate strategy.

Buy Now
Questions 297

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Options:

A.

Apply single sign-on for access control

B.

Implement segregation of duties.

C.

Enforce an internal data access policy.

D.

Enforce the use of digital signatures.

Buy Now
Questions 298

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

Options:

A.

Prepare detailed plans for each business function.

B.

Involve staff at all levels in periodic paper walk-through exercises.

C.

Regularly update business impact assessments.

D.

Make senior managers responsible for their plan sections.

Buy Now
Questions 299

Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

Options:

A.

Temperature sensors

B.

Humidity sensors

C.

Water sensors

D.

Air pressure sensors

Buy Now
Questions 300

An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that

Options:

A.

security parameters are set in accordance with the manufacturer s standards.

B.

a detailed business case was formally approved prior to the purchase.

C.

security parameters are set in accordance with the organization's policies.

D.

the procurement project invited lenders from at least three different suppliers.

Buy Now