CISA Final Assessment 2

An IT balanced scorecard is the MOST effective means of monitoring:

change management effectiveness.
return on investment (ROI).
governance of enterprise IT.
control effectiveness.

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor’s BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

the organization's web server.
the demilitarized zone (DMZ).
the Internet.
the organization's network.

An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?

Administrative security can be provided for the client.
System administration can be better managed.
The security of the desktop PC is enhanced.
Desktop application software will never have to be upgraded.

Which of the following is MOST important for an IS auditor to look for in a project feasibility study?

An assessment indicating the benefits will exceed the investment
An assessment indicating security controls will operate effectively
An assessment of whether the expected benefits can be achieved
An assessment of whether requirements will be fully met

An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization’s RACI chart. Which of the following roles within the chart would provide this information?

Accountable
Consulted
Responsible
Informed

Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?

The deployment project experienced significant overruns, exceeding budget projections.
The new system has capacity issues, leading to slow response times for users.
Data is not converted correctly, resulting in inaccurate patient records.
Staff were not involved in the procurement process, creating user resistance to the new system.

During an audit of a multinational bank’s disposal process, an IS auditor notes several findings. Which of the following should be the auditor’s GREATEST concern?

Backup media are not reviewed before disposal.
Degaussing is used instead of physical shredding.
Backup media are disposed before the end of the retention period.
Hardware is not destroyed by a certified vendor.

Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?

The work is separated into phases.
The work is separated into sprints.
Project milestones are created.
Project segments are established.

Which of the following would MOST effectively help to reduce the number of repeated incidents in an organization?

Linking incidents to problem management activities
Training incident management teams on current incident trends
Prioritizing incidents after impact assessment
Testing incident response plans with a wide range of scenarios

An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?

Implement policies addressing acceptable usage of social media during working hours.
Adjust budget for network usage to include social media usage.
Implement a process to actively monitor postings on social networking sites.
Use data loss prevention (DLP) tools on endpoints.

An organization’s software developers need access to personally identifiable information (PII) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

Data masking
Data encryption
Data tokenization
Data abstraction

Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

The organization is using a cloud-hosted scanning tool for identification of vulnerabilities.
Vulnerability scanning results are reported to the CISO.
Access to the vulnerability scanning tool is periodically reviewed.
The organization's systems inventory is kept up to date.

Which of the following is the BEST evidence that an organization’s IT strategy is aligned to its business objectives?

The IT strategy has significant impact on the business strategy.
The IT strategy is modified in response to organizational changes.
The IT strategy is based on IT operational best practices.
The IT strategy is approved by executive management.

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

Previous audit coverage and scope
Organizational risk assessment
Prior year's audit findings
Senior management's request

Which of the following is the BEST method to safeguard data on an organization’s laptop computers?

Two-factor authentication
Full disk encryption
Disabled USB ports
Biometric access control

Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?

Processes for on-boarding and off-boarding users to the platform
Processes for reviewing administrator activity
Types of data that can be uploaded to the platform
Role-based access control policies

A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor’s BEST recommendation to facilitate compliance with the regulation?

Include the requirement in the incident management response plan.
Enhance the alert functionality of the intrusion detection system (IDS).
Engage an external security incident response expert for incident handling.
Establish key performance indicators (KPIs) for timely identification of security incidents.

A finance group recently implemented new technologies and processes. Which type of IS audit would provide the GREATEST level of assurance that the department’s objectives have been met?

Financial audit
Performance audit
Integrated audit
Cyber audit

Which of the following is the BEST way to verify the effectiveness of a data restoration process?

Performing periodic reviews of physical access to backup media
Validating offline backups using software utilities
Reviewing and updating data restoration policies annually
Performing periodic complete data restorations

Which of the following would BEST help to support an auditor’s conclusion about the effectiveness of an implemented data classification program?

Access rights provisioned according to scheme
Detailed data classification scheme
Purchase of information management tools
Business use cases and scenarios

An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor’s
BEST course of action?

Determine exposure to the business.
Increase monitoring for security incidents.
Hire a third party to perform security testing.
Adjust future testing activities accordingly.

A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed. Which of the following is the MOST important requirement to include in the vendor contract to ensure continuity?

Source code for the software must be placed in escrow.
Continuous 24/7 support must be available.
The vendor must have a documented disaster recovery plan (DRP) in place.
The vendor must train the organization's staff to manage the new software.

An auditee disagrees with a recommendation for corrective action that appears in the draft engagement report. Which of the following is the IS auditor’s BEST course of action when preparing the final report?

Come to an agreement prior to issuing the final report.
Ensure the auditee's comments are included in the working papers.
Exclude the disputed recommendation from the final engagement report.
Include the position supported by senior management in the final engagement report.

Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?

Emergency change records
Penetration test results
IT security incidents
Server room access history

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Ensure compliance with the data classification policy.
Reduce the risk of data leakage that could lead to an attack.
Comply with business continuity best practice.
Protect the plan from unauthorized alteration.

A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

Emergency support
System administration
IT operator
Database administration

Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?

Provide ongoing information security awareness training.
Establish behavioral analytics monitoring.
Review perimeter firewall logs.
Implement data loss prevention (DLP) software

What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

To identify areas with relatively high probability of material problems
To help ensure maximum use of audit resources during the engagement
To help prioritize and schedule auditee meetings
To address the overall risk associated with the activity under review

Which of the following should be the IS auditor’s PRIMARY focus when evaluating an organization’s offsite storage facility?

Adequacy of physical and environmental controls
Results of business continuity plan (BCP) tests
Shared facilities
Retention policy and period

Which of the following is an example of a preventative control in an accounts payable system?

Backups of the system and its data are performed on a nightly basis and tested periodically.
Policies and procedures are clearly communicated to all members of the accounts payable department.
The system only allows payments to vendors who are included in the system's master vendor list.
The system produces daily payment summary reports that staff use to compare against invoice totals.

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

An operational level agreement (OLA) was not negotiated.
Software escrow was not negotiated.
The contract does not contain a right-to-audit clause.
Several vendor deliverables missed the commitment date.

Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster?

Use both tape and disk backup systems.
Deploy a fully automated backup maintenance system.
Use an electronic vault for incremental backups.
Periodically test backups stored in a remote location.

An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:

assess IT functions and processes.
indicate whether the organization meets quality standards.
train and educate IT staff.
ensure that IT staff meet performance requirements.

Which of the following would be the BEST process for continuous auditing in a large financial institution?

Validating performance of help desk metrics
Testing encryption standards on the disaster recovery system
Performing parallel testing between systems
Validating access controls for real time data systems

Which of the following occurs during the issues management process for a system development project?

Configuration management
Help desk management
Contingency planning
Impact assessment

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?

Implement annual third-party audits.
Require executive management to draft IT strategy.
Benchmark organizational performance against industry peers.
Implement key performance indicators (KPIs).

An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business. The auditor’s PRIMARY concern would be:

failure to maximize the use of equipment.
unanticipated increase in business's capacity needs.
cost of excessive data center storage capacity.
impact to future business project funding.

From an IS auditor’s perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

Inability to determine the cost of deployed software
Inability to close unused ports on critical servers
Inability to identify unused licenses within the organization
Inability to deploy updated security patches

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor’s NEXT course of action?

Report the security posture of the organization.
Determine the risk of not replacing the firewall.
Report the mitigating controls.
Determine the value of the firewall.

A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor’s GREATEST concern?

The replacement is occurring near year-end reporting.
Data migration is not part of the contracted activities.
Testing was performed by the third-party consultant.
The user department will manage access rights.

Which of the following techniques provides the BEST assurance of server availability over time?

Analyzing logs in the server administration console
Reviewing reported downtime from users
Evaluating downtime based on planned outages
Manually pinging the server on a daily basis

Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?

Average the business units' IT risk levels.
Identify the highest-rated IT risk level among the business units.
Establish a global IT risk scoring criteria.
Prioritize the organization's IT risk scenarios.

In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

Restrict access to changes in the extract/transfer/load (ETL) process between the two systems
Include the data warehouse m the impact analysis for any changes in the source system
Configure data quality alerts to check variances between the data warehouse and the source system
Require approval for changes in the extract/transfer/load (ETL) process between the two systems

Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

Media shredding policy
Media recycling policy
Media sanitization policy
Media labeling policy

Which of the following is MOST helpful for measuring benefits realization for a new system?

Balanced scorecard review
Post-implantation review
Business impact analysis (BIA)
Function point analysts

Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of on e-commerce application system’s edit routine?

Review of program documentation
Review of source code
Use of test transactions
Interviews with knowledgeable users

An IT balanced scorecard is PRIMARILY used for:

monitoring risk in IT-related processes.
measuring IT strategic performance.
evaluating the IT project portfolio.
allocating IT budget and resources.

Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization’s information cannot be accessed?

Re-partitioning
Degaussing
Formatting
Data wiping

Which of the following is the BEST indication of effective IT investment management?

IT investments are mapped to specific business objectives.
The IT investment budget is significantly below industry benchmarks.
IT investments are implemented and monitored following a system development life cycle (SDLC).
Key performance indicators (KPIs) are defined for each business requiring IT investment.

Which of the following is MOST important with regard to an application development acceptance test?

User management approves the test design before the test is started.
All data files are tested for valid information before conversion.
The quality assurance (QA) team is in charge of the testing process.
The programming team is involved in the testing process.

Which of the following should be an IS auditor’s GREATEST concern when an international organization intends to roll out a global data privacy policy?

Requirements may become unreasonable.
Local management may not accept the policy.
Local regulations may contradict the policy.
The policy may conflict with existing application requirements.

An IS auditor is conducting a physical security audit of a healthcare facility and finds closed-circuit television (CCTV) systems located in a patient care area. Which of the following is the GREATEST concern?

There are no notices indicating recording is in progress.
Cameras are not monitored 24/7.
There are no backups of the videos.
The retention period for video recordings is undefined.

Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization’s security policy?

Reviewing the system log
Reviewing the actual procedures
Reviewing the parameter settings
Interviewing the firewall administrator

Which of the following would BEST indicate the effectiveness of a security awareness training program?

Employee satisfaction with training
Reduced unintentional violations
Results of third-party social engineering tests
Increased number of employees completing training

An organization recently migrated its data warehouse from a legacy system to a different architecture in the cloud. Which of the following should be GREATEST concern to the IS auditor reviewing the new data architecture?

The cloud data warehouse uses a hybrid cloud architecture.
There is increased latency in the data source synchronization to the cloud data warehouse.
The migration analyst is not fully trained on the new tools.
The data was not cleansed before moving from the source to the cloud data warehouse.

Which of the following is the BEST means of defense against social engineering attacks?

Controlling access to confidential and sensitive information
Performing background checks on all employees
Conducting ongoing security awareness training
Installing antivirus and anti-spyware software

The FIRST step in auditing a data communication system is to determine:

physical security for network equipment.
business use and types of messages to be transmitted.
traffic volumes and response-time criteria.
the level of redundancy in the various communication paths.

Which of the following is the BEST indicator to measure service quality of change and incident management processes outsourced to an external provider?

Total number of resolved service requests
Average wait time for service request resolution
Total number of reopened service requests
Percentage of requests resolved within the service level agreement (SLA)

For the implementation of a program change in a production environment, the MOST important approval required is from:

the security administrator
the project manager
user management
IS management

An organization that has decided to approve the use of end-user computing (EUC) should FIRST ensure:

an EUC policy is developed.
EUC controls are reviewed.
a business impact analysis (BIA) is conducted.
EUC use cases are assessed and documented.

During a vendor management database audit, an IS auditor identifies multiple instances of duplicate vendor records. In order to prevent recurrence of the same issue, which of the following is the IS auditor’s BEST recommendation to management?

Run system reports of full vendor listings periodically to identify duplication
Perform system verification checks for unique data values on key fields
Request senior management approval of all new vendor details.
Build a segregation of duties control into the vendor creation process.

An organization is modernizing its technology policy framework to demonstrate compliance with external industry standards. Which of the following would be MOST useful to an IS auditor for validating the outcome?

Mapping of relevant standards against the organization's controls
Inventory of the organization's approved policy exceptions
Policy recommendations from a leading external consulting agency
Benchmarking of internal standards against peer organizations

Which of the following system implementation approaches allows for the LONGEST overlap period between the old and new systems?

Phased
Modular
Pilot
Parallel

Which of the following provides the BEST assurance that a new process for purging transactions does not have a detrimental impact on the integrity of the database?

Reviewing the entity relationship diagram of the database
Reviewing results of the process in a test environment
Assessing the design of triggers
Analyzing the database structure

The MOST critical security weakness of a packet level firewall is that it can be circumvented by:

deciphering the signature information of the packets
using a dictionary attack of encrypted passwords
intercepting packets and viewing passwords sent in clear text
changing the source address on incoming packets

Which of the following should be the FIRST step when conducting an IT risk assessment?

Assess vulnerabilities
Evaluate controls in place
Identify assets to be protected
Identify potential threats

Which of the following BEST enables alignment of IT with business objectives?

Benchmarking against peer organizations
Completing an IT risk assessment
Developing key performance indicators (KPIs)
Leveraging an IT governance framework

At the end of each business day, a business-critical application generates a report of financial transactions greater than a certain value, and an employee then checks these transactions for errors. What type of control is in place?

Deterrent
Preventive
Corrective
Detective

A data center’s physical access log system captures each visitor’s identification document numbers along with the visitor’s photo. Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?

Attribute sampling
Quota sampling
Variable sampling
Haphazard sampling

Which of the following BEST enables an organization to determine the priority of applications to be recovered in the event of a disaster?

Business impact analysis (BIA)
Return on investment (ROI) analysis
Threat analysis
Legal and regulatory needs analysis

Which of the following methods would BEST ensure that IT strategy is in line with business strategy?

Break-even point analysis
Business impact analysis (BIA)
Critical path analysis
IT value analysis

Which of the following has the GREATEST potential impact on the independence of an IS auditor?

Prior experience in IS audit
Prior relationship with vendors
Prior knowledge of technology
Prior job responsibilities

Which of the following should an IS auditor do FIRST when assessing the level of compliance for an organization in the banking industry?

Review internal documentation to evaluate adherence to external requirements.
Confirm there are procedures in place to ensure organizational agreements address legal requirements
Determine whether the organization has established benchmarks against industry peers for compliance.
Identify industry-specific requirements that apply to the organization.

Which of the following is the MOST effective control to mitigate against the risk of inappropriate activity by employees?

Two-factor authentication
Network segmentation
User activity monitoring
Access recertification

Which of the following is MOST important for an IS auditor to test when reviewing market data received from external providers?

Data transformation configurations
Data loading controls
Data quality controls
Data encryption configurations

Who is PRIMARILY responsible for the design of IT controls to meet control objectives?

IT manager
Internal auditor
Business management
Risk management

Which of the following should an organization do to anticipate the effects of a disaster?

Develop a business impact analysis (BIA)
Define recovery point objectives (RPO)
Simulate a disaster recovery
Analyze capability maturity model gaps

Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?

Data leakage as a result of employees leaving to work for competitors
Physical theft of media on which information is stored
Unauthorized logical access to information through an application interface
Noncompliance fines related to storage of regulated information

Which of the following is the BEST indication to an IS auditor that management’s post-implementation review was effective?

Internal audit follow-up was completed without any findings.
Lessons learned were documented and applied.
Post-implementation review is a formal phase in the system development life cycle (SDLC).
Business and IT stakeholders participated in the post-implementation review.

Which of the following provides the MOST reliable method of preventing unauthorized logon?

Limiting after-hours usage
Reinforcing current security policies
Issuing authentication tokens
Installing an automatic password generator

When designing a data analytics process, which of the following should be the stakeholder’s role in automating data extraction and validation?

Allocating the resources necessary to purchase the appropriate software packages
Indicating which data elements are necessary to make informed decisions
Designing the workflow necessary for the data analytics tool to evaluate the appropriate data
Performing the business case analysis for the data analytics initiative

An organization has an acceptable use policy in place, but users do not formally acknowledge the policy. Which of the following is the MOST significant risk from this finding?

Violation of industry standards
Lack of data for measuring compliance
Noncompliance with documentation requirements
Lack of user accountability

Data from a system of sensors located outside of a network is received by the open ports on a server. Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?

Implement network address translation on the sensor system
Route the traffic from the sensor system through a proxy server.
Transmit the sensor data via a virtual private network (VPN) to the server
Hash the data that is transmitted from the sensor system

The PRIMARY benefit of a risk-based audit methodology is to:

identify key controls
understand business processes
reduce audit scope
prioritize audit resources

Which of the following is MOST helpful to an IS auditor when assessing the effectiveness of controls?

Interviews with management
A control self-assessment (CSA)
Results of control testing
A control matrix

A bank’s transactional services are exclusively conducted online via Internet and mobile banking. Both its primary and disaster recovery sites are supported by the same Internet service provider (ISP). Which of the following is the BEST way for the bank to minimize risk in this situation?

Conduct incremental backups of transactional data every two hours.
Conduct real-time data synchronization between the primary and disaster recovery sites.
Revise the current contract to require 99.99% connection availability with the current ISP.
Establish a contractual agreement with a second ISP to cover connection to the disaster recovery site

An IS auditor notes that a mortgage origination team receives customer loan applications via a shared repository. Which of the following findings presents the GREATEST privacy risk for this process?

Shared repository lacks dual access controls
Customer data is not updated in the origination system
Loan documentation is not purged from the system
Duplicate loan applications are not flagged for attention

An IS auditor previously worked in an organization’s IT department and was involved with the design of the business continuity plan (BCP). The IS auditor has now been asked to review this same BCP. What should the auditor do FIRST?

Document the conflict in the audit report.
Report the conflict of interest to the chief compliance officer.
Communicate the conflict of interest to the audit manager.
Decline the audit assignment.

Which of the following is MOST important when evaluating the design effectiveness of multi-factor authentication?

Reviewing the physical controls related to the storage of the hardware tokens
Ensuring segregation is maintained by storing the two factors in separate databases
Determining the identification process for each factor and ensuring they are synchronized
Evaluating whether false rejection and false acceptance rates have been adequately defined

Which of the following technologies has the SMALLEST maximum range for data transmission between devices?

Wi-Fi
Bluetooth
Long-term evolution (LTE)
Near-field communication (NFC)

Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?

Periodic tabletop exercises involving key stakeholders
Periodic update of incident response process documentation
Periodic cybersecurity training for staff involved in incident response
Periodic reporting of cybersecurity incidents to key stakeholders

When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (Al) system, the IS auditor should be MOST concerned with the impact Al will have on:

future task updates.
enterprise architecture (EA).
task capacity output
employee retention

Which of the following is a core functionality of a configuration and release management system?

Identifying other configuration items that will be impacted by a given change
Identifying vulnerabilities in configuration settings
Deploying a configuration change to the sandbox environment
Managing privileged access to databases, servers, and infrastructure

In an annual audit cycle, the audit of an organization’s IT department resulted in many findings. Which of the following would be the MOST important consideration when planning the next audit?

Limiting the review to the deficient areas
Following up on the status of all recommendations
Verifying that all recommendations have been implemented
Postponing the review until all of the findings have been rectified

An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization’s wider security threat and vulnerability management program. Which of the following would BEST enable the organization to work toward improvement in this area?

Outsourcing the threat and vulnerability management function to a third party
Maintaining a catalog of vulnerabilities that may impact mission-critical systems
Using a capability maturity model to identify a path to an optimized program
Implementing security logging to enhance threat and vulnerability management

Which of the following will BEST help detect software licensing issues in a networked environment where all software is purchased and loaded by IT?

Comparing the software on each machine to the listing of software purchased
Comparing the number of individual software instances installed to the license inventory
Reviewing listings of software on each machine for known versions of unlicensed software
Reviewing reports demonstrating that metering software is not being used to access per-seat software

Which of the following would be the BEST criteria for monitoring an IT vendor’s service levels?

Performance metrics
Surprise visit to vendor
Service auditor’s report
Interview with vendor

Which of the following would be the BEST criteria for monitoring an IT vendor’s service levels?

Performance metrics
Surprise visit to vendor
Service auditor’s report
Interview with vendor

Which of the following is the PRIMARY reason for using a hash function?

To verify the integrity of data
To encrypt private keys
To create a fixed length value of a public key
To authorize the receiver of data

A sample for testing must include the 80 largest client balances and a random sample of the rest. What should the IS auditor recommend?

Query the database
Use generalized audit software
Develop an integrated test facility (ITF)
Leverage a random number generator

A bank has a combination of corporate customer accounts (higher monetary value) and small business accounts (lower monetary value) as part of online banking. Which of the following is the BEST sampling approach for an IS auditor to use for these accounts?

Unstratified mean per unit sampling
Stratified mean per unit sampling
Customer unit sampling
Difference estimation sampling

An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified. Which type of control is in place?

Directive
Detective
Compensating
Corrective

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system.

Which of the following is the IS auditor’s BEST recommendation?

Automate the transfer of data between systems as much as feasible.
Enable automatic encryption, decryption, and electronic signing of data files.
Have coders perform manual reconciliation of data between systems.
Implement software to perform automatic reconciliations of data between systems.

Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?

Implementing incident escalation procedures
Completing the incident management log
Broadcasting an emergency message
Requiring a dedicated incident response team

A disaster recovery plan (DRP) should include steps for:

negotiating contracts with disaster planning consultants
identifying application control requirements
obtaining replacement supplies
assessing and quantifying risk

The use of which of the following is an inherent risk in the application container infrastructure?

Shared data
Shared registries
Shared kernel
Host operating system

An IS auditor reviewing a job scheduling tool notices performance and reliability problems. Which of the following is MOST likely affecting the tool?

Administrator passwords do not meet organizational security and complexity requirements.
The number of support staff responsible for job scheduling has been reduced
Maintenance patches and the latest enhancement upgrades are missing
The scheduling tool was not classified as business-critical by the IT department.

Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?

The policy aligns with business goals and objectives
The policy aligns with local laws and regulations
The policy aligns with corporate policies and practices
The policy aligns with global best practices

During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor’s GREATEST concern with this situation?

Incomplete requirements
Inadequate deliverables
Unclear benefits
Unrealistic milestones

When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?

Operating system
Data backups
Decision support system
Applications

The PRIMARY reason to assign data ownership for protection of data is to establish:

reliability
traceability
accountability
authority

In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?

Design
Feasibility
Implementation
Development

Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?

The testing process can be automated to cover large groups of assets
The testing produces a lower number of false positive results
Custom-developed applications can be tested more accurately
Network bandwidth is utilized more efficiently

A CFO has requested an audit of IT capacity management due to a series of finance system slowdowns during month-end reporting. What would be MOST important to consider before including this audit in the program?

Whether the system's performance poses a significant risk to the organization
Whether stakeholders are committed to assisting with the audit
Whether system delays result in more frequent use of manual processing
Whether internal auditors have the required skills to perform the audit

An organization has introduced a capability maturity model to the system development life cycle (SDLC) to measure improvements. Which of the following is the BEST indication of successful process improvement?

Evaluation results align with defined business goals
Processes demonstrate the mitigation of inherent business risk
Evaluation results exceed process maturity benchmarks against competitors.
Process maturity reaches the highest state of process optimization

Which of the following is a concern associated with virtualization?

One host may have multiple versions of the same operating system
Performance issues with the host could impact the guest operating systems
The physical footprint of servers could decrease within the data center
Processing capacity may be shared across multiple operating systems

An organization is planning to implement a work-from-home policy that allows users to work remotely as needed. Which of the following is the BEST solution for ensuring secure remote access to corporate resources?

Virtual desktop
Virtual private network (VPN)
Multi-factor authentication
Additional firewall rules

An IS auditor is evaluating the progress of a web-based customer service application development project. Which of the following would be MOST helpful for this evaluation?

Developer status reports
Critical path analysis reports
Change management logs
Backlog consumption reports

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization’s release management processes?

Some releases are carried out with no supporting release documentation
Some releases exceeded the agreed-upon outage window.
Release documentation does not follow a consistent format for all systems.
Release management policies have not been updated in the past two years.

Which of the following management decisions presents the GREATEST risk associated with data leakage?

Staff is allowed to work remotely.
There is no requirement for desktops to be encrypted.
Security awareness training is not provided to staff.
Security policies have not been updates in the past year.

An IS auditor is reviewing an organization’s incident management processes and procedures. Which of the following observations should be the auditor’s GREATEST concern?

Ineffective incident classification
Ineffective post-incident review
Ineffective incident prioritization
Ineffective incident detection

Which of the following is the MOST important factor when an organization is developing information security policies and procedures?

Consultation with security staff
Alignment with an information security framework
Inclusion of mission and objectives
Compliance with relevant regulations

What should an IS auditor review FIRST to verify that an organization’s IT strategy is effectively implemented?

Information security procedures
The IT governance framework
Process maturity of IT general controls
The most recent audit results

Which of the following is MOST important to include in an awareness program focused on information security risk?

Social engineering attacks
Laptop theft prevention
Restricted websites
Password parameters

Which of the following is a threat to IS auditor independence?

Internal auditors recommend appropriate controls for systems in development
Internal auditors attend IT steering committee meetings.
Internal auditors design remediation plans to address control gaps identified by internal audit
Internal auditors share the audit plan and control test plans with management prior to audit commencement.

Which of the following BEST supports an organization’s efforts to reduce the impact of ransomware attacks?

Ensuring a payment method is available
Conducting periodic internal and external penetration testing
Conducting security awareness training for staff
Developing robust backup and recovery procedures

Which of the following network topologies will provide the GREATEST fault tolerance?

Star configuration
Bus configuration
Ring configuration
Mesh configuration

Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization’s newly implemented online security awareness program?

Employees do not receive immediate notification of results.
Only new employees are required to attend the program.
The timing for program updates has not been determined.
Metrics have not been established to assess training results.

Which of the following are used in a firewall to protect the entity’s internal resources?

Failover services
Remote access servers
Internet Protocol (IP) address restrictions
Secure Sockets Layers (SSLs)

Which of the following cloud capabilities BEST enables an organization to meet unexpectedly high service demand?

Flexibility
High availability
Alternate routing
Scalability

An organization has shifted from a bottom-up approach to a top-down approach in the development of IT policies. This should result in:

greater consistency across the organization
greater adherence to best practices
a more comprehensive risk assessment plan
a synthesis of existing operational policies

Which of the following methods would BEST help detect unauthorized disclosure of confidential documents sent over corporate email?

Monitoring all emails based on pre-defined criteria
Reporting all outgoing emails that are marked as confidential
Requiring all users to encrypt documents before sending
Installing firewalls on the corporate network

An organization has engaged a third party to implement an application to perform business-critical calculations. Which of the following is the MOST important process to help ensure the application provides accurate calculations?

Quality assurance (QA)
Change management
Key performance indicator (KPI) monitoring
Configuration management

Which of the following is the BEST approach to help ensure evidence from a computer forensics investigation is legally admissible?

The incident response team reviews and analyzes the evidence, and the evidence file is then securely deleted to avoid further damage.
The relevant data is extracted from system, firewall, and intrusion detection system (IDS) logs, then consolidated as evidence.
The media involved is preserved using imaging, and further analysis is performed on the image instead of the original.
The computer suspected of storing the evidence is isolated, and the incident response team is contacted for investigation.

Evaluating application development projects against a defined maturity model enables an IS auditor to determine whether:

effective security requirements have been designed
the development function’s processes are efficient
the development function follows a robust process
the development project is likely to achieve its objectives

During data conversion, data cleansing is BEST performed prior to:

load
transformation
validation
extraction

Which of the following scenarios should raise a concern about auditor independence?

The auditor used to manage the same business process at a different company.
The auditor consulted on the implementation portion of a project being audited.
The auditor attended design and development meetings to monitor progress.
The auditor has a personal relationship with an end user.

Which of the following is the BEST way for an IS auditor to determine whether an organization’s disaster recovery plan (DRP) is current?

Review critical system documentation and related recovery time objectives (RTOs).
Verify the DRP identifies appropriate staff with up-to-date contact details.
Ensure all staff is trained on business continuity.
Verify the DRP is periodically tested.

Which of the following BEST enables the authentication of an email from an untrusted network?

Secure Shell (SSH) connections
Email encryption
Digital signatures
Transport Layer Security (TLS)

When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider’s external audit report on service level management when the:

scope and methodology meet audit requirements
service provider is independently certified and accredited
report was released within the last 12 months
report confirms that service levels were not violated

Which of the following should be the GREATEST concern to an IS auditor reviewing an organization’s job scheduling practices?

Job dependencies are undefined
Job processing procedures are missing
Most jobs are run manually
Jobs are executed during working hours

Which of the following is the GREATEST benefit to an organization as a result of effective IS audit risk assessments?

Credibility with management is enhanced
The scope for future audits is established
Low-risk areas can be eliminated
Audits will be targeted to high-risk areas

A white box testing method is applicable with which of the following testing processes?

Sociability testing
Integration testing
Parallel testing
User acceptance testing (UAT)

Which of the following is the GREATEST risk related to the use of virtualized environments?

There may be increased potential for session hijacking.
There may be insufficient processing capacity to assign to guests.
Ability to change operating systems may be limited.
The host may be a potential single point of failure within the system.

Which of the following is a deterrent security control that reduces the likelihood of an insider threat event?

Removing malicious code
Distributing disciplinary policies
Creating contingency plans
Executing data recovery procedures

While evaluating the data classification process of an organization, an IS auditor’s PRIMARY focus should be on whether:

data is correctly classified
a data dictionary is maintained
data retention requirements are clearly defined
data classifications are automated

Which of the following auditing techniques would be used to detect the validity of a credit card transaction based on time, location, and date of purchase?

Integrated test facility (ITF)
Data analytics
Hash totals
Check sums

Which of the following poses the GREATEST risk to a virtualized environment?

Server cloning occurs without appropriate approval from IT management.
A network map has not been updated.
Backup testing does not occur at regular intervals.
Security zones within the environment are combined.

Capacity management tools are PRIMARILY used to ensure that:

available resources are used efficiently and effectively
concurrent use by a large number of users is enabled
proposed hardware acquisitions meet capacity requirements
computer systems are used to their maximum capacity most of the time

Which of the following is an example of personally identifiable information (PII)?

Office address
Marital status
Passport number
Date of birth

CISA Final Assessment 2

Quiz Summary

Information

Results

Results

Categories

1. Question

2. Question

3. Question

4. Question

5. Question

6. Question

7. Question

8. Question

9. Question

10. Question

11. Question

12. Question

13. Question

14. Question

15. Question

16. Question

17. Question

18. Question

19. Question

20. Question

21. Question

22. Question

23. Question

24. Question

25. Question

26. Question

27. Question

28. Question

29. Question

30. Question

31. Question

32. Question

33. Question

34. Question

35. Question

36. Question

37. Question

38. Question

39. Question

40. Question

41. Question

42. Question

43. Question

44. Question

45. Question

46. Question

47. Question

48. Question

49. Question

50. Question

51. Question

52. Question

53. Question

54. Question

55. Question

56. Question

57. Question

58. Question

59. Question

60. Question

61. Question

62. Question

63. Question

64. Question

65. Question

66. Question

67. Question

68. Question

69. Question

70. Question

71. Question

72. Question

73. Question