CISA Final Assessment 3

Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?

Deviation detection
Cluster sampling
Random sampling
Classification

Which of the following BEST addresses the availability of an online store?

Online backups
A mirrored site at another location
Clustered architecture
RAID level 5 storage devices

Who would provide an IS auditor with the MOST helpful input during an interview to determine whether business requirements for an application were met?

User management
Project sponsors
Senior management
Project management

Which of the following should be an IS auditor’s GREATEST concern when assessing an IT service configuration database?

The database is not encrypted at rest.
The database is read-accessible for all users.
The database is executable for all users.
The database is write-accessible for all users.

Which of the following is PRIMARY responsibility of an IT steering committee?

Prioritizing IT projects in accordance with business requirements
Validating and monitoring the skill sets of IT department staff
Establishing IT budgets for the business
Reviewing periodic IT risk assessments

Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately?

Electronic copies of customer sales receipts are maintained.
Monthly bank statements are reconciled without exception.
The data transferred over the POS interface is encrypted.
Nightly batch processing has been replaced with real-time processing.

An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?

Overviews of interviews between data center personnel and the auditor
Summary memos reflecting audit opinions regarding noted weaknesses
Detailed evidence of the successes and weaknesses of all contingency testing
Prior audit reports involving other corporate disaster recovery audits

Which of the following is an indication of possible hacker activity involving voice communications?

Direct inward system access (DISA) is found to be disabled on the company’s exchange.
Outbound calls are found to significantly increase in frequency during non-business hours.
Inbound calls experience significant fluctuations based on time of day and day of week.
The abandonment rate of service desk calls is increasing during the early morning.

Which of the following is the MOST appropriate indicator of change management effectiveness?

Time lag between changes to the configuration and the update of records
Number of system software changes
Number of incidents resulting from changes
Time lag between changes and updates of documentation materials

Which of the following should be an IS auditor’s GREATEST concern when reviewing an organization’s capacity management planning?

Many of the resource requirements are based on estimates
The organization is increasingly dependent on the use of cloud providers
Some planning areas are not well developed
Current resource utilization is not monitored

Which of the following is the BEST source of information to determine the required level of data protection on a file server?

Acceptable use policy and privacy statements
Previous data breach incident reports
Data classification policy and procedures
Access rights of similar file servers

Which of the following is the PRIMARY objective of implementing IT governance?

Resource management
Performance measurement
Value delivery
Strategic planning

During an information security audit of a mid-sized organization, an IS auditor notes that the organization’s information security policy is not sufficient. What is the auditor’s BEST recommendation for the organization?

Obtain an external consultant's support to rewrite the policy.
Identify and close gaps compared to a best-practice framework.
Perform a benchmark with competitors’ policies.
Define roles and responsibilities for regularly updating the policy.

The GREATEST limitation of a network-based intrusion detection system (IDS) is that it:

provides only for active rather than passive IDS monitoring
does not monitor for denial of service (DoS) attacks
consumes excessive network resources for detection
does not detect attacks originating on the server hosting the IDS

Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves for care?

Software as a Service (SaaS) provider
Network segmentation
Infrastructure as a Service (IaaS) provider
Dynamic localization

Which of the following would be MOST impacted if an IS auditor were to assist with the implementation of recommended control enhancements?

Materiality
Independence
Integrity
Accountability

Which of the following is the BEST report for an IS auditor to reference when tasked with reviewing the security of code written for a newly developed website?

Black box testing report
Static software composition analysis
Penetration test report
Web application vulnerability report

Which of the following observations should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA) practices?

A combination of questionnaires, workshops, and interviews is used.
Outsourced business processes are excluded from the scope of the BIA.
Resource dependencies for critical processes are not determined.
Recovery objectives are identified without conducting risk assessments.

During an audit, which of the following would be MOST helpful in establishing a baseline for measuring data quality?

Industry standard business definitions
Input from customers
Validation of rules by the business
Built-in data error prevention application controls

Which of the following approaches would BEST enable an e-commerce website to handle unpredictable amounts of traffic?

Index key databases to improve response time.
Re-factor applications to improve efficiency.
Cluster application servers to distribute web traffic.
Configure resources to scale.

An organization is permanently transitioning from onsite to fully remote business operations. When should the existing business impact analysis (BIA) be reviewed?

At least one year after the transition
As soon as the new operating model is in place
During the next scheduled review
As soon as the decision about the transition is announced

Which of the following is a PRIMARY benefit of a maturity model?

It facilitates communication with regulatory bodies.
It benchmarks the organization to peer performance levels.
It facilitates the establishment of organizational capability.
It provides the organization with a standard assessment tool.

In the development of a new financial application, the IS auditor’s FIRST involvement should be in the:

control design
application design
system test
feasibility study

Which of the following tests would BEST indicate that a software development project is ready to be deployed into the production environment?

Performance
Parallel
Unit
Quality assurance (QA)

Which of the following is the MOST important element of quality control with respect to an audit engagement?

Increase of audit quality through multiple follow-up audits
Responsibility of leadership for quality in audits
Assignment of engagement teams for audits
Resolution procedures for differences of opinion in audits

Which of the following threats is mitigated by a firewall?

Asynchronous attack
Intrusion attack
Trojan horse
Passive assault

Which of the following is the GREATEST advantage of maintaining an internal IS audit function within an organization?

Better understanding of the business and processes
Ability to negotiate recommendations with management
Increased IS audit staff visibility and availability throughout the year
Increased independence and impartiality of recommendations

The MOST appropriate person to chair the steering committee for an enterprise-wide system development should be the:

business analyst
project manager
IS director
executive level manager

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization’s vulnerability scanning program?

Scans are performed less frequently than required by the organization’s vulnerability scanning schedule.
Steps taken to address identified vulnerabilities are not formally documented.
Results are not approved by senior management.
Results are not reported to individuals with authority to ensure resolution.

An IS audit reveals an organization has decided not to implement a new regulation by the required deadline because the cost of rapid implementation is higher than the penalty for noncompliance. Which of the following is the auditor’s BEST course of action?

Ensure a gap analysis is conducted
Ensure regulatory reporting is completed
Ensure the risk register is updated
Ensure risk acceptance is documented

Which of the following is the BEST way for an IS auditor to determine the completeness of data migration?

Review migration logs to identify possible failures.
Review the implemented data cleanup process.
Reconcile migrated records with records in the source system.
Examine formal departmental review of the data migration.

Which of the following is MOST important to consider when establishing the retention period for customer data within a specific database or application?

Enterprise classification level
System performance
Hardware capacity
Minimum regulatory requirements

An organization has decided to purchase a web-based email service from a third-party vendor and eliminate its own email server infrastructure. What type of cloud computing environment would BEST meet the organization’s objective?

Database as a Service (DBaaS)
Infrastructure as a Service (IaaS)
Software as a Service (SaaS)
Platform as a Service (PaaS)

Which of the following is the GREATEST advantage of utilizing guest operating systems in a virtual environment?

They can be logged into and monitored from any location.
They prevent access to the greater environment via Transmission Control Protocol/Internet Protocol (TCP/IP)
They can be wiped quickly in the event of a security breach.
They are easier to containerize with minimal impact to the rest of the environment

An IS auditor finds that a system receives identical information from two different upstream sources, even though redundancy is not required. Which of the following would BEST enable the organization to avoid this type of inefficiency?

Enterprise architecture (EA)
Normalized relational databases
Centralized data warehouse
Cyber architecture review

Which of the following is the BEST way to determine the effectiveness of an organization’s current patch management system?

Perform a vulnerability assessment
Perform secure code review
Perform a network scan
Perform penetration testing

A large organization has a centralized infrastructure team and decentralized application support teams reporting into their respective business units. Which of the following is the GREATEST potential issue with his organizational structure?

Redundancy of IT resources used across the organization
Failure to align with industry best practices across the organization
Inconsistent allocation of IT spend across the organization
Inconsistent IT strategy across the organization

An IS auditor is reviewing an origination’s release management practices and observes inconsistent and inaccurate estimation of the size and complexity of business application development projects. Which of the following should the auditor recommend to address this issue?

Agile development approach
Critical path methodology
Rapid application development
Function point analysis

Which of the following is the BEST way to faster continuous improvement of IS audit processes and practices?

Frequently review IS audit policies, procedures, and instruction manuals.
Establish and embed quality assurance (QA) within the IS audit function.
Invite external auditors and regulators to perform regular assessment of the IS audit function.
Implement rigorous managerial review and sign-off of IS audit deliverables.

An IS auditor is preparing a plan for audits to be carried out over a specified period. Which of the following activities should the IS auditor perform FIRST?

Allocate audit resources.
Determine the audit universe.
Prioritize risks.
Review prior audit reports.

During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor’s NEXT step should be to:

recommend a control to automatically update access rights.
determine the reason why access rights have not been revoked.
direct management to revoke current access rights.
determine if access rights are in violation of software licenses.

An organization has developed processes to recover critical files in the event of a ransomware attack. Which type of control do these processes represent?

Corrective
Detective
Preventive
Compensating

Which type of threat can utilize a large group of automated social media accounts to steal data, send spam, or launch distributed denial of service (DDoS) attacks?

Data mining
Botnet attack
Malware sharing
Phishing attempt

Which of the following is the BEST preventative control to ensure that database integrity is maintained?

Mandatory annual user access reviews
Biometric authentication
Role-based access
Mandatory password changes

During an information security review, an IS auditor learns an organizational policy requires all employees to attend information security training during the first week of each new year What is the auditor’s BEST recommendation to ensure employees hired after January receive adequate guidance regarding security awareness?

Require management of new employees to provide an overview of security
Revise the policy to require security training every six months for all employees
Ensure new employees read and sign acknowledgment of the acceptable use policy
Revise the policy to include security training during onboarding

An IS auditor observes a system performance monitoring too that states that a server critical to the organization averages high CPU utilization across a cluster of four virtual servers throughout the audit period. To determine if further investigation is required an IS auditor should review:

system baselines.
the system process activity log.
the number of CPUs allocated to each virtual machine.
organizational objectives.

In a review of the organization standards and guidelines for IT management, which of the following should be included in an IS development methodology?

Risk management techniques
Access control rules
Value-added activity analysis
Incident management techniques

When using data analytics to perform an audit, the IS auditor should FIRST:

identify testing models
define data needs
identify data sources
prepare the data

An organization outsourced its IS functions. To meet its responsibility for disaster recovery, the organization should:

coordinate disaster recovery administration with the outsourcing vendor
delegate evaluation of disaster recovery to a third party
delegate evaluation of disaster recovery to internal audit
discontinue maintenance of the disaster recovery plan (DRP)

Which of the following is a preventive control that can protect against internal fraud in an organization?

Continuous auditing
Management review
External audits
Segregation of duties

During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor’s BEST course of action?

Recommend the utilization of software licensing monitoring tools.
Recommend the purchase of additional software license keys.
Validate user need for shared software licenses.
Verify whether the licensing agreement allows shared use.

An organization has implemented segregation of duties with appropriate job definitions and restrictions on overlapping roles. Which type of control has been implemented?

Preventive
Detective
Physical
Corrective

Which of the following is the MOST effective way to assess the controls over the hardware maintenance process?

Review the hardware maintenance logs to confirm all recorded dates are within one year
Compare the hardware maintenance log with the recommended maintenance schedule
Validate that management tracks the mean time between failures (MTBFs)
Identify the required maintenance procedures and ensure the maintenance policy is in alignment

When auditing an organization’s software acquisition process, the BEST way for an IS auditor to understand the software benefits to the organization would be to review the:

alignment with IT strategy
business case
feasibility study
request for proposal (RFP)

When building or upgrading enterprise cryptographic infrastructure, which of the following is the MOST critical requirement for growing business requirements?

Network throttling
Service discovery
Backup and restoration capabilities
Scalable architectures and systems

After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit. This evidence indicates that procedural control may have failed and could contradict a conclusion of the audit. Which of the following risks is MOST affected by this oversight?

Operational
Audit
Financial
Inherent

Which of the following is MOST effective for controlling visitor access to a data center?

Visitors sign in at the front desk upon arrival
Pre-approval of entry requests
Visitors are escorted by an authorized employee
Closed-circuit television (CCTV) is used to monitor the facilities

When reviewing a business impact analysis (BIA), it is MOST important for an IS auditor to ensure input was obtained from which group of stakeholders?

Business executives
Business process owners
Third-party consultants
Risk management

Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of an organization’s social media practices?

Some employees have not received adequate training in the use of social media.
The organization does not have a social media policy.
Employees are using corporate devices to access mainstream social media websites.
Employees are using corporate branding on personal social media postings.

Which of the following is the PRIMARY reason an IS auditor would recommend offsite backups although critical data is already on a redundant array of inexpensive disks (RAID)?

The array cannot recover from a natural disaster.
The array relies on proper maintenance.
The array cannot offer protection against disk corruption.
Disks of the array cannot be hot-swapped for quick recovery.

An organization’s business continuity plan (BCP) should be:

updated based on changes to personnel and environments
tested whenever new applications are implemented
updated before an independent audit review
tested after an intrusion attempt into the organization’s hot site

An IS auditor has been asked to review a recently implemented quality management system (QMS). Which of the following should be the auditor’s PRIMARY focus?

Training materials prepared for coaching employees
Processes to measure the performance of business-critical transactions
Cost-benefit analysis of the development and implementation of the QMS
Stability of the implemented QMS system over a period of time

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization’s release management processes?

Release management policies have not been updated in the past two years.
Identify assets to be protected.
Evaluate controls in place.
Identify potential threats.

An organization’s IT risk assessment should include the identification of:

vulnerabilities
compensating controls
business process owners
business needs

Which of the following should be identified FIRST during the risk assessment process?

Vulnerability
Existing controls
Legal requirements
Information assets

Which of the following is MOST important for an IS auditor to confirm when assessing the security of a new cloud-based IT application that is linked with the organization’s existing technology?

The application programming interfaces (APIs) are adequately secured.
The on-premise database has adequate encryption at rest.
The cloud provider shares an external audit report.
The organization has a flat network structure.

What would be the PRIMARY reason for an IS auditor to recommend using key risk indicators (KRIs)?

To keep the risk register updated
To eliminate unnecessary risk
To determine whether risk is changing
To align resources with the greatest risk

A matrix showing the current state and challenges of an organization’s software release management practices is MOST useful for:

writing up an internal audit report.
determining the overall maturity level.
improving the developer experience.
seeking approval for new tooling.

Which of the following is the BEST way to prevent social engineering incidents?

Ensure user workstations are running the most recent version of antivirus software.
Include security responsibilities in job descriptions and require signed acknowledgment.
Maintain an onboarding and annual security awareness program.
Enforce strict email security gateway controls.

Which of the following is the BEST way to reduce the attack surface for a server farm?

Implement effective vulnerability management procedures.
Uninstall unnecessary applications and services.
Evaluate server configuration periodically.
Ensure applications are periodically patched.

Which of the following is the BEST indication that an IT service desk function needs to improve its incident management processes?

Information found in many incident records is incomplete
The service desk spends most of its time on recurring incidents
Back-end releases are the major cause of system disruptions
Service level metrics for resolution time have not been met several times

The PRIMARY benefit of automating application testing is to:

reduce the time to review code
provide test consistency
replace all manual test processes
provide more flexibility

Which of the following BEST enables an IS auditor to prioritize financial reporting spreadsheets for an end-user computing (EUC) audit?

Understanding the purpose of each spreadsheet
Ascertaining which spreadsheets are most frequently used
Identifying the spreadsheets with built-in macros
Reviewing spreadsheets based on file size

Which of the following is the MOST critical factor for the successful implementation of an IT governance framework?

Alignment with industry benchmarks
Alignment with business strategy
Alignment with information security standards
Alignment with a risk management framework

During an investigation, it was determined that an employee leaked company system administrative credentials on a public social media site. What is the IS auditor’s FIRST recommendation?

Prosecute the employee
Change privileged passwords
Initiate forensic investigation
Initiate shutdown of the system

A transaction processing system interfaces with the general ledger. Data analytics has identified that some transactions are being recorded twice in the general ledger. While management states a system fix has been implemented, what should the IS auditor recommend to validate the interface is working in the future?

Perform periodic reconciliations.
Improve user acceptance testing (UAT).
Ensure system owner sign-off for the system fix.
Conduct functional testing.

Which of the following BEST enables an organization to control which software can be installed on a user’s computer?

Access list
Capabilities list
Baseline list
Blocked list

Which of the following indicators would BEST demonstrate the efficiency of a help desk operation?

The percentage of system uptime supported
The percentage of tickets resolved over a period of time
Number of calls received per day
The number of users supported

Which of the following should be identified FIRST when assessing the maturity level of an organization’s vulnerability management practices?

Applicable IT governance framework
Key security team members to interview
Applicable security framework
Scope of vulnerability reports

An organization wants an independent measure of an outsourced system’s availability. This measure is directly related to contractual payment obligations. Which of the following procedures would an IS auditor MOST likely recommend?

Requiring end users to report any service disruptions
Polling the remote service at regular intervals
Scanning for errors or warnings from system logs
Comparing downtime to approved maintenance windows

Which of the following should be of GREATEST concern to an IS auditor when using data analytics?

The data source lacks integrity
The data analytics software is open source
The data set contains irrelevant fields
The data was not extracted by the auditor

Which of the following BEST indicates that an organization’s risk management practices contribute to the effectiveness of internal IS audits?

The audit team participates in risk scenario development workshops.
The audit department utilizes the corporate risk register.
The audit department uses the existing risk analysis templates.
The audit department follows the same reporting format used by the IT risk function.

An IS auditor notes that an organization’s DevOps team has both production and developer access. The head of IT operations agrees that there is a segregation of duties concern but considers both types of access to be necessary for the team. Which of the following is the auditor’s BEST recommendation?

Implement weekly management reviews to confirm that no change was both developed and deployed by the same engineer.
Require DevOps engineers’ access to production systems to be reauthorized quarterly by the head of IT operations.
Have developer access removed from the DevOps engineers.
Implement an automated control to prevent deployment if the developer is also trying to deploy the change

An organization has outsourced the maintenance of its customer database to an external vendor, and the vendor has requested live data to test the performance of the database. Which of the following is MOST important for the IS auditor to recommend?

Ensure sensitive field data is anonymized by random characters.
Ensure both parties agree the data will be destroyed after the testing is complete.
Ensure the data is backed up before providing it to the vendor.
Ensure data transfer details are specified in the service engagement contract.

The use of control totals satisfies which of the following control objectives?

Processing integrity
Transaction integrity
Distribution control
System recoverability

An organization outsources its IT function to a third-party provider that supplies all hardware and support personnel. Which of the following poses the GREATEST risk that the provider’s IT resources may not be available to meet the organization’s objectives?

The service contract does not include penalty or termination provisions.
The service provider does not make independent audit reports available.
The service provider is located offshore.
Service level agreements (SLAs) are not established and monitored.

Which of the following biometric authentication methods has the LOWEST false acceptance rate?

Fingerprint
Voice
Retina
Face

Which of the following is MOST important for an IS auditor to confirm upon learning that an organization utilizes storage virtualization for key systems in their environment?

Restoration testing is performed at regular intervals.
Redundancy is included in the storage architecture.
Backup drives are available at the disaster recovery hot site.
Access to physical media is limited to authorized individuals.

As part of a payroll department IS audit, which of the following is the PRIMARY reason an IS auditor would recommend that a supervisor review exception reports before authorizing payments?

To identify unusual fluctuations or changes in any employee's monthly pay
To evaluate gaps between employee performance and salary adjustments
To verify the accuracy of bank account information for payroll deposit
To collect statistical information in preparation for future pay scale reviews

Which of the following is the PRIMARY objective of enterprise architecture (EA)?

Enforcing the IT policy across the organization
Managing and planning for IT investments
Executing customized development and delivery of projects
Maintaining detailed system documentation

An IS auditor observes that each department follows a different approach for creating and securing spreadsheet macros. Which of the following is the auditor’s BEST recommendation for management in this situation?

Provide end-user training on spreadsheet macro development.
Prohibit further development of end-user computing (EUC) applications by end users.
Implement an end-user computing (EUC) governance framework
Secure the folders where macro-enabled spreadsheets are stored.

Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?

Physical destruction
Random character overwrite
Degaussing
Low-level formatting

Which of the following BEST enables an organization to verify whether an encrypted message sent by a client has been altered?

The date and time stamp of the received message
The digital signature
The sender’s private key
The message header

Which of the following BEST enables an organization to improve the visibility of end-user computing (EUC) applications that support regulatory reporting?

EUC tests of operational effectiveness
EUC access control matrix
EUC availability controls
EUC inventory

An IS auditor has been asked to investigate critical business applications that have been producing suspicious results. Which of the following should be done FIRST?

Evaluate control design
Evaluate incident management
Review configuration management
Review user access rights

Which of the following should be the FIRST step to successfully implement a corporate data classification program?

Check for the required regulatory requirements.
Select a data loss prevention (DLP) protocol.
Confirm that adequate resources are available for the project.
Approve a data classification policy.

Which of the following is BEST supported by enforcing data definition standards within a database?

Data confidentiality
Data security
Data formatting
Data retention

An IS auditor reviewing an information processing environment decides to conduct external penetration testing. Which of the following is MOST appropriate to include in the audit scope for the organization to distinguish between the auditor’s penetration attacks and actual attacks?

Restricted host IP addresses of simulated attacks
Testing techniques of simulated attacks
Source IP addresses of simulated attacks
Timing of simulated attacks

Which of the following BEST protects private health information from data loss for clients that utilize remote health-monitoring devices?

Digital certificates
Remote device wipe functionality
Information security training
Encrypted device storage

The BEST way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and:

product registration
procurement
payroll processing
payment processing

Which of the following should be the GREATEST concern for an IS auditor performing a post-implementation review for a major system upgrade?

Changes are promoted to production by the development group.
Developers have access to the testing environment.
Object code can be accessed by the development group.
Change approvals are not formally documented.

Which of the following observations noted by an IS auditor reviewing internal IT standards is MOST important to address?

The standards have no reference to an industry-recognized framework.
The standards are not detailed in policies and procedures.
The standards are not readily available to organization-wide users.
The standards have not been revised within the last year.

Which of the following is MOST important for an organization to consider when planning to outsource data storage to a third-party provider?

The cost of delivering the service
The country in which the provider operates
The classification levels of the stored data
The skill set and experience of the provider

An IS auditor has been tasked with analyzing an organization’s capital expenditures against its repair and maintenance costs. Which of the following is the BEST reason to use a data analytics tool for this purpose?

It reduces the sample size required to perform the audit.
It improves the reliability of the data.
It reduces the error rate.
It enables the auditor to work with 100% of the transactions.

Which of the following presents the GREATEST risk associated with end-user computing (EUC) applications over financial reporting?

Lack of portability for users
Calculation errors in spreadsheets
Inability to quickly modify and deploy a solution
Loss of time due to manual processes

An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

Source code version control
Project change management controls
Existence of an architecture review board
Configuration management

Which of the following is MOST important to consider when defining disaster recovery strategies?

Mean time to restore (MTTR)
Maximum time between failures (MTBF)
Maximum tolerable downtime (MTD)
Mean time to acknowledge (MTTA)

Which of the following is the GREATEST advantage of agile development over waterfall development?

Agile development values working software over static documentation.
Agile development values processes and tools over individuals and interactions.
Agile development values contract negotiation over customer collaboration.
Agile development values following a plan over responding to change.

Which of the following controls provides the MOST protection against ransomware attacks?

Education and awareness training
Tested and reliable backups
A tested incident response plan
Signature based anti-malware tools

Which of the following is the BEST control to help ensure that security requirements are considered throughout the life cycle of an agile software development project?

Including project team members who can provide security expertise
Reverting to traditional waterfall software development life cycle (SDLC) techniques
Documenting security control requirements and obtaining internal audit sign off
Requiring the project to go through accreditation before release into production

Which of the following is the BEST control to help ensure that security requirements are considered throughout the life cycle of an agile software development project?

Including project team members who can provide security expertise
Reverting to traditional waterfall software development life cycle (SDLC) techniques
Documenting security control requirements and obtaining internal audit sign off
Requiring the project to go through accreditation before release into production

Which of the following is the BEST control to help ensure that security requirements are considered throughout the life cycle of an agile software development project?

Including project team members who can provide security expertise
Reverting to traditional waterfall software development life cycle (SDLC) techniques
Documenting security control requirements and obtaining internal audit sign off
Requiring the project to go through accreditation before release into production

Which of the following is MOST important when assembling an internal team to perform penetration testing for the organization?

Obtain a listing of key systems for testing from management.
Gain agreement from management on timing and scope.
Perform a scan and identify in-scope assets.
Query the company directory to find privileged users.

Which of the following would a digital signature MOST likely prevent?

Disclosure
Repudiation
Corruption
Unauthorized change

An IS auditor is determining the scope for an upcoming audit. Which of the following BEST enables the auditor to ensure appropriate controls are considered?

Conducting interviews with IT staff
Reading recent industry journal articles
Using an IT-related framework
Reviewing previous audit reports

A PRIMARY objective of risk management is to keep the total cost of risks below the:

estimated amount of losses included in the firm's budget.
amount of losses that would materially damage the firm.
costs of loss prevention measures, such as physical security measures.
administrative costs of risk management.

Which of the following should be the role of internal audit in an organization’s move to the cloud?

Identifying and mitigating risk to an acceptable level
Identifying impacts to organizational budgets and resources
Implementing security controls for data prior to migration
Serving as a trusted partner and advisor

Which of the following should be the role of internal audit in an organization’s move to the cloud?

Identifying and mitigating risk to an acceptable level
Identifying impacts to organizational budgets and resources
Implementing security controls for data prior to migration
Serving as a trusted partner and advisor

How does a switched network reduce the risk of network sniffing?

Switches can detect active packet sniffing devices in their subnet.
Packets are not broadcasted throughout the whole subnet.
Network traffic is generally reduced.
Source and destination addresses are encrypted.

Which of the following is the MOST effective way for internal audit management to ensure the quality of IS audits is maintained?

Engage a third party to conduct regular quality assurance (QA) reviews.
Include quality metrics in audit staff annual performance evaluations.
Introduce a balanced scorecard for internal audit.
Conduct control self-assessments (CSA) with IT management.

In an organization’s feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?

Reputation of potential vendors
Alternatives for financing the acquisition
Financial stability of potential vendors
Cost-benefit analysis of available products

Which of the following is MOST helpful for understanding an organization’s key driver to modernize application platforms?

Network architecture diagrams
Inventory of end-of-life software
Vendor software invoices
System-wide incident reports

An IS auditor is reviewing results from the testing of an organization’s disaster recovery plan (DRP). Which of the following findings should be of GREATEST concern?

The testing was done after implementing a business application.
The backups at the DR site are not encrypted.
The testing was done during critical business hours.
The backups at the DR site are unreadable.

Demonstrated support from which of the following roles in an organization has the MOST influence over information security governance?

Information security steering committee
Chief information security officer (CISO)
Board of directors
Chief information officer (CIO)

An employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?

Automated logging of changes to development libraries should be instituted.
Procedures should be established to ensure that program changes are identified and approved.
Additional staff should be recruited to provide separation of duties.
Access control should prevent the operator from making program modifications.

A national bank recently migrated a large number of business-critical applications to the cloud. Which of the following is MOST important to ensuring the resiliency of the applications?

Conducting periodic system stress testing
Negotiating a service level agreement (SLA) with the provider
Using a monitoring tool to assess uptime
Creating restore points for critical applications

Which of the following should be an IS auditor’s PRIMARY consideration when evaluating the development and design of a privacy program?

Policies and procedures consistent with privacy guidelines
Industry practice and regulatory compliance guidance
Information security and incident management practices
Privacy training and awareness program for employees

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s newly established enterprise architecture (EA)?

The business leaders were not consulted when designing the IT architecture.
Standard architecture methodology was not adopted for designing the IT architecture.
Staff responsible for designing the IT architecture do not hold a related certification.
External experts were not consulted when designing the IT architecture.

Which of the following BEST enables an organization to manage unexpected or on-request jobs?

Service level agreements (SLAs)
Job scheduling software
Job scheduling by the service desk
Console logs

When protecting mobile devices, which of the following is the PRIMARY risk mitigated by authentication controls?

Software updates
Data availability and integrity
Internal or external security breaches
IT service failure

During a review of an organization’s technology policies, which of the following observations should be of MOST concern to the IS auditor?

Business objectives are not defined.
Legal requirements are not considered.
A globally acknowledged framework is not used.
The policies have not been reviewed within the last three years.

Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?

Prior audit reports
IT balanced scorecard
Vulnerability assessment report
IT value analysis

Which risk response has been adopted by a risk owner postponing the implementation of proper controls due to budget constraints?

Transfer
Acceptance
Avoidance
Mitigation

Before the release of a new application into an organization’s production environment, which of the following should be in place to ensure that proper testing has occurred and rollback plans are in place?

Independent third-party approval
Standardized change requests
Secure code review
Change approval board

Which of the following BEST describes the role of the IS auditor in a control self-assessment (CSA)?

Implementer
Approver
Reviewer
Facilitator

Which of the following is the BEST indication that there are potential problems within an organization’s IT service desk function?

Lack of key performance indicators (KPIs)
An excessive backlog of user requests
Undocumented operating procedures
Lack of segregation of duties

Which of the following is the PRIMARY objective of cyber resiliency?

To efficiently and effectively recover from an incident with limited operational impact
To prevent potential attacks or disruptions in operations
To limit the severity of security breaches and maintain continuous operations
To resume normal operations after service disruptions

During a post-implementation review, which of the following provides the BEST evidence that user requirements have been met?

Operator error logs
End-user documentation
User acceptance testing (UAT)
Management interviews

An IS auditor assessing an organization’s information systems needs to understand management’s approach regarding controls. Which documentation should the auditor review FIRST?

Policies
Standards
Guidelines
Procedures

Which of the following is MOST useful for matching records of incoming and outgoing personnel to identify tailgating in physical security logs?

Discovery sampling methodology
Continuous auditing
Data analytics tools
Reconciliation with HR records

An IS auditor assesses an organization’s backup management practices for optimization potential. Which of the following features of a regular backup tape reorganization job BEST enables the organization to realize cost savings?

Refreshed data written on tapes
Rotation of backup tapes
Decommissioning of old tapes
Defragmentation of data on tapes

Which of the following is MOST important to define within a disaster recovery plan (DRP)?

Roles and responsibilities for recovery team members
Test results for backup data restoration
A comprehensive list of disaster recovery scenarios and priorities
Business continuity plan (BCP)

Which of the following findings should be of MOST concern to an IS auditor assessing agile software development practices?

There is a low acceptance rate by the business of delivered software.
Testing is performed by both software developers and testers.
Release plans have been revised several times before actual release.
The IT team feels unable to strictly follow standard agile practices.

Which of the following would BEST integrate multiple data warehouses while reducing the workload required for moving data between the warehouses?

Extract, transform, and load
Data virtualization
Real-time data mirroring
Streaming data integration

A confidential file was sent to a legal entity, and hashing was used on the file. Which type of control has been applied?

Detective
Compensating
Corrective
Preventive

An IS auditor is performing a follow-up audit and notes that some critical deficiencies have not been addressed. The auditor’s BEST course of action is to:

document management's reasons for not addressing deficiencies.
postpone the audit until the deficiencies are addressed.
provide new recommendations.
assess the impact of not addressing deficiencies.

Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?

Consider stakeholder concerns when defining the EA.
Conduct EA reviews as part of the change advisory board.
Perform mandatory post-implementation reviews of IT implementations.
Document the security view as part of the EA.

Which of the following is MOST important to confirm when evaluating an IT organization’s structure?

Clear reporting and lines of authority
Documented provisions for interdepartmental cross-training
Comprehensive system architecture documentation
Policies and procedures that define requirements for periodic job rotation

Which feature associated with an Infrastructure as a Service (IaaS) cloud service provider allows for the provisioning of new servers as demand changes?

Measured service
Resource pooling
Rapid elasticity
Load balancing

Which of the following provides the BEST evidence that all elements of a business continuity plan (BCP) are operating effectively?

Walk-through test results
Full operational test results
Simulation test results
Tabletop test results

CISA Final Assessment 3

Quiz Summary

Information

Results

Results

Categories

1. Question

2. Question

3. Question

4. Question

5. Question

6. Question

7. Question

8. Question

9. Question

10. Question

11. Question

12. Question

13. Question

14. Question

15. Question

16. Question

17. Question

18. Question

19. Question

20. Question

21. Question

22. Question

23. Question

24. Question

25. Question

26. Question

27. Question

28. Question

29. Question

30. Question

31. Question

32. Question

33. Question

34. Question

35. Question

36. Question

37. Question

38. Question

39. Question

40. Question

41. Question

42. Question

43. Question

44. Question

45. Question

46. Question

47. Question

48. Question

49. Question

50. Question

51. Question

52. Question

53. Question

54. Question

55. Question

56. Question

57. Question

58. Question

59. Question

60. Question

61. Question

62. Question

63. Question

64. Question

65. Question

66. Question

67. Question

68. Question

69. Question

70. Question

71. Question

72. Question

73. Question