Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Applying access controls determined by the data owner

Limiting access to the data files based on frequency of use

Obtaining formal agreement by users to comply with the data classification policy

Applying access controls determined by the data owner

Using scripted access control lists to prevent unauthorized access to the server

The PRIMARY benefit of automating application testing is to:

replace all manual test processes.

reduce the time to review code.

Which of the following BEST addresses the availability of an online store?

A mirrored site at another location

Which of the following is the BEST way to prevent social engineering incidents?

Maintain an onboarding and annual security awareness program.

Ensure user workstations are running the most recent version of antivirus software.

Include security responsibilities in job descriptions and require signed acknowledgment.

Enforce strict email security gateway controls

Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?

The policy aligns with local laws and regulations.

The policy aligns with corporate policies and practices.

The policy aligns with global best practices.

The policy aligns with business goals and objectives.

The policy aligns with local laws and regulations.

Which of the following BEST enables alignment of IT with business objectives?

Leveraging an IT governance framework

Benchmarking against peer organizations

Developing key performance indicators (KPIs)

Completing an IT risk assessment

Leveraging an IT governance framework

Which of the following are used in a firewall to protect the entity's internal resources?

Internet Protocol (IP) address restrictions

Controls related to authorized modifications to production programs are BEST tested by:

tracing modifications from the original request for change forward to the executable program.

tracing modifications from the executable program back to the original request for change.

testing only the authorizations to implement the new program.

reviewing only the actual lines of source code changed in the program.

Which of the following is a PRIMARY responsibility of an IT steering committee?

Prioritizing IT projects in accordance with business requirements

Reviewing periodic IT risk assessments

Validating and monitoring the skill sets of IT department staff

Establishing IT budgets for the business

Which of the following is MOST important to define within a disaster recovery plan (DRP)?

Roles and responsibilities for recovery team members

Test results for backup data restoration

A comprehensive list of disaster recovery scenarios and priorities

Roles and responsibilities for recovery team members

Management has learned the implementation of a new IT system will not be completed on time and has requested an audit. Which of the following audit findings should be of GREATEST concern?

Tasks defined on the critical path do not have resources allocated.

The actual start times of some activities were later than originally scheduled.

Tasks defined on the critical path do not have resources allocated.

The project manager lacks formal certification.

Milestones have not been defined for all project products.

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

Determine which databases will be in scope.

Perform a business impact analysis (BIA).

Determine which databases will be in scope.

Identify the most critical database controls.

Evaluate the types of databases being used

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

Software escrow was not negotiated.

The contract does not contain a right-to-audit clause.

An operational level agreement (OLA) was not negotiated.

Several vendor deliverables missed the commitment date.

Software escrow was not negotiated.

During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

Evaluate senior management's acceptance of the risk.

Require the auditee to address the recommendations in full.

Adjust the annual risk assessment accordingly.

Evaluate senior management's acceptance of the risk.

Update the audit program based on management's acceptance of risk.

An IT balanced scorecard is the MOST effective means of monitoring:

change management effectiveness.

When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:

an information security framework.

past information security incidents.

Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?

The lack of acceptance criteria behind user requirements.

The lack of technical documentation to support the program code

The lack of completion of all requirements at the end of each sprint

The lack of acceptance criteria behind user requirements.

The lack of a detailed unit and system test plan

Which of the following is the BEST data integrity check?

Tracing data back to the point of origin

Counting the transactions processed per day

Tracing data back to the point of origin

Preparing and running test data

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?

Reconciliation of total amounts by project

Validity checks, preventing entry of character data

Reasonableness checks for each cost type

Display the back of the project detail after the entry

An organizations audit charier PRIMARILY:

describes the auditors' authority to conduct audits.

defines the auditors' code of conduct.

formally records the annual and quarterly audit plans.

documents the audit process and reporting standards.

The decision to accept an IT control risk related to data quality should be the responsibility of the:

chief information officer (CIO).

Which of the following data would be used when performing a business impact analysis (BIA)?

Expected costs for recovering the business

Projected impact of current business on future business

Cost-benefit analysis of running the current business

Expected costs for recovering the business

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Alignment with the IT tactical plan

Compliance with industry best practice

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?

Determine the risk of not replacing the firewall.

Report the mitigating controls.

Report the security posture of the organization.

Determine the value of the firewall.

Determine the risk of not replacing the firewall.

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

Analyze whether predetermined test objectives were met.

Perform testing at the backup data center.

Evaluate participation by key personnel.

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

Providing education and guidelines to employees on use of social networking sites

Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees

Establishing strong access controls on confidential data

Providing education and guidelines to employees on use of social networking sites

Monitoring employees' social networking usage

An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?

implement policies addressing acceptable usage of social media during working hours.

Implement a process to actively monitor postings on social networking sites.

Adjust budget for network usage to include social media usage.

Use data loss prevention (DLP) tools on endpoints.

implement policies addressing acceptable usage of social media during working hours.

Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?

The IS auditor implemented a specific control during the development of the application system.

The IS auditor provided consulting advice concerning application system best practices.

The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.

The IS auditor designed an embedded audit module exclusively for auditing the application system.

The IS auditor implemented a specific control during the development of the application system.

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

Implement business rules to reject invalid data.

Obtain error codes indicating failed data feeds.

Appoint data quality champions across the organization.

Purchase data cleansing tools from a reputable vendor.

Implement business rules to reject invalid data.

An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?

Contact the incident response team to conduct an investigation.

Examine the computer to search for evidence supporting the suspicions.

Advise management of the crime after the investigation.

Contact the incident response team to conduct an investigation.

Notify local law enforcement of the potential crime before further investigation.

Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?

Write access to production program libraries

Write access to development data libraries

Execute access to production program libraries

Execute access to development program libraries

An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:

verify results to determine validity of user concerns.

review recent changes to the system.

verify completeness of user acceptance testing (UAT).

verify results to determine validity of user concerns.

review initial business requirements.

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

Determine if a root cause analysis was conducted.

Document the finding and present it to management.

Determine if a root cause analysis was conducted.

Confirm the resolution time of the incidents.

Validate whether all incidents have been actioned.

Isaca CISA Practice Test 1 - Free Online Exam Prep & Questions

Question 1 / 40

What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Isaca CISA Practice Test 1

Question

Isaca CISA Practice Tests

Practice Tests