Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

The DRP has not been updated since an IT infrastructure upgrade.

The DRP has not been formally approved by senior management.

The DRP has not been distributed to end users.

The DRP has not been updated since an IT infrastructure upgrade.

The DRP contains recovery procedures for critical servers only.

Which of the following is MOST critical for the effective implementation of IT governance?

Strong risk management practices

Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

Inability to utilize the site when required

Inability to test the recovery plans onsite

Equipment compatibility issues at the site

Mismatched organizational security policies

Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

Perform domain name system (DNS) server security hardening.

Utilize a network-based firewall.

Conduct regular user security awareness training.

Perform domain name system (DNS) server security hardening.

Enforce a strong password policy meeting complexity requirement.

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported the auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Segregate the outdated software system from the main network.

Verify all patches have been applied to the software system's outdated version

Close all unused ports on the outdated software system.

Segregate the outdated software system from the main network.

Monitor network traffic attempting to reach the outdated software system.

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Enforce an internal data access policy.

Apply single sign-on for access control

Implement segregation of duties.

Enforce an internal data access policy.

Enforce the use of digital signatures.

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

Monitor and restrict vendor activities

Issues an access card to the vendor.

Conceal data devices and information labels

Restrict use of portable and wireless devices.

What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

To identify areas with relatively high probability of material problems

To address the overall risk associated with the activity under review

To identify areas with relatively high probability of material problems

To help ensure maximum use of audit resources during the engagement

To help prioritize and schedule auditee meetings

Which of the following should be the FIRST step in the incident response process for a suspected breach?

Research the validity of the alerted breach

Inform potentially affected customers of the security breach

Notify business management of the security breach.

Research the validity of the alerted breach

Engage a third party to independently evaluate the alerted breach.

An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?

Manual sign-in and sign-out log

Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

Conduct a data inventory and classification exercise

Identify approved data workflows across the enterprise.

Conduct a threat analysis against sensitive data usage.

Create the DLP pcJc.es and templates

Conduct a data inventory and classification exercise

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?

vulnerabilities have not been properly addressed

Abuses by employees have not been reported.

Lessons learned have not been properly documented

vulnerabilities have not been properly addressed

Security incident policies are out of date.

Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

Review of program documentation

Interviews with knowledgeable users

A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.

A formal request for proposal (RFP) process

Business case development procedures

An information asset acquisition policy

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

The security weakness facilitating the attack was not identified.

The attack was not automatically blocked by the intrusion detection system (IDS).

The attack could not be traced back to the originating person.

Appropriate response documentation was not maintained.

in a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:

quality assurance (QA) personnel

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

include a statement in its security policy about Internet use.

use a proxy server to filter out Internet sites that should not be accessed.

keep a manual log of Internet access.

monitor remote access activities.

include a statement in its security policy about Internet use.

Which of the following is MOST important when implementing a data classification program?

Understanding the data classification levels

Planning for secure storage capacity

Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

Ensuring that audit trails exist for transactions

Restricting program functionality according to user security profiles

Restricting access to update programs to accounts payable staff only

Including the creator's user ID as a field in every transaction record created

Ensuring that audit trails exist for transactions

Which of the following would be MOST useful when analyzing computer performance?

Statistical metrics measuring capacity utilization

Operations report of user dissatisfaction with response time

Tuning of system software to optimize resource usage

Report of off-peak utilization and response time

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

Validate that all data files contain digital watermarks

Ensure that paper documents arc disposed security.

Implement an intrusion detection system (IDS).

Verify that application logs capture any changes made.

Validate that all data files contain digital watermarks

An IS auditor assessing the controls within a newly implemented call center would First

evaluate the operational risk associated with the call center.

gather information from the customers regarding response times and quality of service.

review the manual and automated controls in the call center.

test the technical infrastructure at the call center.

evaluate the operational risk associated with the call center.

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding. Which of two following is the MOST reliable follow-up procedure?

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

Review the documentation of recant changes to implement sequential order numbering.

Inquire with management if the system has been configured and tested to generate sequential order numbers.

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

Examine a sample of system generated purchase orders obtained from management

When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.

the security criteria are clearly documented for each classification

each information asset is to a assigned to a different classification.

the security criteria are clearly documented for each classification

Senior IT managers are identified as information owner.

the information owner is required to approve access to the asset

Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

Net present value (NPV) of the portfolio

Cost of projects divided by total IT cost

Expected return divided by total project cost

Net present value (NPV) of the portfolio

An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?

Improve the change management process

Which of the following should an IS auditor expect to see in a network vulnerability assessment?

Misconfiguration and missing updates

An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that

security parameters are set in accordance with the organization's policies.

security parameters are set in accordance with the manufacturer s standards.

a detailed business case was formally approved prior to the purchase.

security parameters are set in accordance with the organization's policies.

the procurement project invited lenders from at least three different suppliers.

What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?

it establishes accountability for the action plans

it facilitates easier audit follow-up

it enforces action plan consensus between auditors and auditees

it establishes accountability for the action plans

it helps to ensure factual accuracy of findings

During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identity as the associated risk?

Increased vulnerability due to anytime, anywhere accessibility

The use of the cloud negatively impacting IT availably

Increased need for user awareness training

Increased vulnerability due to anytime, anywhere accessibility

Lack of governance and oversight for IT infrastructure and applications

Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?

Analyzing risks posed by new regulations

Developing procedures to monitor the use of personal data

Defining roles within the organization related to privacy

Designing controls to protect personal data

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?

The BCP has not been tested since it was first issued.

The BCP's contact information needs to be updated

The BCP is not version controlled.

The BCP has not been approved by senior management.

The BCP has not been tested since it was first issued.

A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?

The survey questions did not address the scope of the business case.

The survey results were not presented in detail lo management.

The survey questions did not address the scope of the business case.

The survey form template did not allow additional feedback to be provided.

The survey was issued to employees a month after implementation.

Which of the following is the BEST reason to implement a data retention policy?

To limit the liability associated with storing and protecting information

To document business objectives for processing data within the organization

To assign responsibility and ownership for data protection outside IT

To establish a recovery point detective (RPO) for (toaster recovery procedures

Isaca CISA Practice Test 10 - Free Online Exam Prep & Questions

Which of the following should be the IS auditor's PRIMARY focus, when evaluating an organization's offsite storage facility?

Become a Premium Member for full access

Unlock Premium Member

Isaca CISA Practice Test 10

Question

Isaca CISA Practice Tests

Practice Tests