An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?

Evaluate key performance indicators (KPIs)

implement a control self-assessment (CSA)

Evaluate key performance indicators (KPIs)

An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year. Which of the following should the auditor do FIRST

Escalate to audit management to discuss the audit plan

Notify the chief operating officer (COO) and discuss the audit plan risks

Exclude IS audits from the upcoming year's plan

Increase the number of IS audits in the clan

Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?

Security policy documents are available on a public domain website

Security policies are not applicable across all business units

End users are not required to acknowledge security policy training

The security policy has not been reviewed within the past year

Security policy documents are available on a public domain website

An IS auditor is reviewing a data conversion project Which of the following is the auditor's BEST recommendation prior to go-live?

Review test procedures and scenarios

Establish a configuration baseline

As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (B1A)?

Completeness of critical asset inventory

Critical applications m the cloud

Completeness of critical asset inventory

Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?

To enable conclusions about me performance of the processes and target variances tor follow-up analysis

To analyze workflows in order to optimize business processes and eliminate tasks that do not provide value

To assess the functionality of a software deliverable based on business processes

In an IT organization where many responsibilities are shared which of the following is the BEST control for detecting unauthorized data changes?

Data changes are independently reviewed by another group

Users are required to periodically rotate responsibilities

Segregation of duties conflicts are periodically reviewed

Data changes are independently reviewed by another group

Data changes are logged in an outside application

An IS auditor is assigned to review the IS department s quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards Which of the following should be the auditor's NEXT action1?

Document and lest compliance with the informal standards

Make recommendations to IS management as to appropriate quality standards

Postpone the audit until IS management implements written standards

Document and lest compliance with the informal standards

Finalize the audit and report the finding

An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?

Decreased mean time between failures (MTBF)

A new system development project is running late against a critical implementation deadline Which of the following is the MOST important activity?

Perform user acceptance testing (UAT)

Document last-minute enhancements

Perform a pre-implementation audit

Perform user acceptance testing (UAT)

Ensure that code has been reviewed

Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization s newly implemented online security awareness program'?

Metrics have not been established to assess training results

Only new employees are required to attend the program

Metrics have not been established to assess training results

Employees do not receive immediate notification of results

The timing for program updates has not been determined

Which of the following should be of GREATEST concern to an IS auditor when auditing an organization's IT strategy development process?

Information security was not included as a key objective m the IT strategic plan.

The IT strategy was developed before the business plan

A business impact analysis (BIA) was not performed to support the IT strategy

The IT strategy was developed based on the current IT capability

Information security was not included as a key objective m the IT strategic plan.

An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?

A significant increase in approved exceptions

A significant increase in authorized connections to third parties

A significant increase in cybersecurity audit findings

A significant increase in approved exceptions

A significant increase in external attack attempts

The operations team of an organization has reported an IS security attack Which of the following should be the FIRST step for the security incident response team?

Prioritize resources for corrective action

An IS auditor is reviewing the perimeter security design of a network. Which of the following provides the GREATEST assurance outgoing Internet traffic is controlled?

Intrusion detection system (IDS)

Security information and event management (SIEM) system

What is the PRIMARY benefit of using one-time passwords?

An intercepted password cannot be reused

Security for applications can be automated

Users do not have to memorize complex passwords

Users cannot be locked out of an account

Which of the following should an organization do to anticipate the effects of a disaster?

Develop a business impact analysis (BIA)

Define recovery point objectives (RPO)

Develop a business impact analysis (BIA)

Analyze capability maturity model gaps

Afire alarm system has been installed in the computer room The MOST effective location for the fire alarm control panel would be inside the

booth used by the building security personnel

computer room closest to the uninterruptible power supply (UPS) module

computer room closest to the server computers

booth used by the building security personnel

Which of the following methods BEST enforces data leakage prevention in a multi-tenant cloud environment?

Tenants are required to implement data classification polices

Monitoring tools are configured to alert in case of downtime

A comprehensive security review is performed every quarter.

Data for different tenants is segregated by database schema

Tenants are required to implement data classification polices

Which of the following is the BEST way to minimize sampling risk?

Enhance audit testing procedures

An organization has implemented a distributed security administration system to replace the previous centralized one. Which of the following presents the GREATEST potential concern?

Security procedures may be inadequate to support the change

A distributed security system is inherently a weak security system

End-user acceptance of the new system may be difficult to obtain

The new system will require additional resources

A characteristic of a digital signature is that it

is under control of the receiver

is validated when data are changed

has a reproducible hashing algorithm

Demonstrated support from which of the following roles in an organization has the MOST influence over information security governance?

Chief information security officer (CISO)

Information security steering committee

Chief information officer (CIO)

One advantage of monetary unit sampling is the fact that

it increases the likelihood of selecting material items from the population

results are stated m terms of the frequency of items in error

it can easily be applied manually when computer resources are not available

large-value population items are segregated and audited separately

it increases the likelihood of selecting material items from the population

An organization has replaced all of the storage devices at its primary data center with new higher-capacity units The replaced devices have been installed at the disaster recovery site to replace older units An IS auditor s PRIMARY concern would be whether

the recovery site devices can handle the storage requirements

hardware maintenance contract is in place for both old and new storage devices

the procurement was in accordance with corporate policies and procedures

the relocation plan has been communicated to all concerned parties

When reviewing the functionality of an intrusion detection system (IDS), the IS auditor should be MOST concerned if:

actual attacks have not been identified

legitimate packets blocked by the system have increased

actual attacks have not been identified

false positives have been reported

With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?

A business impact analysis (BIA) has not been performed

Business data is not sanitized in the development environment

There is no plan for monitoring system downtime

The process owner has not signed off on user acceptance testing (UAT)

Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?

Adverse posts about the organization

A computer forensic audit is MOST relevant in which of the following situations?

Data loss due to hacking of servers

Inadequate controls in the IT environment

Data loss due to hacking of servers

Isaca CISA Practice Test 14 - Free Online Exam Prep & Questions

Question 1 / 40

Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

The information security policy has not been approved by the chief audit executive (CAE).

The information security policy does not include mobile device provisions

The information security policy is not frequently reviewed

The information security policy has not been approved by the policy owner

Comment (0)

Isaca CISA Practice Test 14

Question

Isaca CISA Practice Tests

Practice Tests