CISA 2020
By amikeliunas, February 19, 2020

CISA Exam 2020 Examination

1. Which of the following will be the MOST cost-effective way to evaluate the completeness of the disaster recovery plan?
   - Ensure that all likely cyber attack disaster scenarios are covered in procedures.
   - Include senior management in a disaster recovery exercise.
   - Arrange for a review of the procedures by an independent consultant.
   - Organize a paper test with actual members of the response team.

2. Which of the following sampling methods is the MOST appropriate for testing automated invoice authorization controls to ensure that exceptions are not made for specific users?
   - Systematic sampling
   - Variable sampling
   - Stratified random sampling
   - Judgmental sampling

3. Which of the following controls would BEST help protect an organization from successful phishing attacks?
   - Role-based access controls
   - Intrusion detection system
   - A data loss protection system
   - Employee awareness training

4. Which of the following would be the GREATEST concern if audit objectives are not established during the initial phase of an audit program?
   - Key stakeholders are incorrectly identified.
   - Important business risk may be overlooked.
   - Control costs will exceed planned budget.
   - Previously audited areas may be inadvertently included.

5. Which of the following is the FIRST step in an IT risk assessment for a risk-based audit?
   - Understand the business, its operating model and key processes
   - Review the results of a risk self-assessment
   - Identify all IT systems and controls relevant to audit objectives
   - List all controls from the audit program to select ones matching with audit objectives

6. A system developer transferred to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST significant concern?
   - Audit points may largely shift to technical aspects.
   - The employee may not have sufficient control assessment skills.
   - The work may be construed as a self-audit.
   - The employee’s knowledge of business risk may be limited.

7. An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT auditor to take?
   - Elevate the risks associated with the control
   - Discuss the finding with the auditee’s manager
   - Discuss the finding with the IT auditor’s manager
   - Retest the control to confirm the finding

8. In a public key infrastructure, certificate authorities are intended to PRIMARILY address:
   - faster generation of digital certificates.
   - man-in-the-middle attacks.
   - brute force attacks.
   - confidentiality of secret keys.

9. A digital hash ensures:
   - Authenticity
   - Confidentiality
   - Availability
   - Integrity

10. After identifying the findings, the IS auditor should FIRST:
   - obtain remediation deadlines to close the findings.
   - inform senior management of the findings.
   - gain agreement on the findings.
   - determine mitigation measures for the findings.

11. An employee who has access to highly confidential information has resigned. Upon departure, which of the following should be done FIRST?
   - Review the employee’s job history.
   - Conduct an exit interview with the employee.
   - Revoke the employee’s access to all systems.
   - Ensure succession plans are in place.

12. An internal audit function is reviewing an internally developed common gateway interface script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern?
   - System unavailability
   - System integrity
   - Exposure to malware
   - Unauthorized access

13. Which of the following would an IS auditor FIRST reference when performing an IS audit?
   - Internal standards
   - Documented practices
   - Approved policies
   - Implemented procedures

14. Who should be accountable for ensuring access rights to corporate web applications are revoked when user termination occurs?
   - Web administrators
   - Data custodians
   - Data owners
   - Security administrators

15. Which of the following is MOST important to ensure before communicating the audit findings to top management during the closing meeting?
   - Findings are clearly tracked back to evidence
   - Risk statement includes an explanation of a business impact
   - Remediation plans have been provided by responsible parties
   - Recommendations address root causes of findings

16. An IS auditor has found numerous users emailing confidential information to unauthorized recipients. The BEST course of action to prevent this from recurring is to:
   - implement a data protection program.
   - integrate data security into the employees’ performance reviews.
   - assign the violators additional security awareness training.
   - implement an outgoing anti-email phishing system.

17. Which of the following would be of GREATEST concern to an IS auditor inspecting an organization’s computer room?
   - Handheld fire extinguishers are present in the computer room.
   - Access to the computer room does not require biometrics.
   - The computer room is located in the basement.
   - The computer room is adjacent to an office area.

18. Which of the following methods would be the MOST effective way to ascertain that information security policies have been communicated to and understood by all IS users?
   - Personal interviews
   - Instances of policy deviations
   - User sign-off of policies
   - Structured training programs

19. Which of the following is MOST important to consider when reviewing the classification levels of information assets?
   - Potential threats
   - Financial cost
   - Potential loss
   - Cost of insurance

20. Which of the following would be expected to approve the audit charter?
   - Audit committee
   - Chief financial officer
   - Chief executive officer
   - Audit steering committee

21. An IS auditor has been asked to look at past projects to determine how future projects can better meet business requirements. With which of the following would the auditors MOST likely consult?
   - Business analysts
   - Project managers
   - Project sponsors
   - End-user groups

22. Which of the following is the MOST important input for decision making throughout the life of an IT project?
   - IT investment plan
   - IT resource management strategy
   - Business impact analysis
   - Business case

23. Which of the following is MOST important when system patches need to be applied to application servers at the disaster recovery site?
   - Approval from the disaster recovery site manager
   - Approval from respective system owners
   - Approval from the business continuity coordinator
   - Approval from the information security manager

24. Which of the following would BEST help an IS auditor determine the adequacy of user privileges set up in an application system?
   - Roles and responsibilities assigned to operators
   - Test results of an IT compliance self-assessment
   - Change management record of user profiles
   - Organizational chart of the target business area

25. As part of audit planning, an IS auditor is designing various data validation tests to effectively detect transposition and transcription errors. Which of the following will BEST help in detecting these errors?
   - Range check
   - Validity check
   - Check digit
   - Duplicate check

26. An IS auditor is reviewing an organization’s business continuity plan. Which of the following would provide the BEST means of evaluating the systems supporting the organization’s critical processes?
   - Recovery time objective
   - Corporate business strategy
   - Recovery point objective
   - Business impact analysis

27. Which of the following is the MOST important critical success factor of implementing a risk-based approach to the IT system life cycle?
   - Selection of a risk management framework
   - Understanding of the regulatory environment
   - Identification of risk mitigation strategies
   - Adequate involvement of stakeholders

28. Which of the following scenarios would an IS auditor MOST likely expect an application team to employ when a system change to a mission-critical application with a low tolerance to failure causes a disruption in operations?
   - Migration
   - Failover
   - Backup
   - Fallback

29. An enterprise has selected a vendor to develop and implement a new software system. To ensure that the enterprise’s investment in software is protected, which of the following security clauses is MOST important to include in the master services agreement?
   - Software escrow
   - Version control
   - Limitation of liability
   - Service level requirements

30. Which of the following countermeasures would the IS auditor MOST likely recommend for the risk mitigation of logic alteration vulnerabilities discovered during penetration testing of a public-facing web application?
   - Change the application firewall rules to filter malicious inputs
   - Perform code review and server-side input validation
   - Set the network firewall to allow traffic only from desired IP addresses
   - Use the HTTPS protocol to secure access towards the website

31. An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data?
   - Network and intrusion detection
   - Return or destruction of information
   - A patch management process
   - Data retention, backup and recovery

32. Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?
   - Define a balanced scorecard for measuring performance.
   - Select projects according to business benefits and risk.
   - Consider user satisfaction in the key performance indicators.
   - Modify the yearly process of defining the project portfolio.

33. Which of the following controls would be the MOST effective to reduce the impact of a successful ransomware attack?
   - Workforce education
   - Intrusion prevention system
   - Updated antivirus
   - Regular backups

34. An internal IT auditor is observing an organization’s disaster recovery tests. It is found that the organization’s ability to recover does not meet the management-approved recovery time objective (RTO). Which of the following is the BEST recommendation for the auditor to include in the report?
   - Recommend mirror backup systems
   - Recommend an alternative recovery method
   - Recommend a retesting of the backup process
   - Recommend changing the RTO

35. Which of the following is the MOST effective control when granting temporary access to vendors?
   - Administrator access is provided for a limited period.
   - Vendor access corresponds to the service level agreement.
   - User accounts are created with expiration dates and are based on services provided.
   - User IDs are deleted when the work is completed.

36. An organization bought a new system to integrate its existing human resources and payroll systems in the environment. Which of the following tests ensures that the new system can operate successfully with existing systems?
   - Integration testing
   - Parallel testing
   - Sociability testing
   - Pilot testing

37. As a result of profitability pressure, senior management of an enterprise has decided to keep investments in information security at an inadequate level. Which of the following would be the BEST recommendation of an IS auditor?
   - Revise compliance enforcement processes.
   - Use cloud providers for low-risk operations.
   - Request that senior management accept the risk.
   - Postpone low-priority security procedures.

38. An IS auditor is reviewing an e-commerce site. Which of the following is MOST important to ensure controls are in place to protect the consumer?
   - A robust vulnerability management program
   - A tested business continuity plan
   - An up-to-date digital certificate
   - Encryption keys stored in escrow

39. The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
   - reduction of the cost for IT security.
   - enforcement of the management of security risk.
   - implementation of the chief information security officer’s recommendations.
   - alignment of the IT activities with IS audit recommendations.

40. Which of the following would MOST likely be considered a conflict of interest for an IS auditor who is reviewing a cybersecurity implementation?
   - Advising on the cybersecurity framework
   - Delivering cybersecurity awareness training
   - Designing the cybersecurity controls
   - Conducting the vulnerability assessment

41. In a small organization, the functions of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario?
   - Verifying that only approved program changes are implemented
   - Hiring additional staff to provide segregation of duties
   - Preventing the release manager from making program modifications
   - Logging of changes to development libraries

42. Which of the following is the MOST appropriate action to take upon identifying that a computer may have been used to leak a confidential file?
   - Make a duplicate image of the original media.
   - Isolate the computer from the network.
   - Install forensic tools on the target system.
   - Report the incident to law enforcement.

43. Which of the following would be of MAIN concern to the IS auditor reviewing the transborder flow of personal data?
   - Encryption of personal data
   - Limitation of access
   - Consent of the data subjects
   - Signed agreements with data processors

44. Which of the following should be of the GREATEST concern to an IS auditor when analyzing the baseline security of a corporate desktop personal computer?
   - Patches are not downloaded from the vendor.
   - Patches are not automatically installed.
   - Local user password expiration is not defined.
   - Local user password hash is not applied.

45. Which of the following would be MOST useful for an IS auditor in accessing and analyzing digital data to collect relevant audit evidence from diverse software environments?
   - Computer-assisted auditing techniques
   - Data analytics controls
   - Application software reports
   - Structured Query Language

46. During an audit, which of the following situations would be MOST concerning for an organization that significantly outsources IS processing to a private network?
   - The contract was not reviewed by an information security subject matter expert prior to signing.
   - The IS outsourcing guidelines are not approved by the board of directors.
   - There is a lack of well-defined IS performance evaluation procedures.
   - The contract does not contain a right-to-audit clause for the third party.

47. Which of the following carries the LOWEST risk when managing failures while transitioning from legacy applications to new applications?
   - Abrupt changeover
   - Parallel changeover
   - Phased changeover
   - Rollback procedure

48. Why would an organization MOST likely choose an agile systems development approach?
   - To improve system performance
   - To facilitate reuse of modules
   - To enhance security of the system
   - To speed up the rollout to the users

49. Accountants are developing a temporary reporting solution using a spreadsheet and macro program. Which of the following will be the MOST significant concern from a control perspective?
   - The temporary solution becomes a permanent solution.
   - A tighter reconciliation process is required to ensure integrity.
   - Development is done using an agile development methodology.
   - The modifications do not follow the standard change management process.

50. After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:
   - report the possibility of fraud to management.
   - expand activities to determine whether an investigation is warranted.
   - report the matter to the audit committee.
   - consult with external legal counsel to determine the course of action to be taken.

51. The MAIN purpose of the annual IS audit plan is to:
   - allocate resources for audits.
   - minimize the audit costs.
   - develop a training plan for auditors.
   - reduce the impact of audit risk.

52. Vulnerabilities associated with which of the following would pose the GREATEST risk to an organization hosting a web application?
   - JavaScript
   - CGI script
   - Domain Name System
   - Cookies

53. When performing a post-implementation review of a software development project for a highly secure application, it is MOST important to confirm that:
   - the project was formally closed.
   - vulnerability testing was performed.
   - business functional requirements were met.
   - the project schedule and budget were met.

54. Which of the following is the PRIMARY purpose of a risk-based audit?
   - Management concerns are prioritized.
   - Material areas are addressed first.
   - Audit resources are allocated efficiently.
   - High-impact areas are addressed first.

55. Which of the following would be of MOST interest to an IS auditor reviewing an organization’s risk strategy?
   - Residual risk is zero after control implementation.
   - All likely risks are identified and ranked.
   - All risks are mitigated effectively.
   - The organization uses an established risk framework.

56. Which of the following business continuity activities is PRIMARILY the responsibility of the IT department?
   - Defining the recovery time objectives and recovery point objectives
   - Declaring the disaster and activating the business continuity plan
   - Restoring systems and data after a business disruption
   - Conducting the business impact analysis to determine critical systems

57. The IS auditor learns a business application has extended the access from users of one department to other departments. The GREATEST concern for the IS auditor would be approval of:
   - the business impact analysis
   - creation forms for new users
   - an updated access rights matrix
   - an updated IT security policy

58. Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective?
   - Virtual tape libraries
   - Continuous data backup
   - Disk-to-tape backup
   - Disk-based snapshots

59. When developing a security architecture, which of the following steps should be executed FIRST?
   - Specifying an access control methodology
   - Defining roles and responsibilities
   - Defining a security policy
   - Developing security procedures

60. Which of the following is the FIRST step in determining the appropriate level of protection for the enterprise information systems?
   - Data classification
   - Security baseline
   - Risk assessment
   - Asset inventory

61. Which of the following provides the BEST evidence of an organization’s cyber incident response readiness?
   - A documented disaster recovery plan
   - The results of annual tabletop exercises
   - Regular internal audits of incident response
   - Recently updated incident response procedures

62. An IS auditor is conducting a post-implementation review of an enterprise’s network. Which of the following findings would be of MOST concern?
   - An outbound web proxy does not exist.
   - All communication links do not use encryption.
   - Wireless mobile devices are not password-protected.
   - Default passwords are not changed when installing network devices.

63. An IS auditor is reviewing an organization’s change management process and finds that after-hours emergency changes are made, and approval is obtained subsequent to the change. Which of the following is the BEST course of action for the auditor?
   - Recommend that changes are not made until approval is obtained.
   - Recommend an after-hours approval team.
   - Record the finding in the report.
   - Document the practice in the report.

64. The MOST important element for the effective design of an information security policy is the:
   - enterprise risk appetite.
   - emerging technologies.
   - threat landscape.
   - prior security incidents.

65. De-normalization of the relational database would PRIMARILY result in:
   - increased data redundancy.
   - increased database optimization.
   - referential integrity issues.
   - loss of table indexes.

66. Which of the following is the BEST choice to ensure confidentiality of transmissions in a public-facing web application?
   - Secure Shell
   - Secure Sockets Layer
   - IP Security
   - Transport Layer Security

67. An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following would be the MOST important for the auditor to ensure continued alignment with the enterprise’s security requirements?
   - The vendor agrees to provide annual external audit reports in the contract.
   - The vendor provides the latest internal audit report for verification.
   - The vendor provides the latest third-party audit report for verification.
   - The vendor agrees to implement controls in alignment with the enterprise.

68. When performing a risk analysis, the IS auditor should FIRST:
   - perform a cost-benefit analysis for controls.
   - review the data classification program.
   - identify the inherent risk of the system.
   - identify the organization’s information assets.

69. What is the GREATEST advantage of performing penetration testing in addition to vulnerability assessment?
   - Increased coverage of different technologies.
   - Confirmation of the ability to exploit vulnerabilities.
   - Better regulatory compliance.
   - Improved preparedness for cybersecurity incidents.

70. When developing a disaster recovery plan, the criteria for determining the acceptable downtime should be the:
   - maximum tolerable outage.
   - service delivery objective.
   - quantity of orphan data.
   - annual loss expectancy.

71. Errors in audit procedures would PRIMARILY impact which of the following risks?
   - Inherent risk
   - Detection risk
   - Control risk
   - Business risk

72. Which of the following BEST ensures that business requirements are met prior to go-live?
   - Post-implementation review
   - Feasibility study
   - Implementation plan
   - User acceptance testing

73. Establishing a software baseline would have the GREATEST impact on which of the following?
   - Software integrity
   - Access controls
   - Change management
   - System documentation

74. During the review of an enterprise’s preventive maintenance process for systems at a data center, the IS auditor has determined that adequate maintenance is being performed on all critical computing, power and cooling systems. Additionally, it is MOST important for the IS auditor to ensure that the organization:
   - has performed background checks on all service personnel.
   - performs maintenance during noncritical processing times.
   - escorts service personnel at all times when performing their work.
   - independently verifies that maintenance is being performed.

75. Which of the following would be the GREATEST concern when an IS auditor notices an increasing number of emergency changes?
   - Increased number of production incidents
   - High chance of introducing security deficiencies
   - Fast-tracking of releases into production
   - Insufficient documentation of changes