CISA 2020
Category: quizz
Post author: amikeliunas
Post date: February 19, 2020

CISA Exam 2020 Examination

1. An IS auditor is reviewing an e-commerce site. Which of the following is MOST important to ensure controls are in place to protect the consumer?
   A. An up-to-date digital certificate
   B. A robust vulnerability management program
   C. Encryption keys stored in escrow
   D. A tested business continuity plan

2. Which of the following provides the BEST evidence of an organization's cyber incident response readiness?
   A. The results of annual tabletop exercises
   B. Recently updated incident response procedures
   C. A documented disaster recovery plan
   D. Regular internal audits of incident response

3. Which of the following would MOST likely be considered a conflict of interest for an IS auditor who is reviewing a cybersecurity implementation?
   A. Conducting the vulnerability assessment
   B. Advising on the cybersecurity framework
   C. Delivering cybersecurity awareness training
   D. Designing the cybersecurity controls

4. In a small organization, the functions of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario?
   A. Preventing the release manager from making program modifications
   B. Hiring additional staff to provide segregation of duties
   C. Verifying that only approved program changes are implemented
   D. Logging of changes to development libraries

5. What is the GREATEST advantage of performing penetration testing in addition to vulnerability assessment?
   A. Confirmation of the ability to exploit vulnerabilities.
   B. Improved preparedness for cybersecurity incidents.
   C. Better regulatory compliance.
   D. Increased coverage of different technologies.

6. Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective?
   A. Virtual tape libraries
   B. Continuous data backup
   C. Disk-based snapshots
   D. Disk-to-tape backup

7. As a result of profitability pressure, senior management of an enterprise has decided to keep investments in information security at an inadequate level. Which of the following would be the BEST recommendation of an IS auditor?
   A. Revise compliance enforcement processes.
   B. Request that senior management accept the risk.
   C. Use cloud providers for low-risk operations.
   D. Postpone low-priority security procedures.

8. As part of audit planning, an IS auditor is designing various data validation tests to effectively detect transposition and transcription errors. Which of the following will BEST help in detecting these errors?
   A. Check digit
   B. Range check
   C. Validity check
   D. Duplicate check

9. The MAIN purpose of the annual IS audit plan is to:
   A. allocate resources for audits.
   B. minimize the audit costs.
   C. reduce the impact of audit risk.
   D. develop a training plan for auditors.

10. Which of the following is the BEST choice to ensure confidentiality of transmissions in a public-facing web application?
   A. Secure Shell
   B. Secure Sockets Layer
   C. IP Security
   D. Transport Layer Security

11. Which of the following scenarios would an IS auditor MOST likely expect an application team to employ when a system change to a mission-critical application with a low tolerance to failure causes a disruption in operations?
   A. Fallback
   B. Failover
   C. Backup
   D. Migration

12. An organization bought a new system to integrate its existing human resources and payroll systems in the environment. Which of the following tests ensures that the new system can operate successfully with existing systems?
   A. Integration testing
   B. Sociability testing
   C. Pilot testing
   D. Parallel testing

13. An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following would be the MOST important for the auditor to ensure continued alignment with the enterprise's security requirements?
   A. The vendor provides the latest internal audit report for verification.
   B. The vendor agrees to provide annual external audit reports in the contract.
   C. The vendor agrees to implement controls in alignment with the enterprise.
   D. The vendor provides the latest third-party audit report for verification.

14. Which of the following BEST ensures that business requirements are met prior to go-live?
   A. Implementation plan
   B. Post-implementation review
   C. User acceptance testing
   D. Feasibility study

15. A system developer transferred to the audit department to serve as an IT auditor. When production systems are to be reviewed by this employee, which of the following will become the MOST significant concern?
   A. The employee's knowledge of business risk may be limited.
   B. Audit points may largely shift to technical aspects.
   C. The work may be construed as a self-audit.
   D. The employee may not have sufficient control assessment skills.

16. When performing a post-implementation review of a software development project for a highly secure application, it is MOST important to confirm that:
   A. the project was formally closed.
   B. vulnerability testing was performed.
   C. business functional requirements were met.
   D. the project schedule and budget were met.

17. An IS auditor has found numerous users emailing confidential information to unauthorized recipients. The BEST course of action to prevent this from recurring is to:
   A. implement an outgoing anti-email phishing system.
   B. assign the violators additional security awareness training.
   C. implement a data protection program.
   D. integrate data security into the employees' performance reviews.

18. Establishing a software baseline would have the GREATEST impact on which of the following?
   A. System documentation
   B. Access controls
   C. Software integrity
   D. Change management

19. The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
   A. implementation of the chief information security officer's recommendations.
   B. enforcement of the management of security risk.
   C. reduction of the cost for IT security.
   D. alignment of the IT activities with IS audit recommendations.

20. Which of the following business continuity activities is PRIMARILY the responsibility of the IT department?
   A. Restoring systems and data after a business disruption
   B. Conducting the business impact analysis to determine critical systems
   C. Declaring the disaster and activating the business continuity plan
   D. Defining the recovery time objectives and recovery point objectives

21. Which of the following would be of MOST interest to an IS auditor reviewing an organization's risk strategy?
   A. Residual risk is zero after control implementation.
   B. All risks are mitigated effectively.
   C. The organization uses an established risk framework.
   D. All likely risks are identified and ranked.

22. Which of the following would be of MAIN concern to the IS auditor reviewing the transborder flow of personal data?
   A. Consent of the data subjects
   B. Limitation of access
   C. Signed agreements with data processors
   D. Encryption of personal data

23. Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?
   A. Define a balanced scorecard for measuring performance.
   B. Modify the yearly process of defining the project portfolio.
   C. Select projects according to business benefits and risk.
   D. Consider user satisfaction in the key performance indicators.

24. During the review of an enterprise's preventive maintenance process for systems at a data center, the IS auditor has determined that adequate maintenance is being performed on all critical computing, power and cooling systems. Additionally, it is MOST important for the IS auditor to ensure that the organization:
   A. independently verifies that maintenance is being performed.
   B. escorts service personnel at all times when performing their work.
   C. performs maintenance during noncritical processing times.
   D. has performed background checks on all service personnel.

25. Which of the following would be the GREATEST concern when an IS auditor notices an increasing number of emergency changes?
   A. Fast-tracking of releases into production
   B. Increased number of production incidents
   C. Insufficient documentation of changes
   D. High chance of introducing security deficiencies

26. Which of the following carries the LOWEST risk when managing failures while transitioning from legacy applications to new applications?
   A. Parallel changeover
   B. Phased changeover
   C. Abrupt changeover
   D. Rollback procedure

27. Which of the following would be of GREATEST concern to an IS auditor inspecting an organization's computer room?
   A. The computer room is adjacent to an office area.
   B. Handheld fire extinguishers are present in the computer room.
   C. Access to the computer room does not require biometrics.
   D. The computer room is located in the basement.

28. An IS auditor is reviewing an organization's business continuity plan. Which of the following would provide the BEST means of evaluating the systems supporting the organization's critical processes?
   A. Recovery point objective
   B. Recovery time objective
   C. Business impact analysis
   D. Corporate business strategy

29. Which of the following would BEST help an IS auditor determine the adequacy of user privileges set up in an application system?
   A. Organizational chart of the target business area
   B. Change management record of user profiles
   C. Roles and responsibilities assigned to operators
   D. Test results of an IT compliance self-assessment

30. In a public key infrastructure, certificate authorities are intended to PRIMARILY address:
   A. faster generation of digital certificates.
   B. brute force attacks.
   C. man-in-the-middle attacks.
   D. confidentiality of secret keys.

31. Which of the following controls would be the MOST effective to reduce the impact of a successful ransomware attack?
   A. Intrusion prevention system
   B. Updated antivirus
   C. Regular backups
   D. Workforce education

32. An IS auditor is reviewing an organization's change management process and finds that after-hours emergency changes are made, and approval is obtained subsequent to the change. Which of the following is the BEST course of action for the auditor?
   A. Recommend an after-hours approval team.
   B. Document the practice in the report.
   C. Record the finding in the report.
   D. Recommend that changes are not made until approval is obtained.

33. An IS auditor has been asked to look at past projects to determine how future projects can better meet business requirements. With which of the following would the auditor MOST likely consult?
   A. Business analysts
   B. Project managers
   C. End-user groups
   D. Project sponsors

34. An internal audit function is reviewing an internally developed common gateway interface script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern?
   A. System unavailability
   B. System integrity
   C. Exposure to malware
   D. Unauthorized access

35. Which of the following is the MOST appropriate action to take upon identifying that a computer may have been used to leak a confidential file?
   A. Report the incident to law enforcement.
   B. Isolate the computer from the network.
   C. Install forensic tools on the target system.
   D. Make a duplicate image of the original media.

36. Which of the following is MOST important to ensure before communicating the audit findings to top management during the closing meeting?
   A. Findings are clearly tracked back to evidence
   B. Remediation plans have been provided by responsible parties
   C. Risk statement includes an explanation of a business impact
   D. Recommendations address root causes of findings

37. After identifying the findings, the IS auditor should FIRST:
   A. determine mitigation measures for the findings.
   B. obtain remediation deadlines to close the findings.
   C. gain agreement on the findings.
   D. inform senior management of the findings.

38. Which of the following is the FIRST step in determining the appropriate level of protection for the enterprise information systems?
   A. Asset inventory
   B. Security baseline
   C. Data classification
   D. Risk assessment

39. When performing a risk analysis, the IS auditor should FIRST:
   A. identify the inherent risk of the system.
   B. identify the organization's information assets.
   C. review the data classification program.
   D. perform a cost-benefit analysis for controls.

40. Which of the following would be MOST useful for an IS auditor in accessing and analyzing digital data to collect relevant audit evidence from diverse software environments?
   A. Computer-assisted auditing techniques
   B. Data analytics controls
   C. Application software reports
   D. Structured Query Language

41. Which of the following will be the MOST cost-effective way to evaluate the completeness of the disaster recovery plan?
   A. Arrange for a review of the procedures by an independent consultant.
   B. Ensure that all likely cyber attack disaster scenarios are covered in procedures.
   C. Include senior management in a disaster recovery exercise.
   D. Organize a paper test with actual members of the response team.

42. During an audit, which of the following situations would be MOST concerning for an organization that significantly outsources IS processing to a private network?
   A. The IS outsourcing guidelines are not approved by the board of directors.
   B. There is a lack of well-defined IS performance evaluation procedures.
   C. The contract was not reviewed by an information security subject matter expert prior to signing.
   D. The contract does not contain a right-to-audit clause for the third party.

43. Errors in audit procedures would PRIMARILY impact which of the following risks?
   A. Control risk
   B. Business risk
   C. Detection risk
   D. Inherent risk

44. Which of the following is the MOST important critical success factor of implementing a risk-based approach to the IT system life cycle?
   A. Identification of risk mitigation strategies
   B. Selection of a risk management framework
   C. Adequate involvement of stakeholders
   D. Understanding of the regulatory environment

45. An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT auditor to take?
   A. Discuss the finding with the IT auditor's manager
   B. Retest the control to confirm the finding
   C. Elevate the risks associated with the control
   D. Discuss the finding with the auditee's manager

46. Which of the following is the MOST effective control when granting temporary access to vendors?
   A. User IDs are deleted when the work is completed.
   B. Administrator access is provided for a limited period.
   C. User accounts are created with expiration dates and are based on services provided.
   D. Vendor access corresponds to the service level agreement.

47. Which of the following is the MOST important input for decision making throughout the life of an IT project?
   A. Business case
   B. IT resource management strategy
   C. Business impact analysis
   D. IT investment plan

48. When developing a security architecture, which of the following steps should be executed FIRST?
   A. Defining a security policy
   B. Defining roles and responsibilities
   C. Specifying an access control methodology
   D. Developing security procedures

49. Which of the following is the FIRST step in an IT risk assessment for a risk-based audit?
   A. List all controls from the audit program to select ones matching with audit objectives
   B. Understand the business, its operating model and key processes
   C. Identify all IT systems and controls relevant to audit objectives
   D. Review the results of a risk self-assessment

50. Why would an organization MOST likely choose an agile systems development approach?
   A. To facilitate reuse of modules
   B. To enhance security of the system
   C. To speed up the rollout to the users
   D. To improve system performance

51. Which of the following would be the GREATEST concern if audit objectives are not established during the initial phase of an audit program?
   A. Control costs will exceed planned budget.
   B. Previously audited areas may be inadvertently included.
   C. Key stakeholders are incorrectly identified.
   D. Important business risk may be overlooked.

52. An enterprise has selected a vendor to develop and implement a new software system. To ensure that the enterprise's investment in software is protected, which of the following security clauses is MOST important to include in the master services agreement?
   A. Service level requirements
   B. Limitation of liability
   C. Version control
   D. Software escrow

53. Which of the following sampling methods is the MOST appropriate for testing automated invoice authorization controls to ensure that exceptions are not made for specific users?
   A. Variable sampling
   B. Stratified random sampling
   C. Systematic sampling
   D. Judgmental sampling

54. An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data?
   A. A patch management process
   B. Data retention, backup and recovery
   C. Network and intrusion detection
   D. Return or destruction of information

55. A digital hash ensures:
   A. Authenticity
   B. Availability
   C. Confidentiality
   D. Integrity

56. Which of the following methods would be the MOST effective way to ascertain that information security policies have been communicated to and understood by all IS users?
   A. Structured training programs
   B. User sign-off of policies
   C. Instances of policy deviations
   D. Personal interviews

57. Which of the following countermeasures would the IS auditor MOST likely recommend for the risk mitigation of logic alteration vulnerabilities discovered during penetration testing of a public-facing web application?
   A. Use the HTTPS protocol to secure access towards the website
   B. Change the application firewall rules to filter malicious inputs
   C. Set the network firewall to allow traffic only from desired IP addresses
   D. Perform code review and server-side input validation

58. An employee who has access to highly confidential information has resigned. Upon departure, which of the following should be done FIRST?
   A. Ensure succession plans are in place.
   B. Conduct an exit interview with the employee.
   C. Review the employee's job history.
   D. Revoke the employee's access to all systems.

59. The IS auditor learns a business application has extended the access from users of one department to other departments. The GREATEST concern for the IS auditor would be approval of:
   A. creation forms for new users.
   B. an updated access rights matrix.
   C. the business impact analysis.
   D. an updated IT security policy.

60. Which of the following would an IS auditor FIRST reference when performing an IS audit?
   A. Implemented procedures
   B. Documented practices
   C. Approved policies
   D. Internal standards

61. Which of the following would be expected to approve the audit charter?
   A. Audit committee
   B. Chief financial officer
   C. Chief executive officer
   D. Audit steering committee

62. Who should be accountable for ensuring access rights to corporate web applications are revoked when user termination occurs?
   A. Web administrators
   B. Data custodians
   C. Data owners
   D. Security administrators

63. Which of the following should be of the GREATEST concern to an IS auditor when analyzing the baseline security of a corporate desktop personal computer?
   A. Patches are not downloaded from the vendor.
   B. Local user password hash is not applied.
   C. Local user password expiration is not defined.
   D. Patches are not automatically installed.

64. Which of the following is MOST important to consider when reviewing the classification levels of information assets?
   A. Potential loss
   B. Potential threats
   C. Cost of insurance
   D. Financial cost

65. Which of the following is MOST important when system patches need to be applied to application servers at the disaster recovery site?
   A. Approval from the disaster recovery site manager
   B. Approval from respective system owners
   C. Approval from the business continuity coordinator
   D. Approval from the information security manager

66. Which of the following is the PRIMARY purpose of a risk-based audit?
   A. Management concerns are prioritized.
   B. Audit resources are allocated efficiently.
   C. Material areas are addressed first.
   D. High-impact areas are addressed first.

67. De-normalization of the relational database would PRIMARILY result in:
   A. loss of table indexes.
   B. referential integrity issues.
   C. increased database optimization.
   D. increased data redundancy.

68. An internal IT auditor is observing an organization's disaster recovery tests. It is found that the organization's ability to recover does not meet the management-approved recovery time objective (RTO). Which of the following is the BEST recommendation for the auditor to include in the report?
   A. Recommend changing the RTO
   B. Recommend an alternative recovery method
   C. Recommend a retesting of the backup process
   D. Recommend mirror backup systems

69. Accountants are developing a temporary reporting solution using a spreadsheet and macro program. Which of the following will be the MOST significant concern from a control perspective?
   A. A tighter reconciliation process is required to ensure integrity.
   B. The modifications do not follow the standard change management process.
   C. Development is done using an agile development methodology.
   D. The temporary solution becomes a permanent solution.

70. When developing a disaster recovery plan, the criteria for determining the acceptable downtime should be the:
   A. service delivery objective.
   B. annual loss expectancy.
   C. maximum tolerable outage.
   D. quantity of orphan data.

71. An IS auditor is conducting a post-implementation review of an enterprise's network. Which of the following findings would be of MOST concern?
   A. Default passwords are not changed when installing network devices.
   B. An outbound web proxy does not exist.
   C. All communication links do not use encryption.
   D. Wireless mobile devices are not password-protected.

72. Which of the following controls would BEST help protect an organization from successful phishing attacks?
   A. A data loss protection system
   B. Role-based access controls
   C. Employee awareness training
   D. Intrusion detection system

73. After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:
   A. expand activities to determine whether an investigation is warranted.
   B. consult with external legal counsel to determine the course of action to be taken.
   C. report the possibility of fraud to management.
   D. report the matter to the audit committee.

74. The MOST important element for the effective design of an information security policy is the:
   A. prior security incidents.
   B. threat landscape.
   C. enterprise risk appetite.
   D. emerging technologies.

75. Vulnerabilities associated with which of the following would pose the GREATEST risk to an organization hosting a web application?
   A. Domain Name System
   B. JavaScript
   C. Cookies
   D. CGI script