
CISA Exam Questions 2024 Updated: Get Ready for Exams, Certified Information Systems Auditor | SPOTO

Prepare for the 2024 CISA exams with SPOTO's updated exam questions and comprehensive resources. Our meticulously crafted materials cover the latest exam objectives, ensuring you're thoroughly prepared for any curveball. Access a vast database of exam questions, sample questions, online exam questions, and full-length mock exams to assess your knowledge and identify areas for improvement. Leverage detailed explanations and performance analysis to reinforce key concepts. Stay ahead of the curve with regularly refreshed exam materials, including free test dumps and exam questions and answers. Simulate the real testing environment with our realistic exam simulator. Trust SPOTO's 2024 CISA exam prep to unlock your certification success.

Question #1
Which of the following requirements in a document control standard would provide nonrepudiation to digitally signed legal documents?
A. All digital signatures must include a hashing algorithm
B. All digitally signed documents must be stored in an encrypted database
C. All documents requiring digital signatures must be signed by both the customer and a witness
D. Only secure file transfer protocol (SFTP) may be used for digitally signed documentation
Correct Answer: C
Question #2
An IS auditor conducting an access control review in a client-server environment discovers that all printing options are accessible by all users. In this situation, the IS auditor is MOST likely to conclude that:
A. exposure is greater, since information is available to unauthorized users
B. operating efficiency is enhanced, since anyone can print any report at any time
C. operating procedures are more effective, since information is easily available
D. user friendliness and flexibility is facilitated, since there is a smooth flow of information among users
Correct Answer: D
Question #3
When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:
A. not be concerned since there may be other compensating controls to mitigate the risks
B. ensure that overrides are automatically logged and subject to review
C. verify whether all such overrides are referred to senior management for approval
D. recommend that overrides not be permitted
Correct Answer: A
Question #4
Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A. Yes, because an IS auditor will evaluate the adequacy of the service bureau's plan and assist their company in implementing a complementary plan
B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract
C. No, because the backup to be provided should be specified adequately in the contract
D. No, because the service bureau's business continuity plan is proprietary information
Correct Answer: D
Question #5
Which of the following is the BEST way to determine if IT is delivering value to the business?
A. Distribute surveys to various end users of IT services
B. Interview key IT managers and service providers
C. Review IT service level agreement (SLA) metrics
D. Analyze downtime frequency and duration
Correct Answer: C
Question #6
An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that:
A. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity
B. access cards are not labeled with the organization's name and address to facilitate easy return of a lost card
C. card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards
D. the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure
Correct Answer: D
Question #7
When performing an audit of a client relationship management (CRM) system migration project, which of the following should be of GREATEST concern to an IS auditor?
A. The technical migration is planned for a Friday preceding a long weekend, and the time window is too short for completing all tasks
B. Employees pilot-testing the system are concerned that the data representation in the new system is completely different from the old system
C. A single implementation is planned, immediately decommissioning the legacy system
D. Five weeks prior to the target date, there are still numerous defects in the printing functionality of the new system’s software
Correct Answer: B
Question #8
What is the MOST effective method of preventing unauthorized use of data files?
A. Automated file entry
B. Tape librarian
C. Access control software
D. Locked library
Correct Answer: A
Question #9
Which of the following BEST supports the prioritization of new IT projects?
A. Internal control self-assessment (CSA)
B. Information systems audit
C. Investment portfolio analysis
D. Business risk assessment
Correct Answer: A
Question #10
Squid is an example of:
A. IDS
B. caching proxy
C. security proxy
D. connection proxy dialer
E.
F. None of the choices
Correct Answer: F
Question #11
When a new system is to be implemented within a short time frame, it is MOST important to:
A. finish writing user manuals
B. perform user acceptance testing
C. add last-minute enhancements to functionalities
D. ensure that the code has been documented and reviewed
Correct Answer: C
Question #12
Which of the following refers to a primary component of corporate risk management with the goal of minimizing the risk of prosecution for software piracy due to use of unlicensed software?
A. Software audit
B. System audit
C. Application system audit
D. Test audit
E. Mainframe audit
F. None of the choices
Correct Answer: A
Question #13
Which of the following types of attack makes use of common consumer devices that can be used to transfer data surreptitiously?
A. Direct access attacks
B. Indirect access attacks
C. Port attack
D. Window attack
E. Social attack
F. None of the choices
Correct Answer: A
Question #14
Data flow diagrams are used by IS auditors to:
A. order data hierarchically
B. highlight high-level data definitions
C. graphically summarize data paths and storage
D. portray step-by-step details of data generation
Correct Answer: D
Question #15
When evaluating the controls of an EDI application, an IS auditor should PRIMARILY be concerned with the risk of:
A. excessive transaction turnaround time
B. application interface failure
C. improper transaction authorization
D. no validated batch totals
Correct Answer: D
Question #16
The information security policy that states 'each individual must have their badge read at every controlled door' addresses which of the following attack methods?
A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation
Correct Answer: A
Question #17
Which of the following is BEST suited for secure communications within a small group?
A. Key distribution center
B. Certification authority
C. Web of trust
D. Kerberos Authentication System
Correct Answer: A
Question #18
During an audit of a financial application, it was determined that many terminated users’ accounts were not disabled. Which of the following should be the IS auditor’s NEXT step?
A. Perform a review of terminated users’ account activity
B. Conclude that IT general controls are ineffective
C. Communicate risks to the application owner
D. Perform substantive testing of terminated users’ access rights
Correct Answer: D
Question #19
Which of the following is a MAJOR benefit of using a wireless network?
A. Faster network speed
B. Stronger authentication
C. Protection against eavesdropping
D. Lower installation cost
Correct Answer: A
Question #20
Which of the following controls would BEST detect intrusion?
A. User IDs and user privileges are granted through authorized procedures
B. Automatic logoff is used when a workstation is inactive for a particular period of time
C. Automatic logoff of the system occurs after a specified number of unsuccessful attempts
D. Unsuccessful logon attempts are monitored by the security administrator
Correct Answer: A
Question #21
IS audits should be selected through a risk analysis process to concentrate on:
A. those areas of greatest risk and opportunity for improvements
B. those areas of least risk and opportunity for improvements
C. those areas of the greatest financial value
D. areas led by the key people of the organization
E. random events
F. irregular events
Correct Answer: A
Question #22
The PRIMARY goal of a web site certificate is:
A. authentication of the web site that will be surfed
B. authentication of the user who surfs through that site
C. preventing surfing of the web site by hackers
D. the same purpose as that of a digital certificate
Correct Answer: A
Question #23
The ability of the internal IS audit function to achieve desired objectives depends largely on:
A. the training of audit personnel
B. the background of audit personnel
C. the independence of audit personnel
D. the performance of audit personnel
E. None of the choices
Correct Answer: ABCD
Question #24
Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects?
A. Increase the time allocated for system testing
B. Implement formal software inspections
C. Increase the development staff
D. Require the sign-off of all project deliverables
Correct Answer: B
Question #25
An existing system is being extensively enhanced by extracting and reusing design and program components. This is an example of:
A. reverse engineering
B. prototyping
C. software reuse
D. reengineering
Correct Answer: A
Question #26
A financial services organization is developing and documenting business continuity measures. In which of the following cases would an IS auditor MOST likely raise an issue?
A. The organization uses good practice guidelines instead of industry standards and relies on external advisors to ensure the adequacy of the methodology
B. The business continuity capabilities are planned around a carefully selected set of scenarios which describe events that might happen with a reasonable probability
C. The recovery time objectives (RTOs) do not take IT disaster recovery constraints into account, such as personnel or system dependencies during the recovery phase
D. The organization plans to rent a shared alternate site with emergency workplaces which has only enough room for half of the normal staff
Correct Answer: A
Question #27
During the evaluation of a firm’s newly established whistleblower system, an auditor notes several findings. Which of the following should be the auditor’s GREATEST concern?
A. New employees have not been informed of the whistleblower policy
B. The whistleblower’s privacy is not protected
C. The whistleblower system does not track the time and date of submission
D. The whistleblower system is only available during business hours
Correct Answer: C
Question #28
The PRIMARY objective of implementing corporate governance by an organization's management is to:
A. provide strategic direction
B. control business operations
C. align IT with business
D. implement best practices
Correct Answer: B
Question #29
Which of the following is the MOST reliable form of single factor personal identification?
A. Smart card
B. Password
C. Photo identification
D. Iris scan
Correct Answer: A
Question #30
Cisco IOS-based routers perform basic traffic filtering via which of the following mechanisms?
A. datagram scanning
B. access lists
C. stateful inspection
D. state checking
E. link progressing
F. None of the choices
Correct Answer: B
Question #31
In an online banking application, which of the following would BEST protect against identity theft?
A. Encryption of personal password
B. Restricting the user to a specific terminal
C. Two-factor authentication
D. Periodic review of access logs
Correct Answer: B
Question #32
The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information
B. auditor's familiarity with the circumstances
C. auditee's ability to find relevant evidence
D. purpose and scope of the audit being done
Correct Answer: C
Question #33
In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as:
A. wormnets
B. trojannets
C. spynets
D. botnets
E. rootnets
F. backdoor
Correct Answer: A
Question #34
Effective IT governance requires organizational structures and processes to ensure that:
A. the organization's strategies and objectives extend the IT strategy
B. the business strategy is derived from an IT strategy
C. IT governance is separate and distinct from the overall governance
D. the IT strategy extends the organization's strategies and objectives
Correct Answer: D
Question #35
An IS auditor seeks assurance that a new process for purging transactions does not have a detrimental impact on the integrity of a database. This could be achieved BEST by analyzing the:
A. database structure
B. design of triggers
C. results of the process in a test environment
D. entity relationship diagram of the database
Correct Answer: C
Question #36
A computer program used by multiple departments has data quality issues. There is no agreement as to who should be responsible for corrective action. Which of the following is an IS auditor’s BEST course of action?
A. Recommend the IT department be assigned data cleansing responsibility
B. Modify the program to automatically cleanse the data and close the issue
C. Assign responsibility to the primary department using the program
D. Note the disagreement and recommend establishing data governance
Correct Answer: B
Question #37
IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks?
A. Port scanning
B. Back door
C. Man-in-the-middle
D. War driving
Correct Answer: D
Question #38
An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies?
A. Digitalized signatures
B. Hashing
C. Parsing
D. Steganography
Correct Answer: D
Question #39
When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next:
A. recommend that the database be normalized
B. review the conceptual data model
C. review the stored procedures
Correct Answer: A
Question #40
Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the internet?
A. Customers are widely dispersed geographically, but the certificate authorities are not
B. Customers can make their transactions from any computer or mobile device
C. The certificate authority has several data processing subcenters to administer certificates
D. The organization is the owner of the certificate authority
Correct Answer: D
Question #41
Which of the following tasks should be performed FIRST when preparing a disaster recovery plan?
A. Develop a recovery strategy
B. Perform a business impact analysis
C. Map software systems, hardware and network components
D. Appoint recovery teams with defined personnel, roles and hierarchy
Correct Answer: C
Question #42
During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following would be the auditor’s BEST recommendation?
A. IT security should regularly revoke excessive system rights
B. System administrators should ensure consistency of assigned rights
C. Line management should regularly review and request modification of access rights
D. Human resources should delete access rights of terminated employees
Correct Answer: C
Question #43
An IS auditor is assigned to audit a software development project which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take?
A. Report that the organization does not have effective project management
B. Recommend the project manager be changed
C. Review the IT governance structure
D. Review the conduct of the project and the business case
Correct Answer: D
Question #44
Doing which of the following during peak production hours could result in unexpected downtime?
A. Performing data migration or tape backup
B. Performing preventive maintenance on electrical systems
C. Promoting applications from development to the staging environment
D. Replacing a failed power supply in the core router of the data center
Correct Answer: B
Question #45
An IS auditor is reviewing a software-based configuration. Which of the following represents the GREATEST vulnerability? The firewall software:
A. is configured with an implicit deny rule as the last rule in the rule base
B. is installed on an operating system with default settings
C. has been configured with rules permitting or denying access to systems or networks
D. is configured as a virtual private network (VPN) endpoint
Correct Answer: A
Question #46
Which of the following is a prevalent risk in the development of end-user computing (EUC) applications?
A. Applications may not be subject to testing and IT general controls
B. Increased development and maintenance costs
C. Increased application development time
D. Decision-making may be impaired due to diminished responsiveness to requests for information
Correct Answer: D
Question #47
The FIRST step in a successful attack to a system would be:
A. gathering information
B. gaining access
C. denying services
D. evading detection
Correct Answer: A
Question #48
During a follow-up audit, an IS auditor finds that the auditee has updated virus scanner definitions without adopting the original audit recommendation to increase the frequency of using the scanner. The MOST appropriate action for the auditor is to:
A. prepare a follow-up audit report reiterating the recommendation
B. escalate the issue to senior management
C. modify the audit opinion based on the new information available
D. conclude that the residual risk is beyond tolerable levels of risk
Correct Answer: D
Question #49
An IS auditor should ensure that an application’s audit trail:
A. has adequate security
B. does not impact operational efficiency
C. is accessible online
D. logs all database records
Correct Answer: A
Question #50
While copying files from a floppy disk, a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus?
A. A scan of all floppy disks before use
B. A virus monitor on the network file server
C. Scheduled daily scans of all network drives
D. A virus monitor on the user's personal computer
Correct Answer: C
Question #51
Which of the following is the BEST way to satisfy a two-factor user authentication?
A. A smart card requiring the user's PIN
B. User ID along with password
C. Iris scanning plus fingerprint scanning
D. A magnetic card requiring the user's PIN
Correct Answer: D
Question #52
The computer security incident response team (CSIRT) of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users might:
A. use this information to launch attacks
B. forward the security alert
C. implement individual solutions
D. fail to understand the threat
Correct Answer: D
Question #53
The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:
A. destruction policy
B. security policy
C. archive policy
D. audit policy
Correct Answer: C
Question #54
Which of the following should be the GREATEST concern to an IS auditor reviewing the information security framework of an organization?
A. The information security policy has not been updated in the last two years
B. A list of critical information assets was not included in the information security policy
C. Senior management was not involved in the development of the information security policy
D. The information security policy is not aligned with regulatory requirements
Correct Answer: B
Question #55
A Trojan horse's payload would almost always take damaging effect immediately.
A. True
B. False
Correct Answer: A
Question #56
Which of the following can be thought of as the simplest and almost cheapest type of firewall?
A. stateful firewall
B. hardware firewall
C. PIX firewall
D. packet filter
E. None of the choices
Correct Answer: E
Question #57
As part of a post-implementation review, the BEST way to assess the realization of outcomes is by:
A. obtaining feedback from the user community
B. performing a comprehensive risk analysis
C. evaluating the actual performance of the system
D. comparing the business case benefits to the achieved benefits
Correct Answer: D
Question #58
An integrated test facility is considered a useful audit tool because it:
A. is a cost-efficient approach to auditing application controls
B. enables the financial and IS auditors to integrate their audit tests
C. compares processing output with independently calculated data
D. provides the IS auditor with a tool to analyze a large range of information
Correct Answer: D
Question #59
An organization has outsourced its wide area network (WAN) to a third-party service provider. Under these circumstances, which of the following is the PRIMARY task the IS auditor should perform during an audit of business continuity (BCP) and disaster recovery planning (DRP)?
A. Review whether the service provider's BCP process is aligned with the organization's BCP and contractual obligations
B. Review whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster
C. Review the methodology adopted by the organization in choosing the service provider
D. Review the accreditation of the third-party service provider's staff
Correct Answer: C
Question #60
Which of the following controls can BEST detect accidental corruption during transmission of data across a network?
A. Sequence checking
B. Parity checking
C. Symmetric encryption
D. Check digit verification
Correct Answer: B
Question #61
An IS auditor is conducting a follow-up internal IS audit and determines that several recommendations from the prior year have not been implemented. Which of the following should be the auditor’s FIRST course of action?
A. Evaluate the recommendations in context of the current IT environment
B. Continue the audit and disregard prior audit recommendations
C. Request management implement recommendations from the prior year
D. Add unimplemented recommendations as findings for the new audit
Correct Answer: D
Question #62
When conducting a follow-up of previous audit findings, an IS auditor is told by management that a recommendation to make security changes to an application has not been implemented. The IS auditor should FIRST determine whether:
A. additional time to implement changes is needed
B. the associated risk is still relevant
C. the recommendation should be re-issued
D. the issue should be escalated
Correct Answer: A
Question #63
An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error, and are not rolled back. Which of the following transaction processing features has been violated?
A. Consistency
B. Isolation
C. Durability
D. Atomicity
Correct Answer: B
Question #64
During an ERP post-implementation review, it was noted that operating costs have been significantly higher than anticipated. Which of the following should the organization have done to detect this issue?
A. Updated the project charter as major changes occurred
B. Conducted periodic user satisfaction surveys
C. Performed an analysis of system usage
D. Monitored financial key performance indicators
Correct Answer: C
Question #65
Which of the following is the BEST type of program for an organization to implement to aggregate, correlate and store different log and event files, and then produce weekly and monthly reports for IS auditors?
A. A security information event management (SIEM) product
B. An open-source correlation engine
C. A log management tool
D. An extract, transform, load (ETL) system
Correct Answer: C
Question #66
E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:
A. alert the appropriate staff
B. create an entry in the log
C. close firewall-2
D. close firewall-1
Correct Answer: A
Question #67
An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
A. apply the patch according to the patch's release notes
B. ensure that a good change management process is in place
C. thoroughly test the patch before sending it to production
D. approve the patch after doing a risk assessment
Correct Answer: D
Question #68
After the merger of two organizations, multiple self-developed legacy applications from both companies are to be replaced by a new common platform. Which of the following would be the GREATEST risk?
A. Project management and progress reporting is combined in a project management office which is driven by external consultants
B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach
C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems
D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs
Correct Answer: B
Question #69
Which of the following would normally be the MOST reliable evidence for an auditor?
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as designed
C. Trend data obtained from World Wide Web (Internet) sources
D. Ratio analysis developed by the IS auditor from reports supplied by line management
Correct Answer: B
Question #70
Which of the following access rights in the production environment should be granted to a developer to maintain segregation of duties?
A. Database administration
B. Emergency support
C. IT operations
D. System administration
Correct Answer: D
Question #71
An organization has begun using social media to communicate with current and potential clients. Which of the following should be of PRIMARY concern to the auditor?
A. Using a third-party provider to host and manage content
B. Lack of guidance on appropriate social media usage and monitoring
C. Negative posts by customers affecting the organization’s image
D. Reduced productivity of staff using social media
Correct Answer: C
Question #72
Which of the following is the PRIMARY objective of an IT performance measurement process?
A. Minimize errors
B. Gather performance data
C. Establish performance baselines
D. Optimize performance
Correct Answer: C
Question #73
A technical lead who was working on a major project has left the organization. The project manager reports suspicious system activities on one of the servers that is accessible to the whole team. What would be of GREATEST concern if discovered during a forensic investigation?
A. Audit logs are not enabled for the system
B. A logon ID for the technical lead still exists
C. Spyware is installed on the system
D. A Trojan is installed on the system
Correct Answer: A
Question #74
The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through:
A. symmetric encryption
B. message authentication code
D. digital signature certificates
Correct Answer: A
Question #75
The MOST significant security concern when using flash memory (e.g., USB removable disk) is that the:
A. contents are highly volatile
B. data cannot be backed up
C. data can be copied
D. device may not be compatible with other peripherals
Correct Answer: C
Question #76
What is the recommended minimum length of a good password?
A. 6 characters
B. 8 characters
C. 12 characters
D. 18 characters
E. 22 characters
F. None of the choices
Correct Answer: A
Question #77
The technique of rummaging through commercial trash to collect useful business information is known as:
A. Information diving
B. Intelligence diving
C. Identity diving
D. System diving
E. Program diving
F. None of the choices
Correct Answer: B
Question #78
Following an IS audit recommendation, all Telnet and File Transfer Protocol (FTP) connections have been replaced by Secure Socket Shell (SSH) and Secure File Transfer Protocol (SFTP). Which risk treatment approach has the organization adopted?
A. Acceptance
B. Mitigation
C. Avoidance
D. Transfer
Correct Answer: C
Question #79
After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend?
A. Stress
B. Black box
C. Interface
D.
Correct Answer: B
Question #80
During a follow-up audit, an IS auditor discovers that a recommendation has not been implemented. However, the auditee has implemented a manual workaround that addresses the identified risk, though with far less efficiency than the recommended action would provide. Which of the following would be the auditor's BEST course of action?
A. Notify management that the risk has been addressed and take no further action
B. Escalate the remaining issue for further discussion and resolution
C. Note that the risk has been addressed and notify management of the inefficiency
D. Insist to management that the original recommendation be implemented
Correct Answer: D
Question #81
Over the long term, which of the following has the greatest potential to improve the security incident response process?
A. A walkthrough review of incident response procedures
B. Postevent reviews by the incident response team
C. Ongoing security training for users
D. Documenting responses to an incident
View answer
Correct Answer: B
Question #82
Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?
A. Bottom up
B. Sociability testing
C. Top-down
D. System test
View answer
Correct Answer: C
Question #83
Which of the following is the most important element in the design of a data warehouse?
A. Quality of the metadata
B. Speed of the transactions
C. Volatility of the data
D. Vulnerability of the system
View answer
Correct Answer: A
Question #84
An IS auditor observes a weakness in the tape management system at a data center in that some parameters are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness?
A. Staging and job set up
B. Supervisory review of logs
C. Regular back-up of tapes
D. Offsite storage of tapes
View answer
Correct Answer: A
Question #85
An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?
A. Administrative security can be provided for the client
B. System administration can be better managed
C. The security of the desktop PC is enhanced
D. Desktop application software will never have to be upgraded
View answer
Correct Answer: C
Question #86
An IS auditor who has discovered unauthorized transactions during a review of EDI transactions is likely to recommend improving the:
A. EDI trading partner agreements
B. physical controls for terminals
C. authentication techniques for sending and receiving messages
D. program change control procedures
View answer
Correct Answer: C
Question #87
With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor?
A. Outsourced activities are core and provide a differentiated advantage to the organization
B. Periodic renegotiation is specified in the outsourcing contract
C. The outsourcing contract fails to cover every action required by the arrangement
D. Similar activities are outsourced to more than one vendor
View answer
Correct Answer: A
Question #88
When planning an audit of a network setup, an IS auditor should give highest priority to obtaining which of the following network documentation?
A. Wiring and schematic diagram
B. Users' lists and responsibilities
C. Application lists and their details
D. Backup and recovery procedures
View answer
Correct Answer: A
Question #89
A company has decided to implement an electronic signature scheme based on public key infrastructure. The user's private key will be stored on the computer's hard drive and protected by a password. The MOST significant risk of this approach is:
A. use of the user's electronic signature by another person if the password is compromised
B. forgery by using another user's private key to sign a message with an electronic signature
C. impersonation of a user by substitution of the user's public key with another person's public key
D. forgery by substitution of another person's private key on the computer
View answer
Correct Answer: A
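Why option A is the significant risk in Question #89, shown in code. This is an added example written for this page, not code from SPOTO or ISACA: it models a private key kept on disk and protected only by a password, then shows that whoever holds the file and the password produces signatures the verifier cannot tell apart from the owner's. The key file layout, the hand-written PBKDF2 helper and the "contract" messages are assumptions made for the example, not any product's real format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyFile models a private key stored on the user's hard drive and
// protected by a password (illustrative layout, not a real product's).
type KeyFile struct {
	Salt       []byte
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over the ed25519 seed
	Public     ed25519.PublicKey
}

const kdfIterations = 100000

// deriveKey is PBKDF2-HMAC-SHA256 for a single 32-byte block, written out
// here so the example needs only the Go standard library.
func deriveKey(password, salt []byte) []byte {
	prf := func(data []byte) []byte {
		m := hmac.New(sha256.New, password)
		m.Write(data)
		return m.Sum(nil)
	}
	var blockIndex [4]byte
	binary.BigEndian.PutUint32(blockIndex[:], 1)
	u := prf(append(append([]byte{}, salt...), blockIndex[:]...))
	t := append([]byte{}, u...)
	for i := 1; i < kdfIterations; i++ {
		u = prf(u)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CreateKeyFile generates a signing key pair and stores the private seed
// encrypted under the password; the public key rides along in the clear.
func CreateKeyFile(password string) (*KeyFile, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aead, err := newGCM(deriveKey([]byte(password), salt))
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, priv.Seed(), pub)
	return &KeyFile{Salt: salt, Nonce: nonce, Ciphertext: ct, Public: pub}, nil
}

// Unlock recovers the private key; a wrong password fails GCM authentication,
// so the file alone (without the password) yields nothing.
func Unlock(kf *KeyFile, password string) (ed25519.PrivateKey, error) {
	aead, err := newGCM(deriveKey([]byte(password), kf.Salt))
	if err != nil {
		return nil, err
	}
	seed, err := aead.Open(nil, kf.Nonce, kf.Ciphertext, kf.Public)
	if err != nil {
		return nil, errors.New("wrong password or tampered key file")
	}
	return ed25519.NewKeyFromSeed(seed), nil
}

// SignWith signs msg with the key in kf. Nothing here distinguishes the
// owner from anyone else who copied the file and learned the password.
func SignWith(kf *KeyFile, password string, msg []byte) ([]byte, error) {
	priv, err := Unlock(kf, password)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

func main() {
	kf, _ := CreateKeyFile("correct horse")                       // the user's key file
	owner, _ := SignWith(kf, "correct horse", []byte("contract A")) // signed by the owner
	thief, _ := SignWith(kf, "correct horse", []byte("contract B")) // copied file + leaked password
	fmt.Println("owner signature verifies:   ", ed25519.Verify(kf.Public, []byte("contract A"), owner))
	fmt.Println("attacker signature verifies:", ed25519.Verify(kf.Public, []byte("contract B"), thief))
	_, err := SignWith(kf, "wrong guess", []byte("contract B"))
	fmt.Println("without the password:", err)
}
```

Both signatures verify under the same public key, so a relying party has no way to repudiate the attacker's document; the password is the only thing standing between the attacker and the user's signature, which is why option A is the risk to call out. Options C and D describe key substitution, which the PKI's certificate binding and the signature check itself already defeat.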
Question #90
Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?
A. Identify business risks associated with the observations
B. Assist the management with control enhancements
C. Record the proposed course of corrective action
D. Validate the audit observations
View answer
Correct Answer: D
Question #91
Which of the following is a concern when data are transmitted through Secure Sockets Layer (SSL) encryption, implemented on a trading partner's server?
A. The organization does not have control over encryption
B.
C. Data might not reach the intended recipient
D. The communication may not be secure
View answer
Correct Answer: A
Question #92
Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
A. Assimilation of the framework and intent of a written security policy by all appropriate parties
B. Management support and approval for the implementation and maintenance of a security policy
C. Enforcement of security rules by providing punitive actions for any violation of security rules
D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
View answer
Correct Answer: A