DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

CISA Exam Success: Mock Tests & Study Resources, Certified Information Systems Auditor | SPOTO

Welcome to SPOTO's CISA Exam Success: Mock Tests & Study Resources for 2024! The Certified Information Systems Auditor® (CISA®) certification is a prestigious achievement in auditing, IT systems assessment, and risk-based audit methodologies. Our study resources, coupled with mock tests, provide a robust preparation platform for aspiring CISA professionals. Mock tests offer several advantages, including simulating real exam conditions, enhancing time management skills, and identifying knowledge gaps for targeted study. Join SPOTO to access high-quality exam materials, sample questions, and practice tests, ensuring a confident and successful approach to earning your CISA certification. Demonstrate your expertise and proficiency in applying a risk-based approach to audit engagements with SPOTO's CISA Exam Preparation.

Take other online exams

Question #1
An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:
A. the probability of error must be objectively quantified
B. the auditor wishes to avoid sampling risk
D. the tolerable error rate cannot be determined
View answer
Correct Answer: D

View The Updated CISA Exam Questions

SPOTO Provides 100% Real CISA Exam Questions for You to Pass Your CISA Exam!

Question #2
________ risk analysis is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a _________________ risk assessment is more appropriate. Fill in the blanks.
A. Quantitative; qualitative
B. Qualitative; quantitative
C. Residual; subjective
D. Quantitative; subjective
View answer
Correct Answer: C
Question #3
When are benchmarking partners identified within the benchmarking process?
A. In the design stage
B. In the testing stage
C. In the research stage
D. In the development stage
View answer
Correct Answer: A
Question #4
The ultimate purpose of IT governance is to:
A. encourage optimal use of IT
B. reduce IT costs
C. decentralize IT resources across the organization
D. centralize control of IT
View answer
Correct Answer: D
Question #5
The PRIMARY reason an IS auditor performs a functional walkthrough during the preliminary phase of an audit assignment is to:
A. understand the business process
B. comply with auditing standards
C. identify control weakness
D. plan substantive testing
View answer
Correct Answer: A
Question #6
Which of the following is the BEST indication of an effective incident management process? A. Percentage of incidents where root cause has been identified
B. Percentage of incidents closed without escalation
C. Number of calls to the help desk
D. Number of incidents reviewed by the IT management
View answer
Correct Answer: A
Question #7
What is the most common purpose of a virtual private network implementation?
A. A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet
B. A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over a dedicated T1 connection
C. A virtual private network (VPN) helps to secure access within an enterprise when communicating over a dedicated T1 connection between network segments within the same facility
D. A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over a wireless connection
View answer
Correct Answer: C
Question #8
Which of the following should be an IS auditor’s PRIMARY focus when developing a risk-based IS audit program?
A. Business plans
B. Business processes
C. D
C. IT strategic plans
D. Portfolio management
View answer
Correct Answer: A
Question #9
Human error is being HEAVILY relied upon on by which of the following types of attack?
A. Eavedropping
B. DoS
C. DDoS
D. ATP
E. Social Engineering
F. None of the choices
View answer
Correct Answer: B
Question #10
Due to the increasing size of a database, user access times and daily backups continue to increase. Which of the following would be the BEST way to address this situation?
A. Data modeling
B. Data visualization
C. Data mining
D. Data purging
View answer
Correct Answer: A
Question #11
Loading of illegal software packages onto a network by an employee is MOST effectively detected by:
A. diskless workstations
B. regular scanning of hard drivesC
D. logging of activity on network drives
View answer
Correct Answer: A
Question #12
Privileged account access is required to start an ad hoc batch job. Which of the following would MOST effectively detect unauthorized job execution?
A. Requiring manual approval by an authorized user
B. Executing the job through two-factor authentication
C. Introducing job execution request procedures
D. Reconciling user activity logs against authorizations
View answer
Correct Answer: A
Question #13
The BEST reason for implementing a virtual private network (VPN) is that it:
A. eases the implementation of data encryption
B. allows for public use of private networks
C. enables use of existing hardware platforms
D. allows for private use of public networks
View answer
Correct Answer: A
Question #14
Mitigating the risk and impact of a disaster or business interruption usually takes priority over transference of risk to a third party such as an insurer. True or false?
A. True
B. False
View answer
Correct Answer: A
Question #15
The final acceptance testing of a new application system should be the responsibility of the:
A. IS audit team
B. user group
C. IS management
D. quality assurance team
View answer
Correct Answer: B
Question #16
Which of the following types of attack works by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs?
A. format string vulnerabilities
B. integer overflow
C. code injection
D. command injection
E. None of the choices
View answer
Correct Answer: D
Question #17
Proper segregation of duties normally does not prohibit a LAN administrator from also having programming responsibilities. True or false?
A. True
B. False
View answer
Correct Answer: B
Question #18
Which of the following mechanisms for process improvement involves examination of industry best practice?
A. Continuous improvement
B. Knowledge management
C. Business process reengineering (BPR)
D. Benchmarking
View answer
Correct Answer: D
Question #19
The purpose of a mainframe audit is to provide assurance that processes are being implemented as required, the mainframe is operating as it should, security is strong, and that procedures in place are working and are updated as needed. The auditor may accordingly make recommendations for improvement. Which of the following types of audit always takes high priority over the others? (Choose five.)
A. System audit
B. Application audit
C. Software audit
D. License audit
E. Security server audit
F. None of the choices
View answer
Correct Answer: B
Question #20
What should an IS auditor do if he or she observes that project-approval procedures do not exist?
A. Advise senior management to invest in project-management training for the staff
B. Create project-approval procedures for future project implementations
C. Assign project leaders
D. Recommend to management that formal approval procedures be adopted and documented
View answer
Correct Answer: D
Question #21
If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, what should the auditor do?
A. Lack of IT documentation is not usually material to the controls tested in an IT audit
B. The auditor should at least document the informal standards and policies
C. The auditor should at least document the informal standards and policies, and test for a compliance
D. The auditor should at least document the informal standards and policies, and test for compliance
View answer
Correct Answer: D
Question #22
ALL computer programming languages are vulnerable to command injection attack. A. True
B. False
View answer
Correct Answer: C
Question #23
The risks associated with electronic evidence gathering would MOST likely be reduced by an e- mail:
A. destruction policy
B. security policy
C. archive policy
D. audit policy
View answer
Correct Answer: A
Question #24
Which of the following would help determine the maturity of an information security awareness program?
A. A review of the annual penetration test results
B. A network vulnerability assessment
C. A simulated social engineering test
D. A gap assessment against an established model
View answer
Correct Answer: A
Question #25
With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor? A. Outsourced activities are core and provide a differentiated advantage to the organization.
B. Periodic renegotiation is specified in the outsourcing contract
C. The outsourcing contract fails to cover every action required by the arrangement
D. Similar activities are outsourced to more than one vendor
View answer
Correct Answer: C
Question #26
When is regression testing used to determine whether new application changes have introduced any errors in the remaining unchanged code?
A. In program development and change management
B. In program feasibility studies
C. In program development
D. In change management
View answer
Correct Answer: C
Question #27
Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?
A. Define a balanced scorecard (BSC) for measuring performance Consider user satisfaction in the key performance indicators (KPIs) Select projects according to business benefits and risks
D. Modify the yearly process of defining the project portfolio
View answer
Correct Answer: A
Question #28
Which of the following are used in a firewall to protect the entity’s internal resources? A. Internet Protocol (IP) address restrictions
B. Remote access servers
C. Secure Sockets Layers (SSLs)
D. Fail-over services
View answer
Correct Answer: C
Question #29
Rather than simply reviewing the adequacy of access control, appropriateness of access policies, and effectiveness of safeguards and procedures, the IS auditor is more concerned with effectiveness and utilization of assets. True or false?
A. True
B. False
View answer
Correct Answer: B
Question #30
Which of the following controls will MOST effectively detect inconsistent records resulting from the lack of referential integrity in a database management system?
A. Concurrent access controls
B. Incremental data backups
C. Performance monitoring tools
D. Periodic table link checks
View answer
Correct Answer: ABCD
Question #31
Integer overflow occurs primarily with:
A. string formatting B
C. output formatting
D. input verificationsE
F. None of the choices
View answer
Correct Answer: B
Question #32
After identifying potential security vulnerabilities, what should be the IS auditor's next step?
A. To evaluate potential countermeasures and compensatory controls
B. To implement effective countermeasures and compensatory controls
C. To perform a business impact analysis of the threats that would exploit the vulnerabilities
D. To immediately advise senior management of the findings
View answer
Correct Answer: C
Question #33
Which of the following types of firewall treats each network frame or packet in isolation?
A. statefull firewall
B. hardware firewall
C. combination firewall
D. packet filtering firewall
E. stateless firewall
F. None of the choices
View answer
Correct Answer: C
Question #34
Which of the following data validation edits is effective in detecting transposition and transcription errors?
A. Range check
B. Check digit
C. Validity check D
View answer
Correct Answer: B
Question #35
When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider’s external audit report on service level management when the:
A. report was released within the last 12 months
B. scope and methodology meet audit requirements
C. service provider is independently certified and accredited
D. report confirms that service levels were not violated
View answer
Correct Answer: C
Question #36
What should be the PRIMARY objective of conducting interviews with business unit managers when developing an information security strategy?
A. Obtain information on department goals
B. Classify information assets
C. Identify data and system ownership
D. Determine information types
View answer
Correct Answer: A
Question #37
An IS auditor is performing a consulting engagement and needs to make a recommendation for securing all doors to a data center to prevent unauthorized access. Which of the following access control techniques would be MOST difficult for an intruder to compromise?
A. Dead-man door and swipe card
B. Smart card and numeric keypad
C. USB token and password
D. Biometrics and PIN
View answer
Correct Answer: D
Question #38
Database snapshots can provide an excellent audit trail for an IS auditor. True or false?
A. True
B. False
View answer
Correct Answer: B
Question #39
Which of the following is the BEST point in time to conduct a post-implementation review (PIR)?
A. After a full processing cycle
B. Immediately after deployment
C. To coincide with annual PIR cycle
D. Six weeks after deployment
View answer
Correct Answer: A
Question #40
Which of the following attack is also known as Time of Check(TOC)/Time of Use(TOU)?
A. Eavesdropping
B. Traffic analysis
C. Masquerading
D. Race Condition
View answer
Correct Answer: C
Question #41
Which of the following should an IS auditor recommend be done FIRST upon learning that new data protection legislation may affect the organization?
A. Implement data protection best practices
B. Implement a new security baseline for achieving compliance
C. Restrict system access for noncompliant business processes
D. Perform a gap analysis of data protection practices
View answer
Correct Answer: A
Question #42
Host Based ILD&P primarily addresses the issue of: A. information integrity
B. information accuracy
C. information validity
D. information leakage
E. None of the choices
View answer
Correct Answer: A
Question #43
In computer forensics, which of the following is the process that allows bit-for-bit copy of a data to avoid damage of original data or information when multiple analysis may be performed?
A. Imaging
B. Extraction
C. Data Protection
D. Data Acquisition
View answer
Correct Answer: C
Question #44
In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:
A. there is an integration of IS and business staffs within projects
B. there is a clear definition of the IS mission and vision
C. a strategic information technology planning methodology is in place
D. the plan correlates business objectives to IS goals and objectives
View answer
Correct Answer: D
Question #45
Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?
A. Attribute sampling
B. Generalized audit software (GAS)
C. Test data
D. Integrated test facility (ITF)
View answer
Correct Answer: B
Question #46
An organization is running servers with critical business applications that are in an area subject to frequent but brief power outages. Knowledge of which of the following would allow the organization’s management to monitor the ongoing adequacy of the uninterrupted power supply (UPS)?
A. Duration and interval of the power outages
B. Business impact of server downtime
C. Number of servers supported by the UPSD
View answer
Correct Answer: A
Question #47
Which of the following tools BEST demonstrate the effectiveness of the information security program?
A. A security balanced scorecard
B. Management satisfaction surveys
C. Risk heat map
D. Key risk indicators (KRIs)
View answer
Correct Answer: C
Question #48
The development of an IS security policy is ultimately the responsibility of the: A. IS department.
B. security committee
C. security administrator
D. board of directors
View answer
Correct Answer: C
Question #49
An accurate biometric system usually exhibits (Choose two.):
A. low EER
B. low CER
C. high EER D
E. None of the choices
View answer
Correct Answer: C
Question #50
When protecting the confidentiality of information assets, the MOST effective control practice is the:
A. awareness training of personnel on regulatory requirements
B. enforcement of a need-to-know access control philosophy
C. utilization of a dual-factor authentication mechanism
D. configuration of read-only access to all users
View answer
Correct Answer: C
Question #51
Which of the following may be deployed in a network as lower cost surveillance and early-warning tools?
A. Honeypots
B. Hardware IPSs
C. Hardware IDSs
D. Botnets
E. Stateful inspection firewalls
F. Stateful logging facilities
G. None of the choices
View answer
Correct Answer: B
Question #52
What should IS auditors always check when auditing password files?
A. That deleting password files is protected
B. That password files are encrypted
C. That password files are not accessible over the network D
View answer
Correct Answer: B
Question #53
An airline’s online booking system uses an automated script that checks whether fares are within the defined threshold of what is reasonable before the fares are displayed on the website. Which type of control is in place?
A. Compensating control
B. Preventive control
C. Detective control
D. Corrective control
View answer
Correct Answer: A
Question #54
If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further: A. Documentation development
B. Comprehensive integration testing
C. Full unit testing
D. Full regression testing
View answer
Correct Answer: A
Question #55
At which stage of the software development life cycle should an organization identity privacy considerations?
A. Design
B. Testing
C. Development
D. Requirements
View answer
Correct Answer: C
Question #56
Which of the following firewall technologies involves examining the header of every packet of data traveling between the Internet and the corporate network without examining the previous packets?
A. Proxy servers
B. Bastion host
C. Stateful filtering
D. Stateless filtering
View answer
Correct Answer: B
Question #57
You may reduce a cracker's chances of success by: (Choose all that apply.)
A. keeping your systems up to date using a security scanner
B. hiring competent people responsible for security to scan and update your systems
D. using multiple firewalls and IDS
E. None of the choices
View answer
Correct Answer: B
Question #58
A purpose of project closure is to determine the:
A. potential risks affecting the quality of deliverables
C. project feasibility requirements professional expertise of the project manager
View answer
Correct Answer: B
Question #59
Which of the following is the most fundamental step in preventing virus attacks?
A. Adopting and communicating a comprehensive antivirus policy
B. Implementing antivirus protection software on users' desktop computers
C. Implementing antivirus content checking at all network-to-Internet gateways
D. Inoculating systems with antivirus code
View answer
Correct Answer: B
Question #60
Which of the following terms is used more generally for describing concealment routines in a malicious program? A. virus
B. worm
C. trojan horse
D. spyware
E. rootkits
F. backdoor
G. None of the choices
View answer
Correct Answer: A
Question #61
Which of the following is the BEST way to protect the confidentiality of data on a corporate smartphone?
A. Disabling public wireless connections
B. Using remote data wipe capabilities
C. Using encryption
D. Changing the default PIN for Bluetooth connections
View answer
Correct Answer: D
Question #62
A stockbroker accepts orders over the Internet. Which of the following is the MOST appropriate control to ensure confidentiality of the orders?
A. Virtual private network
B. Public key encryption
C. Data Encryption Standard (DES)
D. Digital signature
View answer
Correct Answer: A
Question #63
An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services. Which of the following would BEST enable the organization to resolve this issue?
A. Service level management
B. Change management
C. Problem management
D. Incident management
View answer
Correct Answer: B
Question #64
An organization has begun using social media to communicate with current and potential clients. Which of the following should be of PRIMARY concern to the auditor?
A. Using a third-party provider to host and manage content
B. Lack of guidance on appropriate social media usage and monitoring
C. Negative posts by customers affecting the organization’s image
C. D
D. Reduced productivity of stuff using social media
View answer
Correct Answer: A
Question #65
Which of the following is the BEST detective control for a job scheduling process involving data transmission?
A. Metrics denoting the volume of monthly job failures are reported and reviewed by senior management
B. Job failure alerts are automatically generated and routed to support personnel
C. Jobs are scheduled and a log of this activity is retained for subsequent review
D. Jobs are scheduled to be completed daily and data is transmitted using a secure File Transfer Protocol (FTP)
View answer
Correct Answer: A
Question #66
Which of the following is the MOST important difference between end-user computing (EUC) applications and traditional applications?
A. Traditional application documentation is typically less comprehensive than EUC application documentation
B. Traditional applications require roll-back procedures whereas EUC applications do not
C. Traditional applications require periodic patching whereas EUC applications do not
D. Traditional application input controls are typically more robust than EUC application input controls
View answer
Correct Answer: A
Question #67
Which is MOST important when contracting an external party to perform a penetration test?
A. Obtain approval from IT management
B. Define the project scope
C. Increase the frequency of log reviews
D. Provide network documentation
View answer
Correct Answer: B
Question #68
An advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions. True or false?
A. True
B. False
View answer
Correct Answer: B
Question #69
Which of the following is the MOST effective way to reduce risk to an organization from widespread use of web-based communication technologies?
A. Publish an enterprise-wide policy outlining acceptance use of web-based communication technologies
B. Incorporate risk awareness training for web-based communications into the IT security program
C. Monitor staff usage of web-based communication and notify the IT security department of violations
D. Block access from user devices to unauthorized pages that allow web-based communication
View answer
Correct Answer: B
Question #70
Which of the following is the MOST significant risk when an application uses individual end user accounts to access the underlying database?
A. User accounts may remain active after a termination
B. Multiple connects to the database are used and slow the process
C. Application may not capture a complete audit trail
D. Users may be able to circumvent application controls
View answer
Correct Answer: A
Question #71
Which of the following is MOST important to include in an organization’s incident response plan to help prevent similar incidents from happening in the future?
A. Documentation of incident details
B. Incident closure procedures
C. Containment and neutralization actions
D. Post-incident review
View answer
Correct Answer: D
Question #72
Which of the following is the MOST important factor when determining the frequency of information security risk reassessment?
A. Audit findings
B. Risk priority
C. Mitigating controls
D. Risk metrics
View answer
Correct Answer: C
Question #73
Which of the following will enable a customer to authenticate an online Internet vendor?
A. Vendor signs a reply using a hash function and the customer’s public key
B. Customer encrypts an order using the vendor’s public key
C. Customer verifies the vendor’s certificate with a certificate authority (CA)
D. Vendor decrypts incoming orders using its own private key
View answer
Correct Answer: B
Question #74
In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?
A. Optimized
B. Managed
C. Defined
D. Repeatable
View answer
Correct Answer: A
Question #75
There are several types of penetration tests depending upon the scope, objective and nature of a test. Which of the following describes a penetration test where you attack and attempt to circumvent the controls of the targeted network from the outside, usually the Internet?
A. External Testing
B. Internal Testing
C. Blind Testing
D. Targeted Testing
View answer
Correct Answer: B
Question #76
The demilitarized zone (DMZ) is the part of a network where servers that are placed are:
A. running internal department applications
B. running mission-critical, non-web applications
C. interacting with the public Internet
D. external to the organization
View answer
Correct Answer: A
Question #77
Which of the following is the GREATEST advantage of application penetration testing over vulnerability scanning?
A. Penetration testing does not require a special skill set to be executed
C. Penetration testing can be conducted in a relatively short time period
D. Penetration testing creates relatively smaller risks to application availability and integrity
View answer
Correct Answer: B
Question #78
The BEST way to assure an organization’s board of directors that IT strategies support business objectives is to:
A. provide regular assessments of emerging technologies
B. identify and report on the achievement of critical success factors (CSFs)
C. confirm that IT strategies have been fully documented and disseminated
D. ensure that senior business managers review IT budgets
View answer
Correct Answer: C
Question #79
Reviewing project plans and status reports throughout the development life cycle will:
A. eliminate the need to perform a risk assessment
B. postpone documenting the project’s progress until the final phase
C. guarantee that the project will meet its intended deliverables
D. facilitate the optimal use of resources over the life of the project
View answer
Correct Answer: C
Question #80
The lack of which of the following represents the GREATEST risk to the quality of developed software?
A. Code reviews
B. Periodic internal audits
C. Load testing
D. An enterprise architecture
View answer
Correct Answer: C
Question #81
To ensure appropriate control of information processed in IT systems, security safeguards should be based PRIMARILY on:
A. established guidelines
B. overall IT capacity and operational constraints
C. efficient technical processing considerations
D. criteria consistent with classification levels
View answer
Correct Answer: C
Question #82
Which of the following refers to any authentication protocol that requires two independent ways to establish identity and privileges?
A. Strong-factor authentication
B. Two-factor authentication
C. Dual-password authentication
D. Two-passphrases authentication
E. Dual-keys authentication
F. Rich-factor authentication
View answer
Correct Answer: A
Question #83
A bank is relocating its servers to a vendor that provides data center hosting services to multiple clients. Which of the following controls would restrict other clients from physical access to the bank’s servers?
A. Closed-circuit television cameras
B. Locking server cages
C. Biometric access at all data center entrances
D. 24-hour security guards
View answer
Correct Answer: C
Question #84
The business case for an IS project has changed during the course of the project due to new requirements being added. What should be done NEXT? A. The project should go through the formal reapproval process.
B. The changes to the business case should be documented in the project plan
C. Additional resources should be allocated to the project due to the new requirements
D. Project stakeholders should be notified of the changes
View answer
Correct Answer: D
Question #85
C. D. A recent audit identified duplicate software licenses and technologies. Which of the following would be MOST helpful to prevent this type of duplication in the future?
A. Centralizing IT procurement and approval practices
B. Updating IT procurement policies and procedures Conducting periodic inventory reviews Establishing a project management office
View answer
Correct Answer: A
Question #86
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
A. Apply single sign-on for access control
B. Enforce an internal data access policy
C. Enforce the use of digital signatures
D. Implement segregation of duties
View answer
Correct Answer: A
Question #87
When developing a security architecture, which of the following steps should be executed FIRST? Developing security procedures Defining a security policy
C. Specifying an access control methodology
D. Defining roles and responsibilities
View answer
Correct Answer: B
Question #88
Which of the following would BEST help ensure information security is effective following the outsourcing of network operations?
A. Test security controls periodically
B. Review security key performance indicators (KPIs)
C. Establish security service level agreements (SLAs)
D. Appoint a security service delivery monitoring manager
View answer
Correct Answer: B
Question #89
Following a recent internal data breach, an IS auditor was asked to evaluate information security practices within the organization. Which of the following findings would be MOST important to report to senior management?
A. Employees are not required to sign a non-compete agreement
B. Security education and awareness workshops have not been completed
C. Users lack technical knowledge related to security and data protection
D. Desktop passwords do not require special characters
View answer
Correct Answer: C
Question #90
A user of a telephone banking system has forgotten his personal identification number (PIN). After the user has been authenticated, the BEST method of issuing a new PIN is to have:
A. the user enter a new PIN twice
B. banking personnel verbally assign a new PIN
C. a randomly generated PIN communicated by banking personnel
D. banking personnel assign the user a new PIN via email
View answer
Correct Answer: A
Question #91
Which of the following security risks can be reduced by a properly configured network firewall?
A. Insider attacks
B. SQL injection attacks
C. Denial of service (DoS) attacks D
View answer
Correct Answer: A
Question #92
Which of the following are valid choices for the Apache/SSL combination (Choose three.): A. the Apache-SSL project
B. third-party SSL patches
C. the mod_ssl module
D. the mod_css module
E. None of the choices
View answer
Correct Answer: D
Question #93
Which of the following is the MOST important prerequisite to performing an information security assessment?
A. Reviewing the business impact analysis (BIA)
B. Assessing threats and vulnerabilities C
D. Classifying assets
View answer
Correct Answer: B
Question #94
When implementing a software product (middleware) to pass data between local area network (LAN) servers and the mainframe, the MOST critical control consideration is:
A. cross-platform authentication
B. time synchronization of databases
C. network traffic levels between platforms
D. time-stamping of transactions to facilitate recovery
View answer
Correct Answer: D
Question #95
Which of the following refers to the act of creating and using an invented scenario to persuade a target to perform an action?
A. Pretexting
B. Backgrounding
C. Check making
D. Bounce checking
E. None of the choices
View answer
Correct Answer: C
Question #96
Organization A has a Software as a Service Agreement (SaaS) with Organization
B. The software is vital to Organization
A. Which of the following would provide the GREATEST assurance that the application can be recovered in the event of a disaster? A
B. Organization A has a source code escrow agreement and hardware procurement provisions for disaster recovery purposes
C. Organization B has a disaster recovery plan included in its contract and allows oversight by Organization
A.
D. Organization A buys disaster insurance to recuperate losses in the event of a disaster
View answer
Correct Answer: A
Question #97
Which of the following BEST supports the prioritization of new IT projects?
A. Internal control self-assessment (CSA)
B. Information systems auditInvestment portfolio analysis
D. E
View answer
Correct Answer: C
Question #98
Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?
A. Participative management techniques
B. Quality assurance (QA) reviews
C. Performance data
D. Real-time audit software
View answer
Correct Answer: A
Question #99
Business applications should be selected for disaster recovery testing on the basis of:
A. the results of contingency desktop checks
B. the number of failure points that are being tested
C. recovery time objectives (RTOs)
D. criticality to the enterprise
View answer
Correct Answer: C
Question #100
On a public-key cryptosystem when there is no previous knowledge between parties, which of the following will BEST help to prevent one person from using a fictitious key to impersonate someone else?
A. Encrypt the message containing the sender’s public key, using a private-key cryptosystem
B. Send a certificate that can be verified by a certification authority with the public key
C. Encrypt the message containing the sender’s public key; using the recipient’s pubic key
View answer
Correct Answer: D
Question #101
Which of the following is the MOST effective way to maintain network integrity when using mobile devices?
A. Perform network reviews
B. Implement network access control
C. Implement outbound firewall rules
D. Review access control lists
View answer
Correct Answer: ABC
Question #102
Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?
A. Only collect logs from servers classified as business critical
B. Limit the use of logs to only those purposes for which they were collected
C. Limit log collection to only periods of increased security activity
D. Restrict the transfer of log files from host machine to online storage
View answer
Correct Answer: B
Question #103
To ensure the integrity of a recovered database, which of the following would be MOST useful?
A. Before-and-after transaction images
B. Database defragmentation tools
C. A copy of the data dictionary
D. Application transaction logs
View answer
Correct Answer: B
Question #104
An IS auditor finds that the process for removing access for terminated employees is not documented. What is the MOST significant risk from this observation?
A. Procedures may not align with best practices
B. HR records may not match system access
C. Unauthorized access cannot be identified
D. Access rights may not be removed in a timely manner
View answer
Correct Answer: C
Question #105
In an organization that has a staff-rotation policy, the MOST appropriate access control model is:
A. role based
B. discretionary
C. mandatory
D. lattice based
View answer
Correct Answer: A
Question #106
Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist withing the organization?
A. Reviewing user activity logs
B. Mapping IT processes to roles
C. Reviewing vacation patterns
D. Interviewing senior IT management
View answer
Correct Answer: A
Question #107
Which of the following would BEST enable effective IT resource management?
A. Assessing the risk associated with IT resources
B. Outsourcing IT processes and activities
C. Establishing business priorities
D. Automating business processes
View answer
Correct Answer: D
Question #108
Which of the following BEST indicates the effectiveness of an organization’s risk management program?
A. Control risk is minimized
B. Inherent risk is eliminated
C. Residual risk is minimized
D. Overall risk is quantified
View answer
Correct Answer: B
Question #109
Which of the following would be of MOST concern when determining if information assets are adequately safeguard during transport and disposal?
A. Lack of password protection
B. Lack of recent awareness training
C. Lack of appropriate data classification D
View answer
Correct Answer: C
Question #110
An IS auditor evaluating logical access controls should FIRST:
A. document the controls applied to the potential access paths to the system
B. test controls over the access paths to determine if they are functional
D. obtain an understanding of the security risks to information processing
View answer
Correct Answer: C
Question #111
Which of the following activities is MOST important to consider when conducting IS audit planning?
A. Results from previous audits are reviewed
B. Audit scheduling is based on skill set of audit team
C. Resources are allocated to areas of high risk
D. The audit committee agrees on risk rankings
View answer
Correct Answer: C
Question #112
Which of the following is the MOST effective way to assess whether an outsourcer’s controls are following the service level agreement (SLA)?
A. Perform an onsite review of the outsourcer
B. Review the outsourcer’s monthly service reports
C. Perform a review of penalty clauses for non-performance
D. Review an internal audit report from the outsourcer’s auditor
View answer
Correct Answer: C
Question #113
When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor? A. There could be a question regarding the legal jurisdiction.
B. Having a provider abroad will cause excessive costs in future audits
C. The auditing process will be difficult because of the distance
D. There could be different auditing norms
View answer
Correct Answer: A
Question #114
An organization using instant messaging to communicate with customers can prevent legitimate customers from being impersonated by:
A. using call monitoring
B. using firewalls to limit network traffic to authorized ports
C. logging conversations
D. authenticating users before conversations are initiated
View answer
Correct Answer: C
Question #115
Which of the following PBX feature provides the possibility to break into a busy line to inform another user of an important message?
A. Account Codes
B. Access Codes
C. Override
D. Tenanting
View answer
Correct Answer: C
Question #116
The performance of an order-processing system can be measured MOST reliably by monitoring:
A. input/request queue length
B. turnaround time of completed transactions
C. application and database servers’ CPU load
D. heartbeats between server systems
View answer
Correct Answer: B
Question #117
An employee loses a mobile device resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?
A. Awareness training for mobile device users
B. Data encryption on the mobile device
C. The triggering of remote data wipe capabilities
D. Complex password policy for mobile devices
View answer
Correct Answer: A
Question #118
The quality assurance (QA) function should be prevented from:
A. developing naming conventions
B. establishing analysis techniques
C. amending review procedures
D. changing programs for business functions
View answer
Correct Answer: D
Question #119
Which of the following is MOST likely to result from a business process reengineering (BPR) project? A. An increased number of people using technology
B. Significant cost savings, through a reduction in the complexity of information technology
C. A weaker organizational structures and less accountability
D. Increased information protection (IP) risk will increase
View answer
Correct Answer: D
Question #120
An information security risk analysis BEST assists an organization in ensuring that:
A. cost-effective decisions are made with regard to which assets need protection
B. the organization implements appropriate security technologies
C. the infrastructure has the appropriate level of access control
D. an appropriate level of funding is applied to security processes
View answer
Correct Answer: C
Question #121
Which of the following is BEST for providing uninterrupted services?
A. Snapshots
B. Differential backup
C. Televaulting
D. Mirroring
View answer
Correct Answer: C
Question #122
Business process re-engineering often results in ___________________ automation, which results in ____________ number of people using technology. Fill in the blanks. A. Increased; a greater
B. Increased; a fewer
C. Less; a fewer
D. Increased; the same
View answer
Correct Answer: A
Question #123
When using digital signatures, a sender transmits an encrypted message digest. This ensures that the:
A. message is not intercepted during transmission
B. message is not altered during transmission
C. message sender obtains acknowledgement of delivery
D. message remains confidential during transmission
View answer
Correct Answer: C
Question #124
Based on the guidance of internal audit, an IT steering committee is considering the use of a balanced scorecard to evaluate its project management process. Which of the following is the GREATEST advantage to using this approach?
A. Project schedule and budget management will improve
B. Performance is measured from different perspectives
C. Information is provided in a consistent and timely manner
D. Project will be prioritized based on value
View answer
Correct Answer: C
Question #125
Which of the following is a substantive test?
A. Checking a list of exception reports
B. Ensuring approval for parameter changes C
D. Reviewing password history reports
View answer
Correct Answer: B
Question #126
An organization’s current end-user computing practices include the use of a spreadsheet for financial statements. Which of the following is the GREATEST concern?
A. Formulas are not protected against unintended changes
B. The spreadsheet contains numerous macros
C. Operational procedures have not been reviewed in the current fiscal year
D. The spreadsheet is not maintained by IT
View answer
Correct Answer: A
Question #127
During a follow-up audit, an IS auditor discovers that a recommendation has not been implemented. However, the auditee has implemented a manual workaround that addresses the identified risk, through far less efficiency than the recommended action would. Which of the following would be the auditor’s BEST course of action?
A. Notify management that the risk has been addressed and take no further action
B. Escalate the remaining issue for further discussion and resolution
View answer
Correct Answer: A
Question #128
A successful risk-based IT audit program should be based on:
A. an effective scoring system
B. an effective PERT diagram
C. an effective departmental brainstorm session
D. an effective organization-wide brainstorm session
E. an effective yearly budget
F. None of the choices
View answer
Correct Answer: C
Question #129
The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a(n):
A. Implementor
B. Facilitator
C. Developer
D. Sponsor
View answer
Correct Answer: A

View The Updated ISACA Exam Questions

SPOTO Provides 100% Real ISACA Exam Questions for You to Pass Your ISACA Exam!

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: