CISA Practice Questions

A.  

Independent reconciliation

B.  

Re-keying of wire dollar amounts

C.  

Two-factor authentication control

D.  

System-enforced dual control

A.  

Note the exception in a new report as the item was not addressed by management.

B.  

Recommend alternative solutions to address the repeat finding.

C.  

Conduct a risk assessment of the repeat finding.

D.  

Interview management to determine why the finding was not addressed.

A.  

The company is being sued for false accusations.

B.  

The financial report may contain undetected material errors.

C.  

Employees have been misappropriating funds.

D.  

Key employees have not taken vacation for 2 years.

A.  

Determination of IP range in use

B.  

Analysis of traffic content

C.  

Isolation of rogue access points

D.  

Identification of existing nodes

A.  

Review the documentation of recant changes to implement sequential order numbering.

B.  

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.  

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.  

Examine a sample of system generated purchase orders obtained from management

A.  

Loss of application support

B.  

Lack of system integrity

C.  

Outdated system documentation

D.  

Developer access 1o production

A.  

Review of program documentation

B.  

Use of test transactions

C.  

Interviews with knowledgeable users

D.  

Review of source code

A.  

Testing incident response plans with a wide range of scenarios

B.  

Prioritizing incidents after impact assessment.

C.  

Linking incidents to problem management activities

D.  

Training incident management teams on current incident trends

A.  

CCTV recordings are not regularly reviewed.

B.  

CCTV cameras are not installed in break rooms

C.  

CCTV records are deleted after one year.

D.  

CCTV footage is not recorded 24 x 7.

A.  

Utilize a network-based firewall.

B.  

Conduct regular user security awareness training.

C.  

Perform domain name system (DNS) server security hardening.

D.  

Enforce a strong password policy meeting complexity requirement.

A.  

promote best practices

B.  

increase efficiency.

C.  

optimize investments.

D.  

ensure compliance.

A.  

Rotating backup copies of transaction files offsite

B.  

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.  

Maintaining system console logs in electronic formal

D.  

Ensuring bisynchronous capabilities on all transmission lines

A.  

Temperature sensors

B.  

Humidity sensors

C.  

Water sensors

D.  

Air pressure sensors

A.  

A formal request for proposal (RFP) process

B.  

Business case development procedures

C.  

An information asset acquisition policy

D.  

Asset life cycle management.

A.  

Improved disaster recovery

B.  

Better utilization of resources

C.  

Stronger data security

D.  

Increased application performance

A.  

Lack of chief information officer (CIO) involvement in board meetings

B.  

Insufficient IT budget to execute new business projects

C.  

Lack of information security involvement in business strategy development

D.  

An IT steering committee chaired by the chief information officer (CIO)

A.  

Separate authorization for input of transactions

B.  

Statistical sampling of adjustment transactions

C.  

Unscheduled audits of lost stock lines

D.  

An edit check for the validity of the inventory transaction

A.  

Restricting evidence access to professionally certified forensic investigators

B.  

Documenting evidence handling by personnel throughout the forensic investigation

C.  

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.  

Engaging an independent third party to perform the forensic investigation

A.  

Mobile device tracking program

B.  

Mobile device upgrade program

C.  

Mobile device testing program

D.  

Mobile device awareness program

A.  

Leverage the work performed by external audit for the internal audit testing.

B.  

Ensure both the internal and external auditors perform the work simultaneously.

C.  

Request that the external audit team leverage the internal audit work.

D.  

Roll forward the general controls audit to the subsequent audit year.

A.  

some of the identified throats are unlikely to occur.

B.  

all identified throats relate to external entities.

C.  

the exercise was completed by local management.

D.  

neighboring organizations operations have been included.

A.  

Use an electronic vault for incremental backups

B.  

Deploy a fully automated backup maintenance system.

C.  

Periodically test backups stored in a remote location

D.  

Use both tape and disk backup systems

A.  

Unit testing

B.  

Pilot testing

C.  

System testing

D.  

Integration testing

A.  

Users are not required to change their passwords on a regular basis

B.  

Management does not review application user activity logs

C.  

User accounts are shared between users

D.  

Password length is set to eight characters

A.  

SIEM reporting is customized.

B.  

SIEM configuration is reviewed annually

C.  

The SIEM is decentralized.

D.  

SIEM reporting is ad hoc.

A.  

Inability of the network intrusion detection system (IDS) to monitor virtual server-lo-server communications

B.  

Vulnerability in the virtualization platform affecting multiple hosts

C.  

Data center environmental controls not aligning with new configuration

D.  

System documentation not being updated to reflect changes in the environment

A.  

each information asset is to a assigned to a different classification.

B.  

the security criteria are clearly documented for each classification

C.  

Senior IT managers are identified as information owner.

D.  

the information owner is required to approve access to the asset

A.  

Network penetration tests are not performed

B.  

The network firewall policy has not been approved by the information security officer.

C.  

Network firewall rules have not been documented.

D.  

The network device inventory is incomplete.

A.  

Determine the resources required to make the controleffective.

B.  

Validate the overall effectiveness of the internal control.

C.  

Verify the impact of the control no longer being effective.

D.  

Ascertain the existence of other compensating controls.

A.  

Server room access history

B.  

Emergency change records

C.  

IT security incidents

D.  

Penetration test results

A.  

Simple mail transfer protocol (SMTP)

B.  

Simple object access protocol (SOAP)

C.  

Hypertext transfer protocol (HTTP)

D.  

File transfer protocol (FTP)

A.  

security parameters are set in accordance with the manufacturer s standards.

B.  

a detailed business case was formally approved prior to the purchase.

C.  

security parameters are set in accordance with the organization's policies.

D.  

the procurement project invited lenders from at least three different suppliers.

A.  

Ensure that paper documents arc disposed security.

B.  

Implement an intrusion detection system (IDS).

C.  

Verify that application logs capture any changes made.

D.  

Validate that all data files contain digital watermarks

A.  

The IT strategy is modified in response to organizational change.

B.  

The IT strategy is approved by executive management.

C.  

The IT strategy is based on IT operational best practices.

D.  

The IT strategy has significant impact on the business strategy

A.  

Statistical metrics measuring capacity utilization

B.  

Operations report of user dissatisfaction with response time

C.  

Tuning of system software to optimize resource usage

D.  

Report of off-peak utilization and response time

A.  

Level of stakeholder satisfaction with the scope of planned IT projects

B.  

Percentage of enterprise risk assessments that include IT-related risk

C.  

Percentage of stat satisfied with their IT-related roles

D.  

Frequency of business process capability maturity assessments

A.  

Notify law enforcement of the finding.

B.  

Require the third party to notify customers.

C.  

The audit report with a significant finding.

D.  

Notify audit management of the finding.

A.  

The BCP's contact information needs to be updated

B.  

The BCP is not version controlled.

C.  

The BCP has not been approved by senior management.

D.  

The BCP has not been tested since it was first issued.

A.  

Review a report of security rights in the system.

B.  

Observe the performance of business processes.

C.  

Develop a process to identify authorization conflicts.

D.  

Examine recent system access rights violations.

A.  

Process and resource inefficiencies

B.  

Irregularities and illegal acts

C.  

Noncompliance with organizational policies

D.  

Misalignment with business objectives

A.  

Risk avoidance

B.  

Risk transfer

C.  

Risk acceptance

D.  

Risk reduction

A.  

Restricting program functionality according to user security profiles

B.  

Restricting access to update programs to accounts payable staff only

C.  

Including the creator’s user ID as a field in every transaction record created

D.  

Ensuring that audit trails exist for transactions

A.  

The applications are not included in business continuity plans (BCFs)

B.  

The applications may not reasonably protect data.

C.  

The application purchases did not follow procurement policy.

D.  

The applications could be modified without advanced notice.

A.  

Identify approved data workflows across the enterprise.

B.  

Conduct a threat analysis against sensitive data usage.

C.  

Create the DLP pcJc.es and templates

D.  

Conduct a data inventory and classification exercise

A.  

Local managers are solely responsible for risk evaluation.

B.  

IT risk management is separate from corporate risk management.

C.  

Risk management strategy is approved by the audit committee.

D.  

Risk evaluation is embedded in management processes.

A.  

Analyze a new application that moots the current re

B.  

Perform an analysis to determine the business risk

C.  

Bring the escrow version up to date.

D.  

Develop a maintenance plan to support the application using the existing code

A.  

IT steering committee minutes

B.  

Business objectives

C.  

Alignment with the IT tactical plan

D.  

Compliance with industry best practice

A.  

Users can export application logs.

B.  

Users can view sensitive data.

C.  

Users can make unauthorized changes.

D.  

Users can install open-licensed software.

A.  

Assign the security risk analysis to a specially trained member of the project management office.

B.  

Deploy changes in a controlled environment and observe for security defects.

C.  

Include a mandatory step to analyze the security impact when making changes.

D.  

Mandate that the change analyses are documented in a standard format.

A.  

The quality of the data is not monitored.

B.  

Imported data is not disposed frequently.

C.  

The transfer protocol is not encrypted.

D.  

The transfer protocol does not require authentication.