Download CISA Exam Practice Questions: Information Security Auditing and more Exams Business Economics in PDF only on Docsity!
CISA Practice Questions
In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer? Correct A. Nonrepudiation B. Encryption C. Authentication D. Integrity
. correct answer You are correct, the answer is A. A. Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message. B. Encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made. C. Authentication is necessary to establish the identification of all parties to a communication. D. Integrity ensures that transactions are accurate but does not provide the identification of the customer Which of the following BEST ensures the integrity of a server's operating system (OS)? A. Protecting the server in a secure location
B. Setting a boot password Correct C. Hardening the server configuration D. Implementing activity logging correct answer You are correct, the answer is C. A. Protecting the server in a secure location is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the operating system (OS). B. Setting a boot password is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS. C. Hardening a system means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS. D. Activity logging has two weaknesses in this scenario—it is a detective control (not a preventive one), and the attacker who already gained privileged access can modify logs or disable them. The IS auditor is reviewing an organization's human resources (HR) database implementation. The IS auditor discovers that the database servers are clustered for high availability, all default database accounts have been removed and database audit logs are kept and reviewed on a weekly basis. What other area should the IS auditor check to ensure that the databases are appropriately secured? A. Database digital signatures Incorrect B. Database encryption nonces and other variables C. Database media access control (MAC) address authentication
A. Even if replication is be conducted manually with due care, there still remains a risk to copying unauthorized software from one server to another. B. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Only moving the versions on the version control system (VCS) program will prevent the transfer of development or earlier versions. C. If unauthorized code was introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk. D. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software. A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that: Correct A. the users may not remember to manually encrypt the data before transmission. B. the site credentials were sent to the financial services company via email. C. personnel at the consulting firm may obtain access to sensitive data. D. the use of a shared user ID to the FTP site does not allow for user accountability. correct answer You are correct, the answer is A. A. If the data is not encrypted, an unauthorized external party may download sensitive company data. B. Even though the possibility exists that the logon information was captured from the emails, data should be encrypted, so the theft of the data would not allow the attacker to read it.
C. Some of the employees at the consulting firm will have access to the sensitive data and the consulting firm must have procedures in place to protect the data. D. Tracing accountability is of minimal concern compared to the compromise of sensitive data. In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should: A. identify and assess the risk assessment process used by management. B. identify information assets and the underlying systems. C. disclose the threats and impacts to management. Correct D. identify and evaluate the existing controls. correct answer You are correct, the answer is D. A. The review of the risk assessment process should be done at the start of the risk analysis. Because the threats and impact have already been determined, there must already be a risk assessment process in place. B. It would be impossible to determine impact without first having identified the assets affected; therefore, this must already have been completed. C. Upon completion of a risk assessment, an IS auditor should describe and discuss with management the threats and potential impacts on the assets as well as recommendations for addressing the risk. However, this cannot be done until the controls have been identified and the likelihood of the threat has been calculated.
B. digital signature. Correct C. digital certificate. D. receiver's private key. correct answer You are correct, the answer is C. A. A certificate revocation list (CRL) is the list of certificates that can no longer be trusted. B. A digital signature is used to ensure integrity of the message being sent and solve the nonrepudiation issue of message origination. C. A digital certificate is an electronic document that declares a public key holder is who the holder claims to be. The certificates do handle data authentication as they are used to determine who sent a particular message. D. The sender's public key cannot be opened by any key except the sender's private key. When performing a review of a business process reengineering (BPR) effort, which of the following choices would be the PRIMARY concern? A. Controls are eliminated as part of the BPR effort. Incorrect B. Resources are not adequate to support the BPR process. C. The audit department is not involved in the BPR effort. D. The BPR effort includes employees with limited knowledge of the process area. correct answer You answered B. The correct answer is A.
A. A primary risk of business process reengineering (BPR) is that controls are eliminated as part of the reengineering effort. This would be the primary concern. B. The BPR process can be a resource-intensive initiative; however, the more important issue is whether critical controls are eliminated as a result of the BPR effort. C. While BPR efforts often involve many different business functions, it would not be a significant concern if audit were not involved, and, in most cases, it would not be appropriate for audit to be involved in such an effort. D. A recommended best practice for BPR is to include individuals from all parts of the enterprise, even those with limited knowledge of the process area. Therefore, this would not be a concern. An IS auditor suspects an incident (attack) is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST? A. Request that the system be shut down to preserve evidence. B. Report the incident to management. C. Ask for immediate suspension of the suspect accounts. Incorrect D. Immediately investigate the source and nature of the incident. correct answer You answered D. The correct answer is B. A. The IS auditor should follow the incident response process of the organization. The auditor is not authorized to shut the system down.
D. Database commits ensure that the data are saved after the transaction processing is completed. Rollback ensures that the processing that has been partially completed as part of the transaction is reversed back and not saved if the entire transaction does not complete successfully. Which of the following would be evaluated as a preventive control by an IS auditor performing an audit? A. Transaction logs B. Before and after image reporting Correct C. Table lookups D. Tracing and tagging correct answer You are correct, the answer is C. A. Transaction logs are a detective control and provide audit trails. B. Before and after image reporting makes it possible to trace the impact that transactions have on computer records. This is a detective control. C. Table lookups are preventive controls; input data are checked against predefined tables, which prevent any undefined data to be entered. D. Tracing and tagging is used to test application systems and controls, but is not a preventive control in itself. As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through: Correct A. performance measurement.
B. strategic alignment. C. value delivery. D. resource management. correct answer You are correct, the answer is A. A. Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Transparency is primarily achieved through performance measurement because it provides information to the stakeholders on how well the enterprise is performing when compared to objectives. B. Strategic alignment primarily focuses on ensuring linkage of business and IT plans, not on transparency. C. Value delivery is about executing the value proposition throughout the delivery cycle. Value delivery ensures that IT investments deliver on promised values, but does not ensure transparency of investment. D. Resource management is about the optimal investment in and proper management of critical IT resources, but does not ensure transparency of IT investments. Which of the following choices is the MOST effective control that should be implemented to ensure accountability for application users accessing sensitive data in the human resource management system (HRMS) and among interfacing applications to the HRMS? A. Two-factor authentication B. A digital certificate Correct C. Audit trails
B. A DSS combines the use of models and analytic techniques with traditional data access and retrieval functions, but is not limited by predetermined criteria. C. A DSS emphasizes flexibility in the decision-making approach of management through data analysis and the use of interactive models, not fixed criteria. D. A DSS supports semistructured decision-making tasks. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative? A. Issues of privacy Incorrect B. Wavelength can be absorbed by the human body C. RFID tags may not be removable D. RFID eliminates line-of-sight reading correct answer You answered B. The correct answer is A. A. The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because radio frequency identification (RFID) can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID. B. That wavelength can be absorbed by the human body is a concern of less importance. C. That RFID tags may not be removable is a concern of less importance than the violation of privacy. D. RFID eliminates line-of-sight reading. This is a benefit of RFID, not a concern.
An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment? A. Commands typed on the command line are logged. Correct B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs. C. Access to the operating system command line is granted through an access restriction tool with preapproved rights. D. Software development tools and compilers have been removed from the production environment. correct answer You are correct, the answer is B. A. Having a log is not a control; reviewing the log is a control. B. The matching of hash keys over time would allow detection of changes to files. C. Because the access was already granted at the command line level, it will be possible for the developers to bypass the control. D. Removing the tools from the production environment will not mitigate the risk of unauthorized activity by the developers. An IS auditor is reviewing a manufacturing company and finds that mainframe users at a remote site connect to the mainframe at headquarters over the Internet via Telnet. Which of the following is the BEST recommendation to ensure proper security controls? Correct A. Use of a point-to-point leased line
C. Implementation planning D. Postimplementation review correct answer You are correct, the answer is B. A. The feasibility study is too early for such detailed user involvement. B. During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure that it meets their stated needs. An IS auditor should know at what point user testing should be planned to ensure that it is most effective and efficient. C. The implementation planning phase is when the tests are conducted. It is too late in the process to develop the test plan. D. User acceptance testing should be completed prior to implementation. The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it: A. does not exceed the existing IT budget. B. is aligned with the investment strategy. C. has been approved by the IT steering committee. Correct D. is aligned with the business plan. correct answer You are correct, the answer is D.
A. It should be identified if the project portfolio exceeds the IT budget, but it is not as critical as ensuring that it is aligned with the business plan. B. The project portfolio should be aligned with the investment strategy, but it is most important that it is aligned with the business plan. C. Appropriate approval of the project portfolio should be granted. However, not every enterprise has an IT steering committee, and this is not as critical as ensuring that the projects are aligned with the business plan. D. Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor. During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions? A. One-for-one checking B. Data file security Correct C. Transaction logs D. File updating and maintenance authorization correct answer You are correct, the answer is C. A. One-for-one checking is a control procedure in which an individual document agrees with a detailed listing of documents processed by the system. It would take a long time to complete the research using this procedure. B. Data file security controls prevent access by unauthorized users in their attempt to alter data files. This would not help identify the transactions posted to an account.
D. The procedures for declaring a disaster are important because this can affect response, customer perception and regulatory issues, but not as important as having the right people there when needed. In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems? Incorrect A. Maintaining system software parameters B. Ensuring periodic dumps of transaction logs C. Ensuring grandfather-father-son file backups D. Maintaining important data at an offsite location correct answer You answered A. The correct answer is B. A. Maintaining system software parameters is important for all systems, not just online systems. B. Ensuring periodic dumps of transaction logs is the only safe way of preserving timely historic data. Because online systems do not have a paper trail that can be used to recreate data, maintaining transaction logs is critically important to prevent data loss. The volume of activity usually associated with an online system may make other more traditional methods of backup impractical. C. Having generations of backups is best practice for all systems. D. All backups should consider offsite storage at a location that is accessible but not likely to be affected by the same disaster. The PRIMARY purpose of a business impact assessment (BIA) is to: Correct A. define recovery strategies.
B. identify the alternate site. C. improve recovery testing. D. calculate the annual loss expectancy (ALE). correct answer You are correct, the answer is A. A. One of the primary outcomes of a business impact assessment (BIA) is the recovery time objective (RTO) and the recovery point objective (RPO), which help in defining the recovery strategies. B. A BIA, itself, will not help in identifying the alternate site. That is determined during the recovery strategy phase of the project. C. A BIA, itself, will not help improve recovery testing. That is done during the implementation and testing phase of the project. D. The annual loss expectancy (ALE) of critical business assets and processes is determined during risk assessment and will be reviewed in the BIA, but this is not the primary advantage. Which of the following is the MOST effective type of antivirus software to detect an infected application? A. Scanners B. Active monitors Correct C. Integrity checkers D. Vaccines correct answer You are correct, the answer is C.
