ISACA CISA Exam Questions
Page 10 of 50
181.
In data architecture, which layer is responsible for copying data and transforming it into a data warehouse format?
- Data staging and quality layer
- Presentation layer
- Data preparation layer
- Data access layer
Correct answer: Data staging and quality layer
The data staging and quality layer is responsible for copying data from the source systems and transforming it into the data warehouse format. It also checks the data for reliability: source systems occasionally deliver faulty data, such as numbers that have been reformatted, and the staging and quality layer must be able to detect and handle such problems before the data is loaded.
The presentation layer is where users directly access the data. The data preparation layer is where data is prepared for data marts. The data access layer connects the data staging and quality layer with the data stores in the data source layer.
182.
Which metric should be used to define the periodic basis from which files should be backed up?
- RPO
- RTO
- MTD
- MTBF
Correct answer: RPO
The recovery point objective (RPO) is the metric that defines the acceptable amount of data loss for a process, and therefore how often data must be backed up. For example, a heavily used system may back up data every hour so that no more than one hour of data is lost in an incident.
The recovery time objective (RTO) is the acceptable amount of time until the process is restored after an outage. The maximum tolerable downtime (MTD) is the limit to downtime before a company's survivability is at stake. The mean time between failures (MTBF) is the average time between failures for a system.
183.
In today's computing environment, many devices deliver application services, including many types of servers. What is a server that is an intermediate link between users and resources?
- Proxy server
- File server
- Application server
- Web server
Correct answer: Proxy server
A proxy server sits between users and the resources they request and retrieves those resources on their behalf, replacing direct access. Because a proxy can cache content and filter, inspect, or log the traffic passing through it, access through a proxy can be both faster and more secure than direct access.
A file server provides access to files and programs. An application server hosts software programs. A web server provides information and services through web pages.
184.
A disaster recovery team needs to start building recovery capabilities and procedures for a company's CRM systems. Which metric will let them know the maximum data loss the company can tolerate?
- RPO
- RTO
- MTD
- MTTR
Correct answer: RPO
The recovery point objective (RPO) gives the maximum data loss that is acceptable for a system or process. This information will be used by the disaster recovery team when planning recovery procedures.
The recovery time objective (RTO) is the target amount of time to restore the system. The maximum tolerable downtime (MTD) is the time at which an outage threatens the survival of a company. The mean time to recovery (MTTR) is the average time it takes to recover a process after failure.
185.
What is a firecall ID procedure?
- Keeping the administrator password in a sealed envelope in a locked cabinet
- Ensuring that passwords are changed every 30 days
- Masking passwords whenever they appear on computer screens
- Prohibiting the reuse of passwords within a predefined period
Correct answer: Keeping the administrator password in a sealed envelope in a locked cabinet
The administrator password should be known to as few people as possible, ideally one, which creates a problem when emergency access is needed and that person is unavailable. A common solution is to keep the password in a sealed envelope in a locked cabinet that only senior management can open. This emergency-access arrangement is called a firecall ID procedure. Each use of the envelope should be logged and followed by a password change.
Because the administrator account has full access to the system, such special policies are needed to govern its use.
186.
Organizations need an acceptable use policy for their IT equipment and services. Unacceptable usage of IT equipment and services can expose a company to which of the following?
- Virus attacks and the compromise of network services
- Software server failures
- Misclassification of data security levels
- Users accessing network resources that they do not need to perform their job duties
Correct answer: Virus attacks and the compromise of network services
Personnel should always understand what constitutes safe use of IT equipment and services. Unacceptable use of an organization's IT equipment and services can expose it to virus attacks and the compromise of network services. Every organization needs policies to protect itself; for example, it is common practice to require new employees to sign an acceptable use policy before they are given access to the organization's IT equipment and services.
An acceptable use policy does not address server failures. A data classification policy describes the security classifications of data. Access control policies define which resources are available to which users or groups in the organization.
187.
An administrator wants to secure the point where data from one application is sent to other applications. On what type of security are they focusing?
- System interfaces
- User interfaces
- End-user computing
- Access management
Correct answer: System interfaces
System interfaces are the points where one application sends data to other applications. Tracking and managing these interfaces is important for maintaining an audit trail of what data was exchanged, and with whom.
User interfaces involve humans. End-user computing refers to the policies governing user devices such as desktops and mobile devices. Access management controls user and system access to IT resources; it does not ensure the confidentiality, integrity, and availability of system interfaces.
188.
How does an integrity CRC checker work?
- Determining whether changes have been made to files
- Interpreting SSL calls
- Blocking insecure protocols with a firewall
- Running a trend analysis on newly added files
Correct answer: Determining whether changes have been made to files
Integrity CRC checkers compute a checksum, the cyclic redundancy check (CRC), from each program while it is known to be malware-free and store the value in a database. On each scan the CRC is recomputed and compared with the stored value. An unchanged CRC is taken to mean the file is uninfected; a changed CRC means the file was modified, possibly by malware.
The problem with CRC checkers is that they only detect malware after it has already changed a file. A further weakness is that a CRC is an error-detecting code, not a cryptographic hash: an attacker who modifies a file can adjust or append a few bytes so that the original CRC is preserved. Modern integrity checkers therefore use cryptographic hashes such as SHA-256 and protect the baseline database itself.
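As an added example that is not part of the original question set, the following Python implements the baseline-and-scan integrity checker just described, recording both a CRC-32 and a SHA-256 per file, and then shows why the CRC alone is weak: a constructed tampered file is fixed up with four appended bytes so that its CRC-32 matches the baseline again, while the SHA-256 comparison still flags it. The file name and contents are constructed samples, not real binaries.

```python
import hashlib
import zlib

# CRC-32 (IEEE 802.3, reflected) lookup table, built the same way zlib builds it.
CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    CRC_TABLE.append(_c)

# The top byte of every table entry is distinct, which is what lets one CRC step
# be undone: the top byte of the new register identifies the table entry used.
REV_TOP = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}
assert len(REV_TOP) == 256


def crc32_of(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record a CRC-32 and a SHA-256 for every file while it is known to be clean."""
    return {name: {"crc32": crc32_of(content), "sha256": sha256_of(content)}
            for name, content in files.items()}


def scan(files: dict, baseline: dict) -> dict:
    """Recompute both values and compare; True means the value no longer matches."""
    return {name: {"crc32_changed": crc32_of(content) != baseline[name]["crc32"],
                   "sha256_changed": sha256_of(content) != baseline[name]["sha256"]}
            for name, content in files.items()}


def forge_crc32(data: bytes, target: int) -> bytes:
    """Append four bytes so that crc32(result) == target (the classic CRC fix-up).

    CRC is linear over GF(2): feeding bytes X into register r gives the same
    result as feeding four zero bytes into register r ^ X, and a zero-byte step
    can be undone exactly, so the patch is r ^ (target with four zero steps undone).
    """
    reg = crc32_of(data) ^ 0xFFFFFFFF          # zlib's internal register after `data`
    t = (target & 0xFFFFFFFF) ^ 0xFFFFFFFF     # register value that yields `target`
    for _ in range(4):                         # undo four zero-byte CRC steps
        idx = REV_TOP[t >> 24]
        t = (((t ^ CRC_TABLE[idx]) << 8) & 0xFFFFFFFF) | idx
    patch = reg ^ t
    return data + patch.to_bytes(4, "little")


def demo() -> dict:
    """Constructed scenario: a tampered file whose CRC-32 is restored to the baseline value."""
    clean = {"app.bin": b"constructed clean program image\n"}  # constructed sample, not a real binary
    baseline = build_baseline(clean)
    tampered = clean["app.bin"] + b"\x90\x90 constructed malicious stub"  # constructed modification
    forged = forge_crc32(tampered, baseline["app.bin"]["crc32"])
    return scan({"app.bin": forged}, baseline)["app.bin"]


if __name__ == "__main__":
    print(demo())  # {'crc32_changed': False, 'sha256_changed': True}
```

The fix-up shown here appends its four bytes, so the file grows; the same linear property lets an attacker overwrite four bytes at any chosen position instead, so recording file sizes does not rescue a CRC-based checker. The defence is a cryptographic hash (SHA-256 or stronger) together with a baseline database the attacker cannot rewrite, for example one that is signed or stored off the monitored host.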
189.
CPM is one important approach to project scheduling. All the following are true of the critical path EXCEPT:
- There are many algorithmic resource-leveling methods available.
- Activities can be crashed (i.e., the time to completion is shortened while the cost goes up).
- If tasks go according to schedule, their duration gives the shortest possible completion time for the project.
- If an activity is on the critical path, it has zero slack time.
Correct answer: There are many algorithmic resource-leveling methods available.
There are relatively few algorithmic resource-leveling methods available in the critical path method (CPM). A critical path is the sequence of activities whose total duration is longer than that of any other path through the network, so it determines the shortest possible completion time for the project.
Activities on the critical path have zero slack time. The critical path is computed with a forward pass through the project, calculating how soon each activity can finish until the earliest possible completion time for the whole project is known. A backward pass then calculates the latest time each activity may finish without delaying the project, and the slack of each activity is the difference between its latest and earliest times.
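As an added example that is not part of the original question set, the following Python carries out the forward and backward passes just described on a constructed five-activity network, reports the slack of each activity and the critical path, and demonstrates crashing: shortening a critical activity shortens the project, while shortening a non-critical activity does not. Activity names, durations, and dependencies are made up for the example.

```python
from collections import deque

# Constructed five-activity network: name -> (duration in days, predecessors)
SAMPLE_NETWORK = {
    "A": (3, []),
    "B": (2, ["A"]),
    "C": (4, ["A"]),
    "D": (2, ["B", "C"]),
    "E": (1, ["D"]),
}


def _topological_order(activities):
    """Kahn's algorithm; raises if the network contains a cycle."""
    successors = {name: [] for name in activities}
    indegree = {name: len(preds) for name, (_, preds) in activities.items()}
    for name, (_, preds) in activities.items():
        for p in preds:
            successors[p].append(name)
    queue = deque(name for name, d in indegree.items() if d == 0)
    order = []
    while queue:
        name = queue.popleft()
        order.append(name)
        for s in successors[name]:
            indegree[s] -= 1
            if indegree[s] == 0:
                queue.append(s)
    if len(order) != len(activities):
        raise ValueError("activity network contains a cycle")
    return order, successors


def critical_path(activities):
    """Forward pass (ES/EF), backward pass (LS/LF), slack, and the critical path."""
    order, successors = _topological_order(activities)
    es, ef = {}, {}
    for name in order:                       # forward pass: earliest start/finish
        duration, preds = activities[name]
        es[name] = max((ef[p] for p in preds), default=0)
        ef[name] = es[name] + duration
    project_duration = max(ef.values())
    ls, lf = {}, {}
    for name in reversed(order):             # backward pass: latest start/finish
        duration, _ = activities[name]
        lf[name] = min((ls[s] for s in successors[name]), default=project_duration)
        ls[name] = lf[name] - duration
    slack = {name: ls[name] - es[name] for name in order}
    return {
        "duration": project_duration,
        "es": es, "ef": ef, "ls": ls, "lf": lf,
        "slack": slack,
        "critical": [name for name in order if slack[name] == 0],
    }


def crash(activities, name, days):
    """Return a copy of the network with one activity shortened by `days` (never below 1 day)."""
    duration, preds = activities[name]
    crashed = dict(activities)
    crashed[name] = (max(1, duration - days), list(preds))
    return crashed


if __name__ == "__main__":
    base = critical_path(SAMPLE_NETWORK)
    print("duration", base["duration"], "critical", base["critical"], "slack", base["slack"])
    print("crash C by 1 day:", critical_path(crash(SAMPLE_NETWORK, "C", 1))["duration"])  # 9
    print("crash B by 1 day:", critical_path(crash(SAMPLE_NETWORK, "B", 1))["duration"])  # 10
```

In the sample network the critical path is A, C, D, E with a duration of 10 days; B has two days of slack, so crashing B buys nothing, whereas crashing C by one day brings the project in at 9 days. Crashing raises cost, so in practice it is applied only to critical activities, and only until a second path becomes critical.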
190.
What is the first thing that needs to be taken into account when a disaster occurs at an organization?
- Personnel safety
- Damage assessment
- Recovery operations
- Documentation
Correct answer: Personnel safety
The first step in a disaster is to ensure the safety of all personnel. Depending on the type of disaster, this could mean evacuating a building or sheltering in place.
Damage assessment, recovery operations, and documentation can be done after the safety of personnel has been addressed.
191.
A team of developers has been working on a project at their company. Since the project started, the market has changed a lot, affecting the usage of the project. What should the company do to address this issue?
- Re-evaluate the project at a key milestone
- Have the developers decide whether they want to continue the project
- Create a business case for the project
- Stop the project immediately until a new plan has been developed
Correct answer: Re-evaluate the project at a key milestone
A project's business case should be re-evaluated at key milestones to be sure that it is still relevant. During the project, risks, costs, or other changes could affect the usefulness of the project.
The decision to continue or stop a project belongs to the stakeholders together with the developers, not to the developers alone. The business case should be created at the start of the project, not in response to a market change. Stopping the project immediately until a new plan has been developed is less appropriate than re-evaluating it at a key milestone.
192.
An IS auditor is examining a company's automated job scheduling. When looking at their daily job schedule, what is a key question to consider?
- Are operators provided with a schedule of the work to be done?
- Were all jobs completed according to schedule?
- Did all exception processing requests get recorded?
- What procedures were used to re-run jobs if appropriate?
Correct answer: Are operators provided with a schedule of the work to be done?
When reviewing the daily job schedule, it is important to ask if operators were provided with a schedule for the work. It's also important to ask questions such as whether the number of personnel is adequate, whether there is an audit trail, and whether a statement of work completed is handed off after a shift.
Asking if all jobs were completed according to schedule is done during the review of the console log. Asking if all exception processing requests were recorded occurs when reviewing exception processing logs. Asking what procedures are used to re-run jobs if appropriate is done when checking re-executed jobs.
193.
What is an example of a productivity metric that can be measured to determine the success of a project?
- Number of transactions per user
- Number of customer disputes
- Monetary value of IT assets
- Number of fraudulent transactions
Correct answer: Number of transactions per user
In order to evaluate the success of a project, it is important to identify metrics and measure them before and after the project. Looking at the number of transactions per user is a metric for productivity.
The number of customer disputes and the number of fraudulent transactions are metrics for quality. The monetary value of IT assets is a metric for economic value.
194.
When gathering evidence, what can an auditor look at to see security events that have occurred at the audited organization?
- Incident log
- Risk register
- Service level agreements
- Operations manuals
Correct answer: Incident log
An incident log shows security incidents that have occurred at the organization. It is an important document to look at while gathering evidence.
A risk register lists the risks identified for the organization. Service level agreements (SLAs) define the service levels agreed with third-party providers. Operations manuals are IS system documentation.
195.
There are two different cost factors that need to be considered for a business impact analysis. The first is downtime cost. What is the second?
- The cost of alternative corrective measures
- The cost of breaking regulations
- The cost of insurance coverage
- The cost of end-user computing
Correct answer: The cost of alternative corrective measures
The cost of alternative corrective measures includes the cost of insurance coverage, the cost of the business continuity plan (BCP), the cost of off-site disaster recovery facilities, and so on. Downtime cost includes the cost of idle resources, lost sales, loss of goodwill, and so on.
Downtime cost grows quickly with the passage of time until it stops growing because the business cannot function anymore. The cost of alternative measures varies with the chosen recovery time.
196.
An auditor is checking a client's database system to ensure that it has proper controls. The company says that the database administrator is on vacation, so they have a network administrator supply the requested information to the auditor. When trying to get information about data access controls, the network administrator instead sends information on performance.
What issue is the auditor facing with regard to collecting evidence during the audit?
- Qualifications of the evidence provider
- Independence of the evidence provider
- Objectivity
- Timing
Correct answer: Qualifications of the evidence provider
When collecting evidence, an auditor needs to work with qualified individuals from the audited organization. Sometimes, an auditee may provide unqualified personnel in an attempt to hide information.
The independence of the evidence provider refers to getting evidence from outside sources. Objectivity refers to evidence that is more objective than subjective. Timing refers to information that may be lost if not collected quickly, such as log files.
197.
What does the term SCADA represent?
- Supervisory control and data acquisition
- Supervisory centralized allocated data acquisition
- Specific control and data acquisition
- Supervisory control and data archiving
Correct answer: Supervisory control and data acquisition
As technology advances and the need to capture data at its point of origin grows, organizations deploy automated data acquisition systems. These range from barcode readers to systems known as supervisory control and data acquisition (SCADA). The term SCADA typically refers to centralized systems that monitor and control entire sites, or complexes of systems distributed over large geographic areas.
An example would be the automated systems used on oil rigs to measure and control the extraction of oil and control the temperature and flow of the water.
198.
An IS auditor needs to verify that a software acquisition has which of the following?
- Adequate security controls
- Measurable deployment efforts
- Auditable acceptance testing
- Functionality that aligns with business goals
Correct answer: Adequate security controls
IS auditors need to verify that an adequate level of security controls is present before an agreement is reached. If security controls are not part of the package, there may be no way to ensure data integrity.
The auditor also needs to ensure adequate audit trails, password controls, and overall security.
199.
What does an integrated audit accomplish?
- It combines financial, operational, and IS audit steps.
- It combines two different IS audits.
- It provides a variation of the administrative audit.
- It combines an audit of two different departments.
Correct answer: It combines financial, operational, and IS audit steps.
An integrated audit is a combination of financial, operational, and IS audit steps. It also assesses the overall objectives of the company as they relate to financial information and the safeguarding of assets. It includes substantive audit steps.
200.
An auditor is auditing a consumer electronics company. The company outsources its payroll processing to a third party. Which type of report should the auditor obtain from the third party to ensure that it has proper controls?
- SSAE 18
- SLA
- PBC list
- RFP
Correct answer: SSAE 18
Statement on Standards for Attestation Engagements (SSAE) 18 is the AICPA attestation standard under which a service organization's auditor issues a report (such as a SOC 1 report) on the organization's controls. Third parties keep such a report ready to give clients assurance that appropriate controls are in place, which lets the client's auditor rely on it instead of auditing the provider directly.
A service level agreement (SLA) defines the service levels a provider commits to for a client. A provided-by-client (PBC) list is the list of documents and information the auditor asks the auditee to supply. A request for proposals (RFP) is a document that invites vendors to submit proposals for a project.