ISACA CISA Exam Questions
Page 3 of 50
41.
On which layer of the OSI model does IPsec operate?
- Network
- Transport
- Data Link
- Session
Correct answer: Network
IPsec is often used for VPNs. It is in the Network Layer.
The Transport Layer includes protocols like TCP and UDP. The Data Link Layer is for sending and receiving Ethernet frames. The Session Layer is for controlling established connections.
42.
A manufacturer implements a quality assurance program to ensure proper procedures are followed during production. They follow ISO 9001-compliant guidelines for their practices. The quality assurance team is composed of individuals who are not involved in producing the product, and they report directly to the manager of the production department. In this situation, what would an auditor recommend in their findings?
- The quality assurance team should be independent.
- The quality assurance team should be involved in producing the product.
- The quality assurance team should follow PCI-DSS.
- The quality assurance team should follow up by testing finished products.
Correct answer: The quality assurance team should be independent.
The quality assurance (QA) team should be independent in order to function effectively, so they should not report directly to the manager of the production department.
The quality assurance team should not be involved in producing the product. PCI-DSS is a standard for payment card processors. A separate quality control (QC) team should follow up by testing finished products.
43.
Which type of denial-of-service attack is capable of permanently damaging hardware?
- Phlashing
- Pulsing zombie
- Banana attack
- Bandwidth-saturating flood attack
Correct answer: Phlashing
A phlashing attack targets firmware in embedded systems. The destruction of the firmware causes the device to crash. This type of attack was demonstrated at conferences by a researcher; it’s never been used by hackers, but security departments need to be aware of all potential vulnerabilities.
A pulsing zombie attack is a DoS attack that occurs in waves. A banana attack redirects outgoing traffic back to the internal network. A bandwidth-saturating flood attack involves the attacker having more bandwidth than the victim.
44.
Duties should be segregated in an IS department to prevent fraud. All these duties should be segregated, EXCEPT:
- Running anti-malware scans
- Authorizing transactions
- Recording transactions
- Custody of assets
Correct answer: Running anti-malware scans
Everyday low-risk tasks do not need segregation of duties, especially in smaller organizations. IT tasks such as installing updates, managing users, or scanning for viruses can be handled by a single person without much risk.
Duties should be segregated in an IS department to prevent fraud. Duties that need to be segregated are duties that could result in fraud if performed by the same person. In IT, these duties include authorization of transactions, recording of transactions, and custody of assets. The segregated duties need to be split among different employees.
45.
Generalized audit software (GAS) usually supports all the following functions EXCEPT:
- Cybersecurity analysis
- Statistical functions
- File reorganization
- Mathematical functions
Correct answer: Cybersecurity analysis
GAS does not include cybersecurity analysis tools. GAS is software that gives IT auditors independent access to data. It includes features for analyzing information statistically and mathematically.
It enables statistical functions such as sampling, stratification, and frequency analysis. It supports file reorganization by enabling indexing, sorting, merging, and linking with another file. It supports mathematical functions by enabling arithmetic operators.
46.
A company is using its system interfaces to transfer data to partner organizations. They want to have an audit trail to ensure proper delivery. What type of information should they include in the audit trail?
- Timestamp of when data was sent and received
- Full contents of the data
- Credentials used to authenticate with remote systems
- Contact information of associated parties
Correct answer: Timestamp of when data was sent and received
Using an audit trail on system interfaces is important for tracking information. Data to collect includes who sent the data, when it was sent, when it was received, and who received it.
The full content of the data would inflate the audit trail size. Credentials used to authenticate with remote systems would be a security risk for putting sensitive information in the audit trail. Contact information could include personally identifiable details.
47.
A risk-based approach can be rather important to a company. What is true about business risk?
- It can negatively impact the assets, processes, or objectives of a specific business or organization.
- It typically can be ignored and dealt with when needed.
- It can be associated with external threats only.
- It can be eliminated entirely.
Correct answer: It can negatively impact the assets, processes, or objectives of a specific business or organization.
Risk is the combination of the probability of an event and its consequences. Business risk may negatively impact a company's assets as well as its processes or objectives. The IS auditor is often focused on high-risk issues associated with confidentiality, availability, or integrity. Depending on materiality, sources of risk (internal and external) should be reviewed and mitigated in a timely manner. The higher the risk is, the quicker action should be taken to reduce the risk.
Risks should be adequately managed rather than ignored. They can come from both internal and external sources. Risks cannot be fully eliminated.
48.
There are three major database structures. What are they?
- Hierarchical, network, and relational
- Network, sequential, and relational
- Random-access, sequential, and network
- Structural, network, and sequential
Correct answer: Hierarchical, network, and relational
The three major database structures are hierarchical, network, and relational. The first two are not in wide use anymore; they've been replaced by relational databases.
A hierarchical database is set up as a hierarchy between parent-child segments. A network database is based on sets. Relational databases are based both on set theory and relational calculations.
49.
An IS auditor has begun planning a review of the security of a financial application used by a Fortune 500 company with campuses all over the world. The application consists of a database with a business logic layer and a web interface overlaying the front end. Users access the application via the local network and from outside the network through a VPN connection.
Which of the following should the auditor do to determine whether the VPN settings require a detailed review?
- Perform a risk analysis
- Consult the opinion of the IT department
- Refer to previous audit documentation and results
- Consult ISACA guidelines and best practices
Correct answer: Perform a risk analysis
To determine whether the firewall and VPN configuration should be included in the audit scope, a risk analysis should be performed, and the results should be documented. Details such as software revisions and hardware would be evaluated; if they present a large enough risk, they should be included in the audit scope.
The auditor should not be influenced by individual departments. Previous audit documentation might not be reliable. ISACA provides general guidelines, but a risk analysis has to be completed separately.
50.
Which of the following is an attack in which the attacker collects small amounts of money from computerized transactions or accounts?
- Salami
- Flooding
- Pharming
- Packet replay
Correct answer: Salami
A salami attack involves slicing small amounts of money from a computerized transaction or account. It is somewhat similar to the rounding down technique, but the salami method takes it a step further. The rounding down method rounds off by the smallest money fraction. With rounding down, a transaction of $9,876,543.21 might be rounded down to $9,876,543.15, but a salami attack might make the total $9,876,543.00 instead, depending on the algorithm/formula used.
A flooding attack involves sending large amounts of traffic on a network. A pharming attack redirects traffic to an attacker's site. A packet replay attack steals sessions between two communicating systems.
51.
What tool can an auditor use to determine whether there are security weaknesses in an enterprise's segregation of duties?
- Control matrix
- Organizational chart
- Acceptable use policy
- Data classification policy
Correct answer: Control matrix
User access rights should be periodically reviewed to determine any segregation of duties (SOD) issues. An enterprise can create its own control matrix so it can see which users have a combination of access rights that should be forbidden.
An organizational chart shows the hierarchy of positions and departments. An acceptable use policy outlines how a user can appropriately use an organization's resources. A data classification policy describes how different types of data should be protected based on sensitivity.
52.
Which statement accurately describes the relationship between ISACA's audit standards and ISACA's audit guidelines?
- IS auditors are expected to follow the standards, while IS auditors use the guidelines to understand how standards can be implemented.
- IS auditors must follow the standards to be legally compliant, while IS auditors use the guidelines to learn how to display proper professional behavior.
- IS auditors use the standards to implement rules in the guidelines, while IS auditors use the guidelines for tools and techniques.
- IS auditors use the standards for planning, while IS auditors use the guidelines for fieldwork and documentation.
Correct answer: IS auditors are expected to follow the standards, while IS auditors use the guidelines to understand how standards can be implemented.
Two publications from ISACA are the Audit and Assurance Standards and the Audit and Assurance Guidelines. The standards are used to tell auditors the rules they must follow, while the guidelines are used to help auditors understand how to implement the standards.
The Code of Professional Ethics document is used to show proper professional behaviors. ISACA publishes separate tools and techniques for use. Planning, fieldwork, and documentation are phases of an audit.
53.
An IT staff member is attempting to automate various tasks at their company. While testing their job scheduling procedures, they come across an issue in which if one job fails, it causes problems with subsequent jobs. What type of solution would help in this situation?
- Specifying job dependencies in job scheduling software
- Maintaining records of all jobs that have failed
- Keeping operators on call during job processing
- Disabling the job schedules that are problematic
Correct answer: Specifying job dependencies in job scheduling software
By using job scheduling software, IT staff can define dependencies. If a job fails, the jobs that depend on it will not be processed.
Maintaining records of all jobs that have failed does not address the issue. Keeping operators on call during job processing does not help with automation. Disabling the job schedules that are problematic will not fix the issue.
54.
Which of the following would fall under a detective control classification?
- Adding checkpoints in production jobs
- Employing only qualified personnel
- Using backup procedures
- Having disaster recovery planning
Correct answer: Adding checkpoints in production jobs
A detective control detects errors and reports their occurrence; examples include reports of past-due accounts and checks on production runs. A CISA candidate should be familiar with the differences between preventive, detective, and corrective controls.
An example of preventive control would be employing only qualified personnel or using encryption software to protect assets. Corrective controls move to minimize the impact of a threat, such as with backup procedures and disaster recovery planning.
55.
One important network management tool is the response time report. All the following statements are true about response time reports EXCEPT:
- They track telecommunication interruptions caused by power line failures or traffic overloads.
- They record the time necessary for a response after a command is entered.
- They report average, worst, and best response times.
- The reports should be reviewed, and potential problems should be addressed.
Correct answer: They track telecommunication interruptions caused by power line failures or traffic overloads.
Telecommunication interruptions and power failures are better tracked in downtime reports. Response time reports track items like the time necessary for a command entered at a terminal to receive a response. It's important for response time to be reasonable in order for users to make full use of the system. Slow response times should be investigated, and appropriate corrective actions should be taken.
Downtime reports track telecommunication interruptions caused by power line failures or traffic overloads.
56.
A data life cycle, as explained by COBIT, should consist of six phases. What are these six phases?
- Plan, Design, Build/Acquire, Use/Operate, Monitor, Dispose
- Plan, Develop, Manage, Use/Operate, Monitor, Dispose
- Inspect, Plan, Build/Acquire, Use/Operate, Monitor, Dispose
- Inspect, Plan, Build/Acquire, Use/Operate, Manage, Destroy
Correct answer: Plan, Design, Build/Acquire, Use/Operate, Monitor, Dispose
According to COBIT, the data life cycle consists of six phases:
- Plan: The phase in which the creation, acquisition, and use of the information resource are prepared.
- Design: The phase in which more detailed work is done, specifying how the information will look and how systems processing the info will have to work.
- Build/Acquire: In this phase, the information resource is acquired.
- Use/Operate: This phase includes functions such as:
  - Store
  - Share
  - Use
- Monitor: In this phase, the information resource is verified to continue to work properly.
- Dispose: The phase in which the information resource is transferred or retained for a defined period, destroyed, or handled as part of an archive, as needed.
57.
Which tool is used in problem management to ensure that incidents do not reoccur?
- KEDB
- SLA
- SDLC
- CMDB
Correct answer: KEDB
In IT service management systems, a known error database (KEDB) allows staff to search for and locate solutions to issues encountered previously. This saves time and gives much faster response times, while also letting management notice trending problems. If enough duplicate issues occur, fixes can be sent preemptively to systems that have yet to be affected.
A service-level agreement (SLA) is used to ensure a standard of service from a provider to a client. The software development lifecycle (SDLC) is a framework for planning, developing, testing, and deploying software. A configuration management database (CMDB) is used to store system configurations.
58.
An auditor is looking at how an organization classifies its data. They notice they have labels of "secret," "restricted," "confidential," and "public." Which type only needs access controls when it is being updated?
- Public
- Secret
- Restricted
- Confidential
Correct answer: Public
Public data can be accessed by anyone. However, access controls must be in place to update the information in public data.
Secret, restricted, and confidential data require more access controls than public data.
59.
What can lead to a company having a false sense of security?
- Having poorly implemented controls
- Using risk avoidance
- Conducting regular risk assessments
- Being externally audited
Correct answer: Having poorly implemented controls
If a company has implemented controls, it may believe it is immune to certain risks. However, the controls may be poorly implemented or improperly maintained, leaving the organization still vulnerable.
Using risk avoidance will avoid participating in a risky activity. Conducting regular risk assessments will improve security awareness. Being externally audited will expose more security issues.
60.
An auditor is analyzing the inventory of a computer parts retailer. The retailer is concerned by the greater shrinkage of their inventory compared to what is on the books. What type of methodology can the auditor use to compare a sample of the inventory to the bookkeeping number?
- Difference estimation
- Stratified mean per unit
- Discovery sampling
- Stop-or-go sampling
Correct answer: Difference estimation
Difference estimation is used to compare the results of sampling to the results in the books. In this case, the auditor can suspect fraud if the sample points to a number that is different from the number recorded.
Stratified mean per unit divides a population into classes. Discovery sampling is used to detect at least one exception. Stop-or-go sampling can be stopped early before the whole population has been sampled.