ISACA CISA Exam Questions
81.
Identifying assets that need protection is an important early step in developing a risk management program. Typical IT assets might include all the following EXCEPT:
- Marketing materials
- Personnel
- Documents
- Hardware
Correct answer: Marketing materials
Assets associated with IT need to be prioritized, and the appropriate protection should be identified. Publicly available information (e.g., marketing materials) is not a high-value asset that typically needs protection.
Included items can be used to further refine risk planning. Assigning a value to assets, for example, can assist in prioritization. The included assets are information and data, hardware, software, documents, and personnel.
82.
You are an IS auditor reviewing an organization's infrastructure. You have spoken with the DBA, who has not been allowed to perform database normalization on the current dataset and needs executive approval.
Which of the following should be explained to management as the rationale for database normalization?
- It minimizes information redundancy in the tables.
- It enhances the database to support more queries.
- It improves database integrity by providing data in more than one table.
- It implements access control over sensitive data.
Correct answer: It minimizes information redundancy in the tables.
Database normalization works to remove redundant information from database tables to ensure that the data exists only once and in one place. This data will be linked with a primary key—a tuple—that identifies the record and associated data. With reduced redundancy, the database does not need to search through as many records, so performance is improved and referential integrity is more easily maintained.
Enhancing database support, providing data in more than one table, and implementing access control are not related to normalization.
83.
A company that develops computer hardware is looking to do a voluntary internal audit. What is one advantage of the company performing this self-assessment?
- Improves employee awareness of controls
- Exempts the company from external audits
- Ensures that employees cannot hide fraud
- Lessens the workload on current employees
Correct answer: Improves employee awareness of controls
One advantage of a control self-assessment (CSA) is that employees will have more awareness of implemented controls. Other advantages can include detecting risks earlier, improving controls faster, and having a greater sense of ownership of controls.
A CSA does not exempt a company from external audits. A CSA cannot uncover employee fraud if the employees are doing the audit. A CSA may add additional work for current employees.
84.
In terms of capacity management, how should sufficient capacity for IT systems and IT processes be determined?
- By ensuring that its performance falls within the range specified in an SLA
- By carefully measuring current capacity and increasing it by 200 percent
- By assuming exponential growth for the next 6 months
- By ensuring sufficient capacity for between 50 and 150 percent of current capacity
Correct answer: By ensuring that its performance falls within the range specified in an SLA
Sufficient capacity should be outlined in the service level agreement (SLA), so the system's performance should follow that guideline. SLAs are used to break IT processes into individual units that can be controlled.
Carefully measuring current capacity and increasing it by 200 percent, assuming exponential growth for the next 6 months, or making sure that there is sufficient capacity for between 50 and 150 percent of current capacity would not be following the SLA.
85.
Whose role in an organization is to facilitate quality improvement activities in an organization?
- QA manager
- QC manager
- Project manager
- Service desk manager
Correct answer: QA manager
A quality assurance (QA) manager is responsible for facilitating quality improvement activities in an organization. This is to ensure that products meet or exceed established quality standards.
A quality control (QC) manager is in charge of testing items for defects. A project manager is in charge of individual projects. A service desk manager is a point of contact between users and the IT service desk department.
86.
A software development firm has hired temporary workers to help finish some projects. They want to be sure that the temporary workers don't make any changes to important system files. What should they install on their systems to ensure this?
- File integrity modeling
- File activity monitoring
- Segregation of duties
- Application code review
Correct answer: File integrity modeling
File integrity modeling is used to detect and report changes to files on a system automatically. This can detect unauthorized changes.
File activity monitoring only detects access to certain files. Segregation of duties is the concept of needing multiple people to do critical tasks. Application code review is used to check changes to code before it is committed.
87.
What is an area of systems management that involves acquiring, testing, and installing multiple code changes?
- Patch management
- Problem management
- Software release management
- Database management
Correct answer: Patch management
Patch management consists of testing, managing, and installing multiple patches on a controlled workstation to determine whether an update will cause any complications. Patches are required to keep software up to date and to cover security flaws, but they can have unintended consequences. Patch management tasks include:
- Maintaining current knowledge of available patches
- Ensuring the patches are properly installed, as well as testing them afterward
- Determining which patches are necessary
- Documenting any processes for installing
Problem management is used to resolve issues through in-depth analysis. Software release management governs the process of making software available to users. Database management is the administration of databases.
88.
A company is migrating its data to a new type of database. To ensure that the migration to the new system is successful, the team counts the number of records in the old system to make sure the same number appears in the new system. They also add up records with numerical values in both systems to make sure they total the same amount. Furthermore, they compute checksums on fields in the old database to verify that the same checksums are produced on the new system.
By performing all these operations, the company could face what issue?
- Checksums can vary based on how each system stores data
- The new system will likely use fewer records than the old system
- Data records with numerical values should total differently on each system
- Migrated data needs to transfer numerical data first
Correct answer: Checksums can vary based on how each system stores data
In checksum validation, each system might store the same data differently, which could affect the checksum calculations. For example, one system may pad fields with spaces, while another may use nulls.
Record counts are one way to confirm the completeness of a migration. Batch totals can be used to make sure numerical fields yield the same totals on each system. Numerical data does not need to be migrated before other data.
89.
Which document describes the practices used by a certificate authority when issuing a digital certificate?
- CPS
- SLA
- CRL
- RFC 5280
Correct answer: CPS
The certificate practice statement (CPS) describes the practices used by the CA to issue and manage digital certificates. It can include details such as the type of certificate, key length, and policies for renewal.
A service level agreement (SLA) defines the levels of service a provider offers to a client. A certificate revocation list (CRL) contains certificates that have been revoked, for example because they were compromised. RFC 5280 is the standard that defines the certificate format.
90.
A company uses system interfaces to transfer data to partners. Currently, they do not have a comprehensive solution to track and monitor all the system interfaces involved in data transfer. What type of solution can they implement to achieve this?
- MFT
- DLP
- IPS
- CASB
Correct answer: MFT
A managed file transfer (MFT) system is used for functionality such as encrypting/decrypting files, compressing/decompressing files, and connecting to databases. These types of applications are important for securing system interfaces.
Data loss prevention (DLP) systems aim to stop data exfiltration. Intrusion prevention systems (IPS) actively detect and defend against threats. A cloud access security broker (CASB) offers security solutions for accessing cloud services.
91.
What is included in ISACA's 2402 (Follow-up Activities) guideline?
- Management's proposed actions
- Evaluation of sample results
- Responding to irregularities and illegal acts
- Governance of the admissibility of non-audit services or roles
Correct answer: Management's proposed actions
ISACA's follow-up activities include recommendations to ensure that the audit's findings are effectively addressed. The management's proposed actions for this are included in follow-up activities.
Evaluation of sample results is in guideline 2208, Audit Sampling. Responding to irregularities and illegal acts is in guideline 2207, Irregularity and Illegal Acts. Governance of the admissibility of non-audit services or roles is in guideline 2003, Professional Independence.
92.
In a business that is too small for effective segregation of duties, compensating control measures may be instituted. These can include all the following EXCEPT:
- Physical segregation
- Exception reporting
- Reconciliation
- Audit trails
Correct answer: Physical segregation
Segregation of duties is important to ensure that a single entity is not solely responsible for a critical task. In a business too small for effective segregation of duties, physical segregation is not one of the compensating controls.
Compensating controls include audit trails, reconciliation, exception reporting, transaction logs, supervisor reviews, and independent reviews.
93.
There are several different choices for disk-based software backups. What is the backup system that executes at the home server level and runs software on both the home server and the target server?
- Host-based replication
- Snapshots
- Disk array-based replication
- Virtual tape library
Correct answer: Host-based replication
Host-based replication is a backup system that executes at the home server level. Host-based replication can wait to write the data at the primary site until after the data is successfully written at the backup site, or the data can be transferred to the backup site after a predetermined delay.
A virtual tape library looks like a conventional tape library from the point of view of a user, but the data is stored on a disk array. Disk-array-based replication is like host-based replication, but the replication takes place at the disk-array level. Snapshots can take either full or partial copies of data. Snapshots are especially effective in supplementing conventional backup and recovery software.
94.
Why is a symmetric key cryptographic system symmetric?
- The encryption key is the same as the decryption key.
- The keys are mathematically symmetrically related.
- The keys are inversely related to each other.
- It is based on the elliptical curve.
Correct answer: The encryption key is the same as the decryption key.
A symmetric key is symmetric because the encryption key is the same as the decryption key. Cryptography is usually based on the data encryption standard (DES). This algorithm works on 64-bit blocks. 56 bits are used for the encryption, and the additional eight bits are used for parity checking.
DES is vulnerable to brute-force attacks, and it's being replaced with AES, where the keys are between 128 bits and 256 bits. A symmetric key system is advantageous in that the user only needs to remember one key to both decrypt and encrypt data.
95.
What is the first step in performing an effective IS audit?
- Adequate planning
- Gathering shareholder feedback
- Presenting a plan to the board of directors and receiving approval
- Doing preliminary planning to determine the cost
Correct answer: Adequate planning
The first step in performing an effective IS audit is adequate planning. An effective audit program sets objectives and plans audit procedures to fulfill the audit objectives.
Gathering shareholder feedback occurs during and after the IS audit. The annual audit plan is presented to the board of directors, not individual audits. Although a cost-benefit analysis is occasionally performed for an audit, it is not the first step in this process.
96.
A software development company is using release management to control the changes to an application they support. They are currently determining the expected benefits of a new release. In which phase of the release process are they?
- Feasibility study
- Requirements definition
- Design
- Development
Correct answer: Feasibility study
A feasibility study is the first step in a typical release process. It is used to determine what benefits will arise from making the changes.
The requirements definition stage is used to describe features and detailed requirements. The design stage is used to create a formal design. The development phase is used to start coding the changes.
97.
Which type of risk in an audit considers the risk that material errors were not discovered by the IS auditor?
- Detection risk
- Inherent risk
- Sampling risk
- Control risk
Correct answer: Detection risk
Detection risk is the risk that an auditor will overlook errors. This is included during a risk assessment at the beginning of an audit to help an auditor use higher sampling rates to improve the chances of detecting errors.
An inherent risk is the risk assuming that no controls have been implemented. A sampling risk is that the sampling technique used will not detect transactions that are not in compliance with the controls. A control risk is that the implemented controls will not prevent the targeted issue.
98.
Review the passage and answer the following question.
Which factor should be the MOST alarming to the IS auditor?
- The SLA for user account change requests is 48 hours.
- A 24-hour notice is required to perform an on-site audit.
- There is no IS auditor employed by the outsourcer.
- Older versions of the software are not being maintained by the outsourcer.
Correct answer: The SLA for user account change requests is 48 hours.
The window for handling account change requests is ultimately unacceptable due to the time required to have a user account terminated or suspended. After an employee has been terminated, their account and all access to enterprise systems should be terminated immediately in order to prevent any potential damage from a disgruntled employee.
99.
The CSA lifecycle is an iterative process that starts with identifying and assessing risks. What is the final stage of the CSA lifecycle before returning to the phase of identifying and assessing risks?
- Perform control remediation
- Conduct a workshop
- Develop a questionnaire
- Identify and assess controls
Correct answer: Perform control remediation
The final phase of the control self-assessment life cycle is control remediation. In this phase, controls are designed or altered to limit risks.
Conducting workshops is used to create ideas for control remediation. Developing questionnaires is done after identifying and assessing controls. Identifying and assessing controls are done after identifying and assessing risks.
100.
What do procedures need to be?
- Documented, defined, and derived from a parent policy
- Put through a policy approval process
- Directly overseen by the board of directors
- Less detailed than the parent policies they're derived from
Correct answer: Documented, defined, and derived from a parent policy
Procedures need to be dynamic versions of the parent policies they translate. They need to be updated regularly to ensure they still properly reflect policies. Auditors must evaluate procedures for correct alignment with business policies, efficiency, and relevancy.
A critical aspect of procedures is that they must be understood by the people who work with them. A procedure is ineffective if used by personnel who don't understand how it works. Procedures need to be managed so that they're readily accessible and understood.
They do not need a policy approval process, to be overseen by the board of directors, or to be less detailed than a policy.