ISACA CISA Exam Questions

101.

Which EGIT framework was developed by ISACA and ensures that IT is aligned with business objectives?

  • COBIT

  • ISO/IEC 27000

  • ITIL

  • O-ISM3

Correct answer: COBIT

The COBIT framework was created by ISACA. It provides the tools to assess and measure IT processes within an enterprise.

ISO/IEC 27000 is from the International Organization for Standardization and International Electrotechnical Commission. The ITIL is from the UK Office of Government Commerce. The O-ISM3 was created by an IS author and consultant.

102.

ISACA IS Audit and Assurance Standards contain how many categories?

  • 3

  • 4

  • 5

  • 6

Correct answer: 3

There are three categories of standards:

  1. General: The guiding principles under which the IS assurance professional operates, applying to all conduct of the ISACA assignments and encompassing the IS audit and assurance professional's ethics, objectivity, knowledge, competency, and more.
  2. Performance: Deals with the conduct of the assignment, including planning and supervision, scoping, risk, resource mobilization and assignment management, and audit and assurance evidence.
  3. Reporting: Covers the types of reports, means of communication, and the info shared or communicated.

103.

An IS auditor is examining log files and discovers a violation in which a user is attempting to access unauthorized resources. What should the auditor do?

  • Refer the issues to the security administrator

  • Investigate and determine the severity of the violation

  • Notify law enforcement officials

  • Remove inappropriate access rules

Correct answer: Refer the issues to the security administrator

The person who identifies the violation should report it to the security administrator for investigation.

The security administrator and responsible management should investigate and determine the severity of the violation. Executive management should notify law enforcement if the violation is severe enough. Changing access rules should be done after a review.

104.

What is the purpose of a business impact analysis?

  • To evaluate the effects that different scenarios will have on critical processes

  • To outline the steps required to recover from a disaster

  • To identify, investigate, and resolve the underlying causes of incidents

  • To outline how an organization will continue to operate in the event of a disaster

Correct answer: To evaluate the effects that different scenarios will have on critical processes

A business impact analysis (BIA) evaluates critical processes and determines timeframes, priorities, resources, and interdependencies. It is one of several detailed analyses needed before developing continuity or recovery plans or procedures.

A disaster recovery plan outlines the steps required to recover from a disaster. Problem management is used to identify, investigate, and resolve the underlying causes of incidents. A business continuity plan outlines how an organization will continue to operate in the event of a disaster.

105.

What occurs during the exit interview of an IS audit?

  • The auditor discusses findings and recommendations with audited management.

  • The auditor is asked why they have decided to stop the audit.

  • The auditor answers questions from the audited organization about how the organization can be more effective.

  • The auditor presents a list of employees that are no longer needed in the organization.

Correct answer: The auditor discusses findings and recommendations with audited management.

The exit interview is where an IS auditor discusses their findings and recommendations with the audited management. They should ensure that facts are correct and material, that recommendations are realistic, and that dates for implementing recommendations are agreed upon.

106.

A business needs to prepare for an official audit to be compliant with the Sarbanes-Oxley Act and also wants specific business processes audited. They want to hire a single auditor to do this audit so they can be prepared for an official audit later. What type of audit describes the work that the auditor will be doing?

  • Integrated audit

  • Compliance audit

  • Operational audit

  • Financial audit

Correct answer: Integrated audit

An integrated audit combines both a financial audit and an operational audit. A business may want to prepare for an official audit by having one performed beforehand.

A compliance audit does specific tests to meet regulations only. An operational audit evaluates controls in a specific area. A financial audit only covers accounts and financial information.

107.

What are the phases of penetration testing?

  • Planning, Reconnaissance/Discovery, Attacks, Reporting

  • Design, Deployment, Attacks, Monitoring, Reporting

  • Planning, Scanning, Attacking, Monitoring, Reporting

  • Planning, Reconnaissance, Attacks, Reporting, Discovery

Correct answer: Planning, Reconnaissance/Discovery, Attacks, Reporting

Penetration testing is intended to mimic an experienced hacker attacking a live site. Penetration testing typically consists of four phases: planning, reconnaissance/discovery, attacks, and reporting.

  • Planning:
    • Rules of engagement
    • Choose between intrusive and non-intrusive testing
    • Milestones identified
  • Reconnaissance/Discovery
    • Network mapping
    • DNS interrogation
    • Website mapping
    • WHOIS queries
  • Attacks
    • Cookie/session ID analysis
    • OS exploits
    • Long input
    • Authentication circumvention
  • Reporting
    • Occurs simultaneously with the other three so that important events and milestones are reported as they occur

108.

IT service management (ITSM) is employed by many organizations to support IS. All the following are characteristics of ITSM, EXCEPT:

  • Software needs to be on one platform with a configuration that is maintained at the system level.

  • Processes are both discrete and interdependent.

  • Services should be managed through a service level agreement (SLA).

  • Services include service desk, availability management, and IT financial management.

Correct answer: Software needs to be on one platform with a configuration that is maintained at the system level.

Software can be made up of different systems with different programs with different modules. The configuration can be maintained at any level: system, program, or module level.

The processes are discrete and preferably managed through service-level agreements. Services include service desk, incident management, problem management, configuration management, change management, release management, service level management, IT financial management, capacity management, IT service continuity management, and availability management.

109.

It's important to test business continuity and disaster recovery plans. What is the objective of these tests?

  • Identify areas for improvement

  • Produce an error-free test

  • Write system documentation

  • Ascertain what hardware needs to be updated

Correct answer: Identify areas for improvement

It's important to test business continuity and disaster recovery plans. Disaster recovery can address physical disasters (fires, floods) or data protection issues, such as how to recover from a server failure. Evaluating potential weaknesses and planning how to deal with what might go wrong helps an organization identify shortcomings. Tests should also provide training for the staff responsible for disaster recovery.

Tests aren't expected to be perfect and error-free but to help staff pinpoint areas that need improvement. Writing system documentation and ascertaining hardware that needs to be updated are not the objectives of testing business continuity and disaster recovery plans.

110.

The Performance and Supervision guidelines of the ISACA IS audit guidelines outline important topics such as documenting work performed and roles and responsibilities. What is NOT covered under the ISACA IS auditor guidelines on Performance and Supervision?

  • Guidance for audit professionals on how to obtain the necessary skills

  • Performing an audit engagement

  • Gathering evidence

  • Formulating findings and conclusions

Correct answer: Guidance for audit professionals on how to obtain the necessary skills

Guidance on how to obtain and maintain the necessary competencies of an IS auditor is covered in the Proficiency guidelines. The Performance and Supervision guidelines provide guidance to IS audit and assurance professionals for performing their audit engagement and supervising IS audit members. The guidelines cover:

  • Performing an audit engagement
  • Roles and responsibilities and required knowledge and skills for performing audit engagements
  • Key aspects of supervision
  • Gathering evidence
  • Documenting work performed
  • Formulating findings and conclusions

111.

What is an advantage of a quantitative risk analysis?

  • It is ideal for providing measurable results.

  • It is less complicated than a qualitative analysis.

  • It is less time-consuming than a qualitative analysis.

  • It is useful for valuing informational assets.

Correct answer: It is ideal for providing measurable results.

A quantitative analysis uses numerical values to calculate the likelihood and impact of risks. This is ideal for when measurable results are needed.

A qualitative analysis is less complicated and time-consuming than a quantitative analysis. A qualitative analysis is more useful for valuing informational assets.

112.

Which of the following is a strategic risk when designing and developing software systems?

  • A business develops its own software but does not consider if it will meet the company's future goals.

  • A business develops its own software without fully understanding the costs that go into development.

  • A business develops its own software and severely underestimates the time it will take to finish the software.

  • A business develops its own software but uses a programming language that is on the decline in industry usage.

Correct answer: A business develops its own software but does not consider if it will meet the company's future goals.

A strategic risk is that an application may not meet a company's goals. If not all aspects of the company's strategy are considered, the software may be abandoned after its creation.

A business developing its own software without fully understanding the costs that go into development, or severely underestimating the time it will take to finish the software, are examples of business risks. A business developing software in an outdated language is an example of project risk.

113.

A company is migrating its customer data to a new type of database. After the migration, the company encounters an unexpected problem. Since it will take time to address the issue, they want to revert to their previous database type until the issue with the migration is fixed. What should they use as a safety net in this situation?

  • Rollback planning

  • Disaster recovery planning

  • Business continuity planning

  • Differential backup planning

Correct answer: Rollback planning

Rollback planning is used to return to a previous state if a migration goes wrong. It is intended to be used as a last resort in case the issue takes too long to solve.

Disaster recovery planning is used to restore IT infrastructure after an incident. Business continuity planning is used to maintain operations during a disaster. A differential backup captures everything that has changed since the last full backup.

114.

Among business continuity plan components, which one provides procedures that will enable the recovery of capabilities at another site?

  • Disaster recovery plan

  • Continuity of support plan

  • Business resumption plan

  • Business continuity plan

Correct answer: Disaster recovery plan

A disaster recovery plan consists of detailed procedures that will enable the recovery of capabilities at another site.

A continuity of support plan provides the procedures required for recovering important applications. A business resumption plan consists of the procedures for recovering business operations. A business continuity plan provides the procedures for maintaining essential business operations.

115.

When does software baselining in the SDLC occur?

  • The cutoff point in the design

  • The initial stage of software design

  • The debugging stage of development

  • The requirements definition stage

Correct answer: The cutoff point in the design

Software baselining means the cutoff point of the design; it is also called design freeze. With baselining, everything is reviewed for time and cost requirements. Any changes are evaluated for risk. Baselining is intended to reduce scope creep. At the point of baselining, version numbers are usually introduced.

In the initial stage of software design, activities such as developing flowcharts and entity relationship models are done. The debugging stage of development occurs during the development phase. The requirements definition stage occurs before the design phase.

116.

What is the first step in closing a project?

  • Assigning responsibility for outstanding issues

  • Archive documentation

  • Conduct a post-implementation review

  • Document risk that was identified during the project

Correct answer: Assigning responsibility for outstanding issues

Closing a project is an important process for learning lessons for the future. The first step in closing a project is assigning responsibility for outstanding issues.

Archiving documentation or passing it on is the second step in a project closeout. Conducting a post-implementation review is the third step in a project closeout. Documenting risk that was identified during the project is the fourth step in a project closeout.

117.

Proactive controls are often referred to as what?

  • Safeguards

  • Countermeasures

  • Incident responses

  • Warnings

Correct answer: Safeguards

Controls may be proactive, meaning they attempt to prevent incidents entirely, or they can be reactive, meaning they work on detection, containment, and recovery from an incident. Proactive controls are often called safeguards, and reactive controls are typically called countermeasures.

118.

A company wants to display quality control of its information systems by having an external authority verify and accept responsibility for the system's requirements and controls. What process is the company seeking?

  • Accreditation

  • Certification

  • End-user training

  • Changeover

Correct answer: Accreditation

Accreditation is the decision by an external authority to authorize the operation of an information system. By accrediting a process, the accreditor takes on risk for the organization's operations.

Certification is a process of making an assessment against standards, but without the assessor taking responsibility. End-user training is used to ensure users can operate a system. The changeover process is used during migration.

119.

The waterfall approach has some inherent problems, including all the following EXCEPT:

  • It's not useful for applications that follow templates.

  • It doesn't handle unanticipated events well.

  • It's difficult to obtain explicit requirements from customers.

  • A working version isn't available until near the end of the cycle.

Correct answer: It's not useful for applications that follow templates.

The waterfall method is particularly useful in applications that follow templates. Design and programming requirements can be put into methods that go in templates.

It has problems handling unanticipated events since projects in the real world rarely follow the sequential flow exactly. Difficulty obtaining appropriate requirements from the customer and the delay in a working version are other problems. Changing business environments may require large project changes, another disadvantage of this system.

120.

A financial software development company is working on a new release of its software. Before each step of software development, approval is needed. Without approval, the next step cannot proceed. What type of approach is the company taking?

  • Gate process

  • User acceptance testing

  • Unit testing

  • Exception handling

Correct answer: Gate process

The gate process is an approach to release management. It requires each phase to have approval before the next can start.

User acceptance testing is used after coding and unit testing. Unit testing is done by programmers while they are coding. Exception handling is the process of handling errors and unexpected events.