ISACA CISA Exam Questions
121.
A company is in the process of developing a risk management program. They are currently considering whether flood damage at their data center is a likely scenario. In which step of the risk management process are they?
- Evaluation of threats and vulnerabilities
- Asset identification
- Calculation of risk
- Evaluation of and response to risk
Correct answer: Evaluation of threats and vulnerabilities
The second step of the risk management process is to evaluate threats and vulnerabilities to assets. This can include the likelihood of threat actors, environmental damage, or user error.
Asset identification involves enumerating IT-related resources. The calculation of risk involves measuring the likelihood of a threat occurring and the value of its damage. The evaluation of and response to risk include how controls can reduce the risk.
122.
Applying the balanced scorecard to IT uses strategies in each of these ways, EXCEPT:
- Regulatory
- User
- Operational
- Future
Correct answer: Regulatory
An IT balanced scorecard allows an organization to measure and manage IT-related functions in a balanced way. Applying the balanced scorecard to IT uses strategies in each of these categories except regulatory, as it does not consider outside factors beyond the organization's control.
The user perspective considers how users or customers interact with IT. The operational perspective considers how effective IT operations are. The future perspective considers how IT can meet future needs and includes innovation and training.
123.
Information security governance (ISG) is the responsibility of which of the following?
- The board of directors and executive management
- The committee established to oversee security
- The auditor
- The IT department
Correct answer: The board of directors and executive management
Information security governance is the responsibility of the board of directors and executive management. It needs to be part of enterprise governance. It consists of the leadership, organizational structures, and processes that safeguard information.
ISG includes:
- Promoting good information security (IS) practices with clear direction and understanding at all levels
- Controlling IS risks associated with the business
- Creating an overall IS activity that reflects the organization’s needs and risk levels
124.
Which term is used to describe the elements needed to define a database?
- Metadata
- Direct definition
- Hierarchical data
- External schemata
Correct answer: Metadata
The elements needed to define a database are called metadata.
Metadata includes data about logical and physical field definitions, files, information about data relationships, etc. Metadata can be an external schema, a conceptual schema, or an internal schema. The schemas must be adjusted to work together as a fully functioning database management system.
125.
An auditor identifies missing controls in an organization's network security. How should the auditor handle this situation?
- Note the exception but do not remediate it
- Decide on the best countermeasure for it
- Create a task force to remediate the problem
- Aid the organization in implementing countermeasures
Correct answer: Note the exception but do not remediate it
The auditor should note the risk but does not have to implement solutions. The auditor should also be careful about making recommendations, as it can be problematic to influence auditee decisions.
Deciding on the best countermeasures is the responsibility of the audited organization. Creating a task force to remediate the problem is not the responsibility of the auditor. Aiding the organization in implementing countermeasures can compromise the objectivity of the auditor.
126.
Which job role serves as a liaison between the IT department and the users who access business applications at a company?
- End-user support manager
- Human resources manager
- Customer support manager
- Technical support manager
Correct answer: End-user support manager
An end-user support manager is a liaison between end users and the IT department. They are responsible for ensuring that user productivity is not lost due to IT issues.
A human resources manager deals with employee relations. A customer support manager handles client issues. A technical support manager makes sure the IT team has the appropriate resources.
127.
Each process in an audit is assessed for qualitative and quantitative risk. A risk is considered high if it results in damage to the reputation of the entity AND:
- takes more than six months to recover
- takes less than six months but more than three months to recover
- takes less than three months to recover
- requires legal action to recover
Correct answer: takes more than six months to recover
Each process in an audit is assessed for qualitative and quantitative risk. A risk is considered high if it is a process issue that results in damage to the reputation of the entity and takes more than six months to recover. A risk is considered medium if it is a process issue that results in damage to the reputation of the entity and takes less than six months but more than three months to recover. A risk is considered low if it is a process issue that results in damage to the reputation of the entity and takes less than three months to recover.
Risk factors are evaluated based on feedback from the business process owners, and every business will be different. For a retail business, reputation is probably a critical risk factor. If legal action is necessary to recover, the risk could be medium or high; therefore, this is not the correct answer.
128.
Facial recognition is fast and easy to use but has disadvantages. What is its PRIMARY disadvantage as a biometric system?
- People that look alike
- Difficulty in getting good images
- Difficulty in compensating for different hairstyles and makeup
- Invasiveness
Correct answer: People that look alike
Faces lack the uniqueness of some other biometric measurements, and people who look alike may fool the system. The initial photo is taken by a video camera about 24 inches from the face. A template is created based on a two- or three-dimensional array. A biometric reader may also create a metric measurement system consisting of the distances between specific facial features, such as the distances between the eyes, the nose, and the mouth.
Although facial metrics are fast and easy to use, they are also memory-heavy.
129.
An auditor is gathering evidence for an audit of a law firm. As part of the audit process, they are interviewing employees. During the interviews, however, they have trouble getting detailed information from employees. What is a reasonable conclusion that an auditor can make from this?
- Employees have been coached to provide the minimum amount of information.
- Employees do not have the skills or expertise to perform their job functions.
- Employees are too nervous to discuss their jobs in one-on-one interviews.
- Employees are changing their behavior due to being observed.
Correct answer: Employees have been coached to provide the minimum amount of information.
If employees only give minimal amounts of information during an interview, the auditor should be aware that they may have been coached by their employer not to divulge information. In this case, an auditor should try more creative means to get the information they need.
It is still likely that employees have the skills and expertise to explain their job functions in detail. Nervousness is not likely to be an issue for disclosing information in an interview. Job observation is not a part of interviewing.
130.
Computer-assisted audit techniques are invaluable to the auditor, but accessing data needs to be done safely. All the following are precautions an auditor needs to take, EXCEPT:
- A computer operator needs to be on hand to verify the integrity of the system.
- The auditor should only have "read-only" access to production data.
- Updates should be done in a controlled environment that can isolate the production system and protect it from inadvertent changes.
- Where possible, an analysis should be done on data that's been downloaded to a standalone platform.
Correct answer: A computer operator needs to be on hand to verify the integrity of the system.
Computer-assisted audit techniques (CAATs) help auditors in complex environments. A computer operator doesn’t need to be on hand to verify the integrity of the system.
Computer-assisted audit techniques always need to be performed on data that's isolated from critical production data. CAATs often provide utilities for creating stand-alone platforms that help protect production data. Another precaution is to use a "read-only" mode if available.
131.
A chain of custody is required for evidence to be admissible in court. The chain of custody needs all the following information, EXCEPT:
- A report on the details of the incident
- A list of who had access to the evidence
- The procedures followed in working with the evidence
- Documentation that shows the analysis is based on original evidence
Correct answer: A report on the details of the incident
A report on the details of the incident is included in the reporting phase after the incident. The report should be understandable by decision-makers and withstand legal scrutiny.
In a chain of custody, information should be included related to who had access to the evidence, the procedures followed in working with the evidence, and documentation that shows the analysis is based on copies of the original evidence.
132.
All the following are capacity planning and monitoring elements EXCEPT:
- Disposal
- Development
- Implementation
- Application sizing
Correct answer: Disposal
Capacity planning and monitoring elements include development, monitoring, analysis, tuning, implementation, modeling, and application sizing.
Disposal is not one of the elements.
133.
What are the three categories of ISACA IS Audit and Assurance Standards?
- General, Performance, Reporting
- Overall, Operations, Reporting
- General, Tailored, Reporting
- General, Ethics, Compliance
Correct answer: General, Performance, Reporting
There are three categories of standards and guidelines:
- General: The guiding principles under which the IS assurance professional operates, applying to all conduct of the ISACA assignments and encompassing the IS audit and assurance professional's ethics, objectivity, knowledge, competency, and more.
- Performance: Deals with the conduct of the assignment, planning and supervision, scoping, risk, supervision, resource mobilization and assignment management, and audit and assurance evidence.
- Reporting: Covers the types of reports, means of communication, and the info shared or communicated.
134.
An organization has contracted with an IS auditor to help review an arrangement with its potential cloud service provider. It runs secure systems that it wants to put into the cloud but is concerned about the potential access the CSP will have.
Which of the following would address the organization's concerns about cloud-hosted server risk?
- Include a right to audit and contract language that requires the CSP to align with the enterprise's security policy and to implement the necessary controls
- Include terms in the contract that require proper disposal of applications including objects, sources, and backups
- Request the CSP's technical details for approval and require additional controls to ensure data privacy
- Request the CSP's disaster recovery plans and ensure that they contain the proper countermeasures to protect assets
Correct answer: Include a right to audit and contract language that requires the CSP to align with the enterprise's security policy and to implement the necessary controls
In this scenario, the client appears to be concerned with the security of the virtual machines hosted in the cloud. Hypervisor attacks are possible, which permit attackers to gain access to other virtual machines hosted on the hypervisor server. This can compromise server integrity and confidentiality, which this organization requires for secure payment processing.
Including terms in the contract that require proper disposal of applications—including objects, sources, and backups—is a control for ensuring data disposal. Requesting the CSP's technical details for approval and requiring additional controls to ensure data privacy are controls for dealing with multi-tenancy. Requesting the CSP's disaster recovery plans and ensuring that they contain the proper countermeasures to protect assets are controls for physical security.
135.
A healthcare company has recently begun implementing continuous auditing. They have installed audit hooks that create alerts when fraudulent transactions are detected. After running the audit hooks for a week, they discover that the audit hooks have sent numerous alerts for normal transactions.
What type of issue are they having with the audit hooks?
- False positives
- False negatives
- True negatives
- True positives
Correct answer: False positives
A false positive is an instance where an event is falsely categorized as an important event. The company should tune its alerts so that there are fewer false positives.
A false negative is when a system misses an important event. A true negative is when a system accurately defines an event as not important. A true positive is when a system correctly identifies an event as important.
136.
Which characteristic relates to digital signatures and ensures that a party cannot deny having sent a message?
- Nonrepudiation
- Integrity
- Confidentiality
- Authenticity
Correct answer: Nonrepudiation
Nonrepudiation means that the sender of the message cannot later deny that they sent it. This is because it is difficult to forge a digital signature.
Integrity refers to the message not being changed during transit. Confidentiality refers to only the correct person receiving the message. Authenticity refers to verifying to the recipient that the message came from the sender.
137.
Which security characteristic ensures that the origin or receipt of a message is verified?
- Non-repudiation
- Accountability
- Authenticity
- Availability
Correct answer: Non-repudiation
Non-repudiation is the ability to prove that a particular action occurred and that it was done by a specific individual. It ensures that individuals cannot deny their involvement in an activity.
Accountability ensures that the action of an entity is uniquely traceable to that entity. Authenticity refers to a message not being altered in transit. Availability refers to ensuring access to the resource.
138.
One of the most commonly used biometric devices is fingerprint scanning. What is the template generated for fingerprints called?
- Minutiae
- Hand geometry
- Signature
- Access control list
Correct answer: Minutiae
The template for fingerprints is called minutiae. It measures convergences, enclosures, bifurcations, and the general ridge pattern. It contains only the data about the fingerprint, not an image of the fingerprint itself. As a result, the full fingerprint can't be reconstructed from the template. The characteristics of the fingerprint are described by a set of numeric values. Fingerprint scanning is low-cost and can be easily integrated into existing access control methods.
Hand geometry is used in palm-based biometrics. Signatures are used to analyze how users sign their names. An access control list is a register of subjects along with the types of permissions they have.
139.
What is the biggest security issue that relates to system interfaces?
- Ensuring that data sent from the originating system is the same as the data received by the recipient system
- Preventing unauthorized users from capturing traffic as it traverses a network medium
- Keeping the system interface operational as much as possible
- Reducing the number of errors that the system interface generates
Correct answer: Ensuring that data sent from the originating system is the same as the data received by the recipient system
The most important security issue related to system interfaces is ensuring that the data coming out of the interface is the same as the data received. This data should be secured throughout the whole transfer process.
Preventing unauthorized users from capturing traffic as it traverses a network medium is a concern if the data is unencrypted. Keeping the system interface operational as much as possible is less important than security. Reducing the number of errors that the system interface generates is important but should be considered after security issues.
140.
What is an attack that redirects traffic to a bogus website?
- Pharming
- Packet replay
- Masquerading
- Spear phishing
Correct answer: Pharming
Pharming is an attack that redirects traffic to a bogus website. This is usually accomplished by changing the hosts file on the victim’s computer or by exploiting DNS server vulnerabilities. DNS servers resolve internet names. E-commerce sites and online banking sites should especially institute strong security measures.
Packet replay involves capturing a stream of data packets and replaying them. Masquerading is impersonating another user. A spear-phishing attack is a targeted social engineering attack.