ISACA CISA Exam Questions

Page 8 of 50

141.

To perform an audit of an ATM, the auditor needs to do all the following EXCEPT:

  • Review disaster recovery documents

  • Review customer identification measures and measures of confidentiality maintenance

  • Review encryption procedures

  • Review procedures for retaining files and tracing transactions

Correct answer: Review disaster recovery documents

Reviewing disaster recovery documents is not ordinarily part of an ATM audit. An IS auditor needs to review processes for customer identification, review measures to maintain customer confidentiality, review file maintenance and retention systems, review exception reports, review the daily reconciliation process, and review encryption.

142.

A company needs to perform a CA on its systems and processes. Which step needs to be completed before the company can start the CA?

  • Gathering BIA information

  • Developing the DRP

  • Training staff on continuity plans

  • Establishing key recovery targets

Correct answer: Gathering BIA information

A criticality analysis (CA) is a close, systematic look at the importance of business processes. A business impact analysis (BIA) is first needed to identify the processes and determine what impact happens if each is incapacitated for a period.

Developing a disaster recovery plan (DRP) is conducted after the CA. Training staff on continuity plans is done after creating a business continuity plan (BCP). Establishing key recovery targets is done after a CA.

143.

Which fire-suppression system pumps water into pipes only after a fire alarm has been activated?

  • Dry-pipe sprinkling systems

  • Water-based sprinkler systems

  • Halon systems

  • Carbon dioxide systems

Correct answer: Dry-pipe sprinkling systems

A dry-pipe sprinkler system keeps its pipes filled with air or nitrogen until the system is activated. This prevents leaks from occurring that could damage equipment.

A water-based sprinkler system always has water in the piping. A Halon system is a banned system that uses gas. A carbon-dioxide system involves gas and is not used in areas where people are.

144.

The guidelines under the ISACA IS audit category of Performance and Supervision do NOT cover which topic?

  • Assessing materiality

  • Performing an audit engagement

  • Key aspects of supervision

  • Gathering evidence

Correct answer: Assessing materiality

The Performance and Supervision guidelines provide guidance to IS audit and assurance professionals for performing their audit engagement and supervising IS audit members. The guidelines cover:

  • Performing an audit engagement
  • Roles and responsibilities and required knowledge and skills for performing audit engagements
  • Key aspects of supervision
  • Gathering evidence
  • Documenting work performed
  • Formulating findings and conclusions

Assessing materiality is in the Materiality guideline.

145.

Which of the following is a tool that is usually hardware-based, monitors packets in a channel, and produces a network usage report?

  • Protocol analyzer

  • Firewall

  • Online monitor

  • Network management protocol

Correct answer: Protocol analyzer

Protocol analyzers are tools for monitoring packets in a network and producing network usage reports. A protocol analyzer is usually hardware that operates at the network or data link level. Protocol analyzers report on the protocols in use, the volume of traffic, hardware errors, software problems, and the type of packets monitored.

A firewall is a tool that blocks certain traffic. An online monitor checks data transmission accuracy and errors. A network management protocol provides real-time displays of network nodes and status.

146.

When ensuring that every transaction has been entered, processed, and recorded accurately, input control procedures are used. Batch controls for input transactions can include hash totals, total monetary amount, total items, and which of the following?

  • Total documents

  • Total invoices

  • Total accounts

  • Total sales

Correct answer: Total documents

Total documents are included in batch control totals. Verification is done to ensure the number of documents input equals the number of documents processed. This can include the total number of invoices. Total items verify the number of units on an invoice (e.g., so that the number of units invoiced agrees with the total number processed).

Hash totals verify that the total number in the batch agrees with the total number as calculated by the system.

147.

Client/server architecture is usually a three-tier architecture (i.e., three levels of tasks). What are these?

  • Thin clients, application servers, and database servers

  • File-sharing servers, application servers, and distributed processing

  • Transaction servers, middleware servers, and database servers

  • Load-balancing, application servers, and database servers

Correct answer: Thin clients, application servers, and database servers

The three-tier architecture consists of a presentation layer, which is a thin client like an internet browser that is focused on doing GUI tasks; one or more application tiers, or application servers; and one or more data tiers, or database servers.

The three-tier architecture allows any of the tiers to be updated independently. This model is often used to build websites.

148.

Review the passage and answer the following question.

The CISO has concerns about the proximity cards and would like to implement biometric scanning alongside the card scanner to enhance security. Which of the following risks is the CISO identifying?

  • Access card sharing

  • Simple passwords

  • Incorrect or missing log entries

  • Eavesdropping

Correct answer: Access card sharing

Implementing a biometric scanner that couples with the access card would virtually eliminate the ability for users to share access cards. This could be an effective measure in ensuring that unauthorized individuals do not gain access to secure resources.

149.

Which scenario causes an issue with the shared disaster spectrum?

  • A data center and backup media storage facility along the same coastline

  • Sending unencrypted data to a backup media storage facility

  • Lack of security controls at a data center

  • Failing to dispose of backup media past its retention date

Correct answer: A data center and backup media storage facility along the same coastline

If a data center and a backup media storage facility are along the same coastline, then they are on the same shared disaster spectrum. For example, if there was a hurricane or a tsunami, both locations would be vulnerable.

Sending unencrypted data to a backup media storage facility, a lack of security controls at a data center, and failing to dispose of backup media past its retention date are not examples of natural disasters related to being in a geographic area.

150.

Which of the following means that compliance is required by law?

  • Regulation

  • Framework

  • Control

  • Standard

Correct answer: Regulation

Regulations are enforced by law. If a regulation is broken, it can result in fines or imprisonment.

A framework provides general guidance. A control is implemented by an organization to secure its processes. A standard ensures products adhere to industry requirements.

151.

An auditor is analyzing a company's IS policy document. They are currently looking at the procedures an organization uses to label information as "private," "public," and "confidential." In what section of the IS policy document are they?

  • Data classification policy

  • Acceptable use policy

  • End-user computing policy

  • Access control policy

Correct answer: Data classification policy

A data classification policy defines rules for how different types of data are handled by an organization. It is used to categorize how sensitive or confidential the data is.

An acceptable use policy describes how users can utilize IT resources. An end-user computing policy addresses how users can utilize their devices like laptops, desktops, and tablets. An access control policy describes how users can access data and what they can do with it.

152.

A client approaches the IS auditor with concerns about a new service provider that the business is looking to contract with for infrastructure services. The client wants to ensure that the service is highly available and redundant and is not sure how to obligate the service provider to meet its requests.

Which of the following should be used to ensure that the service provider performs as agreed during the initial contracting?

  • SLA

  • SIP

  • NDA

  • MOU

Correct answer: SLA

In this situation, the customer would benefit from a Service Level Agreement (SLA) with the service provider. This agreement would ensure that the service provider meets the performance levels set forth in the SLA, specifically the need for it to be highly available and redundant. These service goals are typically met with SLAs defining that the service will be available a certain percentage of the time, such as 99.999% of the time, with similar definitions in regard to redundancy/durability.

The other choices do not ensure that the service provider performs as agreed during the initial contracting.

153.

Which type of insurance coverage obligates insurance providers to replace damaged goods with those of "like kind and quality"?

  • IT equipment and facilities

  • Media reconstruction

  • Business interruption

  • Errors and omissions

Correct answer: IT equipment and facilities

IT equipment and facilities policies often obligate the insurance company only to replace equipment with that of "like kind and quality" instead of with name-brand new equipment.

Other options include media reconstruction insurance, which covers damage to IT media; errors and omissions insurance, which insures against errors and omissions that result in a financial loss for a client; and business interruption insurance, which covers financial loss because of business interruption. Other options are valuable papers and records insurance, fidelity coverage, and extra expense insurance.

154.

4GLs are used often in software development. They typically include all the following characteristics EXCEPT:

  • Procedural execution

  • Environmental independence

  • Workbench concepts

  • Simple language subsets

Correct answer: Procedural execution

Fourth-generation language (4GL) characteristics do not typically include the procedural paradigm of continuous statement execution. Instead, 4GLs are event-driven and object-oriented.

They do include environmental independence, programmer workbench concepts, and simple language subsets.

155.

Enterprise architecture (EA) involves performing which of the following functions?

  • Documenting IT assets

  • Deploying infrastructure

  • Controlling and managing patches

  • Administering databases

Correct answer: Documenting IT assets

Enterprise architecture (EA) involves documenting an organization's IT assets in a structured manner to facilitate understanding, management, and planning for IT investments. An EA often involves both a current state and an optimized future-state representation.

Deploying infrastructure, controlling and managing patches, and administering databases are actions that are not part of EA.

156.

Which statement accurately describes a facet of how a control self-assessment (CSA) program is employed?

  • Standards need to be developed for measuring success in each phase.

  • Care should be taken to avoid overlap with COBIT methods.

  • Only auditors should be involved in the design of the control environment.

  • It will remove the requirement of conducting an internal audit.

Correct answer: Standards need to be developed for measuring success in each phase.

A control self-assessment (CSA) differs from other kinds of assessment programs in that the assessment is made by the staff that is being assessed. When a CSA program is employed, measurements need to be decided. Evaluations are usually conducted through surveys or through workshops.

COBIT can be helpful in providing a framework for a CSA program. The workshops assist in giving employees the tools to design the control environment. However, internal audit is still responsible for an independent review of these areas.

157.

What is the role of an organizational CSIRT?

  • To provide preventive, detective, and corrective controls for security incidents

  • To develop and test plans for business continuity in case of a disaster

  • To gather, analyze, and disseminate threat intelligence

  • To manage user access and authentication of system resources

Correct answer: To provide preventive, detective, and corrective controls for security incidents

A computer security incident response team (CSIRT) acts as a point of contact during an incident. It also helps by disseminating security alerts and engaging in security awareness programs.

A business continuity and disaster recovery (BCDR) team develops and tests plans for business continuity in case of a disaster. A threat intelligence team gathers, analyzes, and disseminates threat intelligence. An identity and access management (IAM) team manages user access and the authentication of system resources.

158.

Which term is a percentage expression that shows the probability that a sample is truly representative of the population?

  • Confidence coefficient

  • Difference estimation

  • Expected error rate

  • Precision

Correct answer: Confidence coefficient

A confidence coefficient is a percentage expression that shows the probability that a sample is a true representation of the population. A 95% confidence level is generally considered a high level of comfort.

Difference estimation is estimating the difference between audited values and book values. The expected error rate is a percentage of the errors that may exist. Precision is the acceptable range difference between a sample and the actual population.

159.

One of the issues of managing a project is handling scope changes. Which of the following should be included in the management of scope changes?

  • Careful documentation in the form of a WBS

  • A procedure instituted for employees to submit change requests to the project manager

  • The project manager evaluating the change request based on software suitability and the availability of personnel

  • A change request that is reviewed by the project manager and then referred to the CIO

Correct answer: Careful documentation in the form of a WBS

Scope changes should be properly documented in the form of a work breakdown structure (WBS). There should be a change management process that is initiated with a formal change request.

Only stakeholders are allowed to submit change requests. The project manager evaluates a change request based on project activities, schedule, and budget. The change request is then referred to the Change Advisory Board for evaluation.

160.

Data leak-prevention systems attempt to address the three primary states of information. Which of the following is NOT one of the states of information?

  • Data encrypted

  • Data in use

  • Data at rest

  • Data in motion

Correct answer: Data encrypted

Data leak-prevention (DLP) systems recognize three primary states of data:

  • Data at rest: Data is stored by the enterprise on servers, workstations, and other areas. DLP systems use crawlers to locate, identify, and classify this information.
  • Data in motion: Data is moved by the network or other mediums. DLP systems use deep-packet inspection to monitor and regulate the information moving over the network and block communications that are unauthorized.
  • Data in use: Data is in use at the endpoints, where end-users manipulate and control it. End-users can move data via operations such as email or transferring it to a USB drive, so DLP endpoint agents should be installed to control these risks.