ISACA CISA Exam Questions


161.

Which domain in the COBIT model includes processes that ensure that IT goals align with business strategy?

  • APO

  • EDM

  • BAI

  • MEA

Correct answer: APO

The Align, Plan, and Organize (APO) domain has processes that ensure that IT goals are aligned with business goals and strategy. This is based on the Deming Cycle, where APO occurs after EDM and before BAI.

Evaluate, Direct, and Monitor (EDM) focuses on the overall governance of IT. Build, Acquire, and Implement (BAI) focuses on acquiring various resources and implementing them. Monitor, Evaluate, and Assess (MEA) focuses on ensuring that outcomes meet expectations.

162.

When performing a BIA, what are processes primarily assessed for?

  • Criticality

  • Dependencies

  • TCO

  • ROI

Correct answer: Criticality

A business impact analysis (BIA) first assesses processes based on their importance. Determining each process or system's criticality will help a company focus its efforts.

Determining the dependencies that each process needs is not as important as determining criticality. Total cost of ownership (TCO) and return on investment (ROI) values are not important in a BIA.

163.

Kerberos is an example of a single-sign-on system. Where is this authentication system intended to be used?

  • Distributed computing environment

  • UNIX environment

  • Client/server environment

  • Mainframe environment

Correct answer: Distributed computing environment

Kerberos was developed by MIT to be used to validate services in a distributed computing environment. In most client/server environments, only users are authenticated, but in a distributed computing environment, users and servers need to be authenticated. 

During the initial login, Kerberos identifies the user. The user then obtains credentials that were registered with a trusted third party and cryptographically protected. This forms the basis for setting secure sessions with the servers.

164.

Where are microwave radio systems commonly used today?

  • On routes where economics don't favor the installation of fiber

  • On routes with heavy rainfall since microwave is unaffected by rain

  • On routes in mountainous areas

  • On routes where latency needs to be minimized

Correct answer: On routes where economics don't favor the installation of fiber

Microwave circuits are commonly used today on "light routes" where it would be too expensive to install fiber. Microwave circuits can't be used in areas with heavy rainfall or in mountainous areas: these circuits don't work well in rain, and microwave antennae need a clear line of sight to each other. Most old microwave systems have been replaced by fiber-optic cable, which offers increased capacity and improved reliability and costs only a fraction of what microwave circuits of similar capacity cost.

However, microwave now uses digital signals exclusively, which are more cost-effective and less error-prone than analog circuitry.

165.

After the successful adoption of capability maturity models (CMMs) for software, the CMMI was developed. What is a key feature of CMMI?

  • Includes modules for disciplines such as integrated product development

  • Includes artificial intelligence capabilities

  • Includes modules that verify system integrity

  • Includes business intelligence modules

Correct answer: Includes modules for disciplines such as integrated product development

The Capability Maturity Model Integration includes specialized modules in one integrated package. CMMI is considered less appropriate for waterfall project approaches and more appropriate for iterative development. CMMI can be useful for evaluating computer center management and IT change-management processes.  

CMMI does not involve artificial intelligence capabilities, modules that verify system integrity, or business intelligence modules.

166.

An IS auditor is examining the system resiliency of an online retailer. When looking at their network infrastructure, they see a single point of failure because their site runs on a single server. What type of solution should the auditor recommend in this scenario?

  • Clustering

  • Multi-tenancy

  • Virtualization

  • Multi-core

Correct answer: Clustering

To achieve system resiliency, there should be multiple servers in a cluster so that there is no single point of failure. With clustering, a secondary server will take over when the primary fails, or all servers can participate in load balancing.

Multi-tenancy is when multiple clients use the same computing resource. Virtualization will create an instance of a server but does not prevent a single point of failure on its own. A multi-core CPU is used to execute multiple instructions simultaneously.

167.

What is the term for a significant redesign of management systems to establish an improved performance structure?

  • Business process reengineering

  • Six Sigma

  • Benchmarking

  • IT-balanced scorecard

Correct answer: Business process reengineering

Business process reengineering is an analysis and redesign process with the goal of making the business more responsive to the market and customers while running the business more economically. BPR seeks ground-up restructuring of business processes.

Six Sigma is focused on product improvement and defect reduction. Benchmarking is comparing performance to a baseline or to competitors. An IT-balanced scorecard is a management evaluation technique to assess IT functions and processes.

168.

All the following are questions that should be asked during a company's BIA phase, EXCEPT:

  • What are the backup and data recovery procedures to use in recovery?

  • What are the company's business processes?

  • What are the critical information resources related to the company's critical business processes?

  • What is the critical recovery period to resume critical processes before there are unacceptable losses?

Correct answer: What are the backup and data recovery procedures to use in recovery?

A business impact assessment (BIA) is used to evaluate critical resources and determine timeframes, priorities, and interdependencies. Backup and data recovery procedures are used during disaster recovery planning.

Questions about business processes, related information resources, and recovery periods are addressed in a BIA.

169.

The steps in the PDCA iterative model include all the following EXCEPT:

  • Create

  • Plan

  • Do

  • Act

Correct answer: Create

PDCA is an iterative management method. The steps in PDCA do not include Create. The steps are Plan, Do, Check, Act.

PDCA is used for the continuous improvement of products, and each iteration runs the same four steps. The aim is to improve the process with each iteration.

170.

A company is identifying assets as a part of its risk management process. They are trying to categorize their trade secrets and software source code. How should they categorize these assets?

  • Intellectual property

  • Brand equity

  • Supplies and materials

  • Equipment

Correct answer: Intellectual property

Intellectual property (IP) is an asset type that includes items such as trade secrets, inventions, designs, symbols, and source code. IP is protected by laws and can be very important for an organization.

Brand equity is the perceived or actual value of a brand or product. Supplies and materials can include office supplies and inputs for manufacturing. Equipment can include machines, vehicles, and office equipment.

171.

What are the two main frameworks for IT service management?

  • ITIL and ISO 20000

  • COBIT and ITIL

  • SCRUM and AGILE

  • ISO 38500 and ITIL

Correct answer: ITIL and ISO 20000

ITIL is a reference body of knowledge tailored to service delivery best practices. This comprehensive framework is addressed over five volumes, which should be adapted for each business's needs. The five volumes of ITIL are:

  1. Service Strategy: Align overall organization strategy with IT strategy
  2. Service Design: Create a design from the strategy to meet the needs of the company
  3. Service Transition: Create the IT services
  4. Service Operations: Maintain the IT services
  5. Continual Service Improvement: Constant system improvement

ISO 20000 is used to demonstrate compliance with an accepted good practice. In addition to the central elements of effective ITSM practice, it also requires service providers to implement the plan-do-check-act (PDCA) methodology (Deming's quality circle) and apply it to their service management process. Overall, this encourages the continuation of service improvement by the provider so that the organization's processes develop, mature, and adapt to customer requirements; errors and omissions are avoided; and problems that have been dealt with do not recur.

COBIT is for the governance and management of enterprise IT. SCRUM and AGILE are project management methodologies. ISO 38500 is for corporate governance of IT.

172.

What is a multiplexor?

  • A device that connects several separate signals into one data stream

  • An interface that connects a telecommunications circuit to a router

  • A physical device that provides centralized access control

  • A device that converts digital signals to analog and back again

Correct answer: A device that connects several separate signals into one data stream

A multiplexor is a device that connects several separate signals into one data stream. It can be used when a circuit has more bandwidth capacity than is required. It can allocate excess bandwidth, using every portion as a separate signal link. It can link many low-speed lines together to make one high-speed line, enhancing transmission capability.

A CSU/DSU is an interface that connects a telecommunications circuit to a router. An access server is a physical device that provides centralized access control. A modem is a device that converts digital signals to analog and back again.

173.

What provides information that allows an organization to decide whether to go ahead with a project?

  • Business case

  • Process improvement document

  • Auditing system report

  • Requirements capture report

Correct answer: Business case

A business case provides information that makes it possible for an organization to decide whether to go ahead with a project. The business case is the essential document that provides information that can determine whether a project should proceed. A business case can be the first step in a project or a required preliminary step. Initially, a business case usually derives from the feasibility study that is part of preliminary planning. Various solutions can be outlined with a business case for each, allowing for a cost-benefit comparison.

A process improvement document outlines ways to improve a process. An auditing system report is used to communicate audit results. A requirements capture report outlines the requirements for a system or product.

174.

An organization is currently deciding on procedures for minimizing human loss and protecting property in response to physical threats. On which component of a business continuity plan are they working?

  • OEP

  • ISCP

  • CIP

  • COOP

Correct answer: OEP

The occupant emergency plan (OEP) coordinates procedures to minimize loss of life or property due to a physical threat. It should be implemented immediately after a threat.

The information system contingency plan (ISCP) provides procedures for recovering information systems. A critical infrastructure plan (CIP) protects national critical infrastructure. A continuity of operations (COOP) plan sustains an organization at an alternate site.

175.

Which of the following is NOT part of the ISACA Code of Professional Ethics?

  • Assist the stakeholders with any means necessary to ensure they pass any audit

  • Support the implementation of, and encourage compliance with, appropriate standards and procedures for governance and management

  • Perform all duties with objectivity, due diligence, and professional care

  • Serve in the best interest of the stakeholders in a lawful manner

Correct answer: Assist the stakeholders with any means necessary to ensure they pass any audit

ISACA has all CISA-certified individuals promise to support the implementation of and encourage compliance with appropriate standards and procedures for governance and management; perform their duties with objectivity, due diligence, and professional care; and serve in the best interest of the stakeholders in a lawful manner. 

It does not demand professionals to help a company pass any audit through any means necessary.

176.

An IS auditor is reviewing the specific standards and compliance requirements that need to be met in the systems they will be auditing. The auditor has discovered that the ISACA IS Audit and Assurance Standards are not as stringent as the local regulatory authority. What should the auditor do in this case?

  • Abide by the more stringent regulations and incorporate them into the audit

  • Observe ISACA's IS Audit and Assurance Standards, as they are the most appropriate in this case

  • Create custom standards that average ISACA and regulatory requirements 

  • Work with the local regulatory liaison to determine what requirements are necessary

Correct answer: Abide by the more stringent regulations and incorporate them into the audit

There may be situations where the legal/regulatory authority has mandated more stringent requirements than the ISACA IS Audit and Assurance Standards. ISACA states that, in these cases, an IS auditor should ensure compliance with the more stringent legal/regulatory requirements.

177.

An auditor analyzing a company's problem management discovers that only authorized users log errors. Updates to the log file are also allowed only by authorized users. Any updates to the log files are traced to the user making the changes. The user who closes an error log entry must be different from the user initiating the error log entry. In this situation, what should the auditor recommend to the company?

  • Errors should be logged for all users

  • All users should be able to make edits to the log files

  • Updates to a log file should not be traced

  • The user who initiates an error entry should be the same user who closes the error log entry

Correct answer: Errors should be logged for all users

All users should be able to have their errors logged. This will help alert the company to any abnormal activity.

Only authorized users should be able to make edits to the log files. Updates to a log file should be traced. For segregation of duties, the user who initiates an error entry should be different from the user who closes the error log entry.

178.

Remote access is often a dial-in service. In most organizations, what is required for complete access to all network resources via dial-in?

  • VPN

  • Password and authorization

  • Access through FTP

  • Special secure line

Correct answer: VPN

Complete access to a network via dial-in usually requires a virtual private network (VPN). A VPN permits a secure connection. It can also provide secure authentication. VPNs are points of entry that need to be centrally controlled; an IS auditor should determine whether these points are adequately managed.

179.

All the following are part of reviewing the applications covered by a business continuity plan, EXCEPT:

  • Reviewing protection against zero-day attacks for all software

  • Verifying that the emergency site has the correct versions of all software

  • Verifying that all software at the emergency site is compatible with production software at the home site

  • Determining whether all critical applications have been properly identified

Correct answer: Reviewing protection against zero-day attacks for all software

Reviewing protection against zero-day attacks for all software is not typically part of reviewing the applications. The basic elements to review for the applications covered in the business continuity plan are:

  • Reviewing whether critical applications are identified
  • Verifying the correct version of the software and software compatibility 
  • Verifying that all applications have been reviewed for their tolerance level in the event of a disaster
  • Verifying that there is a plan for support for all important applications

180.

A financial services company completed a project a few weeks ago. Now, they want to evaluate the adequacy of the project and determine if its projected costs versus benefits were realized. What type of activity should they undertake?

  • Post-implementation review

  • Hardware review

  • Feasibility study

  • Risk assessment

Correct answer: Post-implementation review

A post-implementation review is undertaken a few weeks after the project has been completed in order to evaluate it. Factors such as the project's adequacy, costs vs. benefits, and deficiencies can be evaluated.

A hardware review is for infrastructure and operations. A feasibility study is completed before the project starts to determine if it is reasonable. A risk assessment is used to identify and evaluate potential risks.