CISA Certification Dumps - Certified Information Systems Auditor

CISA Certification Dumps – Certified Information Systems Auditor

Jonnie Karnath2023-08-21T08:06:04+00:00

Certified Information Systems Auditor (CISA) is a globally recognized certification for professionals who audit, control, monitor, and assess an organization’s information technology and business systems. The CISA exam is designed to assess the candidate’s knowledge of information systems audit, control, and security. Certspots is a website that provides free CISA Certification Dumps to help candidates prepare for the exam. These CISA Certification dumps include practice exam questions and answers, as well as detailed explanations of the correct answers. By using these CISA Certification dumps, candidates can familiarize themselves with the exam format and gain confidence in their knowledge of the subject matter.

Page 1 of 21

1. In order to be useful, a key performance indicator (KPI) MUST

be approved by management.

be measurable in percentages.

be changed frequently to reflect organizational strategy.

have a target value.

2. Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Apply single sign-on for access control

Implement segregation of duties.

Enforce an internal data access policy.

Enforce the use of digital signatures.

3. Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?

Analysis of industry benchmarks

Identification of organizational goals

Analysis of quantitative benefits

Implementation of a balanced scorecard

4. Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

Walk-through reviews

Substantive testing

Compliance testing

Design documentation reviews

5. Which of the following is me GREATE ST impact as a result of the ongoing deterioration of a detective control?

Increased number of false negatives in security logs

Decreased effectiveness of roof cause analysis

Decreased overall recovery time

Increased demand for storage space for logs

6. During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon.

Which of the following is the auditor's BEST course of action?

Report the deviation by the control owner in the audit report.

Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.

Cancel the follow-up audit and reschedule for the next audit period.

Request justification from management for not implementing the recommended control.

7. Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

Program coding standards have been followed

Acceptance test criteria have been developed

Data conversion procedures have been establish.

The design has been approved by senior management.

8. During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date

When assessing the seventy of this finding, which mitigating factor would MOST significantly minimize the associated impact?

There are documented compensating controls over the business processes.

The risk acceptances were previously reviewed and approved by appropriate senior management

The business environment has not significantly changed since the risk acceptances were approved.

The risk acceptances with issues reflect a small percentage of the total population

9. Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization1?

Readily available resources such as domains and risk and control methodologies

Comprehensive coverage of fundamental and critical risk and control areas for IT governance

Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies

Wide acceptance by different business and support units with IT governance objectives

10. Which of the following provides the MOST assurance of the integrity of a firewall log?

The log is reviewed on a monthly basis.

Authorized access is required to view the log.

The log cannot be modified.

The log is retained per policy.

Page 2 of 21

11. An IS audit reveals that an organization is not proactively addressing known vulnerabilities.

Which of the following should the IS auditor recommend the organization do FIRST?

Verify the disaster recovery plan (DRP) has been tested.

Ensure the intrusion prevention system (IPS) is effective.

Assess the security risks to the business.

Confirm the incident response team understands the issue.

12. Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?

Parallel changeover

Modular changeover

Phased operation

Pilot operation

13. To confirm integrity for a hashed message, the receiver should use:

the same hashing algorithm as the sender's to create a binary image of the file.

a different hashing algorithm from the sender's to create a binary image of the file.

the same hashing algorithm as the sender's to create a numerical representation of the file.

a different hashing algorithm from the sender's to create a numerical representation of the file.

14. Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

Media recycling policy

Media sanitization policy

Media labeling policy

Media shredding policy

15. Which of the following should be GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?

Data conversion was performed using manual processes.

Backups of the old system and data are not available online.

Unauthorized data modifications occurred during conversion.

The change management process was not formally documented

16. Which of the following is MOST important to consider when scheduling follow-up audits?

The efforts required for independent verification with new auditors

The impact if corrective actions are not taken

The amount of time the auditee has agreed to spend with auditors

Controls and detection risks related to the observations

17. In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?

Discovery

Attacks

Planning

Reporting

18. Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

Assurance that the new system meets functional requirements

More time for users to complete training for the new system

Significant cost savings over other system implemental or approaches

Assurance that the new system meets performance requirements

19. When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

the organization's web server.

the demilitarized zone (DMZ).

the organization's network.

the Internet

20. The PRIMARY purpose of requiring source code escrow in a contractual agreement is to:

comply with vendor management policy

convert source code to new executable code.

satisfy regulatory requirements.

ensure the source code is available.

Page 3 of 21

21. An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production.

Which of the following is the MOST significant risk from this situation?

Loss of application support

Lack of system integrity

Outdated system documentation

Developer access 1o production

22. Which of the following is MOST important to consider when reviewing an organization's

defined data backup and restoration procedures?

Business continuity plan (BCP)

Recovery point objective (RPO)

Mean time to restore (MTTR)

Mean time between failures (MTBF)

23. Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

The method relies exclusively on the use of asymmetric encryption algorithms.

The method relies exclusively on the use of 128-bit encryption.

The method relies exclusively on the use of digital signatures.

The method relies exclusively on the use of public key infrastructure (PKI).

24. Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse formal?

Testing

Replication

Staging

Development

25. An IS auditor observes that a business-critical application does not currently have any level of fault tolerance.

Which of the following is the GREATEST concern with this situation?

Degradation of services

Limited tolerance for damage

Decreased mean time between failures (MTBF)

Single point of failure

26. Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

Balanced scorecard

Enterprise dashboard

Enterprise architecture (EA)

Key performance indicators (KPIs)

27. Which of the following must be in place before an IS auditor initiates audit follow-up activities?

Available resources for the activities included in the action plan

A management response in the final report with a committed implementation date

A heal map with the gaps and recommendations displayed in terms of risk

Supporting evidence for the gaps and recommendations mentioned in the audit report

28. Backup procedures for an organization's critical data are considered to be which type of control?

Directive

Corrective

Detective

Compensating

29. Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?

Unit the use of logs to only those purposes for which they were collected

Restrict the transfer of log files from host machine to online storage

Only collect logs from servers classified as business critical

Limit log collection to only periods of increased security activity

30. Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

Identify approved data workflows across the enterprise.

Conduct a threat analysis against sensitive data usage.

Create the DLP pcJc.es and templates

Conduct a data inventory and classification exercise

Page 4 of 21

31. Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

Carbon dioxide

FM-200

Dry pipe

Halon

32. Which of the following is the MOST effective control to mitigate against the risk of inappropriate activity by employees?

User activity monitoring

Two-factor authentication

Network segmentation

Access recertification

33. The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

is more effective at suppressing flames.

allows more time to abort release of the suppressant.

has a decreased risk of leakage.

disperses dry chemical suppressants exclusively.

34. Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

The organization's security policy

The number of remote nodes

The firewalls' default settings

The physical location of the firewalls

35. Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?

Human resources (HR) sourcing strategy

Records of actual time spent on projects

Peer organization staffing benchmarks

Budgeted forecast for the next financial year

36. A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem.

Which of the following is the senior auditor s MOST appropriate course of action?

Ask the auditee to retest

Approve the work papers as written

Have the finding reinstated

Refer the issue to the audit director

37. An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code.

What is the auditor's BEST recommendation for the organization?

Analyze a new application that moots the current re

Perform an analysis to determine the business risk

Bring the escrow version up to date.

Develop a maintenance plan to support the application using the existing code

38. Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

Audit cycle defined in the audit plan

Complexity of management's action plans

Recommendation from executive management

Residual risk from the findings of previous audits

39. Which of the following is the MOST important control for virualized environments?

Regular updates of policies for the operation of the virtualized environment

Hardening for the hypervisor and guest machines

Redundancy of hardware resources and network components

Monitoring utilization of resources at the guest operating system level

40. Capacity management tools are PRIMARILY used to ensure that:

available resources are used efficiently and effectively

computer systems are used to their maximum capacity most of the time

concurrent use by a large number of users is enabled

proposed hardware acquisitions meet capacity requirements

Page 5 of 21

41. Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

Developing and communicating test procedure best practices to audit teams

Developing and implementing an audit data repository

Decentralizing procedures and Implementing periodic peer review

Centralizing procedures and implementing change control

42. Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?

Deviation detection

Cluster sampling

Random sampling

Classification

43. Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

Business interruption due to remediation

IT budgeting constraints

Availability of responsible IT personnel

Risk rating of original findings

44. Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

Analyze whether predetermined test objectives were met.

Perform testing at the backup data center.

Evaluate participation by key personnel.

Test offsite backup files.

45. When planning an audit, it is acceptable for an IS auditor to rely on a third-party providers external audit report on service level management when the

scope and methodology meet audit requirements

service provider is independently certified and accredited

report confirms that service levels were not violated

report was released within the last 12 months

46. Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor's BEST course of action would be to determine if:

the patches were updated.

The logs were monitored.

The network traffic was being monitored.

The domain controller was classified for high availability.

47. A computer forensic audit is MOST relevant in which of the following situations?

Inadequate controls in the IT environment

Mismatches in transaction data

Missing server patches

Data loss due to hacking of servers

48. What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?

Ensure the open issues are retained in the audit results.

Terminate the follow-up because open issues are not resolved

Recommend compensating controls for open issues.

Evaluate the residual risk due to open issues.

49. An IS auditor is following up on prior period items and finds management did not address an audit finding.

Which of the following should be the IS auditor's NEXT course of action?

Note the exception in a new report as the item was not addressed by management.

Recommend alternative solutions to address the repeat finding.

Conduct a risk assessment of the repeat finding.

Interview management to determine why the finding was not addressed.

50. What is the BEST way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems?

Establish rules for converting data from one format to another

Implement data entry controls for new and existing applications

Implement a consistent database indexing strategy

Develop a metadata repository to store and access metadata

Page 6 of 21

51. Which of the following concerns is MOST effectively addressed by implementing an IT framework for alignment between IT and business objectives?

Inaccurate business impact analysis (BIA)

Inadequate IT change management practices

Lack of a benchmark analysis

Inadequate IT portfolio management

52. Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?

Function point analysis

Work breakdown structure

Critical path analysts

Software cost estimation

53. Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?

Change management

Problem management

incident management

Configuration management

54. An IS auditor learns that an in-house system development life cycle (SDLC) project has not met user specifications. The auditor should FIRST examine requirements from which of the following phases?

Configuration phase

User training phase

Quality assurance (QA) phase

Development phase

55. Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?

Implement controls to prohibit downloads of unauthorized software.

Conduct periodic software scanning.

Perform periodic counting of licenses.

Require senior management approval when installing licenses.

56. Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?

Re-partitioning

Degaussing

Formatting

Data wiping

57. An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor.

Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

Service level agreement (SLA)

Hardware change management policy

Vendor memo indicating problem correction

An up-to-date RACI chart

58. Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?

Periodic vendor reviews

Dual control

Independent reconciliation

Re-keying of monetary amounts

Engage an external security incident response expert for incident handling.

59. Which of the following is the PRIMARY role of the IS auditor m an organization's information classification process?

Securing information assets in accordance with the classification assigned

Validating that assets are protected according to assigned classification

Ensuring classification levels align with regulatory guidelines

Defining classification levels for information assets within the organization

60. An organization's security policy mandates that all new employees must receive appropriate security awareness training.

Which of the following metrics would BEST assure compliance with this policy?

Percentage of new hires that have completed the training.

Number of new hires who have violated enterprise security policies.

Number of reported incidents by new hires.

Percentage of new hires who report incidents

Page 7 of 21

61. Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

Audit charter

IT steering committee

Information security policy

Audit best practices

62. Which type of device sits on the perimeter of a corporate of home network, where it obtains a public IP address and then generates private IP addresses internally?

Switch

Intrusion prevention system (IPS)

Gateway

Router

63. The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

risk management review

control self-assessment (CSA).

service level agreement (SLA).

balanced scorecard.

64. A bank has a combination of corporate customer accounts (higher monetary value) and small business accounts (lower monetary value) as part of online banking.

Which of the following is the BEST sampling approach for an IS auditor to use for these accounts?

Difference estimation sampling

Stratified mean per unit sampling

Customer unit sampling

Unstratified mean per unit sampling

65. Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

To ensure that older versions are availability for reference

To ensure that only the latest approved version of the application is used

To ensure compatibility different versions of the application

To ensure that only authorized users can access the application

66. Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

Monitor access to stored images and snapshots of virtual machines.

Restrict access to images and snapshots of virtual machines.

Limit creation of virtual machine images and snapshots.

Review logical access controls on virtual machines regularly.

67. What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

The contract does not contain a right-to-audit clause.

An operational level agreement (OLA) was not negotiated.

Several vendor deliverables missed the commitment date.

Software escrow was not negotiated.

68. Which of the following is the BEST performance indicator for the effectiveness of an incident management program?

Average time between incidents

Incident alert meantime

Number of incidents reported

Incident resolution meantime

69. Which of the following is the MOST important outcome of an information security program?

Operating system weaknesses are more easily identified.

Emerging security technologies are better understood and accepted.

The cost to mitigate information security risk is reduced.

Organizational awareness of security responsibilities is improved.

70. An IS auditor has been tasked to review the processes that prevent fraud within a business expense claim system.

Which of the following stakeholders is MOST important to involve in this review?

Information security manager

Quality assurance (QA) manager

Business department executive

Business process owner

Page 8 of 21

71. Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD) policy to help prevent data leakage?

Require employees to waive privacy rights related to data on BYOD devices.

Require multi-factor authentication on BYOD devices,

Specify employee responsibilities for reporting lost or stolen BYOD devices.

Allow only registered BYOD devices to access the network.

72. During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated.

The GREATEST concern to the IS auditor is that policies and procedures might not:

reflect current practices.

include new systems and corresponding process changes.

incorporate changes to relevant laws.

be subject to adequate quality assurance (QA).

73. An organization considering the outsourcing of a business application should FIRST:

define service level requirements.

perform a vulnerability assessment.

conduct a cost-benefit analysis.

issue a request for proposal (RFP).

74. Which of the following methods BEST enforces data leakage prevention in a multi-tenant cloud environment?

Monitoring tools are configured to alert in case of downtime

A comprehensive security review is performed every quarter.

Data for different tenants is segregated by database schema

Tenants are required to implement data classification polices

75. Which of the following is the MOST important responsibility of user departments associated with program changes?

Providing unit test data

Analyzing change requests

Updating documentation lo reflect latest changes

Approving changes before implementation

76. A checksum is classified as which type of control?

Detective control

Preventive control

Corrective control

Administrative control

77. Afire alarm system has been installed in the computer room The MOST effective location for the fire alarm control panel would be inside the

computer room closest to the uninterruptible power supply (UPS) module

computer room closest to the server computers

system administrators office

booth used by the building security personnel

78. During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements

Which of the following is the BEST way to obtain this assurance?

Review sign-off documentation

Review the source code related to the calculation

Re-perform the calculation with audit software

Inspect user acceptance lest (UAT) results

79. The PRIMARY purpose of a configuration management system is to:

track software updates.

define baselines for software.

support the release procedure.

standardize change approval.

80. An organization has shifted from a bottom-up approach to a top-down approach in the development of IT policies. This should result in:

greater consistency across the organization.

a synthesis of existing operational policies.

a more comprehensive risk assessment plan.

greater adherence to best practices.

Page 9 of 21

81. Which of the following is the GREATEST risk associated with storing customer data on a web server?

Data availability

Data confidentiality

Data integrity

Data redundancy

82. Which of the following should be considered when examining fire suppression systems as part of a data center environmental controls review?

Installation manuals

Onsite replacement availability

Insurance coverage

Maintenance procedures

83. An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system.

The auditor's FIRST course of action should be to:

review recent changes to the system.

verify completeness of user acceptance testing (UAT).

verify results to determine validity of user concerns.

review initial business requirements.

84. Which of the following is the BEST indication that there are potential problems within an organization's IT service desk function?

Undocumented operating procedures

Lack of segregation of duties

An excessive backlog of user requests

Lack of key performance indicators (KPIs)

85. Which of the following information security requirements BE ST enables the tracking of organizational data in a bring your own device (BYOD) environment?

Employees must immediately report lost or stolen mobile devices containing organizational data

Employees must sign acknowledgment of the organization's mobile device acceptable use policy

Employees must enroll their personal devices in the organization's mobile device management program

86. Which of the following is the BEST source of information for examining the classification of new data?

Input by data custodians

Security policy requirements

Risk assessment results

Current level of protection

87. When reviewing the functionality of an intrusion detection system (IDS), the IS auditor should be MOST concerned if:

legitimate packets blocked by the system have increased

actual attacks have not been identified

detected events have increased false

positives have been reported

88. After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit.

Which of the following risks is MOST affected by this oversight?

Inherent

Operational

Audit

Financial

89. Which of the following would BEST facilitate the successful implementation of an IT-related framework?

Aligning the framework to industry best practices

Establishing committees to support and oversee framework activities

Involving appropriate business representation within the framework

Documenting IT-related policies and procedures

90. A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

the provider has alternate service locations.

the contract includes compensation for deficient service levels.

the provider's information security controls are aligned with the company's.

the provider adheres to the company's data retention policies.

Page 10 of 21

91. Upon completion of audit work, an IS auditor should:

provide a report to senior management prior to discussion with the auditee.

distribute a summary of general findings to the members of the auditing team.

provide a report to the auditee stating the initial findings.

review the working papers with the auditee.

92. The operations team of an organization has reported an IS security attack.

Which of the following should be the FIRST step for the security incident response team?

Report results to management

Document lessons learned

Perform a damage assessment

Prioritize resources for corrective action

93. Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?

System flowchart

Data flow diagram

Process flowchart

Entity-relationship diagram

94. During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same approach to optimize resources?

Leverage the work performed by external audit for the internal audit testing.

Ensure both the internal and external auditors perform the work simultaneously.

Request that the external audit team leverage the internal audit work.

Roll forward the general controls audit to the subsequent audit year.

95. An organization allows employees to retain confidential data on personal mobile devices.

Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

Require employees to attend security awareness training.

Password protect critical data files.

Configure to auto-wipe after multiple failed access attempts.

Enable device auto-lock function.

96. An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and identifies one transaction with a value five times as high as the average transaction.

Which of the following should the auditor do NEXT?

Report the variance immediately to the audit committee

Request an explanation of the variance from the auditee

Increase the sample size to 100% of the population

Exclude the transaction from the sample population

97. Which of the following issues associated with a data center's closed circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?

CCTV recordings are not regularly reviewed.

CCTV cameras are not installed in break rooms

CCTV records are deleted after one year.

CCTV footage is not recorded 24 x 7.

98. Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

The job scheduler application has not been designed to display pop-up error messages.

Access to the job scheduler application has not been restricted to a maximum of two staff members

Operations shift turnover logs are not utilized to coordinate and control the processing environment

Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor

99. Which of the following BEST helps to ensure data integrity across system interfaces?

Environment segregation

Reconciliation

System backups

Access controls

100. Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

The certificate revocation list has not been updated.

The PKI policy has not been updated within the last year.

The private key certificate has not been updated.

The certificate practice statement has not been published

Page 11 of 21

101. A new system development project is running late against a critical implementation deadline.

Which of the following is the MOST important activity?

Document last-minute enhancements

Perform a pre-implementation audit

Perform user acceptance testing (UAT)

Ensure that code has been reviewed

102. An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments.

The IS auditor should FIRST

document the exception in an audit report.

review security incident reports.

identify compensating controls.

notify the audit committee.

103. An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward 10 those who click on a link embedded in the body of the email.

Which of the following metrics BEST indicates the effectiveness of awareness training?

The number of users deleting the email without reporting because it is a phishing email

The number of users clicking on the link to learn more about the sender of the email

The number of users forwarding the email to their business unit managers

The number of users reporting receipt of the email to the information security team

104. An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities.

Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?

Increasing the frequency of risk-based IS audits for each business entity

Developing a risk-based plan considering each entity's business processes

Conducting an audit of newly introduced IT policies and procedures

Revising IS audit plans to focus on IT changes introduced after the split

105. What is the PRIMARY benefit of using one-time passwords?

An intercepted password cannot be reused

Security for applications can be automated

Users do not have to memorize complex passwords

Users cannot be locked out of an account

106. Which of the following is a concern associated with virtualization?

The physical footprint of servers could decrease within the data center.

Performance issues with the host could impact the guest operating systems.

Processing capacity may be shared across multiple operating systems.

One host may have multiple versions of the same operating system.

107. When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (Al) system, the IS auditor should be MOST concerned with the impact Al will have on

employee retention

enterprise architecture (EA)

future task updates

task capacity output

108. Which of the following is an example of a preventative control in an accounts payable system?

The system only allows payments to vendors who are included In the system's master vendor list.

Backups of the system and its data are performed on a nightly basis and tested periodically.

The system produces daily payment summary reports that staff use to compare against invoice totals.

Policies and procedures are clearly communicated to all members of the accounts payable department

109. Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?

The exceptions are likely to continue indefinitely.

The exceptions may result in noncompliance.

The exceptions may elevate the level of operational risk.

The exceptions may negatively impact process efficiency.

110. Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Ensure compliance with the data classification policy.

Protect the plan from unauthorized alteration.

Comply with business continuity best practice.

Reduce the risk of data leakage that could lead to an attack.

Page 12 of 21

111. Which of the following concerns is BEST addressed by securing production source libraries?

Programs are not approved before production source libraries are updated.

Production source and object libraries may not be synchronized.

Changes are applied to the wrong version of production source libraries.

Unauthorized changes can be moved into production.

112. An audit has identified that business units have purchased cloud-based applications without IPs support.

What is the GREATEST risk associated with this situation?

The applications are not included in business continuity plans (BCFs)

The applications may not reasonably protect data.

The application purchases did not follow procurement policy.

The applications could be modified without advanced notice.

113. An IS auditor notes that IT and the business have different opinions on the availability of their application servers.

Which of the following should the IS auditor review FIRST in order to understand the problem?

The exact definition of the service levels and their measurement

The alerting and measurement process on the application servers

The actual availability of the servers as part of a substantive test

The regular performance-reporting documentation

114. Which of the following is the MAIN purpose of an information security management system?

To identify and eliminate the root causes of information security incidents

To enhance the impact of reports used to monitor information security incidents

To keep information security policies and procedures up-to-date

To reduce the frequency and impact of information security incidents

115. During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months.

Which of the following is the BEST course of action?

Require documentation that the finding will be addressed within the new system

Schedule a meeting to discuss the issue with senior management

Perform an ad hoc audit to determine if the vulnerability has been exploited

Recommend the finding be resolved prior to implementing the new system

116. The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

the access control system's log settings.

how the latest system changes were implemented.

the access control system's configuration.

the access rights that have been granted.

117. An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room.

Which of the following would be MOST useful to the auditor?

Manual sign-in and sign-out log

System electronic log

Alarm system with CCTV

Security incident log

118. What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

Senior management's request

Prior year's audit findings

Organizational risk assessment

Previous audit coverage and scope

119. An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy.

What is the BEST way (or the auditor to address this issue?

Recommend the application be patched to meet requirements.

Inform the IT director of the policy noncompliance.

Verify management has approved a policy exception to accept the risk.

Take no action since the application will be decommissioned in three months.

120. What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Perform background verification checks.

Review third-party audit reports.

Implement change management review.

Conduct a privacy impact analysis.

Page 13 of 21

121. Which of the following is the BEST source of information to determine the required level of data protection on a file server?

Data classification policy and procedures

Access rights of similar file servers

Previous data breach incident reports

Acceptable use policy and privacy statements

122. Which of following is MOST important to determine when conducing a post-implementation review?

Whether the solution architecture compiles with IT standards

Whether success criteria have been achieved

Whether the project has been delivered within the approved budget

Whether lessons teamed have been documented

123. An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year.

Which of the following should the auditor do FIRST

Escalate to audit management to discuss the audit plan

Notify the chief operating officer (COO) and discuss the audit plan risks

Exclude IS audits from the upcoming year's plan

Increase the number of IS audits in the clan

124. Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program''

Steps taken to address identified vulnerabilities are not formally documented

Results are not reported to individuals with authority to ensure resolution

Scans are performed less frequently than required by the organization's vulnerability scanning schedule

Results are not approved by senior management

125. Which of the following would be MOST impacted if an IS auditor were to assist with the implementation of recommended control enhancements?

Independence

Integrity

Materiality

Accountability

126. Which of the following occurs during the issues management process for a system development project?

Contingency planning

Configuration management

Help desk management

Impact assessment

127. Which of the following is the PRIMARY reason to perform a risk assessment?

To determine the current risk profile

To ensure alignment with the business impact analysis (BIA)

To achieve compliance with regulatory requirements

To help allocate budget for risk mitigation controls

128. An IS auditor reviewing the threat assessment tor a data center would be MOST concerned if:

some of the identified throats are unlikely to occur.

all identified throats relate to external entities.

the exercise was completed by local management.

neighboring organizations operations have been included.

129. Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?

Implement data loss prevention (DLP) software

Review perimeter firewall logs

Provide ongoing information security awareness training

Establish behavioral analytics monitoring

130. An organization has outsourced its data processing function to a service provider.

Which of the following would BEST determine whether the service provider continues to meet the organization s objectives?

Assessment of the personnel training processes of the provider

Adequacy of the service provider's insurance

Review of performance against service level agreements (SLAs)

Periodic audits of controls by an independent auditor

Page 14 of 21

131. During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data any Internet-connected web browser.

Which Of the following is the auditors BEST recommendation to prevent unauthorized access?

Implement an intrusion detection system (IDS),

Update security policies and procedures.

Implement multi-factor authentication.

Utilize strong anti-malware controls on all computing devices.

132. During an audit of a reciprocal disaster recovery agreement between two companies, the

IS auditor would be MOST concerned with the:

allocation of resources during an emergency.

frequency of system testing.

differences in IS policies and procedures.

maintenance of hardware and software compatibility.

133. An IS auditor discovers that due to resource constraints a database administrator (DBA) is responsible for developing and executing changes into the production environment.

Which of the following should the auditor do FIRSTS

Determine whether another DBA could make the changes

Report a potential segregation of duties violation

identify whether any compensating controls exist

Ensure a change management process is followed prior to implementation

134. Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

Use of stateful firewalls with default configuration

Ad hoc monitoring of firewall activity

Misconfiguration of the firewall rules

Potential back doors to the firewall software

135. Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?

Disposal policies and procedures are not consistently implemented

Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

Business units are allowed to dispose printers directly to

Inoperable printers are stored in an unsecured area.

136. Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?

Findings from prior audits

Results of a risk assessment

An inventory of personal devices to be connected to the corporate network

Policies including BYOD acceptable user statements

137. Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

Logs are being collected in a separate protected host

Automated alerts are being sent when a risk is detected

Insider attacks are being controlled

Access to configuration files Is restricted.

138. Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?

Lessons learned were implemented.

Management approved the PIR report.

The review was performed by an external provider.

Project outcomes have been realized.

139. The PRIMARY objective of value delivery in reference to IT governance is to:

promote best practices

increase efficiency.

optimize investments.

ensure compliance.

140. A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon

The MOST effective plan of action would be to:

evaluate replacement systems and performance monitoring software.

restrict functionality of system monitoring software to security-related events.

re-install the system and performance monitoring software.

use analytical tools to produce exception reports from the system and performance monitoring software

Page 15 of 21

141. Controls related to authorized modifications to production programs are BEST tested by:

tracing modifications from the original request for change forward to the executable program.

tracing modifications from the executable program back to the original request for change.

testing only the authorizations to implement the new program.

reviewing only the actual lines of source code changed in the program.

142. The implementation of an IT governance framework requires that the board of directors of an organization:

Address technical IT issues.

Be informed of all IT initiatives.

Have an IT strategy committee.

Approve the IT strategy.

143. Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?

Customer service complaints

Automated monitoring of logs

Server crashes

Penetration testing

144. Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Limiting access to the data files based on frequency of use

Obtaining formal agreement by users to comply with the data classification policy

Applying access controls determined by the data owner

Using scripted access control lists to prevent unauthorized access to the server

145. An IS auditor evaluating the change management process must select a sample from the change log.

What is the BEST way tor the auditor to confirm the change log is complete?

Interview change management personnel about completeness.

Take an item from the log and trace it back to the system.

Obtain management attestation of completeness.

Take the last change from the system and trace it back to the log.

146. To develop meaningful recommendations 'or findings, which of the following is MOST important 'or an IS auditor to determine and understand?

Root cause

Responsible party

impact

Criteria

147. Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

Risk identification

Risk classification

Control self-assessment (CSA)

Impact assessment

148. The IS auditor has recommended that management test a new system before using it in production mode.

The BEST approach for management in developing a test plan is to use processing parameters that are:

randomly selected by a test generator.

provided by the vendor of the application.

randomly selected by the user.

simulated by production entities and customers.

149. Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?

Degaussing

Random character overwrite

Physical destruction

Low-level formatting

150. Which of the following is the PRIMARY advantage of using visualization technology for corporate applications?

Improved disaster recovery

Better utilization of resources

Stronger data security

Increased application performance

Page 16 of 21

151. Which of the following is the MOST important Issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?

Continuity of service

Identity management

Homogeneity of the network

Nonrepudiation

152. An IS auditor is reviewing the security of a web-based customer relationship management (CRM) system that is directly accessed by customers via the Internet,.

Which of the following should be a concern for the auditor?

The system is hosted on an external third-party service provider's servers.

The system is hosted in a hybrid-cloud platform managed by a service provider.

The system is hosted within a demilitarized zone (DMZ) of a corporate network.

The system is hosted within an internal segment of a corporate network.

153. When assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that:

database conflicts are managed during replication.

end users are trained in the replication process.

the source database is backed up on both sites.

user rights are identical on both databases.

154. Which of the following would be the BEST criteria for monitoring an IT vendor's service levels?

Service auditor's report

Performance metrics

Surprise visit to vendor

Interview with vendor

155. Which of the following is the PRIMARY concern when negotiating a contract for a hot site?

Availability of the site in the event of multiple disaster declarations

Coordination with the site staff in the event of multiple disaster declarations

Reciprocal agreements with other organizations

Complete testing of the recovery plan

156. The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

Technology risk

Detection risk

Control risk

Inherent risk

157. Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?

Cross-site scripting (XSS)

Social engineering

Adverse posts about the organization

158. Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (lDS)?

An increase in the number of identified false positives

An increase in the number of detected Incidents not previously identified

An increase in the number of unfamiliar sources of intruders

An increase in the number of internally reported critical incidents

159. During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

perform a business impact analysis (BIA).

issue an intermediate report to management.

evaluate the impact on current disaster recovery capability.

conduct additional compliance testing.

160. Which of the following is an IS auditor's BEST recommendation to protect an organization from attacks when its file server needs to be accessible to external users?

Enforce a secure tunnel connection.

Enhance internal firewalls.

Set up a demilitarized zone (DMZ).

Implement a secure protocol.

Page 17 of 21

161. Which of the following should be the FIRST step to successfully implement a corporate data classification program?

Approve a data classification policy.

Select a data loss prevention (DLP) product.

Confirm that adequate resources are available for the project.

Check for the required regulatory requirements.

162. When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.

each information asset is to a assigned to a different classification.

the security criteria are clearly documented for each classification

Senior IT managers are identified as information owner.

the information owner is required to approve access to the asset

163. Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?

Assignment of responsibility for each project to an IT team member

Adherence to best practice and industry approved methodologies

Controls to minimize risk and maximize value for the IT portfolio

Frequency of meetings where the business discusses the IT portfolio

164. When an intrusion into an organization network is deleted, which of the following should be done FIRST?

Block all compromised network nodes.

Contact law enforcement.

Notify senior management.

Identity nodes that have been compromised.

165. Email required for business purposes is being stored on employees' personal devices.

Which of the following is an IS auditor's BEST recommendation?

Require employees to utilize passwords on personal devices

Prohibit employees from storing company email on personal devices

Ensure antivirus protection is installed on personal devices

Implement an email containerization solution on personal devices

166. Which of the following is the BEST method to delete sensitive information from storage media that will be reused?

Crypto-shredding

Multiple overwriting

Reformatting

Re-partitioning

167. In a RAO model, which of the following roles must be assigned to only one individual?

Responsible

Informed

Consulted

Accountable

168. Which type of attack targets security vulnerabilities in web applications to gain access to data sets?

Denial of service (DOS)

SQL injection

Phishing attacks

Rootkits

169. Which of the following BEST guards against the risk of attack by hackers?

Tunneling

Encryption

Message validation

Firewalls

170. An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance

This would MOST likely increase the risk of a successful attack by.

phishing.

denial of service (DoS)

structured query language (SQL) injection

buffer overflow

Page 18 of 21

171. An IS auditor should ensure that an application's audit trail:

has adequate security.

logs ail database records.

Is accessible online

does not impact operational efficiency

172. A post-implementation review was conducted by issuing a survey to users.

Which of the following should be of GREATEST concern to an IS auditor?

The survey results were not presented in detail lo management.

The survey questions did not address the scope of the business case.

The survey form template did not allow additional feedback to be provided.

The survey was issued to employees a month after implementation.

173. An IS auditor is assigned to review the IS department s quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards.

Which of the following should be the auditor's NEXT action1?

Make recommendations to IS management as to appropriate quality standards

Postpone the audit until IS management implements written standards

Document and lest compliance with the informal standards

Finalize the audit and report the finding

174. A review of an organization’s IT portfolio revealed several applications that are not in use.

The BEST way to prevent this situation from recurring would be to implement.

A formal request for proposal (RFP) process

Business case development procedures

An information asset acquisition policy

Asset life cycle management.

175. Which of the following should be an IS auditor's GREATEST concern when a data owner assigns an incorrect classification level to data?

Controls to adequately safeguard the data may not be applied.

Data may not be encrypted by the system administrator.

Competitors may be able to view the data.

Control costs may exceed the intrinsic value of the IT asset.

176. Which of the following should be of GREATEST concern to an |$ auditor reviewing data conversion and migration during the implementation of a new application system?

The change management process was not formally documented

Backups of the old system and data are not available online

Unauthorized data modifications occurred during conversion,

Data conversion was performed using manual processes

177. The PRIMARY benefit of automating application testing is to:

provide test consistency.

provide more flexibility.

replace all manual test processes.

reduce the time to review code.

178. Which of the following controls BEST ensures appropriate segregation of dudes within an accounts payable department?

Ensuring that audit trails exist for transactions

Restricting access to update programs to accounts payable staff only

Including the creator's user ID as a field in every transaction record created

Restricting program functionality according to user security profiles

179. Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?

To determine whether project objectives in the business case have been achieved

To ensure key stakeholder sign-off has been obtained

To align project objectives with business needs

To document lessons learned to improve future project delivery

180. Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

Temperature sensors

Humidity sensors

Water sensors

Air pressure sensors

Page 19 of 21

181. A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

use a proxy server to filter out Internet sites that should not be accessed.

keep a manual log of Internet access.

monitor remote access activities.

include a statement in its security policy about Internet use.

182. Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?

Data owners are not trained on the use of data conversion tools.

A post-implementation lessons-learned exercise was not conducted.

There is no system documentation available for review.

System deployment is routinely performed by contractors.

183. Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?

Average the business units’ IT risk levels

Identify the highest-rated IT risk level among the business units

Prioritize the organization's IT risk scenarios

Establish a global IT risk scoring criteria

184. Users are complaining that a newly released enterprise resource planning (ERP) system is functioning too slowly.

Which of the following tests during the quality assurance (QA) phase would have identified this concern?

Stress

Regression

Interface

Integration

185. Which of the following is the MOST important factor when an organization is developing information security policies and procedures?

Consultation with security staff

Inclusion of mission and objectives

Compliance with relevant regulations

Alignment with an information security framework

186. An IS auditor is evaluating an organization's IT strategy and plans.

Which of the following would be of GREATEST concern?

There is not a defined IT security policy.

The business strategy meeting minutes are not distributed.

IT is not engaged in business strategic planning.

There is inadequate documentation of IT strategic planning.

187. Which of the following should be done FIRST when planning a penetration test?

Execute nondisclosure agreements (NDAs).

Determine reporting requirements for vulnerabilities.

Define the testing scope.

Obtain management consent for the testing.

188. A data breach has occurred due lo malware.

Which of the following should be the FIRST course of action?

Notify the cyber insurance company.

Shut down the affected systems.

Quarantine the impacted systems.

Notify customers of the breach.

189. What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?

it facilitates easier audit follow-up

it enforces action plan consensus between auditors and auditees

it establishes accountability for the action plans

it helps to ensure factual accuracy of findings

190. A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

IT operator

System administration

Emergency support

Database administration

Page 20 of 21

191. From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

Inability to close unused ports on critical servers

Inability to identify unused licenses within the organization

Inability to deploy updated security patches

Inability to determine the cost of deployed software

192. Which of the following is the BEST indication to an IS auditor that management's post-implementation review was effective?

Lessons learned were documented and applied.

Business and IT stakeholders participated in the post-implementation review.

Post-implementation review is a formal phase in the system development life cycle (SDLC).

Internal audit follow-up was completed without any findings.

193. Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?

To enable conclusions about me performance of the processes and target variances tor follow-up analysis

To analyze workflows in order to optimize business processes and eliminate tasks that do not provide value

To assess the functionality of a software deliverable based on business processes

194. An organization has assigned two now IS auditors to audit a now system implementation. One of the auditors has an IT-related degree, and one has a business degree.

Which of the following is MOST important to meet the IS audit standard for proficiency?

The standard is met as long as one member has a globally recognized audit certification.

Technical co-sourcing must be used to help the new staff.

Team member assignments must be based on individual competencies.

The standard is met as long as a supervisor reviews the new auditors' work.

195. Which of the following documents should specify roles and responsibilities within an IT audit organization?

Organizational chart

Audit charier

Engagement letter

Annual audit plan

196. Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

Legal and compliance requirements

Customer agreements

Data classification

Organizational policies and procedures

197. Which of the following is the BEST way to prevent social engineering incidents?

Maintain an onboarding and annual security awareness program.

Ensure user workstations are running the most recent version of antivirus software.

Include security responsibilities in job descriptions and require signed acknowledgment.

Enforce strict email security gateway controls

198. Which of the following MUST be completed as part of the annual audit planning process?

Business impact analysis (BIA)

Fieldwork

Risk assessment

Risk control matrix

199. An information systems security officer's PRIMARY responsibility for business process applications is to:

authorize secured emergency access

approve the organization's security policy

ensure access rules agree with policies

create role-based rules for each business process

200. Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

The DRP has not been formally approved by senior management.

The DRP has not been distributed to end users.

The DRP has not been updated since an IT infrastructure upgrade.

The DRP contains recovery procedures for critical servers only.

Page 21 of 21

201. The use of access control lists (ACLs) is the MOST effective method to mitigate security risk for routers because they: (Identify Correct answer and related explanation/references from CISA Certification - Information Systems Auditor official Manual or book)

are recommended by security standards.

can limit Telnet and traffic from the open Internet.

act as fitters between the world and the network.

can detect cyberattacks.

202. Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?

Requirements may become unreasonable.

The policy may conflict with existing application requirements.

Local regulations may contradict the policy.

Local management may not accept the policy.

203. Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization s newly implemented online security awareness program'?

Only new employees are required to attend the program

Metrics have not been established to assess training results

Employees do not receive immediate notification of results

The timing for program updates has not been determined

204. An IS auditor is preparing a plan for audits to be carried out over a specified period.

Which of the following activities should the IS auditor perform FIRST?

Allocate audit resources.

Prioritize risks.

Review prior audit reports.

Determine the audit universe.

205. Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

Phishing

Using a dictionary attack of encrypted passwords

Intercepting packets and viewing passwords

Flooding the site with an excessive number of packets

206. Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?

Document the security view as part of the EA

Consider stakeholder concerns when defining the EA

Perform mandatory post-implementation reviews of IT implementations

Conduct EA reviews as part of the change advisory board

207. Which of the following management decisions presents the GREATEST risk associated with data leakage?

There is no requirement for desktops to be encrypted

Staff are allowed to work remotely

Security awareness training is not provided to staff

Security policies have not been updated in the past year

208. Which of the following features of a library control software package would protect against unauthorized updating of source code?

Required approvals at each life cycle step

Date and time stamping of source and object code

Access controls for source libraries

Release-to-release comparison of source code

Facebook Twitter LinkedIn Google + Email

CISA Certification Dumps – Certified Information Systems Auditor

CISA Certification Dumps – Certified Information Systems Auditor

Author

LEAVE A COMMENT Cancel reply

Related Posts

How To Pass The ISACA Cybersecurity Audit Certificate Exam?