CISA - All-in-One Exam Guide 4th Edition:
Questions With Indepth Solutions
Save
Terms in this set (75)
IT governance is most concerned with C. IT governance is the mechanism through which IT
A. Security policy strategy is established, controlled, and monitored
B. IT policy through the balanced scorecard. Long-term and
C. IT strategy other strategic decisions are made in the context of
D. IT executive compensation IT governance.
One of the advantages of outsourcing A. Outsourcing is an opportunity for the organization
is to focus on its core competencies. When an
A. It permits the organization to focus organization outsources a business function, it no
on core competencies. longer needs to be concerned about training
B. It results in reduced costs. employees in that function. Outsourcing does not
C. It provides greater control over always reduce costs, because cost reduction is not
work performed by the outsourcing always the primary purpose for outsourcing in the
agency. first place.
D. It eliminates segregation of duties
issues.
An external IS auditor has discovered D. The external auditor can only document the
a segregation of duties issue in a high- finding in the audit report. An external auditor is not
value process. What is the best action in a position to implement controls.
for the auditor to take?
A. Implement a preventive control.
B. Implement a detective control.
C. Implement a compensating control.
D. Document the matter in the audit
report.
,An organization has chosen to open a D. An organization that opens a business office in
business office in another country another country and staffs the office with its own
where labor costs are lower and has employees is insourcing, not outsourcing.
hired workers to perform business Outsourcing is the practice of using contract labor,
functions there. This organization has which is clearly not the case in this example. In this
A. Outsourced the function case, the insourcing is taking place at a remote
B. Outsourced the function offshore location.
C. Insourced the function on-site
D. Insourced the function at a remote
location
What is the purpose of a criticality C. A criticality analysis is used to determine which
analysis? business processes are the most critical by ranking
A. Determine feasible recovery them in order of criticality.
targets.
B. Determine which staff members are
the most critical.
C. Determine which business
processes are the most critical.
D. Determine maximum tolerable
downtime.
An organization needs to better B. An organization that needs to understand whether
understand whether one of its key a key process is effective should consider
business processes is effective. What benchmarking the process. This will help the
action should the organization organization better understand whether its approach
consider? is similar to that of other organizations.
A. Audit the process.
B. Benchmark the process.
C. Outsource the process.
D. Offshore the process.
, Annualized loss expectancy (ALE) is A. Annualized loss expectancy (ALE) is the annual
defined as expected loss to an asset. It is calculated by
A. Single loss expectancy (SLE) × multiplying the single loss expectancy (SLE—the
annualized rate of occurrence (ARO) financial loss experienced when the loss is realized
B. Exposure factor (EF) × the one time) by the annualized rate of occurrence (ARO
annualized rate of occurrence (ARO) —the number of times that the organization expects
C. Single loss expectancy (SLE) × the the loss to occur).
exposure factor (EF)
D. Asset value (AV) × the single loss
expectancy (SLE)
A quantitative risk analysis is more B. The most difficult part of a quantitative risk analysis
difficult to perform because is determining the probability that a threat will
A. It is difficult to get accurate figures actually be realized. It is relatively easy to determine
on the impact of a realized threat. the value of an asset and the impact of a threat event.
B. It is difficult to get accurate figures
on the probability of specific threats.
C. It is difficult to get accurate figures
on the value of assets.
D. It is difficult to calculate the
annualized loss expectancy of a
specific threat.
A collection of servers that is A. A server cluster is a collection of two or more
designed to operate as a single servers that is designed to appear as a single server
logical server is known as what?
A. Cluster
B. Grid
C. Cloud
D. Replicant
Questions With Indepth Solutions
Save
Terms in this set (75)
IT governance is most concerned with C. IT governance is the mechanism through which IT
A. Security policy strategy is established, controlled, and monitored
B. IT policy through the balanced scorecard. Long-term and
C. IT strategy other strategic decisions are made in the context of
D. IT executive compensation IT governance.
One of the advantages of outsourcing A. Outsourcing is an opportunity for the organization
is to focus on its core competencies. When an
A. It permits the organization to focus organization outsources a business function, it no
on core competencies. longer needs to be concerned about training
B. It results in reduced costs. employees in that function. Outsourcing does not
C. It provides greater control over always reduce costs, because cost reduction is not
work performed by the outsourcing always the primary purpose for outsourcing in the
agency. first place.
D. It eliminates segregation of duties
issues.
An external IS auditor has discovered D. The external auditor can only document the
a segregation of duties issue in a high- finding in the audit report. An external auditor is not
value process. What is the best action in a position to implement controls.
for the auditor to take?
A. Implement a preventive control.
B. Implement a detective control.
C. Implement a compensating control.
D. Document the matter in the audit
report.
,An organization has chosen to open a D. An organization that opens a business office in
business office in another country another country and staffs the office with its own
where labor costs are lower and has employees is insourcing, not outsourcing.
hired workers to perform business Outsourcing is the practice of using contract labor,
functions there. This organization has which is clearly not the case in this example. In this
A. Outsourced the function case, the insourcing is taking place at a remote
B. Outsourced the function offshore location.
C. Insourced the function on-site
D. Insourced the function at a remote
location
What is the purpose of a criticality C. A criticality analysis is used to determine which
analysis? business processes are the most critical by ranking
A. Determine feasible recovery them in order of criticality.
targets.
B. Determine which staff members are
the most critical.
C. Determine which business
processes are the most critical.
D. Determine maximum tolerable
downtime.
An organization needs to better B. An organization that needs to understand whether
understand whether one of its key a key process is effective should consider
business processes is effective. What benchmarking the process. This will help the
action should the organization organization better understand whether its approach
consider? is similar to that of other organizations.
A. Audit the process.
B. Benchmark the process.
C. Outsource the process.
D. Offshore the process.
, Annualized loss expectancy (ALE) is A. Annualized loss expectancy (ALE) is the annual
defined as expected loss to an asset. It is calculated by
A. Single loss expectancy (SLE) × multiplying the single loss expectancy (SLE—the
annualized rate of occurrence (ARO) financial loss experienced when the loss is realized
B. Exposure factor (EF) × the one time) by the annualized rate of occurrence (ARO
annualized rate of occurrence (ARO) —the number of times that the organization expects
C. Single loss expectancy (SLE) × the the loss to occur).
exposure factor (EF)
D. Asset value (AV) × the single loss
expectancy (SLE)
A quantitative risk analysis is more B. The most difficult part of a quantitative risk analysis
difficult to perform because is determining the probability that a threat will
A. It is difficult to get accurate figures actually be realized. It is relatively easy to determine
on the impact of a realized threat. the value of an asset and the impact of a threat event.
B. It is difficult to get accurate figures
on the probability of specific threats.
C. It is difficult to get accurate figures
on the value of assets.
D. It is difficult to calculate the
annualized loss expectancy of a
specific threat.
A collection of servers that is A. A server cluster is a collection of two or more
designed to operate as a single servers that is designed to appear as a single server
logical server is known as what?
A. Cluster
B. Grid
C. Cloud
D. Replicant
