Terms in this set (150)
Q01) The success of control self-assessment depends highly on:

A) assigning staff managers the responsibility for building controls.
B) the implementation of a stringent control policy and rule-driven controls.
C) line managers assuming a portion of the responsibility for control monitoring.
D) the implementation of supervision and monitoring of controls of assigned duties.

C) CORRECT. Line managers assuming a portion of the responsibility for control monitoring is correct. The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly.

A) INCORRECT. Assigning staff managers the responsibility for building controls is incorrect. CSA requires managers to participate in the monitoring of controls.

B) INCORRECT. The implementation of a stringent control policy and rule-driven controls is incorrect. The implementation of stringent controls will not ensure controls are working correctly.

D) INCORRECT. The implementation of supervision and monitoring of controls of assigned duties is incorrect. Better supervision is a compensating and detective control and may assist in ensuring control effectiveness, but it works best when used in a formal process such as CSA.
Q02) An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise's security requirements?

A) The vendor agrees to implement controls in alignment with the enterprise.
B) The vendor agrees to provide annual external audit reports in the contract.
C) The vendor provides the latest internal audit report for verification.
D) The vendor provides the latest third-party audit report for verification.

B) CORRECT. The vendor agrees to provide annual external audit reports in the contract is correct. The only way to ensure that any potential risk is mitigated today and in the future is to include a clause within the contract that the vendor will provide future external audit reports. Without the audit clause, the vendor can choose to forgo future audits.

D) INCORRECT. The vendor provides the latest third-party audit report for verification is incorrect. Although the vendor is providing the most recent third-party audit report for review, there is no contractual agreement that would require the vendor to continue to provide annual reports for verification and review.

C) INCORRECT. The vendor provides the latest internal audit report for verification is incorrect. Although the vendor is providing the most recent internal audit report for review, there is no contractual agreement that would require the vendor to continue to provide annual reports for verification and review.

A) INCORRECT. The vendor agrees to implement controls in alignment with the enterprise is incorrect. Without a clause in the contract, an agreement to implement controls does not provide assurance that controls will continue to be implemented in alignment with the enterprise.
Q03) What is the purpose of the data flow diagrams used by IS auditors?

A) identify key controls.
B) highlight high-level data definitions.
C) portray step-by-step details of data generation.
D) graphically summarize data paths and storage.

D) CORRECT. Graphically summarize data paths and storage is correct. Data flow diagrams are used as aids to graph or chart data flow and storage. They trace data from their origination to destination, highlighting the paths and storage of data.

A) INCORRECT. Identify key controls is incorrect. This is not the focus of data flow diagrams. The focus is, as the name states, the flow of data.

B) INCORRECT. Highlight high-level data definitions is incorrect. A data dictionary may be used to document data definitions, but the data flow diagram is used to document how data move through a process.

C) INCORRECT. Portray step-by-step details of data generation is incorrect. The purpose of a data flow diagram is to track the movement of data through a process; it is not primarily to document or indicate how data are generated.
Q04) The MOST serious challenge in the operation of an intrusion detection system is:

A) learning vendor-specific protocols.
B) blocking eligible connections.
C) filtering false-positive alerts.
D) updating detection signatures.

C) CORRECT. Filtering false-positive alerts is correct. Because of the configuration and the way intrusion detection system (IDS) technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents: false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls (such as IDS tuning) and incident handling procedures (such as the screening process) to know whether an event is a security incident or a false positive.

A) INCORRECT. Learning vendor-specific protocols is incorrect. It might be necessary to learn vendor-specific protocols or commands for interacting with an IDS; however, most vendors provide relevant documentation and training, which can be quickly mastered by qualified IT personnel.

D) INCORRECT. Updating detection signatures is incorrect. It is necessary to regularly update detection signatures; however, the majority of modern IDSs have built-in modules providing automated and secure updates.

B) INCORRECT. Blocking eligible connections is incorrect. Blocking suspicious connections is a characteristic of intrusion prevention systems, which are a different type of network security system.
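The "IDS tuning" and "screening process" controls that the Q04 explanation tells the auditor to look for are easier to evaluate with a concrete picture of what they do. The following Python script is an added example, not part of the original question set or of any vendor's product. It applies two common tuning mechanisms to a constructed batch of alerts shaped like Suricata EVE JSON records: a suppression rule that drops a scan signature when the source is an authorized internal scanner subnet, and a threshold rule that escalates a noisy signature only when it repeats from one source within a time window. The signature IDs, addresses and rule values are invented for the example.

```python
"""Triage of IDS alerts with suppression and threshold rules (added example)."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in the shape of Suricata EVE JSON "alert" records.
# Signature IDs, names and addresses are invented for this example.
RAW_ALERTS = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2024-05-01T10:00:01", "src_ip": "10.0.5.7", "dest_ip": "10.0.1.20",
     "alert": {"signature_id": 900001, "signature": "SCAN TCP SYN sweep", "severity": 3}},
    {"timestamp": "2024-05-01T10:00:02", "src_ip": "10.0.5.7", "dest_ip": "10.0.1.21",
     "alert": {"signature_id": 900001, "signature": "SCAN TCP SYN sweep", "severity": 3}},
    {"timestamp": "2024-05-01T10:03:10", "src_ip": "203.0.113.9", "dest_ip": "10.0.1.20",
     "alert": {"signature_id": 900001, "signature": "SCAN TCP SYN sweep", "severity": 3}},
    {"timestamp": "2024-05-01T10:05:00", "src_ip": "198.51.100.4", "dest_ip": "10.0.1.30",
     "alert": {"signature_id": 900002, "signature": "SSH failed login", "severity": 2}},
    {"timestamp": "2024-05-01T10:05:05", "src_ip": "198.51.100.4", "dest_ip": "10.0.1.30",
     "alert": {"signature_id": 900002, "signature": "SSH failed login", "severity": 2}},
    {"timestamp": "2024-05-01T10:05:09", "src_ip": "198.51.100.4", "dest_ip": "10.0.1.30",
     "alert": {"signature_id": 900002, "signature": "SSH failed login", "severity": 2}},
    {"timestamp": "2024-05-01T10:20:00", "src_ip": "10.0.7.3", "dest_ip": "10.0.1.30",
     "alert": {"signature_id": 900002, "signature": "SSH failed login", "severity": 2}},
    {"timestamp": "2024-05-01T10:30:00", "src_ip": "203.0.113.50", "dest_ip": "10.0.1.40",
     "alert": {"signature_id": 900003, "signature": "EXPLOIT web shell upload", "severity": 1}},
])

# Hypothetical tuning configuration. A suppression drops a signature when the
# source is in an authorized subnet (here: the internal vulnerability scanner).
# A threshold escalates a noisy signature only once it repeats from one source
# `count` times within `seconds`; a single failed login is left for review.
SUPPRESSIONS = [
    {"signature_id": 900001, "src_net": ipaddress.ip_network("10.0.5.0/24")},
]
THRESHOLDS = {
    900002: {"count": 3, "seconds": 60},
}


def is_suppressed(alert, suppressions):
    """True if a suppression rule matches the alert's signature and source."""
    src = ipaddress.ip_address(alert["src_ip"])
    sid = alert["alert"]["signature_id"]
    return any(r["signature_id"] == sid and src in r["src_net"] for r in suppressions)


def meets_threshold(times, count, seconds):
    """True if at least `count` timestamps fall inside some `seconds`-long window."""
    times = sorted(times)
    for i in range(len(times) - count + 1):
        if (times[i + count - 1] - times[i]).total_seconds() <= seconds:
            return True
    return False


def triage(raw_eve_lines, suppressions, thresholds):
    """Split newline-delimited EVE JSON into (escalated, suppressed) alert lists."""
    alerts = [json.loads(line) for line in raw_eve_lines.splitlines() if line.strip()]
    escalated, suppressed = [], []
    grouped = defaultdict(list)  # (signature_id, src_ip) -> alerts under a threshold rule
    for a in alerts:
        sid = a["alert"]["signature_id"]
        if is_suppressed(a, suppressions):
            suppressed.append(a)
        elif sid in thresholds:
            grouped[(sid, a["src_ip"])].append(a)
        else:
            escalated.append(a)
    for (sid, _src), group in grouped.items():
        rule = thresholds[sid]
        times = [datetime.fromisoformat(a["timestamp"]) for a in group]
        if meets_threshold(times, rule["count"], rule["seconds"]):
            escalated.extend(group)
        else:
            suppressed.extend(group)
    return escalated, suppressed


def summarize(escalated):
    """Count escalated alerts per signature so the analyst sees what survived tuning."""
    counts = defaultdict(int)
    for a in escalated:
        counts[a["alert"]["signature"]] += 1
    return dict(counts)


if __name__ == "__main__":
    esc, sup = triage(RAW_ALERTS, SUPPRESSIONS, THRESHOLDS)
    print(f"{len(esc)} escalated, {len(sup)} suppressed")
    for a in esc:
        print(a["timestamp"], a["src_ip"], a["alert"]["signature"])
```

On the constructed batch, the two scanner alerts and the lone failed login are suppressed while the external scan, the three-in-nine-seconds login burst and the exploit alert are escalated. The audit point is that every suppression and threshold is itself a control that needs an owner and a review date: a suppression that outlives the scanner it was written for silently hides real scans from that subnet.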