
CISA Correct Questions & Answers (RATED A+)

Rating: -
Sold: -
Pages: 65
Grade: A+
Uploaded on: 18-11-2024
Written in: 2024/2025


School, study and subject

Institution: CISA
Course: CISA

Document information

Uploaded on: November 18, 2024
Number of pages: 65
Written in: 2024/2025
Type: Exam
Contains: Questions and answers

Content preview

CISA Correct Questions & Answers (RATED A+)

Which of the following controls will MOST effectively detect the presence of bursts of
errors in network transmissions?
a. Parity check
b. Echo check
c. Block sum check
d. Cyclic redundancy check
ANSWER: d. Cyclic redundancy check

An employee loses a mobile device resulting in loss of sensitive corporate data.
Which of the following would have BEST prevented data leakage?
A. Data encryption on the mobile device
B. The triggering of remote data wipe capabilities
C. Awareness training for mobile device users
D. Complex password policy for mobile devices
ANSWER: A. Data encryption on the mobile device

During the evaluation of controls over a major application development project, the
MOST effective use of an IS auditor's time would be to review and evaluate:
A. cost-benefit analysis.
B. acceptance testing.
C. application test cases.
D. project plans.
ANSWER: C. application test cases.


Which of the following issues associated with a data center's closed circuit television
(CCTV) surveillance cameras should be of MOST concern to an IS auditor?
A. CCTV recordings are not regularly reviewed.
B. CCTV records are deleted after one year.
C. CCTV footage is not recorded 24 x 7.
D. CCTV cameras are not installed in break rooms.
ANSWER: A. CCTV recordings are not regularly reviewed.

Which of the following is the BEST way to ensure that an application is performing
according to its specifications?
A. Pilot testing
B. System testing
C. Integration testing
D. Unit testing
ANSWER: C. Integration testing


An IS auditor has been asked to audit the proposed acquisition of new computer
hardware. The auditor's PRIMARY concern is that:
A. a clear business case has been established.
B. the new hardware meets established security standards.
C. a full, visible audit trail will be included.
D. the implementation plan meets user requirements.
ANSWER: A. a clear business case has been established.

An organization is implementing a new system that supports a month-end business
process. Which of the following implementation strategies would be MOST efficient
to decrease business downtime?
A. Cutover
B. Phased
C. Pilot
D. Parallel
ANSWER: C. Pilot


Upon completion of audit work, an IS auditor should:
A. provide a report to the auditee stating the initial findings.
B. provide a report to senior management prior to discussion with the auditee.
C. distribute a summary of general findings to the members of the auditing team.
D. review the working papers with the auditee.
ANSWER: A. provide a report to the auditee stating the initial findings.

During an IT general controls audit of a high-risk area where both internal and
external audit teams are reviewing the same areas simultaneously, which of the
following is the BEST approach to optimize resources?
A. Leverage the work performed by external audit for the internal audit testing.
B. Ensure both the internal and external auditors perform the work simultaneously.
C. Roll forward the general controls audit to the subsequent audit year.
D. Request that the external audit team leverage the internal audit work.
ANSWER: A. Leverage the work performed by external audit for the internal audit testing.

The GREATEST benefit of using a prototyping approach in software development is
that it helps to:
A. improve efficiency of quality assurance (QA) testing.
B. conceptualize and clarify requirements.
C. decrease the time allocated for user testing and review.
D. minimize scope changes to the system.
ANSWER: D. minimize scope changes to the system.

Which of the following would MOST effectively ensure the integrity of data
transmitted over a network?
A. Message encryption
B. Steganography
C. Certificate authority (CA)
D. Message digest
ANSWER: D. Message digest

An IS auditor is evaluating controls for monitoring the regulatory compliance of a
third party that provides IT services to the organization. Which of the following should
be the auditor's GREATEST concern?
A. A gap analysis against regulatory requirements has not been conducted.
B. The third-party disclosed a policy-related issue of noncompliance.
C. The organization has not reviewed the third party's policies and procedures.
D. The organization has not communicated regulatory requirements to the third party.
ANSWER: D. The organization has not communicated regulatory requirements to the third party.


Management receives information indicating a high level of risk associated with
potential flooding near the organization's data center within the next few years. As a
result, a decision has been made to move data center operations to another facility
on higher ground. Which approach has been adopted?
A. Risk reduction
B. Risk acceptance
C. Risk transfer
D. Risk avoidance
ANSWER: D. Risk avoidance

Which of the following MOST effectively minimizes downtime during system
conversions?
A. Phased approach
B. Parallel run
C. Direct cutover
D. Pilot study
ANSWER: B. Parallel run


An IS auditor is reviewing processes for importing market price data from external
data providers. Which of the following findings should the auditor consider MOST
critical?
A. The quality of the data is not monitored.
B. The transfer protocol does not require authentication.
C. Imported data is not disposed frequently.
D. The transfer protocol is not encrypted.
ANSWER: A. The quality of the data is not monitored.

In a controlled application development environment, the MOST important
segregation of duties should be between the person who implements changes into
the production environment and the:
A. application programmer.
B. quality assurance (QA) personnel.
C. computer operator.
D. systems programmer.
ANSWER: A. application programmer.

A small startup organization does not have the resources to implement segregation
of duties. Which of the following is the MOST effective compensating control?
A. Rotation of log monitoring and analysis responsibilities
B. Additional management reviews and reconciliations
C. Mandatory vacations
D. Third-party assessments
ANSWER: B. Additional management reviews and reconciliations

Which of the following is the BEST indicator of the effectiveness of an organization's
incident response program?
A. Number of successful penetration tests
B. Percentage of protected business applications
C. Number of security vulnerability patches
D. Financial impact per security event
ANSWER: B. Percentage of protected business applications

An organization recently implemented a cloud document storage solution and
removed the ability for end users to save data to their local workstation hard drives.
Which of the following findings should be the IS auditor's GREATEST concern?
A. Mobile devices are not encrypted.
B. Users are not required to sign updated acceptable use agreements.
C. The business continuity plan (BCP) was not updated.
D. Users have not been trained on the new system.
ANSWER: C. The business continuity plan (BCP) was not updated.

Which of the following security measures will reduce the risk of propagation when a
cyberattack occurs?
A. Data loss prevention (DLP) system
B. Perimeter firewall
C. Network segmentation
D. Web application firewall
ANSWER: C. Network segmentation

When implementing Internet Protocol security (IPsec) architecture, the servers
involved in application delivery:
A. channel access only through the public-facing firewall.
B. channel access through authentication.
C. communicate via Transport Layer Security (TLS).
D. block authorized users from unauthorized activities.
ANSWER: C. communicate via Transport Layer Security (TLS).

During audit fieldwork, an IS auditor learns that employees are allowed to connect
their personal devices to company-owned computers. How can the auditor BEST
validate that appropriate security controls are in place to prevent data loss?
A. Verify the data loss prevention (DLP) tool is properly configured by the
organization.
B. Review compliance with data loss and applicable mobile device user acceptance
policies.
C. Verify employees have received appropriate mobile device security awareness
training.
D. Conduct a walk-through to view results of an employee plugging in a device to
transfer confidential data.
ANSWER: B. Review compliance with data loss and applicable mobile device user acceptance policies.

Management has requested a post-implementation review of a newly implemented
purchasing package to determine to what extent business requirements are being
met. Which of the following is MOST likely to be assessed?
A. Implementation methodology
B. Test results
C. Purchasing guidelines and policies
D. Results of live processing
ANSWER: D. Results of live processing
Seller: papersbyjol, West Virginia