
[2024] Pass your CISA exam with this 100% Free CISA Braindump
NEW QUESTION # 267
An IS auditor wants to understand the collective effect of the preventive, detective, and corrective controls for a specific business process. Which of the following should the auditor focus on FIRST?
- A. Whether the existence of preventive controls causes corrective controls to become unnecessary
- B. Whether segregation of duties is in place when two controls are applied simultaneously
- C. The various points in the process where controls are exercised
- D. The formal documentation of the process and how adherence is measured
Answer: C
NEW QUESTION # 268
What increases encryption overhead and cost the most?
- A. A long asymmetric encryption key
- B. A long Data Encryption Standard (DES) key
- C. A long symmetric encryption key
- D. A long Advanced Encryption Standard (AES) key
Answer: A
Explanation:
Section: Protection of Information Assets
A long asymmetric encryption key (public key encryption) increases encryption overhead and cost the most. All other choices are single shared symmetric keys.
NEW QUESTION # 269
To ensure message integrity, confidentiality and non-repudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:
- A. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering both the encrypted message and digest using the receiver's public key.
- B. any part of the message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key using the receiver's public key.
- C. the entire message, enciphering the message digest using the sender's private key and enciphering the message using the receiver's public key.
- D. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key.
Answer: D
Explanation:
Section: Protection of Information Assets
Applying a cryptographic hashing algorithm against the entire message addresses the message integrity issue. Enciphering the message digest using the sender's private key addresses non-repudiation. Encrypting the message with a symmetric key, thereafter allowing the key to be enciphered using the receiver's public key, most efficiently addresses the confidentiality of the message as well as the receiver's non-repudiation. The other choices would address only a portion of the requirements.
NEW QUESTION # 270
The MOST important difference between hashing and encryption is that hashing:
- A. is concerned with integrity and security.
- B. is the same at the sending and receiving end.
- C. is irreversible.
- D. output is the same length as the original message.
Answer: C
Explanation:
Hashing works one way: by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption. Hashing creates an output that is smaller than the original message, and encryption creates an output of the same length as the original message. Hashing is used to verify the integrity of the message and does not address security. The same hashing algorithm is used at the sending and receiving ends to generate and verify the message hash/digest. Encryption will not necessarily use the same algorithm at the sending and receiving ends to encrypt and decrypt.
NEW QUESTION # 271
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
- A. IT steering committee minutes
- B. Business objectives
- C. Alignment with the IT tactical plan
- D. Compliance with industry best practice
Answer: B
Explanation:
The most important consideration for an IS auditor when assessing the adequacy of an organization's information security policy is its alignment with the business objectives. The information security policy is a high-level document that defines the organization's vision, goals, principles, and responsibilities for protecting its information assets. The information security policy should support and enable the achievement of the business objectives, such as increasing customer satisfaction, enhancing competitive advantage, or complying with legal requirements. The information security policy should also be consistent with other relevant policies, standards, and frameworks that guide the organization's governance, risk management, and compliance activities.
NEW QUESTION # 272
A computer system is no more secure than the human systems responsible for its operation. Malicious individuals have regularly penetrated well-designed, secure computer systems by taking advantage of the carelessness of trusted individuals, or by deliberately deceiving them. Zombie computers are HEAVILY relied upon by which of the following types of attack?
- A. Eavesdropping
- B. APT
- C. DoS
- D. DDoS
- E. Social Engineering
- F. None of the choices.
Answer: D
Explanation:
"Distributed denial of service (DDoS) attacks are common, where a large number of compromised hosts ("zombie computers") are used to flood a target system with network requests, thus attempting to render it unusable through resource exhaustion."
NEW QUESTION # 273
A poor choice of passwords and transmission over unprotected communications lines are examples of:
- A. vulnerabilities.
- B. probabilities.
- C. impacts.
- D. threats.
Answer: A
Explanation:
Section: Protection of Information Assets
Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat, while impacts represent the outcome or result of a threat exploiting a vulnerability.
NEW QUESTION # 274
Which of the following is the MOST effective control to ensure electronic records beyond their retention periods are deleted from IT systems?
- A. Build in system logic to trigger data deletion at predefined times.
- B. Review the record retention register regularly to initiate data deletion.
- C. Execute all data deletions at a predefined month during the year.
- D. Perform a sample check of current data against the retention schedule.
Answer: D
NEW QUESTION # 275
Which of the following sampling techniques is commonly used in fraud detection when the expected occurrence rate is small and the specific controls are critical?
- A. Stop-or-go sampling
- B. Monetary unit sampling
- C. Discovery sampling
- D. Random sampling
Answer: C
NEW QUESTION # 276
The use of object-oriented design and development techniques would MOST likely:
- A. enhance control effectiveness.
- B. facilitate the ability to reuse modules.
- C. improve system performance.
- D. speed up the system development life cycle.
Answer: B
Explanation:
Section: Protection of Information Assets
One of the major benefits of object-oriented design and development is the ability to reuse modules. The other options do not normally benefit from the object-oriented technique.
NEW QUESTION # 277
Establishing the level of acceptable risk is the responsibility of:
- A. senior business management.
- B. the chief information officer.
- C. the chief security officer.
- D. quality assurance management.
Answer: A
Explanation:
Senior management should establish the acceptable risk level, since they have the ultimate or final responsibility for the effective and efficient operation of the organization. Choices B, C and D should act as advisors to senior management in determining an acceptable risk level.
NEW QUESTION # 278
During a help desk review, an IS auditor determines the call abandonment rate exceeds agreed-upon service levels. What conclusion can be drawn from this finding?
- A. There are insufficient telephone lines available to the help desk.
- B. There is insufficient staff to handle the help desk call volume.
- C. Users are finding solutions from alternative sources.
- D. Help desk staff are unable to resolve a sufficient number of problems on the first call.
Answer: B
NEW QUESTION # 279
Who is responsible for implementing cost-effective controls in an automated system?
- A. Senior management
- B. Security policy administrators
- C. Business unit management
- D. Board of directors
Answer: C
Explanation:
Business unit management is responsible for implementing cost-effective controls in an automated system.
NEW QUESTION # 280
Which of the following is the FIRST step in initiating a data classification program?
- A. Risk appetite assessment
- B. Assignment of data ownership
- C. Assignment of sensitivity levels
- D. Inventory of data assets
Answer: B
Explanation:
Section: Protection of Information Assets
The data classification process starts with establishing ownership of the data. This process also helps to prepare the data dictionary.
NEW QUESTION # 281
Applying a digital signature to data traveling in a network provides:
- A. security and nonrepudiation.
- B. integrity and nonrepudiation.
- C. confidentiality and integrity.
- D. confidentiality and nonrepudiation.
Answer: B
Explanation:
The process of applying a mathematical algorithm to the data that travel in the network and placing the results of this operation with the hash data is used for controlling data integrity, since any unauthorized modification to this data would result in a different hash. The application of a digital signature would accomplish the non-repudiation of the delivery of the message. The term security is a broad concept and not a specific one. In addition to a hash and a digital signature, confidentiality is applied when an encryption process exists.
NEW QUESTION # 282
What can be used to gather evidence of network attacks?
- A. Intrusion-detection systems (IDS)
- B. Syslog reporting
- C. Antivirus programs
- D. Access control lists (ACL)
Answer: A
Explanation:
Intrusion-detection systems (IDS) are used to gather evidence of network attacks.
NEW QUESTION # 283
Which of the following would be of MOST concern during an audit of an end-user computing system containing sensitive information?
- A. Secure authorization is not available
- B. Audit logging is not available
- C. System data is not protected.
- D. The system is not included in inventory.
Answer: B
NEW QUESTION # 284
Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of which of the following?
- A. Incident response plan
- B. Business continuity plan
- C. Business impact analysis
- D. IT strategic plan
Answer: B
Explanation:
Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of a business continuity plan.
NEW QUESTION # 285
Digital signatures require the:
- A. signer to have a public key and the receiver to have a private key.
- B. signer and receiver to have a public key.
- C. signer and receiver to have a private key.
- D. signer to have a private key and the receiver to have a public key.
Answer: D
Explanation:
Section: Protection of Information Assets
Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The digital signature standard is a public key algorithm. This requires the signer to have a private key and the receiver to have a public key.
NEW QUESTION # 286
Which of the following should an IS auditor review FIRST during the audit of an organization's business continuity plan (BCP)?
- A. Frequency of business database replication
- B. System recovery time objectives (RTOs)
- C. List of critical business processes
- D. System recovery manuals and documentation
Answer: C
NEW QUESTION # 287
An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
- A. Software development tools and compilers have been removed from the production environment
- B. Access to the operating system command line is granted through an access restriction tool with preapproved rights
- C. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs
- D. Commands typed on the command line are logged
Answer: C
Explanation:
The matching of hash keys over time would allow detection of changes to files. Choice D is incorrect because having a log is not a control; reviewing the log is the control. Choice B is incorrect because the access was already granted; it does not matter how. Choice A is wrong because files can still be copied to and from the production environment.
The CISA certification is highly respected in the IT industry and is recognized by many organizations around the world, including government agencies, financial institutions, and multinational corporations. It is also a mandatory requirement for many information security positions and is often used as a benchmark for hiring and promotion decisions.