
[Q171-Q193] Pass ISACA Certified Information Systems Auditor Exam in First Attempt Guaranteed Updated Dump from GuideTorrent!


NEW QUESTION # 171
During the audit of a database server, which of the following would be considered the GREATEST exposure?

  • A. The password does not expire on the administrator account
  • B. Default global security settings for the database remain unchanged
  • C. Old data have not been purged
  • D. Database activity is not fully logged

Answer: B

Explanation:
Section: Protection of Information Assets
Default security settings for the database could allow issues like blank user passwords or passwords that were the same as the username. Logging all database activity is not practical. Failure to purge old data may present a performance issue but is not an immediate security concern. Choice A is an exposure but not as serious as B.


NEW QUESTION # 172
Which of the following is the BEST evidence that a project is ready for production?

  • A. A parallel test over a full processing cycle has been successful.
  • B. Rollback procedures have been successfully tested.
  • C. A detailed conversion plan has been rehearsed in two desktop exercises.
  • D. A pilot implementation with reduced scope has been tested and approved.

Answer: A


NEW QUESTION # 173
An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for:

  • A. documentation of staff background checks.
  • B. reporting staff turnover, development or training.
  • C. reporting the year-to-year incremental cost reductions.
  • D. independent audit reports or full audit access.

Answer: D

Explanation:
When the functions of an IS department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. Although it is necessary to document the fact that background checks are performed, this is not as important as provisions for audits. Financial measures such as year-to-year incremental cost reductions are desirable to have in a service level agreement (SLA); however, cost reductions are not as important as the availability of independent audit reports or full audit access. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but this is not as important as the requirements for independent reports or full audit access by the outsourcing organization.


NEW QUESTION # 174
An IS auditor noted that an organization had adequate business continuity plans (BCPs) for each individual process, but no comprehensive BCP. Which would be the BEST course of action for the IS auditor?

  • A. Accept the BCPs as written.
  • B. Recommend that an additional comprehensive BCP be developed.
  • C. Recommend the creation of a single BCP.
  • D. Determine whether the BCPs are consistent.

Answer: D

Explanation:
Depending on the complexity of the organization, there could be more than one plan to address various aspects of business continuity and disaster recovery. These do not necessarily have to be integrated into one single plan; however, each plan should be consistent with other plans to have a viable business continuity planning strategy.


NEW QUESTION # 175
Data anonymization helps to prevent which type of attack in a big data environment?

  • A. Correlation
  • B. Denial of service (DoS)
  • C. Man-in-the-middle
  • D. Spoofing

Answer: A

Explanation:
Anonymization removes or generalizes the attributes that identify a person so that records in a large data set cannot be linked (correlated) back to individuals, including by joining them with other data sets on the attributes that remain. It offers no protection against denial of service, man-in-the-middle or spoofing, which target availability and the integrity of communications rather than the identifiability of stored data.
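As an added example that is not part of the original page, the Python below runs the correlation attack the question refers to against two constructed data sets: a "de-identified" release with names stripped, and a public list that still carries names. The quasi-identifiers (zip, date of birth, sex) are enough to join the two and put names back on every record; generalizing those fields until each combination is shared by at least two people (k-anonymity with k = 2) makes the join ambiguous. The data, field names and helper names are this example's own assumptions.

```python
"""Correlation (linkage) attack on 'anonymized' data, and k-anonymity as a defence.

Added example; both data sets below are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed: a data set released with names removed but quasi-identifiers kept.
RELEASED = [
    {"rec": 1, "zip": "02138", "dob": "1961-07-15", "sex": "F", "diagnosis": "hypertension"},
    {"rec": 2, "zip": "02139", "dob": "1961-02-01", "sex": "F", "diagnosis": "asthma"},
    {"rec": 3, "zip": "02138", "dob": "1975-03-02", "sex": "M", "diagnosis": "diabetes"},
    {"rec": 4, "zip": "02139", "dob": "1975-11-30", "sex": "M", "diagnosis": "migraine"},
]

# Constructed: a second, public data set (think voter roll) that carries names.
PUBLIC = [
    {"name": "Alice Adams", "zip": "02138", "dob": "1961-07-15", "sex": "F"},
    {"name": "Bella Brown", "zip": "02139", "dob": "1961-02-01", "sex": "F"},
    {"name": "Carl Clark", "zip": "02138", "dob": "1975-03-02", "sex": "M"},
    {"name": "Dan Davis", "zip": "02139", "dob": "1975-11-30", "sex": "M"},
]

QUASI = ("zip", "dob", "sex")  # attributes that are not names but still identify people


def key(rec, quasi=QUASI):
    """The join key an attacker uses: the tuple of quasi-identifier values."""
    return tuple(rec[q] for q in quasi)


def correlate(released, public, quasi=QUASI):
    """Join the two sets on the quasi-identifiers: record id -> names that match."""
    index = defaultdict(list)
    for p in public:
        index[key(p, quasi)].append(p["name"])
    return {r["rec"]: index.get(key(r, quasi), []) for r in released}


def reidentified(released, public, quasi=QUASI):
    """Records that the join pins to exactly one person."""
    return {rec: names[0] for rec, names in correlate(released, public, quasi).items()
            if len(names) == 1}


def generalize(rec):
    """Coarsen the quasi-identifiers: 3-digit zip prefix and birth year only."""
    g = dict(rec)
    g["zip"] = rec["zip"][:3] + "**"
    g["dob"] = rec["dob"][:4]
    return g


def k_anonymity(records, quasi=QUASI):
    """Size of the smallest equivalence class; k = 1 means some record is unique."""
    return min(Counter(key(r, quasi) for r in records).values())


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(RELEASED))
    print("re-identified:", reidentified(RELEASED, PUBLIC))
    gen_released = [generalize(r) for r in RELEASED]
    gen_public = [generalize(p) for p in PUBLIC]
    print("k after generalization:", k_anonymity(gen_released))
    print("re-identified after generalization:", reidentified(gen_released, gen_public))
```

Stripping names is pseudonymization, not anonymization; the control only works once the remaining attributes no longer single anyone out, which is what the k-anonymity check measures.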


NEW QUESTION # 176
Digital signatures require the sender to "sign" the data by encrypting the data with the sender's public key, to then be decrypted by the recipient using the recipient's private key.
True or false?

  • A. False
  • B. True

Answer: A

Explanation:
The statement is false on both counts. A digital signature is produced with the sender's private key (in practice over a hash of the data) and verified by the recipient with the sender's public key; that is what binds the signature to the sender, because only the holder of the private key could have produced it. A value "encrypted" with the sender's public key could be recovered only by the sender, which proves nothing to the recipient, and the recipient's private key plays no part in verifying a signature at all (it decrypts data that was encrypted for the recipient, which provides confidentiality, not authenticity).
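As an added example that is not from the original page, the Python below makes the key roles concrete with a textbook RSA signature: the signer raises a SHA-256 digest to the private exponent, the verifier raises the signature to the public exponent and compares. The key generation, the unpadded scheme and the function names are this example's own, and the construction is deliberately minimal (no padding, no PSS, seeded randomness) so that it should not be used for anything but illustration; a real system uses RSA-PSS or Ed25519 from a vetted library.

```python
"""Sign with the private key, verify with the public key: a textbook-RSA illustration.

Added example. 'Textbook' RSA over a SHA-256 digest with no padding, seeded so the
run is repeatable; for illustration only, not for use in a real system.
"""
import hashlib
import random


def is_probable_prime(n, rounds=32, rng=random.Random(1)):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=512, seed=2024):
    """Return (public, private) = ((n, e), (n, d)). Seeded so the example is repeatable."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest(msg: bytes) -> int:
    """What is actually signed: the hash of the data, as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(private, msg):
    """The SIGNER uses its own PRIVATE key."""
    n, d = private
    return pow(digest(msg), d, n)


def verify(public, msg, sig):
    """The VERIFIER uses the signer's PUBLIC key; no private key of its own is involved."""
    n, e = public
    return pow(sig, e, n) == digest(msg) % n


def bogus_sign_with_public_key(public, msg):
    """What the question's statement describes: 'signing' with the public key.
    Anyone can compute this, so it proves nothing, and it does not verify."""
    n, e = public
    return pow(digest(msg), e, n)


if __name__ == "__main__":
    pub, priv = keygen()
    msg = b"Transfer 100 to account 42"
    sig = sign(priv, msg)
    print("genuine signature verifies:", verify(pub, msg, sig))
    print("tampered message verifies:", verify(pub, b"Transfer 900 to account 42", sig))
    print("'signed' with public key verifies:", verify(pub, msg, bogus_sign_with_public_key(pub, msg)))
```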


NEW QUESTION # 177
Which of the following is MOST important for an IS auditor to look for in a project feasibility study?

  • A. An assessment indicating security controls will operate effectively
  • B. An assessment of whether requirements will be fully met
  • C. An assessment of whether the expected benefits can be achieved
  • D. An assessment indicating the benefits will exceed the implement

Answer: C

Explanation:
The most important thing for an IS auditor to look for in a project feasibility study is an assessment of whether the expected benefits can be achieved. A project feasibility study is a preliminary analysis that evaluates the viability and suitability of a proposed project based on various criteria, such as technical, economic, legal, operational, and social factors. The expected benefits are the positive outcomes and value that the project aims to deliver to the organization and its stakeholders. The IS auditor should verify whether the project feasibility study has clearly defined and quantified the expected benefits, and whether it has assessed the likelihood and feasibility of achieving them within the project scope, budget, schedule, and quality parameters. The other options are also important for an IS auditor to look for in a project feasibility study, but not as important as an assessment of whether the expected benefits can be achieved, because they either focus on specific aspects of the project rather than the overall value proposition, or they assume that the project will be implemented rather than evaluating its viability. References: CISA Review Manual (Digital Version)1, Chapter 4, Section 4.2.1


NEW QUESTION # 178
An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk.
An IS auditor should be concerned because:

  • A. deleting the files logically does not overwrite the files' physical data.
  • B. backup copies of files were not deleted as well.
  • C. deleting all files separately is not as efficient as formatting the hard disk.
  • D. deleted data cannot easily be retrieved.

Answer: A

Explanation:
An IS auditor should be concerned because deleting the files logically does not overwrite the files' physical data. Deleting a file from a hard disk only removes the reference or pointer to the file from the file system, but does not erase the actual data stored on the disk sectors. The deleted data can still be recovered using special tools or techniques until it is overwritten by new data. This poses a risk of data leakage, theft, or misuse if the hard disk falls into the wrong hands. To securely dispose of a system containing sensitive data, the hard disk should be wiped or sanitized using methods that overwrite or destroy the physical data beyond recovery.
References:
* CISA Review Manual (Digital Version)
* CISA Questions, Answers & Explanations Database
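To show the mechanism the explanation describes, here is an added example (not from the original page) in Python: a constructed in-memory "disk" with a directory table and fixed-size sectors, modelled on how a file system unlinks a file. An ordinary delete only removes the directory entry and frees the sectors, so carving the raw media still finds the sensitive bytes; a wipe overwrites the sectors before releasing them. The ToyDisk class, the sector size and the sample payroll content are this example's own assumptions.

```python
"""Logical deletion versus physical overwrite, on a simulated disk.

Added example; ToyDisk is a constructed model of the mechanism (a directory
mapping names to sectors, plus a raw media array), not a real file-system driver.
"""
import os
import re

SECTOR = 16  # bytes per sector in the toy model


class ToyDisk:
    def __init__(self, sectors=64):
        self.media = bytearray(SECTOR * sectors)  # raw platter/flash contents, zero-filled
        self.directory = {}                       # file name -> list of sector numbers
        self.free = list(range(sectors))          # allocation table

    def write(self, name, data):
        chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
        used = [self.free.pop(0) for _ in chunks]
        for sector, chunk in zip(used, chunks):
            start = sector * SECTOR
            self.media[start:start + len(chunk)] = chunk
        self.directory[name] = used

    def read(self, name):
        return b"".join(
            bytes(self.media[s * SECTOR:(s + 1) * SECTOR]) for s in self.directory[name]
        ).rstrip(b"\x00")

    def delete(self, name):
        """What an ordinary delete does: unlink the name and free the sectors.
        The sector contents are left exactly as they were."""
        self.free.extend(self.directory.pop(name))

    def wipe(self, name, passes=1):
        """Sanitize: overwrite every sector of the file before releasing it."""
        for sector in self.directory[name]:
            start, end = sector * SECTOR, (sector + 1) * SECTOR
            for _ in range(passes):
                self.media[start:end] = os.urandom(SECTOR)
            self.media[start:end] = bytes(SECTOR)
        self.delete(name)


def carve(disk, pattern):
    """Forensic carving: scan the raw media for a byte pattern, ignoring the directory."""
    return [m.start() for m in re.finditer(re.escape(pattern), bytes(disk.media))]


def secret_recoverable_after(method):
    """Write a sensitive file, dispose of it with `method` ('delete' or 'wipe'),
    then check that the name is gone and whether the content can still be carved."""
    disk = ToyDisk()
    secret = b"SSN=123-45-6789"
    disk.write("payroll.txt", b"employee 7: " + secret + b"\n")
    getattr(disk, method)("payroll.txt")
    return "payroll.txt" not in disk.directory and bool(carve(disk, secret))


if __name__ == "__main__":
    print("recoverable after delete:", secret_recoverable_after("delete"))
    print("recoverable after wipe:", secret_recoverable_after("wipe"))
```

One caveat the toy cannot show: on flash media with wear levelling, an overwrite through the file system may land on different physical cells, so for SSDs the sanitization method should be the drive's own secure-erase or cryptographic erase, or physical destruction, rather than file-level overwriting.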


NEW QUESTION # 179
During an audit, it is discovered that several suppliers with standing orders have been deleted from the supplier master file. Which of the following controls would have BEST prevented such an occurrence?

  • A. Existence check
  • B. Logical relationship check
  • C. Referential integrity
  • D. Table look-ups

Answer: C

Explanation:
Section: The process of Auditing Information System
Referential integrity constraints in a relational database prevent a record that is still referenced by other records (here, a supplier with standing orders) from being deleted, or force the dependent records to be dealt with first. Existence checks, logical relationship checks and table look-ups are input validation controls applied when data is entered; none of them would stop the deletion of a referenced master record.


NEW QUESTION # 180
Which of the following is MOST helpful for measuring benefits realization for a new system?

  • A. Function point analysis
  • B. Balanced scorecard review
  • C. Business impact analysis (BIA)
  • D. Post-implementation review

Answer: D


NEW QUESTION # 181
The PRIMARY purpose of a periodic threat and risk assessment report to senior management is to communicate the:

  • A. probability of future incidents.
  • B. risk acceptance criteria.
  • C. cost-benefit of security controls.
  • D. status of the security posture.

Answer: D

Explanation:
Section: Protection of Information Assets


NEW QUESTION # 182
A review of IT interface controls finds that an organization does not have a process to identify and correct records that do not get transferred to the receiving system. Which of the following is the IS auditor's BEST recommendation?

  • A. Implement software to perform automatic reconciliations of data between systems.
  • B. Enable automatic encryption, decryption and electronic signing of data files.
  • C. Have coders perform manual reconciliation of data between systems.
  • D. Automate the transfer of data between systems as much as feasible.

Answer: A

Explanation:
The best recommendation for an organization that does not have a process to identify and correct records that do not get transferred to the receiving system is to implement software to perform automatic reconciliations of data between systems. This will ensure that the data integrity and completeness are maintained and that any errors or discrepancies are detected and resolved in a timely manner. Enabling encryption, decryption, and electronic signing of data files may enhance the data security and authenticity, but not the data accuracy or consistency. Having coders perform manual reconciliation of data between systems may be prone to human errors and inefficiencies. Automating the transfer of data between systems as much as feasible may reduce the chances of data loss or corruption, but not eliminate them completely. References: IS Audit and Assurance Standards, section "Standard 1202: Risk Assessment in Planning"
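As an added example that is not from the original page, the Python below reconciles a constructed batch extracted from a sending system against what a receiving system actually loaded. It matches on a business key, compares the full record, and computes control totals, so it reports records that never arrived, arrived altered, or appeared from nowhere, and produces the list to resend. The Record fields, the invoice numbers and the function names are this example's own assumptions.

```python
"""Automatic reconciliation of an interface between a sending and a receiving system.

Added example with constructed batches. Key-level matching catches what
control totals alone can miss (offsetting errors, one record lost and one added).
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Record:
    key: str            # business key shared by both systems
    amount: Decimal
    counterparty: str


# Constructed: the batch as extracted from the sending system.
SENT = [
    Record("INV-1001", Decimal("120.00"), "acme"),
    Record("INV-1002", Decimal("75.50"), "globex"),
    Record("INV-1003", Decimal("300.00"), "initech"),
    Record("INV-1004", Decimal("10.00"), "hooli"),
]

# Constructed: what the receiving system loaded. INV-1003 was lost in transit,
# INV-1002's amount was corrupted, and INV-9999 is not in the source at all.
RECEIVED = [
    Record("INV-1001", Decimal("120.00"), "acme"),
    Record("INV-1002", Decimal("57.50"), "globex"),
    Record("INV-1004", Decimal("10.00"), "hooli"),
    Record("INV-9999", Decimal("1.00"), "unknown"),
]


def control_totals(batch):
    """Record count and amount total: cheap to compare, blind to offsetting errors."""
    return {"count": len(batch), "amount": sum((r.amount for r in batch), Decimal("0"))}


def reconcile(sent, received):
    """Key-level reconciliation plus control totals. Empty 'missing', 'altered'
    and 'unexpected' lists mean the transfer was complete and accurate."""
    by_key_sent = {r.key: r for r in sent}
    by_key_recv = {r.key: r for r in received}
    common = by_key_sent.keys() & by_key_recv.keys()
    return {
        "missing": sorted(by_key_sent.keys() - by_key_recv.keys()),
        "unexpected": sorted(by_key_recv.keys() - by_key_sent.keys()),
        "altered": sorted(k for k in common if by_key_sent[k] != by_key_recv[k]),
        "sent_totals": control_totals(sent),
        "received_totals": control_totals(received),
    }


def is_balanced(report):
    return not (report["missing"] or report["altered"] or report["unexpected"])


def correction_batch(sent, report):
    """Records the sending system must resend: those missing or altered downstream.
    Unexpected records on the receiving side need investigation, not a resend."""
    resend = set(report["missing"]) | set(report["altered"])
    return [r for r in sent if r.key in resend]


if __name__ == "__main__":
    rep = reconcile(SENT, RECEIVED)
    for k in ("missing", "altered", "unexpected", "sent_totals", "received_totals"):
        print("%-16s %s" % (k + ":", rep[k]))
    print("balanced:", is_balanced(rep))
    print("resend:", [r.key for r in correction_batch(SENT, rep)])
```

Note that the record counts match (four sent, four received) even though one record is missing and one is spurious, which is why the reconciliation has to compare keys and contents and not only totals.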


NEW QUESTION # 183
An organization is deciding whether to outsource its customer relationship management systems to a provider located in another country. Which of the following should be the PRIMARY influence in the outsourcing decision?

  • A. Cross-border privacy laws
  • B. The service provider's disaster recovery plan
  • C. Current geopolitical conditions
  • D. Time zone differences

Answer: A

Explanation:
Section: Information System Acquisition, Development and Implementation


NEW QUESTION # 184
Which of the following is the GREATEST risk associated with end-user computing used in financial statement reporting?

  • A. Loss of operational efficiency
  • B. Inability of IT to support the application
  • C. Loss of data integrity
  • D. Inability to implement segregation of duties

Answer: C

Explanation:
Spreadsheets and other end-user-developed tools used for financial statement reporting typically lack the change control, input validation, access restriction and testing applied to IT-managed applications, so erroneous or manipulated figures can flow into the financial statements undetected. The other options are real concerns, but loss of data integrity strikes directly at the reliability of the reported numbers.


NEW QUESTION # 185
Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?

  • A. An inventory of personal devices to be connected to the corporate network
  • B. Policies including BYOD acceptable use statements
  • C. Findings from prior audits
  • D. Results of a risk assessment

Answer: D

Explanation:
The results of a risk assessment identify the threats and control weaknesses specific to the BYOD program, which is what determines the audit's scope and where testing effort should be concentrated during planning. Policies and acceptable use statements, prior audit findings and the device inventory are inputs to fieldwork and to individual tests rather than the primary basis for planning the audit.


NEW QUESTION # 186
When developing a disaster recovery plan, the criteria for determining the acceptable downtime should be the:

  • A. service delivery objective.
  • B. maximum tolerable outage.
  • C. annualized loss expectancy (ALE).
  • D. quantity of orphan data.

Answer: B

Explanation:
Explanation/Reference:
Explanation:
The recovery time objective is determined based on the acceptable downtime in case of a disruption of operations, it indicates the maximum tolerable outage that an organization considers to be acceptable before a system or process must resume following a disaster. Choice A is incorrect, because the acceptable downtime would not be determined by the annualized loss expectancy (ALE). Choices B and C are relevant to business continuity, but they are not determined by acceptable downtime.


NEW QUESTION # 187
To effectively classify data, which of the following MUST be determined?

  • A. Data users
  • B. Data controls
  • C. Data volume
  • D. Data ownership

Answer: D


NEW QUESTION # 188
In the review of a feasibility study for an IS acquisition, the MOST important step is to:

  • A. ensure that the right to audit the vendor has been considered.
  • B. determine whether the cost-benefits are achievable.
  • C. determine whether security and control requirements have been specified.
  • D. ensure that a contingency plan is in place should the project fail.

Answer: A


NEW QUESTION # 189
An organization's IT department is undertaking a large virtualization project to reduce its physical server footprint. Which of the following should be the HIGHEST priority of the information security manager?

  • A. Selecting the virtualization software
  • B. Ensuring the project has appropriate security funding
  • C. Determining how incidents will be managed
  • D. Being involved at the design stage of the project

Answer: D

Explanation:
Section: Governance and Management of IT


NEW QUESTION # 190
Which of the following would an IS auditor consider to be the MOST significant risk associated with a project to reengineer a business process?

  • A. The project manager is inexperienced in information systems.
  • B. The negative of change may not be documented.
  • C. Existing baseline processes may not be reported to management.
  • D. Existing controls may be weakened or removed.

Answer: D

Explanation:
Reengineering changes how a process runs, and controls embedded in the old process (approvals, reconciliations, segregation of duties) can be dropped or weakened in the redesign without anyone noticing. That is the risk with the most direct effect on the integrity of the resulting process; the other options describe project-management weaknesses that matter less to the auditor.


NEW QUESTION # 191
An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs) Which of the following findings should be of MOST concern to the auditor?

  • A. KPIs have never been updated
  • B. KPI data is not being analyzed
  • C. KPIs are not clearly defined
  • D. Some KPIs are not documented

Answer: C

Explanation:
KPIs are not clearly defined is the most concerning finding for an IS auditor, because it implies that the third-party vendor does not have a clear understanding of what constitutes success or failure in their performance. This can lead to inaccurate or misleading reporting, poor decision making, and lack of accountability. KPIs should be SMART (specific, measurable, achievable, relevant, and time-bound) and aligned with the business objectives and expectations of the stakeholders [1][2].
References: [1] CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2; [2] CISA Online Review Course, Module 5, Lesson 3


NEW QUESTION # 192
A small startup organization does not have the resources to implement segregation of duties.
Which of the following is the MOST effective compensating control?

  • A. Rotation of log monitoring and analysis responsibilities
  • B. Additional management reviews and reconciliations
  • C. Mandatory vacations
  • D. Third-party assessments

Answer: B

Explanation:
Where there are too few staff to separate incompatible duties, the most effective compensating control is increased supervisory review: management reviews and reconciliations of transactions, exception reports and logs provide independent detection of errors or misuse by a person who handles an entire process end to end. Rotation of duties is rarely workable in a small organization, where the few people available are likely to be moved back to their original positions after a while; mandatory vacations only expose problems while the employee is absent; and periodic third-party assessments are too infrequent to compensate for day-to-day control gaps.


NEW QUESTION # 193
......
