Free ISACA CISA Übungsprüfungen - Seite 11 von 55

Question #101

Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization’s security policy?

A . Reviewing the parameter settings
B . Reviewing the system log
C . Interviewing the firewall administrator
D . Reviewing the actual procedures

Lösung einblenden Lösung ausblenden

Question #102

Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?

A . Process and resource inefficiencies
B . Irregularities and illegal acts
C . Noncompliance with organizational policies
D . Misalignment with business objectives

Lösung einblenden Lösung ausblenden

Question #103

An IS auditor is reviewing the installation of a new server. The IS auditor’s PRIMARY objective is to ensure that

A . security parameters are set in accordance with the manufacturer s standards.
B . a detailed business case was formally approved prior to the purchase.
C . security parameters are set in accordance with the organization’s policies.
D . the procurement project invited lenders from at least three different suppliers.

Lösung einblenden Lösung ausblenden

Question #104

During a database management evaluation an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts.

Which of the following is the auditor’s BEST course of action?

A . Identify accounts that have had excessive failed login attempts and request they be disabled
B . Request the IT manager to change administrator security parameters and update the finding
C . Document the finding and explain the risk of having administrator accounts with inappropriate security settings

Lösung einblenden Lösung ausblenden

Question #105

An IS auditor is reviewing the security of a web-based customer relationship management (CRM) system that is directly accessed by customers via the Internet, which of the following should be a concern for the auditor?

A . The system is hosted on an external third-party service provider’s server.
B . The system is hosted in a hybrid-cloud platform managed by a service provider.
C . The system is hosted within a demilitarized zone (DMZ) of a corporate network.
D . The system is hosted within an internal segment of a corporate network.

Lösung einblenden Lösung ausblenden

Question #106

An organization’s sensitive data is stored in a cloud computing environment and is encrypted.

Which of the following findings should be of GREATEST concern to an IS auditor?

A . The encryption keys are not kept under dual control.
B . The cloud vendor does not have multi-regional presence.
C . Symmetric keys are used for encryption.
D . Data encryption keys are accessible to the service provider.

Lösung einblenden Lösung ausblenden

Question #107

A network analyst is monitoring the network after hours and detects activity that appears to be a brute-force attempt to compromise a critical server.

After reviewing the alerts to ensure their accuracy, what should be done NEXT?

A . Perform a root cause analysis.
B . Document all steps taken in a written report.
C . Isolate the affected system.
D . Invoke the incident response plan.

Lösung einblenden Lösung ausblenden

Question #108

An organization’s information security policies should be developed PRIMARILY on the basis of:

A . enterprise architecture (EA).
B . industry best practices.
C . a risk management process.
D . past information security incidents.

Lösung einblenden Lösung ausblenden

Question #109

Which of the following should an IS auditor review when evaluating information systems governance for a large organization?

A . Approval processes for new system implementations
B . Procedures for adding a new user to the invoice processing system
C . Approval processes for updating the corporate website
D . Procedures for regression testing system changes

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

Information systems governance is the set of policies, processes, structures, and practices that ensure the alignment of IT with business objectives, the delivery of value from IT investments, the management of IT risks, and the optimization of IT resources1. Information systems governance is a strategic and high-level function that covers the entire organization and its IT portfolio. Therefore, an IS auditor should review the aspects of information systems governance that are relevant to the organization’s vision, mission, goals, and strategies.

One of the aspects that an IS auditor should review when evaluating information systems governance for a large organization is the approval processes for new system implementations. This is because new system implementations are significant IT investments that require careful planning, analysis, design, development, testing, deployment, and evaluation to ensure that they meet the business requirements, deliver the expected benefits, comply with the relevant standards and regulations, and minimize the potential risks2. The approval processes for new system implementations should involve the appropriate stakeholders, such as senior management, business owners, IT managers, project managers, users, and auditors, who have the authority and responsibility to approve or reject the proposed system implementations based on predefined criteria and metrics3. The approval processes for new system implementations should also be documented, transparent, consistent, and timely to ensure accountability and traceability4. Therefore, an IS auditor should review the approval processes for new system implementations to assess whether they are aligned with the information systems governance framework and objectives.

The other possible options are:

Procedures for adding a new user to the invoice processing system: This is an operational task that involves granting access rights and permissions to a specific user for a specific system based on the principle of least privilege. This is not a strategic or high-level function that falls under information systems governance. Therefore, an IS auditor should not review this aspect when evaluating information systems governance for a large organization.

Approval processes for updating the corporate website: This is a tactical task that involves making changes or enhancements to the content or design of the corporate website based on the business needs and feedback. This is not a strategic or high-level function that falls under information systems governance. Therefore, an IS auditor should not review this aspect when evaluating information systems governance for a large organization.

Procedures for regression testing system changes: This is a technical task that involves verifying that existing system functionalities are not adversely affected by new system changes or updates. This is not a strategic or high-level function that falls under information systems governance. Therefore, an IS auditor should not review this aspect when evaluating information systems governance for a large organization.

References: 1: What is IT Governance? – Definition from Techopedia 2: System

Implementation – an overview | ScienceDirect Topics 3: Project Approval Process – Project

Management Knowledge 4: 5 Best Practices For A Successful Project Approval Process | Kissflow

Project : Principle of Least Privilege (POLP) | Imperva : How to Update Your Website Content – 7 Step

Guide | HostGator Blog : What Is Regression Testing? Definition & Best Practices | BrowserStack

Question #110

Which of the following security measures will reduce the risk of propagation when a cyberattack

occurs?

A . Perimeter firewall
B . Data loss prevention (DLP) system
C . Network segmentation
D . Web application firewall (WAF)

Lösung einblenden Lösung ausblenden