Free ISACA CISA Übungsprüfungen - Seite 35 von 55

Question #341

Which of the following observations regarding change management should be considered the MOST serious risk by an IS auditor?

A . There is no software used to track change management.
B . The change is not approved by the business owners.
C . The change is deployed two weeks after approval.
D . The development of the change is not cost-effective.

Lösung einblenden Lösung ausblenden

Question #342

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

A . Analyze whether predetermined test objectives were met.
B . Perform testing at the backup data center.
C . Evaluate participation by key personnel.
D . Test offsite backup files.

Lösung einblenden Lösung ausblenden

Question #343

Email required for business purposes is being stored on employees‘ personal devices.

Which of the following is an IS auditor’s BEST recommendation?

A . Require employees to utilize passwords on personal devices
B . Prohibit employees from storing company email on personal devices
C . Ensure antivirus protection is installed on personal devices
D . Implement an email containerization solution on personal devices

Lösung einblenden Lösung ausblenden

Question #344

Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?

A . Information security policy
B . Industry standards
C . Incident response plan
D . Industry regulations

Lösung einblenden Lösung ausblenden

Question #345

An IS auditor wants to inspect recent events in a system to observe failed authentications and password changes.

Which of the following is the MOST appropriate method to use for this purpose?

A . Penetration testing
B . Authenticated scanning
C . Change management records
D . System log review

Lösung einblenden Lösung ausblenden

Question #346

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management’s decision.

Which of the following should be the IS auditor’s NEXT course of action?

A . Accept management’s decision and continue the follow-up.
B . Report the issue to IS audit management.
C . Report the disagreement to the board.
D . Present the issue to executive management.

Lösung einblenden Lösung ausblenden

Question #347

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization’s information security policy?

A . IT steering committee minutes
B . Business objectives
C . Alignment with the IT tactical plan
D . Compliance with industry best practice

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

The most important consideration for an IS auditor when assessing the adequacy of an organization’s information security policy is the business objectives. An information security policy is a document that defines the organization’s approach to protecting its information assets from internal and external threats. It should align with the organization’s mission, vision, values, and goals, and support its business processes and functions1. An information security policy should also be focused on the business needs and requirements of the organization, rather than on technical details or specific solutions2.

The other options are not as important as the business objectives, because they do not directly reflect the organization’s purpose and direction. IT steering committee minutes are records of the discussions and decisions made by a group of senior executives who oversee the IT strategy and governance of the organization. They may provide some insights into the information security policy, but they are not sufficient to evaluate its adequacy3. Alignment with the IT tactical plan is a measure of how well the information security policy supports the short-term actions and projects that implement the IT strategy. However, the IT tactical plan itself should be aligned with the business objectives, and not vice versa4. Compliance with industry best practice is a desirable quality of an information security policy, but it is not a guarantee of its effectiveness or suitability for the organization. Industry best practices are general guidelines or recommendations that may not apply to every organization or situation. An information security policy should be customized and tailored to the specific context and needs of the organization.

References:

The 12 Elements of an Information Security Policy | Exabeam1 11 Key Elements of an Information Security Policy | Egnyte2

What is an IT steering committee? Definition, roles & responsibilities …3

What is IT Strategy? Definition, Components & Best Practices | BMC …4

IT Security Policy: Key Components & Best Practices for Every Business

Question #348

Which of the following would present the GREATEST risk within a release management process for a new application?

A . Procedures are not updated to coincide with the production release schedule.
B . Code is deployed to production without authorization.
C . A newly added program may overwrite existing production files.
D . An identified bug was not resolved.

Lösung einblenden Lösung ausblenden

Question #349

What should an IS auditor evaluate FIRST when reviewing an organization’s response to new privacy legislation?

A . Implementation plan for restricting the collection of personal information
B . Privacy legislation in other countries that may contain similar requirements
C . Operational plan for achieving compliance with the legislation
D . Analysis of systems that contain privacy components

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The first thing that an IS auditor should evaluate when reviewing an organization’s response to new privacy legislation is the analysis of systems that contain privacy components. Privacy components are elements of a system that collect, process, store, or transmit personal information that is subject to privacy legislation. An analysis of systems that contain privacy components should identify what types of personal information are involved, where they are located, how they are used, who has access to them, and what risks or threats they face. An analysis of systems that contain privacy components is essential for determining the scope and impact of the new privacy legislation on the organization’s systems and processes.

The other options are not as important as option D. An implementation plan for restricting the collection of personal information is a possible action, but not the first thing to evaluate, when reviewing an organization’s response to new privacy legislation. An implementation plan for restricting the collection of personal information is a document that outlines how an organization will comply with the principle of data minimization, which states that personal information should be collected only for specific and legitimate purposes and only to the extent necessary for those purposes. An implementation plan for restricting the collection of personal information should be based on an analysis of systems that contain privacy components. Privacy legislation in other countries that may contain similar requirements is a possible source of reference, but not the first thing to evaluate, when reviewing an organization’s response to new privacy legislation. Privacy legislation in other countries that may contain similar requirements is a set of laws or regulations that governs the protection of personal information in other jurisdictions that may have comparable or compatible standards or expectations as the new privacy legislation. Privacy legislation in other countries that may contain similar requirements may provide guidance or best practices for complying with the new privacy legislation. However, privacy legislation in other countries that may contain similar requirements should not be used as a substitute for an analysis of systems that contain privacy components. An operational plan for achieving compliance with the legislation is a possible deliverable, but not the first thing to evaluate, when reviewing an organization’s response to new privacy legislation. An operational plan for achieving compliance with the legislation is a document that describes how an organization will implement and maintain the necessary policies, procedures, controls, and measures to comply with the new privacy legislation. An operational plan for achieving compliance with the legislation should be derived from an analysis of systems that contain privacy components.

References: Privacy law – Wikipedia, Data Protection and Privacy Legislation Worldwide | UNCTAD, Data minimization – Wikipedia

Question #350

Which of the following responsibilities of an organization’s quality assurance (QA) function should raise concern for an IS auditor?

A . Ensuring standards are adhered to within the development process
B . Ensuring the test work supports observations
C . Updating development methodology
D . Implementing solutions to correct defects

Lösung einblenden Lösung ausblenden