Free ISACA CISA Übungsprüfungen - Seite 37 von 55

Question #361

Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?

A . Decreased effectiveness of root cause analysis
B . Decreased overall recovery time
C . Increased number of false negatives in security logs
D . Increased demand for storage space for logs

Question #362

What would be the PRIMARY reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center?

A . To improve traceability
B . To prevent piggybacking
C . To implement multi-factor authentication
D . To reduce maintenance costs

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

The primary reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center is to improve traceability (A). Traceability is the ability to track and monitor the activities and movements of individuals or objects within a system or environment. Traceability is important for ensuring security, accountability, and compliance in a data center, where sensitive and critical data are stored and processed.

An RFID access card system can improve traceability by using RFID technology to verify and record the identity and access of each user who enters or exits the data center. RFID stands for Radio Frequency Identification, and it enables wireless communication between a reader and an RFID tag. An RFID tag is installed in a door key card or fob, which users use to gain access to the data center. An RFID reader is installed near the door, and it contains an antenna that receives data transmitted by the RFID tag. A control panel is a computer server that reads and interprets the data passed along by the RFID reader. A database is a storage system that stores the data collected by the control panel1.

An RFID access card system can provide several benefits for traceability, such as123:

It can uniquely identify each user and their access level, and prevent unauthorized access or impersonation.

It can record the date, time, and duration of each user’s access, and generate logs and reports for auditing purposes.

It can monitor the location and status of each user within the data center, and alert security personnel in case of any anomalies or emergencies.

It can integrate with other security systems, such as cameras, alarms, or biometrics, to enhance verification and protection.

A universal PIN code system, on the other hand, can compromise traceability by using a single or shared personal identification number (PIN) to grant access to multiple users. A universal PIN code system can pose several risks for traceability, such as4:

It can be easily guessed, stolen, shared, or compromised by malicious actors or insiders.

It can not distinguish between different users or their access levels, and allow unauthorized or excessive access.

It can not record or track the activities or movements of each user within the data center, and create gaps or errors in the audit trail.

It can not integrate with other security systems, and provide limited verification and protection.

Therefore, an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center to improve traceability.

References:

RFID Access Control Guide: 4 Best RFID Access Control Systems – ButterflyMX

Choosing Card Technology in 2023 | ICT

RFID Vs Magnetic Key Cards: What’s The Difference? – Go Safer Security

RFID vs Barcode – Advantages, Disadvantages & Differences

Question #363

Which of the following should be an IS auditor’s GREATEST concern when reviewing an organization’s security controls for policy compliance?

A . The security policy has not been reviewed within the past year.
B . Security policy documents are available on a public domain website.
C . Security policies are not applicable across all business units.
D . End users are not required to acknowledge security policy training.

Lösung einblenden Lösung ausblenden

Question #364

Which of the following is a PRIMARY benefit of using risk assessments to determine areas to be included in an audit plan?

A . Timely audit execution
B . Effective allocation of audit resources
C . Reduced travel and expense costs
D . Effective risk mitigation

Lösung einblenden Lösung ausblenden

Question #365

An IS auditor finds that a recently deployed application has a number of developers with inappropriate update access left over from the testing environment.

Which of the following would have BEST prevented the update access from being migrated?

A . Establishing a role-based matrix for provisioning users
B . Re-assigning user access rights in the quality assurance (QA) environment
C . Holding the application owner accountable for application security
D . Including a step within the system development life cycle (SDLC) to clean up access prior to go-live

Lösung einblenden Lösung ausblenden

Question #366

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

A . Have an independent party review the source calculations
B . Execute copies of EUC programs out of a secure library
C . implement complex password controls
D . Verify EUC results through manual calculations

Lösung einblenden Lösung ausblenden

Question #367

An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release.

Which of the following should the IS auditor review FIRST?

A . Capacity management plan
B . Training plans
C . Database conversion results
D . Stress testing results

Lösung einblenden Lösung ausblenden

Question #368

Which of the following findings should be of GREATEST concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization?

A . Insufficient processes to track ownership of each EUC application?
B . Insufficient processes to lest for version control
C . Lack of awareness training for EUC users
D . Lack of defined criteria for EUC applications

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The finding that should be of greatest concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization is the lack of defined criteria for EUC applications. EUC applications are applications that are developed and maintained by end-users, rather than by IT professionals, to support their business functions and processes. Examples of EUC applications include spreadsheets, databases, reports, and scripts. The lack of defined criteria for EUC applications means that the organization does not have clear and consistent standards or guidelines to identify, classify, and manage EUC applications.

This can lead to various risks, such as:

Inaccurate or unreliable data and results from EUC applications that are not validated, verified, or tested

Unauthorized or inappropriate access or use of EUC applications that are not secured, controlled, or monitored

Inconsistent or incompatible data and results from EUC applications that are not integrated, documented, or updated

Loss or corruption of data and results from EUC applications that are not backed up, recovered, or archived

Therefore, the IS auditor should be most concerned about the lack of defined criteria for EUC applications, as it can affect the quality, integrity, and availability of the EUC applications and the data they produce.

Insufficient processes to track ownership of each EUC application is a finding that should be of concern to an IS auditor assessing the risk associated with EUC in an organization, but it is not the greatest concern. The ownership of an EUC application refers to the person or group who is responsible for creating, maintaining, and using the EUC application. Insufficient processes to track ownership of each EUC application means that the organization does not have adequate mechanisms or records to identify and communicate who owns each EUC application.

This can lead to risks, such as:

Lack of accountability or ownership for the quality and accuracy of the EUC application and its data Lack of support or maintenance for the EUC application when the owner leaves or changes roles Lack of awareness or training for the users of the EUC application on its purpose and functionality However, these risks are less severe than those caused by the lack of defined criteria for EUC applications.

Insufficient processes to test for version control is a finding that should be of concern to an IS auditor

assessing the risk associated with EUC in an organization, but it is not the greatest concern. Version control is a process that tracks and manages the changes made to an EUC application over time. Insufficient processes to test for version control means that the organization does not have adequate procedures or tools to ensure that the changes made to an EUC application are authorized, documented, and tested.

This can lead to risks, such as:

Errors or inconsistencies in the data and results from different versions of the EUC application

Conflicts or confusion among the users of the EUC application on which version is current or correct

Loss or overwrite of data and results from previous versions of the EUC application

However, these risks are less severe than those caused by the lack of defined criteria for EUC applications.

Lack of awareness training for EUC users is a finding that should be of concern to an IS auditor assessing the risk associated with EUC in an organization, but it is not the greatest concern. Awareness training for EUC users is a process that educates and informs the users of the EUC applications on their roles, responsibilities, and risks. Lack of awareness training for EUC users means that the organization does not have adequate programs or materials to raise the knowledge and skills of the users on how to use and manage the EUC applications effectively and securely.

This can lead to risks, such as:

Misuse or abuse of the EUC applications by users who are not aware of their impact or implications

Non-compliance or violation of policies or regulations by users who are not aware of their requirements or expectations

Dissatisfaction or frustration among users who are not aware of their benefits or limitations

However, these risks are less severe than those caused by the lack of defined criteria for EUC applications.

References:

End-user computing – Wikipedia 1

How to Manage the Risks Associated with End User Computing 2

Managing end user computing risks – KPMG UK 3

Question #369

When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.

A . each information asset is to a assigned to a different classification.
B . the security criteria are clearly documented for each classification
C . Senior IT managers are identified as information owner.
D . the information owner is required to approve access to the asset

Lösung einblenden Lösung ausblenden

Question #370

Which of the following is the MOST important consideration when establishing operational log management?

A . Types of data
B . Log processing efficiency
C . IT organizational structure
D . Log retention period

Lösung einblenden Lösung ausblenden