Free ISACA CISA Übungsprüfungen - Seite 38 von 55

Question #371

Which of the following would provide the BEST evidence that a cloud provider’s change management process is effective?

A . Minutes from regular change management meetings with the vendor
B . Written assurances from the vendor’s CEO and CIO
C . The results of a third-party review provided by the vendor
D . A copy of change management policies provided by the vendor

Lösung einblenden Lösung ausblenden

Question #372

Which of the following is MOST important during software license audits?

A . Judgmental sampling
B . Substantive testing
C . Compliance testing
D . Stop-or-go sampling

Lösung einblenden Lösung ausblenden

Question #373

An organization offers an e-commerce platform that allows consumer-to-consumer transactions. The platform now uses blockchain technology to ensure the parties are unable to deny the transactions.

Which of the following attributes BEST describes the risk element that this technology is addressing?

A . Integrity
B . Nonrepudiation
C . Confidentiality
D . Availability

Lösung einblenden Lösung ausblenden

Question #374

An IT balanced scorecard is PRIMARILY used for:

A . evaluating the IT project portfolio
B . measuring IT strategic performance
C . allocating IT budget and resources
D . monitoring risk in lT-related processes

Lösung einblenden Lösung ausblenden

Question #375

Which of the following BEST facilitates the legal process in the event of an incident?

A . Right to perform e-discovery
B . Advice from legal counsel
C . Preserving the chain of custody
D . Results of a root cause analysis

Lösung einblenden Lösung ausblenden

Question #376

Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:

A . eliminated
B . unchanged
C . increased
D . reduced

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is unchanged. This is because end users are still the ultimate customers and beneficiaries of the system, and they need to ensure that the software package meets their requirements, expectations, and satisfaction. End user testing, also known as user acceptance testing (UAT) or beta testing, is the final stage of testing performed by the user or client to determine whether the software can be accepted or not1. End user testing is important for both in-house developed and acquired software packages, as it helps to verify the functionality, usability, performance, and reliability of the system2. End user testing also helps to identify and resolve any defects, errors, or issues that may not have been detected by the developers or vendors3.

Therefore, option B is the correct answer.

Option A is not correct because end user testing is not eliminated by acquiring a software package. Even though the software package may have been tested by the vendor or supplier, it may still have bugs, compatibility issues, or configuration problems that need to be fixed before deployment4.

Option C is not correct because end user testing is not increased by acquiring a software package. The scope and extent of end user testing depend on various factors, such as the complexity, criticality, and customization of the system, and not on whether it is developed in-house or acquired.

Option D is not correct because end user testing is not reduced by acquiring a software package. The software package may still require modifications or integrations to suit the specific needs and environment of the organization, and these changes need to be tested by the end users.

References:

Chapter 4 Methods of Software Acquisition5

What is User Acceptance Testing (UAT): A Complete Guide1

What Is End-to-End Testing? (With How-To and Example)3

How to Evaluate New Software in 5 Steps4

User Acceptance Testing (UAT) in ERP Projects

User Acceptance Testing for Packaged Software

Question #377

An IS auditor is reviewing an organization’s cloud access security broker (CASB) solution.

Which of the following is MOST important for the auditor to verify?

A . Cloud services are classified.
B . Users are centrally managed.
C . Cloud processes are resilient.
D . Users are periodically recertified.

Lösung einblenden Lösung ausblenden

Question #378

Which of the following responses to risk associated with segregation of duties would incur the LOWEST initial cost?

A . Risk acceptance
B . Risk mitigation
C . Risk transference
D . Risk reduction

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

Segregation of duties is a fundamental concept in cybersecurity and information security. It refers to the practice of dividing critical tasks and responsibilities among different individuals or roles within an organization to reduce the risk of fraud, error, or unauthorized activities1. Segregation of duties is designed to prevent unilateral actions within an organization’s workflow, which can result in damaging events that would exceed the organization’s risk tolerance2.

There are different types of responses to risk associated with segregation of duties, depending on the level of risk and the cost-benefit analysis.

Some of the common responses are:

Risk acceptance: This means acknowledging a risk and deciding to tolerate it without taking any corrective actions. This response is usually chosen when the risk is low or the cost of mitigation is too high3.

Risk mitigation: This means taking steps ahead of time to lessen the effects of a risk and make it less likely to happen. Some examples of mitigation strategies are making backup plans, setting up early warning systems, and staying away from high-risk areas or activities4.

Risk transference: This means shifting the negative impact of a risk and/or the responsibility for managing the risk response to a third party. Some examples of transference strategies are outsourcing, insurance, or contracts5.

Risk reduction: This means reducing the probability and/or severity of the risk below a threshold of acceptability. Some examples of reduction strategies are implementing controls, policies, or procedures to prevent or detect risks6.

Based on these definitions, the response to risk associated with segregation of duties that would incur the lowest initial cost is A. Risk acceptance. This is because risk acceptance does not require any additional resources or actions to address the risk. However, risk acceptance also implies that the organization is willing to bear the consequences of the risk if it occurs, which could be costly in the long run.

Therefore, the correct answer to your question is A. Risk acceptance.

Question #378

Which of the following responses to risk associated with segregation of duties would incur the LOWEST initial cost?

A . Risk acceptance
B . Risk mitigation
C . Risk transference
D . Risk reduction

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

Segregation of duties is a fundamental concept in cybersecurity and information security. It refers to the practice of dividing critical tasks and responsibilities among different individuals or roles within an organization to reduce the risk of fraud, error, or unauthorized activities1. Segregation of duties is designed to prevent unilateral actions within an organization’s workflow, which can result in damaging events that would exceed the organization’s risk tolerance2.

There are different types of responses to risk associated with segregation of duties, depending on the level of risk and the cost-benefit analysis.

Some of the common responses are:

Risk acceptance: This means acknowledging a risk and deciding to tolerate it without taking any corrective actions. This response is usually chosen when the risk is low or the cost of mitigation is too high3.

Risk mitigation: This means taking steps ahead of time to lessen the effects of a risk and make it less likely to happen. Some examples of mitigation strategies are making backup plans, setting up early warning systems, and staying away from high-risk areas or activities4.

Risk transference: This means shifting the negative impact of a risk and/or the responsibility for managing the risk response to a third party. Some examples of transference strategies are outsourcing, insurance, or contracts5.

Risk reduction: This means reducing the probability and/or severity of the risk below a threshold of acceptability. Some examples of reduction strategies are implementing controls, policies, or procedures to prevent or detect risks6.

Based on these definitions, the response to risk associated with segregation of duties that would incur the lowest initial cost is A. Risk acceptance. This is because risk acceptance does not require any additional resources or actions to address the risk. However, risk acceptance also implies that the organization is willing to bear the consequences of the risk if it occurs, which could be costly in the long run.

Therefore, the correct answer to your question is A. Risk acceptance.

Question #380

When auditing the adequacy of a cooling system for a data center, which of the following is MOST important for the IS auditor to review?

A . Environmental performance metrics
B . Geographical location of the data center
C . Disaster recovery plan (DRP) testing results
D . Facilities maintenance records

Lösung einblenden Lösung ausblenden