CISA | Renew CISA Prep 2020

Proper study guides for the Isaca CISA certification begin with Isaca CISA preparation products designed to deliver accurate CISA questions and help you pass the CISA test the first time. Try the free CISA demo right now.

Online Isaca CISA free dumps demo below:


Performance of a biometric measure is usually referred to in terms of (choose all that apply):

  • A. failure to reject rate
  • B. false accept rate
  • C. false reject rate
  • D. failure to enroll rate
  • E. None of the choices

Answer: BCD


Performance of a biometric measure is usually referred to in terms of the false accept rate (FAR), the false non-match or false reject rate (FRR), and the failure to enroll rate (FTE or FER). The FAR measures the percentage of invalid users who are incorrectly accepted, while the FRR measures the percentage of valid users who are wrongly rejected.


How does the SSL network protocol provide confidentiality?

  • A. Through symmetric encryption such as RSA
  • B. Through asymmetric encryption such as Data Encryption Standard, or DES
  • C. Through asymmetric encryption such as Advanced Encryption Standard, or AES
  • D. Through symmetric encryption such as Data Encryption Standard, or DES

Answer: D

The SSL protocol provides confidentiality through symmetric encryption such as Data Encryption Standard, or DES.


An organization has a number of branches across a wide geographical area. To ensure that all aspects of the disaster recovery plan are evaluated in a cost-effective manner, an IS auditor should recommend the use of a:

  • A. data recovery test
  • B. full operational test
  • C. posttest
  • D. preparedness test

Answer: D


A preparedness test should be performed by each local office/area to test the adequacy of the preparedness of local operations in the event of a disaster. This test should be performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence of the plan's adequacy. A data recovery test is a partial test and will not ensure that all aspects are evaluated. A full operational test is not the most cost-effective test in light of the geographical dispersion of the branches, and a posttest is a phase of the test execution process.


If a programmer has update access to a live system, IS auditors are more concerned with the programmer's ability to initiate or modify transactions and the ability to access production than with the programmer's ability to authorize transactions. True or false?

  • A. True
  • B. False

Answer: A

If a programmer has update access to a live system, IS auditors are more concerned with the programmer's ability to initiate or modify transactions and the ability to access production than with the programmer's ability to authorize transactions.


During an audit of the logical access control of an ERP financial system an IS auditor found some user accounts shared by multiple individuals. The user IDs were based on roles rather than individual identities. These accounts allow access to financial transactions on the ERP. What should the IS auditor do next?

  • A. Look for compensating controls
  • B. Review financial transaction logs
  • C. Review the scope of the audit
  • D. Ask the administrator to disable these accounts

Answer: A


The best logical access control practice is to create user IDs for each individual to define accountability. This is possible only by establishing a one-to-one relationship between IDs and individuals. However, if the user IDs are created based on role designations, an IS auditor should first understand the reasons and then evaluate the effectiveness and efficiency of compensating controls. Reviewing transaction logs is not relevant to an audit of logical access control, nor is reviewing the scope of the audit. Asking the administrator to disable the shared accounts should not be recommended by an IS auditor before understanding the reasons and evaluating the compensating controls. It is not an IS auditor's responsibility to ask for accounts to be disabled during an audit.


What is essential for the IS auditor to obtain a clear understanding of network management?

  • A. Security administrator access to systems
  • B. Systems logs of all hosts providing application services
  • C. A graphical map of the network topology
  • D. Administrator access to systems

Answer: C

A graphical interface to the map of the network topology is essential for the IS auditor to obtain a clear understanding of network management.


The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan (DRP)?

  • A. Contact information of key personnel
  • B. Server inventory documentation
  • C. Individual roles and responsibilities
  • D. Procedures for declaring a disaster

Answer: A


In the event of a disaster, it is important to have a current, updated list of personnel who are key to the operation of the plan. Choices B, C and D would be more likely to remain stable over time.


Which of the following is used to evaluate biometric access controls?

  • A. FAR
  • B. EER
  • C. ERR
  • D. FRR

Answer: B

When evaluating biometric access controls, a low equal error rate (EER) is preferred. EER is also called the crossover error rate (CER).


Which of the following will replace system binaries and/or hook into the function calls of the operating system to hide the presence of other programs (choose the most precise answer)?

  • A. rootkits
  • B. virus
  • C. trojan
  • D. tripwire
  • E. None of the choices

Answer: A


A backdoor may take the form of an installed program (e.g., Back Orifice) or could be in the form of an existing "legitimate" program or executable file. A specific form of backdoor is a rootkit, which replaces system binaries and/or hooks into the function calls of the operating system to hide the presence of other programs, users, services and open ports.


A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a:

  • A. reasonableness check
  • B. parity check
  • C. redundancy check
  • D. check digit

Answer: C


A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data.


IT control objectives are useful to IS auditors, as they provide the basis for understanding the:

  • A. desired result or purpose of implementing specific control procedures
  • B. best IT security control practices relevant to a specific entity
  • C. techniques for securing information
  • D. security policy

Answer: A


An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. They provide the actual objectives for implementing controls and may or may not be the best practices. Techniques are the means of achieving an objective, and a security policy is a subset of IT control objectives.


An IT steering committee should review information systems PRIMARILY to assess:

  • A. whether IT processes support business requirements
  • B. if proposed system functionality is adequate
  • C. the stability of existing software
  • D. the complexity of installed technology

Answer: A


The role of an IT steering committee is to ensure that the IS department is in harmony with the organization's mission and objectives. To ensure this, the committee must determine whether IS processes support the business requirements. Assessing proposed additional functionality and evaluating software stability and the complexity of technology are too narrow in scope to ensure that IT processes are, in fact, supporting the organization's goals.


During an audit, an IS auditor notes that an organization's business continuity plan (BCP) does not adequately address information confidentiality during a recovery process. The IS auditor should recommend that the plan be modified to include:

  • A. the level of information security required when business recovery procedures are invoked
  • B. information security roles and responsibilities in the crisis management structure
  • C. information security resource requirements
  • D. change management procedures for information security that could affect business continuity arrangements

Answer: A


The business should consider whether the information security levels required during recovery should be the same as, lower than or higher than when the business is operating normally. In particular, any special rules for access to confidential data during a crisis need to be identified. The other choices do not directly address the information confidentiality issue.


Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization?

  • A. Built-in alternative routing
  • B. Completing full system backup daily
  • C. A repair contract with a service provider
  • D. A duplicate machine alongside each server

Answer: A


Alternative routing would ensure the network would continue if a server is lost or if a link is severed, as message rerouting could be automatic. System backup will not afford immediate protection. A repair contract is not as effective as permanent alternative routing. Standby servers will not provide continuity if a link is severed.


Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation?

  • A. Assess the impact of patches prior to installation
  • B. Ask the vendors for a new software version with all fixes included
  • C. Install the security patch immediately
  • D. Decline to deal with these vendors in the future

Answer: A


The effect of installing the patch should be immediately evaluated, and installation should occur based on the results of the evaluation. Installing the patch without knowing what it might affect could easily cause problems. New software versions with all fixes included are not always available, and a full installation could be time consuming. Declining to deal with vendors does not take care of the flaw.


To address a maintenance problem, a vendor needs remote access to a critical network. The MOST secure and effective solution is to provide the vendor with a:

  • A. Secure Shell (SSH-2) tunnel for the duration of the problem
  • B. two-factor authentication mechanism for network access
  • C. dial-in access
  • D. virtual private network (VPN) account for the duration of the vendor support contract

Answer: A


For granting temporary access to the network, a Secure Shell (SSH-2) tunnel is the best approach. It has auditing features and allows restriction to specific access points. Choices B, C and D all give full access to the internal network. Two-factor authentication and a virtual private network (VPN) provide access to the entire network and are suitable for dedicated users. Dial-in access would need to be closely monitored or reinforced with another mechanism to ensure authentication in order to achieve the same level of security as SSH-2.


An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan?

  • A. Full operational test
  • B. Preparedness test
  • C. Paper test
  • D. Regression test

Answer: B


A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for disaster recovery. A paper test is a structured walk-through of the disaster recovery plan and should be conducted before a preparedness test. A full operational test is conducted after the paper and preparedness test. A regression test is not a disaster recovery planning (DRP) test and is used in software maintenance.


An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?

  • A. Allow changes to be made only with the DBA user account
  • B. Make changes to the database after granting access to a normal user account
  • C. Use the DBA user account to make changes, log the changes and review the change log the following day
  • D. Use the normal user account to make changes, log the changes and review the change log the following day

Answer: C


The use of a database administrator (DBA) user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. The use of the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained. The use of a normal user account with no restrictions would allow uncontrolled changes to any of the databases. Logging would only provide information on changes made, but would not limit changes to only those that were authorized. Hence, logging coupled with review forms an appropriate set of compensating controls.


Which of the following should an IS auditor recommend for the protection of specific sensitive information stored in the data warehouse?

  • A. Implement column- and row-level permissions
  • B. Enhance user authentication via strong passwords
  • C. Organize the data warehouse into subject matter-specific databases
  • D. Log user access to the data warehouse

Answer: A


Choice A specifically addresses the question of sensitive data by controlling what information users can access. Column-level security prevents users from seeing one or more attributes on a table. With row-level security a certain grouping of information on a table is restricted; e.g., if a table held details of employee salaries, then a restriction could be put in place to ensure that, unless specifically authorized, users could not view the salaries of executive staff. Column- and row-level security can be achieved in a relational database by allowing users to access logical representations of data rather than physical tables. This 'fine-grained' security model is likely to offer the best balance between information protection and support for a wide range of analytical and reporting uses. Enhancing user authentication via strong passwords is a security control that should apply to all users of the data warehouse and does not specifically address protection of sensitive data. Organizing a data warehouse into subject-specific databases is a potentially useful practice but, in itself, does not adequately protect sensitive data. Database-level security is normally too 'coarse' a level to efficiently and effectively protect information. For example, one database may hold information that needs to be restricted such as employee salary and customer profitability details while other information such as employee department may need to be legitimately a


The waterfall life cycle model of software development is most appropriately used when:

  • A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate
  • B. requirements are well understood and the project is subject to time pressure
  • C. the project intends to apply an object-oriented design and programming approach
  • D. the project will involve the use of new technology

Answer: A


Historically, the waterfall model has been best suited to the stable conditions described in choice A. When the degree of uncertainty of the system to be delivered and the conditions in which it will be used rises, the waterfall model has not been successful. In these circumstances, the various forms of iterative development life cycle give the advantage of breaking down the scope of the overall system to be delivered, making the requirements gathering and design activities more manageable. The ability to deliver working software earlier also acts to alleviate uncertainty and may allow an earlier realization of benefits. The choice of a design and programming approach is not itself a determining factor of the type of software development life cycle that is appropriate. The use of new technology in a project introduces a significant element of risk. An iterative form of development, particularly one of the agile methods that focuses on early development of actual working software, is likely to be the better option to manage this uncertainty.


Which of the following types of spyware was originally designed for determining the sources of error or for measuring staff productivity?

  • A. Keywords logging
  • B. Keystroke logging
  • C. Directory logging
  • D. Password logging
  • E. None of the choices

Answer: B


Keystroke logging (in the form of spyware) was originally a function of diagnostic tools deployed by software developers for capturing users' keystrokes. This was done for determining the sources of error or for measuring staff productivity.


A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?

  • A. Reviewing logs frequently
  • B. Testing and validating the rules
  • C. Training a local administrator at the new location
  • D. Sharing firewall administrative duties

Answer: B


A mistake in the rule set can render a firewall insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment. A regular review of log files would not start until the deployment has been completed. Training a local administrator may not be necessary if the firewalls are managed from a central location. Having multiple administrators is a good idea, but not the most important.


When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those:

  • A. whose sum of activity time is the shortest
  • B. that have zero slack time
  • C. that give the longest possible completion time
  • D. whose sum of slack time is the shortest

Answer: B


A critical path's activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing, i.e., for reduction in their time by payment of a premium for early completion. Activities on the critical path have zero slack time and, conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs vs. time can be obtained.


During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?

  • A. Postpone the audit until the agreement is documented
  • B. Report the existence of the undocumented agreement to senior management
  • C. Confirm the content of the agreement with both departments
  • D. Draft a service level agreement (SLA) for the two departments

Answer: C


An IS auditor should first confirm and understand the current practice before making any recommendations. The agreement can be documented after it has been established that there is an agreement in place. The fact that there is not a written agreement does not justify postponing the audit, and reporting to senior management is not necessary at this stage of the audit. Drafting a service level agreement (SLA) is not the IS auditor's responsibility.


What benefit does using capacity-monitoring software to monitor usage patterns and trends provide to management? Choose the BEST answer.

  • A. The software can dynamically readjust network traffic capabilities based upon current usage
  • B. The software produces nice reports that really impress management
  • C. It allows users to properly allocate resources and ensure continuous efficiency of operations
  • D. It allows management to properly allocate resources and ensure continuous efficiency of operations

Answer: D

Using capacity-monitoring software to monitor usage patterns and trends enables management to properly allocate resources and ensure continuous efficiency of operations.


The advantage of a bottom-up approach to the development of organizational policies is that the policies:

  • A. are developed for the organization as a whole
  • B. are more likely to be derived as a result of a risk assessment
  • C. will not conflict with overall corporate policy
  • D. ensure consistency across the organization

Answer: B


A bottom-up approach begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments. Enterprise-level policies are subsequently developed based on a synthesis of existing operational policies. Choices A, C and D are advantages of a top-down approach to developing organizational policies. That approach ensures that the policies will not be in conflict with overall corporate policy and ensures consistency across the organization.


Which of the following would BEST maintain the integrity of a firewall log?

  • A. Granting access to log information only to administrators
  • B. Capturing log events in the operating system layer
  • C. Writing dual logs onto separate storage media
  • D. Sending log information to a dedicated third-party log server

Answer: D


Establishing a dedicated third-party log server and logging events to it is the best procedure for maintaining the integrity of a firewall log. When access control to the log server is adequately maintained, the risk of unauthorized log modification will be mitigated, therefore improving the integrity of log information. To enforce segregation of duties, administrators should not have access to log files. This primarily contributes to the assurance of confidentiality rather than integrity. There are many ways to capture log information: through the application layer, network layer, operating system layer, etc.; however, there is no log integrity advantage in capturing events in the operating system layer. If it is a highly mission-critical information system, it may be worthwhile to run the system in a dual log mode. Having logs on two different storage devices will primarily contribute to the assurance of the availability of log information, rather than to maintaining its integrity.


Thanks for reading the newest CISA exam dumps! We recommend you try the PREMIUM Certleader CISA dumps in VCE and PDF here: (1177 Q&As Dumps)