CISA : Certified Information Systems Auditor : Part 157

  1. Which of the following is the BEST control to protect an organization’s sensitive data when using a publicly available cloud storage service?

    • Cryptographic hash function performed by the cloud vendor
    • Transparent volume encryption offered by the cloud vendor
    • Data encryption performed by the organization prior to uploading 
    • Transport layer security (TLS) between the cloud vendor and the organization
  2. An IS audit concludes that entry to the computer room is appropriately controlled. The audit result provides assurance that:

    • the theft of hardware is prevented.
    • the confidentiality of data is protected.
    • data leakage is prevented.
    • unauthorized access is prevented. 
  3. Which of the following BEST helps to ensure data integrity across system interfaces?

    • Environment segregation
    • System backups
    • Reconciliations
    • Access controls
  4. When implementing a software product (middleware) to pass data between local area network (LAN) servers and the mainframe, the MOST critical control consideration is:

    • cross-platform security authentication.
    • time synchronization of databases.
    • network traffic levels between platforms.
    • time-stamping of transactions to facilitate recovery.
  5. Which of the following test approaches would utilize data analytics to test a dual approval payment control?

    • Review payments completed in the past month that do not have a unique approver.
    • Attempt to complete a payment without a secondary approval.
    • Review users within the payment application who are assigned an approver role.
    • Evaluate configuration settings for the secondary approval requirements.
  6. To mitigate the risk of exposing data through application programming interface (API) queries, which of the following design considerations is MOST important?

    • Data minimalization
    • Data quality
    • Data retention
    • Data integrity
  7. Which of the following is the BEST way to transmit documents classified as confidential over the Internet?

    • Hashing the document contents and destroying the hash value
    • Sending documents as multiple packets over different network routes
    • Converting documents to proprietary format before transmission
    • Using a virtual private network (VPN)
  8. An organization is designing an application programming interface (API) for business-to-business data sharing with a vendor. Which of the following is the BEST way to reduce the potential risk of data leakage?

    • Implement a policy to require data transfer over hypertext transfer protocol (HTTP)
    • Implement the API on a secure server and encrypt traffic between both organizations 
    • Restrict the allowable number of API calls within a specified period
    • Conduct an independent review of the application architecture and service level agreements (SLAs)
  9. Which of the following threats is MOST effectively controlled by a firewall?

    • Network congestion
    • Denial of service (DoS) attack 
    • Network sniffing
    • Password cracking
  10. Which of the following is the BEST way to mitigate the impact of ransomware attacks?

    • Backing up data frequently 
    • Invoking the disaster recovery plan (DRP)
    • Requiring password changes for administrative accounts
    • Paying the ransom
  11. During a post-incident review of a security breach, what type of analysis should an IS auditor expect to be performed by the organization’s information security team?

    • Gap analysis
    • Business impact analysis (BIA) 
    • Qualitative risk analysis
    • Root cause analysis
  12. When reviewing a contract for a disaster recovery hot site, which of the following would be the MOST significant omission?

    • Audit rights
    • Testing procedures
    • Exposure coverage 
    • Equipment provided
  13. Which of the following is the BEST reason to utilize blockchain technology to record accounting transactions?

    • Integrity of records 
    • Confidentiality of records
    • Availability of records
    • Distribution of records
  14. Which of the following is the GREATEST risk associated with instant messaging?

    • Data governance may become ineffective.
    • Data classification procedures may not be followed.
    • Data logging is more difficult.
    • Data exfiltration is more likely to occur.
  15. When using a wireless device, which of the following BEST ensures confidential access to email via web mail?

    • Simple object access protocol (SOAP)
    • Hypertext transfer protocol secure (HTTPS) 
    • Extensible markup language (XML)
    • Wired equivalent privacy (WEP)
  16. Which of the following is an indication of possible hacker activity involving voice communications?

    • A significant percentage of lines are busy during early morning and late afternoon hours.
    • Outbound calls are found to significantly increase in frequency during non-business hours. 
    • Inbound calls experience significant fluctuations based on time-of-day and day-of-week.
    • Direct inward system access (DISA) is found to be disabled on the company’s exchange.
  17. Which of the following would provide the BEST evidence for use in a forensic investigation of an employee’s hard drive?

    • A file level copy of the hard drive
    • Bit-stream copy of the hard drive 
    • Memory dump to an external hard drive
    • Prior backups
  18. Which of the following is the BEST way to minimize leakage of data in transit?

    • Virtual local area network (VLAN)
    • Storage encryption
    • Virtual private network (VPN)
    • Digital signature
  19. The recovery time objective (RTO) is normally determined on the basis of the:

    • criticality of the systems affected.
    • risk of occurrence.
    • acceptable downtime of the alternate site.
    • cost of recovery of all systems.
  20. Which of the following attacks is BEST detected by an intrusion detection system (IDS)?

    • Spamming
    • Spoofing
    • Logic bomb
    • System scanning