CISA : Certified Information Systems Auditor : Part 30
-
In a multinational organization, local security regulations should be implemented over global security policy because:
- global security policies include unnecessary controls for local businesses
- business objectives are defined by local business unit managers
- requirements of local regulations take precedence
- deploying awareness of local regulations is more practical than of global policy
-
Which of the following is a step in establishing a security policy?
- Developing platform-level security baselines.
- Developing configuration parameters for the network.
- Implementing a process for developing and maintaining the policy.
- Creating a RACI matrix.
-
A large number of exceptions to an organization’s information security standards have been granted after senior management approved a bring your own device (BYOD) program. To address this situation, it is MOST important for the information security manager to:
- introduce strong authentication on devices
- reject new exception requests
- require authorization to wipe lost devices
- update the information security policy
-
Which of the following is MOST important for the IS auditor to verify when reviewing the development process of a security policy?
- Evidence of active involvement of key stakeholders
- Output from the enterprise’s risk management system
- Identification of the control framework
- Evidence of management approval
-
Which of the following should be the PRIMARY reason to establish a social media policy for all employees?
- To publish acceptable messages to be used by employees when posting
- To raise awareness and provide guidance about social media risks
- To restrict access to social media during business hours to maintain productivity
- To prevent negative public social media postings and comments
-
An internal IS auditor discovers that a service organization did not notify its customers following a data breach. Which of the following should the auditor do FIRST?
- Notify audit management of the finding.
- Report the finding to regulatory authorities.
- Notify the service organization’s customers.
- Require the service organization to notify its customers.
-
A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?
- Industry standards
- The business impact analysis (BIA)
- The business objectives
- Previous audit recommendations
-
A CEO requests access to corporate documents from a mobile device that does not comply with organizational policy. The information security manager should FIRST:
- evaluate the business risk
- evaluate a third-party solution
- initiate an exception approval process
- deploy additional security controls
-
Which of the following is MOST important to consider when developing a bring your own device (BYOD) policy?
- Supported operating systems
- Procedure for accessing the network
- Application download restrictions
- Remote wipe procedures
-
An IT steering committee assists the board of directors to fulfill IT governance duties by:
- developing IT policies and procedures for project tracking.
- focusing on the supply of IT services and products.
- overseeing major projects and IT resource allocation.
- implementing the IT strategy.
-
Which of the following can provide assurance that an IT project has delivered its planned benefits?
- User acceptance testing (UAT)
- Steering committee approval
- Post-implementation review
- Quality assurance evaluation
-
Which of the following is MOST important when evaluating the retention period for a cloud provider’s client data backups?
- Cost of data storage
- Contractual commitments
- Previous audit recommendations
- Industry best practice
-
Which of the following is MOST important to include in a contract with a software development service provider?
- A list of key performance indicators (KPIs)
- Ownership of intellectual property
- Service level agreement (SLA)
- Explicit contract termination requirements
-
Which of the following is a distinguishing feature at the highest level of a maturity model?
- There are formal standards and procedures.
- Projects are controlled with management supervision.
- A continuous improvement process is applied.
- Processes are monitored continuously.
-
The PRIMARY purpose of a precedence diagramming method in managing IT projects is to:
- monitor project scope creep.
- identify the critical path.
- identify key milestones.
- minimize delays and overruns.
-
Reports to the executive level concerning IT performance should focus on:
- third-party compliance with organizational practices.
- IT performance in relation to operational improvements.
- IT deliverables against organizational strategies.
- capacity planning effectiveness within the organization.
-
To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?
- Include strategic objectives in IT staff performance objectives.
- Review IT staff job descriptions for alignment.
- Identify required IT skill sets that support key business processes.
- Develop quarterly training for each IT staff member.
-
Which of the following should be the PRIMARY basis for planning and prioritizing IT infrastructure security audits?
- Asset value to the organization
- Management requests
- The organization’s risk appetite
- Security best practice
-
Which of the following is the MOST effective control to reduce the risk of information leakage through social media?
- Use of keystroke loggers
- Periodic review of the data classification policy
- Limited access to social media sites in the workplace
- Security awareness training
-
An operations manager has recently moved to internal audit. Which of the following would be of GREATEST concern when assigning audit projects to this individual?
- A control within the audit scope was implemented by the operations manager six months ago.
- A control within the audit scope was downgraded to low risk by the operations manager six months ago.
- The owner of a process within the audit scope worked for the operations manager six months ago.
- A system within the audit scope is supported by an emerging technology for which the operations manager lacks experience.