CISA : Certified Information Systems Auditor : Part 41
-
During an exit interview, senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report. Which of the following would be the auditor’s BEST course of action?
- Revise the assessment based on senior management’s objections
- Gather evidence to analyze senior management’s objections.
- Escalate the issue to audit management.
- Finalize the draft audit report without changes.
-
Which of the following is the MOST important to have in place to build consensus among key stakeholders on the cost-effectiveness of IT?
- Standardized enterprise architecture (EA)
- A uniform IT chargeback process
- IT project governance and management
- IT performance monitoring and reporting
-
The implementation of an IT governance framework requires that the board of directors of an organization:
- approve the IT strategy.
- be informed of all IT initiatives.
- have an IT strategy committee.
- address technical IT issues.
-
An organization seeks to control costs related to storage media throughout the information life cycle while still meeting business and regulatory requirements. Which of the following is the BEST way to achieve this objective?
- Utilize solid state memory.
- Implement a data retention policy.
- Perform periodic tape backups.
- Stream backups to the cloud.
-
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization’s information security policy?
- Business objectives
- Alignment with the IT tactical plan
- Compliance with industry best practice
- IT steering committee minutes
-
An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?
- A significant increase in external attack attempts
- A significant increase in approved exceptions
- A significant increase in cybersecurity audit findings
- A significant increase in authorized connections to third parties
-
When reviewing an organization’s information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:
- industry best practices.
- an information security framework.
- past information security incidents.
- a risk management process.
-
Which of the following is the BEST use of a maturity model in a small organization?
- To develop a roadmap for the organization to achieve the highest maturity level
- To identify required actions to close the gap between current and desired maturity levels
- To benchmark against peer organizations that have attained the highest maturity level
- To assess the current maturity level and the level of compliance with key controls
-
Which of the following information security requirements BEST enables the tracking of organizational data in a bring your own device (BYOD) environment?
- Employees must sign acknowledgement of the organization’s mobile device acceptable use policy.
- Employees must use auto-lock features and complex passwords on personal devices.
- Employees must immediately report lost or stolen mobile devices containing organizational data.
- Employees must enroll their personal devices in the organization’s mobile device management program.
-
End users have been demanding the ability to use their own devices for work, but want to keep personal information out of corporate control. Which of the following would be MOST effective at reducing the risk of security incidents while satisfying end user requirements?
- Require complex passwords
- Implement an acceptable use policy
- Enable remote wipe capabilities for the devices
- Encrypt corporate data on the devices
-
When classifying information, it is MOST important to align the classification to:
- industry standards
- security policy
- business risk
- data retention requirements
-
Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?
- Total cost of each project
- Expected return divided by total project cost
- Net present value (NPV) of the portfolio
- Cost of projects divided by total IT cost
-
IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance. Which of the following controls will MOST effectively compensate for the lack of referential integrity?
- Performance monitoring tools
- More frequent data backups
- Periodic table link checks
- Concurrent access controls
-
Which of the following is the PRIMARY benefit of performing a maturity model assessment?
- It identifies and fixes attribute weaknesses.
- It ensures organizational consistency and improvement.
- It facilitates the execution of an improvement plan.
- It acts as a measuring tool and progress indicator.
-
Which of the following is MOST important to review when evaluating the performance of a critical web application?
- Business-defined application response times
- Feedback from customer satisfaction surveys
- Roles and responsibilities for reporting
- Strategy for application performance monitoring in the cloud
-
When assessing whether an organization’s IT performance measures are comparable to other organizations in the same industry, which of the following would be MOST helpful to review?
- Utilization reports
- Balanced scorecard
- Benchmarking surveys
- IT governance frameworks
-
Which of the following is the BEST indicator of the effectiveness of an organization’s portfolio management program?
- Percentage of investments achieving their forecasted value
- Maturity levels of the value management processes
- Experience of the portfolio management personnel
- Stakeholder’s perception of IT’s value
-
The PRIMARY objective of IT service level management is to:
- improve IT cost control.
- increase awareness of IT services.
- manage computer operations activities.
- satisfy customer requirements.
-
A core business unit relies on an effective legacy system that does not meet the current security standards and threatens the enterprise network. Which of the following is the BEST course of action to address the situation?
- Require that new systems that can meet the standards be implemented.
- Document the deficiencies in the risk register.
- Develop processes to compensate for the deficiencies.
- Disconnect the legacy system from the rest of the network.
-
Which of the following would BEST enable effective decision-making?
- Annualized loss estimates determined from past security events
- A universally applied list of generic threats, impacts, and vulnerabilities
- Formalized acceptance of risk analysis by business management
- A consistent process to analyze new and historical information risk