CISA : Certified Information Systems Auditor : Part 77

  1. The PRIMARY purpose of a security information and event management (SIEM) system is to:

    • identify potential incidents
    • provide status of incidents
    • resolve incidents
    • track ongoing incidents
  2. Which of the following is MOST likely to reduce the effectiveness of a signature-based intrusion detection system (IDS)?

    • The activities being monitored deviate from what is considered normal.
    • The environment is complex.
    • The pattern of normal behavior changes quickly and dramatically.
    • The information regarding monitored activities becomes stale.
  3. Information security awareness programs are MOST effective when they are:

    • customized for each target audience
    • conducted at employee orientation
    • reinforced by computer-based training
    • sponsored by senior management
  4. An information security manager has discovered a potential security breach in a server that supports a critical business process. Which of the following should be the information security manager’s FIRST course of action?

    • Validate that there has been an incident
    • Notify the business process owner
    • Shut down the server in an organized manner
    • Inform senior management of the incident
  5. Which of the following is the MOST important outcome of testing incident response plans?

    • Internal procedures are improved.
    • An action plan is available for senior management.
    • Staff is educated about current threats.
    • Areas requiring investment are identified.
  6. What should be the MAIN goal of an organization’s incident response plan?

    • Keep stakeholders notified of incident status.
    • Enable appropriate response according to criticality.
    • Correlate incidents from different systems.
    • Identify the root cause of the incident.
  7. An organization has purchased a security information and event management (SIEM) tool. Which of the following would be MOST important to consider before implementation?

    • The contract with the SIEM vendor
    • Controls to be monitored
    • Available technical support
    • Reporting capabilities
  8. A client/server configuration will:

    • optimize system performance by having a server on a front-end and clients on a host
    • enhance system performance through the separation of front-end and back-end processes
    • keep track of all the clients using the IS facilities of a service organization
    • limit the clients and servers’ relationship by limiting the IS facilities to a single hardware system
  9. Which of the following would BEST ensure the confidentiality of sensitive data during transmission?

    • Restricting the recipient through destination IP addresses
    • Sending data over public networks using Secure Sockets Layer (SSL)
    • Password protecting data over virtual local area networks (VLAN)
    • Sending data through proxy servers
  10. Which of the following is the GREATEST risk of cloud computing?

    • Reduced performance
    • Disclosure of data
    • Lack of scalability
    • Inflexibility
  11. In an IT organization where many responsibilities are shared, which of the following would be the BEST control for detecting unauthorized data changes?

    • Data changes are independently reviewed by another group.
    • Users are required to periodically rotate responsibilities.
    • Segregation of duties conflicts are periodically reviewed.
    • Data changes are logged in an outside application.
  12. Which of the following is a substantive test procedure?

    • Using audit software to verify the total of an accounts receivable file
    • Observing that user IDs and passwords are required to sign on to the online system
    • Test of invoice calculation process
    • Verifying that appropriate approvals are documented in a sample of program changes
  13. Which of the following is an advantage of decentralized security administration?

    • Greater integrity
    • Faster turnaround
    • More uniformity
    • Better-trained administrators
  14. An IS auditor notes that several recent incidents related to server overload were not anticipated early enough by IT operations to prevent outages. Which of the following is the auditor’s BEST recommendation?

    • Update the IT operations balanced scorecard.
    • Improve training for IT operations personnel.
    • Re-evaluate key performance indicators (KPIs).
    • Purchase additional server hardware.
  15. An IS audit of help desk operations reveals that a number of similar issues have recently been reported to the help desk, but incident details have not been tracked. Which of the following is the MOST significant risk in this situation?

    • The help desk may not be meeting agreed-upon service levels.
    • The help desk may not be able to perform root cause analysis.
    • The help desk may lack resources to investigate incidents.
    • The help desk may not respond to incidents in a timely manner.
  16. Using development and operations (DevOps) processes, an organization’s IT department has automated the process of replacing application programming interfaces (APIs) in production with new versions. Which of the following controls would BEST reduce the risk of vulnerabilities in this situation?

    • Review API change requests to ensure appropriate authorization exists
    • Conduct API security testing prior to release into production
    • Examine API log files to determine when changes occur in production
    • Review an up-to-date inventory of APIs in production for completeness
  17. An IT department is unaware of spreadsheets and databases that have been created by business end users to support their respective operations. Which of the following is the GREATEST risk in this situation?

    • End-user solutions may not have proper documentation.
    • End-user developed systems may duplicate data.
    • End-user solutions may not be protected by IT general controls.
    • End-user developed systems may be inefficient.
  18. Which of the following observations should be of MOST concern to an IS auditor evaluating an IT security team’s incident handling practices?

    • The team’s scope covers any nonstandard operation of IT services within the organization.
    • The prioritization of incidents is not done through a standardized process.
    • Defined acceptable ranges for incident resolution are not established.
    • Unresolved incidents are escalated based on criteria set by the organization’s CIO.
  19. Which of the following is the BEST indication that an organization’s security incident and event monitoring (SIEM) capability is operating effectively?

    • Security event logging is centralized.
    • Security event logging policies are defined.
    • Security event logging is enabled for individual applications.
    • Security event logging is correlated across multiple applications.
  20. Which of the following is an example of a corrective control?

    • Restoring system information from data backups
    • Utilizing processes that enforce segregation of duties
    • Generating automated batch job failure notifications
    • Employing only qualified personnel to execute tasks