Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CISA review questions > Assessment > Flashcards

Assessment Flashcards

1
Q

Which of these choices is the best answer regarding who is primarily responsible for
providing internal controls to detect, correct, and prevent irregularities or illegal acts?

A. Board of directors
B. Information technology
C. Legal, aka general council
D. Human resources

A

A.

The board of directors has oversight control and responsibility to task executive management with the duties of providing internal controls. This function is to be specifically authorized in writing; given sufficient priority; and given resources of personnel, time, and money for proper implementation. CHAPTER 2

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Which of the following functions should be separated from the others if segregation of
duties cannot be achieved in an automated system?
A. Origination
B. Authorization
C. Reprocessing
D. Transaction logging

A

B.
Authorization should be separate from all other activities. A second person should review changes before implementation. Authorization will be granted if the change is warranted and the level of risk is acceptable. Chapter 3 and 5

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the purpose of the audit committee?

A. To provide daily coordination of all audit activities
B. To challenge and review assurances
C. To assist the managers with training in auditing skills
D. To govern, control, and manage the organization

A

B.
The purpose of the audit committee is to review and challenge assurances made and to maintain a positive working relationship with management and the auditors. For more information, see Chapters 2 and 3.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are the qualifications of the incident commander when responding to a crisis?
A. Trained crisis manager
B. First person on scene
C. Member of management
D. First responder

A

B.
The first person on the scene is the incident commander, regardless of rank or position. The incident commander may be relieved by a person with more experience or less experience, according to the situation. The incident commander will change throughout the crisis. For more information, see Chapter 8

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which of the following options is not true in regard to configuring routers, servers, workstations, printers, and networked databases set up using default settings?

A. Designed to reduce technical support during installation for novice users

B. Sufficient controls to provide a minimum level of safety for production use

C. Predictable to facilitate successful intrusion attacks using well-known filenames, access
paths, and missing or incomplete security parameters

D. Remote scanning and automated penetration tools that prey upon systems running on
default settings

A

B.
Option B is not true. Vendors automate the installation to be as easy as possible so the majority of buyers will keep the product past the return deadline. Systems running on default settings are highly susceptible to attack because the layout and security profile is well known and easily available for anyone via a simple web search. All operating systems and databases require postinstallation tasks to lock default accounts, complete missing security parameters, set missing passwords, set access restrictions, and remove the installation utility and online examples, which the hacker will use against you. See Chapter 6 for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

How should management act to best deal with emergency changes?

A. Emergency changes cannot be made without advance testing.
B. The change control process does not apply to emergency conditions.
C. All changes should still undergo review.
D. Emergency changes are not allowed under any condition.

A

C.
All emergency changes should still undergo the formal change management process after the fact. The review determines whether the change should remain in place or be modifi ed. For more information, see Chapter 6.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Which of the following would be a concern that the auditor should explain in the audit report along with their findings?

A. Lack of a detailed list of audit objectives
B. Undue restrictions placed by management on evidence use or audit procedure
C. Communicating results directly to the chairperson of the audit committee
D. Need by the current auditor to communicate with the prior auditors

A

B.
Undue restrictions on scope would be a major concern, as would a lack of time or the inability to obtain suffi cient reliable evidence. For more information, see Chapter 3.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

During the performance of an audit, a reportable finding is identified with the auditee. The
auditee immediately fixed the problem upon identification. Which of the following is true
as a result of this interaction?

A. Auditee resolved the problem before the audit report is written, therefore no finding
exists.
B. Auditor can verify that the corrective action has been taken before the audit report is
written, therefore no finding exists.
C. Auditor includes the finding in the final audit report as resolved.
D. Auditor lists the finding as it existed.

A

D.
Audit reports are intended to reflect the situation prior to the start of the audit. An audit is always a review of past history. This situation indicates that the auditee never detected the problem until it was found by the auditor. The audit report should include the finding and described the corrective action taken by the auditee after discovery. If the finding was to be color-coded red, the final audit report should indicate a red color code with the notation in the comments field that corrective action was taken by the auditee. For more information, see Chapter 3.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which of the following management methods provides the most control rather than
discretionary flexibility?
A. Distributed
B. Centralized
C. In-house
D. Outsourced

A

B. Centralized management always provides the most control. Distributed management is also known as discretionary because the decision is made locally and is based on a variety of factors. Distributed methods provide the lowest overall control. For more information, see Chapter 7.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is the principal issue surrounding the use of CAAT software?

A. The capability of the software vendor
B. Documentary evidence is more effective
C. Inability of automated tools to consider the human characteristics of the environment
D. The possible cost, complexity, and security of output

A

D.
Computer-assisted audit tools are able to perform detailed technical tasks faster than humans and produce more accurate data during particular functions such as system scanning. Cost, training, and security of output are major considerations. For more information, see Chapter 3.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Digital signatures are designed to provide additional protection for electronic messages in
order to determine which of the following?

A. Message read by unauthorized party
B. Message sender verification
C. Message deletion
D. Message modification

A

B.
Digital signatures provide authentication assurance of the email sender. A cryptographic process uses the private key of the sender to form a hash value of the message. Message hashing provides assurance that the message is from the specified sender and was not modified. For more information, see Chapter 7.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Which is the primary benefit of using a risk-based approach in audit planning?

A. Simplifies resource scheduling.
B. Allocates resources to the areas of highest concern.
C. Properly trained personnel are available.
D. Lowers the overall cost of compliance.

A

B.
Areas of highest concern are usually identified by comparing individual tasks identified within the auditee’s workflow process diagram with the handling rules of individual data assets being used according to their records management system (RMS). A risk-based approach allows annual audit compliance requirements to be divided up into a series of smaller audits occurring each month in each quarter. Resource scheduling and verifying the availability of properly trained personnel may be done months in advance using various methods of external individual audits. For more information, see Chapters 2 and 3.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What indicators are used to identify the anticipated level of recovery and loss at a given
point in time?

A. RPO and RTO
B. RTO and SDO
C. RPO and ITO
D. SDO and IRO

A

A.
The recovery point objective (RPO) indicates the fallback position and duration of loss that has occurred. A valid RPO example is to recover by using backup data from last night’s backup tape, meaning that the more recent transactions would be lost. The recovery time objective (RTO) indicates a point in time that the restored data should be available for the user to access. For more information, see Chapter 8.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Which of the following is the best choice to ensure that internal control objectives are met?

A. Top executive issues a policy stating compliance objectives.
B. Procedures are created to govern employee conduct.
C. Suitable systems for tracking and reporting incidents are used.
D. The clients operating records are audited annually.

A

C.
Designing, implementing, and using suitable systems for tracking and reporting incidents
is the best way to ensure that internal control objectives are met. What gets measured is what
gets done, so tracking the detection of problems is the best answer. The other choices are also
important actions, but in the hierarchy of controls the first priority is timely detection. Lack of detection is a total governance failure. For more information, see Chapter 2.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Which of the following statements is true concerning asymmetric key cryptography?

A. The sender encrypts the files by using the recipient’s private key.
B. The sender and receiver use the same key.
C. Asymmetric keys cannot be used for digital signatures.
D. The sender and receiver have different keys.

A

D.
The sender and receiver each have their own public and private key pair. Only the public keys are shared between sender and receiver. All the other statements are false. Asymmetric keys are definitely used for creating digital signatures. The sender would never use the recipient’s private
key, only the recipient’s public key. For more information, see Chapter 7.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Who is responsible for designating the appropriate information classification level?

A. Data custodian
B. Data user
C. Data owner
D. Security manager

A

C.
The data owner is responsible for designating the appropriate information security level and appointing the custodian. The data owner is usually a vice president or someone in a position higher up in the organization, up to an agency head. The data owner also specifies the controls to be used. The audit committee and management can change the security level if the data owner fails to properly classify the data. For more information, see Chapter 7.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is the best statement regarding the purpose of using the OSI model?

A. To define separation of duties, controls, and boundaries
B. To define which level of program-to-program gateways operate
C. To define how networking protocols work for IT professionals
D. To define the differences between OSI and IP protocols

A

A.
The Open Systems Interconnect (OSI) model is used to define separation of duties for electronic services, personnel, control points, and boundaries used in service-level agreements, compliance rules, and legal contracts. Most IT professionals were never taught the actual content and don’t understand the incredibly valuable information they missed. For more information, see Chapter 4

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is one of the bigger concerns regarding asset disposal?

A. Residual asset value
B. Employees taking disposed property home
C. Standing data
D. Environmental regulations

A

C.
Standing data should be purged from the equipment prior to disposal. Standing data refers to information that can be recovered from a device by using any means. For more information, see Chapter 6.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What is the primary purpose of database views?

A. Restrict the viewing of selected data
B. Provide a method for generating reports
C. Allow the user access into the database
D. Allow the system administrator access to maintain the database

A

A.
Database views are weak controls used to implement least privilege and restrict the data that can be viewed by the user. For more information, see Chapter 7.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Which step is necessary before moving into the next phase when using the System Development Life Cycle?

A. Phase meeting
B. Change control
C. Formal approval
D. Review meeting

A

C.
Formal approval is necessary before moving into the next phase. A review meeting is held with the stakeholders, project manager, and executive chairperson. All of the projections and open issues are discussed. Each item is approved, rejected, or canceled. The project may advance to the next stage with formal approval. The auditor should look for evidence of formal approval and how the decision was made. For more information, see Chapter 5.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Which of the following indicates why continuity planners can create plans without a
business impact analysis (BIA)?

A. Management already dictated all the key processes to be used.
B. They can’t because critical processes may change monthly or annually.
C. Business impact analysis is not required.
D. Risk assessment is acceptable.

A

B.
It is not possible to create business continuity plans without a current business impact analysis (BIA). The BIA is a step-by-step process map that identifies critical processes and their dependencies. The critical processes will change as the business changes with new products and customers. For more information, see Chapter 8.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Which of the following answers contains the steps for business process reengineering (BPR)
in proper sequence?

A. Diagnose, envision, redesign, reconstruct
B. Envision, initiate, diagnose, redesign, reconstruct, evaluate
C. Evaluate, envision, redesign, reconstruct, review
D. Initiate, evaluate, diagnose, reconstruct, review

A

B.
According to ISACA, the general steps in business process reengineering are envision the need, initiate the project, diagnose the existing process, redesign a process, use change management to reconstruct the organization in transition, and evaluate the results. For more information, see Chapter 2.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Segregation or separation of duties may not be practical in a small environment. A single employee may be performing the combined functions of server operator and application programmer. The IS auditor should recommend controls for which of the following?

A. Automated logging of changes made to development libraries

B. Procedures that verify that only approved program changes are implemented

C. Automated controls to prevent the operator logon ID from making program modifications

D. Hiring additional technical staff to force segregation of duties

A

B.
Procedures should be implemented to ensure that only approved program changes are implemented. The purpose of separation of duties is to prevent intentional or unintentional errors. In the worst case, a logical separation of duties may exist if a single person performs two job roles. The ultimate objective is to ensure that a second person has reviewed and approved a change before it is implemented. For more information, see Chapter 6.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Which of the following is true concerning reporting by internal auditors?

A. Results can be used for industry licensing.
B. The corresponding value of the audit report is high.
C. Results can be used for external reporting.
D. The corresponding value of the audit report is low.

A

D.
Reports by internal auditors have a low corresponding value due to the built-in reporting conflict that may exist. This is why external independent audits are required for regulatory licensing. For more information, see Chapter 3.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
The auditor is permitted to deviate from professional audit standards when they feel it is necessary because of which of the following? A. Standards are designed for discretionary use. B. The unique characteristics of each client will require auditor flexibility. C. Deviating from standards is almost unheard of and would require significant justification. D. Deviation depends on the authority granted in the audit charter.
C. Standards are mandatory and any deviation would require justification. Exceptions are rarely accepted. For more information, see Chapter 2.
26
Which of the following is true regarding the principle of auditor independence? A. It is not an issue for auditors working for a consulting company. B. It is required for an external audit to prevent bias. C. An internal auditor must undergo certification training to be independent. D. The audit committee would bestow independence on the auditor.
B. The auditor must be independent of personal and organizational relationships with the auditee, which could imply a biased opinion. The auditor is not permitted to audit a system for which they participated in the support, configuration, or design. An auditor may not audit any system that they helped to remediate. For more information, see Chapter 1.
27
What is the best definition of auditing? A. Review of past history using evidence to tell the story B. Forecasting compliance generated by a new system preparing to enter production C. Precompliance assessment based on management’s intended design D. Certification testing of the system benefits or failures
A. Auditing is a review of past history. We use evidence and testing to determine the story. It’s not possible to use an audit to forecast compliance benefits before entering production. Every system creates unforeseen consequences that can be fully realized only after that system enters production. You can audit the system attributes during design and development but you can’t audit the unrealized operating issues impacting its compliance. Compliance requires an audit after it enters production to include the way the system is actually used and managed. For more information, see Chapters 3 and 5.
28
Which of the following is the most significant issue to consider regarding insurance coverage? A. Premiums may be very expensive. B. Insurance can pay for all the costs of recovery. C. Coverage must include all business assets. D. Salvage, rather than replacement, may be dictated.
D. The insurance company may dictate salvage to save money. Salvage will increase the delay before recovery. Any replacement purchases by the organization may not be covered under reimbursement. For more information, see Chapter 8.
29
Which of the following statements is not true regarding the use of passwords for authentication? A. Password lockout is not effective against hackers using the common technique of bypassing the login utility. B. Hash utilities for one-way encryption of OS login passwords are highly susceptible to chosen ciphertext lookup tables, which will show the actual plaintext password currently in use. C. Many dynamic websites with a database backend use program-to-program configuration files to store the passwords using encrypted hash format. D. Passwords are portable, easily captured and reused for unauthorized access, and considered terribly weak authenticators.
D. Option D is no true. Passwords are considered weak because they are portable and easily reused for authorized access. Hacker utilities frequently bypass the login utility by going straight to the authenticator service. For over 30 years, the rainbow tables have provided a ciphertext-to-plaintext lookup for each of the known hash encryption algorithms used by various operating systems. Simply matching the hash value of the target with the lookup table will allow you to see what plaintext generated the hash value. On many websites, the database login and password are visible using the right-click View Source option. Program- to-program configuration file passwords are normally stored in the directory tree using simple plaintext without encryption. For more information, see Chapter 6.
30
Using public-key interchange (PKI) encryption, which key is used by the sender for authentication of the receiving party? A. Sender’s private key B. Recipient’s private key C. Recipient’s public key D. Sender’s public key
31
Which of the following statements is true concerning a software worm? A. Uses authentication defects to freely travel to infect other systems B. Is a synonym for a malicious virus appending itself to data files C. Must be executed by opening a file D. Attaches itself to programs and data by the opening and closing of files
A. Unlike a virus, a worm can freely travel across network connections to infect other systems. Worms exploit authentication failures in other programs to copy themselves between systems. Worms can infect files without the file being opened or closed by the user. For more information, see Chapter 7.
32
What are three of the four key perspectives on the IT balanced scorecard? A. Business justification, service-level agreements, budget B. Organizational staffing, cost reduction, employee training C. Cost reduction, business process, growth D. Service level, critical success factors, vendor selection
C. The four perspectives on the IT balanced scorecard are the customer perspective, business process perspective, financial perspective, and the growth perspective. Each of these seeks to define the highest return by IT. For more information, see Chapter 2.
33
Which sampling method is used when the likelihood of finding evidence is low? A. Discovery B. Cell C. Random D. Stop and go
A. Discovery sampling is known as the 100 percent sample. All available sources are investigated to find any evidence that may exist. Discovery sampling is commonly used in criminal investigations. It’s also the best way to find possible correlations when an event cannot be explained. For more information, see Chapter 3.
34
Which of the following would represent the greatest concern to an auditor investigating roles and responsibilities of the IT personnel? A. An IT member is reviewing current server workload requirements and forecasts future needs. B. An IT member monitors system performance, making necessary program changes and tracking any resulting problems. C. An IT member tests and assesses the effectiveness of current procedures and recommends specific improvements. D. An IT member works directly with the user to improve response times and performance across the network.
B. The separation of duties is intended to prevent an individual from monitoring their own work or authorizing their own changes. Self-monitoring and self-authorization would be a problem warranting serious concern because it violates the intention of IT governance. The auditor would want to investigate whether changes were formally reviewed and approved by the change control board prior to implementation. For more information, see Chapter 6.
35
When auditing the use of encryption, which of the following would be the primary concern of the auditor? A. Management’s level of control over the use of encryption B. Strength of encryption algorithm in use C. Key sizes used in the encryption and decryption process D. Using the correct encryption method for compliance
A. The most important concern is how management controls the use of encryption. Is the encryption managed under a complete life cycle from creation to destruction? The management of keys should govern creation storage, proper authorization, correct use with the appropriate algorithm, tracking, archiving or reissuing, retiring, and ultimately the destruction of the encryption keys after all legal obligations have been met. For more information, see Chapter 7.
36
Which of the following represents the hierarchy of controls from highest level to lowest level? A. General, pervasive, detailed, application B. Pervasive, general, application, detailed C. Detailed, pervasive, application, detailed D. Application, general, detailed, pervasive
A. General controls represent the highest class of controls that apply to everyone within the organization. Pervasive controls represent the protection necessary when using particular technology (e.g., mobile device or hazardous substance). IS controls are pervasive in all departments using computers. No matter who is in charge, the IS controls must be used to ensure integrity and availability. Detailed controls specify exactly how a procedure will be executed and when. Application controls are the lowest-level controls and are usually built into the software or govern its use. Application controls will be compromised if the higher-level controls are not present. For more information, see Chapter 3.
37
What is the primary objective in the third phase of incident response? A. Containment B. Lessons learned C. Eradication D. Analysis
A. The phases in incident handling are (1) preparation, (2) detection and analysis, (3) containment eradication and recovery, and (4) post-incident activity, including lessons learned. For more information, see Chapter 6.
38
What is the purpose of using the ACID principle with database applications? A. To write the entire transaction to the master file or discard without making any changes B. To provide environmental protection to safeguard the server to ensure maximum uptime C. To step-link each data transaction to ensure consistency D. To remove unnecessary data from the database for better performance
A. The ACID principle says to write the entire transaction or back it completely out. A stands for atomicity (all or nothing), C for consistency (restore data if the write fails), I for isolation (separation between transactions), and D for durability (retain the data). For more information, see Chapter 5.
39
What is the first priority of management upon the possible detection of an irregular or illegal act? A. Shut down access to the system. B. Aid the process of investigation and inquiry. C. Notify appropriate law enforcement. D. Contact auditors to schedule an audit of the situation.
B. Management is required to aid and participate in the investigation and inquiry of suspected irregular or illegal activity. A predesignated, pretrained incident response team will investigate and may receive special access directly to management for advice on how to handle the issue. See Chapters 2 and 6 for more information.
40
What is the principle purpose of using function point analysis? A. Verify the integrity of financial transaction algorithms in a program B. Estimate the complexity involved in software development C. Review the results of automated transactions meeting criteria for the audit D. Provide system boundary data during the Requirements Definition phase
B. Function point analysis is used by highly experienced programmers to estimate the complexity involved in writing new software. It starts by counting the inputs, outputs, inquiries (searches), data structure, and external interfaces. For more information, see Chapter 5.
41
Which of the following common methods is typically not used by hackers to remotely control encryption keys which exist unencrypted in executable RAM memory? A. Malware downloading and installing a Trojan horse utility without the user’s knowledge B. Remotely gaining unencrypted access to POS/computers on the internal store LAN before encryption occurs for transmission C. Gaining physical access into the system using social engineering D. Gaining unauthorized access using static passwords in configuration files intended for
C. Almost all commercial computers are easily compromised by malware downloads, compromised device drivers, reusing static passwords viewable in program-to-program configuration files, Plug and Play features enabled, and other remote access attacks. Social engineering, which requires being onsite, is seldom used because remote access is so easy with less chance of getting caught. For more information, see Chapter 6.
42
Which of the following is not one of the three major control types? A. Detective B. Deterrent C. Preventive D. Corrective
B. The major control types are detective (finds), corrective (fixes), and physical (stops reoccurrence). A deterrent control is simply a very weak form of preventative control. For more information, see Chapter 3.
43
Which method of backup should be used on a computer hard disk or flash media prior to starting a forensic investigation? A. Full B. Differential C. Bitstream D. Logical
C. Bitstream imaging is the only backup method that records the deleted files along with the contents of the swap space and slack space. Bitstream backup is also referred to as physical imaging. All of the other choices would miss these important files that are necessary as evidence. For more information, see Chapter 6.
44
After presenting the report at the conclusion of an audit, the lead auditor discovers the omission of a procedure. What should the auditor do next? A. Log on to CareerBuilder.com and change their current employment status to available. B. Cancel the report if audit alternatives cannot compensate for the deficiency. C. File an incident disclosure report with the audit association to minimize any liability. D. No action is required as long as the omitted procedure is included in the next audit.
B. The auditor needs to review the audit alternatives to determine whether the alternatives could sufficiently compensate for the omission. The auditor should cancel their report if the omitted procedures would change the outcome and if audit alternatives cannot compensate for the deficiency. For more information, see Chapter 3.
45
Which of the following statements is not true regarding devices or systems that routinely allow unknown or unauthenticated users access to use the CPU, memory, or hard drive storage? A. Unknown/anonymous users can upload or download data from the web server database. Unintended data or configuration settings may be revealed or executable code with escalation attack commands may be uploaded. B. Unknown/anonymous users can access the LAN printer/multi-function device (MFP) to spool, print, fax, or receive files or remotely manipulate device settings. C. Unknown/anonymous users can remotely alter startup settings or boot file images without the knowledge of system administrators. D. Unknown/anonymous users can be sales prospects, so the risk is acceptable because security controls must be cost effective and not interrupt revenue activities.
D. Option D is not Cost-effective security controls relates to being cost-effective when compared to the risk likelihood and cost consequences of system interruption, system takeover, or data breach. The other three statements are true. LAN printer/MFP devices usually lack access control lists, have no antivirus protection and no malware firewall, and are frequently overlooked by users, which make the LAN printer an excellent platform to launch additional attacks. For more information, see Chapter 6.
46
In regard to the IT governance control objectives, which of the following occurrences would the auditor be most concerned about during execution of the audit? A. Using the practice of self-monitoring to report problems B. Using proper change control C. Conflict in the existing reporting relationship D. Production system without accreditation
B. The auditor would be most concerned about use of proper change control. Auditors want to see change control procedures being used for separation of duties. All of the other choices represent violations warranting further investigation. For more information, see Chapters 2 and 6.
47
What is the purpose behind system accreditation? A. Hold management responsible for fitness of use and any failures B. Provide formal sign-off on the results of certification tests C. Improve the accuracy of forecasting in IT budgets D. Make the user responsible for their use of the system
A. System accreditation is a formal sign-off to witness management’s acceptance of fitness for the system’s intended use and full responsibility for any failures. System accreditation is for a period of 90 days, 180 days, or 365 days (annual). The system must be reaccredited by the expiration date. For more information, see Chapter 5.
48
Implementing a strong external boundary is a successful method to prevent hackers and thieves from accessing your internal computer systems provided you are using which of the following technologies? A. Internet firewalls and intrusion detection systems with prevention capabilities (an IDPS) to prevent ingress B. Strong administrative policy controls with harsh sanctions that include termination and/or criminal liability C. Antivirus software with malware detection capabilities D. The elimination of shared access accounts and static passwords, including those shared for mandatory administrative access
B. Boundary security is based on ingress filtering (authorized inbound), egress filtering (outbound, which includes authorized users getting tricked by malware or social engineering or even sending files that are ot supposed to leave the organization to outsiders or web services), changing default settings that are well known and make any system overly predictable for compromise by hacker, and preventing shared administrative access via static passwords contained in configuration files across the network that are almost never rotated after setup. For more information, see Chapter 6.
49
Which of the following techniques is used in the storage and transmission of a symmetric encryption key? A. Key rotation B. Generating a unique encryption key C. Key wrapping D. Generating a shared encryption key
C. Key wrapping is used to protect encryption keys during storage and transmission of the keys. Encryption keys should never be directly accessible to the user. For more information, see Chapter 7.
50
Which of the following situations should the auditor consider if the auditee has implemented six phases of the System Development Life Cycle (SDLC)? A. The auditee is probably doing a good job with no concerns at this time. B. The IT governance model has been implemented. C. The auditee may be missing a critical function. D. There are only five phases to the System Development Life Cycle.
C. The complete System Development Life Cycle contains seven phases, not six. The auditee may have a control failure because the postimplementation (phase 6) or disposal process (phase 7) may not have been formally adopted. Using fewer than seven phases would indicate that shortcuts have been taken. For more information, see Chapter 5.
51
Which backup method will copy only changed files without resetting the archive bit (archive flag)? A. Physical B. Incremental C. Full D. Differential
D. The differential backup method will copy all files that have changed since the last full backup but will not reset the archive bit. Files can be restored in less time by using just the last full backup with the last differential backup tape. For more information, see Chapter 8.
52
What is the purpose of a digital signature? A. Electronic marker showing the recipient that a sender actually sent a document B. Provides a copy of the sender’s public key along with the document C. Cyclic redundancy check to prove document integrity D. Provides the recipient with a method of testing the document received from a sender
D. An electronic signature is worthless unless the recipient actually tests the document by decrypting it. Electronic signatures should never be trusted by just their presence alone. Digital signatures must be tested by the recipient to verify their authenticity. For more information, see Chapter 7.
53
What is the functional difference between identification and authentication? A. Authorization is a match; identification is only a claim until verified. B. Authentication is only a claim; identification is a verified match. C. Identification is only a claim until verified; authentication is a match. D. Identification is only a claim; authorization is a match.
C. Identification is simply a claim that must be verified. Authentication is when the claim matches the reference, thereby indicating that the identity is correct. For more information, see Chapter 7.
54
Select the best answer to finish this statement: A (blank) is strategic in nature, while the (blank) is tactical. A. policy, procedure B. standard, procedure C. procedure, standard D. policy, standard
D. A policy is strategic, standards are tactical, and procedures are operational. For more information, see Chapter 1.
55
What is the primary objective for using a system with a Redundant Array of Independent—or Inexpensive—Disks (RAID)? A. Prevent corruption B. Increase availability C. Eliminate the need for backups D. Increase storage capacity
B. Using a system with a Redundant Array of Independent—or Inexpensive—Disks (RAID) will increase availability. RAID does not prevent data corruption; therefore, backups are still required. RAID systems use more disk space for redundancy and therefore provide less available storage capacity. For more information, see Chapter 4.
56
What function does the auditor provide? A. Second set of eyes, which are external to the subject under review B. Independent assurance that the claims of management are correct C. Assistance by fixing problems found during the audit D. Adapting standards to fit the needs of the client
A. Whether conducting an internal or external audit, the auditor is a paid impartial observer. None of the other statements are true. The auditor never takes ownership of problems found. Standards are either met by the client (compliant) or not met by the client (not compliant). For more information, see Chapter 1.
57
Which of the following situations does not represent a reporting conflict? A. Information security manager reporting to internal auditors B. Employee reporting violations to their boss, who is also in charge of compliance C. IT security reporting to the chief information officer D. Self-monitoring and reporting of violations
A. IT security managers should report problems to internal auditors. It’s a reporting conflict if an IT-related employee is required to make violation reports directly to their manager. There may be job pressures to cover up problems. A built-in reporting conflict exists when your job requires you to report violations to your superior, if that person is responsible for ensuring compliance. For more information, see Chapter 6.
58
Complete the following statement with the best available answer: The (blank) file is created when the system shuts down improperly. It usually contains (blank) that is/are useful in forensic investigations or used by hackers to leak confidential data and your authenticators. A. dump, contents from RAM memory B. abend, a history of all the user transactions processed C. diagnostic, system startup settings D. abort, all user account information
A. A crash dump file is created when the system crashes abruptly. This file contains the contents of working memory (RAM) and a list of tasks that were being processed. This special diagnostic file is extremely helpful during forensic investigations. For more information, see Chapter 6.
59
In using public-key interchange (PKI) encryption, which key is not used by the recipient for decrypting a message? A. Sender’s private key B. Recipient’s private key C. Sender’s public key D. Recipient’s public key
A. The sender’s private key is never used by the recipient. It takes only three keys to decrypt the message: the sender’s public key, the recipient’s public key, and the recipient’s private key. For more information, see Chapter 7.
60
Where should the computer room be located? A. Secure basement B. First floor C. Middle floor D. Top floor
C. ISACA states that the computer room should never be in the basement because of the risk of flooding. The first floor is susceptible to break-ins. The top floor is susceptible to roof leaks and storm damage. In this book, I discuss the details of how the basement decision occurred. For more information, see Chapter 6.
61
What is the primary purpose of using the root kit? A. System administration tool used by the superuser, also known as the server agent B. Method for tracing source problems in determining cause-and-effect analysis C. Camouflage technique designed to hide certain details from view D. Covert method of remotely compromising the operating system kernel
D. Root kits are used by hackers to remotely subvert the operating system security and compromise the kernel. Root kits can be installed without the knowledge of the user and use stealth techniques to hide their existence from monitoring software. For more information, see Chapter 7.
62
Complete the following statement: A (blank) must be used to prevent (blank) of the hard-disk evidence during the collection phase of forensic investigations. A. forensic specialist, analysis B. write blocker, contamination C. immunizer, corruption D. data analyzer, destruction
B. A write blocker is used to prevent any changes from being written to the hard disk during the collection of evidence. The simple act of booting up the computer will cause changes that taint the evidence. Any changes, no matter how small, will be used by defense lawyers to prove that evidence tampering occurred. Any claim of evidence tampering that cannot be disproved will destroy the value of the evidence. For more information, see Chapter 6.
63
Which of the following statements is true concerning the role of management and the role of the auditor? A. Management uses the auditor’s report before making their assertions. B. Management must make their assertions prior to reading the auditor’s report. C. The auditor is able to view only evidence that has been predetermined by management. D. The auditor’s opinion will be based on the desire of management
B. Management must make their assertions independent of the auditor’s report. The role of the auditor is to determine whether management claims can be verified as correct by the available evidence. For more information, see Chapter 1.
64
Which of the following is the best way for an auditor to prove their competence to perform an audit? A. Having prior experience working in information technology B. Citing each point in a regulation with an audit objective and specific test C. Obtaining auditor certification with ongoing training D. Having prior experience in financial auditing
B. Every auditor should build a list of all the individual points contained in a regulation, citing each point by page, paragraph, and line number. This detailed specification will be used to explain how the audit meets the objective. Specific tests should be created for each item. If the audit test must be rerun, the subsequent auditor should always find similar results by using the existing documentation. For more information, see Chapter 3.
65
Which of the following processes would be the best candidate for business process reengineering? A. Excluded process B. Nonworking process C. Working process D. Marginal process
B. A nonworking process would be the best candidate for reengineering. The actual decision is based on the best return on investment. There is no need to reengineer something that fails to generate a positive return. For more information, see Chapter 2.
66
Which of the following statements is true concerning the auditor’s qualified opinion? A. The auditor has reservations about the findings. B. The auditor is professionally qualified to give an opinion. C. The auditor has no reservations about the findings. D. The auditor has prior experience working in the IT department.
A. A qualified opinion means the auditor has reservations about the scope of the audit, concerns with the available evidence, or concerns that the findings may not represent the true story. Audit reports containing a qualified opinion will have limitations on their use. For more information, see Chapter 3.
67
Wireless LAN encryption systems using Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA, WPA2-PSK) in the transmission of network data will base the transmission security upon which of the following? A. Broadcasting a single password through the airwaves to be shared by all network users B. Broadcasting a unique individual password for each of the network users C. Strength of the WPA2 encryption algorithm selected during the configuration at setup D. Strength of the encryption key being used with WPA2
A. PSK is the acronym for pre-shared key, which is constantly broadcast by the Wi-Fi system and will be universally shared by all network users. Pre-shared key transmissions and beacon signals can easily be captured by anyone with free software downloaded via plenty of Internet sites. A secondary vulnerability exists through the Wi-Fi Protected Setup (WPS) utility on Wi-Fi devices. Passwords are never a good idea as the primary authenticator because they are portable, easily captured, easily identified in transmission, and guessable even when they are stored in encrypted hash format (using password rainbow tables). For more information, see Chapter 4.
68
During a business continuity audit, it is discovered that the business impact analysis (BIA) was not performed even though an initial feasibility review of the financial statement was performed. What would this indicate to the auditor? A. The customer was able to get their plan in place without using the BIA technique. B. The business continuity plan is likely to be a failure. C. Risk analysis and the customer’s selection of the strategy fulfill their most important objectives. D. It’s not necessary to perform a business impact analysis because financial feasibility was performed.
B. The business continuity (BC) plan is likely to fail. It would be nearly impossible for a BC plan to work without first performing a business impact analysis (BIA). Nobody can protect business processes that they were unable to define in a formal specification (BIA report). For more information, see Chapter 8.
69
Which of the following systems uses heuristic techniques to make decisions on behalf of the user? A. Associate decision mart B. Expert system C. Decision support system (DSS) D. Data warehouse
B. Expert systems make decisions for the user by using weighting rules against data points in the database (heuristics) to build correlations. Expert systems frequently contain more than 100,000 discrete points of data. All the other choices expect the user to make their own decision based on available information. For more information, see Chapter 5.
70
Which of the following is the best representation of a soft token used for two-factor authentication? A. Digital signature B. Digital identity C. Digital certificate D. Digital hash
C. Digital certificates (also known as soft tokens) can be used for two-factor authentication. The key fob is also known as a hard token because of its physical nature. Passwords do not provide for two-factor authentication unless coupled with hard tokens, soft tokens, or biometrics. For more information, see Chapter 7.
71
Which of the following is the best example of implementing a detective control via administrative methods? A. Auditing of system configuration and log files B. Running a verification of the backup tape for integrity C. Using an intrusion detection and prevention system (IDPS) D. Restoring a damaged file using a copy from the vendor
A. Auditing of the system configuration and reading system logs are examples of detective controls implemented by using administrative methods. Auditing is always a detective control. Auditors may use computer-assisted audit tools, but auditing is still an administrative process. For more information, see Chapter 3.
72
Which of the following nonstatistical audit samples is also known as a judgmental sample? A. Haphazard B. Attribute C. Unstratified mean D. Random
A. A haphazard sample is also known as a judgmental sample. For more information, see Chapter 3.
73
Which of the following firewall setups would not be a concern to the auditor? A. Firewall not backed up nightly B. Backup media left in the drive C. Source routing enabled D. Remote login or file sharing enabled
A. Firewalls do not need to be backed up except after changes to the system. Backups of the firewall must be full backups on stand-alone devices, also known as a zero-day restore. An auditor should be seriously concerned if source routing is enabled (major hazard), backup media is left in the drive (covert storage for attackers), or remote login or file sharing is enabled (open to remote access). For more information, see Chapter 6.
74
What is the primary purpose of the agile programming methodology? A. Automate the tedious administrative portions of the System Development Life Cycle B. Rapidly create prototypes or prioritize tasks when accurate forecasting is not possible C. Create flexible internal controls that are easy to keep up-to-date D. Improve the quality of traditional planning with better documentation of requirements
B. Agile programming is used to create prototypes or prioritize operations tasks via time-box management techniques to force new iterations within short periods of time. Agile is used when accurate forecasting is not likely. Traditional administrative planning and documentation is forfeited in favor of the undocumented knowledge contained in a person’s head. For more information, see Chapter 5.
75
A member of the auditee staff offers to loan you an unauthorized copy of software that you need for a short time. What should you, as the auditor, always remember? A. It’s okay to borrow the software for one-time use. B. The auditee is not acting in an ethical manner. C. The auditee will usually get amnesty for turning in the auditor or discrediting the auditor. D. Odds of getting caught on this are very low.
C. The auditee will usually get amnesty for turning you in. Copyright violations are always illegal and unethical. You can bet that the auditee will later boast about how they helped you or blast you for issuing an unfavorable report after they did you a favor. Never use unauthorized software under any condition; besides breaking the law, it will make you look bad. No honest person or organization wants to use an auditor who violates the law. For more information, see Chapter 1.
76
Who should the auditor notify if an illegal or inappropriate act involves the persons responsible for governance of controls? A. Law enforcement B. Audit committee C. Federal regulators D. Whistle-blower hotline
B. The auditor should contact the audit committee, never law enforcement or the regulators. If necessary, the auditor’s lawyer will handle contacting the authorities. For more information, see Chapter 3.
77
What is the primary purpose of the audit charter? A. Specify the scope of the audit B. Serve as a record for the agreed-upon terms of the engagement with external auditors C. Specify the mutually agreed-upon procedures that will be used during the audit D. Assign the auditor responsibility, authority, and accountability
D. Audit charters are high-level documents used to grant and assign authorization, responsibility and accountability. to the auditor responsible for conducting an audit and to specify that the auditor will be accountable for their behavior. For more information, see Chapter 3.
78
Security best practices and regulations state privileged access logins that are used for access authentication need to be unique, properly constructed, not reused, and rotated (changed) every 60 to 90 days. How many privileged access passwords typically exist on a normal server running a content management system (CMS) with a database for dynamic web pages? A. 1 to 15 privileged access passwords B. 16 to 30 privileged access passwords C. 30 to 45 privileged access passwords D. More than 45 privileged access passwords
78. C. Option C is usually correct, and it could be more. Besides the hardware boot loader and bios passwords, the operating system has multiple privileged access accounts with passwords unconfigured at installation. Privileged access accounts and passwords always exist in multiple instances for each database (Oracle, MySql, MariaDB, PostgreSQL, etc.) and for driver utilities. Program-to-program privileged access passwords contained in static configuration files ( cfg in .init, etc.) and other miscellaneous middleware applications (including ODBC, or open database connectivity applications) also exist. For more information, see Chapter 6.
79
Portfolio management includes all of the following except which one? A. Selection of projects based on the best return on investment B. Centralized control of priorities across the projects C. Management of concurrent projects D. Method of controlling changes in the work breakdown structure
D. Portfolio management is similar to trading stocks or baseball cards. The objective is to get the highest possible value for your collection of projects. Each project is judged on which ones represent the best return on investment; all other projects are canceled or ignored. Changes to the work breakdown structure (list of project tasks) will occur within the project itself. For more information, see Chapter 2.
80
Which of the following audit tools incorporates dummy transactions into the normal processing on a system? A. Continuous and intermittent simulation (CIS) B. Integrated test facility (ITF) C. Program audit hooks D. Snapshot
B. The auditor can use an embedded audit module, also known as an integrated test facility, to create a set of dummy transactions that will be processed along with genuine transactions. The auditor compares the output data against their own calculations. This allows for substantial testing without disrupting the normal processing schedule. For more information, see Chapter 3.

CISA review questions (2 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions