The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A) are available here free of charge, to help you pass the ISACA CISA exam and earn the ISACA CISA certification.
CISA Question 1291
Question
Who is responsible for authorizing the access level of a data user?
A. Data Owner
B. Data User
C. Data Custodian
D. Security Administrator
Answer
A. Data Owner
Explanation
Data owners are responsible for authorizing the access level of a data user. They are generally managers and directors responsible for using information to run and control the business. Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly reviewing the access rules for the data for which they are responsible.
For your exam you should know the following roles in an organization:
- Data Owners – Data owners are generally managers and directors responsible for using information to run and control the business. Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly reviewing the access rules for the data for which they are responsible.
- Data Custodian or Data Steward – Data custodians are responsible for storing and safeguarding the data, and include IS personnel such as systems analysts and computer operators.
- Security Administrator – The security administrator is responsible for providing adequate physical and logical security for IS programs, data and equipment.
- Data Users – Data users, including the internal and external user community, are the actual users of computerized data. Their level of access to the computer should be authorized by data owners, and restricted and monitored by the security administrator.
The following were incorrect answers:
- Security Administrator – The security administrator is responsible for providing adequate physical and logical security for IS programs, data and equipment.
- Data Users – Data users, including the internal and external user community, are the actual users of computerized data.
- Data Custodian – The data custodian is responsible for storing and safeguarding the data, and includes IS personnel such as systems analysts and computer operators.
CISA Question 1292
Question
Who is responsible for restricting and monitoring the access of a data user?
A. Data Owner
B. Data User
C. Data Custodian
D. Security Administrator
Answer
D. Security Administrator
Explanation
Security administrators are responsible for providing adequate physical and logical security for IS programs, data and equipment; this includes restricting and monitoring the access of data users.
For the CISA exam you should know the roles in an organization (data owners, data custodians or data stewards, security administrators, and data users) as described under CISA Question 1291.
The following were incorrect answers:
- Data Owner – Data owners are generally managers and directors responsible for using information to run and control the business.
- Data Users – Data users, including the internal and external user community, are the actual users of computerized data.
- Data Custodian – The data custodian is responsible for storing and safeguarding the data, and includes IS personnel such as systems analysts and computer operators.
CISA Question 1293
Question
Who is responsible for providing adequate physical and logical security for IS programs, data and equipment?
A. Data Owner
B. Data User
C. Data Custodian
D. Security Administrator
Answer
D. Security Administrator
Explanation
Security administrators are responsible for providing adequate physical and logical security for IS programs, data and equipment.
For the CISA exam you should know the roles in an organization (data owners, data custodians or data stewards, security administrators, and data users) as described under CISA Question 1291.
The following were incorrect answers:
- Data Owner – Data owners are generally managers and directors responsible for using information to run and control the business.
- Data Users – Data users, including the internal and external user community, are the actual users of computerized data.
- Data Custodian – The data custodian is responsible for storing and safeguarding the data, and includes IS personnel such as systems analysts and computer operators.
CISA Question 1294
Question
Who is primarily responsible for storing and safeguarding the data?
A. Data Owner
B. Data User
C. Data Steward
D. Security Administrator
Answer
C. Data Steward
Explanation
The data steward or data custodian is responsible for storing and safeguarding the data; this role includes IS personnel such as systems analysts and computer operators.
For the CISA exam you should know the roles in an organization (data owners, data custodians or data stewards, security administrators, and data users) as described under CISA Question 1291.
The following were incorrect answers:
- Data Owner – Data owners are generally managers and directors responsible for using information to run and control the business.
- Data Users – Data users, including the internal and external user community, are the actual users of computerized data.
- Security Administrator – The security administrator is responsible for providing adequate physical and logical security for IS programs, data and equipment.
CISA Question 1295
Question
Which of the following techniques is NOT used by a phreaker against a Private Branch Exchange (PBX)?
A. Eavesdropping
B. Illegal call forwarding
C. Forwarding a user to an unused or disabled number
D. SYN Flood
Answer
D. SYN Flood
Explanation
The word NOT is the keyword in the question. You need to identify the technique that a phreaker does not use to exploit a PBX.
SYN Flood – Sends a flood of TCP SYN packets with forged sender addresses, causing half-open connections that saturate the available connection capacity on the target machine. This is a TCP-level attack and is not one of the PBX techniques listed below.
For the CISA exam you should know the following techniques used by phreakers to misuse a PBX:
- Eavesdropping on a conversation without the other parties being aware of it
- Eavesdropping on a conference call
- Illegally forwarding calls from specific equipment to remote numbers
- Forwarding a user to an unused or disabled number, thereby making the user unreachable by external calls
The following were incorrect answers:
- The other options correctly describe techniques used by phreakers to misuse a PBX.
CISA Question 1296
Question
Which of the following options INCORRECTLY describes a PBX feature?
A. Voice mail – Stores messages centrally and, by using a password, allows for retrieval from inside or outside lines.
B. Tenanting – Provides for the possibility to break into a busy line to inform another user of an important message
C. Automatic Call Distribution – Allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available
D. Diagnostics – Allows for bypassing normal call restriction procedures
Answer
B. Tenanting – Provides for the possibility to break into a busy line to inform another user of an important message
Explanation
The word INCORRECTLY is the keyword in the question. You need to identify the incorrectly described PBX feature among the given options.
The Tenanting feature is incorrectly described: breaking into a busy line to deliver an important message is the Override (intrude) feature.
Tenanting limits system user access to only those users who belong to the same tenant group. This is useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc.
For your exam you should know the following PBX features and their associated risks (feature – description – risk):
- Automatic call distribution – Allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available. Risk: tapping and control of traffic.
- Call forwarding – Allows specifying an alternate number to which calls will be forwarded under certain conditions. Risk: user tracking.
- Account codes – Used to track calls made by certain people or for certain projects for appropriate billing; for dial-in system access (a user dials in from outside and gains access to the normal features of the PBX); and for changing the user's class of service so the user can access a different set of features (e.g. the override feature). Risk: fraud, user tracking, non-authorized features.
- Access codes – Keys for access to specific features by users with simple instruments, e.g. traditional analog phones. Risk: non-authorized features.
- Silent monitoring – Silently monitors other calls. Risk: eavesdropping.
- Conferencing – Allows for conversation among several users. Risk: eavesdropping, by adding unwanted/unknown parties to a conference.
- Override (intrude) – Provides for the possibility to break into a busy line to inform another user of an important message. Risk: eavesdropping.
- Auto-answer – Allows an instrument to automatically go off-hook when called; usually gives an audible or visible warning, which can easily be turned off. Risk: gaining information not normally available, for various purposes.
- Tenanting – Limits system user access to only those users who belong to the same tenant group; useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc. Risk: illegal usage, fraud, eavesdropping.
- Voice mail – Stores messages centrally and, by using a password, allows for retrieval from inside or outside lines. Risk: disclosure or destruction of all of a user's messages when that user's password is known or discovered by an intruder; disabling of the voice mail system, and even the entire switch, by lengthy messages or embedded codes; illegal access to external lines.
- Privacy release – Supports shared extensions among several devices, ensuring that only one device at a time can use an extension. Privacy release disables this protection by allowing devices to connect to an extension already in use. Risk: eavesdropping.
- No busy extension – Allows calls to an in-use extension to be added to a conference when that extension is on a conference and already off-hook. Risk: eavesdropping on a conference in progress.
- Diagnostics – Allows for bypassing normal call restriction procedures. This kind of diagnostic is sometimes available from any connected device; it is a separate feature, in addition to the normal maintenance terminal or attendant diagnostics. Risk: fraud and illegal usage.
- Camp-on or call waiting – When activated, sends a visual or audible warning to an off-hook instrument that is receiving another call. Another option of this feature is to conference with the camped-on or waiting call. Risk: making the called individual a party to a conference without knowing it.
- Dedicated connections – Connections made through the PBX without using the normal dialing sequences. They can be used to create hot-lines between devices (one rings when the other goes off-hook) and are also used for data connections between devices and the central processing facility. Risk: eavesdropping on a line.
The following were incorrect answers:
- The other options correctly describe PBX features and are thus not the right choice.
CISA Question 1297
Question
Which of the following PBX features supports shared extensions among several devices, ensuring that only one device at a time can use an extension?
A. Call forwarding
B. Privacy release
C. Tenanting
D. Voice mail
Answer
B. Privacy release
Explanation
Privacy release supports shared extensions among several devices, ensuring that only one device at a time can use an extension.
For your exam you should know the PBX features and their associated risks listed under CISA Question 1296.
The following were incorrect answers:
- Call forwarding – Allows specifying an alternate number to which calls will be forwarded under certain conditions.
- Tenanting – Limits system user access to only those users who belong to the same tenant group; useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc.
- Voice mail – Stores messages centrally and, by using a password, allows for retrieval from inside or outside lines.
CISA Question 1298
Question
Which of the following PBX features allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available?
A. Automatic Call distribution
B. Call forwarding
C. Tenanting
D. Voice mail
Answer
A. Automatic Call distribution
Explanation
Automatic call distribution allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available.
For your exam you should know the PBX features and their associated risks listed under CISA Question 1296.
The following were incorrect answers:
- Call forwarding – Allows specifying an alternate number to which calls will be forwarded under certain conditions.
- Tenanting – Limits system user access to only those users who belong to the same tenant group; useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc.
- Voice mail – Stores messages centrally and, by using a password, allows for retrieval from inside or outside lines.
CISA Question 1299
Question
Which of the following PBX features provides the possibility to break into a busy line to inform another user of an important message?
A. Account Codes
B. Access Codes
C. Override
D. Tenanting
Answer
C. Override
Explanation
The Override feature of a PBX provides for the possibility to break into a busy line to inform another user of an important message.
For the CISA exam you should know the PBX features and their associated risks listed under CISA Question 1296.
The following were incorrect answers:
- Account Codes – Used to track calls made by certain people or for certain projects for appropriate billing; for dial-in system access (a user dials in from outside and gains access to the normal features of the PBX); and for changing the user's class of service so a user can access a different set of features (e.g. the override feature).
- Access Codes – Keys for access to specific features by users with simple instruments, e.g. traditional analog phones.
- Tenanting – Limits system user access to only those users who belong to the same tenant group; useful when one company leases out part of its building to other companies and the tenants share an attendant, trunk lines, etc.
CISA Question 1300
Question
Which of the following is a sophisticated computer-based switch that can be thought of as essentially a small in-house phone company for the organization?
A. Private Branch Exchange
B. Virtual Local Area Network
C. Voice over IP
D. Dial-up connection
Answer
A. Private Branch Exchange
Explanation
A Private Branch Exchange (PBX) is a sophisticated computer-based switch that can be thought of as essentially a small in-house phone company for the organization that operates it. Protection of the PBX is thus a high priority. Failure to secure the PBX can expose the organization to toll fraud, theft of proprietary or confidential information, loss of revenue or legal entanglements.
The PBX environment involves many security risks, presented by people both internal and external to the organization. The threats to a PBX telephone system are many, depending on the goals of the attackers, and include:
- Theft of service – Toll fraud, probably the most common motive for an attacker.
- Disclosure of information – Data disclosed without authorization, either by deliberate action or by accident. Examples include eavesdropping on conversations and unauthorized access to routing and address data.
- Data modification – Data altered in some meaningful way by recording, deleting or modifying it. For example, an intruder may change billing information or modify system tables to gain additional services.
- Unauthorized access – Actions that permit an unauthorized user to gain access to system resources or privileges.
- Denial of service – Actions that prevent the system from functioning in accordance with its intended purpose. A piece of equipment or entity may be rendered inoperable or forced to operate in a degraded state; operations that depend on timeliness may be delayed.
- Traffic analysis – A form of passive attack in which an intruder observes information about calls and makes inferences, e.g. from the source and destination numbers or the frequency and length of messages. For example, an intruder who observes a high volume of calls between a company's legal department and the patent office may conclude that a patent is being filed.
The following were incorrect answers:
- Virtual Local Area Network – A virtual local area network (VLAN) is a logical group of workstations, servers and network devices that appear to be on the same LAN despite their geographical distribution. A VLAN allows a network of computers and users to communicate in a simulated environment as if they existed in a single LAN and shared a single broadcast and multicast domain. VLANs are implemented to achieve scalability, security and ease of network management, and can quickly adapt to changes in network requirements and the relocation of workstations and server nodes.
- Voice over IP – VoIP is a technology in which voice traffic is carried on top of the existing data infrastructure. Sound is digitized into IP packets and transferred through the network layer before being decoded back into the original voice.
- Dial-up connection – Dial-up refers to an Internet connection that is established using a modem. The modem connects the computer to standard phone lines, which serve as the data transfer medium. When a user initiates a dial-up connection, the modem dials the phone number of an Internet Service Provider (ISP) that is designated to receive dial-up calls. The ISP then establishes the connection, which usually takes about ten seconds and is accompanied by several beeping and buzzing sounds.