ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 3

The latest ISACA CISA (Certified Information Systems Auditor) practice exam questions and answers (Q&A) are available free of charge to help you pass the ISACA CISA exam and earn the CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 221

Question

An organization is using an enterprise resource planning (ERP) application. Which of the following would be an effective access control?

A. User-level permissions
B. Role-based
C. Fine-grained
D. Discretionary

Answer

B. Role-based

Explanation

Role-based access control restricts system access by defining roles for groups of users. Users are assigned to the various roles, and access is granted based on the user's role. User-level permissions for an ERP system would create a larger administrative overhead. Fine-grained access control is very difficult to implement and maintain in the context of a large enterprise. Discretionary access control may be configured or modified by the users or data owners, and therefore may create inconsistencies in access control management.

CISA Question 222

Question

A technical lead who was working on a major project has left the organization. The project manager reports suspicious system activities on one of the servers that is accessible to the whole team. What would be of GREATEST concern if discovered during a forensic investigation?

A. Audit logs are not enabled for the system
B. A logon ID for the technical lead still exists
C. Spyware is installed on the system
D. A Trojan is installed on the system

Answer

A. Audit logs are not enabled for the system

Explanation

Audit logs are critical to the investigation of the event; if they are not enabled, misuse of the technical lead's logon ID (or of the guest account) cannot be established. The logon ID of the technical lead should have been deleted as soon as the employee left the organization, but without audit logs, misuse of the ID is difficult to prove. Spyware installed on the system is a concern, but it could have been installed by any user and, again, without logs, discovering who installed it is difficult. A Trojan installed on the system is likewise a concern, but it could have been installed by any user because the server is accessible to the whole team, and without logs the investigation would be difficult.

CISA Question 223

Question

Which of the following is the BEST practice to ensure that access authorizations are still valid?

A. Information owner provides authorization for users to gain access
B. Identity management is integrated with human resource processes
C. Information owners periodically review the access controls
D. An authorization matrix is used to establish validity of access

Answer

B. Identity management is integrated with human resource processes

Explanation

Personnel and departmental changes can result in authorization creep and can impact the effectiveness of access controls. Often, when personnel leave an organization, or employees are promoted, transferred or demoted, their system access is not fully removed, which increases the risk of unauthorized access. The best practice for ensuring that access authorizations are still valid is to integrate identity management with human resources processes. When an employee transfers to a different function, access rights are adjusted at the same time.

CISA Question 224

Question

A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization’s data?

A. Introduce a secondary authentication method such as card swipe
B. Apply role-based permissions within the application system
C. Have users input the ID and password for each database transaction
D. Set an expiration period for the database password embedded in the program

Answer

B. Apply role-based permissions within the application system

Explanation

When a single ID and password are embedded in a program, the best compensating control would be sound access control at the application layer, with procedures to ensure that access to data is granted based on a user's role. The issue is user permissions, not authentication; therefore, adding stronger authentication does not improve the situation. Having users input the ID and password for each access would provide a better control, because the database log would then identify the initiator of the activity. However, this may not be efficient because each transaction would require a separate authentication process. It is good practice to set an expiration date for a password; however, this might not be practical for an ID that the program logs in automatically. Often, this type of password is set not to expire.

CISA Question 225

Question

When using a universal serial bus (USB) flash drive to transport confidential corporate data to an offsite location, an effective control would be to:

A. carry the flash drive in a portable safe.
B. assure management that you will not lose the flash drive.
C. request that management deliver the flash drive by courier.
D. encrypt the folder containing the data with a strong key.

Answer

D. encrypt the folder containing the data with a strong key.

Explanation

Encryption, with a strong key, is the most secure method for protecting the information on the flash drive. Carrying the flash drive in a portable safe does not guarantee the safety of the information in the event that the safe is stolen or lost. No matter what measures you take, the chance of losing the flash drive still exists. It is possible that a courier might lose the flash drive or that it might be stolen.

CISA Question 226

Question

An IS auditor finds that a DBA has read and write access to production data. The IS auditor should:

A. accept the DBA access as a common practice.
B. assess the controls relevant to the DBA function.
C. recommend the immediate revocation of the DBA access to production data.
D. review user access authorizations approved by the DBA.

Answer

B. assess the controls relevant to the DBA function.

Explanation

When a potential exposure is found, it is good practice to look for the controls that address it. Though granting the database administrator (DBA) access to production data might be a common practice, the IS auditor should evaluate the relevant controls. The DBA should have access on a need-to-know and need-to-do basis; therefore, immediate revocation may remove access that is actually required. The DBA typically needs access to some production data. Granting user authorizations is the responsibility of the data owner, not the DBA.

CISA Question 227

Question

Minimum password length and password complexity verification are examples of:

A. detection controls.
B. control objectives.
C. audit objectives.
D. control procedures.

Answer

D. control procedures.

Explanation

Control procedures are practices established by management to achieve specific control objectives. Password controls are preventive controls, not detective controls. Control objectives are declarations of the expected results from implementing controls, and audit objectives are the specific goals of an audit.

CISA Question 228

Question

During an audit of the logical access control of an ERP financial system, an IS auditor found some user accounts shared by multiple individuals. The user IDs were based on roles rather than individual identities. These accounts allow access to financial transactions on the ERP. What should the IS auditor do next?

A. Look for compensating controls.
B. Review financial transactions logs.
C. Review the scope of the audit.
D. Ask the administrator to disable these accounts.

Answer

A. Look for compensating controls.

Explanation

The best logical access control practice is to create a user ID for each individual to establish accountability. This is possible only by establishing a one-to-one relationship between IDs and individuals. However, if the user IDs are created based on role designations, an IS auditor should first understand the reasons and then evaluate the effectiveness and efficiency of compensating controls. Reviewing transaction logs is not relevant to an audit of logical access control, nor is reviewing the scope of the audit. Asking the administrator to disable the shared accounts should not be recommended by an IS auditor before understanding the reasons and evaluating the compensating controls. It is not an IS auditor's responsibility to ask for accounts to be disabled during an audit.

CISA Question 229

Question

The responsibility for authorizing access to application data should be with the:

A. data custodian.
B. database administrator (DBA).
C. data owner.
D. security administrator.

Answer

C. data owner.

Explanation

Data owners should have the authority and responsibility for granting access to the data and applications for which they are responsible. Data custodians are responsible only for storing and safeguarding the data. The database administrator (DBA) is responsible for managing the database and the security administrator is responsible for implementing and maintaining IS security. The ultimate responsibility for data resides with the data owner.

CISA Question 230

Question

Which of the following is the BEST method for preventing the leakage of confidential information in a laptop computer?

A. Encrypt the hard disk with the owner’s public key.
B. Enable the boot password (hardware-based password).
C. Use a biometric authentication device.
D. Use two-factor authentication to logon to the notebook.

Answer

A. Encrypt the hard disk with the owner’s public key.

Explanation

Only encryption of the data with a secure key will prevent the loss of confidential information. In such a case, confidential information can be accessed only with knowledge of the owner’s private key, which should never be shared. Choices B, C and D deal with authentication and not with confidentiality of information. An individual can remove the hard drive from the secured laptop and install it on an unsecured computer, gaining access to the data.