The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A) are available free here, to help you prepare for the ISACA CISA exam and earn the CISA certification.
Table of Contents
- CISA Question 231
- Question
- Answer
- Explanation
- CISA Question 232
- Question
- Answer
- Explanation
- CISA Question 233
- Question
- Answer
- Explanation
- CISA Question 234
- Question
- Answer
- Explanation
- CISA Question 235
- Question
- Answer
- Explanation
- CISA Question 236
- Question
- Answer
- Explanation
- CISA Question 237
- Question
- Answer
- Explanation
- CISA Question 238
- Question
- Answer
- Explanation
- CISA Question 239
- Question
- Answer
- Explanation
- CISA Question 240
- Question
- Answer
- Explanation
CISA Question 231
Question
In an online banking application, which of the following would BEST protect against identity theft?
A. Encryption of personal password
B. Restricting the user to a specific terminal
C. Two-factor authentication
D. Periodic review of access logs
Answer
C. Two-factor authentication
Explanation
Two-factor authentication requires two independent methods for establishing identity and privileges. Factors include something you know, such as a password; something you have, such as a token; and something you are, which is biometric. Requiring two of these factors makes identity theft more difficult. A password could be guessed or broken. Restricting the user to a specific terminal is not a practical alternative for an online application. Periodic review of access logs is a detective control and does not protect against identity theft.
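The following is an added example, not part of the original page, showing what "two independent factors" means in code: a password (something you know) checked against a salted PBKDF2 hash, plus a time-based one-time code (something you have, generated by a token or authenticator app) verified with HOTP/TOTP as specified in RFC 4226 and RFC 6238. The user record, salt and password are constructed for the demo; the TOTP secret is the RFC test key, not a real credential.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values: the RFC 4226/6238 test key and a toy password
# record. Neither is a real credential.
DEMO_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, then reduce to the requested digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, candidate: str, at: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps
    (clock drift). Every candidate step is compared in constant time."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    base = at // step
    ok = False
    for c in range(base - window, base + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), candidate)
    return ok


USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse",
                                       b"constructed-salt", PBKDF2_ROUNDS),
        "totp_secret": DEMO_SECRET,
    }
}


def check_password(user: str, password: str) -> bool:
    """Factor 1 (something you know). Unknown users still pay the hashing
    cost so response time does not reveal whether the account exists."""
    rec = USERS.get(user)
    salt = rec["salt"] if rec else b"dummy-salt-for-unknown-user"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return rec is not None and hmac.compare_digest(digest, rec["pw_hash"])


def authenticate(user: str, password: str, code: str, at=None) -> bool:
    """Factor 2 (something you have) is checked as well; a stolen or guessed
    password alone is not enough to log in."""
    at = int(time.time()) if at is None else at
    rec = USERS.get(user)
    pw_ok = check_password(user, password)
    otp_ok = rec is not None and verify_totp(rec["totp_secret"], code, at)
    return pw_ok and otp_ok
```

Both checks are always evaluated, so a failed login takes the same time whether the password or the code was wrong. The verification window of one step either side is the usual trade-off between clock drift on the token and the time a captured code stays usable.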
CISA Question 232
Question
After reviewing its business processes, a large organization is deploying a new web application based on a VoIP technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application?
A. Fine-grained access control
B. Role-based access control (RBAC)
C. Access control lists
D. Network/service access control
Answer
B. Role-based access control (RBAC)
Explanation
Authorization for this VoIP web application is best addressed with role-based access control (RBAC). RBAC is easy to manage and enforces strong, efficient access controls in large-scale web environments, including VoIP implementations. Access control lists and fine-grained access control do not scale to enterprise-wide systems, because they are built on individual user identities and their specific technical privileges and must be maintained user by user. Network/service access control addresses VoIP availability but does not address application-level access or authorization.
CISA Question 233
Question
Which of the following would prevent unauthorized changes to information stored in a server’s log?
A. Write-protecting the directory containing the system log
B. Writing a duplicate log to another server
C. Daily printing of the system log
D. Storing the system log in write-once media
Answer
D. Storing the system log in write-once media
Explanation
Storing the system log on write-once media ensures the log cannot be modified after it is written. Write-protecting the log directory does not prevent deletion or modification, since the superuser or users with special permissions can override the write protection. Writing a duplicate log to another server or printing the log daily may help detect or recover from tampering but cannot prevent unauthorized changes.
CISA Question 234
Question
Inadequate programming and coding practices introduce the risk of:
A. phishing.
B. buffer overflow exploitation.
C. SYN flood.
D. brute force attacks.
Answer
B. buffer overflow exploitation.
Explanation
Buffer overflow exploitation may occur when a program does not check the length of the data that is input to it. An attacker can send data that exceed the length of a buffer and overwrite adjacent memory, including part of the program, with malicious code. The countermeasure is proper programming and good coding practices, such as bounds checking on every input. Phishing, SYN floods and brute force attacks occur independently of the application's programming and coding practices.
CISA Question 235
Question
The logical exposure associated with the use of a checkpoint restart procedure is:
A. denial of service.
B. an asynchronous attack
C. wire tapping.
D. computer shutdown.
Answer
B. an asynchronous attack
Explanation
Asynchronous attacks are operating system-based attacks. A checkpoint restart is a feature that stops a program at specified intermediate points for later restart in an orderly manner without losing data at the checkpoint. The operating system saves a copy of the computer programs and data in their current state as well as several system parameters describing the mode and security level of the program at the time of stoppage. An asynchronous attack occurs when an individual with access to this information is able to gain access to the checkpoint restart copy of the system parameters and change those parameters such that upon restart the program would function at a higher-priority security level.
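The following is an added example, not part of the original page, that models the attack described above on a hypothetical checkpoint format (not any real operating system's). The saved parameters include a security level; the unchecked restart trusts whatever the file says, so editing the file between stop and restart elevates the program. The hardened restart verifies an HMAC over the saved parameters first. The example assumes the HMAC key is held where checkpoint writers cannot reach it, for instance a root-only key file or a KMS; the key, state and level values are constructed for the demo.

```python
import hashlib
import hmac
import json

# Hypothetical checkpoint format used only for this illustration. Assumed:
# CHECKPOINT_KEY lives outside the checkpoint store, so whoever can edit a
# saved checkpoint cannot recompute a valid tag for it.
CHECKPOINT_KEY = b"constructed-demo-key"


def _canonical(params: dict) -> str:
    """Deterministic encoding so the HMAC covers exactly one byte string."""
    return json.dumps(params, sort_keys=True, separators=(",", ":"))


def write_checkpoint(state: dict, security_level: int,
                     key: bytes = CHECKPOINT_KEY) -> bytes:
    """Save program state plus the parameters the restart will trust,
    with an HMAC-SHA256 tag over the canonical encoding."""
    body = _canonical({"state": state, "security_level": security_level})
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def tamper_security_level(blob: bytes, new_level: int) -> bytes:
    """What the asynchronous attack does: between stop and restart, edit the
    saved security level. Without the key the attacker cannot fix the tag."""
    outer = json.loads(blob)
    params = json.loads(outer["body"])
    params["security_level"] = new_level
    outer["body"] = _canonical(params)
    return json.dumps(outer).encode()


def checkpoint_is_authentic(blob: bytes, key: bytes = CHECKPOINT_KEY) -> bool:
    """Recompute the tag and compare in constant time."""
    outer = json.loads(blob)
    expected = hmac.new(key, outer["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, outer["tag"])


def restore_unchecked(blob: bytes) -> dict:
    """Vulnerable restart: runs at whatever security level the file claims."""
    return json.loads(json.loads(blob)["body"])


def restore_checked(blob: bytes, key: bytes = CHECKPOINT_KEY) -> dict:
    """Hardened restart: refuses a checkpoint whose parameters were altered."""
    if not checkpoint_is_authentic(blob, key):
        raise ValueError("checkpoint integrity check failed; refusing to restart")
    return json.loads(json.loads(blob)["body"])
```

A stronger design keeps the security level out of the writable checkpoint altogether and re-derives it from the restarting principal; the tag is for the parameters that genuinely have to be persisted.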
CISA Question 236
Question
An organization has recently been downsized. In light of this, an IS auditor decides to test logical access controls. The IS auditor's PRIMARY concern should be that:
A. all system access is authorized and appropriate for an individual’s role and responsibilities.
B. management has authorized appropriate access for all newly-hired individuals.
C. only the system administrator has authority to grant or modify access to individuals.
D. access authorization forms are used to grant or modify access to individuals.
Answer
A. all system access is authorized and appropriate for an individual’s role and responsibilities.
Explanation
The downsizing of an organization implies a large number of personnel actions over a relatively short period of time. Employees can be assigned new duties while retaining some or all of their former duties. Numerous employees may be laid off. The auditor should be concerned that an appropriate segregation of duties is maintained, that access is limited to what is required for an employee’s role and responsibilities, and that access is revoked for those that are no longer employed by the organization. Choices B, C and D are all potential concerns of an IS auditor, but in light of the particular risks associated with a downsizing, should not be the primary concern.
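As an added example, not part of the original page, here is the kind of reconciliation an IS auditor would run to test the three concerns named above: accounts still enabled after termination, entitlements beyond what the person's current role needs, and segregation-of-duties conflicts created when duties were combined. The roster, role definitions, toxic combination and account extract are all constructed sample data.

```python
# Constructed sample data: an HR roster after a downsizing, the entitlements
# each role is supposed to carry, one toxic combination of duties, and the
# accounts actually found on the system. Names and entitlements are made up.
ROSTER = {
    "alice": {"status": "active", "role": "ap_clerk"},
    "bob":   {"status": "terminated", "role": "ap_clerk"},
    "carol": {"status": "active", "role": "ap_manager"},
}
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"enter_invoice", "create_vendor"},
    "ap_manager": {"approve_payment", "view_reports"},
}
# Holding any entitlement on the left together with any on the right is a
# segregation-of-duties conflict.
SOD_CONFLICTS = [({"create_vendor"}, {"approve_payment"})]
ACCOUNTS = [
    # alice absorbed a manager's duties but kept her clerk access
    {"user": "alice", "enabled": True,
     "entitlements": {"enter_invoice", "create_vendor", "approve_payment"}},
    # bob was laid off but his account was never disabled
    {"user": "bob", "enabled": True, "entitlements": {"enter_invoice"}},
    {"user": "carol", "enabled": True,
     "entitlements": {"approve_payment", "view_reports"}},
    # dave has no HR record at all
    {"user": "dave", "enabled": True, "entitlements": {"view_reports"}},
]


def audit_access(roster, role_entitlements, accounts, sod_conflicts):
    """Return (user, finding) pairs for access that is not authorized and
    appropriate for the person's current role and employment status."""
    findings = []
    for acct in accounts:
        user, ents = acct["user"], acct["entitlements"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "enabled account with no matching HR record"))
            continue
        if person["status"] != "active" and acct["enabled"]:
            findings.append((user, "account still enabled after termination"))
        excess = ents - role_entitlements.get(person["role"], set())
        if excess:
            findings.append((user, f"entitlements beyond role "
                                   f"{person['role']}: {sorted(excess)}"))
        for left, right in sod_conflicts:
            if ents & left and ents & right:
                findings.append((user, f"segregation-of-duties conflict: "
                                       f"{sorted(ents & left)} with {sorted(ents & right)}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_access(ROSTER, ROLE_ENTITLEMENTS, ACCOUNTS, SOD_CONFLICTS):
        print(f"{user}: {finding}")
```

In practice the roster comes from HR and the account extract from the system's own administration reports; the value of the test is in comparing two sources that are maintained by different people.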
CISA Question 237
Question
From a control perspective, the PRIMARY objective of classifying information assets is to:
A. establish guidelines for the level of access controls that should be assigned.
B. ensure access controls are assigned to all information assets.
C. assist management and auditors in risk assessment.
D. identify which assets need to be insured against losses.
Answer
A. establish guidelines for the level of access controls that should be assigned.
Explanation
Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset.
CISA Question 238
Question
An IS auditor examining a biometric user authentication system establishes the existence of a control weakness that would allow an unauthorized individual to update the centralized database on the server that is used to store biometric templates. Of the following, which is the BEST control against this risk?
A. Kerberos
B. Vitality detection
C. Multimodal biometrics
D. Before-image/after-image logging
Answer
A. Kerberos
Explanation
Kerberos is a network authentication protocol for client-server applications that can be used to restrict access to the template database to authenticated, authorized users. Choices B and C are incorrect because vitality (liveness) detection and multimodal biometrics are controls against spoofing and mimicry attacks at the sensor, not against unauthorized updates to the stored templates. Before-image/after-image logging of database transactions is a detective control, as opposed to Kerberos, which is a preventive control.
CISA Question 239
Question
For a discretionary access control to be effective, it must:
A. operate within the context of mandatory access controls.
B. operate independently of mandatory access controls.
C. enable users to override mandatory access controls when necessary.
D. be specifically permitted by the security policy.
Answer
A. operate within the context of mandatory access controls.
Explanation
Mandatory access controls are prohibitive: anything that is not expressly permitted is forbidden. Discretionary controls operate only within this context, and can only prohibit still more access on the same exclusionary principle; they cannot grant what the mandatory policy denies. When systems enforce mandatory access control policies, they must distinguish these from the discretionary access policies, which offer more flexibility.
Discretionary controls do not override mandatory access controls, and they do not have to be specifically permitted in the security policy to be effective.
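The relationship described above, as an added example that is not part of the original page: a mandatory layer (Bell-LaPadula's "no read up, no write down" over a three-level lattice) and a discretionary layer (owner-managed ACLs), combined so that an owner's grant can add a DAC entry but never widen what the mandatory layer allows. The levels, subjects, clearances and objects are constructed for the demo.

```python
# Constructed example: a three-level lattice, two subjects with clearances,
# and two objects with labels and owner-managed ACLs. Names are made up.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}
CLEARANCE = {"ann": "secret", "ben": "confidential"}
OBJECTS = {
    "plan.txt": {"label": "secret", "owner": "ann",
                 "acl": {"ann": {"read", "write"}}},
    "memo.txt": {"label": "confidential", "owner": "ben",
                 "acl": {"ben": {"read", "write"}}},
}


def mac_permits(subject, obj, mode):
    """Mandatory layer (Bell-LaPadula): no read up, no write down.
    Nobody, not even the object's owner, can change this outcome."""
    s, o = LEVELS[CLEARANCE[subject]], LEVELS[OBJECTS[obj]["label"]]
    if mode == "read":
        return s >= o          # simple security property
    if mode == "write":
        return s <= o          # *-property
    raise ValueError(f"unknown mode {mode}")


def dac_permits(subject, obj, mode):
    """Discretionary layer: the owner's ACL for the object."""
    return mode in OBJECTS[obj]["acl"].get(subject, set())


def grant(owner, obj, grantee, mode):
    """DAC lets an owner share an object, but this only adds an ACL entry;
    it cannot widen what the mandatory layer allows."""
    if OBJECTS[obj]["owner"] != owner:
        raise PermissionError(f"{owner} does not own {obj}")
    OBJECTS[obj]["acl"].setdefault(grantee, set()).add(mode)


def access(subject, obj, mode):
    """Effective decision: both layers must permit, so DAC can only subtract."""
    return mac_permits(subject, obj, mode) and dac_permits(subject, obj, mode)
```

Running the checks in order shows the point of the question: after `grant("ann", "plan.txt", "ben", "read")` the DAC layer permits ben, but `access("ben", "plan.txt", "read")` stays false because ben's clearance is below the object's label.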
CISA Question 240
Question
Which of the following BEST restricts users to those functions needed to perform their duties?
A. Application level access control
B. Data encryption
C. Disabling floppy disk drives
D. Network monitoring device
Answer
A. Application level access control
Explanation
The use of application-level access control programs restricts access by limiting users to only those functions needed to perform their duties. Data encryption and disabling floppy disk drives constrain what users can do in narrower ways (which data they can read, which media they can use) but do not restrict them to the functions of their job, so they are not the best choices. A network monitoring device is a detective control, not a preventive control.
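As an added example that is not part of the original page, and that serves both Question 232 (RBAC as the manageable model for a large VoIP web application) and Question 240 (application-level control restricting users to the functions of their duties), here is a small role-based authorization layer: permissions attach to roles, users hold roles, and each application function is guarded by the permission it needs. Onboarding, transfers and terminations become role changes instead of per-user ACL edits. The roles, permission names, users and functions are constructed for a hypothetical call-centre application.

```python
import functools


class AccessDenied(PermissionError):
    pass


# Constructed role model for a hypothetical VoIP/call-centre web application.
# Roles, permission names and users are made up for this illustration.
ROLE_PERMISSIONS = {
    "agent":      {"call:place", "call:answer", "voicemail:read"},
    "supervisor": {"call:place", "call:answer", "voicemail:read",
                   "call:monitor", "report:view"},
    "pbx_admin":  {"extension:create", "extension:delete", "report:view"},
}
USER_ROLES = {"alice": {"agent"}, "bob": {"supervisor"}, "carol": {"pbx_admin"}}


def permissions_of(user):
    """Effective permissions come only through roles; there are no per-user grants."""
    roles = USER_ROLES.get(user, set())
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def is_allowed(user, permission):
    return permission in permissions_of(user)


def requires(permission):
    """Application-level check on each function: a caller reaches only the
    functions its role needs, whatever the network or database would allow."""
    def decorate(fn):
        @functools.wraps(fn)
        def guarded(user, *args, **kwargs):
            if not is_allowed(user, permission):
                raise AccessDenied(f"{user} lacks {permission} needed for {fn.__name__}")
            return fn(user, *args, **kwargs)
        return guarded
    return decorate


@requires("call:place")
def place_call(user, extension):
    return f"{user} placed a call to {extension}"


@requires("call:monitor")
def monitor_call(user, extension):
    return f"{user} is monitoring {extension}"


@requires("extension:delete")
def delete_extension(user, extension):
    return f"{extension} deleted by {user}"


def assign_role(user, role):
    """A transfer or promotion is a role change, not an ACL edit per function."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role}")
    USER_ROLES[user] = {role}


def revoke_all(user):
    """Termination: removing the user's roles removes every function at once."""
    USER_ROLES.pop(user, None)


def attempt(fn, user, *args):
    """Run a guarded function and report (allowed, result) instead of raising."""
    try:
        return True, fn(user, *args)
    except AccessDenied as exc:
        return False, str(exc)
```

The administrative cost is what the question is getting at: adding a thousand agents means a thousand role assignments against one permission set, whereas ACLs or fine-grained per-user rules mean a thousand entries on every guarded function.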