
ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 3

The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A) are available free and are intended to help you pass the ISACA CISA exam and earn the ISACA CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 241

Question

Which of the following is a general operating system access control function?

A. Creating database profiles
B. Verifying user authorization at a field level
C. Creating individual accountability
D. Logging database access activities for monitoring access violation

Answer

C. Creating individual accountability

Explanation

Creating individual accountability is a general operating system access control function. Creating database profiles, verifying user authorization at a field level and logging database access activities for monitoring access violations are all database-level access control functions.

CISA Question 242

Question

Which of the following presents an inherent risk with no distinct identifiable preventive controls?

A. Piggybacking
B. Viruses
C. Data diddling
D. Unauthorized application shutdown

Answer

C. Data diddling

Explanation

Data diddling involves changing data before they are entered into the computer. It is one of the most common abuses, because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling.

Piggybacking is the act of following an authorized person through a secured door and can be prevented by the use of deadman doors. Logical piggybacking is an attempt to gain access through someone who has the rights, e.g., electronically attaching to an authorized telecommunication link to possibly intercept transmissions. This could be prevented by encrypting the message.

Viruses are malicious program code inserted into other executable code that can self-replicate and spread from computer to computer via sharing of computer diskettes, transfer of logic over telecommunication lines or direct contact with an infected machine. Antiviral software can be used to protect the computer against viruses.

The shutdown of an application can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up line) to the computer. Only individuals knowing the high-level logon ID and password can initiate the shutdown process, so this control is effective if there are proper access controls.

CISA Question 243

Question

The information security policy that states ‘each individual must have their badge read at every controlled door’ addresses which of the following attack methods?

A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation

Answer

A. Piggybacking

Explanation

Piggybacking refers to unauthorized persons following authorized persons, either physically or virtually, into restricted areas. This policy addresses the polite-behavior problem of holding doors open for a stranger: if every employee must have their badge read at every controlled door, no unauthorized person could enter the sensitive area. Looking over the shoulder of a user to obtain sensitive information could be done by an unauthorized person who has gained access to areas using piggybacking, but this policy specifically refers to physical access control; shoulder surfing would not be prevented by the implementation of this policy.

Dumpster diving, looking through an organization’s trash for valuable information, could be done outside the company’s physical perimeter; therefore, this policy would not address this attack method. Impersonation refers to a social engineer acting as an employee, trying to retrieve the desired information. Some forms of social engineering attack could combine impersonation with piggybacking, but this information security policy does not address the impersonation attack.

CISA Question 244

Question

An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies?

A. Digitalized signatures
B. Hashing
C. Parsing
D. Steganography

Answer

D. Steganography

Explanation

Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographic technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture’s or music’s perceivable aesthetic qualities. Digitalized signatures are not related to digital rights management. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing.

CISA Question 245

Question

An IS auditor has identified the lack of an authorization process for users of an application. The IS auditor’s main concern should be that:

A. more than one individual can claim to be a specific user.
B. there is no way to limit the functions assigned to users.
C. user accounts can be shared.
D. users have a need-to-know privilege.

Answer

B. there is no way to limit the functions assigned to users.

Explanation

Without an appropriate authorization process, it will be impossible to establish functional limits and accountability. The risk that more than one individual can claim to be a specific user is associated with the authentication processes, rather than with authorization. The risk that user accounts can be shared is associated with identification processes, rather than with authorization. The need-to-know basis is the best approach to assigning privileges during the authorization process.

CISA Question 246

Question

To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that:

A. the company policy be changed.
B. passwords are periodically changed.
C. an automated password management tool be used.
D. security awareness training is delivered.

Answer

C. an automated password management tool be used.

Explanation

The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also provide a method for ensuring frequent changes and would prevent the same user from reusing their old password for a designated period of time. Choices A, B and D do not enforce compliance.
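The explanation above attributes three controls to an automated password management tool: enforcement of syntactic rules (letters and numbers), rejection of recently reused passwords, and forced periodic change. The following Python is an added example written for this page, not code from the original page or from any particular product; the policy values (minimum length, history depth, maximum age), the fixed salt and the sample passwords are constructed for illustration, and the history is kept as salted hashes so the tool never stores old passwords in clear text.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Policy parameters: constructed values for this example, not from the page.
MIN_LENGTH = 8
HISTORY_DEPTH = 5             # the last N password hashes a user may not reuse
MAX_AGE = timedelta(days=90)  # forces a periodic change


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted hash so the history never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def syntax_violations(password: str) -> list:
    """Syntactic rules: minimum length, at least one letter and one digit."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


def reuses_recent(password: str, salt: bytes, history: list) -> bool:
    """Semantic rule: reject a password that repeats one of the last N."""
    return hash_password(password, salt) in history[-HISTORY_DEPTH:]


def is_expired(last_changed: datetime, now: datetime) -> bool:
    """Periodic-change rule: the password must be replaced after MAX_AGE."""
    return now - last_changed > MAX_AGE


def evaluate_change(password: str, salt: bytes, history: list):
    """Return (accepted, reasons) for a proposed new password."""
    reasons = syntax_violations(password)
    if reuses_recent(password, salt, history):
        reasons.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return (not reasons, reasons)


def demo() -> dict:
    """Run the policy over constructed sample input and report each decision."""
    salt = b"example-salt"  # constructed; a real tool uses a random per-user salt
    history = [hash_password(p, salt) for p in ["Summer2023x", "Winter2024y"]]
    now = datetime(2024, 6, 1)
    return {
        "letters only": evaluate_change("onlyletters", salt, history)[0],
        "digits only": evaluate_change("12345678", salt, history)[0],
        "reused": evaluate_change("Summer2023x", salt, history)[0],
        "good": evaluate_change("Autumn2024z", salt, history)[0],
        "expired": is_expired(now - timedelta(days=120), now),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The design point is that every rule is applied by the tool at the moment of change, which is what makes it a preventive control: a policy document or training (choices A, B and D) can describe the same rules but cannot stop a non-compliant password from being set.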

CISA Question 247

Question

An information security policy stating that ‘the display of passwords must be masked or suppressed’ addresses which of the following attack methods?

A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation

Answer

C. Shoulder surfing

Explanation

If a password is displayed on a monitor, any person nearby could look over the shoulder of the user to obtain the password. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas; masking the display of passwords would not prevent someone from tailgating an authorized person. This policy only refers to ‘the display of passwords.’ If the policy referred to ‘the display and printing of passwords’ then it would address both shoulder surfing and dumpster diving (looking through an organization’s trash for valuable information). Impersonation refers to someone acting as an employee in an attempt to retrieve desired information, which this policy does not address.

CISA Question 248

Question

Which of the following would MOST effectively reduce social engineering incidents?

A. Security awareness training
B. Increased physical security measures
C. E-mail monitoring policy
D. Intrusion detection systems

Answer

A. Security awareness training

Explanation

Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents. In most cases, social engineering incidents do not require the physical presence of the intruder; therefore, increased physical security measures would not prevent the intrusion. An e-mail monitoring policy informs users that all e-mail in the organization is subject to monitoring; it does not protect the users from potential security incidents and intruders. Intrusion detection systems are used to detect irregular or abnormal traffic patterns.

CISA Question 249

Question

Which of the following would be the BEST access control procedure?

A. The data owner formally authorizes access and an administrator implements the user authorization tables.
B. Authorized staff implements the user authorization tables and the data owner sanctions them.
C. The data owner and an IS manager jointly create and update the user authorization tables.
D. The data owner creates and updates the user authorization tables.

Answer

A. The data owner formally authorizes access and an administrator implements the user authorization tables.

Explanation

The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables. Choice B alters the desirable order. Choice C is not a formal procedure for authorizing access.

CISA Question 250

Question

Which of the following is an example of the defense-in-depth security principle?

A. Using two firewalls of different vendors to consecutively check the incoming network traffic
B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic
C. Having no physical signs on the outside of a computer center building
D. Using two firewalls in parallel to check different types of incoming traffic

Answer

B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic

Explanation

Defense-in-depth means using different security mechanisms that back each other up. When network traffic that should have been blocked passes the firewall, the logical access controls on the hosts form a second line of defense. Using two firewalls of different vendors to consecutively check the incoming network traffic is an example of diversity in defense: the firewalls are the same kind of security mechanism, and by using two different products the probability of both having the same vulnerabilities is diminished. Having no physical signs on the outside of a computer center building is a single security measure. Using two firewalls in parallel to check different types of incoming traffic is a single security mechanism and therefore no different from having a single firewall checking all traffic.