ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 3

The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A) are available free here to help you prepare for the ISACA CISA exam and earn the ISACA CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 251

Question

The implementation of access controls FIRST requires:

A. a classification of IS resources.
B. the labeling of IS resources.
C. the creation of an access control list.
D. an inventory of IS resources.

Answer

D. an inventory of IS resources.

CISA Question 252

Question

An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:

A. critical.
B. vital.
C. sensitive.
D. noncritical.

Answer

C. sensitive.

Explanation

Sensitive functions are best described as those that can be performed manually at a tolerable cost for an extended period of time. Critical functions are those that cannot be performed unless they are replaced by identical capabilities and cannot be replaced by manual methods.
Vital functions refer to those that can be performed manually but only for a brief period of time; this is associated with lower costs of disruption than critical functions. Noncritical functions may be interrupted for an extended period of time at little or no cost to the company, and require little time or cost to restore.

CISA Question 253

Question

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an EFT system?

A. Three users with the ability to capture and verify their own messages
B. Five users with the ability to capture and send their own messages
C. Five users with the ability to verify other users and to send their own messages
D. Three users with the ability to capture and verify the messages of other users and to send their own messages

Answer

A. Three users with the ability to capture and verify their own messages

Explanation

The ability of one individual to both capture and verify messages represents an inadequate segregation of duties, since messages entered by that individual can be taken as correct and treated as if they had already been independently verified.

CISA Question 254

Question

The reliability of an application system’s audit trail may be questionable if:

A. user IDs are recorded in the audit trail.
B. the security administrator has read-only rights to the audit file.
C. date and time stamps are recorded when an action occurs.
D. users can amend audit trail records when correcting system errors.

Answer

D. users can amend audit trail records when correcting system errors.

Explanation

An audit trail is not effective if the details in it can be amended.

CISA Question 255

Question

A hacker could obtain passwords without the use of computer tools or programs through the technique of:

A. social engineering.
B. sniffers.
C. back doors.
D. Trojan horses.

Answer

A. social engineering.

Explanation

Social engineering is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their own or someone else’s personal data. A sniffer is a computer tool used to monitor traffic on a network. Back doors are computer programs left behind by hackers to exploit vulnerabilities. Trojan horses are computer programs that pose as a legitimate program; their actual functionality is unauthorized and usually malicious in nature.

CISA Question 256

Question

Which of the following provides the framework for designing and developing logical access controls?

A. Information systems security policy
B. Access control lists
C. Password management
D. System configuration files

Answer

A. Information systems security policy

Explanation

The information systems security policy, developed and approved by an organization’s top management, is the basis upon which logical access control is designed and developed. Access control lists, password management and system configuration files are tools for implementing the access controls.

CISA Question 257

Question

The FIRST step in data classification is to:

A. establish ownership.
B. perform a criticality analysis.
C. define access rules.
D. create a data dictionary.

Answer

A. establish ownership.

Explanation

Data classification is necessary to define access rules on a need-to-do and need-to-know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification. The other choices are incorrect. A criticality analysis is required for the protection of data and takes its input from data classification. Access definition is completed after data classification, and the input for a data dictionary is prepared from the data classification process.

CISA Question 258

Question

With the help of a security officer, granting access to data is the responsibility of:

A. data owners.
B. programmers.
C. system analysts.
D. librarians.

Answer

A. data owners.

Explanation

Data owners are responsible for the use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration, with the owners’ approval, sets up access rules stipulating which users or groups of users are authorized to access data or files and the level of authorized access (e.g., read or update).

CISA Question 259

Question

Security administration procedures require read-only access to:

A. access control tables.
B. security log files.
C. logging options.
D. user profiles.

Answer

B. security log files.

Explanation

Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities. Security administration procedures require write access to access control tables to manage and update the privileges according to authorized business requirements. Logging options require write access to allow the administrator to update the way the transactions and user activities are monitored, captured, stored, processed and reported.

CISA Question 260

Question

Electromagnetic emissions from a terminal represent an exposure because they:

A. affect noise pollution.
B. disrupt processor functions.
C. produce dangerous levels of electric current.
D. can be detected and displayed.

Answer

D. can be detected and displayed.

Explanation

Emissions can be detected by sophisticated equipment and displayed, thus giving an unauthorized person access to data. They do not disrupt CPUs or affect noise pollution.