The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam question and answer (Q&A) dumps are available free and are intended to help you pass the ISACA CISA exam and earn the ISACA CISA certification.
CISA Question 271
Question
What is the MOST effective method of preventing unauthorized use of data files?
A. Automated file entry
B. Tape librarian
C. Access control software
D. Locked library
Answer
C. Access control software
Explanation
Access control software is an active control designed to prevent unauthorized access to data.
CISA Question 272
Question
Which of the following satisfies a two-factor user authentication?
A. Iris scanning plus fingerprint scanning
B. Terminal ID plus global positioning system (GPS)
C. A smart card requiring the user’s PIN
D. User ID along with password
Answer
C. A smart card requiring the user’s PIN
Explanation
A smart card addresses what the user has. It is generally used in conjunction with testing what the user knows, e.g., a keyboard password or personal identification number (PIN). Proving who the user is usually requires a biometric method, such as a fingerprint, iris scan or voice verification. Iris scanning plus fingerprint scanning is not two-factor user authentication, because both prove only who the user is. A global positioning system (GPS) receiver reports on where the user is. The use of an ID and password (what the user knows) is single-factor user authentication.
CISA Question 273
Question
During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:
A. an unauthorized user may use the ID to gain access.
B. user access management is time consuming.
C. passwords are easily guessed.
D. user accountability may not be established.
Answer
D. user accountability may not be established.
Explanation
The use of a single user ID by more than one individual precludes knowing who in fact used that ID to access a system; therefore, it is literally impossible to hold anyone accountable. All user IDs, not just shared IDs, can be used by unauthorized individuals. Access management would not be any different with shared IDs, and shared user IDs do not necessarily have easily guessed passwords.
CISA Question 274
Question
Which of the following is the MOST effective control when granting temporary access to vendors?
A. Vendor access corresponds to the service level agreement (SLA).
B. User accounts are created with expiration dates and are based on services provided.
C. Administrator access is provided for a limited period.
D. User IDs are deleted when the work is completed.
Answer
B. User accounts are created with expiration dates and are based on services provided.
Explanation
The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (hopefully automated) associated with each ID. The SLA may have a provision for providing access, but this is not a control; it would merely define the need for access.
Vendors require access for a limited period during the time of service. However, it is important to ensure that the access during this period is monitored. Deleting these user IDs after the work is completed is necessary, but if not automated, the deletion could be overlooked.
CISA Question 275
Question
To determine who has been given permission to use a particular system resource, an IS auditor should review:
A. activity lists.
B. access control lists.
C. logon ID lists.
D. password lists.
Answer
B. access control lists.
Explanation
Access control lists are the authorization tables that document the users who have been given permission to use a particular system resource and the types of access they have been granted. The other choices would not document who has been given permission to use (access) specific system resources.
CISA Question 276
Question
The GREATEST risk when end users have access to a database at its system level, instead of through the application, is that the users can:
A. make unauthorized changes to the database directly, without an audit trail.
B. make use of a system query language (SQL) to access information.
C. remotely access the database.
D. update data without authentication.
Answer
A. make unauthorized changes to the database directly, without an audit trail.
Explanation
Having access to the database could provide access to database utilities, which can update the database without an audit trail and without using the application.
Using SQL only provides read access to information. In a networked environment, accessing the database remotely does not make a difference.
What is critical is what is possible or completed through this access. To access a database, a user must be authenticated using a user ID.
CISA Question 277
Question
Accountability for the maintenance of appropriate security measures over information assets resides with the:
A. security administrator.
B. systems administrator.
C. data and systems owners.
D. systems operations group.
Answer
C. data and systems owners.
Explanation
Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights.
System owners typically delegate day-to-day custodianship to the systems delivery/operations group and security responsibilities to a security administrator.
Owners, however, remain accountable for the maintenance of appropriate security measures.
CISA Question 278
Question
Which of the following functions should be performed by the application owners to ensure an adequate segregation of duties between IS and end users?
A. System analysis
B. Authorization of access to data
C. Application programming
D. Data administration
Answer
B. Authorization of access to data
Explanation
The application owner is responsible for authorizing access to data. Application development and programming are functions of the IS department. Similarly, system analysis should be performed by qualified persons in IS who have knowledge of IS and user requirements. Data administration is a specialized function related to database management systems and should be performed by qualified database administrators.
CISA Question 279
Question
Which of the following is the MOST important control to help minimize the risk of data leakage from calls made to a business-to-business application programming interface (API)?
A. Providing API security awareness training to developers
B. Deploying content inspection at the API gateway
C. Implementing API server clusters
D. Implementing an API versioning system
Answer
B. Deploying content inspection at the API gateway
CISA Question 280
Question
Which of the following BEST enables system resiliency for an e-commerce organization that requires a low recovery time objective (RTO) and a low recovery point objective (RPO)?
A. Redundant arrays
B. Nightly backups
C. Remote backups
D. Mirrored sites
Answer
D. Mirrored sites