Skip to Content

ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 3

The latest ISACA CISA (Certified Information Systems Auditor) certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the ISACA CISA exam and earn ISACA CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 271

Question

What is the MOST effective method of preventing unauthorized use of data files?

A. Automated file entry
B. Tape librarian
C. Access control software
D. Locked library

Answer

C. Access control software

Explanation

Access control software is an active control designed to prevent unauthorized access to data.

CISA Question 272

Question

Which of the following satisfies a two-factor user authentication?

A. Iris scanning plus fingerprint scanning
B. Terminal ID plus global positioning system (GPS)
C. A smart card requiring the user’s PIN
D. User ID along with password

Answer

C. A smart card requiring the user’s PIN

Explanation

A smart card addresses what the user has. This is generally used in conjunction with testing what the user knows, e.g., a keyboard password or personal identification number (PIN). Proving who the user is usually requires a biometrics method, such as fingerprint, iris scan or voice verification, to prove biology. This is not a two-factor user authentication, because it proves only who the user is. A global positioning system (GPS) receiver reports on where the user is. The use of an ID and password (what the user knows) is a single- factor user authentication.

CISA Question 273

Question

During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:

A. an unauthorized user may use the ID to gain access.
B. user access management is time consuming.
C. passwords are easily guessed.
D. user accountability may not be established.

Answer

D. user accountability may not be established.

Explanation

The use of a single user ID by more than one individual precludes knowing who in fact used that ID to access a system; therefore, it is literally impossible to hold anyone accountable. All user IDs, not just shared IDs, can be used by unauthorized individuals. Access management would not be any different with shared IDs, and shared user IDs do not necessarily have easily guessed passwords.

CISA Question 274

Question

Which of the following is the MOST effective control when granting temporary access to vendors?

A. Vendor access corresponds to the service level agreement (SLA).
B. User accounts are created with expiration dates and are based on services provided.
C. Administrator access is provided for a limited period.
D. User IDs are deleted when the work is completed.

Answer

B. User accounts are created with expiration dates and are based on services provided.

Explanation

The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (hopefully automated) associated with each ID. The SLA may have a provision for providing access, but this is not a control; it would merely define the need for access.
Vendors require access for a limited period during the time of service. However, it is important to ensure that the access during this period is monitored. Deleting these user, I Dafter the work is completed is necessary, but if not automated, the deletion could be overlooked.

CISA Question 275

Question

To determine who has been given permission to use a particular system resource, an IS auditor should review:

A. activity lists.
B. access control lists.
C. logon ID lists.
D. password lists.

Answer

B. access control lists.

Explanation

Access control lists are the authorization tables that document the users who have been given permission to use a particular system resource and the types of access they have been granted. The other choices would not document who has been given permission to use (access) specific system resources.

CISA Question 276

Question

The GREATEST risk when end users have access to a database at its system level, instead of through the application, is that the users can:

A. make unauthorized changes to the database directly, without an audit trail.
B. make use of a system query language (SQL) to access information.
C. remotely access the database.
D. update data without authentication.

Answer

A. make unauthorized changes to the database directly, without an audit trail.

Explanation

Having access to the database could provide access to database utilities, which can update the database without an audit trail and without using the application.
Using SQL only provides read access to information, in a networked environment, accessing the database remotely does not make a difference.
What is critical is what is possible or completed through this access. To access a database, it is necessary that a user is authenticated using a user ID.

CISA Question 277

Question

Accountability for the maintenance of appropriate security measures over information assets resides with the:

A. security administrator.
B. systems administrator.
C. data and systems owners.
D. systems operations group.

Answer

C. data and systems owners.

Explanation

Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights.
System owners typically delegate day-to-day custodianship to the systems delivery/operations group and security responsibilities to a security administrator.
Owners, however, remain accountable for the maintenance of appropriate security measures.

CISA Question 278

Question

Which of the following functions should be performed by the application owners to ensure an adequate segregation of duties between IS and end users?

A. System analysis
B. Authorization of access to data
C. Application programming
D. Data administration

Answer

B. Authorization of access to data

Explanation

The application owner is responsible for authorizing access to data. Application development and programming are functions of the IS department. Similarly, system analysis should be performed by qualified persons in IS who have knowledge of IS and user requirements. Data administration is a specialized function related to database management systems and should be performed by qualified database administrators.

CISA Question 279

Question

Which of the following is the MOST important control to help minimize the risk of data leakage from calls made to a business-to-business application programming interface (API)?

A. Providing API security awareness training to developers
B. Deploying content inspection at the API gateway
C. Implementing API server clusters
D. Implementing an API versioning system

Answer

B. Deploying content inspection at the API gateway

CISA Question 280

Question

Which of the following BEST enables system resiliency for an e-commerce organization that requires a low recovery time objective (RTO) and a low recovery point objective (RPO)?

A. Redundant arrays
B. Nightly backups
C. Remote backups
D. Mirrored sites

Answer

D. Mirrored sites

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. We need money to operate the site, and almost all of it comes from online advertising. Please support us by disabling these ads blocker.

Please disable ad blocker