Skip to Content

ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 6

The latest ISACA CISA (Certified Information Systems Auditor) certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the ISACA CISA exam and earn ISACA CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 591

Question

To address the risk of operations staff’s failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk:

A. avoidance
B. transference
C. mitigation
D. acceptance

Answer

C. mitigation

Explanation

Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk. Transference is the strategy that provides for sharing risk with partners or taking insurance coverage. Acceptance is a strategy that provides for formal acknowledgement of the existence of a risk and the monitoring of that risk.

CISA Question 592

Question

Which of the following terms refers to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders?

A. ILD&P
B. ICT&P
C. ILP&C
D. ILR&D
E. None of the choices.

Answer

A. ILD&P

Explanation

Information Leakage Detection and Prevention (ILD&P) is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders. Network ILD&P are gateway-based systems installed on the organization’s internet network connection and analyze network traffic to search for unauthorized information transmissions. Host Based ILD&P systems run on end-user workstations to monitor and control access to physical devices and access information before it has been encrypted.

CISA Question 593

Question

Assessing IT risks is BEST achieved by:

A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm’s past actual loss experience to determine current exposure.
C. reviewing published loss statistics from comparable organizations.
D. reviewing IT control weaknesses identified in audit reports.

Answer

A. evaluating threats associated with existing IT assets and IT projects.

Explanation

To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk assessment process, but by themselves are not sufficient. Basing an assessment on past losses will not adequately reflect inevitable changes to the firm’s IT assets, projects, controls and strategic environment. There are also likely to be problems with the scope and quality of the loss data available to be assessed. Comparable organizations will have differences in their IT assets, control environment and strategic circumstances. Therefore, their loss experience cannot be used to directly assess organizational IT risk. Control weaknesses identified during audits will be relevant in assessing threat exposure and further analysis may be needed to assess threat probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have recently been audited, and there may not be a sufficient assessment of strategic IT risks.

CISA Question 594

Question

Which of the following does a lack of adequate security controls represent?

A. Threat
B. Asset
C. Impact
D. Vulnerability

Answer

D. Vulnerability

Explanation

The lack of adequate security controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information and lead to the loss of goodwill for the organization. A succinct definition of risk is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO), which defines risk as the ‘potential that a given threat will exploit the vulnerability of an asset or group of assets to cause loss or damage to the assets.’ The various elements of the definition are vulnerability, threat, asset and impact. Lack of adequate security functionality in this context is a vulnerability

CISA Question 595

Question

Which of the following security risks can be reduced by a properly configured network firewall?

A. Insider attacks
B. SQL injection attacks
C. Denial of service (DoS) attacks
D. Phishing attacks

Answer

C. Denial of service (DoS) attacks

CISA Question 596

Question

A database administrator should be prevented from:

A. using an emergency user ID.
B. accessing sensitive information.
C. having end user responsibilities.
D. having access to production files.

Answer

B. accessing sensitive information.

CISA Question 597

Question

Which of the following should be the PRIMARY basis for how digital evidence is handled during a forensics investigation?

A. Industry best practices
B. Regulatory requirements
C. Organizational risk culture
D. Established business practices

Answer

B. Regulatory requirements

CISA Question 598

Question

On a public-key cryptosystem when there is no previous knowledge between parties, which of the following will BEST help to prevent one person from using a fictitious key to impersonate someone else?

A. Encrypt the message containing the sender’s public key, using a private-key cryptosystem.
B. Send a certificate that can be verified by a certification authority with the public key.
C. Encrypt the message containing the sender’s public key; using the recipient’s pubic key.
D. Send the public key to the recipient prior to establishing the connection.

Answer

B. Send a certificate that can be verified by a certification authority with the public key.

CISA Question 599

Question

The PRIMARY benefit to using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

A. has a decreased risk of leakage.
B. is more effective at suppressing flames.
C. allows more time to abort release of the suppressant.
D. disperses dry chemical suppressants exclusively.

Answer

A. has a decreased risk of leakage.

CISA Question 600

Question

Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?

A. Only collect logs from servers classified as business critical.
B. Limit the use of logs to only those purposes for which they were collected.
C. Limit log collection to only periods of increased security activity.
D. Restrict the transfer of log files from host machine to online storage.

Answer

B. Limit the use of logs to only those purposes for which they were collected.

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. We need money to operate the site, and almost all of it comes from online advertising. Please support us by disabling these ads blocker.

Please disable ad blocker