The latest ISACA CISA (Certified Information Systems Auditor) certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the ISACA CISA exam and earn ISACA CISA certification.
Table of Contents
- CISA Question 581
- Question
- Answer
- Explanation
- CISA Question 582
- Question
- Answer
- Explanation
- CISA Question 583
- Question
- Answer
- Explanation
- CISA Question 584
- Question
- Answer
- Explanation
- CISA Question 585
- Question
- Answer
- Explanation
- CISA Question 586
- Question
- Answer
- Explanation
- CISA Question 587
- Question
- Answer
- Explanation
- CISA Question 588
- Question
- Answer
- Explanation
- CISA Question 589
- Question
- Answer
- Explanation
- CISA Question 590
- Question
- Answer
- Explanation
CISA Question 581
Question
The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:
A. financial results.
B. customer satisfaction.
C. internal process efficiency.
D. innovation capacity.
Answer
A. financial results.
Explanation
Financial results have traditionally been the sole overall performance metric. The IT balanced scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and processing.
CISA Question 582
Question
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?
A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle.
C. No recommendation is necessary since the current approach is appropriate for a medium-sized organization.
D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization’s risk management.
Answer
D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization’s risk management.
Explanation
Establishing regular meetings is the best way to identify and assess risks in a medium- sized organization, to address responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risks are usually manageable enough so that external help would not be needed. While common risks may be covered by common industry standards, they cannot address the specific situation of an organization. Individual risks will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient.
CISA Question 583
Question
An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on an employee’s desk was removed and put in the garbage by the outsourced cleaning staff. Which of the following should the IS auditor recommend to management?
A. Stricter controls should be implemented by both the organization and the cleaning agency.
B. No action is required since such incidents have not occurred in the past.
C. A clear desk policy should be implemented and strictly enforced in the organization.
D. A sound backup policy for all important office documents should be implemented.
Answer
A. Stricter controls should be implemented by both the organization and the cleaning agency.
Explanation
An employee leaving an important document on a desk and the cleaning staff removing it may result in a serious impact on the business.
Therefore, the IS auditor should recommend that strict controls be implemented by both the organization and the outsourced cleaning agency.
That such incidents have not occurred in the past does not reduce the seriousness of their impact.
Implementing and monitoring a clear desk policy addresses only one part of the issue. Appropriate confidentiality agreements with the cleaning agency, along with ensuring that the cleaning staff has been educated on the dos and don’ts of the cleaning process, are also controls that should be implemented. The risk here is not a loss of data, but leakage of data to unauthorized sources. A backup policy does not address the issue of unauthorized leakage of information.
CISA Question 584
Question
The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
A. alignment of the IT activities with IS audit recommendations.
B. enforcement of the management of security risks.
C. implementation of the chief information security officer’s (CISO) recommendations.
D. reduction of the cost for IT security.
Answer
B. enforcement of the management of security risks.
Explanation
The major benefit of implementing a security program is management’s assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risks. Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit.
The cost of IT security may or may not be reduced.
CISA Question 585
Question
Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation?
A. Process maturity
B. Performance indicators
C. Business risk
D. Assurance reports
Answer
C. Business risk
Explanation
Priority should be given to those areas which represent a known risk to the enterprise’s operations. The level of process maturity, process performance and audit reports will feed into the decision making process. Those areas that represent real risk to the business should be given priority
CISA Question 586
Question
As a driver of IT governance, transparency of IT’s cost, value and risks is primarily achieved through:
A. performance measurement.
B. strategic alignment.
C. value delivery.
D. resource management.
Answer
A. performance measurement.
Explanation
Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver {process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement as it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.
CISA Question 587
Question
Which of the following should be considered FIRST when implementing a risk management program?
A. An understanding of the organization’s threat, vulnerability and risk profile
B. An understanding of the risk exposures and the potential consequences of compromise
C. A determination of risk management priorities based on potential consequences
D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level
Answer
A. An understanding of the organization’s threat, vulnerability and risk profile
Explanation
Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization’s threat, vulnerability and risk profile as a first step. Based on this, an understanding of risk exposure and potential consequences of compromise could be determined. Risk management priorities based on potential consequences could then be developed.
This would provide a basis for the formulation of strategies for risk mitigation sufficient to keep the consequences from risk at an acceptable level.
CISA Question 588
Question
An IS auditor is reviewing an IT security risk management program. Measures of security risk should:
A. address all of the network risks.
B. be tracked over time against the IT strategic plan.
C. take into account the entire IT environment.
D. result in the identification of vulnerability tolerances.
Answer
C. take into account the entire IT environment.
Explanation
When assessing IT security risk, it is important to take into account the entire IT environment. Measures of security risk should focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost. IT strategic plans are not granular enough to provide appropriate measures.
Objective metrics must be tracked over time against measurable goals, thus the management of risk is enhanced by comparing today’s results against last week, last month, last quarter. Risk measures will profile assets on a network to objectively measure vulnerability risk. They do not identify tolerances.
CISA Question 589
Question
An IS auditor reviewing the risk assessment process of an organization should FIRST:
A. identify the reasonable threats to the information assets.
B. analyze the technical and organizational vulnerabilities.
C. identify and rank the information assets.
D. evaluate the effect of a potential security breach.
Answer
C. identify and rank the information assets.
Explanation
Identification and ranking of information assets-e.g., data criticality, locations of assets-will set the tone or scope of how to assess risk in relation to the organizational value of the asset. Second, the threats facing each of the organization’s assets should be analyzed according to their value to the organization.
Third, weaknesses should be identified so that controls can be evaluated to determine if they mitigate the weaknesses. Fourth, analyze how these weaknesses, in absence of given controls, would impact the organization information assets.
CISA Question 590
Question
A poor choice of passwords and transmission over unprotected communications lines are examples of:
A. vulnerabilities.
B. threats.
C. probabilities.
D. impacts.
Answer
A. vulnerabilities.
Explanation
Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat, while impacts represent the outcome or result of a threat exploiting a vulnerability.