ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 7

The latest ISACA CISA (Certified Information Systems Auditor) practice exam questions and answers (Q&A) are available free below, to help you prepare for the ISACA CISA exam and earn the CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 601

Question

A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration in establishing a contingency plan and an alternate processing site?

A. The alternative site does not reside on the same fault no matter how far the distance apart.
B. The contingency plan for high priority applications does not involve a shared cold site.
C. The alternative site is a hot site with equipment ready to resume processing immediately.
D. The contingency plan provides for backup tapes to be taken to the alternative site.

Answer

A. The alternative site does not reside on the same fault no matter how far the distance apart.

CISA Question 602

Question

Which of the following are used in a firewall to protect the entity’s internal resources?

A. Internet Protocol (IP) address restrictions
B. Remote access servers
C. Secure Sockets Layers (SSLs)
D. Fail-over services

Answer

A. Internet Protocol (IP) address restrictions

CISA Question 603

Question

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

A. Installing biometrics-based authentication
B. Configuring the router as a firewall
C. Periodically reviewing log files
D. Using smart cards with one-time passwords

Answer

C. Periodically reviewing log files
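The answer above rests on the log file being the only control that records what actually happened: biometrics, one-time passwords and a filtering router may block an attempt, but none of them tells the auditor how many attempts were made, from where, or whether they came from outside the organization. As an added illustration, not part of the exam question or of ISACA's material, the script below reviews constructed sshd-style log lines, separates failures from internal and external source addresses, and flags external sources with repeated failures. The log lines, the RFC 1918 definition of "internal", and the threshold of three failures are all assumptions for the example.

```python
"""Flag repeated failed logins from external sources in auth log lines.

Added example (not part of the exam question text): the log lines below
are constructed in the sshd/syslog style, and the threshold is an
assumption; real log formats and internal address ranges will differ.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: five failures from one external host, one internal
# user who mistyped a password once, one external host with a single failure.
SAMPLE_LOG = """\
Mar  3 02:14:01 gw sshd[2231]: Failed password for root from 203.0.113.45 port 51522 ssh2
Mar  3 02:14:03 gw sshd[2231]: Failed password for root from 203.0.113.45 port 51523 ssh2
Mar  3 02:14:05 gw sshd[2233]: Failed password for invalid user admin from 203.0.113.45 port 51530 ssh2
Mar  3 02:14:06 gw sshd[2233]: Failed password for invalid user admin from 203.0.113.45 port 51531 ssh2
Mar  3 02:14:09 gw sshd[2235]: Failed password for oracle from 203.0.113.45 port 51540 ssh2
Mar  3 08:01:12 gw sshd[2410]: Failed password for alice from 10.20.1.17 port 40112 ssh2
Mar  3 08:01:20 gw sshd[2410]: Accepted password for alice from 10.20.1.17 port 40112 ssh2
Mar  3 09:30:44 gw sshd[2502]: Failed password for bob from 198.51.100.7 port 38001 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Assumption: the organization's internal ranges are the RFC 1918 blocks.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_external(ip_str):
    """True when the address falls outside every internal range."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def failed_logins_by_source(log_text):
    """Return (Counter of failures per external IP, Counter per internal IP)."""
    external, internal = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ip = m.group("ip")
        (external if is_external(ip) else internal)[ip] += 1
    return external, internal


def flag_intrusion_attempts(log_text, threshold=3):
    """External sources with at least `threshold` failures, most active first."""
    external, _ = failed_logins_by_source(log_text)
    return [(ip, n) for ip, n in external.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in flag_intrusion_attempts(SAMPLE_LOG):
        print(f"{ip}: {n} failed logins from outside the organization")
```

Run against the sample, only 203.0.113.45 is flagged (five failures); the single failures from 10.20.1.17 and 198.51.100.7 stay below the threshold. The point for the auditor is that this review only works if the logs are retained, protected from tampering, and actually read on a schedule, which is why "periodically reviewing log files" is the detective control here rather than any of the preventive ones offered.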

CISA Question 604

Question

Which of the following firewall technologies involves examining the header of every packet of data traveling between the Internet and the corporate network without examining the previous packets?

A. Proxy servers
B. Bastion host
C. Stateful filtering
D. Stateless filtering

Answer

D. Stateless filtering
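The distinction tested in questions 602 and 604 is easiest to see side by side: a stateless filter judges each packet from its own header (addresses, ports, TCP flags) and has no memory of earlier packets, while a stateful filter keeps a table of connections it has seen leave the network and only admits inbound packets that match one. The following is an added example, not part of the exam or of any vendor's firewall code. It implements both filters over a constructed packet sequence; the corporate range 192.0.2.0/24, the partner address permitted to reach SSH (an IP address restriction, as in question 602), and the five packets are all assumptions for the illustration.

```python
"""Stateless vs stateful packet filtering, as an added illustration.

Not from the exam text: the packets, address ranges and rules below are
constructed. Hosts in 192.0.2.0/24 play the corporate network; every other
address is "the Internet".
"""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.0.2.0/24")

# IP address restriction (question 602): only this partner host may open
# connections to the internal SSH port; all other inbound traffic must be
# a reply to something that went out.
ALLOWED_SSH_SOURCES = {ipaddress.ip_address("198.51.100.10")}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A"


def inbound(pkt):
    """Internet -> corporate network direction."""
    return (ipaddress.ip_address(pkt.dst) in INTERNAL
            and ipaddress.ip_address(pkt.src) not in INTERNAL)


def stateless_filter(pkt):
    """Decide from this packet's header alone, with no memory of earlier packets.

    The "reply" heuristic is the classic 'established' rule: any packet with
    the ACK bit set is assumed to belong to a session the inside opened.
    """
    if not inbound(pkt):
        return "accept"  # outbound traffic is allowed
    if pkt.dport == 22 and ipaddress.ip_address(pkt.src) in ALLOWED_SSH_SOURCES:
        return "accept"  # restricted source address for SSH
    if "A" in pkt.flags:
        return "accept"  # looks like a reply, but nothing verifies that
    return "drop"


class StatefulFilter:
    """Same rules, except inbound 'replies' must match a connection seen going out."""

    def __init__(self):
        self.connections = set()  # (internal_ip, internal_port, remote_ip, remote_port)

    def filter(self, pkt):
        if not inbound(pkt):
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if pkt.dport == 22 and ipaddress.ip_address(pkt.src) in ALLOWED_SSH_SOURCES:
            return "accept"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "accept"  # genuine reply to a connection the inside opened
        return "drop"


def compare(packets):
    """Return [(description, stateless verdict, stateful verdict)] in sequence order."""
    sf = StatefulFilter()
    return [(desc, stateless_filter(pkt), sf.filter(pkt)) for desc, pkt in packets]


# Constructed traffic: one real web session, one spoofed "reply" (an ACK probe
# at the file-sharing port), and two SSH connection attempts.
TRAFFIC = [
    ("outbound SYN to web server", Packet("192.0.2.10", 51000, "203.0.113.80", 443, "S")),
    ("web server SYN/ACK reply", Packet("203.0.113.80", 443, "192.0.2.10", 51000, "SA")),
    ("spoofed ACK to port 445", Packet("203.0.113.66", 40000, "192.0.2.10", 445, "A")),
    ("SSH from unlisted host", Packet("203.0.113.66", 40001, "192.0.2.10", 22, "S")),
    ("SSH from partner host", Packet("198.51.100.10", 40002, "192.0.2.10", 22, "S")),
]

if __name__ == "__main__":
    for desc, stateless, stateful in compare(TRAFFIC):
        print(f"{desc:28} stateless={stateless:6} stateful={stateful}")
```

Both filters pass the real web session and enforce the SSH source restriction identically. They differ on the third packet: the stateless filter accepts the unsolicited ACK because its header alone looks like a reply, whereas the stateful filter drops it because no inside host ever opened a connection to 203.0.113.66. That gap is exactly what "without examining the previous packets" in the question refers to, and it is why stateless filtering is cheaper but weaker.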

CISA Question 605

Question

In an online application, which of the following would provide the MOST information about the transaction audit trail?

A. File layouts
B. System/process flowchart
C. Source code documentation
D. Data architecture

Answer

B. System/process flowchart

CISA Question 606

Question

Which of the following provides the MOST helpful information to determine how much data an organization can afford to lose when a critical system failure occurs?

A. Industry data loss statistics
B. Risk assessment results
C. Recovery point objective (RPO)
D. Recovery time objective (RTO)

Answer

C. Recovery point objective (RPO)

CISA Question 607

Question

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:

A. compute the amortization of the related assets.
B. calculate a return on investment (ROI).
C. apply a qualitative approach.
D. spend the time needed to define exactly the loss amount.

Answer

C. apply a qualitative approach.

Explanation

The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk rates the loss on a weighted scale (e.g., one is a very low impact to the business and five is a very high impact). An ROI is computed when there are predictable savings or revenues that can be compared to the investment needed to realize them.
Amortization is used in a profit and loss statement, not in computing potential losses. Spending the time needed to define the exact total amount is normally the wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image after a hack), that situation is not likely to change, and at the end of the day the result will be a poorly supported evaluation.

CISA Question 608

Question

When developing a risk management program, what is the FIRST activity to be performed?

A. Threat assessment
B. Classification of data
C. Inventory of assets
D. Criticality analysis

Answer

C. Inventory of assets

Explanation

Identification of the assets to be protected is the first step in the development of a risk management program. A listing of the threats that can affect the performance of these assets and criticality analysis are later steps in the process. Data classification is required for defining access controls and in criticality analysis.

CISA Question 609

Question

Which of the following is a mechanism for mitigating risks?

A. Security and control practices
B. Property and liability insurance
C. Audit and certification
D. Contracts and service level agreements (SLAs)

Answer

A. Security and control practices

Explanation

Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, while contracts and SLAs are mechanisms of risk allocation.

CISA Question 610

Question

An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. What would be the next task?

A. Report the risks to the CIO and CEO immediately
B. Examine e-business application in development
C. Identify threats and likelihood of occurrence
D. Check the budget available for risk management

Answer

C. Identify threats and likelihood of occurrence

Explanation

An IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to the CEO. The report should include the findings along with priorities and costs.