ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 7

The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam question and answer (Q&A) dumps are available free of charge, to help you pass the ISACA CISA exam and earn the ISACA CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 641

Question

A top-down approach to the development of operational policies will help ensure:

A. that they are consistent across the organization.
B. that they are implemented as a part of risk assessment.
C. compliance with all policies.
D. that they are reviewed periodically.

Answer

A. that they are consistent across the organization.

Explanation

Deriving lower-level policies from corporate policies (a top-down approach) helps ensure consistency across the organization and consistency with other policies. The bottom-up approach to the development of operational policies derives them from the results of a risk assessment. A top-down approach does not by itself ensure compliance, and development does not ensure that policies are reviewed.

CISA Question 642

Question

To ensure an organization is complying with privacy requirements, an IS auditor should FIRST review:

A. the IT infrastructure.
B. organizational policies, standards and procedures.
C. legal and regulatory requirements.
D. the adherence to organizational policies, standards and procedures.

Answer

C. legal and regulatory requirements.

Explanation

To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.

CISA Question 643

Question

In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:

A. implementation.
B. compliance.
C. documentation.
D. sufficiency.

Answer

D. sufficiency.

Explanation

An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of controls. Documentation, implementation and compliance are further steps.

CISA Question 644

Question

A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:

A. recovery.
B. retention.
C. rebuilding.
D. reuse.

Answer

B. retention.

Explanation

Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which e-mail communication is held in the same regard as the official form of classic 'paper' makes the retention of corporate e-mail a necessity. All e-mail generated on an organization's hardware is the property of the organization, and an e-mail policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of e-mails after a specified time to protect the nature and confidentiality of the messages themselves. Addressing the retention issue in the e-mail policy would facilitate recovery, rebuilding and reuse.

CISA Question 645

Question

Which of the following is MOST critical for the successful implementation and maintenance of a security policy?

A. Assimilation of the framework and intent of a written security policy by all appropriate parties
B. Management support and approval for the implementation and maintenance of a security policy
C. Enforcement of security rules by providing punitive actions for any violation of security rules
D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

Answer

A. Assimilation of the framework and intent of a written security policy by all appropriate parties

Explanation

Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the password is of little value.
Management support and commitment are no doubt important, but for the successful implementation and maintenance of a security policy, educating users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, are also required, along with user education on the importance of security.

CISA Question 646

Question

The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?

A. Utilization of an intrusion detection system to report incidents
B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees

Answer

D. Training provided on a regular basis to all current and new employees

Explanation

Utilizing an intrusion detection system to report on incidents that occur is an implementation of a security program and is not effective in establishing a security awareness program. Choices B and C do not address awareness. Training is the only choice that is directed at security awareness.

CISA Question 647

Question

Which of the following is the initial step in creating a firewall policy?

A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods

Answer

B. Identification of network applications to be externally accessed

Explanation

The applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. Having identified the applications, the next step is to identify the vulnerabilities (weaknesses) associated with the network applications. Identifying methods to protect against the identified vulnerabilities, together with their comparative cost-benefit analysis, is the third step. The final step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

CISA Question 648

Question

Which of the following should be included in an organization’s IS security policy?

A. A list of key IT resources to be secured
B. The basis for access authorization
C. Identity of sensitive security features
D. Relevant software security features

Answer

B. The basis for access authorization

Explanation

The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. The other choices are more detailed than what should be included in a policy.

CISA Question 649

Question

Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?

A. Response
B. Correction
C. Detection
D. Monitoring

Answer

A. Response

Explanation

A sound IS security policy will most likely outline a response program to handle suspected intrusions. Correction, detection and monitoring programs are all aspects of information security, but will not likely be included in an IS security policy statement.

CISA Question 650

Question

The development of an IS security policy is ultimately the responsibility of the:

A. IS department.
B. security committee.
C. security administrator.
D. board of directors.

Answer

D. board of directors.

Explanation

Normally, the designing of an information systems security policy is the responsibility of top management or the board of directors. The IS department is responsible for the execution of the policy, having no authority in framing the policy. The security committee also functions within the broad security policy framed by the board of directors. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.