This page collects ISACA CISA (Certified Information Systems Auditor) practice exam questions with answers and explanations, provided free to help candidates prepare for the ISACA CISA exam and earn the CISA certification.
Table of Contents
- CISA Question 651
- CISA Question 652
- CISA Question 653
- CISA Question 654
- CISA Question 655
- CISA Question 656
- CISA Question 657
- CISA Question 658
- CISA Question 659
- CISA Question 660
CISA Question 651
Question
An IS auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that:
A. this lack of knowledge may lead to unintentional disclosure of sensitive information.
B. information security is not critical to all functions.
C. IS audit should provide security training to the employees.
D. the audit finding will cause management to provide continuous training to staff.
Answer
A. this lack of knowledge may lead to unintentional disclosure of sensitive information.
Explanation
All employees should be aware of the enterprise’s information security policy to prevent unintentional disclosure of sensitive information.
Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.
CISA Question 652
Question
The rate of change in technology increases the importance of:
A. outsourcing the IS function.
B. implementing and enforcing good processes.
C. hiring personnel willing to make a career within the organization.
D. meeting user requirements.
Answer
B. implementing and enforcing good processes.
Explanation
Change requires that good change management processes be implemented and enforced. Outsourcing the IS function is not directly related to the rate of technological change. Personnel in a typical IS department are highly qualified and educated; usually they do not feel their jobs are at risk and are prepared to switch jobs frequently. Although meeting user requirements is important, it is not directly related to the rate of technological change in the IS environment.
CISA Question 653
Question
The PRIMARY objective of an audit of IT security policies is to ensure that:
A. they are distributed and available to all staff.
B. security and control policies support business and IT objectives.
C. there is a published organizational chart with functional descriptions.
D. duties are appropriately segregated.
Answer
B. security and control policies support business and IT objectives.
Explanation
Business orientation should be the main theme in implementing security. Hence, an IS audit of IT security policies should primarily focus on whether the IT and related security and control policies support business and IT objectives. Reviewing whether policies are available to all is an objective, but distribution does not ensure compliance. Availability of organizational charts with functional descriptions and segregation of duties might be included in the review, but are not the primary objective of an audit of security policies.
CISA Question 654
Question
Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
A. User management coordination does not exist.
B. Specific user accountability cannot be established.
C. Unauthorized users may have access to originate, modify or delete data.
D. Audit recommendations may not be implemented.
Answer
C. Unauthorized users may have access to originate, modify or delete data.
Explanation
Without a policy defining who is responsible for granting access to specific systems, there is an increased risk that a user could be given system access without proper authorization. Assigning a named owner the authority to grant access to specific users makes it more likely that access decisions will properly support business objectives.
CISA Question 655
Question
The advantage of a bottom-up approach to the development of organizational policies is that the policies:
A. are developed for the organization as a whole.
B. are more likely to be derived as a result of a risk assessment.
C. will not conflict with overall corporate policy.
D. ensure consistency across the organization.
Answer
B. are more likely to be derived as a result of a risk assessment.
Explanation
A bottom-up approach begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments.
Enterprise-level policies are subsequently developed based on a synthesis of existing operational policies. Choices A, C and D are advantages of a top-down approach to developing organizational policies; that approach ensures that the policies will not conflict with overall corporate policy and ensures consistency across the organization.
CISA Question 656
Question
When reviewing an organization’s strategic IT plan an IS auditor should expect to find:
A. an assessment of the fit of the organization’s application portfolio with business objectives.
B. actions to reduce hardware procurement cost.
C. a listing of approved suppliers of IT contract resources.
D. a description of the technical architecture for the organization’s network perimeter security.
Answer
A. an assessment of the fit of the organization’s application portfolio with business objectives.
Explanation
An assessment of how well an organization’s application portfolio supports the organization’s business objectives is a key component of the overall IT strategic planning process. This drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc., can support the business objectives.
Operational efficiency initiatives belong to tactical planning, not strategic planning. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization’s business objectives. A listing of approved suppliers of IT contract resources is a tactical rather than a strategic concern. An IT strategic plan would not normally include details of a specific technical architecture.
CISA Question 657
Question
When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the:
A. establishment of a review board.
B. creation of a security unit.
C. effective support of an executive sponsor.
D. selection of a security process owner.
Answer
C. effective support of an executive sponsor.
Explanation
The executive sponsor would be in charge of supporting the organization’s strategic security program, and would aid in directing the organization’s overall security management activities. Therefore, support by the executive level of management is the most critical success factor (CSF). None of the other choices are effective without visible sponsorship of top management.
CISA Question 658
Question
When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:
A. incorporates state of the art technology.
B. addresses the required operational controls.
C. articulates the IT mission and vision.
D. specifies project management practices.
Answer
C. articulates the IT mission and vision.
Explanation
The IT strategic plan must include a clear articulation of the IT mission and vision. It need not prescribe specific technologies, operational controls or project management practices; those are matters for tactical and operational planning.
CISA Question 659
Question
To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:
A. control self-assessments.
B. a business impact analysis.
C. an IT balanced scorecard.
D. business process reengineering.
Answer
C. an IT balanced scorecard.
Explanation
An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. Control self-assessment (CSA), business impact analysis (BIA) and business process reengineering (BPR) are insufficient to align IT with organizational objectives.
CISA Question 660
Question
In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?
A. Optimized
B. Managed
C. Defined
D. Repeatable
Answer
B. Managed
Explanation
Boards of directors and executive management can use the information security governance maturity model to establish rankings for security in their organizations. The ranks are nonexistent, initial, repeatable, defined, managed and optimized. When the responsibilities for IT security in an organization are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed, it is said to be ‘managed and measurable.’