CISA Premium Bundle

Isaca CISA Certification Exam

Rating: 4.5 (53955 ratings)
980 questions (practice tests); 980 questions (PDF/print version)
Last update: November 15, 2024

Isaca CISA Free Practice Questions

Master the Isaca CISA content and be ready for exam-day success quickly with these Pass4sure CISA simulations. We guarantee it! We make it a reality and give you real CISA questions in our Isaca CISA braindumps. The latest 100% valid Isaca CISA exam question dumps are on the page below. You can use our Isaca CISA braindumps and pass your exam.

Online Isaca CISA free dumps demo below:

NEW QUESTION 1

An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:

  • A. evaluate the record retention plans for off-premises storage
  • B. interview programmers about the procedures currently being followed
  • C. compare utilization records to operations schedules
  • D. review data file access records to test the librarian function

Answer: B

Explanation:

Asking programmers about the procedures currently being followed is useful in determining whether access to program documentation is restricted to authorized persons. Evaluating the record retention plans for off-premises storage tests the recovery procedures, not the access control over program documentation. Testing utilization records or data files will not address access security over program documentation.

NEW QUESTION 2

Which of the following BEST describes the concept of "defense in depth"?

  • A. more than one subsystem needs to be compromised to compromise the security of the system and the information it holds
  • B. multiple firewalls are implemented
  • C. multiple firewalls and multiple network OS are implemented
  • D. intrusion detection and firewall filtering are required
  • E. None of the choices

Answer: A

Explanation:

With "defense in depth", more than one subsystem needs to be compromised to compromise the security of the system and the information it holds. Subsystems should default to secure settings and, wherever possible, should be designed to "fail secure" rather than "fail insecure".

NEW QUESTION 3

An IS auditor reviewing access controls for a client-server environment should FIRST:

  • A. evaluate the encryption technique
  • B. identify the network access points
  • C. review the identity management system
  • D. review the application level access controls

Answer: B

Explanation:

A client-server environment typically contains several access points and utilizes distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client-server environment, all network access points should be identified first. Evaluating encryption techniques, reviewing the identity management system and reviewing the application level access controls would be performed at a later stage of the review.

NEW QUESTION 4

Receiving an EDI transaction and passing it through the communications interface stage usually requires:

  • A. translating and unbundling transactions
  • B. routing verification procedures
  • C. passing data to the appropriate application system
  • D. creating a point of receipt audit log

Answer: B

Explanation:

The communications interface stage requires routing verification procedures. EDI standards such as ANSI X12 must be interpreted by an application for transactions to be processed and then invoiced, paid and sent, whether they are for merchandise or services. There is no point in sending and receiving EDI transactions if they cannot be processed by an internal system. Unbundling transactions and recording audit logs are important elements that help enforce business rules and establish controls, but they are not part of the communications interface stage.

NEW QUESTION 5

From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is:

  • A. a big bang deployment after proof of concept
  • B. prototyping and a one-phase deployment
  • C. a deployment plan based on sequenced phases
  • D. to simulate the new infrastructure before deployment

Answer: C

Explanation:

When developing a large and complex IT infrastructure, the best practice is to use a phased approach to fitting the entire system together. This will provide greater assurance of quality results. The other choices are riskier approaches.

NEW QUESTION 6

A company has recently upgraded its purchase system to incorporate EDI transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?

  • A. Key verification
  • B. One-for-one checking
  • C. Manual recalculations
  • D. Functional acknowledgements

Answer: D

Explanation:

Acting as an audit trail for EDI transactions, functional acknowledgements (for example, the X12 997 transaction set) are one of the main controls used in data mapping: the receiver reports back which interchanges it accepted or rejected. All the other choices are manual input controls, whereas data mapping deals with the automatic integration of data in the receiving company.

NEW QUESTION 7

What is the BEST action to prevent loss of data integrity or confidentiality in the case of an e-commerce application running on a LAN, processing electronic fund transfers (EFT) and orders?

  • A. Using virtual private network (VPN) tunnels for data transfer
  • B. Enabling data encryption within the application
  • C. Auditing the access control to the network
  • D. Logging all changes to access lists

Answer: A

Explanation:

The best way to ensure the confidentiality and integrity of data in transit is to encrypt it using virtual private network (VPN) tunnels. This is the most common and convenient way to encrypt data travelling over the network. Data encryption within the application is less efficient than a VPN. The other options are good practices, but they do not directly prevent the loss of data integrity and confidentiality during communication over a network.

NEW QUESTION 8

While copying files from a floppy disk, a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus?

  • A. A scan of all floppy disks before use
  • B. A virus monitor on the network file server
  • C. Scheduled daily scans of all network drives
  • D. A virus monitor on the user's personal computer

Answer: C

Explanation:

Scheduled daily scans of all network drives will detect the presence of a virus after the infection has occurred. All of the other choices are controls designed to prevent a computer virus from infecting the system.

NEW QUESTION 9

Which of the following are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem? Choose the BEST answer.

  • A. Expert systems
  • B. Neural networks
  • C. Integrated synchronized systems
  • D. Multitasking applications

Answer: B

Explanation:

Neural networks are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem.

NEW QUESTION 10

An IS auditor is reviewing a project that is using an Agile software development approach. Which of the following should the IS auditor expect to find?

  • A. Use of a process-based maturity model such as the capability maturity model (CMM)
  • B. Regular monitoring of task-level progress against schedule
  • C. Extensive use of software development tools to maximize team productivity
  • D. Post-iteration reviews that identify lessons learned for future use in the project

Answer: D

Explanation:

A key tenet of the Agile approach to software project management is team learning and the use of team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that, at the end of each iteration, the team considers and documents what worked well and what could have worked better, and identifies improvements to be implemented in subsequent iterations. CMM and Agile really sit at opposite poles. CMM places heavy emphasis on predefined formal processes and formal project management and software development deliverables. Agile projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from 4 to 8 weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant. Agile projects do make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of

NEW QUESTION 11

Which of the following should be a concern to an IS auditor reviewing a wireless network?

  • A. 128-bit static-key WEP (Wired Equivalent Privacy) encryption is enabled
  • B. SSID (Service Set IDentifier) broadcasting has been enabled
  • C. Antivirus software has been installed in all wireless clients
  • D. MAC (Media Access Control) access control filtering has been deployed

Answer: B

Explanation:

SSID broadcasting advertises the network to anyone within radio range, so a user can browse for available wireless networks and attempt to access them without authorization. Choices A, C and D are, in the terms of this question, controls used to strengthen a wireless network. Note for practitioners: static-key WEP is cryptographically broken and is itself a finding today; current guidance is WPA2 or WPA3, and MAC filtering is easily bypassed by address spoofing, so neither should be relied on as the primary access control.

NEW QUESTION 12

Which of the following is MOST critical for the successful implementation and maintenance of a security policy?

  • A. Assimilation of the framework and intent of a written security policy by all appropriate parties
  • B. Management support and approval for the implementation and maintenance of a security policy
  • C. Enforcement of security rules by providing punitive actions for any violation of security rules
  • D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

Answer: A

Explanation:

Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the password is of little value. Management support and commitment is no doubt important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, are also required, along with the users' education on the importance of security.

NEW QUESTION 13

Of the three major types of off-site processing facilities, what type is often an acceptable solution for preparing for recovery of noncritical systems and data?

  • A. Cold site
  • B. Hot site
  • C. Alternate site
  • D. Warm site

Answer: A

Explanation:

A cold site is often an acceptable solution for preparing for recovery of noncritical systems and data.

NEW QUESTION 14

What is an effective control for granting temporary access to vendors and external support personnel? Choose the BEST answer.

  • A. Creating user accounts that automatically expire by a predetermined date
  • B. Creating permanent guest accounts for temporary use
  • C. Creating user accounts that restrict logon access to certain hours of the day
  • D. Creating a single shared vendor administrator account on the basis of least-privileged access

Answer: A

Explanation:

Creating user accounts that automatically expire by a predetermined date is an effective control for granting temporary access to vendors and external support personnel.

NEW QUESTION 15

The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all:

  • A. outgoing traffic with IP source addresses external to the network
  • B. incoming traffic with discernible spoofed IP source addresses
  • C. incoming traffic with IP options set
  • D. incoming traffic to critical hosts

Answer: A

Explanation:

Outgoing traffic whose IP source address lies outside the network's own address range is invalid. In most cases it signals a DoS attack originated by an internal user or by a previously compromised internal machine, which is spoofing another address so that the flood cannot be traced back (or is reflected onto the spoofed victim); in both cases, applying this filter stops the attack at the border. This is the source-address (anti-spoofing) filtering described in BCP 38 / RFC 2827.
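The egress rule in answer A, together with the complementary ingress rule in answer B, as an added example (not code from the original page). It assumes a constructed site address space of 192.0.2.0/24 and 198.51.100.0/24, with 203.0.113.0/24 standing in for the Internet, and describes each packet only by its source, destination and the direction in which it crosses the border router; `Packet`, `filter_packet` and `audit_flows` are names introduced here for illustration.

```python
"""Source-address anti-spoofing filter (egress and ingress), added example."""
import ipaddress
from dataclasses import dataclass

# Constructed: the address space this site legitimately originates traffic from.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "out" = leaving our network, "in" = arriving from outside


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Return ("permit"|"deny", reason) for one packet crossing the border.

    Egress rule (answer A): a packet leaving the site must carry one of the
    site's own source addresses; anything else is spoofed and would let an
    internal host or compromised machine flood a victim under a borrowed
    address (or bounce replies onto the address it spoofed).
    Ingress rule (answer B, the complementary check): a packet arriving from
    the outside must NOT claim one of our own addresses as its source.
    """
    src_internal = is_internal(pkt.src)
    if pkt.direction == "out":
        if src_internal:
            return "permit", "egress: source is one of our own addresses"
        return "deny", "egress: spoofed source outside our address space"
    if pkt.direction == "in":
        if src_internal:
            return "deny", "ingress: external packet claims an internal source"
        return "permit", "ingress: source is external, as expected"
    return "deny", "unknown direction"


def audit_flows(packets: list[Packet]) -> dict[str, int]:
    """Count verdicts over a batch, as an auditor replaying captured flows would."""
    counts = {"permit": 0, "deny": 0}
    for pkt in packets:
        verdict, _ = filter_packet(pkt)
        counts[verdict] += 1
    return counts


# Constructed sample flows; 203.0.113.0/24 plays the role of "the Internet".
SAMPLE_FLOWS = [
    Packet("192.0.2.10", "203.0.113.5", "out"),    # normal outbound
    Packet("203.0.113.77", "203.0.113.5", "out"),  # spoofed: internal host posing as external
    Packet("203.0.113.5", "192.0.2.10", "in"),     # normal inbound reply
    Packet("192.0.2.10", "192.0.2.53", "in"),      # spoofed: outsider claiming our address
]

if __name__ == "__main__":
    for pkt in SAMPLE_FLOWS:
        verdict, reason = filter_packet(pkt)
        print(f"{pkt.direction:3} {pkt.src:>14} -> {pkt.dst:<14} {verdict:6} ({reason})")
    print(audit_flows(SAMPLE_FLOWS))
```

The same two checks are what an auditor would look for in the border router's access lists: an outbound list that permits only the site's own prefixes as source, and an inbound list that denies those same prefixes as source.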

NEW QUESTION 16

When auditing a proxy-based firewall, an IS auditor should:

  • A. verify that the firewall is not dropping any forwarded packets
  • B. review Address Resolution Protocol (ARP) tables for appropriate mapping between media access control (MAC) and IP addresses
  • C. verify that the filters applied to services such as HTTP are effective
  • D. test whether routing information is forwarded by the firewall

Answer: C

Explanation:

A proxy-based firewall works as an intermediary (proxy) between the service or application and the client: it accepts a connection from the client, opens a separate connection to the server and, based on specific filters and rules, analyzes all the traffic between the two connections. Unlike a packet-filtering gateway, a proxy-based firewall does not forward any packets, so choices A and D do not apply. Mapping between media access control (MAC) and IP addresses is a task for protocols such as Address Resolution Protocol/Reverse Address Resolution Protocol (ARP/RARP), not for the firewall.
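Verifying that the HTTP filters are effective means replaying requests through the proxy's policy and confirming that each one is allowed or blocked as intended. The following is an added example, not code from the original page or from any particular firewall product: it assumes a constructed policy (an allowed-method set, an allow-list of destination hosts, CONNECT only to port 443, a length limit and a path-traversal check) and a small set of constructed raw requests; `parse_request`, `destination` and `proxy_filter` are names introduced here.

```python
"""Effectiveness check for an HTTP filter on a proxy-based firewall (added example)."""
from urllib.parse import unquote, urlsplit

# Constructed policy; a real proxy's rule set would come from its configuration.
POLICY = {
    "allowed_methods": {"GET", "POST", "HEAD", "CONNECT"},
    "allowed_hosts": {"intranet.example", "www.example.org"},
    "connect_ports": {443},
    "max_target_len": 2048,
}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, version and headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return {"method": method.upper(), "target": target, "version": version, "headers": headers}


def destination(req: dict) -> tuple[str, int]:
    """Resolve the host/port the proxy would connect to on the client's behalf."""
    if req["method"] == "CONNECT":
        host, _, port = req["target"].rpartition(":")
        return host.lower(), int(port or 443)
    parts = urlsplit(req["target"])
    if parts.scheme:  # absolute-form target, as clients send to proxies
        return parts.hostname.lower(), parts.port or (443 if parts.scheme == "https" else 80)
    host = req["headers"].get("host", "")  # origin-form target: the Host header decides
    hostname, _, port = host.partition(":")
    return hostname.lower(), int(port or 80)


def proxy_filter(raw: str) -> tuple[str, str]:
    """Return ("allow"|"block", reason) for one raw request under POLICY."""
    try:
        req = parse_request(raw)
    except ValueError as exc:
        return "block", f"unparseable request: {exc}"
    if req["method"] not in POLICY["allowed_methods"]:
        return "block", f"method {req['method']} not permitted"
    if len(req["target"]) > POLICY["max_target_len"]:
        return "block", "request target too long"
    try:
        host, port = destination(req)
    except (ValueError, AttributeError):
        return "block", "cannot determine destination host"
    if host not in POLICY["allowed_hosts"]:
        return "block", f"destination {host} not on allow-list"
    if req["method"] == "CONNECT" and port not in POLICY["connect_ports"]:
        return "block", f"CONNECT to port {port} not permitted"
    # Decode percent-encoding before looking for traversal, so %2e%2e is caught too.
    path = unquote(urlsplit(req["target"]).path) if req["method"] != "CONNECT" else ""
    if ".." in path.split("/"):
        return "block", "path traversal in request target"
    return "allow", "request conforms to policy"


# Constructed requests an auditor might replay against the proxy.
SAMPLE_REQUESTS = {
    "plain_get": "GET http://www.example.org/index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "bad_host": "GET http://evil.example.net/ HTTP/1.1\r\nHost: evil.example.net\r\n\r\n",
    "trace": "TRACE / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "traversal": "GET /files/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "connect_ok": "CONNECT www.example.org:443 HTTP/1.1\r\nHost: www.example.org:443\r\n\r\n",
    "connect_ssh": "CONNECT www.example.org:22 HTTP/1.1\r\nHost: www.example.org:22\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(f"{name:12} -> {proxy_filter(raw)}")
```

The point of the audit step is the negative cases: a filter that allows the legitimate request but also lets through the TRACE method, the off-list host, the encoded traversal or a CONNECT to port 22 is not effective, whatever the configuration claims.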

NEW QUESTION 17

Which of the following refers to the proving of mathematical theorems by a computer program?

  • A. Analytical theorem proving
  • B. Automated technology proving
  • C. Automated theorem processing
  • D. Automated theorem proving
  • E. None of the choices

Answer: D

Explanation:

Automated theorem proving (ATP) is the proving of mathematical theorems by a computer program. Depending on the underlying logic, the problem of deciding the validity of a theorem varies from trivial to impossible. Commercial use of automated theorem proving is mostly concentrated in integrated circuit design and verification.
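A minimal illustration of automated theorem proving, added here and not part of the original page, written for Lean 4 (a recent release with the built-in `decide`, `intro`/`exact` and `omega` tactics is assumed; no Mathlib is needed). Each tactic is a program that either finds the proof or fails, which is the "trivial to impossible" spectrum the explanation mentions: a closed arithmetic statement is decided by evaluation, a propositional goal by constructing the proof term, and a linear arithmetic goal by the `omega` procedure, while goals outside these fragments need human guidance.

```lean
-- Closed arithmetic: `decide` evaluates the proposition and checks it is true.
theorem arith_check : 17 * 3 + 11 = 62 := by decide

-- Propositional logic: the goal is discharged by building the proof term
-- from the two halves of the hypothesis.
theorem and_swap (p q : Prop) : p ∧ q → q ∧ p := by
  intro h
  exact ⟨h.2, h.1⟩

-- Linear arithmetic over the naturals: `omega` searches for a proof
-- automatically from the hypotheses; if the goal were false it would fail.
theorem bounded (x y : Nat) (h1 : x ≤ 5) (h2 : y ≤ x) : y + x ≤ 10 := by omega
```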

NEW QUESTION 18

An IS auditor performing detailed network assessments and access control reviews should FIRST:

  • A. determine the points of entry
  • B. evaluate users' access authorization
  • C. assess users' identification and authorization
  • D. evaluate the domain-controlling server configuration

Answer: A

Explanation:

In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry accordingly for appropriate controls. Evaluation of user access authorization, assessment of user identification and authorization, and evaluation of the domain-controlling server configuration are all implementation issues for appropriate controls for the points of entry.

NEW QUESTION 19
......

P.S. Dumpscollection.com is now offering 100% pass-ensured CISA dumps! All CISA exam questions have been updated with correct answers: https://www.dumpscollection.net/dumps/CISA/ (980 New Questions)

