Isaca CISA Free Practice Questions

NEW QUESTION 1

Which of the following would be the BEST access control procedure?

• A. The data owner formally authorizes access and an administrator implements the user authorization table
• B. Authorized staff implements the user authorization tables and the data owner sanctions the
• C. The data owner and an IS manager jointly create and update the user authorization table
• D. The data owner creates and updates the user authorization table

Answer: A

Explanation:

The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables. Choice B alters the desirable order. Choice C is not a formal procedurefor authorizing access.

NEW QUESTION 2

An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:

• A. maintenance of access logs of usage of various system resource
• B. authorization and authentication of the user prior to granting access to system resource
• C. adequate protection of stored data on servers by encryption or other mean
• D. accountability system and the ability to identify any terminal accessing system resource

Answer: B

Explanation:

The authorization and authentication of users is the most significant aspect in a telecommunications access control review, as it is a preventive control. Weak controls at this level can affect all other aspects. The maintenance of access logs of usage of system resources is a detective control. The adequate protection of data being transmitted to and from servers by encryption or other means is a method of protecting information during transmission and is not an access issue. The accountability system and the ability to identify any terminal accessing system resources deal with controlling access through the identification of a terminal.

NEW QUESTION 3

After an IS auditor has identified threats and potential impacts, the auditor should:

• A. Identify and evaluate the existing controls
• B. Conduct a business impact analysis (BIA)
• C. Report on existing controls
• D. Propose new controls

Answer: A

Explanation:
After an IS auditor has identified threats and potential impacts, the auditor should then identify and evaluate the existing controls.

NEW QUESTION 4

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:

• A. increases in quality can be achieved, even if resource allocation is decrease
• B. increases in quality are only achieved if resource allocation is increase
• C. decreases in delivery time can be achieved, even if resource allocation is decrease
• D. decreases in delivery time can only be achieved if quality is decrease

Answer: A

Explanation:

The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing either one or both remaining dimensions. Thus, if resource allocation is decreased an increase in quality can be achieved, if a delay in the delivery time of the project will be accepted. The area of the triangle always remains constant.

NEW QUESTION 5

Machines that operate as a closed system can NEVER be eavesdropped.

• A. True
• B. False

Answer: B

Explanation:

Any data that is transmitted over a network is at some risk of being eavesdropped, or even
modified by a malicious person. Even machines that operate as a closed system can be eavesdropped upon via monitoring the faint electromagnetic transmissions generated by the hardware such as TEMPEST.

NEW QUESTION 6

What is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption?

• A. An organizational certificate
• B. A user certificate
• C. A website certificate
• D. Authenticode

Answer: C

Explanation:
A website certificate is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption.

NEW QUESTION 7

Which of the following is a tool you can use to simulate a big network structure on a single computer?

• A. honeymoon
• B. honeytrap
• C. honeytube
• D. honeyd
• E. None of the choice

Answer: D

Explanation:

honeyd is a GPL licensed software you can use to simulate a big network structure on a single computer.

NEW QUESTION 8

If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, what should the auditor do? Choose the BEST answer.

• A. Lack of IT documentation is not usually material to the controls tested in an IT audi
• B. The auditor should at least document the informal standards and policie
• C. Furthermore, the IS auditor should create formal documented policies to be implemente
• D. The auditor should at least document the informal standards and policies, and test for complianc
• E. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemente
• F. The auditor should at least document the informal standards and policies, and test for complianc
• G. Furthermore, the IS auditor should create formal documented policies to be implemente

Answer: C

Explanation:
If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, the auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented.

NEW QUESTION 9

What is a reliable technique for estimating the scope and cost of a software-development project?

• A. Function point analysis (FPA)
• B. Feature point analysis (FPA)
• C. GANTT
• D. PERT

Answer: A

Explanation:
A function point analysis (FPA) is a reliable technique for estimating the scope and cost of a software-development project.

NEW QUESTION 10

An advantage of using sanitized live transactions in test data is that:

• A. all transaction types will be include
• B. every error condition is likely to be teste
• C. no special routines are required to assess the result
• D. test transactions are representative of live processin

Answer: D

Explanation:

Test data will be representative of live processing; however, it is unlikely that all transaction types or error conditions will be tested in this way.

NEW QUESTION 11

Which of the following is the MOST effective control over visitor access to a data center?

• A. Visitors are escorte
• B. Visitor badges are require
• C. Visitors sign i
• D. Visitors are spot-checked by operator

Answer: A

Explanation:

Escorting visitors will provide the best assurance that visitors have permission to access the data processing facility. Choices B and C are not reliable controls. Choice D is incorrect because visitors should be accompanied at all times while they are on the premises, not only when they are in the data processing facility.

NEW QUESTION 12

Which of the following BEST supports the prioritization of new IT projects?

• A. Internal control self-assessment (CSA)
• B. Information systems audit
• C. Investment portfolio analysis
• D. Business risk assessment

Answer: C

Explanation:

It is most desirable to conduct an investment portfolio analysis, which will present not only a clear focus on investment strategy, but will provide the rationale for terminating nonperforming IT projects. Internal control self-assessment {CSA} may highlight noncompliance to the current policy, but may not necessarily be the best source for driving the prioritization of IT projects. Like internal CSA, IS audits may provide only part of the picture for the prioritization of IT projects. Businessrisk analysis is part of the investment portfolio analysis but, by itself, is not the best method for prioritizing new IT projects.

NEW QUESTION 13

Processing controls ensure that data is accurate and complete, and is processed only through which of the following? Choose the BEST answer.

• A. Documented routines
• B. Authorized routines
• C. Accepted routines
• D. Approved routines

Answer: B

Explanation:
Processing controls ensure that data is accurate and complete, and is processed only through authorized routines.

NEW QUESTION 14

Many WEP systems require a key in a relatively insecure format. What format is this?

• A. binary forma
• B. hexadecimal forma
• C. 128 bit forma
• D. 256 bit forma
• E. None of the choice

Answer: B

Explanation:

As part of the IEEE 802.11 standard ratified in September 1999, WEP uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity.
Many WEP systems require a key in hexadecimal format. If one chooses keys that spell words in the limited 0-9, A-F hex character set, these keys can be easily guessed.

NEW QUESTION 15

Data flow diagrams are used by IS auditors to:

• A. order data hierarchicall
• B. highlight high-level data definition
• C. graphically summarize data paths and storag
• D. portray step-by-step details of data generatio

Answer: C

Explanation:

Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of datA. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.

NEW QUESTION 16

In a client-server architecture, a domain name service (DNS) is MOST important because it provides the:

• A. address of the domain serve
• B. resolution service for the name/addres
• C. IP addresses for the interne
• D. domain name syste

Answer: B

Explanation:

DNS is utilized primarily on the Internet for resolution of the name/address of the web site. It is an Internet service that translates domain names into IP addresses. As names are alphabetic, they are easier to remember. However, the Internet is based on IP addresses. Every time a domain name is used, a DNS service must translate the name into the corresponding IP address. The DNS system has its own network, if one DNS server does not know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.

NEW QUESTION 17

Which of the following will BEST ensure the successful offshore development of business applications?

• A. Stringent contract management practices
• B. Detailed and correctly applied specifications
• C. Awareness of cultural and political differences
• D. Postimplementation reviews

Answer: B

Explanation:

When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptionsand modifications may not be adequately communicated. Contract management practices, cultural and political differences, and postimplementation reviews, although important, are not as pivotal to the success of the project.

NEW QUESTION 18

With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor?

• A. Outsourced activities are core and provide a differentiated advantage to the organizatio
• B. Periodic renegotiation is specified in the outsourcing contrac
• C. The outsourcing contract fails to cover every action required by the arrangemen
• D. Similar activities are outsourced to more than one vendo

Answer: A

Explanation:

An organization's core activities generally should not be outsourced, because they are what the organization does best; an IS auditor observing that should be concerned. An IS auditor should not be concerned about the other conditions because specification of periodic renegotiation in the outsourcing contract is a best practice. Outsourcing contracts cannot be expected to cover every action and detail expected of the parties involved, while multisourcing is an acceptable way to reduce risk.

NEW QUESTION 19
......