CISA EXAM 1 2022

1. An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)? A References from other customers B Service level agreement (SLA) template C Maintenance agreement D Conversion plan The answer is A An IS auditor should look for an independent verification that the ISP can perform the tasks being contracted for. References from other customers would provide an independent, external review and verification of procedures and processes the ISP follows—issues which would be of concern to an IS auditor. Checking references is a means of obtaining an independent verification that the vendor can perform the services it says it can. A maintenance agreement relates more to equipment than to services, and a conversion plan, while important, is less important than verification that the ISP can provide the services they propose. 2. To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: A control self-assessments. B a business impact analysis. C an IT balanced scorecard. D business process reengineering. The correct answer is C An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. Control self-assessment (CSA), business impact analysis (BIA) and business process reengineering (BPR) are insufficient to align IT with organizational objectives. 00:24 01:36 3. A poor choice of passwords and transmission over unprotected communications lines are examples of: A vulnerabilities. B threats. C probabilities. D impacts. The answer is A Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat, while impacts represent the outcome or result of a threat exploiting a vulnerability. 4. To support an organization's goals, an IS department should have: A a low-cost philosophy. B long- and short-range plans. C leading-edge technology. D plans to acquire new hardware and software. The correct answer is B To ensure its contribution to the realization of an organization's overall goals, the IS department should have long- and short-range plans that are consistent with the organization's broader plans for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate how each of the objectives would be achieved. Choice D could be a part of the overall plan but would be required only 2/11Latihan CISA Exam Chapter 2 if hardware or software is needed to achieve the organizational goals. 5. A local area network (LAN) administrator normally would be restricted from: A having end-user responsibilities. B reporting to the end-user manager. C having programming responsibilities. D being responsible for LAN security administration. The correct answer is C A LAN administrator should not have programming responsibilities but may have end-user responsibilities. The LAN administrator may report to the director of the IPF or, in a decentralized operation, to the end-user manager. In small organizations, the LAN administrator may also be responsible for security administration over the LAN. 6. To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses? A O/S and hardware refresh frequencies B Gain-sharing performance bonuses C Penalties for noncompliance D Charges tied to variable cost metrics The correct answer is B Because the outsourcer will share a percentage of the achieved savings, gain-sharing performance bonuses provide a financial incentive to go above and beyond the stated terms of the contract and can lead to cost savings for the client. Refresh frequencies and penalties for noncompliance would only encourage the outsourcer to meet minimum requirements. Similarly, tying charges to variable cost metrics would not encourage the outsourcer to seek additional efficiencies that might benefit the client. 7. Which of the following is a mechanism for mitigating risks? A Security and control practices B Property and liability insurance C Audit and certification D Contracts and service level agreements (SLAs) The answer is A Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, while contracts and SLAs are mechanisms of risk allocation. 8. Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations? A Security incident summaries B Vendor best practices C CERT coordination center D Significant contracts The correct answer is D Contractual requirements are one of the sources that should be consulted to identify the requirements for the management of information assets. Vendor best practices provides a basis for evaluating how competitive an enterprise is, while security incident summaries are a source for assessing the vulnerabilities associated with the IT infrastructure. CERT () is an information source for assessing vulnerabilities within the IT infrastructure. 9. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program? A Utilization of an intrusion detection system to report incidents B Mandating the use of passwords to access all software C Installing an efficient user log system to track the actions of each user D Training provided on a regular basis to all current and new employees The correct answer is D Utilizing an intrusion detection system to report on incidents that occur is an implementation of a security program and is not effective in establishing a security awareness program. Choices B and C do not address awareness. Training is the only choice that is directed at security awareness. 10. A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and: A recovery. B retention. C rebuilding. D reuse. The correct answer is B Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which e-mail communication is held in the same regard as the official form of classic "paper" makes the retention of corporate e-mail a necessity. All e-mail generated on an organization's hardware is the property of the organization, and an e-mail policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of e-mails after a specified time to protect the nature and confidentiality of the messages themselves. Addressing the retention issue in the e-mail policy would facilitate recovery, rebuilding and reuse.