CISA Practice Questions well answered with a guaranteed pass 90% or more!

In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer? Correct A. Nonrepudiation B. Encryption C. Authentication D. Integrity . You are correct, the answer is A. A. Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message. B. Encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made. C. Authentication is necessary to establish the identification of all parties to a communication. D. Integrity ensures that transactions are accurate but does not provide the identification of the customer Which of the following BEST ensures the integrity of a server's operating system (OS)? A. Protecting the server in a secure location B. Setting a boot password Correct C. Hardening the server configuration D. Implementing activity logging You are correct, the answer is C. A. Protecting the server in a secure location is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the operating system (OS). B. Setting a boot password is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS. C. Hardening a system means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS. D. Activity logging has two weaknesses in this scenario—it is a detective control (not a preventive one), and the attacker who already gained privileged access can modify logs or disable them. 00:07 01:36 The IS auditor is reviewing an organization's human resources (HR) database implementation. The IS auditor discovers that the database servers are clustered for high availability, all default database accounts have been removed and database audit logs are kept and reviewed on a weekly basis. What other area should the IS auditor check to ensure that the databases are appropriately secured? A. Database digital signatures Incorrect B. Database encryption nonces and other variables C. Database media access control (MAC) address authentication D. Database initialization parameters You answered B. The correct answer is D. A. Digital signatures are used for authentication and nonrepudiation, and are not commonly used in databases. As a result, this is not an area in which the IS auditor should investigate. B. A nonce is defined as a "parameter that changes over time" and is similar to a number generated to authenticate one specific user session. Nonces are not related to database security (they are commonly used in encryption schemes). C. A media access control (MAC) address is the hardware address of a network interface. MAC address authentication is sometimes used with wireless local area network (WLAN) technology, but is not related to database security. D. When a database is opened, many of its configuration options are governed by initialization parameters. These parameters are usually governed by a file ("" in the case of Oracle DBMS), which contains many settings. The system initialization parameters address many "global" database settings, including authentication, remote access and other critical security areas. To effectively audit a database implementation, the IS auditor must examine the database initialization parameters. Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server? A. Manually copy files to accomplish replication. B. Review changes in the software version control system. Incorrect C. Ensure that developers do not have access to the backup server. D. Review the access control log of the backup server. You answered C. The correct answer is B. A. Even if replication is be conducted manually with due care, there still remains a risk to copying unauthorized software from one server to another. B. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Only moving the versions on the version control system (VCS) program will prevent the transfer of development or earlier versions. C. If unauthorized code was introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk. D. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software. A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that: Correct A. the users may not remember to manually encrypt the data before transmission. B. the site credentials were sent to the financial services company via email. C. personnel at the consulting firm may obtain access to sensitive data. D. the use of a shared user ID to the FTP site does not allow for user accountability. You are correct, the answer is A. A. If the data is not encrypted, an unauthorized external party may download sensitive company data. B. Even though the possibility exists that the logon information was captured from the emails, data should be encrypted, so the theft of the data would not allow the attacker to read it. C. Some of the employees at the consulting firm will have access to the sensitive data and the consulting firm must have procedures in place to protect the data. D. Tracing accountability is of minimal concern compared to the compromise of sensitive data. In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should: A. identify and assess the risk assessment process used by management. B. identify information assets and the underlying systems. C. disclose the threats and impacts to management. Correct D. identify and evaluate the existing controls. You are correct, the answer is D. A. The review of the risk assessment process should be done at the start of the risk analysis. Because the threats and impact have already been determined, there must already be a risk assessment process in place. B. It would be impossible to determine impact without first having identified the assets affected; therefore, this must already have been completed. C. Upon completion of a risk assessment, an IS auditor should describe and discuss with management the threats and potential impacts on the assets as well as recommendations for addressing the risk. However, this cannot be done until the controls have been identified and the likelihood of the threat has been calculated. D. It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified. The PRIMARY purpose of an IT forensic audit is: A. to participate in investigations related to corporate fraud. B. the systematic collection and analysis of evidence after a system irregularity. C. to assess the correctness of an organization's financial statements. Incorrect D. to preserve evidence of criminal activity. You answered D. The correct answer is B. A. Forensic audits are not limited to corporate fraud. B. The systematic collection and analysis of evidence best describes a forensic audit. The evidence collected could then be analyzed and used in judicial proceedings. C. Assessing the correctness of an organization's financial statements is not the primary purpose of most forensic audits. D. Forensics is the investigation of evidence related to a crime or misbehavior. Preserving evidence is the forensic process, but not the primary purpose. The sender of a public key would be authenticated by a: A. certificate revocation list (CRL). B. digital signature. Correct C. digital certificate. D. receiver's private key. You are correct, the answer is C. A. A certificate revocation list (CRL) is the list of certificates that can no longer be trusted. B. A digital signature is used to ensure integrity of the message being sent and solve the nonrepudiation issue of message origination. C. A digital certificate is an electronic document that declares a public key holder is who the holder claims to be. The certificates do handle data authentication as they are used to determine who sent a particular message. D. The sender's public key cannot be opened by any key except the sender's private key. When performing a review of a business process reengineering (BPR) effort, which of the following choices would be the PRIMARY concern? A. Controls are eliminated as part of the BPR effort. Incorrect B. Resources are not adequate to support the BPR process. C. The audit department is not involved in the BPR effort. D. The BPR effort includes employees with limited knowledge of the process area. You answered B. The correct answer is A. A. A primary risk of business process reengineering (BPR) is that controls are eliminated as part of the reengineering effort. This would be the primary concern. B. The BPR process can be a resource-intensive initiative; however, the more important issue is whether critical controls are eliminated as a result of the BPR effort. C. While BPR efforts often involve many different business functions, it would not be a significant concern if audit were not involved, and, in most cases, it would not be appropriate for audit to be involved in such an effort. D. A recommended best practice for BPR is to include individuals from all parts of the enterprise, even those with limited knowledge of the process area. Therefore, this would not be a concern. An IS auditor suspects an incident (attack) is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST? A. Request that the system be shut down to preserve evidence. B. Report the incident to management. C. Ask for immediate suspension of the suspect accounts. Incorrect D. Immediately investigate the source and nature of the incident. You answered D. The correct answer is B. A. The IS auditor should follow the incident response process of the organization. The auditor is not authorized to shut the system down. B. Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor's role to respond to incidents during an audit. C. The IS auditor is not authorized to lead the investigation or to suspend user accounts. The auditor should report the incident to management. D. Management is responsible to set up and follow an incident management plan; that is not the responsibility of the IS auditor. Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by: A. database integrity checks. B. validation checks. C. input controls. Correct D. database commits and rollbacks. You are correct, the answer is D. A. Database integrity checks are important to ensure database consistency and accuracy. These include isolation, concurrency and durability controls, but the most important issue here is atomicity—the requirement for transactions to complete entirely and commit or else roll back to the last known good point. B. Validation checks will prevent introduction of corrupt data, but will not address system failure. C. Input controls are important to protect the integrity of input data, but will not address system failure. D. Database commits ensure that the data are saved after the transaction processing is completed. Rollback ensures that the processing that has been partially completed as part of the transaction is reversed back and not saved if the entire transaction does not complete successfully. Which of the following would be evaluated as a preventive control by an IS auditor performing an audit? A. Transaction logs B. Before and after image reporting Correct C. Table lookups D. Tracing and tagging You are correct, the answer is C. A. Transaction logs are a detective control and provide audit trails. B. Before and after image reporting makes it possible to trace the impact that transactions have on computer records. This is a detective control. C. Table lookups are preventive controls; input data are checked against predefined tables, which prevent any undefined data to be entered. D. Tracing and tagging is used to test application systems and controls, but is not a preventive control in itself.