Free ISACA CISA Übungsprüfungen - Seite 7 von 55

Question #61

A current project to develop IT-based solutions will need additional funding to meet changes in business requirements. Who is BEST suited to obtain this additional funding?

A . Project sponsor
B . Project manager
C . IT strategy committee
D . Board of directors

Lösung einblenden Lösung ausblenden

Question #62

The following findings are the result of an IS auditor’s post-implementation review of a newly implemented system.

Which of the following findings is of GREATEST significance?

A . A lessons-learned session was never conducted.
B . The projects 10% budget overrun was not reported to senior management.
C . Measurable benefits were not defined.
D . Monthly dashboards did not always contain deliverables.

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

A post-implementation review (PIR) is a process to evaluate whether the objectives of the project were met, determine how effectively this was achieved, learn lessons for the future, and ensure that the organisation gets the most benefit from the implementation of projects1. A PIR is an important tool for assessing the success and value of a project, as well as identifying the areas for improvement and best practices for future projects.

One of the key elements of a PIR is to measure the benefits of the project against the expected outcomes and benefits that were defined at the beginning of the project. Measurable benefits are the quantifiable and verifiable results or outcomes that the project delivers to the organisation or its stakeholders, such as increased revenue, reduced costs, improved quality, enhanced customer satisfaction, or compliance with regulations2. Measurable benefits should be aligned with the organisation’s strategy, vision, and goals, and should be SMART (specific, measurable, achievable, relevant, and time-bound).

The finding that measurable benefits were not defined is of greatest significance among the four findings, because it implies that:

The project did not have a clear and agreed-upon purpose, scope, objectives, and deliverables

The project did not have a valid and realistic business case or justification for its initiation and implementation

The project did not have a robust and effective monitoring and evaluation mechanism to track its progress, performance, and impact

The project did not have a reliable and transparent way to demonstrate its value proposition and return on investment to the organisation or its stakeholders

The project did not have a meaningful and actionable way to learn from its achievements and challenges, and to improve its processes and practices

Therefore, an IS auditor should recommend that measurable benefits are defined for any project before its implementation, and that they are reviewed and reported regularly during and after the project’s completion.

The other possible findings are:

A lessons-learned session was never conducted: This is a significant finding, but not as significant as the lack of measurable benefits. A lessons-learned session is a process of capturing and documenting the knowledge, experience, and feedback gained from a project, both positive and negative. A lessons-learned session helps to identify the strengths and weaknesses of the project management process, as well as the best practices and lessons for future projects. A lessons-learned session should be conducted at the end of each project phase or milestone, as well as at the end of the project. However, even without a formal lessons-learned session, some learning may still occur informally or implicitly among the project team members or stakeholders.

The projects 10% budget overrun was not reported to senior management: This is a significant finding, but not as significant as the lack of measurable benefits. A budget overrun is a situation where the actual cost of a project exceeds its planned or estimated cost. A budget overrun may indicate poor planning, estimation, or control of the project resources, or unexpected changes or risks that occurred during the project implementation. A budget overrun should be reported to senior management as soon as possible, along with the reasons for it and the corrective actions taken or proposed. However, a budget overrun may not necessarily affect the quality or value of the project deliverables or outcomes if they are still within acceptable standards or expectations.

Monthly dashboards did not always contain deliverables: This is a significant finding, but not as significant as the lack of measurable benefits. A dashboard is a visual tool that displays key performance indicators (KPIs) or metrics related to a project’s progress, status, or results. A dashboard helps to monitor and communicate the performance of a project to various stakeholders in a concise and clear manner. A dashboard should include deliverables as one of its components, along with other elements such as schedule, budget, quality, risks, issues, or benefits. However, even

without deliverables in monthly dashboards, some information about them may still be available from other sources such as reports or documents.

References: 1: What is Post-Implementation Review in Project Management? 2: The role & importance of the Post Implementation Review

Question #63

A business application’s database is copied to a replication server within minutes.

Which of the following processes taking place during business hours will MOST benefit from this architecture?

A . Rolling forward of transactions when a production server fails
B . Ad hoc batch reporting jobs from the replication server
C . Analysis of application performance degradation
D . Hardware replacement work involving databases

Lösung einblenden Lösung ausblenden

Question #64

An organization has implemented a distributed security administration system to replace the previous centralized one.

Which of the following presents the GREATEST potential concern?

A . Security procedures may be inadequate to support the change
B . A distributed security system is inherently a weak security system
C . End-user acceptance of the new system may be difficult to obtain
D . The new system will require additional resources

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

A distributed security administration system is a system that allows different administrators to manage the security of different parts of the network or organization. This can provide more flexibility, scalability, and efficiency than a centralized system, where one administrator is responsible for the entire security. However, a distributed security administration system also presents some potential challenges and risks, such as:

Inconsistency and conflict among different security policies and standards

Lack of coordination and communication among different administrators

Difficulty in monitoring and auditing the overall security status and performance

Increased complexity and cost of security management and maintenance

Therefore, the greatest potential concern for implementing a distributed security administration system is that the security procedures may be inadequate to support the change. Security procedures are the rules and guidelines that define how security is implemented and enforced in an organization. They include policies, standards, processes, roles, responsibilities, controls, and metrics. Security procedures should be aligned with the business objectives, risks, and requirements of the organization, as well as the best practices and regulations in the industry. Security procedures should also be reviewed and updated regularly to reflect the changes in the environment, technology, and threats.

If the security procedures are not adequate to support the change from a centralized to a distributed security administration system, the organization may face increased security risks, such as unauthorized access, data breaches, compliance violations, reputation damage, and financial losses. Therefore, it is essential to ensure that the security procedures are revised and adapted to suit the new system, and that they are communicated and enforced effectively across the organization.

References:

1: Security in Distributed System – GeeksforGeeks

2: Distributed System Security Architecture – Wikipedia

3: Distributed Systems Security: Issues, Processes and Solutions

Question #65

Which of the following findings from an IT governance review should be of GREATEST concern?

A . The IT budget is not monitored
B . All IT services are provided by third parties.
C . IT value analysis has not been completed.
D . IT supports two different operating systems.

Lösung einblenden Lösung ausblenden

Question #66

Which of the following is the MOST efficient way to identify fraudulent activity on a set of

transactions?

A . Control self-assessments (CSAs)
B . Interviews with control owners
C . Regression analysis
D . Benford’s law analysis

Lösung einblenden Lösung ausblenden

Question #67

An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company.

Which of the following would be MOST helpful In determining the effectiveness of the framework?

A . Sell-assessment reports of IT capability and maturity
B . IT performance benchmarking reports with competitors
C . Recent third-party IS audit reports
D . Current and previous internal IS audit reports

Lösung einblenden Lösung ausblenden

Question #68

Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?

A . Implement data loss prevention (DLP) software
B . Review perimeter firewall logs
C . Provide ongoing information security awareness training
D . Establish behavioral analytics monitoring

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The most effective way to identify exfiltration of sensitive data by a malicious insider is to establish behavioral analytics monitoring. Behavioral analytics is the process of analyzing the patterns and anomalies in user behavior to detect and prevent insider threats. Behavioral analytics can help identify unusual or suspicious activities, such as accessing sensitive data at odd hours, transferring large amounts of data to external devices or locations, or using unauthorized applications or protocols. Behavioral analytics can also help correlate data from multiple sources, such as network logs, user profiles, and access rights, to provide a holistic view of user activity and risk.

Data loss prevention (DLP) software is a tool that can help prevent exfiltration of sensitive data by a malicious insider, but it is not the most effective way to identify it. DLP software can block or alert on unauthorized data transfers based on predefined rules and policies, but it may not be able to detect sophisticated or stealthy exfiltration techniques, such as encryption, steganography, or data obfuscation.

Reviewing perimeter firewall logs is a way to identify exfiltration of sensitive data by a malicious insider, but it is not the most effective way. Perimeter firewall logs can show the traffic volume and destination of data transfers, but they may not be able to show the content or context of the data. Perimeter firewall logs may also be overwhelmed by the amount of normal traffic and miss the signals of malicious exfiltration.

Providing ongoing information security awareness training is a way to reduce the risk of exfiltration of sensitive data by a malicious insider, but it is not a way to identify it. Information security awareness training can help educate users on the importance of protecting sensitive data and the consequences of violating policies and regulations, but it may not deter or detect those who are intentionally or maliciously exfiltrating data.

References:

ISACA, CISA Review Manual, 27th Edition, 2019, p. 300

ISACA, CISA Review Questions, Answers & Explanations Database – 12 Month Subscription 1 Cybersecurity Engineering for Legacy Systems: 6 Recommendations – SEI Blog 2 How to Secure Your Company’s Legacy Applications – iCorps

Question #69

In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

A . integrated test facility (ITF).
B . parallel simulation.
C . transaction tagging.
D . embedded audit modules.

Lösung einblenden Lösung ausblenden

Question #70

The following findings are the result of an IS auditor’s post-implementation review of a newly implemented system.

Which of the following findings is of GREATEST significance?

A . A lessons learned session was never conducted.
B . Monthly dashboards did not always contain deliverables.
C . The project’s 10% budget overrun was not reported to senior management.
D . Measurable benefits were not defined.

Lösung einblenden Lösung ausblenden