Free ISACA CISA Übungsprüfungen - Seite 8 von 55

Question #71

An IS auditor is assigned to perform a post-implementation review of an application system.

Which of the following would impair the auditor’s independence?

A . The auditor implemented a specific control during the development of the system.
B . The auditor provided advice concerning best practices.
C . The auditor participated as a member of the project team without operational responsibilities
D . The auditor designed an embedded audit module exclusively for audit

Lösung einblenden Lösung ausblenden

Question #72

An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule.

What should the auditor do NEXT?

A . Interview IT management to clarify the current procedure.
B . Report this finding to senior management.
C . Review the organization’s patch management policy.
D . Request a plan of action to be established as a follow-up item.

Lösung einblenden Lösung ausblenden

Question #73

Which of the following is MOST helpful to an IS auditor reviewing the alignment of planned IT budget with the organization’s goals and strategic objectives?

A . Enterprise architecture (EA)
B . Business impact analysis (BIA)
C . Risk assessment report
D . Audit recommendations

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

Enterprise architecture (EA) is the most helpful to an IS auditor reviewing the alignment of planned IT budget with the organization’s goals and strategic objectives. EA is a well-defined practice for conducting enterprise analysis, design, planning, and implementation, using a comprehensive approach at all times, for the successful development and execution of strategy1. EA provides a blueprint for an effective IT strategy and guides the controlled evolution of IT in a way that delivers business benefit in a cost-effective way2. By reviewing the EA, the IS auditor can evaluate how well the planned IT budget supports the business vision, strategy, objectives, and capabilities of the organization.

The other options are not as helpful as EA for reviewing the alignment of planned IT budget with the

organization’s goals and strategic objectives. BIA is a process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption3. BIA quantifies the impacts of disruptions on service delivery, risks to service delivery, and recovery time objectives (RTOs) and recovery point objectives (RPOs)3. BIA is useful for developing strategies, solutions, and plans for business continuity and disaster recovery, but it does not directly address the alignment of planned IT budget with the organization’s goals and strategic objectives. Risk assessment report is a document that contains the results of performing a risk assessment or the formal output from the process of assessing risk4. Risk assessment is a method to identify, analyze, and control hazards and risks present in a situation or a place5. Risk assessment report is useful for identifying and mitigating potential threats and issues that are detrimental to the business or an enterprise, but it does not directly address the alignment of planned IT budget with the organization’s goals and strategic objectives. Audit recommendations are guidance that highlights actions to be taken by management6. When implemented, process risks should be mitigated, and performance should be enhanced6. Audit recommendations are useful for improving the quality and reliability of the information system and its outputs, but they do not directly address the alignment of planned IT budget with the organization’s goals and strategic objectives. Therefore, option A is the correct answer.

Question #74

Capacity management enables organizations to:

A . forecast technology trends
B . establish the capacity of network communication links
C . identify the extent to which components need to be upgraded
D . determine business transaction volumes.

Lösung einblenden Lösung ausblenden

Question #75

Which of the following is the BEST way to ensure that an application is performing according to its specifications?

A . Unit testing
B . Pilot testing
C . System testing
D . Integration testing

Lösung einblenden Lösung ausblenden

Question #76

An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available.

What should the auditor recommend be done FIRST?

A . Implement a new system that can be patched.
B . Implement additional firewalls to protect the system.
C . Decommission the server.
D . Evaluate the associated risk.

Lösung einblenden Lösung ausblenden

Question #77

Which of the following is MOST important when creating a forensic image of a hard drive?

A . Requiring an independent third party be present while imaging
B . Securing a backup copy of the hard drive
C . Generating a content hash of the hard drive
D . Choosing an industry-leading forensics software tool

Lösung einblenden Lösung ausblenden

Question #78

Which of the following presents the GREATEST risk of data leakage in the cloud environment?

A . Lack of data retention policy
B . Multi-tenancy within the same database
C . Lack of role-based access
D . Expiration of security certificate

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

Multi-tenancy within the same database (B) presents the greatest risk of data leakage in the cloud environment, because it means that multiple customers share the same physical database and resources. This can lead to data isolation and security issues, such as unauthorized access, cross-tenant attacks, or data leakage due to misconfiguration or human error. To prevent data leakage in a multi-tenant database, cloud providers need to implement strict access control policies, encryption, isolation mechanisms, and auditing tools.

Lack of data retention policy (A) is not the greatest risk of data leakage in the cloud environment, because it mainly affects the availability and compliance of data, not its confidentiality or integrity. Data retention policy defines how long data should be stored and when it should be deleted or archived. Without a data retention policy, cloud customers may face legal or regulatory issues, storage costs, or performance degradation.

Lack of role-based access © is not the greatest risk of data leakage in the cloud environment, because it can be mitigated by implementing proper authentication and authorization mechanisms. Role-based access control (RBAC) is a security model that assigns permissions and privileges to users based on their roles and responsibilities. Without RBAC, cloud customers may face unauthorized access, privilege escalation, or data misuse.

Expiration of security certificate (D) is not the greatest risk of data leakage in the cloud environment, because it can be easily detected and renewed. A security certificate is a digital document that verifies the identity and authenticity of a website or service. It also enables secure communication using encryption. If a security certificate expires, it may cause trust issues, warning messages, or connection errors, but not necessarily data leakage.

References:

7 Ways to Prevent Data Leaks in the Cloud | OTAVA®

An analysis of data leakage and prevention techniques in cloud environment

Question #79

Which of the following should be an IS auditor’s PRIMARY consideration when determining which issues to include in an audit report?

A . Professional skepticism
B . Management’s agreement
C . Materiality
D . Inherent risk

Lösung einblenden Lösung ausblenden

Question #80

Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?

A . Hash totals
B . Online review of description
C . Comparison to historical order pattern
D . Self-checking digit

Lösung einblenden Lösung ausblenden