Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 171:

  Which of the following would BEST help lo support an auditor's conclusion about the effectiveness of an implemented data classification program?

  A. Purchase of information management tools
  B. Business use cases and scenarios
  C. Access rights provisioned according to scheme
  D. Detailed data classification scheme
  C. Access rights provisioned according to scheme

  ---

  Explanation

  Access rights provisioned according to scheme would best help to support an auditor's conclusion about the effectiveness of an implemented data classification program. This would indicate that the data classification program has been properly implemented and enforced, and that the data is protected according to its sensitivity and value. The other options are not sufficient to demonstrate the effectiveness of a data classification program, as they do not show how the data is actually accessed and used by authorized users.

  References: CISA Review Manual (Digital Version), Chapter 6, Section 6.2.31 CISA Review Questions, Answers and Explanations Database, Question ID 2042

• Question 172:

  The MOST important function of a business continuity plan is to:

  A. ensure that the critical business functions can be recovered
  B. provide procedures for evaluating tests of the business continuity plan
  C. provide a schedule of events that has to occur if there is a disaster
  D. ensure that all business functions are restored
  A. ensure that the critical business functions can be recovered

  ---

  Explanation

• Question 173:

  Which of the following is MOST important to consider when reviewing an organization's defined data backup and restoration procedures?

  A. Business continuity plan (BCP)
  B. Recovery point objective (RPO)
  C. Mean time to restore (MTTR)
  D. Mean time between failures (MTBF)
  B. Recovery point objective (RPO)

  ---

  Explanation

  A recovery point objective (RPO) is the maximum acceptable amount of data loss after an unplanned data-loss incident, expressed as an amount of time. This is generally thought of as the point in time before the event at which data can be successfully recovered ?that is, the time elapsed since the most recent reliable backup1. RPOs are important to consider when reviewing an organization's defined data backup and restoration procedures, because they determine how frequently the organization needs to perform backups, and how much data it can afford to lose in case of a disaster. RPOs are usually defined based on the business impact and criticality of the data, as well as the compliance and regulatory requirements. For example, a financial institution may have a very low RPO (such as a few minutes or seconds) for its transactional data, while a research institute may have a higher RPO (such as a few hours or days) for its experimental data. The other possible options are:

  A. Business continuity plan (BCP): A BCP is a document that outlines how an organization will continue to operate or resume its critical functions and processes in the event of a disruption or disaster. A BCP includes various elements, such as risk assessment, business impact analysis, recovery strategies, roles and responsibilities, communication plan, and testing and maintenance. A BCP is related to an organization's defined data backup and restoration procedures, but it is not the most important factor to consider when reviewing them. A BCP defines the recovery objectives and strategies for the entire organization, while the data backup and restoration procedures are more specific and technical in nature.

  C. Mean time to restore (MTTR): MTTR is a metric that measures the average time it takes to restore a system or service after a failure or outage. MTTR is an indicator of the efficiency and effectiveness of an organization's recovery process, as well as the availability and reliability of its systems or services. MTTR is related to an organization's defined data backup and restoration procedures, but it is not the most important factor to consider when reviewing them. MTTR reflects the actual performance of the recovery process, while the data backup and restoration procedures define the expected steps and actions for the recovery process.

  D. Mean time between failures (MTBF): MTBF is a metric that measures the average time between failures or outages of a system or service. MTBF is an indicator of the quality and durability of an organization's systems or services, as well as their susceptibility to failures or outages. MTBF is related to an organization's defined data backup and restoration procedures, but it is not the most important factor to consider when reviewing them. MTBF reflects the potential frequency of failures or outages, while the data backup and restoration procedures define the contingency plans for failures or outages.

• Question 174:

  Which of the following could an IS auditor recommend to improve the estimated resources required in system development?

  A. Business areas involvement
  B. Prototyping
  C. Function point analysis
  D. CASE tools
  C. Function point analysis

  ---

  Explanation

• Question 175:

  Which of the following focus areas is a responsibility of IT management rather than IT governance?

  A. IT controls implementation
  B. Risk optimization
  C. IT resource optimization
  D. Benefits realization
  A. IT controls implementation

  ---

  Explanation

• Question 176:

  In which phase of the audit life cycle process should an IS auditor initially discuss observations with management?

  A. Planning phase
  B. Reporting phase
  C. Follow-up phase
  D. Fieldwork phase
  D. Fieldwork phase

  ---

  Explanation

  Explanation Comprehensive and Detailed Step-by-Step Audit findings should be communicated as early as possible to avoid misunderstandings, provide an opportunity for corrective action, and ensure transparency. Option A (Incorrect):The planning phase involves defining audit scope, objectives, and methodology, but findings are not yet available to discuss with management. Option B (Incorrect):The reporting phase formalizes audit results, but discussing issuesonlyat this stage may lead to delays in corrective action. Option C (Incorrect):The follow-up phase ensures that management has implemented corrective actions, but this occursafterthe initial discussion of findings. Option D (Correct):The fieldwork phase is when auditors activelygather evidence, analyze data, and identify issues. Discussing observationsduringthis phase allows for immediate clarification, validation, and resolution of misunderstandings before the final report.

  ISACA CISA Review Manual -Domain 1: Information Systems Auditing Process?Discusses audit engagement, reporting, and communication best practices.

• Question 177:

  In a follow-up audit, an IS auditor notes that management has addressed the original findings in a different way than originally agreed upon. The auditor should FIRST:

  A. mark the recommendation as satisfied and close the finding
  B. verify if management's action mitigates the identified risk
  C. re-perform the audit to assess the changed control environment
  D. escalate the deviation to the audit committee
  D. escalate the deviation to the audit committee

  ---

  Explanation

• Question 178:

  You are part of a security staff at a highly profitable bank and each day, all traffic on the network is logged for later review. Every Friday when major deposits are made you're seeing a series of bits placed in the "Urgent Pointer" field of a TCP packet. This is only 16 bits which isn't much but it concerns you because:

  A. This could be a sign of covert channeling in bank network communications and should be investigated.
  B. It could be a sign of a damaged network cable causing the issue.
  C. It could be a symptom of malfunctioning network card or drivers and the source system should be checked for the problem.
  D. It is normal traffic because sometimes the previous fields 16-bit checksum value can over run into the urgent pointer's 16-bit field causing the condition.
  A. This could be a sign of covert channeling in bank network communications and should be investigated.

  ---

  Explanation

  The Urgent Pointer is used when some information has to reach the server ASAP. When the TCP/IP stack at the other end sees a packet using the Urgent Pointer set, it is duty bound to stop all ongoing activities and immediately send this packet up the stack for immediate processing. Since the packet is plucked out of the processing queue and acted upon immediately, it is known as an Out Of Band (OOB)packet and the data is called Out Of Band (OOB) data.

  The Urgent Pointer is usually used in Telnet, where an immediate response (e.g. the echoing of characters) is desirable.

  Covert Channels are not directly synonymous with backdoors. A covert channel is simply using a communication protocol in a way it was not intended to be used or sending data without going through the proper access control mechanisms or channels. For example, in a Mandatory Access Control systems a user at secret has found a way to communicate information to a user at Confidential without going through the normal channels.

  In this case the Urgent bit could be used for a few reasons:

  1. It could be to attempt a Denial of service where the host receiving a packet with the Urgent bit set will give immediate attention to the request and will be in wait state until the urgent message is receive, if the sender does not send the urgent message then it will simply sit there doing nothing until it times out. Some of the TCP/IP stacks used to have a 600 seconds time out, which means that for 10 minutes nobody could use the port. By sending thousands of packet with the URGENT flag set, it would create a very effective denial of service attack.

  2. It could be used as a client server application to transmit data back and forward without going through the proper channels. It would be slow but it is possible to use reserved fields and bits to transmit data outside the normal communication channels.

  The other answers are incorrect

  http://www.fas.org/irp/nsa/rainbow/tg030.htm document covering the subject of covert channels and also see: http://gray-world.net/papers.shtml which is a large collection of documents on Covert Channels

• Question 179:

  Which of the following is an IS auditor's MOST important step in a privacy audit?

  A. Assess the controls in place for data management.
  B. Determine whether privacy training is being conducted for employees.
  C. Review third-party agreements for adequate personally identifiable information (PII) protection measures.
  D. Analyze all stages of the personally identifiable information (PII) data life cycle to identify potential risks.
  D. Analyze all stages of the personally identifiable information (PII) data life cycle to identify potential risks.

  ---

  Explanation

  Explanation

• Question 180:

  During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

  A. Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.
  B. Review compliance with data loss and applicable mobile device user acceptance policies.
  C. Verify the data loss prevention (DLP) tool is properly configured by the organization.
  D. Verify employees have received appropriate mobile device security awareness training.
  B. Review compliance with data loss and applicable mobile device user acceptance policies.

  ---

  Explanation

  The best way to validate that appropriate security controls are in place to prevent data loss is to review compliance with data loss and applicable mobile device user acceptance policies. This will ensure that the organization has established clear rules and guidelines for employees to follow when connecting their personal devices to company- owned computers. A walk-through, a DLP tool configuration, and a security awareness training are not sufficient to validate the effectiveness of the controls, as they may not cover all possible scenarios and risks.

  References: IT Audit Fundamentals Certificate Resources