Isaca CISA Online Practice Questions and Exam Preparation

Isaca CISA Online Questions & Answers

• Question 641:

  Which of the following function in traditional EDI process is used for transmitting and receiving electronic documents between trading partners via dial up lines, public switched network or VAN?

  A. Communication handler
  B. EDI Interface
  C. Application System
  D. EDI Translator
  A. Communication handler

  ---

  Explanation

  Communication handler ?Process for transmitting and receiving electronic documents between trading partners via dial-up lines, public switched networks, multiple dedicated lines or a value added network (VAN).

  For your exam you should know below information about Traditional EDI functions.

  Moving data in a batch transmission process through the traditional EDI process generally involves three functions within each trading partner's computer system Communication handler ?Process for transmitting and receiving electronic

  documents between trading partners via dial-up lines, public switched networks, multiple dedicated lines or a value added network (VAN). VAN use computerized message switching and storage capabilities to provide electronic mailbox

  services similar to post offices. The VAN receives all the outbound transactions from an organization, sort them by destination and passes them to precipitants when they log on to check their mailbox and receive transmission.

  EDI Interface ?Interface function that manipulates and routes data between the application system and the communication handler. The interface consists of two components

  EDI Translator ?The device translates data between standard format (ANSI X12) and trading partner's propriety information.

  Application Interface ?This interface moves electronic transactions to or from the application systems and perform data mapping. Data mapping is the process by which data are extracted from EDI translation process and integrated with the

  data or process of receiving company.

  3. Application System ?The program that process the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the control for existing applications, if left unchanged, are usually

  unaffected.

  The following were incorrect answers:

  EDI Interface ?Interface function that manipulates and routes data between the application system and the communication handler.

  Application System ?The program that process the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the control for existing applications, if left unchanged, are usually

  unaffected.

  EDI Translator ?The device translates data between standard format (ANSI X12) and trading partner's propriety information.

  CISA review manual 2014 Page number 178

• Question 642:

  Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?

  A. Cross-site scripting (XSS)
  B. Copyright violations
  C. Social engineering
  D. Adverse posts about the organization
  C. Social engineering

  ---

  Explanation

  Social engineering is the manipulation of people to perform actions or divulge confidential information. It is a common technique used by attackers to gain unauthorized access to systems or data. Employees who use public social networking sites may be vulnerable to social engineering attacks, such as phishing, baiting, or pretexting, which pose the greatest risk to the organization's security. The other options are not as serious as social engineering, as they relate to web application vulnerabilities, intellectual property rights, and reputation management, which are less likely to compromise the organization's assets or operations.

  References: CISA Review Manual (Digital Version), Domain 5: Protection of Information Assets, Section 5.3 Security Awareness Training1

• Question 643:

  During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization.

  Which of the following should be recommended as the PRIMARY factor to determine system criticality?

  A. Recovery point objective (RPO)
  B. Maximum allowable downtime (MAD)
  C. Mean time to restore (MTTR)
  D. Key performance indicators (KPls)
  B. Maximum allowable downtime (MAD)

  ---

  Explanation

  The primary factor to determine system criticality is the maximum allowable downtime (MAD), which is the maximum period of time that a system can be unavailable before causing significant damage or risk to the organization. The MAD reflects the business impact and the recovery requirements of the system, and it can be used to prioritize the systems and allocate the resources for disaster recovery planning. The other options are not as important as the MAD, and they may vary depending on the system characteristics and the recovery strategy. The recovery point objective (RPO) is the maximum amount of data loss that is acceptable for a system. The mean time to restore (MTTR) is the average time required to restore a system after a failure. The key performance indicators (KPIs) are metrics that measure the performance and effectiveness of a system.

  References: CISA Review Manual (Digital Version) 1, page 468-469.

• Question 644:

  Which of the following techniques would provide the BEST assurance to an IS auditor that all necessary data has been successfully migrated from a legacy system to a modern platform?

  A. Review of logs from the migration process
  B. Data analytics
  C. Interviews with migration staff
  D. Statistical sampling
  A. Review of logs from the migration process

  ---

  Explanation

• Question 645:

  An IS auditor s role in privacy and security is to:

  A. implement risk management methodologies.
  B. verify compliance with applicable laws.
  C. assist in developing an IS security strategy.
  D. assist the governance steering committee with implementing a security policy.
  B. verify compliance with applicable laws.

  ---

  Explanation

• Question 646:

  When developing a risk-based IS audit plan, the PRIMARY focus should be on functions:

  A. considered important by IT management.
  B. with the most ineffective controls.
  C. with the greatest number of threats.
  D. considered critical to business operations.
  D. considered critical to business operations.

  ---

  Explanation

• Question 647:

  A web application is developed in-house by an organization. Which of the following would provide the BEST evidence to an IS auditor that the application is secure from external attack?

  A. Penetration test results
  B. Database application monitoring logs
  C. Code review by a third party
  D. Web application firewall implementation
  A. Penetration test results

  ---

  Explanation

• Question 648:

  If concurrent update transactions to an account are not processed properly, which of the following will be affected?

  A. Integrity
  B. Confidentiality
  C. Availability
  D. Accountability
  A. Integrity

  ---

  Explanation

• Question 649:

  Which of the following is the BEST way to prevent social engineering incidents?

  A. Ensure user workstations are running the most recent version of antivirus software.
  B. Maintain an onboarding and annual security awareness program.
  C. Include security responsibilities in job descriptions and require signed acknowledgment.
  D. Enforce strict email security gateway controls.
  B. Maintain an onboarding and annual security awareness program.

  ---

  Explanation

• Question 650:

  During the due diligence phase of an acquisition, the MOST important course of action for an information security manager would be to:

  A. review the state of security awareness
  B. perform a gap analysis
  C. perform a risk assessment
  D. review information security policies
  C. perform a risk assessment

  ---

  Explanation