CISA Certified Information Systems Auditor Certification Practice Test

How is the risk of improper file access affected upon implementing a database system?

Options are :

  • Risk is increased. (Correct)
  • Risk varies.
  • Risk is reduced.
  • Risk is not affected.

Answer : Risk is increased.

Why is the WAP gateway a component warranting critical concern and review for the IS auditor when auditing and testing controls enforcing message confidentiality?

Options are :

  • WAP functions as a protocol-conversion gateway for wireless TLS to Internet SSL. (Correct)
  • WAP is often configured by default settings and is thus insecure
  • WAP often interfaces critical IT systems.
  • WAP provides weak encryption for wireless traffic.

Answer : WAP functions as a protocol-conversion gateway for wireless TLS to Internet SSL.

If an IS auditor finds evidence of risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function, what is the auditor's primary responsibility?

Options are :

  • Segregation of duties is an administrative control not considered by an IS auditor.
  • To reassign job functions to eliminate potential fraud.
  • To advise senior management. (Correct)
  • To implement compensating controls

Answer : To advise senior management.

When should systems administrators first assess the impact of applications or systems patches?

Options are :

  • Within five business days following installation
  • Prior to installation (Correct)
  • Immediately following installation
  • No sooner than five business days following installation

Answer : Prior to installation

Which of the following provides the BEST single-factor authentication?

Options are :

  • Password
  • PIN
  • Token
  • Biometrics (Correct)

Answer : Biometrics

What type of fire-suppression system suppresses fire via water that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities?

Options are :

  • A deluge sprinkler system
  • A halon sprinkler system
  • A dry-pipe sprinkler system (Correct)
  • A wet-pipe system

Answer : A dry-pipe sprinkler system

When should reviewing an audit client's business plan be performed relative to reviewing an organization's IT strategic plan?

Options are :

  • Reviewing an audit client's business plan should be performed without regard to an organization's IT strategic plan.
  • Reviewing an audit client's business plan should be performed after reviewing an organization's IT strategic plan.
  • Reviewing an audit client's business plan should be performed during the review of an organization's IT strategic plan.
  • Reviewing an audit client's business plan should be performed before reviewing an organization's IT strategic plan (Correct)

Answer : Reviewing an audit client's business plan should be performed before reviewing an organization's IT strategic plan

Why does an IS auditor review an organization chart?

Options are :

  • To identify project sponsors
  • To better understand the responsibilities and authority of individuals (Correct)
  • To optimize the responsibilities and authority of individuals
  • To control the responsibilities and authority of individuals

Answer : To better understand the responsibilities and authority of individuals

What are trojan horse programs? Choose the BEST answer.

Options are :

  • A common form of Internet attack (Correct)
  • A common form of internal attack
  • Malicious programs that require the aid of a carrier program such as email
  • Malicious programs that can run independently and can propagate without the aid of a carrier program such as email

Answer : A common form of Internet attack

What is a common vulnerability, allowing denial-of-service attacks?

Options are :

  • Configuring firewall access rules
  • Lack of employee awareness of organizational security policies
  • Assigning access to users according to the principle of least privilege
  • Improperly configured routers and router access lists (Correct)

Answer : Improperly configured routers and router access lists

What type(s) of firewalls provide(s) the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic?

Options are :

  • An application-layer gateway, or proxy firewall, but not stateful-inspection firewalls
  • A circuit-level gateway
  • An application-layer gateway, or proxy firewall, and stateful-inspection firewalls (Correct)
  • A first-generation packet-filtering firewall

Answer : An application-layer gateway, or proxy firewall, and stateful-inspection firewalls

Proper segregation of duties prevents a computer operator (user) from performing security administration duties. True or false?

Options are :

  • FALSE
  • TRUE (Correct)

Answer : TRUE

Which of the following provide(s) near-immediate recoverability for time-sensitive systems and transaction processing?

Options are :

  • Parallel processing
  • Automated electronic journaling and parallel processing
  • Data mirroring and parallel processing (Correct)
  • Data mirroring

Answer : Data mirroring and parallel processing

The directory system of a database-management system describes:

Options are :

  • The access method to the data
  • The location of data AND the access method (Correct)
  • The location of data
  • Neither the location of data NOR the access method

Answer : The location of data AND the access method

What can be used to gather evidence of network attacks?

Options are :

  • Syslog reporting
  • Intrusion-detection systems (IDS) (Correct)
  • Antivirus programs
  • Access control lists (ACL)

Answer : Intrusion-detection systems (IDS)

What is an effective control for granting temporary access to vendors and external support personnel? Choose the BEST answer.

Options are :

  • Creating permanent guest accounts for temporary use
  • Creating a single shared vendor administrator account on the basis of least-privileged access
  • Creating user accounts that restrict logon access to certain hours of the day
  • Creating user accounts that automatically expire by a predetermined date (Correct)

Answer : Creating user accounts that automatically expire by a predetermined date

What can be implemented to provide the highest level of protection from external attack?

Options are :

  • Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host (Correct)
  • Configuring the firewall as a screened host behind a router
  • Configuring two load-sharing firewalls facilitating VPN access from external hosts to internal hosts
  • Configuring the firewall as the protecting bastion host

Answer : Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host

Who is responsible for implementing cost-effective controls in an automated system?

Options are :

  • Security policy administrators
  • Board of directors
  • Senior management
  • Business unit management (Correct)

Answer : Business unit management

Which of the following should an IS auditor review to determine user permissions that have been granted for a particular resource? Choose the BEST answer.

Options are :

  • Access control lists (ACL) (Correct)
  • Error logs
  • Application logs
  • Systems logs

Answer : Access control lists (ACL)

If a programmer has update access to a live system, IS auditors are more concerned with the programmer's ability to initiate or modify transactions and the ability to access production than with the programmer's ability to authorize transactions. True or false?

Options are :

  • TRUE (Correct)
  • FALSE

Answer : TRUE

Using the OSI reference model, what layer(s) is/are used to encrypt data?

Options are :

  • Data link layer
  • Transport layer
  • Session layer
  • Session and transport layers (Correct)

Answer : Session and transport layers

Who should be responsible for network security operations?

Options are :

  • IS auditors
  • Security administrators (Correct)
  • Network administrators
  • Business unit managers

Answer : Security administrators

What is a callback system?

Options are :

  • It is a remote-access control whereby the user initially connects to the network systems via dialup access, only to have the initial connection terminated by the server, which then subsequently allows the user to call back at an approved number for a limited period of time.
  • It is a remote-access system whereby the remote-access server immediately calls the user back at a predetermined number if the dial-in connection fails.
  • It is a remote-access system whereby the user's application automatically redials the remote-access server if the initial connection attempt fails
  • It is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database. (Correct)

Answer : It is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database.

In order to properly protect against unauthorized disclosure of sensitive data, how should hard disks be sanitized?

Options are :

  • The data should be low-level formatted
  • The data should be deleted and overwritten with binary 0s.
  • The data should be demagnetized. (Correct)
  • The data should be deleted.

Answer : The data should be demagnetized.

What is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption?

Options are :

  • Authenticode
  • A user certificate
  • A website certificate (Correct)
  • An organizational certificate

Answer : A website certificate

Which of the following is a passive attack method used by intruders to determine potential network vulnerabilities?

Options are :

  • SYN flood
  • Denial of service (DoS)
  • Distributed denial of service (DDoS)
  • Traffic analysis (Correct)

Answer : Traffic analysis

Which of the following can degrade network performance? Choose the BEST answer.

Options are :

  • Inefficient and superfluous use of network devices such as switches
  • Superfluous use of redundant load-sharing gateways
  • Inefficient and superfluous use of network devices such as hubs (Correct)
  • Increasing traffic collisions due to host congestion by creating new collision domains

Answer : Inefficient and superfluous use of network devices such as hubs

What process is used to validate a subject's identity?

Options are :

  • Authentication (Correct)
  • Nonrepudiation
  • Identification
  • Authorization

Answer : Authentication

What is often assured through table link verification and reference checks?

Options are :

  • Database normalcy
  • Database synchronization
  • Database accuracy
  • Database integrity (Correct)

Answer : Database integrity

What are intrusion-detection systems (IDS) primarily used for?

Options are :

  • To identify AND prevent intrusion attempts to a network
  • To identify intrusion attempts to a network (Correct)
  • Forensic incident response
  • To prevent intrusion attempts to a network

Answer : To identify intrusion attempts to a network

How do modems (modulation/demodulation) function to facilitate analog transmissions to enter a digital network?

Options are :

  • Modems encapsulate analog transmissions within digital, and digital transmissions within analog
  • Modems encapsulate digital transmissions within analog, and analog transmissions within digital
  • Modems convert digital transmissions to analog, and analog transmissions to digital
  • Modems convert analog transmissions to digital, and digital transmission to analog. (Correct)

Answer : Modems convert analog transmissions to digital, and digital transmission to analog.

When reviewing print systems spooling, an IS auditor is MOST concerned with which of the following vulnerabilities?

Options are :

  • The potential for unauthorized deletion of report copies
  • The potential for unauthorized editing of report copies
  • The potential for unauthorized printing of report copies (Correct)
  • The potential for unauthorized modification of report copies

Answer : The potential for unauthorized printing of report copies

What determines the strength of a secret key within a symmetric key cryptosystem?

Options are :

  • A combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key (Correct)
  • A combination of key length, degree of permutation, and the complexity of the data-encryption algorithm that uses the key
  • Initial input vectors and the complexity of the data-encryption algorithm that uses the key
  • A combination of key length and the complexity of the data-encryption algorithm that uses the key

Answer : A combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key

When auditing third-party service providers, an IS auditor should be concerned with which of the following? Choose the BEST answer.

Options are :

  • A statement of due care
  • Ownership of the programs and files
  • A statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster
  • Ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster (Correct)

Answer : Ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster

Digital signatures require the sender to "sign" the data by encrypting the data with the sender's public key, to then be decrypted by the recipient using the recipient's private key. True or false?

Options are :

  • FALSE
  • TRUE (Correct)

Answer : TRUE

Which of the following help(s) prevent an organization's systems from participating in a distributed denial-of-service (DDoS) attack? Choose the BEST answer.

Options are :

  • Outbound traffic filtering (Correct)
  • Inbound traffic filtering
  • Recentralizing distributed systems
  • Using access control lists (ACLs) to restrict inbound connection attempts

Answer : Outbound traffic filtering

Allowing application programmers to directly patch or change code in production programs increases risk of fraud. True or false?

Options are :

  • TRUE (Correct)
  • FALSE

Answer : TRUE

To identify project sponsors

Options are :

  • A processing audit
  • An IT security policies audit (Correct)
  • A vulnerability assessment
  • A software audit

Answer : An IT security policies audit

Which of the following is the most fundamental step in preventing virus attacks?

Options are :

  • Adopting and communicating a comprehensive antivirus policy (Correct)
  • Implementing antivirus protection software on users' desktop computers
  • Inoculating systems with antivirus code
  • Implementing antivirus content checking at all network-to-Internet gateways

Answer : Adopting and communicating a comprehensive antivirus policy

When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered. The auditor should especially focus on procedures in an audit of IS strategy. True or false?

Options are :

  • TRUE
  • FALSE (Correct)

Answer : FALSE

What supports data transmission through split cable facilities or duplicate cable facilities?

Options are :

  • Dual routing
  • Diverse routing (Correct)
  • Redundant routing
  • Alternate routing

Answer : Diverse routing
