[Feb 03, 2022] CISA Exam Dumps - ISACA Practice Test Questions [Q236-Q257]



New Real CISA Exam Dumps Questions


How to get access to the ISACA CISA Dumps

You can download PDF files of the practice test by clicking the link; VCE files are not available here. The dumps give you the confidence to pass the CISA exam by letting you download PDF dump files of the simulator and mock tests. You get CISA exam-relevant material instantly and can start preparing for the test right away.

How do you get access to the latest versions of these ISACA CISA dumps? A candidate can access them either from the website or from the mobile app. To use the website, turn on your computer, open Chrome, Firefox, Opera Mini or any other browser, find our exam dumps, download the PDF, and start working through the practice exams at any time. To use your phone, first download our mobile app from the App Store or Play Store on your iOS or Android device, then download the PDF test associated with the CISA exam and step forward to your certificate.


Target Audience

The potential candidates for the ISACA CISA certification are the information technology and information security auditors as well as control, assurance, and information security professionals. These are the specialists with expertise in the field of security and information technology. They have the competence and skills required to achieve success in the prerequisite exam.

 

NEW QUESTION 236
Which of the following protocols is PRIMARILY used to provide confidentiality in a web-based application, thus protecting data sent between a client machine and a server?

  • A. FTP
  • B. SSH
  • C. S/MIME
  • D. SSL

Answer: D

Explanation:
The Secure Sockets Layer (SSL) protocol is primarily used to provide confidentiality for information sent between clients and servers.
For your exam you should know the information below:
The Secure Sockets Layer (SSL) is a commonly used protocol for managing the security of a message transmitted over a public network such as the Internet.
SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers.
SSL is included as part of both the Microsoft and Netscape browsers and most Web server products.
Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers and became the de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network, or between program layers in the same computer. SSL uses the public- and private-key encryption system from RSA, which also includes the use of a digital certificate. SSL then uses a session key with a symmetric cipher for the bulk of the data.
TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program library, which can be downloaded for noncommercial use or licensed for commercial use.
TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.
The SSL handshake
An HTTP-based SSL connection is always initiated by the client using a URL starting with https:// instead of http://. At the beginning of an SSL session, an SSL handshake is performed. This handshake produces the cryptographic parameters of the session. A simplified overview of how the SSL handshake is processed is shown in the diagram below.
SSL Handshake
Image Reference - http://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1363-00/en_US/HTML/handshak.gif

The client sends a client "hello" message that lists the cryptographic capabilities of the client (sorted in client preference order), such as the version of SSL, the cipher suites supported by the client, and the data compression methods supported by the client. The message also contains a 28-byte random number.
The server responds with a server "hello" message that contains the cryptographic method (cipher suite) and the data compression method selected by the server, the session ID, and another random number.
Note:
The client and the server must support at least one common cipher suite, or else the handshake fails. The server generally chooses the strongest common cipher suite.
The server sends its digital certificate. (In this example, the server uses X.509 V3 digital certificates with SSL.) If the server uses SSL V3, and if the server application (for example, the Web server) requires a digital certificate for client authentication, the server sends a "digital certificate request" message. In the "digital certificate request" message, the server sends a list of the types of digital certificates supported and the distinguished names of acceptable certificate authorities.
The server sends a server "hello done" message and waits for a client response. Upon receipt of the server "hello done" message, the client (the Web browser) verifies the validity of the server's digital certificate and checks that the server's "hello" parameters are acceptable.
If the server requested a client digital certificate, the client sends a digital certificate, or if no suitable digital certificate is available, the client sends a "no digital certificate" alert. This alert is only a warning, but the server application can fail the session if client authentication is mandatory.
The client sends a "client key exchange" message. This message contains the pre-master secret, a 46-byte random number used in the generation of the symmetric encryption keys and the message authentication code (MAC) keys, encrypted with the public key of the server.
If the client sent a digital certificate to the server, the client sends a "digital certificate verify" message signed with the client's private key. By verifying the signature of this message, the server can explicitly verify the ownership of the client digital certificate.
Note:
An additional process to verify the server digital certificate is not necessary. If the server does not have the private key that belongs to the digital certificate, it cannot decrypt the pre-master secret and create the correct keys for the symmetric encryption algorithm, and the handshake fails.
The client uses a series of cryptographic operations to convert the pre-master secret into a master secret, from which all key material required for encryption and message authentication is derived. Then the client sends a "change cipher spec" message to make the server switch to the newly negotiated cipher suite.
The next message sent by the client (the "finished" message) is the first message encrypted with this cipher method and keys.
The server responds with a "change cipher spec" and a "finished" message of its own.
The SSL handshake ends, and encrypted application data can be sent.
The following answers are incorrect:
FTP - File Transfer Protocol (FTP) is a standard Internet protocol for transmitting files between computers on the Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers e-mail, FTP is an application protocol that uses the Internet's TCP/IP protocols. FTP is commonly used to transfer Web page files from their creator to the computer that acts as their server for everyone on the Internet. It's also commonly used to download programs and other files to your computer from other servers.
SSH - Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. It connects, via a secure channel over an insecure network, a server and a client running SSH server and SSH client programs, respectively.
S/MIME - S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the Rivest-Shamir-Adleman encryption system. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF).
The following reference(s) were used to create this question:
CISA review manual 2014 Page number 352
Official ISC2 guide to CISSP CBK 3rd Edition Page number 256
http://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1363-00/en_US/HTML/ss7aumst18.htm

 

NEW QUESTION 237
An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. What would be the next task?

  • A. Identify threats and likelihood of occurrence
  • B. Report the risks to the CIO and CEO immediately
  • C. Check the budget available for risk management
  • D. Examine e-business application in development

Answer: A

Explanation:
An IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to the CEO. The report should include the findings along with priorities and costs.

 

NEW QUESTION 238
Which of the following is the client organization's responsibility in a Software as a Service (SaaS) environment?

  • A. Ensuring that users are properly authorized
  • B. Detecting unauthorized access
  • C. Ensuring the data is available when needed
  • D. Preventing insertion of malicious code

Answer: A

Explanation:
Section: Information System Acquisition, Development and Implementation

 

NEW QUESTION 239
The PRIMARY advantage of a continuous audit approach is that it:

  • A. can improve system security when used in time-sharing environments that process a large number of transactions.
  • B. requires the IS auditor to review and follow up immediately on all information collected.
  • C. does not depend on the complexity of an organization's computer systems.
  • D. does not require an IS auditor to collect evidence on system reliability while processing is taking place.

Answer: A

Explanation:
Section: Protection of Information Assets
The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques depends on the complexity of an organization's computer systems.

 

NEW QUESTION 240
In an online banking application, which of the following would BEST protect against identity theft?

  • A. Restricting the user to a specific terminal
  • B. Two-factor authentication
  • C. Encryption of personal password
  • D. Periodic review of access logs

Answer: B

Explanation:
Section: Protection of Information Assets
Two-factor authentication requires two independent methods for establishing identity and privileges. Factors include something you know, such as a password; something you have, such as a token; and something you are, which is biometric. Requiring two of these factors makes identity theft more difficult. A password could be guessed or broken. Restricting the user to a specific terminal is not a practical alternative for an online application. Periodic review of access logs is a detective control and does not protect against identity theft.

 

NEW QUESTION 241
An organization's disposal policy emphasizes obtaining maximum value for surplus IT media. The IS auditor should obtain assurance that:

  • A. the media is returned to the vendor for credit
  • B. identification labels are removed
  • C. the media is recycled to other groups within the organization
  • D. any existing data is removed before disposal

Answer: C

Explanation:
Section: The process of Auditing Information System

 

NEW QUESTION 242
Which of the following e-commerce models covers all the transactions between companies and government organizations?

  • A. B-to-G relationships
  • B. B-to-E relationships
  • C. B-to-C relationships
  • D. B-to-B relationships

Answer: A

Explanation:
Section: Information System Acquisition, Development and Implementation
Business-to-Government (B-to-G) relationships cover all the transactions between companies and government organizations. Currently this category is in its infancy, but it could expand quite rapidly as governments use their own operations to promote awareness and growth of e-commerce. In addition to public procurement, administrations may also offer the option of electronic interchange for such transactions as VAT returns and the payment of corporate taxes.
For the CISA exam you should know the e-commerce models below:
Business-to-Consumer (B-to-C) relationships - The greatest potential power of e-commerce comes from its ability to redefine relationships with customers by creating a new, convenient, low-cost channel to transact business. Companies can tailor their marketing strategies to an individual customer's needs and wants. As more of its business shifts online, a company will have an enhanced ability to track how its customers interact with it.
Business-to-Business (B-to-B) relationships - The relationship among the selling services of two or more businesses opens up the possibility of re-engineering business processes across the boundaries that have traditionally separated external entities from each other. Because of the ease of access and the ubiquity of the Internet, for example, companies can build business processes that combine previously separated activities. The result is a faster, higher-quality and lower-cost set of transactions. The market has even created a subdivision of B-to-B called business-to-small-business (B-to-SB) relationships.
Business-to-Employee (B-to-E) relationships - Web technologies also assist in the dissemination of information to and among an organization's employees.
Business-to-Government (B-to-G) relationships - Cover all the transactions between companies and government organizations. Currently this category is in its infancy, but it could expand quite rapidly as governments use their own operations to promote awareness and growth of e-commerce. In addition to public procurement, administrations may also offer the option of electronic interchange for such transactions as VAT returns and the payment of corporate taxes.
The following were incorrect answers:
The other options presented do not cover all transactions between companies and government organizations.
The following reference(s) were used to create this question:
CISA review manual 2014 Page number 175

 

NEW QUESTION 243
Which of the following should be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization's business-critical server hardware?

  • A. Preventive maintenance costs exceed the business allocated budget.
  • B. Preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs).
  • C. The preventive maintenance schedule is based on mean time between failures (MTBF) parameters.
  • D. Preventive maintenance has not been approved by the information system owner.

Answer: B

 

NEW QUESTION 244
A recent audit concluded that an organization's information security system was weak and that monitoring would likely fail to detect penetration. Which of the following would be the MOST appropriate recommendation?

  • A. Establish a clear policy related to security and the handling of sensitive data
  • B. Encrypt sensitive data while strengthening the system
  • C. Identify and periodically remove sensitive data that is no longer needed
  • D. Look continually for new criminal behavior and attacks on sensitive data

Answer: B

 

NEW QUESTION 245
Users are issued security tokens to be used in combination with a PIN to access the corporate virtual private network (VPN). Regarding the PIN, what is the MOST important rule to be included in a security policy?

  • A. Users must never keep the token in the same bag as their laptop computer
  • B. Users should select a PIN that is completely random, with no repeating digits
  • C. Users should never write down their PIN
  • D. Users should not leave tokens where they could be stolen

Answer: C

Explanation:
If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. Together, the token and the PIN form a two-factor authentication method.
Access to the token is of no value without the PIN; one cannot work without the other. The PIN does not need to be random as long as it is secret.

 

NEW QUESTION 246
When conducting a penetration test of an IT system, an organization should be MOST concerned with:

  • A. the confidentiality of the report.
  • B. logging all changes made to the production system.
  • C. restoring all systems to the original state.
  • D. finding all possible weaknesses on the system.

Answer: C

Explanation:
All suggested items should be considered by the system owner before agreeing to penetration tests, but the most important task is to be able to restore all systems to their original state. Information that is created and/or stored on the tested systems should be removed from these systems. If for some reason, at the end of the penetration test, this is not possible, all files (with their location) should be identified in the technical report so that the client's technical staff will be able to remove these after the report has been received.

 

NEW QUESTION 247
Which of the following devices in the Frame Relay WAN technique is generally a customer-owned device that provides connectivity between the company's own network and the frame relay network?

  • A. DLE
  • B. DTE
  • C. DME
  • D. DCE

Answer: B

Explanation:
Section: Information System Operations, Maintenance and Support
Data Terminal Equipment (DTE) - Usually a customer-owned device that provides connectivity between the company's own network and the frame relay network.
For your exam you should know the information below about WAN technologies:
Point-to-Point Protocol
PPP (Point-to-Point Protocol) is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. For example, your Internet service provider may provide you with a PPP connection so that the provider's server can respond to your requests, pass them on to the Internet, and forward your requested Internet responses back to you.
PPP uses the Internet Protocol (IP) (and is designed to handle other protocols as well). It is sometimes considered a member of the TCP/IP suite of protocols. Relative to the Open Systems Interconnection (OSI) reference model, PPP provides layer 2 (data-link layer) service. Essentially, it packages your computer's TCP/IP packets and forwards them to the server where they can actually be put on the Internet.
PPP is a full-duplex protocol that can be used on various physical media, including twisted pair or fiber optic lines or satellite transmission. It uses a variation of High-Level Data Link Control (HDLC) for packet encapsulation.
PPP is usually preferred over the earlier de facto standard Serial Line Internet Protocol (SLIP) because it can handle synchronous as well as asynchronous communication. PPP can share a line with other users and it has error detection that SLIP lacks. Where a choice is possible, PPP is preferred.

X.25
X.25 is an ITU-T standard protocol suite for packet-switched wide area network (WAN) communication.
X.25 is a packet-switching technology which uses carrier switches to provide connectivity for many different networks.
Subscribers are charged based on the amount of bandwidth they use. Data are divided into 128-byte packets and encapsulated in High-Level Data Link Control (HDLC).
X.25 works at the network and data link layers of the OSI model.

Frame Relay
Works as packet switching.
Operates at the data link layer of the OSI model.
Companies that pay more to ensure that a higher level of bandwidth will always be available pay a committed information rate (CIR).
Two main types of equipment are used in Frame Relay:
1. Data Terminal Equipment (DTE) - Usually a customer-owned device that provides connectivity between the company's own network and the frame relay network.
2. Data Circuit Terminal Equipment (DCE) - Service provider device that does the actual data transmission and switching in the frame relay cloud.
The frame relay cloud is the collection of DCE that provides switching and data communication functionality. Frame relay is an any-to-any service.

Integrated Services Digital Network (ISDN)
Enables data, voice and other types of traffic to travel in a digital manner over a medium previously used only for analog voice transmission.
Runs on top of the Plain Old Telephone System (POTS); the same copper telephone wire is used.
Provides a digital point-to-point circuit-switching medium.

Asynchronous Transfer Mode (ATM)
Uses the cell switching method.
High-speed network technology used for LAN, MAN and WAN.
Like frame relay, it is a connection-oriented technology which creates and uses a fixed channel. Data are segmented into fixed-size cells of 53 bytes. Some companies have replaced FDDI back-ends with ATM.

Multiprotocol Label Switching (MPLS)
Multiprotocol Label Switching (MPLS) is a standards-approved technology for speeding up network traffic flow and making it easier to manage. MPLS involves setting up a specific path for a given sequence of packets, identified by a label put in each packet, thus saving the time needed for a router to look up the address of the next node to forward the packet to.
MPLS is called multiprotocol because it works with the Internet Protocol (IP), Asynchronous Transfer Mode (ATM), and frame relay network protocols.
In reference to the Open Systems Interconnection (OSI) model, MPLS allows most packets to be forwarded at the Layer 2 (switching) level rather than at the Layer 3 (routing) level.
In addition to moving traffic faster overall, MPLS makes it easy to manage a network for quality of service (QoS). For these reasons, the technique is expected to be readily adopted as networks begin to carry more and different mixtures of traffic.

The following answers are incorrect:
DCE - Data Circuit Terminal Equipment (DCE) is a service provider device that does the actual data transmission and switching in the frame relay cloud.
DME - Not a valid frame relay technique
DLE - Not a valid frame relay technique
Reference:
CISA review manual 2014 page number 266

 

NEW QUESTION 248
An organization has implemented a control to help ensure databases containing personal information will not be updated with online transactions that are incomplete due to connectivity issues. Which of the following information attributes is PRIMARILY addressed by this control?

  • A. Availability
  • B. Integrity
  • C. Confidentiality
  • D. Compliance

Answer: A

 

NEW QUESTION 249
An IS auditor is reviewing a project that is using an Agile software development approach. Which of the following should the IS auditor expect to find?

  • A. Post-iteration reviews that identify lessons learned for future use in the project
  • B. Use of a process-based maturity model such as the capability maturity model (CMM)
  • C. Regular monitoring of task-level progress against schedule
  • D. Extensive use of software development tools to maximize team productivity

Answer: A

Explanation:
Explanation/Reference:
Explanation:
A key tenet of the Agile approach to software project management is team learning and the use of team learning to refine project management and software development processes as the project progresses.
One of the best ways to achieve this is that, at the end of each iteration, the team considers and documents what worked well and what could have worked better, and identifies improvements to be implemented in subsequent iterations. CMM and Agile really sit at opposite poles. CMM places heavy emphasis on predefined formal processes and formal project management and software development deliverables. Agile projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics.
Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from 4 to 8 weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant. Agile projects do make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance.

 

NEW QUESTION 250
A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a:

  • A. check digits.
  • B. reasonableness check.
  • C. redundancy check.
  • D. parity check.

Answer: C

Explanation:
A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data.

 

NEW QUESTION 251
Which of the following terms in business continuity defines the total amount of time that a business process can be disrupted without causing any unacceptable consequences?

  • A. RTO
  • B. MTD
  • C. RPO
  • D. WRT

Answer: B

Explanation:
Section: Information System Operations, Maintenance and Support
The sum of RTO and WRT is defined as the Maximum Tolerable Downtime (MTD), which defines the total amount of time that a business process can be disrupted without causing any unacceptable consequences.
This value should be defined by the business management team or someone like the CTO, CIO or IT manager.
For your exam you should know the information below about RPO, RTO, WRT and MTD:
Stage 1: Business as usual

At this stage all systems are running production and working correctly.
Stage 2: Disaster occurs

At a given point in time, a disaster occurs and systems need to be recovered. At this point the Recovery Point Objective (RPO) determines the maximum acceptable amount of data loss measured in time. For example, the maximum tolerable data loss is 15 minutes.
Stage 3: Recovery

At this stage the systems are recovered and back online but not ready for production yet. The Recovery Time Objective (RTO) determines the maximum tolerable amount of time needed to bring all critical systems back online. This covers, for example, restoring data from backup or fixing a failure. In most cases this part is carried out by the system administrator, network administrator, storage administrator, etc.
Stage 4: Resume Production

At this stage all systems are recovered, the integrity of the systems or data is verified, and all critical systems can resume normal operations. The Work Recovery Time (WRT) determines the maximum tolerable amount of time that is needed to verify the system and/or data integrity. This could be, for example, checking the databases and logs and making sure the applications or services are running and available. In most cases those tasks are performed by the application administrator, database administrator, etc. When all systems affected by the disaster are verified and/or recovered, the environment is ready to resume production.
MTD

The sum of RTO and WRT is defined as the Maximum Tolerable Downtime (MTD), which defines the total amount of time that a business process can be disrupted without causing any unacceptable consequences.
This value should be defined by the business management team or someone like the CTO, CIO or IT manager.
The following answers are incorrect:
RPO - Recovery Point Objective (RPO) determines the maximum acceptable amount of data loss measured in time. For example, the maximum tolerable data loss is 15 minutes.
RTO - The Recovery Time Objective (RTO) determines the maximum tolerable amount of time needed to bring all critical systems back online. This covers, for example, restoring data from backup or fixing a failure. In most cases this part is carried out by the system administrator, network administrator, storage administrator, etc.
WRT - The Work Recovery Time (WRT) determines the maximum tolerable amount of time that is needed to verify the system and/or data integrity. This could be, for example, checking the databases and logs and making sure the applications or services are running and available. In most cases those tasks are performed by the application administrator, database administrator, etc. When all systems affected by the disaster are verified and/or recovered, the environment is ready to resume production.
Reference:
CISA review manual 2014 page number 284
http://defaultreasoning.com/2013/12/10/rpo-rto-wrt-mtdwth/

 

NEW QUESTION 252
An organization needs to comply with data privacy regulations forbidding the display of personally identifiable information (PII) on customer bills or receipts. However, it is a business requirement to display at least one attribute so that customers can verify the bills or receipts are intended for them. What is the BEST recommendation?

  • A. Data tokenization
  • B. Data encryption
  • C. Data sanitization
  • D. Data masking

Answer: B

 

NEW QUESTION 253
During the development of an application, the quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be:

  • A. inadequate functional testing.
  • B. increased maintenance.
  • C. delays in problem resolution.
  • D. improper documentation of testing.

Answer: A

Explanation:
The major risk of combining quality assurance testing and user acceptance testing is that functional testing may be inadequate. Choices A, B and D are not as important.

 

NEW QUESTION 254
Due to the small size of the payroll department, an organization is unable to segregate the employee setup and payroll processing functions. Which of the following would be the BEST compensating control for the lack of segregation of duties?

  • A. A review is conducted to verify that terminated employees are removed from the employee master file.
  • B. A payroll variance report is reviewed for anomalies every pay period.
  • C. The system is configured to require secondary approval for changes to the employee master file
  • D. An independent payroll disbursement review is conducted

Answer: D

 

NEW QUESTION 255
An organization has agreed to perform remediation related to high risk audit findings. The remediation process involves a complex reorganization of user roles as well as the implementation of several compensating controls that may not be completed within the next audit cycle. Which of the following is the BEST way for an IS auditor to follow up on the activities?

  • A. Continue to audit the failed controls according to the audit schedule.
  • B. Review the progress of remediation on a regular basis.
  • C. Provide management with a remediation timeline and verify adherence.
  • D. Schedule a review of the controls after the projected remediation date.

Answer: C

Explanation:
Section: The process of Auditing Information System

 

NEW QUESTION 256
Which of the following BEST restricts users to those functions needed to perform their duties?

  • A. Data encryption
  • B. Application level access control
  • C. Disabling floppy disk drives
  • D. Network monitoring device

Answer: B

Explanation:
The use of application-level access control programs is a management control that restricts access by limiting users to only those functions needed to perform their duties. Data encryption and disabling floppy disk drives can restrict users to specific functions, but are not the best choices. A network monitoring device is a detective control, not a preventive control.

 

NEW QUESTION 257
......

CISA Certification Exam Dumps Questions in here: https://drive.google.com/open?id=1bja11X3Elf1tovp4GZv23DcCU6OtA9bd

Pass Your CISA Exam Easily with Accurate PDF Questions: https://www.passleadervce.com/Isaca-Certification/reliable-CISA-exam-learning-guide.html