[Nov 23, 2021] Reliable CISA Exam Tips Test Pdf Exam Material
New 2021 CISA Test Tutorial (Updated 973 Questions)
Further Certification Path after Passing CISA Exam
Once IT specialists manage to get the passing score in the CISA certification exam they can move forward to leverage their skills with more advanced ISACA certificates. Therefore, they can take the CRISC certification exam that helps them become certified professionals in Risk and Information Systems Control. Another certification that successful ISACA CISA certified specialists can take is the CISM or Certified Information Security Manager.
Conclusion
The CISA exam is an instrumental credential for IT generalists wanting to move into the audit field and for IT auditors who want to climb the career ladder. With a pass in this ISACA certification, you become an in-demand specialist with a validated skillset and proven IT/IS audit expertise. So, get started with your preparation by utilizing the resources mentioned above and earn this endorsement.
NEW QUESTION 118
An IS auditor reviewing the acquisition of new equipment would consider which of the following to be a significant weakness?
- A. The closing date for responses was extended after a request from potential vendors.
- B. Independent consultants prepared the request for proposal (RFP) documents.
- C. Evaluation criteria were finalized after the initial assessment of responses.
- D. Staff involved in the evaluation were aware of the vendors being evaluated.
Answer: C
Explanation:
Section: Information System Acquisition, Development and Implementation
NEW QUESTION 119
In which of the following payment models does an issuer attempt to emulate physical cash by creating digital certificates, which are purchased by users who redeem them with the issuer at a later date?
- A. Electronic withdrawal model
- B. Electronic check model
- C. Electronic transfer model
- D. Electronic Money Model
Answer: D
Explanation:
Section: Information System Acquisition, Development and Implementation
In the electronic money model the issuer emulates physical cash by creating digital certificates, which users purchase and later redeem with the issuer. In the interim, certificates can be transferred among users to pay for goods or services. For the certificate to take on some of the attributes of physical cash, certain techniques (blind signatures are the classic one) are used so that when a certificate is deposited, the issuer cannot determine who originally withdrew it. This gives the electronic certificate unconditional untraceability.
For the CISA exam you should know the following about payment systems:
There are two types of parties involved in all payment systems: the issuer and the user. An issuer is an entity that operates the payment service and holds the items that the payment represents. The user of the payment service performs two main functions, making payments and receiving payments, and can therefore be described as a payer or a payee respectively.
Electronic Money Model - The objective of electronic money systems is to emulate physical cash. An issuer attempts to do this by creating digital certificates, which are then purchased by users who redeem them with the issuer at a later date. In the interim, certificates can be transferred among users to trade for goods or services. For the certificate to take on some of the attributes of physical cash, certain techniques are used so that when a certificate is deposited, the issuer cannot determine the original withdrawer of the certificate. This provides an electronic certificate with unconditional untraceability.
Electronic Check Model - Electronic check systems model real-world checks quite well and are thus relatively simple to understand and implement. A user writes an electronic check, which is a digitally signed instruction to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer verifies the payer's signature on the payment and transfers the funds from the payer's account to the payee's account.
Electronic Transfer Model - Electronic transfer systems are the simplest of the three payment models. The payer creates a payment transfer instruction, signs it digitally and sends it to the issuer. The issuer verifies the signature on the request and performs the transfer. This type of system requires the payer, but not the payee, to be online.
The following were incorrect answers:
Electronic Check Model - The payee deposits the payer's digitally signed instruction to pay with the issuer, who sees exactly which account paid which; nothing cash-like changes hands.
Electronic Transfer Model - The payer sends a signed transfer instruction directly to the issuer; again there is no transferable certificate.
Electronic Withdrawal Model - Not a valid type of payment system.
Reference:
CISA review manual 2014 Page number 183
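The property that makes the electronic money model cash-like is that the issuer signs a certificate at withdrawal time yet cannot recognise it at deposit time. The Python below is an added example, not code from the CISA Review Manual or from any real payment system, implementing that property with an RSA blind signature (Chaum's construction). The toy issuer key is built from two real Mersenne primes so the script runs offline; the key size, the serial-number format and the names `Issuer`, `withdraw` and `coin_digest` are assumptions made for this example. The double-spend check at deposit is also an addition the manual's text does not describe.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key for an offline demo: two real Mersenne primes (2^61-1 and 2^89-1).
# A production issuer would use a 2048-bit or larger RSA key; these sizes are an
# assumption made only so the example runs instantly without external libraries.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)


def coin_digest(serial: str) -> int:
    """Hash a coin's serial number to the integer the issuer signs (always < N)."""
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big") % N


class Issuer:
    """The issuer: signs blinded withdrawals, verifies and records deposits."""

    def __init__(self):
        self.withdrawals = []   # blinded values seen at withdrawal time
        self.spent = set()      # coin digests already redeemed

    def sign_blinded(self, blinded: int) -> int:
        # The issuer signs without ever learning the coin's real serial number.
        self.withdrawals.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, serial: str, sig: int) -> bool:
        m = coin_digest(serial)
        if pow(sig, E, N) != m:
            return False        # signature does not verify: forged or altered coin
        if m in self.spent:
            return False        # same certificate presented twice: double spend
        self.spent.add(m)
        return True

    def can_link(self, serial: str, sig: int) -> bool:
        """Can the issuer match a deposited coin to any withdrawal it recorded?
        Without the user's blinding factor r, neither the digest nor the
        signature equals anything the issuer saw, so this returns False."""
        m = coin_digest(serial)
        return m in self.withdrawals or sig in self.withdrawals


def withdraw(issuer: Issuer, serial: str):
    """User side of a withdrawal: blind the digest, obtain a signature, unblind it."""
    m = coin_digest(serial)
    if gcd(m, N) != 1:
        raise ValueError("digest shares a factor with N; pick another serial")
    while True:
        r = secrets.randbelow(N)               # blinding factor, kept secret by the user
        if r > 1 and gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N           # m * r^e mod N
    blinded_sig = issuer.sign_blinded(blinded) # (m * r^e)^d = m^d * r mod N
    sig = (blinded_sig * pow(r, -1, N)) % N    # strip r: m^d mod N, a plain RSA signature on m
    return serial, sig


if __name__ == "__main__":
    issuer = Issuer()
    coin = withdraw(issuer, "serial-0001")     # constructed serial number
    # The (serial, sig) pair can change hands any number of times; whoever
    # holds it deposits it, and only then does the issuer see the serial.
    print("deposit accepted:", issuer.deposit(*coin))
    print("second deposit accepted:", issuer.deposit(*coin))
    print("issuer can link coin to its withdrawal:", issuer.can_link(*coin))
```

The electronic check and electronic transfer models need only the ordinary, unblinded signature that `deposit` verifies: the issuer sees the payer's identity on every instruction, which is exactly why those models do not emulate cash.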
NEW QUESTION 120
The use of symmetric key encryption controls to protect sensitive data transmitted over a communications network requires that:
- A. primary keys for encrypting the data be stored in encrypted form.
- B. public keys be stored in encrypted form.
- C. encryption keys be changed only when a compromise is detected at both ends.
- D. encryption keys at one end be changed on a regular basis.
Answer: A
Explanation:
Section: Protection of Information Assets
NEW QUESTION 121
An organization has recently acquired another organization. When reviewing both IS departments, the IS auditor discovers two redundant IT applications. Which of the following would be the auditor's BEST recommendation for management?
- A. Assess the gaps on both applications to determine further steps.
- B. Submit a request for proposal (RFP) to replace the applications.
- C. Keep the most comprehensive application as approved by senior management.
- D. Develop an initiative to integrate both applications.
Answer: B
NEW QUESTION 122
Which of the following will replace system binaries and/or hook into the function calls of the operating system to hide the presence of other programs (choose the most precise answer)?
- A. tripwire
- B. virus
- C. trojan
- D. rootkits
- E. None of the choices.
Answer: D
Explanation:
Section: Protection of Information Assets
Explanation:
"A backdoor may take the form of an installed program (e.g., Back Orifice) or could be in the form of an existing "legitimate" program or executable file. A specific form of backdoor is the rootkit, which replaces system binaries and/or hooks into the function calls of the operating system to hide the presence of other programs, users, services and open ports."
Tripwire (choice A) is not malware but a file integrity checker; it is one of the detective tools used to catch exactly this kind of binary replacement.
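What the tripwire-style detective control for binary replacement looks like, as an added example (not tripwire's code and not from the CISA manual): take a baseline of cryptographic hashes, sizes and modes from a known-good tree, store it, and later diff the live tree against it. The `demo_tampering` function builds a constructed fake `bin/` directory in a temporary folder and simulates a rootkit install (one binary replaced, one hidden helper added, one tool deleted); the directory layout and file contents are assumptions for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, size and mode of every regular file under root.
    Keys are root-relative paths with '/' separators so baselines are portable."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full) or os.path.islink(full):
                continue            # symlinks are recorded by their target, not here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {"sha256": sha256_file(full),
                             "size": st.st_size,
                             "mode": st.st_mode}
    return baseline


def save_baseline(baseline, path):
    # In practice the baseline is kept on read-only or offline media; a rootkit
    # that can rewrite the baseline can hide from the comparison.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare_to_baseline(baseline, root):
    """Diff the live tree against the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo_tampering():
    """Constructed scenario: baseline a fake bin/ tree, then simulate a rootkit install."""
    root = tempfile.mkdtemp()
    try:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"known-good build of " + name.encode())
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(bindir), baseline_path)

        # Simulated rootkit: trojaned ps, a hidden helper dropped, netstat removed.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"trojaned ps that hides the attacker's processes")
        with open(os.path.join(bindir, ".helper"), "wb") as f:
            f.write(b"rootkit helper")
        os.remove(os.path.join(bindir, "netstat"))

        return compare_to_baseline(load_baseline(baseline_path), bindir)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo_tampering(), indent=2))
```

The comparison only holds if the checker's own reads are honest: a rootkit that hooks the file-system calls can feed the original bytes to the hashing tool while running the replaced binary for everyone else. That is why the baseline and the check are run from trusted boot media or against an offline copy of the disk, not from the suspect system's own shell.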
NEW QUESTION 123
While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor's PRIMARY concern should be that the:
- A. outsourcer will approach the other service provider directly for further work.
- B. contract may be terminated because prior permission from the outsourcer was not obtained.
- C. requirement for protecting confidentiality of information could be compromised.
- D. other service provider to whom work has been outsourced is not subject to audit.
Answer: C
Explanation:
Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. Where a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised. Choices A and B could be concerns but are not related to ensuring the confidentiality of information. There is no reason why an IS auditor should be concerned with choice D.
NEW QUESTION 124
An organization wants to reuse company-provided smartphones collected from staff leaving the organization. Which of the following would be the BEST recommendation?
- A. Data should be securely deleted from the smartphones.
- B. The memory cards of the smartphones should be replaced.
- C. Smartphones should not be reused, but physically destroyed.
- D. The SIM card and telephone number should be changed.
Answer: A
Explanation:
Section: Protection of Information Assets
NEW QUESTION 125
In an IS auditor's review of an organization's configuration management practices for software, which of the following is MOST important?
- A. Software rental contracts or lease agreements
- B. Service level agreements (SLAs) between the IT function and users
- C. Post-implementation review reports from development efforts
- D. Organizational policies related to release management
Answer: D
Explanation:
Section: The process of Auditing Information System
NEW QUESTION 126
Which of the following would BEST help to ensure compliance with an organization's information security requirements by an IT service provider?
- A. Defining the business recovery plan with the IT service provider
- B. Requiring an external security audit of the IT service provider
- C. Defining information security requirements with internal IT
- D. Requiring regular reporting from the IT service provider
Answer: D
Explanation:
Section: Governance and Management of IT
NEW QUESTION 127
Which of the following would MOST effectively detect a condition where an employee assigned to an operations role could perform system administrator functions?
- A. Business process review
- B. User access review
- C. Entitlement design review
- D. System review
Answer: B
NEW QUESTION 128
Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy?
- A. Review the parameter settings.
- B. Interview the firewall administrator.
- C. Review the device's log file for recent attacks.
- D. Review the actual procedures.
Answer: A
Explanation:
Section: Protection of Information Assets
Explanation:
A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation. The other choices do not provide audit evidence as strong as choice A.
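What a parameter-settings review looks like when it is done as a repeatable test rather than by eye: the Python below is an added example (not from the CISA manual) that parses a constructed `iptables-save` dump and checks it against a small set of policy statements an auditor might have extracted from the organization's security policy. The ruleset, the policy values and the function names are assumptions made for the example; the point is that each finding ties a specific rule to a specific policy requirement, which is the audit evidence the explanation above refers to.

```python
import re

# Constructed sample of `iptables-save` output; not taken from any real host.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -s 0.0.0.0/0 --dport 3389 -j ACCEPT
-A INPUT -p tcp -s 203.0.113.0/24 --dport 443 -j ACCEPT
COMMIT
"""

# Hypothetical policy statements the configuration is tested against.
POLICY = {
    "default_input_policy": "DROP",             # default deny on inbound traffic
    "forbidden_ports": {21, 23},                # cleartext FTP/telnet never allowed
    "admin_ports_internal_only": {22, 3389},    # SSH/RDP only from internal ranges
    "internal_networks": {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"},
}

RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<rest>.*)-j (?P<target>\S+)\s*$")


def parse_ruleset(text):
    """Return ({chain: default policy}, [rule dicts]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # e.g. ":INPUT ACCEPT [0:0]"
            chain, default, _ = line[1:].split(None, 2)
            policies[chain] = default
        elif line.startswith("-A"):
            m = RULE_RE.match(line)
            rest = m.group("rest")
            proto = re.search(r"\s-p (\S+)", rest)
            src = re.search(r"\s-s (\S+)", rest)
            dport = re.search(r"--dport (\d+)", rest)
            rules.append({
                "chain": m.group("chain"),
                "target": m.group("target"),
                "proto": proto.group(1) if proto else None,
                "src": src.group(1) if src else "0.0.0.0/0",   # no -s means any source
                "dport": int(dport.group(1)) if dport else None,
            })
    return policies, rules


def audit(policies, rules, policy=POLICY):
    """Compare parsed settings with the policy; each finding names rule and requirement."""
    findings = []
    actual = policies.get("INPUT")
    if actual != policy["default_input_policy"]:
        findings.append(f"INPUT default policy is {actual}, policy requires "
                        f"{policy['default_input_policy']}")
    for r in rules:
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT" or r["dport"] is None:
            continue
        if r["dport"] in policy["forbidden_ports"]:
            findings.append(f"port {r['dport']} accepted from {r['src']} "
                            f"but is forbidden by policy")
        if (r["dport"] in policy["admin_ports_internal_only"]
                and r["src"] not in policy["internal_networks"]):
            findings.append(f"admin port {r['dport']} accepted from non-internal "
                            f"source {r['src']}")
    return findings


if __name__ == "__main__":
    pols, rules = parse_ruleset(SAMPLE_RULESET)
    for finding in audit(pols, rules):
        print("FINDING:", finding)
```

Against the constructed ruleset this reports three deviations: the INPUT chain defaults to ACCEPT, telnet (23) is open, and RDP (3389) is reachable from any source. Interviewing the administrator (choice B) would not surface the second two unless the administrator already knew about them.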
NEW QUESTION 129
A poor choice of passwords and transmission over unprotected communications lines are examples of:
- A. vulnerabilities.
- B. probabilities.
- C. threats.
- D. impacts.
Answer: A
Explanation:
Section: Protection of Information Assets
Explanation:
Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat, while impacts represent the outcome or result of a threat exploiting a vulnerability.
NEW QUESTION 130
Which of the following terms related to network performance refers to the variation in the time of arrival of packets at the receiver of the information?
- A. Bandwidth
- B. Latency
- C. Jitter
- D. Throughput
Answer: C
Explanation:
Explanation/Reference:
Simply put, jitter is the variation in packet inter-arrival time at the destination. It is inherent to packet-switched networks and, for ordinary data transfer, usually causes no communication problems: TCP buffers and reorders the stream, so the application never sees the irregular arrival times.
In a VoIP environment, or in any larger network carrying IP phones, jitter is a bigger problem. When a sender emits voice frames at a regular interval (say one frame every 10 ms), those packets can be queued somewhere in the packet network and fail to arrive at the receiving station at the same regular pace.
That is the whole jitter phenomenon: the difference between the tempo at which packets are expected and the tempo at which they are actually received.
[Image: jitter diagram, from http://howdoesinternetwork.com/wp-content/uploads/2013/05/jitter.gif]
In the image, the interval at which packets are sent is not the interval at which they arrive at the receiver: one packet encounters delay along the way and arrives later than expected. This is where jitter buffers come in; they hold arriving packets briefly and release them at a steady rate, absorbing the delay variation when required. VoIP packets suffer highly variable inter-arrival intervals because they are smaller than typical data packets and therefore more numerous, which gives each one more chances to be delayed along the way.
For your exam you should know below information about Network performance:
Network performance refers to measurement of service quality of a telecommunications product as seen by the customer.
The following list gives examples of network performance measures for a circuit-switched network and one type of packet-switched network (ATM):
Circuit-switched networks: In circuit switched networks, network performance is synonymous with the grade of service. The number of rejected calls is a measure of how well the network is performing under heavy traffic loads. Other types of performance measures can include noise, echo and so on.
ATM: In an Asynchronous Transfer Mode (ATM) network, performance can be measured by line rate, quality of service (QoS), data throughput, connect time, stability, technology, modulation technique and modem enhancements.
There are many different ways to measure the performance of a network, as each network is different in nature and design. Performance can also be modeled instead of measured; one example of this is using state transition diagrams to model queuing performance in a circuit-switched network. These diagrams allow the network planner to analyze how the network will perform in each state, ensuring that the network will be optimally designed.
The following measures are often considered important:
Bandwidth - Commonly measured in bits/second; the maximum rate at which information can be transferred.
Throughput - The actual rate at which information is transferred.
Latency - The delay between the sender transmitting and the receiver decoding the information; mainly a function of signal travel time plus processing time at each node the information traverses.
Jitter - The variation in the time of arrival of the information at the receiver.
Error Rate - The number of corrupted bits expressed as a percentage or fraction of the total sent.
The following answers are incorrect:
Bandwidth - The maximum transfer rate, not a measure of arrival-time variation.
Throughput - The actual transfer rate, not a measure of arrival-time variation.
Latency - The end-to-end delay itself; jitter is the variation in that delay from packet to packet.
The following reference(s) were/was used to create this question:
CISA review manual 2014 page number 275
and
http://howdoesinternetwork.com/2013/jitter
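To make the definition concrete, the Python below is an added example (not from the CISA manual or the cited article) that computes per-packet delay variation and the smoothed interarrival jitter estimate from RFC 3550 (J = J + (|D| - J)/16) over constructed send/receive timestamps, then shows how a jitter buffer turns delay variation into a playout deadline that late packets miss. The timestamps, the 10 ms frame interval and the playout model are assumptions made for the example.

```python
# Constructed timestamps in milliseconds; not measured from a real network.
SEND_MS = [0, 10, 20, 30, 40, 50]   # one voice frame every 10 ms, as in the text
RECV_MS = [5, 15, 25, 40, 45, 55]   # constant 5 ms transit except packet 3 (10 ms)


def one_way_delays(send, recv):
    """Transit time of each packet: receive time minus send time."""
    return [r - s for s, r in zip(send, recv)]


def delay_variation(send, recv):
    """D(i,j) from RFC 3550: how much the transit time changed between
    consecutive packets. Zero means perfectly regular arrival."""
    return [(recv[j] - recv[j - 1]) - (send[j] - send[j - 1])
            for j in range(1, len(send))]


def rfc3550_jitter(send, recv):
    """Smoothed interarrival jitter J = J + (|D| - J)/16, reported after each
    packet. The 1/16 gain makes J react to bursts without tracking every spike."""
    j = 0.0
    history = []
    for d in delay_variation(send, recv):
        j += (abs(d) - j) / 16
        history.append(j)
    return history


def late_packets(send, recv, buffer_ms):
    """Indexes of packets that miss their playout slot. The receiver plays
    packet i at send[i] + (transit time of the first packet) + buffer_ms;
    a packet that arrives after that instant is discarded or concealed."""
    base = recv[0] - send[0]
    return [i for i, (s, r) in enumerate(zip(send, recv)) if r > s + base + buffer_ms]


if __name__ == "__main__":
    print("delays      :", one_way_delays(SEND_MS, RECV_MS))
    print("D per packet:", delay_variation(SEND_MS, RECV_MS))
    print("RFC 3550 J  :", [round(j, 3) for j in rfc3550_jitter(SEND_MS, RECV_MS)])
    for buf in (0, 5):
        print(f"late with {buf} ms buffer:", late_packets(SEND_MS, RECV_MS, buf))
```

With no buffer the delayed fourth packet misses its slot; a 5 ms buffer, equal to the largest |D| observed, absorbs it at the cost of 5 ms of added latency, which is the trade-off a jitter buffer always makes.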
NEW QUESTION 131
An organization has purchased a security information and event management (SIEM) tool. Which of the following would be MOST important to consider before implementation?
- A. Available technical support
- B. Reporting capabilities
- C. The contract with the SIEM vendor
- D. Controls to be monitored
Answer: D
Explanation:
Section: Information System Operations, Maintenance and Support
NEW QUESTION 132
An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?
- A. Use the DBA user account to make changes, log the changes and review the change log the following day.
- B. Use the normal user account to make changes, log the changes and review the change log the following day.
- C. Allow changes to be made only with the DBA user account.
- D. Make changes to the database after granting access to a normal user account.
Answer: A
Explanation:
The use of a database administrator (DBA) user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. The use of the DBA user account without logging would permit uncontrolled changes to be made to databases once access to the account was obtained. The use of a normal user account with no restrictions would allow uncontrolled changes to any of the databases. Logging would only provide information on changes made, but would not limit changes to only those that were authorized. Hence, logging coupled with review forms an appropriate set of compensating controls.
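What the next-day review of that change log looks like when it is scripted: the Python below is an added example (not from the CISA manual) that parses a constructed database audit log, separates after-hours changes from business-hours ones, and flags exceptions to the compensating control described above: an after-hours change made from something other than the DBA account, or one with no change ticket recorded. The log format, account names, ticket numbers and business hours are all assumptions made for the example.

```python
from datetime import datetime, time

# Constructed sample audit log, one change per line; not from any real database.
SAMPLE_LOG = """\
2021-11-22T10:15:02 account=app_user stmt="UPDATE customers SET tier='gold' WHERE id=42" ticket=CHG-1040
2021-11-22T17:59:30 account=dba_admin stmt="ALTER TABLE orders ADD COLUMN note TEXT" ticket=CHG-1041
2021-11-22T23:41:07 account=dba_admin stmt="UPDATE orders SET status='closed' WHERE id=9001" ticket=CHG-1042
2021-11-23T02:05:44 account=app_user stmt="DROP INDEX idx_orders_status" ticket=
2021-11-23T03:10:00 account=dba_admin stmt="DELETE FROM audit_tmp" ticket=CHG-1043
"""

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)   # assumed working hours, Mon-Fri
DBA_ACCOUNTS = {"dba_admin"}                             # the logged account the control relies on


def parse_line(line):
    """Split one log line into timestamp, account, statement and ticket."""
    ts, rest = line.split(" ", 1)
    account = rest.split("account=")[1].split(" ")[0]
    stmt = rest.split('stmt="')[1].split('"')[0]
    ticket = rest.rsplit("ticket=", 1)[1].strip() or None
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "stmt": stmt, "ticket": ticket}


def is_after_hours(ts):
    """Weekend, or a weekday time outside the business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def review(log_text):
    """Return (after-hours changes to review, exceptions to the compensating control)."""
    after_hours, exceptions = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_after_hours(rec["ts"]):
            continue                 # in-hours changes follow the full standard procedure
        after_hours.append(rec)
        if rec["account"] not in DBA_ACCOUNTS:
            exceptions.append(("non-DBA account used after hours", rec))
        if not rec["ticket"]:
            exceptions.append(("no change ticket recorded", rec))
    return after_hours, exceptions


if __name__ == "__main__":
    changes, problems = review(SAMPLE_LOG)
    print(f"{len(changes)} after-hours change(s) to review:")
    for rec in changes:
        print("  ", rec["ts"], rec["account"], rec["stmt"])
    for reason, rec in problems:
        print("EXCEPTION:", reason, "->", rec["ts"], rec["account"], rec["stmt"])
```

The review only compensates for the abbreviated procedure if the log itself is protected from the DBA account that writes to it: if the same account can edit or truncate the audit trail, the reviewer is reading what the DBA chose to leave behind.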
NEW QUESTION 133
Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks?
- A. Session keys are dynamic
- B. Keys are static and shared
- C. Source addresses are not encrypted or authenticated
- D. Private symmetric keys are used
Answer: A
Explanation:
Section: Protection of Information Assets
Explanation:
WPA uses dynamic session keys, achieving stronger encryption than Wired Equivalent Privacy (WEP), which operates with static keys (the same key is used by everyone on the wireless network). All other choices are weaknesses of WEP.
NEW QUESTION 134
A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP?
- A. Full-scale test with relocation of all departments, including IT, to the contingency site
- B. Walk-through test of a series of predefined scenarios with all critical personnel involved
- C. Functional test of a scenario with limited IT involvement
- D. IT disaster recovery test with business departments involved in testing the critical applications
Answer: C
Explanation:
After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Since the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the business continuity plan (BCP) before actually involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule. A full-scale test in the situation described might fail because it would be the first time that the plan is actually exercised, and a number of resources (including IT) and time would be wasted. The walk-through test is the most basic type of testing. Its intention is to make key staff familiar with the plan and discuss critical plan elements, rather than verifying its adequacy. The recovery of applications should always be verified and approved by the business instead of being purely IT-driven. A disaster recovery test would not help in verifying the administrative and organizational parts of the BCP which are not IT-related.
Topic 8, Mixed Questions
NEW QUESTION 135
An IS auditor performing a review of the backup processing facilities should be MOST concerned that:
- A. adequate fire insurance exists.
- B. regular hardware maintenance is performed.
- C. offsite storage of transaction and master files exists.
- D. backup processing facilities are fully tested.
Answer: C
Explanation:
Section: Protection of Information Assets
Explanation:
Adequate fire insurance and fully tested backup processing facilities are important elements for recovery, but without the offsite storage of transaction and master files, it is generally impossible to recover. Regular hardware maintenance does not relate to recovery.
NEW QUESTION 136
Which of the following is a mechanism for mitigating risks?
- A. Security and control practices
- B. Contracts and service level agreements (SLAs)
- C. Audit and certification
- D. Property and liability insurance
Answer: A
Explanation:
Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, while contracts and SLAs are mechanisms of risk allocation.
NEW QUESTION 137
Which of the following security controls is intended to bring the environment back to regular operation?
- A. Deterrent
- B. Preventive
- C. Corrective
- D. Recovery
Answer: D
Explanation:
Section: The process of Auditing Information System
Explanation:
Recovery controls are intended to bring the environment back to regular operations.
For your exam you should know the following about the different types of security controls:
Deterrent Controls
Deterrent controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process.
This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events.
When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs.
It is this fundamental reason why access controls are the key target of circumvention by attackers.
Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will deter most employees from installing wireless access points.
Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in the control's implementation.
Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk.
For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure Sockets Layer (SSL), an encryption protocol (today superseded by TLS), can be employed and layered on top of the authentication process to support the policy statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.
Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk.
As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that authenticated user has. However, there are few options to control what a user can perform once privileges are provided.
For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system.
This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.
Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions.
Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with.
Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations.
There are several situations that may affect access controls, their applicability, status, or management.
Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install.
Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations.
The following answers are incorrect:
Deterrent - Deterrent controls are intended to discourage a potential attacker.
Preventive - Preventive controls are intended to avoid an incident from occurring.
Corrective - Corrective controls fix components or systems after an incident has occurred.
Reference:
CISA Review Manual 2014 Page number 44
and
Official ISC2 CISSP guide 3rd edition Page number 50 and 51
NEW QUESTION 138
Which of the following tools are MOST helpful for benchmarking an existing IT capability?
- A. IT balanced scorecards
- B. Risk assessments
- C. Prior IS audit reports
- D. IT maturity models
Answer: D
NEW QUESTION 139
Which of the following would be the PRIMARY benefit of replacing physical keys with an electronic entry
system for a data center?
- A. Creates an audit trail
- B. Reduces cost
- C. Enables data mining
- D. Ensures compliance
Answer: A
Explanation:
Section: Protection of Information Assets