[Nov 30, 2021] CISA Exam Dumps 100% Same Q&A In Your Real Exam
CISA Test Engine Dumps Training With 440 Questions
Information Systems Auditing Process: This topic area evaluates your ability to provide conclusions on the status of IS/IT security, control, and risk solutions of an organization. It will measure your skills in the following subsections:
- Execution – audit project management; sampling methodology; data analytics; communication and reporting methods; audit evidence collection methods.
- Planning – IS audit standards, guidelines and codes of ethics; business processes; types of controls; risk-based audit planning; types of assessments and audits.
Certification Path
The Certified Information Systems Auditor certification path consists of a single exam, the CISA exam.
NEW QUESTION 121
Which of the following is the BEST way to mitigate the impact of ransomware attacks?
- A. Invoking the disaster recovery plan (DRP)
- B. Paying the ransom
- C. Backing up data frequently
- D. Requiring password changes for administrative accounts
Answer: C
Section: Protection of Information Assets
NEW QUESTION 122
What topology provides the greatest redundancy of routes and the greatest network fault tolerance?
- A. A star network topology
- B. A mesh network topology with packet forwarding enabled at each host
- C. A ring network topology
- D. A bus network topology
Answer: B
Explanation:
A mesh network topology provides a point-to-point link between every network host. If each host is configured to route and forward communication, this topology provides the greatest redundancy of routes and the greatest network fault tolerance.
NEW QUESTION 123
When reviewing an organization's logical access security, which of the following should be of MOST concern to an IS auditor?
- A. Passwords are not shared.
- B. Password files are not encrypted.
- C. Redundant logon IDs are deleted.
- D. The allocation of logon IDs is controlled.
Answer: B
Section: Protection of Information Assets
Explanation:
When evaluating the technical aspects of logical security, unencrypted files represent the greatest risk. The sharing of passwords, checking for the redundancy of logon IDs and proper logon ID procedures are essential, but they are less important than ensuring that the password files are encrypted.
NEW QUESTION 124
What type of BCP test uses actual resources to simulate a system crash and validate the plan's effectiveness?
- A. Walk-through
- B. Parallel
- C. Paper
- D. Preparedness
Answer: D
Explanation:
Of the three major types of BCP tests (paper, walk-through, and preparedness), only the preparedness test uses actual resources to simulate a system crash and validate the plan's effectiveness.
NEW QUESTION 125
Which of the following would be the GREATEST concern when an organization's disaster recovery strategy utilizes a cold site?
- A. The lack of networking infrastructure
- B. The lack of hardware components availability
- C. The lack of electrical power connections
- D. The lack of appropriate environmental controls
Answer: D
NEW QUESTION 126
In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to "never expire." Which of the following recommendations would BEST address the risk with minimal disruption to the business?
- A. Schedule downtime to implement password changes.
- B. Introduce database access monitoring into the environment.
- C. Modify applications to no longer require direct access to the database.
- D. Modify the access management policy to make allowances for application accounts.
Answer: D
NEW QUESTION 127
By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:
- A. programmers' efficiency is improved.
- B. reliable products are guaranteed.
- C. predictable software processes are followed.
- D. security requirements are designed.
Answer: C
Section: Protection of Information Assets
Explanation:
By evaluating the organization's development projects against the CMM, an IS auditor determines whether the development organization follows a stable, predictable software process. Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product. CMM does not evaluate technical processes such as programming nor does it evaluate security requirements or other application controls.
NEW QUESTION 128
Which of the following should be the PRIMARY objective of an information security governance framework?
- A. Provide a baseline for optimizing the security profile of the organization.
- B. Increase the organization's return on security investment.
- C. Ensure that users comply with the organization's information security policies.
- D. Demonstrate compliance with industry best practices to external stakeholders.
Answer: A
Section: Governance and Management of IT
NEW QUESTION 129
An IS auditor notes that the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?
- A. Stress testing results
- B. Capacity management plan
- C. Database conversion results
- D. Training plans
Answer: A
NEW QUESTION 130
An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?
- A. The business strategy meeting minutes are not distributed.
- B. There is not a defined IT security policy.
- C. IT is not engaged in business strategic planning.
- D. There is inadequate documentation of IT strategic planning.
Answer: C
NEW QUESTION 131
An IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a vendor product to address this vulnerability. The IS auditor has failed to exercise:
- A. professional competence.
- B. professional independence.
- C. technical competence.
- D. organizational independence.
Answer: B
Explanation:
When an IS auditor recommends a specific vendor, they compromise professional independence.
Organizational independence has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. Technical and professional competence is not relevant to the requirement of independence.
NEW QUESTION 132
The MOST appropriate person to chair the steering committee for an enterprise-wide system development should normally be the:
- A. project manager.
- B. business analyst.
- C. executive level manager.
- D. IS director.
Answer: C
Section: Protection of Information Assets
NEW QUESTION 133
Which of the following is the GREATEST risk to the effectiveness of application system controls?
- A. Inadequate procedure manuals
- B. Unresolved regulatory compliance issues
- C. Removal of manual processing steps
- D. Collusion between employees
Answer: D
Explanation:
Collusion is an active attack that can be sustained and is difficult to identify since even well-thought-out application controls may be circumvented. The other choices do not impact well-designed application controls.
NEW QUESTION 134
When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?
- A. Performing background checks prior to hiring IT staff
- B. Reviewing transaction and application logs
- C. Locking user sessions after a specified period of inactivity
- D. Restricting physical access to computing equipment
Answer: B
Explanation:
Only reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse, because people who may otherwise be tempted to exploit the situation are aware of the likelihood of being caught.
Inadequate segregation of duties is more likely to be exploited via logical access to data and computing resources rather than physical access. Performing background checks (choice A) is a useful control to ensure IT staff are trustworthy and competent but does not directly address the lack of an optimal segregation of duties. Locking user sessions after a period of inactivity (choice C) acts to prevent unauthorized users from gaining system access, but the issue of a lack of segregation of duties is more the misuse (deliberately or inadvertently) of access privileges that have officially been granted.
NEW QUESTION 135
Which of the following is a MAJOR benefit of using a wireless network?
- A. Faster network speed
- B. Stronger authentication
- C. Lower installation cost
- D. Protection against eavesdropping
Answer: B
Section: Protection of Information Assets
NEW QUESTION 136
Which of the following is used in providing logical access control to restrict updating or deleting business information in a relational database?
- A. View
- B. Primary key
- C. Join
- D. Trigger
Answer: A
NEW QUESTION 137
To address an organization's disaster recovery requirements, backup intervals should not exceed the:
- A. maximum acceptable outage (MAO).
- B. recovery time objective (RTO).
- C. service level objective (SLO).
- D. recovery point objective (RPO).
Answer: D
Explanation:
The recovery point objective (RPO) defines the point in time to which data must be restored after a disaster so as to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time frame. If service levels are not met, the usual consequences are penalty payments, not cessation of business. Organizations will try to set service level objectives (SLOs) so as to meet established targets. The resulting time for the service level agreement (SLA) will usually be longer than the RPO. The recovery time objective (RTO) defines the time period after the disaster in which normal business functionality needs to be restored. The maximum acceptable outage (MAO) is the maximum amount of system downtime that is tolerable. It can be used as a synonym for RTO. However, the RTO denotes an objective/target, while the MAO constitutes a vital necessity for an organization's survival.
NEW QUESTION 138
Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
- A. Providing independent and objective feedback to facilitate improvement of IT processes
- B. Making decisions regarding risk response and monitoring of residual risk
- C. Identifying relevant roles for an enterprise IT governance framework
- D. Verifying that legal, regulatory, and contractual requirements are being met
Answer: D
NEW QUESTION 139
Attribute sampling is BEST suited to estimate:
- A. compliance with approved procedures.
- B. whether a recorded balance is within limits of materiality.
- C. the true monetary value of a population.
- D. the total error amount in the population.
Answer: B
Section: Protection of Information Assets
NEW QUESTION 140
Which of the following techniques is used for speeding up network traffic flow and making it easier to manage?
- A. Point-to-point protocol
- B. MPLS
- C. ISDN
- D. X.25
Answer: B
Explanation:
Multiprotocol Label Switching (MPLS) is a standards-approved technology for speeding up network traffic flow and making it easier to manage. MPLS involves setting up a specific path for a given sequence of packets, identified by a label put in each packet, thus saving the time needed for a router to look up the address of the next node to forward the packet to. MPLS is called multiprotocol because it works with the Internet Protocol (IP), Asynchronous Transfer Mode (ATM), and frame relay network protocols. With reference to the standard model for a network (the Open Systems Interconnection, or OSI model), MPLS allows most packets to be forwarded at the Layer 2 (switching) level rather than at the Layer 3 (routing) level. In addition to moving traffic faster overall, MPLS makes it easy to manage a network for quality of service (QoS). For these reasons, the technique is expected to be readily adopted as networks begin to carry more and different mixtures of traffic.
For your exam you should know the following information about WAN technologies:
Point-to-point protocol
PPP (Point-to-Point Protocol) is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. For example, your Internet service provider may provide you with a PPP connection so that the provider's server can respond to your requests, pass them on to the Internet, and forward your requested Internet responses back to you. PPP uses the Internet Protocol (IP) (and is designed to handle others). It is sometimes considered a member of the TCP/IP suite of protocols. Relative to the Open Systems Interconnection (OSI) reference model, PPP provides layer 2 (data-link layer) service. Essentially, it packages your computer's TCP/IP packets and forwards them to the server where they can actually be put on the Internet.
PPP is a full-duplex protocol that can be used on various physical media, including twisted pair or fiber optic lines or satellite transmission. It uses a variation of High-Level Data Link Control (HDLC) for packet encapsulation.
PPP is usually preferred over the earlier de facto standard Serial Line Internet Protocol (SLIP) because it can handle synchronous as well as asynchronous communication. PPP can share a line with other users and it has error detection that SLIP lacks. Where a choice is possible, PPP is preferred.
X.25
- X.25 is an ITU-T standard protocol suite for packet-switched wide area network (WAN) communication.
- X.25 is a packet switching technology which uses carrier switches to provide connectivity for many different networks.
- Subscribers are charged based on the amount of bandwidth they use. Data are divided into 128-byte packets and encapsulated in High-Level Data Link Control (HDLC).
- X.25 works at the network and data link layers of the OSI model.
Frame Relay
- Works on packet switching.
- Operates at the data link layer of the OSI model.
- Companies that pay more to ensure that a higher level of bandwidth will always be available pay a committed information rate (CIR).
Two main types of equipment are used in Frame Relay:
1. Data Terminal Equipment (DTE) - Usually a customer-owned device that provides connectivity between the company's own network and the frame relay network.
2. Data Circuit Terminal Equipment (DCE) - Service provider device that does the actual data transmission and switching in the frame relay cloud.
The frame relay cloud is the collection of DCE that provides switching and data communication functionality. Frame relay is an any-to-any service.
Integrated Services Digital Network (ISDN)
- Enables data, voice and other types of traffic to travel in digital form over a medium previously used only for analog voice transmission.
- The same copper telephone wire is used.
- Provides a digital point-to-point circuit-switching medium.
Asynchronous Transfer Mode (ATM)
- Uses the cell switching method.
- High-speed network technology used for LANs, MANs and WANs.
- Like frame relay, it is a connection-oriented technology which creates and uses a fixed channel.
- Data are segmented into fixed-size cells of 53 bytes.
- Some companies have replaced their FDDI back-end with ATM.
Multiprotocol Label Switching (MPLS): described in the explanation above.
The following answers are incorrect:
X.25 - X.25 is an ITU-T standard protocol suite for packet-switched wide area network (WAN) communication. X.25 is a packet switching technology which uses carrier switches to provide connectivity for many different networks.
Point-to-point protocol - PPP (Point-to-Point Protocol) is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server.
ISDN - Enables data, voice and other types of traffic to travel in digital form over a medium previously used only for analog voice transmission.
The following reference was used to create this question:
CISA review manual 2014 page number 266
NEW QUESTION 141
......
CISA Practice Test Pdf Exam Material: https://www.validexam.com/CISA-latest-dumps.html
CISA Questions Pass on Your First Attempt Dumps for Isaca Certification Certified: https://drive.google.com/open?id=1jmMYnknofio5orAhypcaElxtY3w9Vv1O