ISACA CISA Certified Information Systems Auditor Online Training

Question #31

Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?

A . Configure a single server as a primary authentication server and a second server as a secondary authentication server.
B . Configure each authentication server as belonging to a cluster of authentication servers.
C . Configure each authentication server and ensure that each disk of its RAID is attached to the primary controller.
D . Configure each authentication server and ensure that the disks of each server form part of a duplex.

Reveal Solution Hide Solution

Question #32

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

A . allocation of resources during an emergency.
B . frequency of system testing.
C . differences in IS policies and procedures.
D . maintenance of hardware and software compatibility.

Reveal Solution Hide Solution

Question #33

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

A . Phishing
B . Using a dictionary attack of encrypted passwords
C . Intercepting packets and viewing passwords
D . Flooding the site with an excessive number of packets

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Flooding the site with an excessive number of packets is an attack technique that will succeed because of an inherent security weakness in an Internet firewall. This type of attack is also known as a denial-of-service (DoS) attack or a distributed denial-of-service (DDoS) attack if it involves multiple sources. The aim of this attack is to overwhelm the network bandwidth or the processing capacity of the firewall or the target system, rendering it unable to respond to legitimate requests or perform its normal functions. An Internet firewall is a device or software that monitors and controls incoming and outgoing network traffic based on predefined rules. A firewall can block or allow traffic based on various criteria, such as source address, destination address, port number, protocol type, application type, etc. However, a firewall cannot prevent traffic from reaching its interface or distinguish between legitimate and malicious traffic based on its content or behavior. Therefore, a firewall is vulnerable to flooding attacks that exploit its limited resources. Phishing is an attack technique that involves sending fraudulent emails or messages that appear to come from legitimate sources, such as banks, government agencies, online services, etc., in order to trick recipients into revealing their personal or financial information, such as passwords, credit card numbers, bank account details, etc., or into clicking on malicious links or attachments that can infect their systems with malware or ransomware. Phishing does not exploit an inherent security weakness in an Internet firewall, but rather exploits human psychology and social engineering techniques. A firewall cannot prevent phishing emails or messages from reaching their intended targets, unless they contain some identifiable features that can be filtered out by the firewall rules. However, a firewall cannot detect or prevent users from responding to phishing emails or messages or from opening malicious links or attachments. Using a dictionary attack of encrypted passwords is an attack technique that involves trying to guess or crack passwords by using a list of common or likely passwords or by using a brute-force method that tries all possible combinations of characters. This type of attack does not exploit an inherent security weakness in an Internet firewall, but rather exploits weak or poorly chosen passwords or weak encryption algorithms. A firewall cannot prevent a dictionary attack of encrypted passwords, unless it has some mechanisms to detect and block repeated or suspicious login attempts or to enforce strong password policies. However, a firewall cannot protect passwords from being stolen or intercepted by other means, such as phishing, malware, keylogging, etc. Intercepting packets and viewing passwords is an attack technique that involves capturing and analyzing network traffic that contains sensitive information, such as passwords, credit card numbers, bank account details, etc., in order to use them for malicious purposes. This type of attack does not exploit an inherent security weakness in an Internet firewall, but rather exploits insecure or unencrypted network communication protocols or channels. A firewall cannot prevent packets from being intercepted and viewed by unauthorized parties, unless it has some mechanisms to encrypt or obfuscate the network traffic or to authenticate the source and destination of the traffic. However, a firewall cannot protect packets from being modified or tampered with by other means, such as man-in-the-middle attacks, replay attacks, etc.

References: ISACA CISA Review Manual 27th Edition, page 300

Question #34

Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

A . Effectiveness of the security program
B . Security incidents vs. industry benchmarks
C . Total number of hours budgeted to security
D . Total number of false positives

Reveal Solution Hide Solution

Question #35

One benefit of return on investment (ROI) analysts in IT decision making is that it provides the:

A . basis for allocating indirect costs.
B . cost of replacing equipment.
C . estimated cost of ownership.
D . basis for allocating financial resources.

Reveal Solution Hide Solution

Question #36

Which of the following is an audit reviewer’s PRIMARY role with regard to evidence?

A . Ensuring unauthorized individuals do not tamper with evidence after it has been captured
B . Ensuring evidence is sufficient to support audit conclusions
C . Ensuring appropriate statistical sampling methods were used
D . Ensuring evidence is labeled to show it was obtained from an approved source

Reveal Solution Hide Solution

Question #37

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

A . Identifying relevant roles for an enterprise IT governance framework
B . Making decisions regarding risk response and monitoring of residual risk
C . Verifying that legal, regulatory, and contractual requirements are being met
D . Providing independent and objective feedback to facilitate improvement of IT processes

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The most important benefit of involving IS audit when implementing governance of enterprise IT is providing independent and objective feedback to facilitate improvement of IT processes. Governance of enterprise IT is the process of ensuring that IT supports the organization’s strategy, goals, and objectives in an effective, efficient, ethical, and compliant manner. IS audit can provide value to governance of enterprise IT by assessing the alignment of IT with business needs, evaluating the performance and value delivery of IT, identifying risks and issues related to IT, recommending corrective actions and best practices, and monitoring the implementation and effectiveness of IT governance activities. IS audit can also provide assurance that IT governance processes are designed and operating in accordance with relevant standards, frameworks, laws, regulations, and contractual obligations. Identifying relevant roles for an enterprise IT governance framework is a benefit of involving IS audit when implementing governance of enterprise IT, but not the most important one. IS audit can help define and clarify the roles and responsibilities of various stakeholders involved in IT governance, such as board members, senior management, business units, IT function, external parties, etc. IS audit can also help ensure that these roles are aligned with the organization’s strategy, goals, and objectives, and that they have adequate authority, accountability, communication, and reporting mechanisms. However, this benefit is more related to the design phase of IT governance implementation than to the ongoing monitoring and improvement phase. Making decisions regarding risk response and monitoring of residual risk is a benefit of involving IS audit when implementing governance of enterprise IT, but not the most important one. IS audit can help identify and assess the risks associated with IT activities and processes, such as strategic risks, operational risks, compliance risks, security risks, etc. IS audit can also help evaluate the effectiveness of risk management practices and controls implemented by management to mitigate or reduce these risks. However, this benefit is more related to the assurance function of IS audit than to its advisory function. Verifying that legal, regulatory, and contractual requirements are being met is a benefit of involving IS audit when implementing governance of enterprise IT, but not the most important one. IS audit can help verify that IT activities and processes comply with applicable laws, regulations, and contractual obligations, such as data protection laws, privacy laws, cybersecurity laws, industry standards, service level agreements, etc. IS audit can also help identify and report any instances of noncompliance or violations that could result in legal or reputational consequences for the organization. However, this benefit is more related to the assurance function of IS audit than to its advisory function.

References: ISACA CISA Review Manual 27th Edition, page 283

Question #38

Which of the following is MOST important for an effective control self-assessment (CSA) program?

A . Determining the scope of the assessment
B . Performing detailed test procedures
C . Evaluating changes to the risk environment
D . Understanding the business process

Reveal Solution Hide Solution

Question #39

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

A . Senior management’s request
B . Prior year’s audit findings
C . Organizational risk assessment
D . Previous audit coverage and scope

Reveal Solution Hide Solution

Question #40

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?

A . Segregation of duties between staff ordering and staff receiving information assets
B . Complete and accurate list of information assets that have been deployed
C . Availability and testing of onsite backup generators
D . Knowledge of the IT staff regarding data protection requirements

Reveal Solution Hide Solution