CISA Practice Exam Preparation

The Certified Information Systems Auditor (CISA) certification is offered by ISACA. The practice questions below each give four options and the answer key.

1. Which of the following would be the BEST method for ensuring that critical fields in a master record have been updated properly?
A. Field checks
B. Control totals
C. Reasonableness checks
D. A before-and-after maintenance report
Answer: D

2. Which of the following is a dynamic analysis tool for the purpose of testing software modules?
A. Blackbox test
B. Desk checking
C. Structured walk-through
D. Design and code
Answer: A

3. Which of the following is MOST likely to result from a business process reengineering (BPR) project?
A. An increased number of people using technology
B. Significant cost savings, through a reduction in the complexity of information technology
C. Weaker organizational structures and less accountability
D. Increased information protection (IP) risk
Answer: A

4. Which of the following devices extends the network and has the capacity to store frames and act as a store-and-forward device?
A. Router
B. Bridge
C. Repeater
D. Gateway
Answer: B

5. IS management has decided to rewrite a legacy customer relations system using fourth-generation languages (4GLs). Which of the following risks is MOST often associated with system development using 4GLs?
A. Inadequate screen/report design facilities
B. Complex programming language subsets
C. Lack of portability across operating systems
D. Inability to perform data-intensive operations
Answer: D

6. Which of the following is a benefit of using callback devices?
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding
Answer: A

7. A call-back system requires that a user with an id and password call a remote server through a dial-up line, then the server disconnects and:
A. dials back to the user machine based on the user id and password using a telephone number from its database.
B. dials back to the user machine based on the user id and password using a telephone number provided by the user during this connection.
C. waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using its database.
D. waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using the sender's database.
Answer: A

8. Structured programming is BEST described as a technique that:
A. provides knowledge of program functions to other programmers via peer reviews.
B. reduces the maintenance time of programs by the use of small-scale program modules.
C. makes the readable coding reflect as closely as possible the dynamic execution of the program.
D. controls the coding and testing of the high-level functions of the program in the development process.
Answer: B

9. Which of the following data validation edits is effective in detecting transposition and transcription errors?
A. Range check
B. Check digit
C. Validity check
D. Duplicate check
Answer: B

10. An offsite information processing facility having electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a:
A. cold site.
B. warm site.
C. dial-up site.
D. duplicate processing facility.
Answer: A

11. A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not adequately performing which of the following types of testing?
A. Unit testing
B. Integration testing
C. Design walk-throughs
D. Configuration management
Answer: B

12. In an EDI process, the device which transmits and receives electronic documents is the:
A. communications handler.
B. EDI translator.
C. application interface.
D. EDI interface.
Answer: A

13. The MOST significant level of effort for business continuity planning (BCP) generally is required during the:
A. testing stage.
B. evaluation stage.
C. maintenance stage.
D. early stages of planning.
Answer: D

14. The use of a GANTT chart can:
A. aid in scheduling project tasks.
B. determine project checkpoints.
C. ensure documentation standards.
D. direct the post-implementation review.
Answer: A

15. Which of the following translates e-mail formats from one network to another so that the message can travel through all the networks?
A. Gateway
B. Protocol converter
C. Front-end communication processor
D. Concentrator/multiplexor
Answer: A

16. Which of the following BEST describes the necessary documentation for an enterprise product reengineering (EPR) software installation?
A. Specific developments only
B. Business requirements only
C. All phases of the installation must be documented
D. No need to develop customer-specific documentation
Answer: C

17. A hub is a device that connects:
A. two LANs using different protocols.
B. a LAN with a WAN.
C. a LAN with a metropolitan area network (MAN).
D. two segments of a single LAN.
Answer: D

18. A LAN administrator normally would be restricted from:
A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.
Answer: C

19. Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls
Answer: B

20. A data administrator is responsible for:
A. maintaining database system software.
B. defining data elements, data names and their relationships.
C. developing physical database structures.
D. developing data dictionary system software.
Answer: B

21. A database administrator is responsible for:
A. defining data ownership.
B. establishing operational standards for the data dictionary.
C. creating the logical and physical database.
D. establishing ground rules for ensuring data integrity and security.
Answer: C

22. An IS auditor reviewing the key roles and responsibilities of the database administrator (DBA) is LEAST likely to expect the job description of the DBA to include:
A. defining the conceptual schema.
B. defining security and integrity checks.
C. liaising with users in developing the data model.
D. mapping the data model to the internal schema.
Answer: D

23. Which of the following network configuration options contains a direct link between any two host machines?
A. Bus
B. Ring
C. Star
D. Completely connected (mesh)
Answer: D

24. Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks?
A. Check digit
B. Existence check
C. Completeness check
D. Reasonableness check
Answer: C

25. What process is used to validate a subject's identity?
A. Identification
B. Nonrepudiation
C. Authorization
D. Authentication
Answer: D

26. What is often assured through table link verification and reference checks?
A. Database integrity
B. Database synchronization
C. Database normalcy
D. Database accuracy
Answer: A

27. Which of the following should an IS auditor review to determine user permissions that have been granted for a particular resource? Choose the BEST answer.
A. Systems logs
B. Access control lists (ACL)
C. Application logs
D. Error logs
Answer: B

28. What should IS auditors always check when auditing password files?
A. That deleting password files is protected
B. That password files are encrypted
C. That password files are not accessible over the network
D. That password files are archived
Answer: B

29. Using the OSI reference model, what layer(s) is/are used to encrypt data?
A. Transport layer
B. Session layer
C. Session and transport layers
D. Data link layer
Answer: C

30. When should systems administrators first assess the impact of applications or systems patches?
A. Within five business days following installation
B. Prior to installation
C. No sooner than five business days following installation
D. Immediately following installation
Answer: B

31. Which of the following is the most fundamental step in preventing virus attacks?
A. Adopting and communicating a comprehensive antivirus policy
B. Implementing antivirus protection software on users' desktop computers
C. Implementing antivirus content checking at all network-to-Internet gateways
D. Inoculating systems with antivirus code
Answer: A

32. Which of the following is of greatest concern when performing an IS audit?
A. Users' ability to directly modify the database
B. Users' ability to submit queries to the database
C. Users' ability to indirectly modify the database
D. Users' ability to directly view the database
Answer: A

33. What supports data transmission through split cable facilities or duplicate cable facilities?
A. Diverse routing
B. Dual routing
C. Alternate routing
D. Redundant routing
Answer: A

34. What type(s) of firewalls provide(s) the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic?
A. A first-generation packet-filtering firewall
B. A circuit-level gateway
C. An application-layer gateway, or proxy firewall, and stateful-inspection firewalls
D. An application-layer gateway, or proxy firewall, but not stateful-inspection firewalls
Answer: C

35. Which of the following can degrade network performance? Choose the BEST answer.
A. Superfluous use of redundant load-sharing gateways
B. Increasing traffic collisions due to host congestion by creating new collision domains
C. Inefficient and superfluous use of network devices such as switches
D. Inefficient and superfluous use of network devices such as hubs
Answer: D

36. Which of the following provide(s) near-immediate recoverability for time-sensitive systems and transaction processing?
A. Automated electronic journaling and parallel processing
B. Data mirroring and parallel processing
C. Data mirroring
D. Parallel processing
Answer: B

37. What is an effective control for granting temporary access to vendors and external support personnel? Choose the BEST answer.
A. Creating user accounts that automatically expire by a predetermined date
B. Creating permanent guest accounts for temporary use
C. Creating user accounts that restrict logon access to certain hours of the day
D. Creating a single shared vendor administrator account on the basis of least-privileged access
Answer: A

38. Which of the following help(s) prevent an organization's systems from participating in a distributed denial-of-service (DDoS) attack? Choose the BEST answer.
A. Inbound traffic filtering
B. Using access control lists (ACLs) to restrict inbound connection attempts
C. Outbound traffic filtering
D. Recentralizing distributed systems
Answer: C

39. What is a common vulnerability allowing denial-of-service attacks?
A. Assigning access to users according to the principle of least privilege
B. Lack of employee awareness of organizational security policies
C. Improperly configured routers and router access lists
D. Configuring firewall access rules
Answer: C

40. What are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information? Choose the BEST answer.
A. Referential integrity controls
B. Normalization controls
C. Concurrency controls
D. Run-to-run totals
Answer: A

41. What increases encryption overhead and cost the most?
A. A long symmetric encryption key
B. A long asymmetric encryption key
C. A long Advanced Encryption Standard (AES) key
D. A long Data Encryption Standard (DES) key
Answer: B

42. Which of the following best characterizes "worms"?
A. Malicious programs that can run independently and can propagate without the aid of a carrier program such as email
B. Programming code errors that cause a program to repeatedly dump data
C. Malicious programs that require the aid of a carrier program such as email
D. Malicious programs that masquerade as common applications such as screensavers or macro-enabled Word documents
Answer: A

43. Which of the following is used to evaluate biometric access controls?
A. FAR
B. EER
C. ERR
D. FRR
Answer: B

44. Proper segregation of duties prevents a computer operator (user) from performing security administration duties. True or false?
A. True
B. False
Answer: A

45. How do modems (modulation/demodulation) function to facilitate analog transmissions entering a digital network?
A. Modems convert analog transmissions to digital, and digital transmissions to analog.
B. Modems encapsulate analog transmissions within digital, and digital transmissions within analog.
C. Modems convert digital transmissions to analog, and analog transmissions to digital.
D. Modems encapsulate digital transmissions within analog, and analog transmissions within digital.
Answer: A

46. Who is ultimately responsible and accountable for reviewing user access to systems?
A. Systems security administrators
B. Data custodians
C. Data owners
D. Information systems auditors
Answer: C

47. Of the three major types of off-site processing facilities, what type is characterized by at least providing for electricity and HVAC?
A. Cold site
B. Alternate site
C. Hot site
D. Warm site
Answer: A

48. In order to properly protect against unauthorized disclosure of sensitive data, how should hard disks be sanitized?
A. The data should be deleted and overwritten with binary 0s.
B. The data should be demagnetized.
C. The data should be low-level formatted.
D. The data should be deleted.
Answer: B

49. When reviewing print systems spooling, an IS auditor is MOST concerned with which of the following vulnerabilities?
A. The potential for unauthorized deletion of report copies
B. The potential for unauthorized modification of report copies
C. The potential for unauthorized printing of report copies
D. The potential for unauthorized editing of report copies
Answer: C

50. Why is the WAP gateway a component warranting critical concern and review for the IS auditor when auditing and testing controls enforcing message confidentiality?
A. WAP is often configured with default settings and is thus insecure.
B. WAP provides weak encryption for wireless traffic.
C. WAP functions as a protocol-conversion gateway for wireless TLS to Internet SSL.
D. WAP often interfaces with critical IT systems.
Answer: C

51. With the objective of mitigating the risk and impact of a major business interruption, a disaster-recovery plan should endeavor to reduce the length of recovery time necessary, as well as costs associated with recovery. Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs. True or false?
A. True
B. False
Answer: A

52. What is a primary high-level goal for an auditor who is reviewing a system development project?
A. To ensure that programming and processing environments are segregated
B. To ensure that proper approval for the project has been obtained
C. To ensure that business objectives are achieved
D. To ensure that projects are monitored and administered effectively
Answer: C

53. Whenever an application is modified, what should be tested to determine the full impact of the change? Choose the BEST answer.
A. Interface systems with other applications or systems
B. The entire program, including any interface systems with other applications or systems
C. All programs, including interface systems with other applications or systems
D. Mission-critical functions and any interface systems with other applications or systems
Answer: B

54. What often results in project scope creep when functional requirements are not defined as well as they could be?
A. Inadequate software baselining
B. Insufficient strategic planning
C. Inaccurate resource allocation
D. Project delays
Answer: A

55. Fourth-generation languages (4GLs) are most appropriate for designing the application's graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures. True or false?
A. True
B. False
Answer: A

56. When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered. The auditor should especially focus on procedures in an audit of IS strategy. True or false?
A. True
B. False
Answer: B

57. What process allows IS management to determine whether the activities of the organization differ from the planned or expected levels? Choose the BEST answer.
A. Business impact assessment
B. Risk assessment
C. IS assessment methods
D. Key performance indicators (KPIs)
Answer: C

58. When should reviewing an audit client's business plan be performed relative to reviewing an organization's IT strategic plan?
A. Reviewing an audit client's business plan should be performed before reviewing an organization's IT strategic plan.
B. Reviewing an audit client's business plan should be performed after reviewing an organization's IT strategic plan.
C. Reviewing an audit client's business plan should be performed during the review of an organization's IT strategic plan.
D. Reviewing an audit client's business plan should be performed without regard to an organization's IT strategic plan.
Answer: A

59. Allowing application programmers to directly patch or change code in production programs increases the risk of fraud. True or false?
A. True
B. False
Answer: A

60. Who should be responsible for network security operations?
A. Business unit managers
B. Security administrators
C. Network administrators
D. IS auditors
Answer: B

61. Proper segregation of duties does not prohibit a quality control administrator from also being responsible for change control and problem management. True or false?
A. True
B. False
Answer: A

62. What can be implemented to provide the highest level of protection from external attack?
A. Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host
B. Configuring the firewall as a screened host behind a router
C. Configuring the firewall as the protecting bastion host
D. Configuring two load-sharing firewalls facilitating VPN access from external hosts to internal hosts
Answer: A

63. The directory system of a database-management system describes:
A. The access method to the data
B. The location of data AND the access method
C. The location of data
D. Neither the location of data NOR the access method
Answer: B

64. How is the risk of improper file access affected upon implementing a database system?
A. Risk varies.
B. Risk is reduced.
C. Risk is not affected.
D. Risk is increased.
Answer: D

65. To affix a digital signature to a message, the sender must first create a message digest by applying a cryptographic hashing algorithm against:
A. the entire message and thereafter enciphering the message digest using the sender's private key.
B. any arbitrary part of the message and thereafter enciphering the message digest using the sender's private key.
C. the entire message and thereafter enciphering the message using the sender's private key.
D. the entire message and thereafter enciphering the message along with the message digest using the sender's private key.
Answer: A

66. A sequence of bits appended to a digital document that is used to secure an e-mail sent through the Internet is called a:
A. digest signature.
B. electronic signature.
C. digital signature.
D. hash signature.
Answer: C

67. A critical function of a firewall is to act as a:
A. special router that connects the Internet to a LAN.
B. device for preventing authorized users from accessing the LAN.
C. server used to connect authorized users to private trusted network resources.
D. proxy server to increase the speed of access to authorized users.
Answer: B

68. Which of the following hardware devices relieves the central computer from performing network control, format conversion and message handling tasks?
A. Spool
B. Cluster controller
C. Protocol converter
D. Front end processor
Answer: D