Download New Updated (July) Isaca CISA Actual Test 361-370

Ensurepass

 

QUESTION 361

Which of the following goals would you expect to find in an organization’s strategic plan?

A. Test a new accounting package.
B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the next 12 months.
D. Become the supplier of choice for the product offered.

Correct Answer: D

Explanation:

Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but it also must address and help determine priorities to meet business needs. Long- and short-range plans should be consistent with the organization's broader plans for attaining its goals. Choice D represents a business objective that is intended to focus the overall direction of the business and would thus be a part of the organization's strategic plan. The other choices are project-oriented and do not address business objectives.

 

 

QUESTION 362

Which of the following is the initial step in creating a firewall policy?

A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods

Correct Answer: B

Explanation:

Identification of the applications required across the network should be done first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. Having identified the applications, the next step is to identify vulnerabilities (weaknesses) associated with the network applications. Identifying methods to protect against the identified vulnerabilities, together with their comparative cost-benefit analysis, is the third step. The next step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

 

 

QUESTION 363

The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:

A. financial results.
B. customer satisfaction.
C. internal process efficiency.
D. innovation capacity.

Correct Answer: A

Explanation:

Financial results have traditionally been the sole overall performance metric. The IT balanced scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and internal process efficiency.

 

 

QUESTION 364

The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:

A. destruction policy.
B. security policy.
C. archive policy.
D. audit policy.

Correct Answer: C

Explanation:

With a policy of well-archived e-mail records, access to or retrieval of specific e-mail records is possible without disclosing other confidential e-mail records. Security and/or audit policies would not address the efficiency of record retrieval, and destroying e-mails may be an illegal act.

 

 

QUESTION 365

To gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets, an IS auditor should review the:

A. enterprise data model.
B. IT balanced scorecard (BSC).
C. IT organizational structure.
D. historical financial statements.

Correct Answer: B

Explanation:

The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. An enterprise data model is a document defining the data structure of an organization and how data interrelate. It is useful, but it does not provide information on investments. The IT organizational structure provides an overview of the functional and reporting relationships in an IT entity. Historical financial statements do not provide information about planning and lack sufficient detail to enable one to fully understand management's activities regarding IT assets. Past costs do not necessarily reflect value, and assets such as data are not represented on the books of accounts.

 

 

QUESTION 366

Which of the following is MOST critical for the successful implementation and maintenance of a security policy?

A. Assimilation of the framework and intent of a written security policy by all appropriate parties
B. Management support and approval for the implementation and maintenance of a security policy
C. Enforcement of security rules by providing punitive actions for any violation of security rules
D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

Correct Answer: A

Explanation:

Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desks, the password is of little value. Management support and commitment is no doubt important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, are also required, along with the users' education on the importance of security.

 

 

QUESTION 367

A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:

A. recovery.
B. retention.
C. rebuilding.
D. reuse.

Correct Answer: B

Explanation:

Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which e-mail communication is held in the same regard as the official form of classic 'paper' makes the retention of corporate e-mail a necessity. All e-mail generated on an organization's hardware is the property of the organization, and an e-mail policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of e-mails after a specified time to protect the nature and confidentiality of the messages themselves. Addressing the retention issue in the e-mail policy would facilitate recovery, rebuilding and reuse.

 

 

QUESTION 368

When developing a security architecture, which of the following steps should be executed FIRST?

A. Developing security procedures
B. Defining a security policy
C. Specifying an access control methodology
D. Defining roles and responsibilities

Correct Answer: B

Explanation:

Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. The other choices should be executed only after defining a security policy.

 

 

QUESTION 369

An example of a direct benefit to be derived from a proposed IT-related business investment is:

A. enhanced reputation.
B. enhanced staff morale.
C. the use of new technology.
D. increased market penetration.

Correct Answer: D

Explanation:

A comprehensive business case for any proposed IT-related business investment should have clearly defined business benefits to enable the expected return to be calculated. These benefits usually fall into two categories: direct and indirect (or soft). Direct benefits usually comprise the quantifiable financial benefits that the new system is expected to generate. The potential benefits of enhanced reputation and enhanced staff morale are difficult to quantify, but should be quantified to the extent possible. IT investments should not be made just for the sake of new technology but should be based on a quantifiable business need.

 

 

QUESTION 370

The MAJOR consideration for an IS auditor reviewing an organization’s IT project portfolio is the:

A. IT budget.
B. existing IT environment.
C. business plan.
D. investment plan.

Correct Answer: C

Explanation:

One of the most important reasons for which projects get funded is how well a project meets an organization's strategic objectives. Portfolio management takes a holistic view of a company's overall IT strategy. IT strategy should be aligned with the business strategy and, hence, reviewing the business plan should be the major consideration. Choices A, B and D are important but secondary to the importance of reviewing the business plan.

 
