Download New Updated (July) Isaca CISA Actual Test 381-390

Ensurepass

QUESTION 381

Which of the following reduces the potential impact of social engineering attacks?

A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs
D. Effective performance incentives

Correct Answer: C

Explanation:

Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. The other choices are not user-focused.

QUESTION 382

An IS auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that:

A. this lack of knowledge may lead to unintentional disclosure of sensitive information.
B. information security is not critical to all functions.
C. IS audit should provide security training to the employees.
D. the audit finding will cause management to provide continuous training to staff.

Correct Answer: A

Explanation:

All employees should be aware of the enterprise’s information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.

QUESTION 383

Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:

A. ensure the employee maintains a good quality of life, which will lead to greater productivity.
B. reduce the opportunity for an employee to commit an improper or illegal act.
C. provide proper cross-training for another employee.
D. eliminate the potential disruption caused when an employee takes vacation one day at a time.

Correct Answer: B

Explanation:

Required vacations/holidays of a week or more in duration, during which someone other than the regular employee performs the job function, are often mandatory for sensitive positions, as this reduces the opportunity to commit improper or illegal acts. During this time it may be possible to discover any fraudulent activity that was taking place. Choices A, C and D could all be organizational benefits from a mandatory vacation policy, but they are not the reason why the policy is established.

QUESTION 384

Assessing IT risks is BEST achieved by:

A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm’s past actual loss experience to determine current exposure.
C. reviewing published loss statistics from comparable organizations.
D. reviewing IT control weaknesses identified in audit reports.

Correct Answer: A

Explanation:

To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk assessment process, but by themselves are not sufficient. Basing an assessment on past losses will not adequately reflect inevitable changes to the firm’s IT assets, projects, controls and strategic environment. There are also likely to be problems with the scope and quality of the loss data available to be assessed. Comparable organizations will have differences in their IT assets, control environment and strategic circumstances. Therefore, their loss experience cannot be used to directly assess organizational IT risk. Control weaknesses identified during audits will be relevant in assessing threat exposure, and further analysis may be needed to assess threat probability. Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have recently been audited, and there may not be a sufficient assessment of strategic IT risks.

QUESTION 385

After the merger of two organizations, multiple self-developed legacy applications from both companies are to be replaced by a new common platform. Which of the following would be the GREATEST risk?

A. Project management and progress reporting is combined in a project management office which is driven by external consultants.
B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company’s legacy systems.
D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

Correct Answer: B

Explanation:

The efforts should be consolidated to ensure alignment with the overall strategy of the post-merger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications. In post-merger integration programs, it is common to form project management offices to ensure standardized and comparable information levels in the planning and reporting structures, and to centralize dependencies of project deliverables or resources. The experience of external consultants can be valuable, since project management practices do not require in-depth knowledge of the legacy systems. This can free up resources for functional tasks. It is a good idea to first get familiar with the old systems, to understand what needs to be done in a migration and to evaluate the implications of technical decisions. In most cases, mergers result in application changes and thus in training needs, as organizations and processes change to leverage the intended synergy effects of the merger.

QUESTION 386

Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation?

A. Process maturity
B. Performance indicators
C. Business risk
D. Assurance reports

Correct Answer: C

Explanation:

Priority should be given to those areas which represent a known risk to the enterprise’s operations. The level of process maturity, process performance and audit reports will feed into the decision-making process. Those areas that represent real risk to the business should be given priority.

QUESTION 387

A poor choice of passwords and transmission over unprotected communications lines are examples of:

A. vulnerabilities.
B. threats.
C. probabilities.
D. impacts.

Correct Answer: A

Explanation:

Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat, while impacts represent the outcome or result of a threat exploiting a vulnerability.

QUESTION 388

To ensure an organization is complying with privacy requirements, an IS auditor should FIRST review:

A. the IT infrastructure.
B. organizational policies, standards and procedures.
C. legal and regulatory requirements.
D. the adherence to organizational policies, standards and procedures.

Correct Answer: C

Explanation:

To ensure that the organization is complying with privacy requirements, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.

QUESTION 389

The PRIMARY objective of an audit of IT security policies is to ensure that:

A. they are distributed and available to all staff.
B. security and control policies support business and IT objectives.
C. there is a published organizational chart with functional descriptions.
D. duties are appropriately segregated.

Correct Answer: B

Explanation:

Business orientation should be the main theme in implementing security. Hence, an IS audit of IT security policies should primarily focus on whether the IT and related security and control policies support business and IT objectives. Reviewing whether policies are available to all is an objective, but distribution does not ensure compliance. Availability of organizational charts with functional descriptions and segregation of duties might be included in the review, but they are not the primary objective of an audit of security policies.

QUESTION 390

Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?

A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider’s fees
D. Monitoring the outsourcing provider’s performance

Correct Answer: D

Explanation:

In an outsourcing environment, the company is dependent on the performance of the service provider. Therefore, it is critical that the outsourcing provider’s performance be monitored to ensure that services are delivered to the company as required. Payment of invoices is a finance function, which would be completed per contractual requirements. Participating in systems design is a byproduct of monitoring the outsourcing provider’s performance, while renegotiating fees is usually a one-time activity.