Download New Updated (July) Isaca CISA Actual Test 391-400

Ensurepass

 

QUESTION 391

When an employee is terminated from service, the MOST important action is to:

 

A. hand over all of the employee’s files to another designated employee.
B. complete a backup of the employee’s work.
C. notify other employees of the termination.
D. disable the employee’s logical access.

 

Correct Answer: D

Explanation:

There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee’s logical access is the most important action to take. All the work of the terminated employee needs to be handed over to a designated employee; however, this should be performed after implementing choice D. All the work of the terminated employee needs to be backed up and the employees need to be notified of the termination of the employee, but this should not precede the action in choice D.

 

 

QUESTION 392

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:

 

A. incorporates state of the art technology.
B. addresses the required operational controls.
C. articulates the IT mission and vision.
D. specifies project management practices.

 

Correct Answer: C

Explanation:

The IT strategic plan must include a clear articulation of the IT mission and vision. The plan need not address the technology, operational controls or project management practices.

 

 

QUESTION 393

A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual’s experience and:

 

A. length of service, since this will help ensure technical competence.
B. age, as training in audit techniques may be impractical.
C. IS knowledge, since this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IS relationships.

 

Correct Answer: D

Explanation:

Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities. The fact that the employee has worked in IS for many years may not in itself ensure credibility. The audit department’s needs should be defined and any candidate should be evaluated against those requirements. The length of service will not ensure technical competency. Evaluating an individual’s qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world.

 

 

 

QUESTION 394

The PRIMARY objective of implementing corporate governance by an organization’s management is to:

 

A. provide strategic direction.
B. control business operations.
C. align IT with business.
D. implement best practices.

 

Correct Answer: A

Explanation:

Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence, the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business operations are directed and controlled.

 

 

QUESTION 395

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:

 

A. control self-assessments.
B. a business impact analysis.
C. an IT balanced scorecard.
D. business process reengineering.

 

Correct Answer: C

Explanation:

An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. Control self-assessment (CSA), business impact analysis (BIA) and business process reengineering (BPR) are insufficient to align IT with organizational objectives.

 

 

QUESTION 396

An IS auditor should be concerned when a telecommunication analyst:

 

A. monitors systems performance and tracks problems resulting from program changes.
B. reviews network load requirements in terms of current and future transaction volumes.
C. assesses the impact of the network load on terminal response times and network data transfer rates.
D. recommends network balancing procedures and improvements.

 

Correct Answer: A

Explanation:

The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes (choice B), assessing the impact of network load on terminal response times and network data transfer rates (choice C), and recommending network balancing procedures and improvements (choice D). Monitoring systems performance and tracking problems as a result of program changes (choice A) would put the analyst in a self-monitoring role.

 

 

QUESTION 397

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:

 

A. meets or exceeds industry security standards.
B. agrees to be subject to external security reviews.
C. has a good market reputation for service and experience.
D. complies with security policies of the organization.

 

Correct Answer: B

Explanation:

It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify or prove that this is the case without an independent review. Though long experience in business and a good reputation are important factors for assessing service quality, the business cannot outsource to a provider whose security controls are weak.

 

 

QUESTION 398

Which of the following provides the best evidence of the adequacy of a security awareness program?

 

A. The number of stakeholders including employees trained at various levels
B. Coverage of training at all locations across the enterprise
C. The implementation of security devices from different vendors
D. Periodic reviews and comparison with best practices

 

Correct Answer: D

Explanation:

The adequacy of security awareness content can best be assessed by determining whether it is periodically reviewed and compared to industry best practices. Choices A, B and C provide metrics for measuring various aspects of a security awareness program, but do not help assess the content.

 

 

QUESTION 399

When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?

 

A. Restricting physical access to computing equipment
B. Reviewing transaction and application logs
C. Performing background checks prior to hiring IT staff
D. Locking user sessions after a specified period of inactivity

 

Correct Answer: B

Explanation:

Only reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse, because people who may otherwise be tempted to exploit the situation are aware of the likelihood of being caught. Inadequate segregation of duties is more likely to be exploited via logical access to data and computing resources rather than physical access. Choice C is a useful control to ensure IT staff are trustworthy and competent but does not directly address the lack of an optimal segregation of duties. Choice D acts to prevent unauthorized users from gaining system access, but the issue of a lack of segregation of duties is more the misuse (deliberately or inadvertently) of access privileges that have officially been granted.

 

 

QUESTION 400

Which of the following should be considered FIRST when implementing a risk management program?

 

A. An understanding of the organization’s threat, vulnerability and risk profile
B. An understanding of the risk exposures and the potential consequences of compromise
C. A determination of risk management priorities based on potential consequences
D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level

 

Correct Answer: A

Explanation:

Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization’s threat, vulnerability and risk profile as a first step. Based on this, an understanding of risk exposure and potential consequences of compromise could be determined. Risk management priorities based on potential consequences could then be developed. This would provide a basis for the formulation of strategies for risk mitigation sufficient to keep the consequences from risk at an acceptable level.

 
