[Q269-Q285] Full CISA Practice Test and 1265 unique questions with explanations waiting just for you!

Share

Full CISA Practice Test and 1265 unique questions with explanations waiting just for you!

Certified Information Systems Auditor Dumps CISA Exam for Full Questions - Exam Study Guide

NEW QUESTION # 269
Which of the following concerns is MOST effectively addressed by implementing an IT framework for alignment between IT and business objectives?

  • A. Lack of a benchmark analysis
  • B. Inaccurate business impact analysis (BIA)
  • C. Inadequate IT portfolio management
  • D. Inadequate IT change management practices

Answer: C


NEW QUESTION # 270
What is the BEST way is evaluate a control environment where the organization and a third party have shared responsibility?

  • A. Review complementary user entity controls.
  • B. Perform an onsite evaluation
  • C. Review the service level agreement (SLA).
  • D. Conduct a control self-assessment (CSA).

Answer: C


NEW QUESTION # 271
To mitigate the risk of exposing data through application programming interface (API) queries. which of the following design considerations is MOST important?

  • A. Data quality
  • B. Data minimization
  • C. Data retention
  • D. Data integrity

Answer: B

Explanation:
The answer B is correct because data minimization is the most important design consideration to mitigate the risk of exposing data through application programming interface (API) queries. An API is a set of rules and protocols that allows different software components or systems to communicate and exchange data. API queries are requests sent by users or applications to an API to retrieve or manipulate data. For example, a user may query an API to get information about a product, a service, or a location.
Data minimization is the principle of collecting, processing, and storing only the minimum amount of data that are necessary for a specific purpose. Data minimization can help to reduce the risk of exposing data through API queries by limiting the amount and type of data that are available or accessible through the API. Data minimization can also help to protect the privacy and security of the data subjects and the data providers, as well as to comply with the relevant laws and regulations.
Some of the benefits of data minimization for API design are:
* Privacy: Data minimization can enhance the privacy of the data subjects by ensuring that only the data that are relevant and essential for the API purpose are collected and processed. This can prevent unnecessary or excessive collection or disclosure of personal or sensitive data, such as names, addresses, phone numbers, email addresses, etc. Data minimization can also help to comply with the privacy laws and regulations that require data protection by design and by default, such as GDPR (General Data Protection Regulation) or CCPA (California Consumer Privacy Act).
* Security: Data minimization can improve the security of the data providers by reducing the attack surface and the potential damage of a data breach. If less data are stored or transmitted through the API, there are fewer opportunities for attackers to access or compromise the data. Data minimization can also help to implement security controls such as encryption, access control, or logging more efficiently and effectively.
* Performance: Data minimization can increase the performance of the API by optimizing the use of resources and bandwidth. If less data are stored or transmitted through the API, there are less storage space and network traffic required. Data minimization can also help to improve the speed and reliability of the API responses.
Some of the techniques for data minimization in API design are:
* Define clear and specific purposes for the API and document them in the API specification or documentation.
* Identify and classify the data that are needed for each purpose and assign them appropriate labels or levels, such as public, internal, confidential, or restricted.
* Implement filters or parameters in the API queries that allow users or applications to specify or limit the data fields or attributes they want to retrieve or manipulate.
* Use pagination or throttling in the API responses that limit the number or size of data items returned per request.
* Use anonymization or pseudonymization techniques that remove or replace any identifying information from the data before sending them through the API.
Some examples of web resources that discuss data minimization in API design are:
* Data Minimization in Web APIs - World Wide Web Consortium (W3C)
* Adding Privacy by Design in Secure Application Development
* Chung-ju/Data-Minimization: A repository of related papers. - GitHub


NEW QUESTION # 272
The final decision to include a material finding in an audit report should be made by the:

  • A. IS auditor.
  • B. auditee's manager.
  • C. CEO of the organization
  • D. audit committee.

Answer: A

Explanation:
Section: Protection of Information Assets
Explanation:
The IS auditor should make the final decision about what to include or exclude from the audit report. The other choices would limit the independence of the auditor.


NEW QUESTION # 273
The PRIMARY role of a control self-assessment (CSA) facilitator is to:

  • A. focus the team on internal controls.
  • B. provide solutions for control weaknesses.
  • C. report on the internal control weaknesses.
  • D. conduct interviews to gain background information.

Answer: A


NEW QUESTION # 274
Which of the following access rights in the production environment should be granted to a developer to maintain segregation of duties?

  • A. System administration
  • B. Emergency support
  • C. IT operations
  • D. Database administration

Answer: A


NEW QUESTION # 275
An IS auditor is reviewing the security of a web-based customer relationship management (CRM) system that is directly accessed by customers via the Internet, Which of the following should be a concern for the auditor?

  • A. The system is hosted within a demilitarized zone (DMZ) of a corporate network.
  • B. The system is hosted within an internal segment of a corporate network.
  • C. The system is hosted in a hybrid-cloud platform managed by a service provider.
  • D. The system is hosted on an external third-party service provider's servers.

Answer: B

Explanation:
A web-based CRM system that is directly accessed by customers via the Internet should be hosted in a secure and isolated environment to protect it from external threats and unauthorized access. A web-based CRM system should also be reliable, trusted, and backed up regularly1.
Hosting the system on an external third-party service provider's servers (A) or a hybrid-cloud platform managed by a service provider (B) may not be a concern for the auditor if the service provider has adequate security measures and service level agreements in place. The auditor should verify the security controls and contractual terms of the service provider before trusting them with the CRM data23.
Hosting the system within a demilitarized zone (DMZ) of a corporate network is a common practice to provide an extra layer of security to the CRM system from untrusted networks, such as the Internet. A DMZ is a perimeter network that isolates the CRM system from the internal network and filters the incoming traffic from the external network using a security gateway4567.
Hosting the system within an internal segment of a corporate network (D) is a concern for the auditor because it exposes the CRM system and the internal network to potential attacks from the Internet. The CRM system should not be directly accessible from the Internet without a DMZ or a firewall to protect it. This could compromise the confidentiality, integrity, and availability of the CRM data and the internal network78.


NEW QUESTION # 276
The PRIMARY advantage of object-oriented technology is enhanced:

  • A. grouping of objects into methods for data access.
  • B. efficiency due to the re-use of elements of logic.
  • C. management of a restricted variety of data types for a data object.
  • D. management of sequential program execution for data access.

Answer: B

Explanation:
Explanation
The primary advantage of object-oriented technology is enhanced efficiency due to the re-use of elements of logic. Object-oriented technology is a software design model that uses objects, which contain both data and code, to create modular and reusable programs. Objects can be inherited from other objects, which reduces duplication and improves maintainability. Grouping objects into methods for data access, managing sequential program execution for data access, and managing a restricted variety of data types for a data object are not advantages of object-oriented technology. References: ISACA CISA Review Manual 27th Edition, page 304


NEW QUESTION # 277
An audit has identified that business units have purchased cloud-based applications without IPs support. What is the GREATEST risk associated with this situation?

  • A. The application purchases did not follow procurement policy.
  • B. The applications may not reasonably protect data.
  • C. The applications are not included in business continuity plans (BCFs)
  • D. The applications could be modified without advanced notice.

Answer: B


NEW QUESTION # 278
The IS auditor learns that when equipment was brought into the data center by a vendor, the emergency power shutoff switch was accidentally pressed and the UPS was engaged. Which of the following audit recommendations should the IS auditor suggest?

  • A. Relocate the shut off switch.
  • B. Install protective covers.
  • C. Log environmental failures.
  • D. Escort visitors.

Answer: B

Explanation:
Explanation/Reference:
Explanation:
A protective cover over the switch would allow it to be accessible and visible, but would prevent accidental activation.


NEW QUESTION # 279
Which of the following protocol does NOT work at the Application layer of the TCP/IP Models?

  • A. NTP
  • B. HTTP
  • C. TCP
  • D. FTP

Answer: C

Explanation:
Explanation/Reference:
The NOT keyword is used in the question. You need to find out a protocol which does not work at application layer. TCP protocol works at transport layer of a TCP/IP models.
For your exam you should know below information about TCP/IP model:
Network Models

Layer 4. Application Layer
Application layer is the top most layer of four layer TCP/IP model. Application layer is present on the top of the Transport layer. Application layer defines TCP/IP application protocols and how host programs interface with Transport layer services to use the network.
Application layer includes all the higher-level protocols like DNS (Domain Naming System), HTTP (Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP (Trivial File Transfer Protocol), SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transfer Protocol) , DHCP (Dynamic Host Configuration Protocol), X Windows, RDP (Remote Desktop Protocol) etc.
Layer 3. Transport Layer
Transport Layer is the third layer of the four layer TCP/IP model. The position of the Transport layer is between Application layer and Internet layer. The purpose of Transport layer is to permit devices on the source and destination hosts to carry on a conversation. Transport layer defines the level of service and status of the connection used when transporting data.
The main protocols included at Transport layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
Layer 2. Internet Layer
Internet Layer is the second layer of the four layer TCP/IP model. The position of Internet layer is between Network Access Layer and Transport layer. Internet layer pack data into data packets known as IP datagram's, which contain source and destination address (logical address or IP address) information that is used to forward the datagram's between hosts and across networks. The Internet layer is also responsible for routing of IP datagram's.
Packet switching network depends upon a connectionless internetwork layer. This layer is known as Internet layer. Its job is to allow hosts to insert packets into any network and have them to deliver independently to the destination. At the destination side data packets may appear in a different order than they were sent. It is the job of the higher layers to rearrange them in order to deliver them to proper network applications operating at the Application layer.
The main protocols included at Internet layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol) and IGMP (Internet Group Management Protocol).
Layer 1. Network Access Layer
Network Access Layer is the first layer of the four layer TCP/IP model. Network Access Layer defines details of how data is physically sent through the network, including how bits are electrically or optically signaled by hardware devices that interface directly with a network medium, such as coaxial cable, optical fiber, or twisted pair copper wire.
The protocols included in Network Access Layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay etc.
The most popular LAN architecture among those listed above is Ethernet. Ethernet uses an Access Method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection) to access the media, when Ethernet operates in a shared media. An Access Method determines how a host will place data on the medium.
IN CSMA/CD Access Method, every host has equal access to the medium and can place data on the wire when the wire is free from network traffic. When a host wants to place data on the wire, it will check the wire to find whether another host is already using the medium. If there is traffic already in the medium, the host will wait and if there is no traffic, it will place the data in the medium. But, if two systems place data on the medium at the same instance, they will collide with each other, destroying the data. If the data is destroyed during transmission, the data will need to be retransmitted. After collision, each host will wait for a small interval of time and again the data will be retransmitted.
Protocol Data Unit (PDU):
Protocol Data Unit - PDU

The following answers are incorrect:
HTTP, FTP and NTP protocols works at application layer in TCP/IP model.
The following reference(s) were/was used to create this question:
CISA review manual 2014 page number 272


NEW QUESTION # 280
Which of the following factors will BEST promote effective information security management?

  • A. Identification and risk assessment of sensitive resources
  • B. Security policy framework
  • C. Security awareness training
  • D. Senior management commitment

Answer: D

Explanation:
Section: Governance and Management of IT


NEW QUESTION # 281
The MOST effective control for addressing the risk of piggybacking is:

  • A. the use of smart cards.
  • B. a single entry point with a receptionist.
  • C. a deadman door.
  • D. a biometric door lock.

Answer: C

Explanation:
Explanation/Reference:
Explanation:
Deadman doors are a system of using a pair of (two) doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This reduces the risk of an unauthorized person following an authorized person through a secured entry (piggybacking). The other choices are all physical controls over entry to a secure area but do not specifically address the risk of piggybacking.


NEW QUESTION # 282
An IS auditor determines that the vendor's deliverables do not include the source code for a newly acquired product. To address this issue, which of the following should the auditor recommend be included in the contract?

  • A. Right-to-audit clause
  • B. Software escrow agreement
  • C. Service level agreement (SLA)
  • D. Confidentiality and data protection clauses

Answer: B

Explanation:
The correct answer is C. Software escrow agreement. A software escrow agreement is a legal arrangement between three parties: the software developer (licensor), the end-user (licensee), and an escrow agent. The agreement ensures that the software's source code and other relevant assets are securely stored with the escrow agent, and can be released to the licensee under certain conditions, such as the licensor's bankruptcy, insolvency, or failure to provide support or maintenance1. A software escrow agreement can provide the licensee with assurance and continuity for the software they depend on, and protect them from losing access or functionality in case of any unforeseen events or disputes with the licensor1.


NEW QUESTION # 283
An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services. Which of the following would BEST enable the organization to resolve this issue?

  • A. Incident management
  • B. Problem management
  • C. Service level management
  • D. Change management

Answer: B


NEW QUESTION # 284
If a database is restored from information backed up before the last system image, which of the following is
recommended?

  • A. The system should be restarted before the last transaction.
  • B. The system should be restarted on the last transaction.
  • C. The system should be restarted at the first transaction.
  • D. The system should be restarted after the last transaction.

Answer: A

Explanation:
Section: Protection of Information Assets
Explanation:
If a database is restored from information backed up before the last system image, the system should be
restarted before the last transaction because the final transaction must be reprocessed.


NEW QUESTION # 285
......

Authentic Best resources for CISA Online Practice Exam: https://www.testkingpass.com/CISA-testking-dumps.html

Get the superior quality CISA Dumps Questions from TestkingPass: https://drive.google.com/open?id=17DLhcqyRqqohbRslCMWu5KY94vD2P7yu