Ensurepass

 

QUESTION 331

When an organization is outsourcing its information security function, which of the following should be kept in the organization?

A. Accountability for the corporate security policy
B. Defining the corporate security policy
C. Implementing the corporate security policy
D. Defining security procedures and guidelines

Correct Answer: A

Explanation:

Accountability cannot be transferred to external parties. Choices B, C and D can be performed by outside entities as long as accountability remains within the organization.

QUESTION 332

To support an organization’s goals, an IS department should have:

A. a low-cost philosophy.
B. long- and short-range plans.
C. leading-edge technology.
D. plans to acquire new hardware and software.

Correct Answer: B

Explanation:

To ensure its contribution to the realization of an organization’s overall goals, the IS department should have long- and short-range plans that are consistent with the organization’s broader plans for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate how each of the objectives would be achieved. Choice D could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals.

QUESTION 333

An IS auditor identifies that reports on product profitability produced by an organization’s finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?

A. User acceptance testing (UAT) occur for all reports before release into production
B. Organizational data governance practices be put in place
C. Standard software tools be used for report development
D. Management sign-off on requirements for new reports

Correct Answer: B

Explanation:

This choice directly addresses the problem. An organization-wide approach is needed to achieve effective management of data assets. This includes enforcing standard definitions of data elements, which is part of a data governance initiative. The other choices, while sound development practices, do not address the root cause of the problem described.

QUESTION 334

The advantage of a bottom-up approach to the development of organizational policies is that the policies:

A. are developed for the organization as a whole.
B. are more likely to be derived as a result of a risk assessment.
C. will not conflict with overall corporate policy.
D. ensure consistency across the organization.

Correct Answer: B

Explanation:

A bottom-up approach begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments. Enterprise-level policies are subsequently developed based on a synthesis of existing operational policies. Choices A, C and D are advantages of a top-down approach to developing organizational policies: a top-down approach ensures that the policies will not conflict with overall corporate policy and ensures consistency across the organization.

QUESTION 335

An IS steering committee should:

A. include a mix of members from different departments and staff levels.
B. ensure that IS security policies and procedures have been executed properly.
C. have formal terms of reference and maintain minutes of its meetings.
D. be briefed about new trends and products at each meeting by a vendor.

Correct Answer: C

Explanation:

It is important to keep detailed steering committee minutes to document the decisions and activities of the IS steering committee, and the board of directors should be informed about those decisions on a timely basis. Choice A is incorrect because only senior management or high-level staff members should be on this committee because of its strategic mission. Choice B is not a responsibility of this committee, but the responsibility of the security administrator. Choice D is incorrect because a vendor should be invited to meetings only when appropriate.

QUESTION 336

Responsibility for the governance of IT should rest with the:

A. IT strategy committee.
B. chief information officer (CIO).
C. audit committee.
D. board of directors.

Correct Answer: D

Explanation:

Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly. The audit committee, the chief information officer (CIO) and the IT strategy committee all play a significant role in the successful implementation of IT governance within an organization, but the ultimate accountability resides with the board of directors.

QUESTION 337

Effective IT governance will ensure that the IT plan is consistent with the organization’s:

A. business plan.
B. audit plan.
C. security plan.
D. investment plan.

Correct Answer: A

Explanation:

To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization’s business plans. The audit and investment plans are not part of the IT plan, while the security plan should be at a corporate level.

QUESTION 338

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:

A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of operations.

Correct Answer: C

Explanation:

Cross-training is a process of training more than one individual to perform a specific job or procedure. This practice helps decrease the dependence on a single person and assists in succession planning. This provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the related potential exposures. Cross-training reduces the risks addressed in choices A, B and D.

QUESTION 339

As a driver of IT governance, transparency of IT’s cost, value and risks is primarily achieved through:

A. performance measurement.
B. strategic alignment.
C. value delivery.
D. resource management.

Correct Answer: A

Explanation:

Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement, as it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.

QUESTION 340

Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?

A. Security incident summaries
B. Vendor best practices
C. CERT coordination center
D. Significant contracts

Correct Answer: D

Explanation:

Contractual requirements are one of the sources that should be consulted to identify the requirements for the management of information assets. Vendor best practices provide a basis for evaluating how competitive an enterprise is, while security incident summaries are a source for assessing the vulnerabilities associated with the IT infrastructure. CERT (www.cert.org) is an information source for assessing vulnerabilities within the IT infrastructure.

Free VCE & PDF File for Isaca CISA Real Exam
