
QUESTION 421

Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?

 

A.

Response

B.

Correction

C.

Detection

D.

Monitoring

 

Correct Answer: A

Explanation:

A sound IS security policy will most likely outline a response program to handle suspected intrusions. Correction, detection and monitoring programs are all aspects of information security, but will not likely be included in an IS security policy statement.

 

 

QUESTION 422

An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?

 

A.

That an audit clause is present in all contracts

B.

That the SLA of each contract is substantiated by appropriate KPIs

C.

That the contractual warranties of the providers support the business needs of the organization

D.

That at contract termination, support is guaranteed by each outsourcer for new outsourcers

 

Correct Answer: C

Explanation:

The complexity of IT structures matched by the complexity and interplay of responsibilities and warranties may affect or void the effectiveness of those warranties and the reasonable certainty that the business needs will be met. All other choices are important, but not as potentially dangerous as the interplay of the diverse and critical areas of the contractual responsibilities of the outsourcers.

 

 

QUESTION 423

Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor’s business continuity plan?

 

A.

Yes, because an IS auditor will evaluate the adequacy of the service bureau’s plan and assist their company in implementing a complementary plan.

B.

Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.

C.

No, because the backup to be provided should be specified adequately in the contract.

D.

No, because the service bureau’s business continuity plan is proprietary information.

 

Correct Answer: A

Explanation:

The primary responsibility of an IS auditor is to assure that the company assets are being safeguarded. This is true even if the assets do not reside on the immediate premises. Reputable service bureaus will have a well-designed and tested business continuity plan.

 

 

QUESTION 424

Involvement of senior management is MOST important in the development of:

 

A.

strategic plans.

B.

IS policies.

C.

IS procedures.

D.

standards and guidelines.

 

Correct Answer: A

Explanation:

Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. IS policies, procedures, standards and guidelines are all structured to support the overall strategic plan.

 

 

QUESTION 425

When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?

 

A.

There could be a question regarding the legal jurisdiction.

B.

Having a provider abroad will cause excessive costs in future audits.

C.

The auditing process will be difficult because of the distance.

D.

There could be different auditing norms.

 

Correct Answer: A

Explanation:

In the funds transfer process, when the processing scheme is centralized in a different country, there could be legal issues of jurisdiction that might affect the right to perform a review in the other country. The other choices, though possible, are not as relevant as the issue of legal jurisdiction.

 

 

QUESTION 426

In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?

 

A.

Optimized

B.

Managed

C.

Defined

D.

Repeatable

 

Correct Answer: B

Explanation:

Boards of directors and executive management can use the information security governance maturity model to establish rankings for security in their organizations. The ranks are nonexistent, initial, repeatable, defined, managed and optimized. When the responsibilities for IT security in an organization are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed, it is said to be ‘managed and measurable.’

 

 

QUESTION 427

IT control objectives are useful to IS auditors, as they provide the basis for understanding the:

 

A.

desired result or purpose of implementing specific control procedures.

B.

best IT security control practices relevant to a specific entity.

C.

techniques for securing information.

D.

security policy.

 

Correct Answer: A

Explanation:

An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. They provide the actual objectives for implementing controls and may or may not be the best practices. Techniques are the means of achieving an objective, and a security policy is a subset of IT control objectives.

 

 

QUESTION 428

Which of the following IT governance best practices improves strategic alignment?

 

A.

Supplier and partner risks are managed.

B.

A knowledge base on customers, products, markets and processes is in place.

C.

A structure is provided that facilitates the creation and sharing of business information.

D.

Top management mediate between the imperatives of business and technology.

 

Correct Answer: D

Explanation:

Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice. Supplier and partner risks being managed is a risk management best practice. A knowledge base on customers, products, markets and processes being in place is an IT value delivery best practice. An infrastructure being provided to facilitate the creation and sharing of business information is an IT value delivery and risk management best practice.

 

 

QUESTION 429

The ultimate purpose of IT governance is to:

 

A.

encourage optimal use of IT.

B.

reduce IT costs.

C.

decentralize IT resources across the organization.

D.

centralize control of IT.

 

Correct Answer: A

Explanation:

IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. Centralizing control of IT is not always desired. An example of where it might be desired is an enterprise desiring a single point of customer contact.

QUESTION 430

A top-down approach to the development of operational policies will help ensure:

 

A.

that they are consistent across the organization.

B.

that they are implemented as a part of risk assessment.

C.

compliance with all policies.

D.

that they are reviewed periodically.

 

Correct Answer: A

Explanation:

Deriving lower-level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. The bottom-up approach to the development of operational policies is derived as a result of risk assessment. A top-down approach by itself does not ensure compliance, and development alone does not ensure that policies are reviewed periodically.
