CISA Flashcards-Domain 2





[qdeck random="true" card_back="none" align="center" style="border-color: #ff3366 !important; border-style: solid !important; border-width: 5px !important;"]

[q] In any given scenario, the two main advantages of outsourcing, in their preferential order, are:

[a] -Expert service can be obtained from outside (so the organisation can concentrate on its core business)

-Cost saving

[q] In any given scenario, no organisation can outsource or transfer its ______________.

[a] Accountability

[q] What are the four important clauses in outsourcing agreements (SLA)?

[a] -clause with respect to ownership of intellectual property rights

-clause with respect to data confidentiality and privacy.

-clause with respect to BCP & DRP.

-clause with respect to right to audit.

[q] In any given scenario, if the service provider is in another country, then the main concern of the IS auditor will be ___________________.

[a] legal jurisdiction

[q] IT governance is primarily the responsibility of:

[a] the board of directors.

[q] Who provides overall direction and monitors costs and project schedules & timetables?

[a] Project Steering Committee

[q] Who provides technical support for the hardware and software environments by developing, installing and operating the requested system?

[a] System development management

[q] Authority ultimately responsible for the development of an IS security policy:

[a] The board of directors.

[q] Which team should assume overall responsibility for system development projects?

[a] Project steering committee

[q] Accountability for the maintenance of appropriate security measures over information assets resides with the:

[a] Data/system owner

[q] Which statement is correct: (a) enterprise requirements should form the basis of security requirements or (b) security requirements should form the basis of enterprise requirements

[a] (a) enterprise requirements should form the basis of security requirements

[q] Which statement is correct: (a) Business plans should be aligned with an organization’s IT plans or (b) IT plans should be aligned with an organization’s business plans.

[a] (b) IT plans should be aligned with an organization’s business plans.

[q] An IS auditor is reviewing an organization’s IS strategy. Which is the most important criterion for such a review?

[a] It supports the business objectives.

[q] What are the three indicators of an IT balanced scorecard?

[a] (a) customer satisfaction

(b) internal processes and

(c) ability to innovate.

[q] What is the important pre-requisite before implementing an IT balanced scorecard?

[a] defined key performance indicators.

[q] When an employee is terminated from service, the MOST important action is to:

[a] disable the employee’s logical access.

[q] Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?

[a] Compensating controls

[q] The development of an IS security policy is ultimately the responsibility of the:

[a] board of directors.

[q] Who assumes ownership of a systems-development project and the resulting system?

[a] User management

[q] In the case of a purchase of proprietary application software, the MOST important consideration should be:

[a] Escrow Arrangement

[q] The lack of adequate security controls represents a(n):

(a) threat Or (b) vulnerability.

[a] (b) vulnerability.

[q] When developing a risk management program, the FIRST activity to be performed is a(n):

(a) criticality analysis Or (b) inventory of assets

[a] (b) inventory of assets

[q] When an organization is outsourcing its information security function, which of the following should be kept in the organization?

(a) Accountability for the corporate security policy Or (b) Defining the corporate security policy

[a] (a) Accountability for the corporate security policy

[q] Which of the following reduces the potential impact of social engineering attacks?

(a) Effective performance incentives Or (b) Security awareness programs

[a] (b) Security awareness programs

[q] IT governance is PRIMARILY the responsibility of the:

(a) board of directors Or (b) IT steering committee.

[a] (a) board of directors

[q] When an information security policy has been designed, it is MOST important that the information security policy be:

(a) circulated to users. Or (b) updated frequently.

[a] circulated to users.

[q] An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:

(a) ownership of intellectual property Or (b) application development methodology.

[a] ownership of intellectual property

[q] A local area network (LAN) administrator normally would be restricted from:

(a) having end-user responsibilities. Or (b) having programming responsibilities.

[a] having programming responsibilities.

[q] The PRIMARY objective of an audit of IT security policies is to ensure that:

(a) they are distributed and available to all staff Or (b) security and control policies support business and IT objectives.

[a] security and control policies support business and IT objectives.

[q] An IS steering committee should:

(a) ensure that IS security policies and procedures have been executed properly. Or (b) have formal terms of reference and maintain minutes of its meetings.

[a] have formal terms of reference and maintain minutes of its meetings.

[q] __________ arrangement ensures that the purchasing company will have the opportunity to modify the software should the vendor cease to be in business.

[a] Escrow

[q] A major risk can be the absence of IT alignment with __________.

[a] Business Objective

[q] __________ is ultimately responsible for total project management for IT-related projects. It provides direction and monitors costs and project schedules.

[a] Project steering committee

[q] __________ assumes ownership of the project and the resulting system.

[a] User management

[q] Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?

(a) Specific user accountability cannot be established Or (b) Unauthorized users may have access to originate, modify or delete data.

[a] Unauthorized users may have access to originate, modify or delete data.

[q] PDCA is an iterative four-step method used for continuous improvement. What are the 4 steps of the PDCA cycle?

[a] Plan-Do-Check-Act

[q] __________ is a systematic approach to compare enterprise performance against peers and competitors in an effort to learn the best way of conducting business.

[a] Benchmarking

[q] __________ are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated.

[a] Compensatory Controls

[/qdeck]